CCNA Describe the concepts of security, compliance, and identity Questions

75 of 235 questions · Page 3/4 · Describe the concepts of security, compliance, and identity · Answers revealed

151
MCQ · easy

A company's security team configures network firewall rules so that only a dedicated jump server's IP address can initiate RDP connections to production servers. This is an example of which security principle?

A. Least privilege
B. Defense in depth
C. Zero Trust
D. Separation of duties
Answer: A

By restricting RDP access to only the jump server, the company is following the principle of least privilege, giving only the minimum access needed.

Why this answer

Restricting RDP access to only a dedicated jump server's IP address ensures that no other hosts or users can directly initiate remote desktop connections to production servers. This enforces the principle of least privilege by granting only the minimum necessary network access (the jump server) required for administrative tasks, reducing the attack surface and limiting lateral movement.

Exam trap

The trap here is that candidates confuse 'least privilege' (limiting access to what is necessary) with 'defense in depth' (multiple layers), because both involve restricting access, but least privilege focuses on the minimal permissions while defense in depth focuses on layered controls.

How to eliminate wrong answers

Option B (Defense in depth) is wrong because defense in depth involves multiple layers of security controls (e.g., firewalls, IDS, encryption) working together, not a single access restriction. Option C (Zero Trust) is wrong because Zero Trust assumes no implicit trust and requires continuous verification of every request, whereas this rule is a static IP-based allowlist that does not verify identity or session context. Option D (Separation of duties) is wrong because separation of duties divides critical tasks among different people to prevent fraud or error, not restrict network access to a specific source IP.

152
MCQ · hard

A company deploys a custom web application on Azure App Service (PaaS). The application stores data in Azure SQL Database. The security team needs to identify which security responsibilities fall under the customer according to the Microsoft shared responsibility model. Which of the following is primarily the customer's responsibility for this PaaS deployment?

A. Physical security of the datacenter hosting the App Service
B. Patching the operating system of the App Service host machines
C. Managing user identities and access to the application
D. Network security for the Azure backbone connecting datacenters
Answer: C

The customer is responsible for managing identity and access to their application, including authentication, authorization, and user roles. Microsoft provides the platform but does not control who accesses the customer's app.

Why this answer

In a PaaS deployment like Azure App Service with Azure SQL Database, the customer is responsible for managing user identities and access to the application, including authentication, authorization, and role-based access control (RBAC). Microsoft manages the underlying infrastructure, including the host OS, physical datacenter security, and network backbone, but the customer must secure application-level access and data plane operations.

Exam trap

The trap here is that candidates often assume PaaS means Microsoft handles all security, but the customer still owns identity and access management for the application and data, which is a frequent exam distraction.

How to eliminate wrong answers

Option A is wrong because physical security of the datacenter is always Microsoft's responsibility under the shared responsibility model, regardless of service model. Option B is wrong because patching the operating system of the App Service host machines is managed by Microsoft as part of the PaaS abstraction; the customer only patches the application code and configuration. Option D is wrong because network security for the Azure backbone connecting datacenters is Microsoft's responsibility, as it is part of the core network infrastructure that the customer cannot control or configure.

153
MCQ · easy

A company is migrating its on-premises applications to Azure. The CIO states that the company is fully responsible for managing the security of its own applications and data, while Microsoft is responsible for the security of the underlying physical infrastructure, such as hardware and data centers. This division of security responsibilities is an example of which concept?

A. Defense in depth
B. Shared responsibility model
C. Zero Trust
D. Least privilege
Answer: B

The shared responsibility model clearly delineates security responsibilities between the cloud provider (Microsoft) and the customer. In IaaS, the customer manages more (applications, data) while the provider secures the physical layer; in PaaS/SaaS, the provider takes on more responsibility.

Why this answer

The scenario directly describes the shared responsibility model, which delineates security obligations between the cloud provider and the customer. Microsoft secures the physical infrastructure (hardware, data centers, networking), while the customer is responsible for securing their own applications, data, and identity management. This division is a foundational concept in cloud computing, explicitly defined in Microsoft's documentation for Azure.

Exam trap

The trap here is that candidates confuse the shared responsibility model with defense in depth, because both involve multiple security layers, but the question specifically asks about the division of responsibilities between provider and customer, not the layering of controls.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, encryption, access controls) to protect resources, not a division of responsibilities between provider and customer. Option C is wrong because Zero Trust is a security model based on 'never trust, always verify'—it assumes breach and verifies every request, not a split of security duties. Option D is wrong because least privilege is an access control principle granting only necessary permissions, not a framework for allocating security responsibilities between parties.

154
MCQ · medium

A company stores critical financial reports in a SharePoint Online library. To ensure that the reports have not been tampered with, the security team compares a calculated hash of each file against a stored baseline. This verification process primarily protects which security goal?

A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation
Answer: B

Integrity ensures data is authentic and has not been modified. Comparing hashes directly verifies that the file content is unchanged.

Why this answer

The verification process uses hash comparison to detect unauthorized changes to files, which directly protects data integrity. Integrity ensures that data has not been altered or tampered with during storage or transit. In SharePoint Online, hashing (e.g., SHA-256) creates a unique fingerprint; if the calculated hash matches the stored baseline, the file is unchanged.

Exam trap

The trap here is confusing integrity with non-repudiation, as both involve cryptographic verification, but non-repudiation requires a digital signature (private key) to prove origin, whereas hash comparison alone only detects changes without identifying who made them.

How to eliminate wrong answers

Option A is wrong because confidentiality is about preventing unauthorized access (e.g., encryption), not detecting tampering. Option C is wrong because availability ensures data is accessible when needed (e.g., uptime, redundancy), not verifying file integrity. Option D is wrong because non-repudiation provides proof of origin or action (e.g., digital signatures, audit logs), not detection of unauthorized modification.

155
MCQ · hard

You are reviewing a Conditional Access policy configuration in Microsoft Entra ID. Based on the exhibit, what is the effect of this policy?

A. Blocks sign-ins for users with high user risk
B. Blocks sign-ins that have a high sign-in risk level
C. Blocks all sign-ins for the assigned users
D. Requires multi-factor authentication for high-risk sign-ins
Answer: B

The policy blocks when signInRiskLevels is high.

Why this answer

Option B is correct. The policy blocks sign-ins with high sign-in risk level. Option A is wrong because user risk level is empty.

Option D is wrong because it does not require MFA. Option C is wrong because it only blocks high risk, not all.

156
Multi-Select · hard

Which THREE of the following are capabilities of Microsoft Purview Information Protection? (Select three.)

Select 3 answers
A. Rights management
B. eDiscovery
C. Data classification
D. Sensitivity labels
E. Data loss prevention policies
Answers: A, C, D

Protect data with encryption and usage restrictions.

Why this answer

Options A, C, and D are correct. Microsoft Purview Information Protection includes sensitivity labels (D), data classification (C), and rights management (A). Option E is incorrect because DLP is a separate solution.

Option B is incorrect because eDiscovery is a different solution.

157
MCQ · easy

A financial institution uses digital signatures to sign all transaction records. This ensures that the records have not been altered after signing. Which security goal does this primarily protect?

A. Confidentiality
B. Non-repudiation
C. Integrity
D. Availability
Answer: C

Integrity ensures data is accurate and has not been modified. Digital signatures detect any alteration, thus protecting integrity.

Why this answer

Digital signatures use asymmetric cryptography (e.g., RSA or ECDSA) to create a hash of the transaction record, which is then encrypted with the signer's private key. Any alteration to the record after signing would cause the hash verification to fail, directly protecting the integrity of the data. While digital signatures also support non-repudiation, the question specifically asks which goal is primarily protected by ensuring records have not been altered, which is integrity.

Exam trap

The trap here is that candidates confuse the secondary property of non-repudiation with the primary property of integrity, because digital signatures provide both, but the question's wording 'have not been altered after signing' directly points to integrity, not the ability to prove the signer's identity.

How to eliminate wrong answers

Option A is wrong because confidentiality is about preventing unauthorized access to data, typically achieved through encryption (e.g., AES), not through digital signatures which do not hide the content. Option B is wrong because non-repudiation ensures the signer cannot deny having signed the document, which is a secondary benefit of digital signatures, but the question explicitly focuses on preventing alteration after signing, which is integrity. Option D is wrong because availability ensures systems and data are accessible when needed, often via redundancy or disaster recovery, and digital signatures do not address uptime or access.

158
Multi-Select · hard

Which THREE of the following are capabilities of Microsoft Purview Compliance Manager? (Choose three.)

Select 3 answers
A. Automated testing of controls
B. Manage user identities
C. Improvement actions
D. Create data loss prevention policies
E. Compliance score
Answers: A, C, E

Controls can be tested automatically.

Why this answer

Correct answers are A, C, and E: Compliance Manager provides a compliance score, automated testing of controls, and improvement actions. Option D is incorrect because creating DLP policies is not a Compliance Manager capability. Option B is incorrect because managing user identities is in Microsoft Entra ID.

159
MCQ · hard

A company uses Microsoft Defender for Cloud to secure its hybrid cloud environment. They need to continuously assess compliance with regulatory standards like ISO 27001 and receive recommendations for remediation. Which feature should they enable?

A. Defender for Cloud’s regulatory compliance dashboard
B. Microsoft Defender for Cloud Apps
C. Microsoft Defender for Identity
D. Defender for Cloud’s Secure Score
Answer: A

The regulatory compliance dashboard tracks compliance against standards and provides remediation steps.

Why this answer

Microsoft Defender for Cloud's regulatory compliance dashboard provides continuous assessments against standards like ISO 27001 and offers recommendations. Secure Score is a security posture metric. Defender plans are for workload protection.

Workload protections are specific to resources.

160
MCQ · medium

An organization wants to enable passwordless authentication for its users by using a mobile app. Which Microsoft Entra ID authentication method should they implement?

A. Temporary Access Pass
B. Windows Hello for Business
C. FIDO2 security keys
D. Microsoft Authenticator (passwordless sign-in)
Answer: D

Microsoft Authenticator provides phone sign-in, a passwordless method via mobile app.

Why this answer

Microsoft Authenticator supports passwordless phone sign-in, allowing users to authenticate via app notification. FIDO2 security keys are hardware tokens. Windows Hello for Business uses biometrics.

Temporary Access Pass is for initial setup.

161
MCQ · easy

A security architect is designing a system where user access rights are reviewed and certified on a regular basis by data owners. The goal is to ensure that users continue to have only the permissions necessary to perform their job functions and that no excessive permissions exist. Which security principle is primarily being implemented through these regular reviews?

A. Defense in depth
B. Zero trust
C. Least privilege
D. Separation of duties
Answer: C

Least privilege means granting users the minimum level of access required. Regular access reviews are a key governance practice to uphold least privilege by detecting and removing excessive permissions.

Why this answer

Option C is correct because regular access reviews directly enforce the principle of least privilege by ensuring users retain only the permissions necessary for their current job functions. This process identifies and removes excessive permissions that may have accumulated over time, aligning with the core goal of minimizing the attack surface. In Microsoft 365, this is often implemented through Azure AD access reviews, where data owners certify or revoke user access.

Exam trap

The trap here is that candidates may confuse the periodic review of permissions with the zero trust model, but zero trust focuses on continuous verification at each access request rather than periodic certification of existing rights.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, encryption, antivirus) to protect assets, not a principle focused on limiting user permissions. Option B is wrong because zero trust is a security model that assumes no implicit trust and requires continuous verification of every access request, but it does not specifically address periodic certification of existing permissions by data owners. Option D is wrong because separation of duties divides critical tasks among multiple users to prevent fraud or error (e.g., one person requests access, another approves), whereas regular reviews focus on validating that current permissions are still appropriate, not on splitting responsibilities.

162
MCQ · medium

Your organization is implementing Microsoft Purview to manage data compliance. They need to automatically detect and protect credit card numbers in emails and documents. Which Microsoft Purview feature should they configure?

A. Data Lifecycle Management
B. Data Loss Prevention (DLP)
C. Insider Risk Management
D. Information Protection
Answer: B

DLP policies automatically detect sensitive information like credit card numbers and apply protective actions.

Why this answer

Data Loss Prevention (DLP) policies in Microsoft Purview can automatically detect sensitive information like credit card numbers and apply protective actions, such as blocking or encrypting the content. Information Protection refers to sensitivity labels and encryption, but DLP is the feature that uses policies to detect and protect data in transit and at rest. Data Lifecycle Management handles retention and deletion.

Insider Risk Management focuses on user behavior.

163
MCQ · medium

You are a security analyst using Microsoft Sentinel. You run the Kusto query shown in the exhibit. What does this query do?

A. Counts security alerts containing 'MFA' per day for the last 7 days
B. Lists all identities that triggered MFA alerts
C. Counts distinct users with MFA alerts per day
D. Counts alerts by severity over the last week
Answer: A

Summarize count() by AlertName and time creates a daily count.

Why this answer

Option A is correct. The query filters alerts with 'MFA' in the name over the last 7 days, counts them per day, and renders a timechart. Option C is wrong because it counts alerts, not distinct users.

Option B is wrong because it counts alerts, not identities. Option D is wrong because it doesn't filter by severity.

164
MCQ · medium

Your organization is implementing a new policy to ensure that only authorized users can access sensitive financial data stored in Microsoft SharePoint Online. The security team wants to enforce multi-factor authentication (MFA) for all users accessing this data, but only when accessing from outside the corporate network. Which Microsoft Entra ID conditional access policy setting should you configure to meet this requirement?

A. Use app-enforced restrictions for SharePoint
B. Grant access requiring device to be marked as compliant when location is not trusted
C. Grant access requiring multi-factor authentication when the location is not trusted
D. Block access when the location is not trusted
Answer: C

This enforces MFA for external access while allowing internal access without MFA.

Why this answer

Option C is correct because conditional access policies allow you to grant access only when specific conditions are met, such as requiring MFA when the location is not trusted. Option D is wrong because blocking access from outside the network would prevent legitimate remote work. Option B is wrong because blocking access from non-compliant devices does not directly enforce MFA.

Option A is wrong because session controls, like app-enforced restrictions, do not enforce MFA at sign-in.

165
MCQ · easy

A company deploys firewalls, intrusion detection systems, and endpoint antivirus software at multiple layers of its network. This strategy is intended to ensure that if one security control fails, others still provide protection. Which security concept does this approach represent?

A. Defense in depth
B. Least privilege
C. Separation of duties
D. Zero trust
Answer: A

Defense in depth is the correct concept. It employs overlapping security controls so that if one layer is breached, subsequent layers continue to protect the system.

Why this answer

Defense in depth is a security strategy that layers multiple independent controls—such as firewalls, intrusion detection systems (IDS), and endpoint antivirus—across different network segments. The core principle is that if one layer is breached or fails, subsequent layers continue to provide protection, ensuring no single point of failure compromises the entire security posture.

Exam trap

The trap here is that candidates confuse 'defense in depth' with 'zero trust' because both involve multiple security controls, but zero trust is specifically about eliminating implicit trust through continuous verification, not about layering independent defenses.

How to eliminate wrong answers

Option B (Least privilege) is wrong because it focuses on restricting user permissions to the minimum necessary for their role, not on layering multiple security controls. Option C (Separation of duties) is wrong because it divides critical tasks among multiple people to prevent fraud or error, not to create redundant security layers. Option D (Zero trust) is wrong because it assumes no implicit trust and continuously verifies every access request, but it does not inherently require multiple independent security layers; it is a model of continuous verification, not a layered defense strategy.

166
Multi-Select · easy

A company implements a security policy where employees must use a smart card to log into their workstations. After logging in, they can only access file shares that correspond to their department. Which two security concepts are demonstrated in this scenario?

Select 2 answers
A. Authentication and authorization
B. Identification and accounting
C. Authorization and non-repudiation
D. Confidentiality and integrity
Answers: A, C

Smart card login verifies identity (authentication). Restricting file share access based on department controls what the user can do (authorization).

Why this answer

The smart card login verifies the user's identity, which is authentication. The subsequent restriction to department-specific file shares controls what resources the user can access, which is authorization. Together, these two steps demonstrate the security concepts of authentication (proving who you are) and authorization (determining what you can do).

Exam trap

The trap here is that candidates confuse authentication with identification, or think that authorization alone covers the scenario, but the smart card login explicitly demonstrates authentication as a separate step before authorization is applied.

167
MCQ · easy

A company subscribes to a SaaS human resources application hosted by an external provider. The provider is responsible for maintaining the physical data centers, network infrastructure, and the underlying application software. The company is responsible for managing user accounts, configuring user permissions, and classifying the data they upload. Which security model does this arrangement primarily describe?

A. Defense in depth
B. Zero Trust
C. Shared responsibility model
D. CIA triad
Answer: C

The shared responsibility model correctly defines the split of security tasks between the cloud provider and the customer based on the service model (IaaS, PaaS, SaaS). In this SaaS example, the provider handles infrastructure, and the customer handles data and access.

Why this answer

Option C is correct because the scenario explicitly describes a division of security responsibilities between the SaaS provider and the customer. The provider handles physical security, network infrastructure, and application software (security *of* the cloud), while the company manages user accounts, permissions, and data classification (security *in* the cloud). This is the core definition of the shared responsibility model, which is foundational to cloud computing and directly tested in SC-900.

Exam trap

The trap here is that candidates confuse the shared responsibility model with defense in depth or Zero Trust, because all three involve 'security layers' or 'trust boundaries,' but only the shared responsibility model specifically defines the split of security obligations between a cloud provider and a customer.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy (e.g., firewalls, IDS, encryption) applied within a single organization's own environment, not a model for dividing responsibilities between a provider and a customer. Option B is wrong because Zero Trust is a security framework based on 'never trust, always verify' (e.g., continuous authentication, micro-segmentation), not a model for allocating security duties between a cloud provider and a tenant. Option D is wrong because the CIA triad (Confidentiality, Integrity, Availability) is a set of security objectives, not a model that describes how security tasks are split between a provider and a customer.

168
MCQ · medium

Your company has a Microsoft 365 E5 subscription and uses Microsoft Teams for collaboration. The security team needs to ensure that guest users invited to Teams channels are required to pass multi-factor authentication (MFA) before accessing company resources. Currently, guest users are invited via Entra ID External ID but MFA is not enforced. You need to enforce MFA for all guest users. The solution should apply to all guest users across all applications. What should you configure?

A. Create a Conditional Access policy in Entra ID that targets all guest users and requires MFA
B. Set the guest user access level in Teams to allow only authenticated users
C. Configure Entra ID External ID to require MFA for all external users
D. Enable MFA for each guest user account individually
Answer: A

Conditional Access policies can be scoped to guest users and require MFA for all apps.

Why this answer

Option A is correct because a Conditional Access policy targeting all guest users and requiring MFA is the standard way to enforce MFA for guests across applications. Option C is wrong because it adds a step for all external users, which is broader than needed. Option B is wrong because it does not enforce MFA.

Option D is wrong because the per-user MFA option is deprecated and less flexible.

169
MCQ · medium

An organization uses Microsoft Intune to manage devices. They want to ensure that only devices that are compliant with security policies (e.g., encryption enabled, latest patches) can access corporate email. Which Microsoft Entra feature should they use to enforce this requirement?

A. Conditional Access in Microsoft Entra ID
B. Microsoft Defender for Endpoint
C. Device compliance policies in Microsoft Intune
D. Azure AD Join
Answer: A

Conditional Access can block or allow access based on device compliance status.

Why this answer

Conditional Access policies can require that devices be marked as compliant by Intune before granting access. Option C is wrong because device compliance policies in Intune set the compliance state but do not enforce access. Option D is wrong because Azure AD Join is a device identity, not an access enforcement mechanism.

Option B is wrong because Microsoft Defender for Endpoint provides threat detection, not access control.

170
MCQ · hard

Your organization uses Microsoft Purview to classify sensitive data. You need to create a custom sensitive information type that detects employee IDs matching the pattern 'EMP-XXXXX' (where X is a digit). Which rule pack element must you define?

A. Keyword list
B. Regular expression
C. Data store reference
D. Function
Answer: B

A regex pattern can detect the 'EMP-XXXXX' pattern.

Why this answer

Option B is correct because a regex pattern is used to define custom patterns in sensitive information types. Option A is incorrect because a keyword list is for exact keywords. Option D is incorrect because a function is for built-in functions.

Option C is incorrect because a data store reference is for external data sources.

171
MCQ · medium

A company uses digital signatures to ensure that a sender cannot later deny having sent a message. Which security principle does this primarily address?

A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation
Answer: D

Non-repudiation specifically addresses the inability to deny an action. Digital signatures provide cryptographic proof of origin and consent, ensuring the sender cannot deny sending the message.

Why this answer

Digital signatures use asymmetric cryptography (e.g., RSA or ECDSA) to bind a signer's identity to a message. The signature is created with the sender's private key and verified with their public key, providing cryptographic proof of origin. This directly enforces non-repudiation because the sender cannot plausibly deny having signed the message, as only they possess the private key.

Exam trap

The trap here is that candidates often confuse digital signatures with encryption, assuming they primarily provide confidentiality, when in fact signatures focus on authentication and non-repudiation, while encryption (e.g., using the recipient's public key) is what ensures confidentiality.

How to eliminate wrong answers

Option A is wrong because confidentiality is about preventing unauthorized access to data, typically achieved through encryption (e.g., AES), not digital signatures. Option B is wrong because integrity ensures data has not been altered, which digital signatures also provide via hashing, but the question specifically asks about preventing denial of sending, which is non-repudiation. Option C is wrong because availability ensures systems and data are accessible when needed, often via redundancy or failover, and is unrelated to sender identity or signature verification.

172
MCQ · hard

Refer to the exhibit. You are configuring a sensitivity label in Microsoft Purview. The label is set to automatically apply when credit card numbers are detected. However, users report that the label is not being applied to documents containing credit card numbers. What is the most likely cause?

A. The encryption is misconfigured
B. The label is not published to a label policy
C. The auto-labeling condition is incorrect
D. The user permissions are missing
Answer: B

Labels must be published via a label policy to be applied automatically.

Why this answer

Option B is correct because the auto-labeling rule requires a condition, but the label may not be published to users. However, the exhibit shows no policy assignment. The most likely cause is that the label is not published to a label policy (option B).

Option A is incorrect because encryption is configured. Option C is incorrect because the condition is valid. Option D is incorrect because user permissions are defined.

173
MCQ · medium

An organization is redesigning its security architecture based on the Zero Trust model. Which principle requires that every access request must be fully authenticated, authorized, and encrypted before granting access, regardless of the network location?

A. Assume breach
B. Least privilege
C. Verify explicitly
D. Trust but verify
Answer: C

This principle states that every access request should be fully authenticated, authorized, and encrypted, regardless of the network location or device.

Why this answer

The Zero Trust model is built on three core principles: verify explicitly, least privilege, and assume breach. The principle that mandates every access request—regardless of whether it originates from inside or outside the corporate network—must be fully authenticated, authorized, and encrypted before granting access is 'verify explicitly'. This means using strong authentication methods (e.g., multifactor authentication), continuous validation of authorization (e.g., Conditional Access policies), and enforcing encryption (e.g., TLS 1.3) for every request, not just those from untrusted locations.

Exam trap

Microsoft often tests the distinction between 'verify explicitly' and 'trust but verify', where candidates mistakenly choose 'trust but verify' because it sounds like a security principle, but the Zero Trust model explicitly rejects any form of implicit trust, requiring verification for every request regardless of network location.

How to eliminate wrong answers

Option A is wrong because 'assume breach' is a Zero Trust principle that focuses on minimizing the blast radius and segmenting access, not on the upfront verification of each request; it assumes a breach has already occurred and designs defenses accordingly. Option B is wrong because 'least privilege' is a principle that limits user and device access rights to only what is necessary to perform a task, but it does not address the requirement for full authentication, authorization, and encryption of every request. Option D is wrong because 'trust but verify' is an outdated security model that implicitly trusts users or devices inside the network perimeter and only verifies when necessary, which contradicts the Zero Trust mandate to never trust and always verify explicitly.

174
MCQeasy

A company implements a security model where no user or device is automatically trusted, even if they are inside the corporate network. Every access request must be authenticated, authorized, and encrypted before granting access, regardless of the request origin. This model is known as:

A.Defense in depth
B.Perimeter security
C.Zero Trust
D.Least privilege
AnswerC

Zero Trust is the correct model. It requires explicit verification of every access request, regardless of network location, and enforces least privilege and assumed breach principles.

Why this answer

Option C is correct because Zero Trust is a security model that explicitly assumes no implicit trust based on network location. Every access request must be authenticated, authorized, and encrypted, regardless of whether it originates from inside or outside the corporate network. This aligns with the core Zero Trust principle of 'never trust, always verify'.

Exam trap

The trap here is that candidates often confuse Zero Trust with Defense in depth, assuming that multiple layers of security automatically remove implicit trust, but Zero Trust specifically targets the assumption of trust based on network location.

How to eliminate wrong answers

Option A is wrong because Defense in depth is a layered security strategy using multiple controls (e.g., firewalls, IDS, antivirus) but does not inherently remove implicit trust from internal networks. Option B is wrong because Perimeter security relies on a strong network boundary (e.g., firewalls, VPNs) and trusts internal traffic once inside, which directly contradicts the described model. Option D is wrong because Least privilege is a principle of granting only the minimum necessary permissions, not a model that addresses authentication, authorization, and encryption for every request regardless of origin.

175
MCQeasy

A user reports that they cannot access a sensitive document in SharePoint. The document has a sensitivity label of 'Highly Confidential' applied. The user is a member of the 'Finance' group, which has the label permission. However, the user is located in a country that is blocked by a conditional access policy. What is the most likely reason the user cannot access the document?

A.The user does not have the required sensitivity label permission
B.The user does not have a Microsoft 365 E5 license
C.A conditional access policy is blocking access based on the user's location
D.The document does not have a sensitivity label applied
AnswerC

Conditional access policies can block access from specific locations, overriding label permissions.

Why this answer

Option C is correct because conditional access policies can block access based on location, overriding label permissions. Option A is wrong because the user has the required label permission. Option B is wrong because licensing is not indicated as an issue. Option D is wrong because the label is correctly applied.

176
MCQmedium

A user authenticates with a smart card and is then granted access to a specific database based on their job role in the finance department. Which security concept describes the process of determining what the authenticated user is allowed to do?

A.Authentication
B.Authorization
C.Accounting
D.Encryption
AnswerB

Authorization evaluates the user's role and permissions to decide whether they can access the specific database, matching the description.

Why this answer

Authorization is the security concept that determines what an authenticated user is permitted to do. In this scenario, after the user authenticates with a smart card, the system checks their job role in the finance department against access control lists (ACLs) or role-based access control (RBAC) policies to grant access to the specific database. This is distinct from authentication, which only verifies identity.

Exam trap

The trap here is confusing authentication with authorization; candidates often pick 'Authentication' because they focus on the smart card step, but the question explicitly asks about determining what the user is allowed to do, which is authorization.

How to eliminate wrong answers

Option A is wrong because authentication is the process of verifying the user's identity (e.g., via smart card credentials), not determining what they are allowed to do. Option C is wrong because accounting (or auditing) tracks and logs user activities for compliance and monitoring, but does not enforce permissions. Option D is wrong because encryption protects data at rest or in transit by converting it into ciphertext, but does not control access rights after decryption.

177
MCQmedium

Your organization is implementing a Zero Trust security model. Which Microsoft Entra ID feature should you use to verify that users and devices meet specific health requirements before granting access to corporate resources?

A.Privileged Identity Management (PIM)
B.Identity Governance
C.Identity Protection
D.Conditional Access
AnswerD

Conditional Access evaluates signals like device compliance to enforce access controls.

Why this answer

Option D is correct because Conditional Access policies can enforce device compliance, MFA, and other health checks. Option A is wrong because Privileged Identity Management manages just-in-time admin roles. Option B is wrong because Identity Governance manages access reviews and lifecycle. Option C is wrong because Identity Protection detects risks but doesn't enforce device health.

178
MCQeasy

An organization wants to use a cloud-based SIEM to collect security data from multiple sources, including on-premises servers and cloud applications. Which Microsoft solution should they choose?

A.Microsoft Sentinel
B.Microsoft Intune
C.Microsoft 365 Defender
D.Microsoft Defender for Cloud
AnswerA

Sentinel is a scalable SIEM that collects and analyzes security data from diverse sources.

Why this answer

Microsoft Sentinel is a cloud-native SIEM that can ingest data from various sources. Defender for Cloud is for cloud security posture management. Microsoft 365 Defender is for detection and response across Microsoft 365.

Intune is for device management.

179
MCQhard

Your company uses Microsoft Purview Information Protection to classify sensitive data. A user reports that when they try to share a document containing a credit card number via email, the email is blocked. Which Purview feature is most likely causing this behavior?

A.Data Loss Prevention (DLP) policy
B.Audit log
C.Sensitivity label
D.Retention label
AnswerA

DLP policies can detect credit card numbers and block sharing via email.

Why this answer

Option A is correct because Data Loss Prevention (DLP) policies can block emails containing sensitive data. Option B is wrong because audit logs record events but don't enforce blocks. Option C is wrong because sensitivity labels apply metadata but don't block actions. Option D is wrong because retention labels manage retention, not blocking.

180
Multi-Selectmedium

Which TWO of the following are benefits of using Microsoft Entra ID for identity management?

Select 2 answers
A.Single sign-on (SSO) to cloud applications
B.Password hash synchronization
C.Multi-factor authentication (MFA)
D.Automated security incident detection
E.Replacement of on-premises Active Directory
AnswersA, C

Entra ID enables SSO across thousands of SaaS apps.

Why this answer

Single sign-on (SSO) and multi-factor authentication (MFA) are key benefits of Entra ID. Password hash synchronization is a feature of Entra Connect, not a direct benefit. On-premises Active Directory is a separate service.

Security incident detection is more aligned with Microsoft Sentinel or Defender.

181
MCQeasy

Which Microsoft cloud service provides a unified data governance solution that helps you manage and protect data across your entire data estate, including multi-cloud and on-premises?

A.Microsoft Defender for Cloud
B.Microsoft Intune
C.Microsoft Sentinel
D.Microsoft Purview
AnswerD

Purview provides data governance, classification, and lineage.

Why this answer

Option D is correct because Microsoft Purview is the unified data governance service. Option A is wrong because Microsoft Defender for Cloud focuses on security posture. Option B is wrong because Microsoft Intune manages endpoints.

Option C is wrong because Microsoft Sentinel is a SIEM.

182
MCQeasy

A company uses a cloud-based email service. The service provider ensures that the physical data centers are secure and that the email platform is patched and available. The company is responsible for managing user accounts and ensuring that employees use strong passwords. This division of responsibilities is an example of which concept?

A.Defense in depth
B.Shared responsibility model
C.Zero Trust
D.Principle of least privilege
AnswerB

Correct. The shared responsibility model clearly divides security obligations between the cloud provider and the customer.

Why this answer

The scenario describes a clear division of security responsibilities between the cloud service provider (securing physical data centers, patching the platform) and the customer (managing user accounts, enforcing strong passwords). This is the core definition of the shared responsibility model, which is a foundational concept in cloud computing (as defined by NIST SP 800-145 and adopted by major providers like Microsoft 365). The model explicitly delineates that the provider is responsible for 'security of the cloud' (physical hosts, network, hypervisor) while the customer is responsible for 'security in the cloud' (user identities, data, client endpoints).

Exam trap

The trap here is that candidates confuse the shared responsibility model with defense in depth because both involve multiple security layers, but the question specifically tests the contractual and operational division of security tasks between cloud provider and customer, not the stacking of controls.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, antivirus, encryption) to protect assets, not a division of responsibilities between two parties. Option C is wrong because Zero Trust is a security model based on 'never trust, always verify'—it assumes no implicit trust and requires continuous authentication for every access request, not a contractual split of duties. Option D is wrong because the principle of least privilege is an access control concept that grants users only the minimum permissions needed to perform their tasks, not a framework for dividing security obligations between a provider and a customer.

183
MCQmedium

Your organization wants to use Microsoft Entra ID to provide single sign-on (SSO) for a third-party SaaS application. What must you configure in Microsoft Entra ID?

A.Identity Protection policy
B.Conditional Access policy
C.Enterprise application registration
D.Self-service password reset
AnswerC

You register the SaaS app as an enterprise application and configure SSO.

Why this answer

Option C is correct because you need to add the SaaS app from the gallery and configure SSO. Option A is incorrect because Identity Protection is for risk detection. Option B is incorrect because Conditional Access is for access controls. Option D is incorrect because self-service password reset is a different feature.

184
MCQmedium

A company's security team has adopted a strategy that assumes a breach has already occurred. They implement network segmentation, apply strict least privilege access, continuously verify all access requests, and never trust users or devices solely because they are inside the network perimeter. This approach best describes which security model?

A.Zero Trust
B.Shared responsibility model
C.Defense in depth
D.Identity and Access Management (IAM)
AnswerA

Zero Trust is a security model that eliminates implicit trust and continuously validates every phase of a digital interaction. It assumes breach, verifies explicitly, and uses least privilege access.

Why this answer

The scenario explicitly describes the core tenets of the Zero Trust model: assume breach, enforce least privilege, segment networks, and never trust any user or device based solely on network location. Zero Trust, as defined by NIST SP 800-207, mandates continuous verification of every access request, treating every request as if it originates from an untrusted network, which directly matches the company's strategy.

Exam trap

The trap here is that candidates confuse 'Defense in depth' with Zero Trust because both involve multiple security controls, but Defense in depth does not require the 'assume breach' mindset or the elimination of implicit trust based on network perimeter, which is the defining characteristic of Zero Trust.

How to eliminate wrong answers

Option B (Shared responsibility model) is wrong because it describes the division of security responsibilities between a cloud provider and a customer (e.g., AWS or Azure), not a security architecture that assumes breach and verifies every request. Option C (Defense in depth) is wrong because it relies on multiple layers of security controls (e.g., firewalls, IDS/IPS) but does not inherently require the 'never trust, always verify' principle or the assumption of an existing breach; it is a layered approach, not a trust model. Option D (Identity and Access Management - IAM) is wrong because IAM is a subset of security controls focused on managing identities and access policies (e.g., Azure AD, RBAC), not a comprehensive security model that dictates network segmentation and continuous verification of all access requests.

185
MCQmedium

A healthcare organization must comply with HIPAA regulations. They use Microsoft Purview to classify and label patient data. Which Microsoft Purview capability helps them enforce data protection policies automatically?

A.eDiscovery
B.Audit logs
C.Sensitivity labels
D.Data loss prevention (DLP) policies
AnswerD

DLP policies can automatically block or warn users when sensitive data is shared inappropriately.

Why this answer

Data loss prevention (DLP) policies in Microsoft Purview can automatically detect and protect sensitive data like health information. Option A is wrong because eDiscovery focuses on searching content for legal purposes, not automatic enforcement. Option B is wrong because audit logs record events but don't enforce policies. Option C is wrong because sensitivity labels apply classification but not automatic protection actions.

186
MCQmedium

Refer to the exhibit. A security administrator is reviewing an Azure Resource Manager template for a virtual machine. What is the purpose of the 'identity' section shown?

A.It enables system-assigned managed identity for the VM.
B.It configures multi-factor authentication for the VM.
C.It creates a new managed identity named 'id1' in the resource group.
D.It assigns a user-assigned managed identity to the VM so it can access other Azure resources securely.
AnswerD

User-assigned managed identities allow VMs to authenticate to Azure services without secrets.

Why this answer

The identity section assigns a user-assigned managed identity to the virtual machine, allowing it to authenticate to Azure services without storing credentials. Option A is wrong because system-assigned managed identity would have 'type': 'SystemAssigned'. Option B is wrong because it does not enable MFA. Option C is wrong because it does not create a new identity; it references an existing one.

187
MCQeasy

Refer to the exhibit. You are reviewing a conditional access policy in Microsoft Entra ID. The policy is enabled and applies to all cloud apps. Which users are affected by this policy?

A.All users who are members of any Azure AD administrative role
B.All users who are members of the Global Administrator role only
C.All users who are members of the Global Administrator or Exchange Administrator role
D.All users in the organization
AnswerC

Correctly interprets the includeRoles property.

Why this answer

Option C is correct because the property 'includeRoles' specifies that only users assigned the Global Administrator or Exchange Administrator roles are included. Option A is wrong because the policy does not apply to all admin roles, only the two specified. Option B is wrong because Exchange Administrator is included as well as Global Administrator. Option D is wrong because the policy applies only to roles, not all users.

188
MCQeasy

A healthcare organization uses digital signatures on electronic medical records to ensure that the records have not been tampered with during transmission. Which security goal is primarily being addressed by this practice?

A.Confidentiality
B.Integrity
C.Availability
D.Non-repudiation
AnswerB

Integrity ensures data has not been altered by unauthorized parties. Digital signatures provide a mechanism to detect any changes, thus preserving integrity.

Why this answer

Digital signatures use asymmetric cryptography (e.g., RSA or ECDSA): a hash of the electronic medical record is computed and then signed with the signer's private key. Any tampering with the record during transmission will cause signature verification to fail, directly ensuring data integrity. This practice does not primarily address confidentiality (which requires encryption) or availability (which focuses on uptime).

Exam trap

The trap here is that candidates often confuse integrity with non-repudiation, but the question's focus on 'tampered with during transmission' directly points to integrity, not the ability to prove who signed it.

How to eliminate wrong answers

Option A is wrong because confidentiality is about preventing unauthorized access to data, typically achieved through encryption (e.g., AES or TLS), not through digital signatures which do not hide the content. Option C is wrong because availability ensures that systems and data are accessible when needed, often via redundancy or disaster recovery, and digital signatures do not contribute to uptime. Option D is wrong because non-repudiation prevents the signer from denying their action, which is a secondary benefit of digital signatures, but the question specifically asks about tamper detection during transmission, which is the core integrity goal.

189
Multi-Selectmedium

Which TWO components are part of the 'Zero Trust' security model? (Choose two.)

Select 2 answers
A.Least privilege
B.VPN access
C.Password complexity
D.Verify explicitly
E.Perimeter-based security
AnswersA, D

Limit access to only what is needed.

Why this answer

Correct answers are A and D: Verify explicitly assumes every access request is a potential threat, and Least privilege ensures users have only the minimum access needed. Option B is incorrect because VPNs are network access methods, not Zero Trust principles. Option C is incorrect because password complexity is a single factor. Option E is incorrect because perimeter security is a traditional model.

190
MCQmedium

A company is migrating its on-premises workloads to Azure. The CISO wants to understand the division of security responsibilities between Microsoft and the customer across cloud service models. For which cloud service model does the customer have the most security responsibility?

A.Software as a Service (SaaS)
B.Platform as a Service (PaaS)
C.Infrastructure as a Service (IaaS)
D.On-premises
AnswerC

In IaaS, the customer manages the virtual machines, operating systems, applications, and data, while the provider manages the physical hosts and network. This gives the customer the most security responsibility among cloud service models.

Why this answer

In the Infrastructure as a Service (IaaS) model, the customer is responsible for securing the operating system, applications, data, and network configurations, while Microsoft only secures the physical datacenter, host servers, and hypervisor. This gives the customer the most security responsibility compared to PaaS or SaaS, where Microsoft manages more of the stack.

Exam trap

The trap here is that candidates often confuse 'most responsibility' with 'most control' and incorrectly pick on-premises (Option D), forgetting that the question explicitly asks about cloud service models, where IaaS gives the customer the greatest security responsibility among the cloud options.

How to eliminate wrong answers

Option A is wrong because in SaaS (e.g., Microsoft 365), Microsoft manages nearly the entire security stack including the application, runtime, and data storage, leaving the customer responsible only for data classification and account hygiene. Option B is wrong because in PaaS (e.g., Azure SQL Database), Microsoft secures the runtime, OS, and middleware, while the customer manages only the application code and data access. Option D is wrong because on-premises workloads give the customer 100% security responsibility, but the question asks about cloud service models, and on-premises is not a cloud model; the CISO specifically wants to understand division of responsibilities across cloud service models.

191
Multi-Selecteasy

A user logs into a company portal by entering a username and password. After successful login, the system checks if the user is a member of the 'Sales' group and then grants access to the sales dashboard. Which two security concepts are demonstrated in this process? (Choose two.)

Select 2 answers
A.Authentication
B.Authorization
C.Non-repudiation
D.Accounting
AnswersA, B

Correct. The user provided credentials (username/password) to prove their identity, which is authentication.

Why this answer

Authentication is demonstrated because the user proves their identity by providing a username and password, which the system verifies before allowing access. This is the process of validating credentials, typically against a directory service like Azure AD or an on-premises Active Directory, confirming the user is who they claim to be.

Exam trap

The trap here is that candidates often confuse authentication (verifying identity) with authorization (verifying permissions), and may incorrectly select non-repudiation or accounting because they sound like security concepts, but neither is involved in the simple login and group-check process described.

192
MCQeasy

You run the PowerShell command shown in the exhibit. What is the purpose of this command?

A.Applies a sensitivity label to a document
B.Encrypts a document using Azure Information Protection
C.Removes a sensitivity label from a document
D.Exports audit logs for labeled documents
AnswerA

Set-AIPFileLabel assigns a label to the specified file.

Why this answer

Option A is correct. The command assigns a sensitivity label to a document. Option B is wrong because it does not encrypt the file; labeling may include encryption but the command itself only assigns the label. Option C is wrong because it does not remove a label. Option D is wrong because it does not export audit logs.

193
Multi-Selectmedium

Which TWO are principles of the Zero Trust security model?

Select 2 answers
A.Verify explicitly
B.Trust everything inside the network
C.Assume breach
D.Use a VPN for remote access
E.Layer defenses
AnswersA, C

Zero Trust requires verifying every access request explicitly.

Why this answer

Options A and C are correct. Zero Trust principles include 'verify explicitly' and 'assume breach'. Option B is a traditional perimeter security approach. Option D describes a traditional VPN-based approach. Option E is a principle of defense in depth, not Zero Trust.

194
MCQmedium

A company wants to ensure that all users access corporate resources using multi-factor authentication (MFA). Which Microsoft Entra ID feature should they configure to enforce MFA for all users?

A.Conditional Access
B.Privileged Identity Management
C.Identity Protection
D.Security defaults
AnswerA

Conditional Access policies can require MFA for all users based on conditions like user risk or location.

Why this answer

Conditional Access policies allow granular control over authentication requirements, including MFA enforcement. Security defaults provide basic MFA but are less flexible. Identity Protection detects risks but does not enforce MFA directly.

Privileged Identity Management manages roles, not MFA enforcement.

195
MCQeasy

A company implements a security measure to ensure that only authorized employees can view sensitive customer records. Which principle of the CIA triad does this measure primarily protect?

A.Confidentiality
B.Integrity
C.Availability
D.Accountability
AnswerA

Correct. Confidentiality prevents unauthorized access to information, which matches the requirement to limit access to authorized employees.

Why this answer

Confidentiality ensures that sensitive information is accessible only to authorized individuals. By restricting access to customer records to authorized employees, the company directly prevents unauthorized disclosure, which is the core goal of confidentiality in the CIA triad.

Exam trap

The trap here is that candidates often confuse confidentiality with integrity, thinking that preventing unauthorized changes is the same as preventing unauthorized viewing, but confidentiality is about secrecy, not data accuracy.

How to eliminate wrong answers

Option B (Integrity) is wrong because integrity focuses on protecting data from unauthorized modification or deletion, not on restricting access. Option C (Availability) is wrong because availability ensures that systems and data are accessible when needed, not who can view them. Option D (Accountability) is wrong because accountability is not a principle of the CIA triad; it is a separate concept related to auditing and traceability of actions.

196
Multi-Selecteasy

Which TWO of the following are types of identity in Microsoft Entra ID? (Select two.)

Select 2 answers
A.Synchronized identity
B.Cloud-only identity
C.Guest identity
D.Managed identity
E.Hybrid identity
AnswersA, B

User account synchronized from on-premises Active Directory.

Why this answer

Options A and B are correct. Microsoft Entra ID supports synchronized identities from on-premises (A) and cloud-only identities (B). Option C is incorrect because 'Guest identity' is a type of external identity, but it is not a primary category. Option D is incorrect because 'Managed identity' is a specific Azure resource identity. Option E is incorrect because 'Hybrid identity' is a scenario, not a type.

197
MCQeasy

Refer to the exhibit. A security analyst runs this Kusto Query Language (KQL) query in Microsoft Sentinel. What is being identified?

A.Multi-factor authentication failures.
B.Successful sign-ins in the last day.
C.Sign-in attempts from unknown IP addresses.
D.Sign-in attempts by disabled user accounts.
AnswerD

ResultType 50057 corresponds to 'User Account Disabled'.

Why this answer

The query filters sign-in logs from the last day with ResultType 50057, which indicates that the user account is disabled. Option A is wrong because MFA failure has different result types. Option B is wrong because successful sign-ins have ResultType 0. Option C is wrong because ResultType 50057 is specifically for disabled accounts.

198
MCQhard

A security architect is designing a Zero Trust security model for a hybrid organization. Which principle of Zero Trust requires that every access request must be fully authenticated and authorized regardless of the network location, and that access should be granted with the minimum level required?

A.Assume breach
B.Verify explicitly
C.Use least privileged access
D.Segment access
AnswerB

Verify explicitly means always authenticate and authorize based on all available data points (user identity, device health, location, etc.) before granting access, and then use least privilege.

Why this answer

B is correct because the 'Verify explicitly' principle of Zero Trust mandates that every access request must be fully authenticated and authorized based on all available data points—including user identity, device health, and location—before granting access. This principle directly requires that authentication and authorization occur for every request, regardless of network location, and that the resulting access is granted with the minimum level required, which is further enforced by the 'Use least privileged access' principle. In a hybrid organization, this ensures that even requests from inside the corporate network are treated with the same scrutiny as external requests.

Exam trap

The trap here is that candidates confuse 'Verify explicitly' with 'Use least privileged access' because both involve access control, but 'Verify explicitly' is specifically about the authentication and authorization step, while 'Use least privileged access' is about the scope of permissions after access is granted.

How to eliminate wrong answers

Option A is wrong because 'Assume breach' is a Zero Trust principle that focuses on minimizing the blast radius and segmenting access, not on the authentication and authorization of every request. Option C is wrong because 'Use least privileged access' is a separate Zero Trust principle that limits access rights to the minimum necessary, but it does not itself require that every request be fully authenticated and authorized. Option D is wrong because 'Segment access' is a principle that involves dividing the network into isolated zones to limit lateral movement, not the explicit verification of each access request.

199
MCQeasy

A company's security policy requires that customer data must only be accessible by authorized sales representatives. Which security principle does this requirement directly enforce?

A.Integrity
B.Availability
C.Confidentiality
D.Non-repudiation
AnswerC

Confidentiality is the principle of limiting access to data only to those who are authorized, which directly matches the requirement.

Why this answer

The principle of confidentiality ensures that information is accessible only to authorized individuals or systems. In this scenario, restricting access to customer data to only authorized sales representatives aligns with maintaining confidentiality. The other options are incorrect: Integrity ensures data is not improperly modified, Availability ensures systems are operational, and Non-repudiation ensures actions cannot be denied.

200
MCQeasy

A user downloads a software update from a company's internal website. The update file is hashed, and the hash value is published on a separate secure page. After downloading, the user computes the hash of the downloaded file and compares it to the published hash. The two values match. Which security concept is primarily demonstrated by this comparison?

A.Confidentiality
B.Integrity
C.Availability
D.Authentication
AnswerB

Integrity ensures data has not been tampered with. Matching hashes indicates the file is unchanged, confirming its integrity.

Why this answer

Hashing is a one-way cryptographic function that produces a fixed-size digest from input data. By comparing the computed hash of the downloaded file to the published hash, the user verifies that the file has not been altered during transit or storage. This directly demonstrates the security concept of integrity, which ensures data has not been tampered with or corrupted.

Exam trap

The trap here is that candidates often confuse integrity with authentication, mistakenly thinking that verifying a hash proves the file's origin (authentication) rather than its unaltered state (integrity).

How to eliminate wrong answers

Option A is wrong because confidentiality is about protecting data from unauthorized access, typically achieved through encryption (e.g., AES, TLS), not through hash comparison. Option C is wrong because availability ensures that systems and data are accessible when needed, often via redundancy or disaster recovery, not by verifying file integrity. Option D is wrong because authentication verifies the identity of a user or system (e.g., via passwords, certificates, or multi-factor authentication), not the integrity of a file.

201
MCQeasy

A security administrator is explaining the shared responsibility model to a new team member. The company uses a Software-as-a-Service (SaaS) application such as Microsoft 365. For which of the following items is the customer primarily responsible under this model?

A.Physical security of the data center hosting the SaaS application
B.Patching the hypervisor that runs the SaaS infrastructure
C.Managing user access and classifying data stored in the service
D.Applying security updates to the SaaS application itself
AnswerC

The customer is responsible for their own data, including managing who has access, classifying information, and ensuring data is handled in accordance with compliance requirements.

Why this answer

In the shared responsibility model for SaaS like Microsoft 365, the customer is responsible for managing user access (e.g., configuring Azure AD roles, conditional access policies, and multi-factor authentication) and classifying data stored in the service (e.g., applying sensitivity labels via Microsoft Purview Information Protection). The provider manages the underlying infrastructure, including physical security, hypervisor patching, and application updates.

Exam trap

The trap here is that candidates often confuse operational tasks like patching or physical security with customer responsibilities, failing to recognize that in SaaS the provider handles all infrastructure and application maintenance, leaving only identity and data governance to the customer.

How to eliminate wrong answers

Option A is wrong because physical security of the data center is the sole responsibility of the cloud provider (Microsoft) in the SaaS model; the customer has no physical access or control. Option B is wrong because patching the hypervisor is an infrastructure-layer task managed entirely by the provider, as the customer only interacts with the application layer. Option D is wrong because applying security updates to the SaaS application itself is performed by the provider; the customer is only responsible for configuring application-level settings and managing their own data.

202
MCQeasy

A healthcare organization stores sensitive patient records in a cloud database. The database is encrypted at rest using AES-256. If an attacker gains access to the physical storage media, they cannot read the data. Which security concept does this encryption primarily provide?

A.Confidentiality
B.Integrity
C.Availability
D.Authorization
AnswerA

Correct: Encryption protects the data from unauthorized disclosure, which is the definition of confidentiality.

Why this answer

Encryption at rest using AES-256 ensures that data stored on physical media is unreadable without the decryption key. If an attacker gains physical access to the storage media, the ciphertext cannot be deciphered, directly protecting the secrecy of the data. This aligns with the security goal of confidentiality, which prevents unauthorized disclosure of information.

Exam trap

The trap here is that candidates confuse encryption at rest with integrity controls, mistakenly thinking encryption prevents modification, when in fact encryption only ensures confidentiality and does not provide tamper detection.

How to eliminate wrong answers

Option B is wrong because integrity ensures data has not been tampered with or altered, typically via hashing or digital signatures, not encryption at rest. Option C is wrong because availability ensures systems and data are accessible when needed, often through redundancy or backups, not encryption. Option D is wrong because authorization controls what actions authenticated users can perform, whereas encryption at rest protects data confidentiality regardless of authorization status.

203
MCQeasy

A company hosts a mission-critical customer portal on Azure virtual machines. To ensure continuous availability, they deploy the application across two separate Azure regions. If one region experiences a failure, traffic is automatically routed to the other region with minimal disruption. Which security goal is primarily being addressed by this architecture?

A.Confidentiality
B.Integrity
C.Availability
D.Non-repudiation
AnswerC

Correct. Availability ensures that resources are accessible to authorized users when needed. Deploying across multiple regions with automatic failover is a classic implementation of availability.

Why this answer

Deploying a mission-critical application across two Azure regions with automatic traffic routing directly addresses the security goal of availability. This architecture ensures that if one region fails, the application remains accessible from the other region, minimizing downtime. Azure Traffic Manager or Azure Front Door can be used to route traffic based on priority or latency, providing high availability and disaster recovery.

Exam trap

The trap here is that candidates may confuse high availability (availability goal) with disaster recovery or think that multi-region deployment primarily protects data confidentiality or integrity, when in fact it is designed to ensure continuous service uptime.

How to eliminate wrong answers

Option A is wrong because confidentiality focuses on protecting data from unauthorized access, not on ensuring uptime or failover. Option B is wrong because integrity ensures data is not tampered with or altered, which is not the primary goal of multi-region deployment. Option D is wrong because non-repudiation provides proof of origin or delivery of data, often through digital signatures, and is unrelated to regional failover.

204
MCQmedium

A company has implemented a security model where every access request is fully authenticated, authorized, and encrypted before granting access, regardless of where the request originates (corporate network or internet). The model assumes that no entity is inherently trustworthy and requires continuous verification. This model is known as:

A.Defense in depth
B.Least privilege
C.Zero Trust
D.Shared responsibility
AnswerC

Zero Trust is the correct answer because it is built on the principle of 'never trust, always verify' and assumes no implicit trust based on network location.

Why this answer

The described model—requiring full authentication, authorization, and encryption for every access request, treating no entity as inherently trustworthy, and demanding continuous verification—is the core definition of Zero Trust. This aligns with the NIST SP 800-207 standard, which explicitly states that Zero Trust assumes no implicit trust and enforces verification for every request, regardless of network location.

Exam trap

The trap here is that candidates often confuse Zero Trust with defense in depth, assuming that multiple security layers inherently imply no trust, but defense in depth does not require per-request authentication, authorization, and encryption from any location.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, IDS, antivirus) to protect assets, but it does not inherently assume zero trust or require continuous verification for every access request. Option B is wrong because least privilege is a principle that grants users only the minimum permissions needed to perform their tasks, but it does not mandate full authentication, authorization, and encryption for every request or continuous verification. Option D is wrong because shared responsibility is a cloud security model that delineates security obligations between the provider and customer (e.g., in Azure, Microsoft secures the infrastructure while the customer secures data and identities), but it does not define an access verification model like the one described.

205
MCQhard

A company is deploying a web application on Azure App Service. The security officer states that according to the shared responsibility model, the customer is responsible for managing access to the application and securing the application code. Which of the following responsibilities does Microsoft retain for Azure App Service?

A.Configuring network firewall rules for the App Service
B.Patching the underlying operating system of the App Service host
C.Managing user authentication and authorization
D.Applying encryption to the application data at rest
AnswerB

Microsoft is responsible for patching the host OS and underlying infrastructure as part of the PaaS shared responsibility model.

Why this answer

For Azure App Service, Microsoft retains responsibility for patching the underlying operating system of the host infrastructure. This is part of the shared responsibility model where the cloud provider manages the host OS and hypervisor, while the customer manages the application code, data, and access configurations.

Exam trap

The trap here is that candidates often confuse 'patching the underlying OS' with 'patching the application runtime' or 'configuring network security,' mistakenly thinking Microsoft handles all security tasks for PaaS services, when in fact the customer retains significant control over access and data protection.

How to eliminate wrong answers

Option A is wrong because configuring network firewall rules for the App Service (such as IP restrictions or Azure Front Door integration) is a customer responsibility, not Microsoft's. Option C is wrong because managing user authentication and authorization (e.g., using Azure AD or built-in authentication modules) is the customer's responsibility to configure within their application. Option D is wrong because applying encryption to application data at rest (e.g., using Azure SQL Transparent Data Encryption or storage encryption keys) is a customer-managed task, though Microsoft provides the underlying platform encryption.

206
MCQhard

A multinational corporation wants to implement a Zero Trust security model. They plan to verify every access request explicitly, use least privilege access, and assume breach. Which Microsoft security solution should they use to enforce conditional access policies based on user, device, location, and risk?

A.Microsoft Sentinel
B.Microsoft Intune
C.Microsoft Entra Conditional Access
D.Microsoft Defender for Cloud Apps
AnswerC

It is the core service for implementing conditional access policies in a Zero Trust model.

Why this answer

Microsoft Entra Conditional Access is the service that enforces access policies based on signals like user, device, location, and risk. Option D is wrong because Microsoft Defender for Cloud Apps provides cloud app security but not the primary conditional access engine. Option B is wrong because Microsoft Intune manages devices but does not enforce access policies on its own. Option A is wrong because Microsoft Sentinel is a SIEM/SOAR solution for security analytics, not access control.

207
MCQmedium

A company requires all employees to provide a one-time passcode generated by an authenticator app in addition to their password when accessing the corporate VPN. This practice is an example of which security concept?

A.Authorization
B.Auditing
C.Authentication
D.Accounting
AnswerC

Authentication is the process of verifying the identity of a user or system, and using two factors (password + OTP) is a strong form of authentication.

Why this answer

Option C is correct because the requirement for a one-time passcode (OTP) from an authenticator app in addition to a password is a classic implementation of multi-factor authentication (MFA). Authentication is the process of verifying the identity of a user, device, or service, and this scenario uses two distinct factors: something you know (password) and something you have (the OTP generated by the app). This directly aligns with the security concept of authentication, not authorization, auditing, or accounting.

Exam trap

The trap here is that candidates often confuse authentication (proving identity) with authorization (granting permissions), especially when the question describes a 'gate' like VPN access, leading them to incorrectly select authorization.

How to eliminate wrong answers

Option A is wrong because authorization determines what an authenticated user is allowed to do (e.g., access a specific resource), not how they prove their identity. Option B is wrong because auditing refers to the logging and review of events for compliance or forensic purposes, not the act of verifying credentials. Option D is wrong because accounting (often part of AAA) tracks resource usage and consumption, such as session time or data transferred, not the verification of identity.

208
MCQeasy

Refer to the exhibit. You have a Data Loss Prevention (DLP) policy in Microsoft Purview. What will happen when a user tries to share a document containing a credit card number via email?

A.The email is blocked only if the recipient is external
B.The email is sent with a warning to the recipient
C.The email is sent but the user is not notified
D.The email is blocked and the user receives a notification
AnswerD

The action blocks access and sends a notification email.

Why this answer

Option D is correct because the rule blocks access and notifies the user. Option C is incorrect because the user is notified. Option B is incorrect because the document is blocked, not allowed with warning. Option A is incorrect because the rule applies to all users.

209
MCQmedium

A financial organization implements a security control that logs every access attempt to sensitive financial records, including who accessed the data, when it was accessed, and from which device. The logs are regularly reviewed by the security team. This control primarily addresses which security concept?

A.Confidentiality
B.Integrity
C.Availability
D.Accountability
AnswerD

Accountability means that actions can be traced back to a specific user. Logging access and reviewing logs provides an audit trail to hold users responsible for their actions.

Why this answer

Accountability ensures that actions affecting sensitive data can be traced uniquely to an individual. By logging who accessed the data, when, and from which device, the organization creates an audit trail that holds users responsible for their actions. This directly supports non-repudiation and forensic analysis, which are the core goals of accountability.

Exam trap

The trap here is that candidates confuse logging with confidentiality, thinking that tracking access prevents unauthorized viewing, when in fact logging only records the event and does not block the access itself.

How to eliminate wrong answers

Option A is wrong because confidentiality focuses on preventing unauthorized access to data (e.g., through encryption or access controls), not on logging who accessed it. Option B is wrong because integrity ensures data has not been altered or tampered with (e.g., via hashing or checksums), whereas logging does not protect against modification. Option C is wrong because availability ensures systems and data are accessible when needed (e.g., through redundancy or failover), and logging does not directly contribute to uptime or resilience.

210
MCQeasy

A user receives an encrypted email from their bank. They use their private key to decrypt the message. After reading it, they verify that the message content has not been altered during transit. Which security principle is primarily demonstrated by the verification that the content was not altered?

A.Confidentiality
B.Integrity
C.Availability
D.Non-repudiation
AnswerB

Integrity ensures data has not been altered. Verifying that the message content remains unchanged directly demonstrates integrity.

Why this answer

The verification that the message content has not been altered during transit directly demonstrates the principle of integrity. Integrity ensures that data remains unchanged from its source to its destination, typically enforced through cryptographic hashing or digital signatures. In this scenario, the user's ability to confirm that the email content was not tampered with relies on a hash or signature verification mechanism, which is the core function of integrity protection.

Exam trap

The trap here is that candidates often confuse integrity with non-repudiation, but non-repudiation proves the origin of the message (who sent it), whereas integrity proves the message was not altered—two distinct security goals.

How to eliminate wrong answers

Option A is wrong because confidentiality focuses on preventing unauthorized access to data (e.g., encryption), not on detecting changes to the content. Option C is wrong because availability ensures that systems and data are accessible when needed, which is unrelated to verifying content alteration. Option D is wrong because non-repudiation provides proof of the sender's identity and prevents them from denying having sent the message, but it does not directly verify that the content was not altered during transit.

211
Multi-Selectmedium

A user logs into a company's financial application using their Microsoft Entra ID credentials. After successful sign-in, the application displays a dashboard with data for only the regions the user is authorized to manage. Which two security concepts are demonstrated in this scenario? (Select all that apply.)

Select 2 answers
A.Authentication
B.Authorization
C.Accounting
D.Non-repudiation
AnswersA, B

The sign-in with credentials verifies the user's identity, which is authentication.

Why this answer

Authentication is demonstrated because the user proves their identity by logging in with Microsoft Entra ID credentials, confirming they are who they claim to be. Authorization is demonstrated because after authentication, the application restricts the dashboard to show only data for regions the user is permitted to manage, enforcing access control based on assigned permissions.

Exam trap

The trap here is that candidates confuse authentication (verifying identity) with authorization (granting permissions), and may incorrectly select accounting or non-repudiation because they associate logging in with tracking or non-denial, but the scenario explicitly describes identity verification and access restriction, not logging or signature-based proof.

212
MCQeasy

A small business wants to enable single sign-on (SSO) for its employees using their existing on-premises Active Directory. They plan to migrate to cloud-based identity management. Which Microsoft service should they use to connect their on-premises directory to Microsoft Entra ID?

A.Microsoft Entra Connect
B.Microsoft Intune
C.Active Directory Federation Services (AD FS)
D.Microsoft Entra Cloud Sync
AnswerA

Entra Connect syncs identities and enables SSO with options like password hash sync and pass-through authentication.

Why this answer

Microsoft Entra Connect synchronizes on-premises Active Directory with Microsoft Entra ID, enabling SSO. Option D is wrong because Microsoft Entra Cloud Sync is a newer, simpler tool but not the primary one for full SSO. Option C is wrong because Active Directory Federation Services (AD FS) provides federation, not synchronization. Option B is wrong because Microsoft Intune manages devices, not identity synchronization.

213
MCQeasy

A user logs into a company's application using their username and password. After logging in, the application checks whether the user belongs to the 'Admin' role before granting access to the user management page. Which security concept is primarily illustrated by the role check?

A.Authentication
B.Authorization
C.Accounting
D.Non-repudiation
AnswerB

Authorization is the process of granting or denying access to resources based on the authenticated user's permissions. The role check determines if the user is authorized to access the user management page, making this the correct answer.

Why this answer

The role check after login determines what actions the authenticated user is allowed to perform, specifically whether they can access the user management page. This is the essence of authorization, which controls access to resources based on identity and assigned permissions. In Microsoft identity and access management, authorization is enforced via role-based access control (RBAC), where the application verifies the user's role claim (e.g., 'Admin') in the access token.

Exam trap

Microsoft often tests the distinction between authentication and authorization by presenting a scenario where a user is already logged in and then a permission check occurs, leading candidates to mistakenly select 'authentication' because they focus on the login step rather than the subsequent access control decision.

How to eliminate wrong answers

Option A is wrong because authentication is the process of verifying the user's identity (e.g., validating username and password), which has already occurred before the role check. Option C is wrong because accounting (or auditing) tracks user activities and resource usage for compliance or billing, not the enforcement of access rights. Option D is wrong because non-repudiation ensures that a user cannot deny an action they performed, typically achieved through digital signatures or audit logs, not by checking role membership.

214
MCQmedium

Your company uses Microsoft Intune for device management. You need to ensure that all company data on a user's personally owned device is removed when the user is offboarded, but the user's personal data should remain. Which wipe action should you use?

A.Delete
B.Selective wipe
C.Full wipe
D.Retire
AnswerB

Selective wipe removes only company data from managed apps.

Why this answer

Option B is correct because selective wipe in Intune removes only company data from managed apps, leaving personal data intact. Option C is wrong because a full wipe resets the entire device. Option D is wrong because retire removes the device from management but does not automatically wipe data. Option A is wrong because delete removes the device record without wiping.

215
MCQhard

Your organization uses Microsoft Defender for Cloud Apps. You need to discover shadow IT usage. Which feature should you enable?

A.File policies
B.Conditional Access App Control
C.Cloud Discovery
D.App catalog
AnswerC

Cloud Discovery identifies unsanctioned cloud apps used in the organization.

Why this answer

Option C is correct because Cloud Discovery analyzes traffic logs to identify shadow IT. Option B is incorrect because Conditional Access App Control is for enforcing policies on sanctioned apps. Option D is incorrect because the app catalog lists known cloud apps. Option A is incorrect because file policies are for data protection.

216
Multi-Selecthard

Which THREE of the following are capabilities of Microsoft Purview Data Loss Prevention (DLP)? (Choose three.)

Select 3 answers
A.Detect credit card numbers in Exchange Online emails
B.Block network traffic from suspicious IP addresses
C.Detect sensitive information in Microsoft Teams messages
D.Detect malware in email attachments
E.Detect passport numbers in SharePoint Online documents
AnswersA, C, E

DLP can scan email content for sensitive info.

Why this answer

Options A, C, and E are correct. DLP can detect sensitive data in Exchange emails, SharePoint documents, and Teams messages. Option B is wrong because DLP does not block network traffic; that is a network security function. Option D is wrong because DLP does not detect malware; that is Microsoft Defender for Endpoint.

217
MCQmedium

Your company is implementing a zero-trust security model. Which principle requires verifying every access request as though it originates from an untrusted network, even if the request comes from within the corporate network?

A.Least privilege
B.Trust but verify
C.Explicit verification
D.Assume breach
AnswerD

This principle assumes every request is from an untrusted source.

Why this answer

Option D is correct because 'Assume breach' is the zero-trust principle that treats every access request as potentially compromised. Option C is incorrect because 'Explicit verification' is a different principle. Option A is incorrect because 'Least privilege' limits access rights. Option B is incorrect because 'Trust but verify' is not a zero-trust principle.

218
MCQmedium

A financial company processes stock trades. To ensure that a trader cannot later deny having submitted a specific trade order, the system captures a digital signature from the trader for each order. Which security goal is being addressed by this practice?

A.Confidentiality
B.Integrity
C.Availability
D.Non-repudiation
AnswerD

Non-repudiation ensures that an individual cannot deny having performed an action or sent a message. Digital signatures provide non-repudiation by binding the action to the signer.

Why this answer

Non-repudiation ensures that a party cannot deny having performed a specific action. By capturing a digital signature from the trader for each trade order, the system creates cryptographic proof that the trader indeed submitted that order. This prevents the trader from later claiming they did not authorize the trade, directly addressing the non-repudiation goal.

Exam trap

The trap here is that candidates often confuse integrity with non-repudiation, but integrity only ensures data hasn't been tampered with, while non-repudiation specifically provides cryptographic proof of origin and action.

How to eliminate wrong answers

Option A is wrong because confidentiality focuses on preventing unauthorized access to data, not on proving who performed an action. Option B is wrong because integrity ensures data has not been altered, but does not provide proof of origin or prevent denial of action. Option C is wrong because availability ensures systems and data are accessible when needed, which is unrelated to proving the authenticity of a submitted order.

219
MCQeasy

A company secures its network by deploying a firewall at the perimeter, an intrusion prevention system on internal segments, endpoint antivirus on all workstations, and encrypting sensitive data at rest and in transit. This layered approach ensures that if one control fails, others still provide protection. Which security concept does this strategy best represent?

A.Least privilege
B.Defense in depth
C.Zero Trust
D.Separation of duties
AnswerB

Correct. Defense in depth uses multiple, overlapping security controls (firewalls, IPS, antivirus, encryption) so that failure of one does not compromise the entire security posture. This is exactly what the company is implementing.

Why this answer

The strategy described uses multiple independent security controls—firewall, IPS, endpoint antivirus, and encryption—so that if one layer fails, others continue to protect the asset. This is the core definition of defense in depth, which creates overlapping layers of protection rather than relying on a single point of failure.

Exam trap

The trap here is that candidates confuse Zero Trust with defense in depth because both involve multiple controls, but Zero Trust specifically requires identity-based verification and micro-segmentation rather than relying on layered perimeter defenses.

How to eliminate wrong answers

Option A is wrong because least privilege restricts user access rights to only what is necessary for their role, not the layering of security controls. Option C is wrong because Zero Trust assumes no implicit trust and requires continuous verification of every access request, whereas the described strategy focuses on layered perimeter and endpoint defenses without explicitly eliminating trust assumptions. Option D is wrong because separation of duties divides critical tasks among multiple people to prevent fraud or error, not to provide overlapping technical security controls.

220
MCQeasy

A hospital stores patient medical records electronically. An attacker gains access to the system and modifies patient diagnoses. Which principle of the CIA triad has been violated?

A.Confidentiality
B.Integrity
C.Availability
D.Non-repudiation
AnswerB

Integrity ensures that data is not altered or destroyed by unauthorized parties. The attacker modified patient diagnoses, so integrity is violated.

Why this answer

The CIA triad's Integrity principle ensures that data is not modified by unauthorized parties. In this scenario, the attacker altered patient diagnoses, which directly violates data integrity. Confidentiality (unauthorized disclosure) and Availability (denial of service) are not the primary concerns here.

Exam trap

The trap here is that candidates may confuse 'access' with 'confidentiality' and choose A, but the key is the modification of data, which is a clear integrity violation, not just unauthorized viewing.

How to eliminate wrong answers

Option A is wrong because confidentiality focuses on preventing unauthorized access to data, not unauthorized modification; the attacker did access the system, but the core violation is the alteration of records. Option C is wrong because availability ensures systems and data are accessible when needed; the attacker did not disrupt access to the records. Option D is wrong because non-repudiation is a security concept that prevents a party from denying an action (e.g., using digital signatures or audit logs), not a core principle of the CIA triad; it is not directly violated by data modification.

221
MCQeasy

A healthcare organization must comply with HIPAA regulations regarding the protection of patient health information (PHI). Which cloud compliance concept ensures that the organization has controls in place to meet regulatory requirements?

A.Privacy management
B.Identity management
C.Security management
D.Compliance management
AnswerD

Compliance management involves implementing controls to meet regulatory requirements like HIPAA.

Why this answer

Compliance management is the discipline of ensuring that an organization adheres to regulations like HIPAA by implementing controls. Security management focuses on protecting assets from threats. Identity management deals with authentication and authorization. Privacy management addresses personal data protection. The question specifically asks about meeting regulatory requirements.

222
MCQmedium

A company's IT department implements a policy for server administrators: they must submit an access request to perform privileged tasks on critical servers. Each request is approved by a manager, and the granted elevated permissions automatically expire after four hours. This approach reduces the risk of standing privileges being exploited. Which security concept is primarily being applied?

A.Just-in-time access
B.Least privilege
C.Defense in depth
D.Zero Trust
AnswerA

Correct. The scenario describes temporary, time-limited elevated access upon request, which is exactly just-in-time (JIT) access.

Why this answer

Option A is correct because just-in-time (JIT) access is a security concept that grants elevated permissions only when needed, for a limited duration, and requires approval. In this scenario, the policy requires an access request, manager approval, and automatic expiration after four hours, which directly aligns with JIT access to reduce the risk of standing privileges being exploited.

Exam trap

The trap here is that candidates confuse 'least privilege' (a static principle of minimal permissions) with 'just-in-time access' (a dynamic, time-bound activation mechanism), but the question's emphasis on 'request, approval, and automatic expiration' specifically points to JIT, not just the principle of least privilege.

How to eliminate wrong answers

Option B is wrong because least privilege is a principle that ensures users have only the minimum permissions necessary to perform their tasks, but it does not inherently include time-bound or approval-based elevation; the scenario specifically describes temporary, approved access, which is JIT, not just least privilege. Option C is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, antivirus, encryption), not a single policy for temporary privileged access. Option D is wrong because Zero Trust is a security model that assumes no implicit trust and continuously verifies every request, but the scenario focuses on time-limited, approved elevation, not the broader Zero Trust principles of micro-segmentation or continuous verification.

223
MCQeasy

A company subscribes to Microsoft 365 E5, a Software-as-a-Service (SaaS) offering. The IT department is responsible for configuring user accounts and managing data in Exchange Online and SharePoint Online. According to the shared responsibility model, which security responsibility is retained by Microsoft for this SaaS deployment?

A.Managing user access to the applications
B.Securing the underlying application code and platform
C.Configuring multi-factor authentication for users
D.Protecting data from unauthorized access by other tenants
AnswerB

As a SaaS provider, Microsoft is responsible for the security of the application code, runtime environment, and underlying infrastructure. The customer does not manage the platform.

Why this answer

In a SaaS model like Microsoft 365 E5, Microsoft retains responsibility for securing the underlying application code, platform, and physical infrastructure. This includes patching the operating system, hardening the application stack, and ensuring the runtime environment is secure. The customer is responsible for managing user identities, configuring access controls, and protecting their own data.

Exam trap

The trap here is that candidates often confuse customer-managed security controls (like MFA and user access) with Microsoft's inherent platform responsibilities, leading them to select options that are actually customer obligations under the SaaS model.

How to eliminate wrong answers

Option A is wrong because managing user access to applications (e.g., assigning roles, controlling permissions) is a customer responsibility, not Microsoft's, under the shared responsibility model for SaaS. Option C is wrong because configuring multi-factor authentication (MFA) for users is a customer task: Microsoft provides the MFA service, but the customer must enable and enforce it. Option D is wrong because, although protecting data from unauthorized access by other tenants is a foundational part of Microsoft's SaaS platform security (logical isolation via Azure Active Directory and tenant boundaries), the customer also retains responsibility for their own data classification and protection measures. The question asks for a responsibility retained by Microsoft, and securing the platform code is a clearer, non-delegable Microsoft responsibility.

224
MCQeasy

Your organization needs to control which users can access the Microsoft Purview compliance portal. Which method should you use to grant access?

A.Add users to an Azure RBAC role
B.Configure Intune policy to allow access
C.Assign users to the Compliance Administrator role group in Microsoft Purview
D.Assign Microsoft 365 E5 licenses to users
AnswerC

Role groups in Purview grant access to the compliance portal.

Why this answer

Option C is correct because you assign the appropriate role group in the Microsoft Purview compliance portal. Option A is incorrect because Azure RBAC manages Azure resources, not Purview. Option B is incorrect because Intune manages devices, not access to Purview. Option D is incorrect because licenses are needed but do not alone grant access.

225
MCQeasy

A company's security policy requires that all data transferred between the corporate data center and the cloud must be protected from unauthorized access during transmission. They use encryption protocols such as TLS to achieve this. Which security goal is primarily being addressed?

A.Confidentiality
B.Integrity
C.Availability
D.Non-repudiation
AnswerA

Encrypting data during transmission ensures that only authorized parties can read the data, thereby maintaining confidentiality.

Why this answer

Confidentiality is the security goal that ensures data is not disclosed to unauthorized entities. By using encryption protocols such as TLS, the data in transit is rendered unreadable to any party that intercepts the traffic, directly protecting against unauthorized access during transmission.

Exam trap

The trap here is that candidates may confuse encryption with integrity, thinking that encryption alone prevents tampering. Encryption only provides confidentiality; integrity requires separate mechanisms like MACs or digital signatures, which TLS also includes but which are not the primary goal stated in the question.

How to eliminate wrong answers

Option B (Integrity) is wrong because integrity focuses on ensuring data has not been altered or tampered with during transit, which is typically achieved through hashing or message authentication codes (e.g., HMAC), not solely by encryption. Option C (Availability) is wrong because availability concerns ensuring systems and data are accessible when needed, often addressed by redundancy and disaster recovery, not by encrypting data in transit. Option D (Non-repudiation) is wrong because non-repudiation provides proof of the origin or delivery of data, usually via digital signatures or audit logs, and is not the primary goal of encryption protocols like TLS.
