CCNA Describe the capabilities of Microsoft security solutions Questions

75 of 470 questions · Page 1/7 · Describe the capabilities of Microsoft security solutions

1 · MCQ · medium

A company uses Microsoft 365 and wants to protect its users from malicious links and attachments in email, as well as phishing attacks. Which Microsoft security solution is specifically designed for email and collaboration protection?

A. Microsoft Defender for Endpoint
B. Microsoft Defender for Office 365
C. Microsoft Defender for Cloud Apps
D. Microsoft Defender for Identity
Answer: B

Defender for Office 365 safeguards Microsoft 365 email, Teams, and SharePoint from threats like phishing, malicious links, and attachments.

Why this answer

Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection) is the dedicated security solution for email and collaboration workloads. It provides protection against malicious links (Safe Links), malicious attachments (Safe Attachments), and anti-phishing policies specifically for Exchange Online, SharePoint, OneDrive, and Teams. This directly matches the question's requirement for email and collaboration protection.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Endpoint (device protection) with Microsoft Defender for Office 365 (email and collaboration protection), because both names start with 'Microsoft Defender' and both involve threat detection, but they protect completely different attack surfaces.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint is designed for endpoint devices (Windows, macOS, Linux, Android, iOS) and focuses on preventing, detecting, and responding to threats on those devices, not on email or collaboration content. Option C is wrong because Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that provides visibility, data loss prevention, and threat protection for cloud applications (e.g., Shadow IT discovery), not specifically for email and collaboration protection. Option D is wrong because Microsoft Defender for Identity is an on-premises Active Directory security solution that uses signals to detect advanced attacks like Pass-the-Hash and Kerberos Golden Ticket attacks, not email or collaboration threats.

2 · MCQ · hard

You are a security administrator for Contoso Ltd., which uses Microsoft 365 E5. The company has 10,000 users and uses Microsoft Entra ID for identity. The security team has noticed an increase in sign-in attempts from anonymous IP addresses and from locations outside the company's home country. They want to implement a solution that automatically blocks sign-ins from anonymous IP addresses and requires MFA for sign-ins from outside the home country. They also want to ensure that if a user's risk level is high, they are forced to change their password. The solution must use Microsoft Entra ID Protection and Conditional Access. You have already configured a Conditional Access policy to require MFA for all users. Which of the following is the most efficient way to meet all requirements with minimal administrative overhead?

A. Configure Identity Protection sign-in risk policy to block anonymous IP addresses, user risk policy to require password change for high-risk users, and create a Conditional Access policy to require MFA for sign-ins from outside the home country.
B. Create a single Conditional Access policy that blocks anonymous IP addresses, requires MFA based on location, and forces password change for high-risk users.
C. Configure Identity Protection to block anonymous IP addresses and require password change for high-risk users. Use Conditional Access to block sign-ins from outside the home country.
D. Configure Identity Protection to block anonymous IP addresses and require password change for high-risk users. Use Conditional Access to require MFA for all users.
Answer: A

This meets all requirements: anonymous IP blocked via risk policy, password change via user risk policy, location-based MFA via Conditional Access.

Why this answer

Correct: A. Using Identity Protection's risk policies for anonymous IP addresses and high user risk, plus a Conditional Access policy for location-based MFA, is the most efficient approach. Option B: Combining everything in one Conditional Access policy is not possible, because Conditional Access on its own cannot detect anonymous IP addresses (Identity Protection does).

Option C: Blocks sign-ins from outside the home country instead of requiring MFA, so the location-based MFA requirement is not met. Option D: Missing the location-based MFA requirement.

3 · MCQ · medium

Your organization uses Microsoft Defender for Cloud Apps to monitor cloud app usage. You discover that a user is accessing a sanctioned app from an unmanaged device. You need to ensure that when users access this app from unmanaged devices, they are prompted for additional authentication and their session is monitored. What should you configure?

A. Enable Microsoft Entra ID Identity Protection and configure a sign-in risk policy.
B. Create a Conditional Access policy that requires device compliance and blocks access for non-compliant devices.
C. Create a session policy in Microsoft Defender for Cloud Apps that blocks downloads for all devices.
D. Create a Conditional Access policy that uses the 'Require session control' grant and targets 'All cloud apps' and 'Unmanaged devices' as conditions.
Answer: D

This redirects the session to Defender for Cloud Apps for monitoring and control.

Why this answer

Option D is correct because you need to use a Conditional Access policy with the 'Require session control' grant, targeting 'All cloud apps' and 'Unmanaged devices' as conditions. This integrates with Microsoft Defender for Cloud Apps to enforce additional authentication (via Microsoft Entra ID) and enable session monitoring, such as real-time activity logging and download blocking, for the sanctioned app when accessed from unmanaged devices.

Exam trap

The trap here is confusing session control (which allows conditional access with monitoring) with device compliance policies (which block or allow based on device state) or Identity Protection (which focuses on risk-based sign-in detection).

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Identity Protection's sign-in risk policy detects risky sign-ins (e.g., anonymous IP addresses) but does not specifically target unmanaged devices or provide session monitoring for cloud apps. Option B is wrong because requiring device compliance and blocking non-compliant devices would deny access entirely, not prompt for additional authentication and monitor the session as required. Option C is wrong because a session policy in Defender for Cloud Apps that blocks downloads for all devices does not enforce additional authentication or session monitoring for unmanaged devices specifically; it only restricts a single action (downloads) globally.

4 · MCQ · hard

Your organization uses Microsoft Entra ID. You need to allow external users from a specific partner tenant to access a single internal application, but only after they provide a phone number for verification. What should you configure?

A. Cross-tenant access settings for the partner tenant
B. B2B collaboration invitation settings
C. Conditional Access policy for the application
D. Identity Protection policy
Answer: A

Cross-tenant access settings allow you to trust MFA from the partner tenant and enforce requirements.

Why this answer

Cross-tenant access settings allow you to trust MFA and device compliance from external tenants. By configuring inbound access settings, you can require that the partner tenant's users meet your MFA requirements (phone verification). Option B is incorrect because B2B collaboration settings control invitation, not authentication requirements.

Option C is incorrect because Conditional Access policies apply to your tenant but cannot directly enforce MFA on external users without cross-tenant trust. Option D is incorrect because Identity Protection is for risk detection, not MFA enforcement.

5 · MCQ · hard

Refer to the exhibit. You are a security administrator for a company using Azure Virtual Network Manager. You have deployed the security admin configuration shown. What is the impact of this rule?

A. It blocks inbound SMB traffic from the internet to the subnet.
B. It blocks outbound traffic from the subnet to the internet.
C. It denies all traffic from the internet to the subnet.
D. It blocks inbound RDP traffic from the internet.
Answer: A

SMB uses port 445; the rule denies internet-to-subnet traffic on that port.

Why this answer

The rule denies inbound TCP traffic on port 445 (SMB) from the Internet to the subnet 10.0.0.0/24. This blocks external SMB access, preventing common ransomware propagation. Option D is incorrect because port 445 is SMB, not RDP (3389).

Option B is incorrect because the rule's direction is inbound, not outbound. Option C is incorrect because the rule denies traffic only on port 445, not on all ports.

6 · MCQ · medium

Your organization uses Microsoft Defender for Cloud to secure Azure resources. You need to ensure that all storage accounts have soft delete enabled to protect against accidental deletion. Which policy should you implement?

A. Azure Blueprints
B. Azure Policy with a built-in policy for storage accounts
C. Azure role-based access control (RBAC)
D. Defender for Cloud security recommendations
Answer: B

Azure Policy can enforce soft delete configuration on storage accounts.

Why this answer

Option B is correct because Azure Policy can audit or enforce configurations on resources, including enabling soft delete on storage accounts. Option D is wrong because Defender for Cloud recommendations suggest actions but do not enforce them automatically. Option C is wrong because Azure RBAC controls permissions, not configurations.

Option A is wrong because Azure Blueprints package resources but do not enforce individual settings.

7 · MCQ · hard

A company uses Microsoft Purview to classify and label data. The compliance team needs to automatically apply a 'Highly Confidential' sensitivity label to any document containing a passport number that is stored in SharePoint Online. The label should also encrypt the document. What should the compliance team configure?

A. Create a retention label with a retention rule
B. Create an auto-labeling policy for sensitivity labels
C. Create a data loss prevention (DLP) policy
D. Create a manual sensitivity label and train users
Answer: B

Auto-labeling policies can automatically apply labels with encryption based on sensitive info types.

Why this answer

Option B is correct because an auto-labeling policy can be set to scan SharePoint for content containing a passport number and apply a label that encrypts the document. Option D is wrong because manual labeling is not automatic. Option C is wrong because a DLP policy blocks sharing but does not apply labels.

Option A is wrong because a retention label is for retention, not encryption.

8 · MCQ · medium

A company uses Azure virtual machines and also has physical servers in their on-premises datacenter. The security team needs a single dashboard to view security recommendations, detect misconfigurations, and get a secure score for both environments. They also want to integrate with Microsoft Defender for Cloud for threat protection. Which Microsoft security solution provides this unified visibility across hybrid workloads?

A. Microsoft Defender for Cloud
B. Microsoft Sentinel
C. Microsoft Defender for Endpoint
D. Microsoft Security Center
Answer: A

Defender for Cloud provides a unified dashboard for security posture management (secure score, recommendations) and integrated threat protection across hybrid workloads.

Why this answer

Microsoft Defender for Cloud provides a unified dashboard that delivers security recommendations, misconfiguration detection, and a secure score across both Azure virtual machines and on-premises physical servers. It natively integrates with Microsoft Defender for Cloud's threat protection capabilities, enabling hybrid workload coverage without additional licensing or complex setup.

Exam trap

Microsoft often tests the distinction between Microsoft Defender for Cloud (unified posture management and threat protection) and Microsoft Sentinel (SIEM/SOAR), causing candidates to confuse the two due to overlapping security monitoring capabilities.

How to eliminate wrong answers

Option B is wrong because Microsoft Sentinel is a Security Information and Event Management (SIEM) solution focused on log ingestion, threat hunting, and incident response, not a unified dashboard for security posture recommendations and secure scores. Option C is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution for devices, not a cross-environment dashboard for security recommendations and secure scores across hybrid workloads. Option D is wrong because Microsoft Security Center is a legacy name; the current unified solution is Microsoft Defender for Cloud, which replaced Azure Security Center and Azure Defender.

9 · MCQ · medium

A company wants to improve its security awareness program by periodically sending simulated phishing emails to employees to test their ability to identify malicious messages. The results should be tracked in a dashboard that shows which employees clicked the links. Which Microsoft 365 Defender capability should they use?

A. Attack Simulation Training
B. Microsoft Defender for Office 365
C. Microsoft Defender for Cloud Apps
D. Microsoft 365 Defender Incident Response
Answer: A

Correct. Attack Simulation Training is specifically designed for creating and managing simulated phishing attacks to train employees.

Why this answer

Attack Simulation Training is the correct answer because it is the specific Microsoft 365 Defender capability designed to create and launch simulated phishing campaigns, track employee interactions (e.g., clicks on malicious links), and report results in a dashboard. This feature is part of Microsoft Defender for Office 365 but is a distinct workload focused on security awareness training and measurement.

Exam trap

The trap here is that candidates confuse the broader Microsoft Defender for Office 365 (which includes anti-phishing policies) with the specific Attack Simulation Training feature, assuming the entire suite is needed for simulation, when in fact the simulation tool is a discrete component with its own dashboard and configuration portal.

How to eliminate wrong answers

Option B (Microsoft Defender for Office 365) is wrong because while it provides the underlying protection (e.g., anti-phishing, Safe Links, Safe Attachments) and hosts Attack Simulation Training, the question specifically asks for the capability to simulate phishing and track clicks, which is a separate feature within the suite, not the entire service. Option C (Microsoft Defender for Cloud Apps) is wrong because it is a Cloud Access Security Broker (CASB) focused on shadow IT discovery, app permissions, and data protection across SaaS applications, not on simulating phishing attacks against users. Option D (Microsoft 365 Defender Incident Response) is wrong because it is a workflow for investigating and remediating real security incidents (e.g., automated investigation and response), not for proactively testing user awareness with simulated attacks.

10 · Multi-Select · hard

An organization uses Microsoft Purview Information Protection to classify and protect data. Which TWO methods can be used to apply sensitivity labels automatically?

Select 2 answers
A. Auto-labeling policies in Microsoft 365 compliance center
B. Client-side automatic classification via the unified labeling client
C. Default labeling policy for Microsoft 365 Apps
D. Manual labeling by end users
E. PowerShell scripts to apply labels on export
Answers: A, B

Correct: Can automatically apply labels.

Why this answer

Auto-labeling policies apply labels based on conditions such as detected sensitive information types. Client-side labeling via the Azure Information Protection unified labeling client also supports automatic classification. Manual labeling is not automatic.

A default labeling policy in Microsoft 365 Apps applies a default label rather than classifying content automatically. PowerShell cannot apply labels automatically without custom scripting, so it is not an automatic labeling method.

11 · MCQ · medium

Your organization uses Microsoft Defender for Cloud to protect hybrid workloads. A security administrator needs to ensure that all Azure subscriptions are automatically covered by Defender for Cloud's security policies. What should the administrator configure?

A. Assign the Azure Security Benchmark initiative to each resource group.
B. Assign the Azure Security Benchmark initiative to the root management group.
C. Enable Defender for Cloud on each subscription individually.
D. Install the Log Analytics agent on all VMs.
Answer: B

Assigning to the root management group automatically applies policies to all subscriptions.

Why this answer

Defender for Cloud's default policy initiative, when assigned at the root management group, is inherited by every subscription in the hierarchy, ensuring consistent coverage. Option A is incorrect because assigning at the resource group level does not apply to other resource groups or subscriptions. Option C is incorrect because Azure Policy must be assigned at a scope covering all subscriptions; enabling Defender for Cloud subscription by subscription is not automatic.

Option D is incorrect because installing the agent on each VM is manual onboarding, not automatic policy coverage.

12 · MCQ · medium

An organization uses Microsoft Intune to manage devices. The security team wants to ensure that only devices with a minimum OS version and antivirus enabled can access corporate email. What should they configure?

A. Conditional Access policy referencing device compliance
B. Device enrollment restrictions
C. App protection policies in Microsoft Defender for Cloud Apps
D. A device compliance policy
Answer: A

Conditional Access uses compliance status to allow or block access.

Why this answer

Conditional Access combined with device compliance policies evaluates device health and enforces access controls. Option D is incorrect because compliance policies alone report compliance status but do not enforce access. Option C is incorrect because app protection policies manage data within apps, not device-level access.

Option B is incorrect because device enrollment is a prerequisite, not enforcement.

13 · MCQ · easy

An organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. They need to prevent users from sharing credit card numbers via email outside the company. Which type of DLP rule action should they configure?

A. Block
B. Notify
C. Audit only
D. Encrypt
Answer: A

Block prevents the email from being sent and can provide user notification.

Why this answer

The 'Block' action prevents the email from being sent and can optionally notify the user and admin. Option C is wrong because 'Audit only' logs the event but does not block. Option D is wrong because 'Encrypt' is a separate action, not the primary blocking mechanism.

Option B is wrong because 'Notify' only sends an alert without blocking.

14 · Multi-Select · medium

A cybersecurity analyst uses Microsoft Sentinel to detect threats. Which THREE types of analytics rules can be created?

Select 3 answers
A. Scheduled query rules
B. Near-real-time (NRT) rules
C. Hunting rules
D. Fusion rules
E. Machine learning rules
Answers: A, B, D

Correct: Standard rule type.

Why this answer

Scheduled, NRT, and Fusion are analytics rule types in Sentinel. Hunting queries are not analytics rules; they are saved queries used for proactive hunting. Machine learning detections are delivered through Fusion and built-in rules rather than as a separately created rule type.

15 · Multi-Select · hard

Which THREE actions can Microsoft Sentinel perform as part of automated incident response using playbooks?

Select 3 answers
A. Block an IP address on a firewall
B. Install anti-malware software on a device
C. Reset a user's password
D. Create an incident in ServiceNow
E. Modify a network security group rule
Answers: A, C, D

Playbooks can trigger firewall blocking via connectors.

Why this answer

Option D is correct because playbooks can create incidents in other systems such as ServiceNow. Option A is correct because playbooks can block IP addresses on a firewall through connectors. Option C is correct because playbooks can reset user passwords.

Option E is wrong because playbooks cannot directly modify network security group rules; they can only trigger automation. Option B is wrong because playbooks cannot automatically install software on a device.

16 · MCQ · medium

A company has on-premises Active Directory. They want to detect advanced attacks like Pass-the-Hash, DCSync, and malicious Kerberos activity using behavioral analytics. Which Microsoft security solution should they deploy on their domain controllers?

A. Microsoft Defender for Endpoint
B. Microsoft Defender for Office 365
C. Microsoft Defender for Identity
D. Microsoft Defender for Cloud Apps
Answer: C

Defender for Identity is specifically designed to detect identity-based attacks on on-premises AD using behavioral analytics.

Why this answer

Microsoft Defender for Identity (MDI) is the correct solution because it uses behavioral analytics and machine learning to detect advanced attacks specifically targeting on-premises Active Directory, such as Pass-the-Hash, DCSync, and malicious Kerberos activity. MDI monitors domain controller traffic, including Kerberos authentication and NTLM relay, to identify anomalous patterns indicative of these attacks.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Identity with Microsoft Defender for Endpoint, assuming endpoint protection covers domain controllers, but MDI is specifically designed for Active Directory security and behavioral analytics against identity-based attacks.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint focuses on endpoint detection and response (EDR) for devices like workstations and servers, not on monitoring domain controller traffic or Active Directory-specific attack vectors like DCSync. Option B is wrong because Microsoft Defender for Office 365 protects email and collaboration tools (e.g., Exchange Online, SharePoint) from threats like phishing and malware, not on-premises Active Directory attacks. Option D is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that monitors cloud applications and shadow IT, not on-premises domain controllers or Kerberos/NTLM traffic.

17 · MCQ · medium

A security analyst in your organization receives an alert from Microsoft Defender XDR indicating that a user's device may be infected with ransomware. The analyst needs to immediately isolate the device from the network to prevent further spread. What should the analyst do?

A. Revoke the user's session in Microsoft Entra ID
B. Use Microsoft Defender for Endpoint to initiate device isolation
C. Open Microsoft Sentinel and run a playbook
D. Use Microsoft Intune to wipe the device
Answer: B

Defender for Endpoint allows immediate isolation of the device.

Why this answer

Option B is correct because Microsoft Defender for Endpoint (part of Defender XDR) provides the ability to isolate a device from the network. Option C is wrong because Microsoft Sentinel is a SIEM, not an endpoint action tool. Option D is wrong because Microsoft Intune can wipe devices, but this is slower and is not network isolation.

Option A is wrong because Microsoft Entra ID is for identity, not device isolation.

18 · Multi-Select · hard

Which TWO actions can be performed using Microsoft Entra Identity Governance? (Choose two.)

Select 2 answers
A. Configure self-service password reset
B. Reset user passwords
C. Automate user lifecycle workflows
D. Create conditional access policies
E. Manage access reviews for groups and applications
Answers: C, E

Correct: Lifecycle workflows are part of Identity Governance.

Why this answer

Identity Governance includes access reviews (option E) and entitlement management, and lifecycle workflows (option C) are also part of Identity Governance. Privileged Identity Management is part of Identity Governance as well, but it is not among the options.

Option A (SSPR) is separate. Option B (reset user passwords) is not an Identity Governance capability. Option D (Conditional Access) is not part of Identity Governance.

19 · MCQ · medium

A company uses Microsoft Defender for Cloud Apps. The security team discovers that a user has granted a third-party OAuth app with 'read all mail' and 'send mail as user' permissions. They want to automatically revoke the authorization for this risky app and block similar apps in the future. Which Defender for Cloud Apps feature should they use?

A. App Discovery
B. Conditional Access App Control
C. OAuth app policies
D. Cloud Discovery
Answer: C

Correct. OAuth app policies allow you to manage and revoke permissions for OAuth apps and set automatic governance actions.

Why this answer

OAuth app policies in Microsoft Defender for Cloud Apps allow security teams to automatically revoke permissions for risky third-party OAuth apps and block future similar apps. This feature specifically governs OAuth consent grants, such as 'read all mail' and 'send mail as user', by enabling automated governance actions like revoking permissions and blocking the app based on risk level.

Exam trap

The trap here is that candidates confuse App Discovery/Cloud Discovery (which identify unmanaged cloud app usage) with OAuth app policies (which specifically govern third-party app permissions and consent grants).

How to eliminate wrong answers

Option A is wrong because App Discovery is a feature for identifying Shadow IT by analyzing traffic logs to discover cloud apps in use, not for managing OAuth app permissions. Option B is wrong because Conditional Access App Control provides real-time session-level monitoring and control (e.g., blocking downloads) for managed apps, but it does not revoke or block OAuth app authorizations. Option D is wrong because Cloud Discovery is the underlying data collection mechanism for App Discovery, focusing on traffic analysis to identify cloud app usage, not on OAuth app governance.

20 · MCQ · medium

A company wants to protect against malware and phishing attacks in email and collaboration tools like Microsoft Teams. Which Microsoft security solution should they use?

A. Microsoft Defender for Office 365
B. Microsoft Defender for Cloud Apps
C. Microsoft Defender for Endpoint
D. Microsoft Defender for Identity
Answer: A

Protects email and collaboration tools from malware and phishing.

Why this answer

Option A is correct because Microsoft Defender for Office 365 protects against threats in email and collaboration tools. Option C is wrong because Defender for Endpoint focuses on devices. Option B is wrong because Defender for Cloud Apps is a CASB.

Option D is wrong because Defender for Identity protects on-premises Active Directory.

21 · MCQ · easy

Your organization wants to label emails and documents as 'Confidential' automatically based on content patterns. Which Microsoft Purview feature should you use?

A. Audit log
B. Retention labels
C. Auto-labeling (sensitivity labels)
D. Data Loss Prevention policy
Answer: C

Auto-labeling applies sensitivity labels automatically based on content.

Why this answer

Option C is correct because auto-labeling policies in Purview automatically apply sensitivity labels based on conditions. Option B is incorrect because retention labels are for retention, not classification. Option D is incorrect because DLP is for protecting data, not labeling.

Option A is incorrect because the audit log is for logging.

22 · MCQ · hard

Your company is implementing Microsoft Purview Data Loss Prevention (DLP). You need to prevent users from sharing sensitive data like credit card numbers via email with external recipients, but allow internal sharing. What should you configure?

A. Sensitivity labels with encryption
B. A DLP policy for Exchange Online with a condition 'content contains sensitive information type' and 'shared with people outside my organization'
C. Retention labels and policies
D. Conditional Access policies with session controls
Answer: B

DLP policies can block external sharing of sensitive data while allowing internal sharing.

Why this answer

Option B is correct because DLP policies can be scoped to specific locations (e.g., Exchange Online) and use conditions such as 'shared with people outside my organization'. Option A is wrong because sensitivity labels are applied manually or automatically but do not enforce sharing restrictions. Option C is wrong because retention policies do not block sharing.

Option D is wrong because Microsoft Entra ID Conditional Access controls access, not data sharing.

23 · MCQ · medium

A security team needs to detect and investigate suspicious activities in their on-premises Active Directory environment, such as pass-the-hash attacks, Kerberoasting, and unusual service account behavior. They also want to integrate these alerts with Microsoft Defender for Cloud for a unified view across hybrid workloads. Which Microsoft security solution should they deploy on-premises?

A. Microsoft Defender for Identity
B. Microsoft Defender for Office 365
C. Microsoft Defender for Cloud Apps
D. Microsoft Defender for Endpoint
Answer: A

Correct. Defender for Identity monitors on-premises AD and detects identity-based attacks like pass-the-hash and Kerberoasting.

Why this answer

Microsoft Defender for Identity (MDI) is the correct solution because it is specifically designed to detect and investigate advanced threats in on-premises Active Directory environments, including pass-the-hash attacks, Kerberoasting, and anomalous service account behavior. It uses behavioral analytics and integrates directly with Microsoft Defender for Cloud to provide a unified view across hybrid workloads, enabling security teams to correlate on-premises AD signals with cloud alerts.

Exam trap

The trap here is that candidates may confuse Microsoft Defender for Identity with Microsoft Defender for Endpoint, assuming endpoint protection covers AD attacks, but MDI is the only solution that specifically monitors Active Directory authentication and behavior on domain controllers.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Office 365 focuses on protecting email, SharePoint, OneDrive, and Teams from threats like phishing and malware, not on-premises Active Directory attacks. Option C is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that protects cloud applications and data, not on-premises AD environments. Option D is wrong because Microsoft Defender for Endpoint is designed for endpoint detection and response (EDR) on devices, not for monitoring Active Directory authentication protocols or service account behavior.

24 · MCQ · medium

You are reviewing a Microsoft Purview sensitivity label configuration. Based on the exhibit, what will happen when this label is applied to a document?

A. The document will be watermarked only.
B. The document will be encrypted and will expire after a set period.
C. The document will be encrypted with AES256, watermarked with 'CONFIDENTIAL', and sharing will be blocked.
D. The document will display a warning before sharing.
Answer: C

All three actions are specified in the label configuration.

Why this answer

Option C is correct because the label includes three actions: encrypt with AES256, apply a 'CONFIDENTIAL' watermark, and block sharing. Option B is wrong because there is no expiration. Option D is wrong because the label blocks sharing rather than just displaying a warning.

Option A is wrong because the label includes encryption and sharing restrictions, not just a watermark.

25 · Multi-Select · easy

Which TWO of the following are features of Microsoft Sentinel? (Choose two.)

Select 2 answers
A. Security Information and Event Management (SIEM)
B. Data loss prevention
C. Endpoint detection and response
D. Identity governance
E. Security Orchestration, Automation, and Response (SOAR)
Answers: A, E

Correct: Core SIEM capability.

Why this answer

Microsoft Sentinel is a SIEM and SOAR solution that collects security data across the enterprise and uses AI to detect threats. It does not manage endpoints or provide identity governance.

26 · MCQ · medium

Refer to the exhibit. The exhibit shows an Azure Policy definition. A storage account named 'storagedev' is created with network ACLs set to allow all traffic (defaultAction: Allow) and no IP rules. What will happen when this policy is assigned?

A.The storage account will be created successfully
B.The policy will audit the storage account and mark it as non-compliant
C.The storage account creation will be denied
D.The storage account will be created, but the policy will modify the ACLs
AnswerC

The policy condition is met, and deny effect blocks creation.

Why this answer

Option C is correct because the condition matches (defaultAction Allow and no IP rules) and the effect is deny, so the storage account creation will be denied. Option A is wrong because the deny effect blocks creation. Option B is wrong because audit would log but not block.

Option D is wrong because the effect is deny, not modify, so the policy blocks the creation rather than changing the ACLs.

27
MCQeasy

A company wants to reduce the attack surface on its Windows devices by blocking common techniques used by malware, such as preventing Office applications from creating child processes or blocking executable files from running from the %TEMP% folder. Which Microsoft Defender for Endpoint feature should be configured?

A.Microsoft Defender Antivirus
B.Attack surface reduction rules
C.Network protection
D.Controlled folder access
AnswerB

These rules target specific malware techniques, such as blocking Office applications from creating child processes and blocking executable files from running from common temporary folders.

Why this answer

Attack surface reduction (ASR) rules are a feature of Microsoft Defender for Endpoint that specifically target common malware behaviors, such as blocking Office applications from creating child processes and preventing executable files from running from the %TEMP% folder. These rules are designed to reduce the attack surface by enforcing policies that stop suspicious or malicious actions at the process level, without relying solely on signature-based detection.

Exam trap

The trap here is that candidates often confuse Attack surface reduction rules with Microsoft Defender Antivirus or Controlled folder access, assuming that any 'blocking' feature is part of the antivirus or that folder protection covers execution, when in fact ASR rules are the only feature that enforces behavior-based policies on process creation and execution from specific locations.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender Antivirus provides real-time antimalware protection through signature-based and behavior-based detection, but it does not include the granular, rule-based controls to block specific behaviors like Office apps spawning child processes or executables from %TEMP%. Option C is wrong because Network protection extends Defender for Endpoint's web protection to block outbound connections to malicious IPs/domains, but it does not control local process creation or file execution from specific folders. Option D is wrong because Controlled folder access protects folders from unauthorized changes by ransomware and other threats, but it does not block the execution of executables from %TEMP% or prevent Office apps from creating child processes.

28
MCQeasy

A company uses Microsoft Intune to manage its devices. The security team wants to enforce that all devices running Windows 11 must have BitLocker enabled and a minimum operating system build version. Which Intune policy type should they use?

A.Configuration profile
B.Enrollment restriction
C.App protection policy
D.Compliance policy
AnswerD

Compliance policies enforce conditions like encryption and OS version.

Why this answer

Option D is correct because compliance policies enforce device compliance rules like BitLocker and OS version. Option A is wrong because configuration profiles configure settings, not compliance. Option C is wrong because app protection policies manage data on mobile apps.

Option B is wrong because enrollment restrictions limit device enrollment.

29
MCQhard

Refer to the exhibit. The exhibit shows an alert from Microsoft Defender XDR. The security team needs to determine if the file 'invoice.docm' is known malware and if other devices in the organization have this file. What should they do next?

A.Isolate the device DESKTOP-01 immediately
B.Trigger the automated investigation for this alert
C.Review the user jdoe's recent activities
D.Search in Advanced Hunting for the file's SHA256 hash across all devices
AnswerD

Advanced Hunting allows querying for the file hash across the organization to find other affected devices.

Why this answer

Option D is correct because the file SHA256 allows querying threat intelligence and hunting for the file across devices. Option A is wrong because the alert is already triggered. Option B is wrong because the device is already identified.

Option C is wrong because the user action is already captured.

30
Multi-Selecthard

Which THREE capabilities are provided by Microsoft Purview? (Choose three.)

Select 3 answers
A.Data classification and labeling
B.Data lifecycle management and retention
C.Data loss prevention (DLP)
D.Identity protection and risk detection
E.Threat and vulnerability management
AnswersA, B, C

Purview classifies and labels sensitive data.

Why this answer

Microsoft Purview offers data classification, data loss prevention, and data lifecycle management. Option D is a Microsoft Entra feature; Option E is a Microsoft Defender feature.

31
Multi-Selectmedium

Which THREE of the following are capabilities of Microsoft Defender for Office 365?

Select 3 answers
A.Safe Links protection in email and Office documents
B.Anti-phishing policies to protect against impersonation
C.Cloud discovery of unsanctioned SaaS apps
D.Device compliance policies for mobile devices
E.Safe Attachments scanning in email
AnswersA, B, E

Safe Links protects users from malicious URLs.

Why this answer

Safe Links is a core capability of Microsoft Defender for Office 365 that proactively scans URLs in email messages and Office documents (like Word, Excel, and PowerPoint) at the time of click. It rewrites links to route through Microsoft's protection infrastructure, blocking access to malicious or phishing websites in real time. This protects users from zero-hour threats that may not yet be detected by traditional signature-based filters.

Exam trap

The trap here is that candidates confuse the scope of Microsoft Defender for Office 365 with other Microsoft 365 security products, mistakenly attributing cloud discovery (Defender for Cloud Apps) or device compliance (Intune) to Defender for Office 365, which is strictly focused on email and Office document protection.

32
MCQmedium

Refer to the exhibit. You are reviewing a Conditional Access policy JSON in Microsoft Entra ID. What will this policy do?

A.Block access when user risk is medium or high
B.Block sign-ins when sign-in risk is high
C.Require MFA when user risk is high
D.Block access when user risk is high
AnswerD

Policy blocks based on high user risk.

Why this answer

The policy JSON specifies `"userRiskLevels": ["high"]` and `"builtInControls": ["block"]`, meaning it blocks access when the user risk level is high. User risk reflects the likelihood that the user's identity is compromised, based on Microsoft's risk detection signals. Option D correctly identifies this behavior.

Exam trap

The trap here is confusing user risk with sign-in risk; candidates often pick 'block sign-ins when sign-in risk is high' because they overlook the `userRiskLevels` field in the JSON and assume the policy targets sign-in risk instead.

How to eliminate wrong answers

Option A is wrong because the policy only targets user risk level 'high', not 'medium or high'; Conditional Access policies require explicit risk level values. Option B is wrong because the policy evaluates user risk, not sign-in risk (which would use `signInRiskLevels` in the JSON). Option C is wrong because the policy's control is 'block', not 'require MFA'; requiring MFA would use `"mfa"` in the `builtInControls` array.

33
MCQhard

A company uses Salesforce and Box as cloud apps. The security team discovers that a third-party OAuth app with excessive permissions was granted access to Salesforce data by a user. They want a solution that can detect such risky OAuth apps and automatically revoke their permissions based on policy. Which Microsoft security solution provides this capability?

A.Microsoft Defender for Cloud Apps
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Office 365
D.Microsoft Sentinel
AnswerA

Correct. Defender for Cloud Apps can discover and assess OAuth apps, and with its OAuth app policies, it can automatically revoke permissions for high-risk apps.

Why this answer

Microsoft Defender for Cloud Apps (MDCA) is a Cloud Access Security Broker (CASB) that provides visibility into third-party OAuth apps connected to cloud services like Salesforce and Box. It can detect OAuth apps with excessive permissions and automatically revoke them based on conditional access or app governance policies, making it the correct solution for this scenario.

Exam trap

The trap here is that candidates may confuse Microsoft Defender for Cloud Apps with Microsoft Defender for Office 365, assuming the latter covers all cloud app security, when in reality MDCA is the dedicated CASB for multi-SaaS environments like Salesforce and Box.

How to eliminate wrong answers

Option B (Microsoft Defender for Endpoint) is wrong because it focuses on endpoint detection and response (EDR) for devices, not on monitoring or controlling OAuth permissions in SaaS applications. Option C (Microsoft Defender for Office 365) is wrong because it protects Exchange Online, SharePoint, and Teams from threats like phishing and malware, but does not manage OAuth app permissions in third-party SaaS apps like Salesforce. Option D (Microsoft Sentinel) is wrong because it is a Security Information and Event Management (SIEM) solution that ingests logs and generates alerts, but it lacks native capabilities to automatically revoke OAuth app permissions; it would require custom playbooks or integration with MDCA for such actions.

34
MCQeasy

You are the security administrator for a small business that uses Microsoft 365 Business Premium. The company wants to enable multi-factor authentication (MFA) for all users. You need to ensure that users are prompted for MFA when they sign in from unfamiliar locations or devices. The solution should be easy to deploy without additional licensing. Which of the following should you configure?

A.Create a conditional access policy in Microsoft Entra ID that requires MFA for all cloud apps
B.Enable security defaults in Microsoft Entra ID
C.Deploy the Microsoft Authenticator app and instruct users to enable it
D.Configure identity protection to enable risk-based MFA
AnswerB

Security defaults provide a baseline of security including MFA for all users, and are included in all licensing tiers.

Why this answer

Option B is correct because security defaults are a pre-configured set of security policies that include MFA based on risk. Option A is incorrect because conditional access policies require Azure AD Premium licenses, which are not included in Business Premium. Option D is incorrect because risk-based policies require Azure AD Premium P2.

Option C is incorrect because the Microsoft Authenticator app alone does not enforce MFA.

35
MCQmedium

You run the Microsoft Graph PowerShell command in the exhibit. What information does this command retrieve about the user?

A.The user's license assignments
B.The user's last sign-in dates
C.The user's assigned roles
D.The user's group memberships
AnswerB

The SignInActivity property shows last interactive and non-interactive sign-in dates.

Why this answer

Option B is correct because the command uses Get-MgUser with the SignInActivity property to retrieve last sign-in times. Option A is wrong because the property shows sign-in times, not licenses. Option D is wrong because it does not show group memberships.

Option C is wrong because the command returns the user's sign-in details, not assigned roles.

36
Multi-Selecteasy

Your organization wants to implement a Zero Trust security model. Which TWO principles are part of the Zero Trust model? (Select TWO.)

Select 2 answers
A.Assume breach
B.Grant access based on IP address
C.Verify explicitly
D.Rely on network perimeter security
E.Use implicit trust for internal traffic
AnswersA, C

Assume breach is a key principle of Zero Trust.

Why this answer

Options A and C are correct: Zero Trust assumes breach and verifies explicitly. Option B is wrong because granting access based on IP address trusts network location instead of verifying explicitly. Option D is wrong because network perimeter security is the traditional model.

Option E is wrong because implicit trust for internal traffic is not part of Zero Trust.

37
MCQeasy

A security analyst needs to investigate a potential data exfiltration incident involving sensitive files being sent via email. Which Microsoft Purview solution provides the necessary monitoring?

A.Microsoft Purview Compliance Manager
B.Microsoft Purview Insider Risk Management
C.Microsoft Purview Data Loss Prevention
D.Microsoft Purview Audit
AnswerC

Correct: DLP monitors email for sensitive data.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) policies monitor and control sensitive data in email and other locations.

38
MCQeasy

Your organization uses Microsoft Entra ID and wants to automatically block sign-ins from users located in countries that are not approved for business operations. Which Microsoft Entra ID feature should you configure?

A.Privileged Identity Management
B.Terms of Use
C.Conditional Access with Named Locations
D.Identity Protection user risk policy
AnswerC

Correct: Conditional Access policies can use Named Locations to block sign-ins from specific countries.

Why this answer

Conditional Access policies allow you to create location-based policies to block or grant access based on geographic locations. Option C is correct because Named Locations are used in Conditional Access to define countries. Option D (Identity Protection) detects risks but does not directly block by country.

Option A (Privileged Identity Management) manages roles. Option B (Terms of Use) presents agreements but does not block by location.

39
MCQhard

Your organization uses Microsoft Sentinel to detect threats. A security analyst needs to create a custom analytics rule that triggers an incident when a user accesses more than 1000 files from an external IP address within 5 minutes. Which rule type should the analyst configure?

A.Fusion rule
B.ML Behavior Analytics rule
C.Scheduled query rule
D.Near-real-time (NRT) query rule
AnswerC

Scheduled query rules allow custom KQL with time windows and aggregation.

Why this answer

Option C is correct because Scheduled query rules allow aggregation over time windows. Option D is wrong because NRT rules run every minute and cannot aggregate over 5 minutes. Option A is wrong because Fusion uses ML to correlate alerts.

Option B is wrong because ML Behavior Analytics is for UEBA anomalies.

40
Multi-Selecteasy

A company wants to use Microsoft Defender for Cloud to secure their hybrid cloud environment. Which TWO resource types can be assessed by Defender for Cloud?

Select 2 answers
A.Azure Virtual Machines
B.AWS EC2 instances
C.On-premises servers connected via Azure Arc
D.Kubernetes clusters
E.On-premises SQL Server
AnswersA, C

Correct: Supported.

Why this answer

Defender for Cloud assesses Azure VMs and on-premises servers via Azure Arc. AWS accounts are not directly assessed; only Azure resources. SQL Server on-premises is not supported unless connected via Azure Arc.

Kubernetes is not a resource type listed.

41
MCQhard

A company uses Microsoft Sentinel as its SIEM. They need to create a custom analytics rule that runs every hour and queries for failed logins from a specific IP address. Which rule scheduling option should they configure?

A.Run every 5 minutes with a 5-minute query period
B.Run every 24 hours with a 24-hour query period
C.Run every 1 hour with a 5-minute query period
D.Run every 1 hour with a 1-hour query period
AnswerD

This runs hourly and queries the last hour's data, matching the requirement.

Why this answer

Analytics rules in Sentinel have a run frequency and a query period. Option A is wrong because it runs too frequently. Option B is wrong because it runs only once a day. Option C is wrong because a 5-minute query period does not cover the full hour between runs. Option D is correct because the hourly query period covers all of the data between runs.

42
MCQmedium

A security operations center (SOC) team needs to collect security logs from Azure services, on-premises servers, and third-party firewalls. They want a cloud-native solution that provides advanced threat detection through analytics, machine learning, and the ability to hunt for threats across all data sources. Which Microsoft solution should they deploy?

A.Microsoft Defender for Cloud
B.Microsoft 365 Defender
C.Microsoft Sentinel
D.Microsoft Defender for Identity
AnswerC

Microsoft Sentinel is a scalable, cloud-native SIEM that collects data from any source, applies analytics and machine learning for threat detection, and supports proactive threat hunting.

Why this answer

Microsoft Sentinel is the correct choice because it is a cloud-native SIEM (Security Information and Event Management) solution that ingests logs from Azure services, on-premises servers, and third-party firewalls. It provides advanced threat detection via built-in analytics, machine learning models, and a powerful query language (Kusto Query Language) for threat hunting across all data sources.

Exam trap

The trap here is confusing Microsoft Defender for Cloud (a CSPM/CWPP tool) with Microsoft Sentinel (a cloud-native SIEM), as both appear in the Azure portal and deal with security logs, but only Sentinel provides centralized log ingestion, analytics, and threat hunting across heterogeneous sources.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) focused on securing cloud workloads, not a SIEM for collecting and analyzing logs from diverse sources. Option B is wrong because Microsoft 365 Defender is an extended detection and response (XDR) solution that primarily protects Microsoft 365 workloads (email, endpoints, identities) and does not natively ingest third-party firewall logs or on-premises server logs as a central SIEM. Option D is wrong because Microsoft Defender for Identity is an identity-based threat detection solution that monitors on-premises Active Directory signals, not a general-purpose log collection and hunting platform for all data sources.

43
MCQmedium

A company uses Exchange Online. The security team wants to protect users from malware hidden in email attachments by detonating them in a secure sandbox environment before delivery. Which Microsoft Defender for Office 365 feature should they enable?

A.Safe Links
B.Safe Attachments
C.Anti-Phishing
D.Anti-Spoofing
AnswerB

Safe Attachments uses dynamic analysis in a sandbox to detonate attachments and determine if they are malicious, blocking or quarantining threatening attachments before delivery.

Why this answer

Safe Attachments is the correct feature because it specifically detonates email attachments in a secure, isolated sandbox environment to detect and block malware before the message reaches the user's inbox. This feature uses dynamic analysis to observe attachment behavior in real time, ensuring zero-day threats are identified and neutralized.

Exam trap

The trap here is that candidates often confuse Safe Links with Safe Attachments because both are part of Microsoft Defender for Office 365, but Safe Links deals with URLs while Safe Attachments deals with file payloads; the question explicitly mentions 'malware hidden in email attachments' which directly points to Safe Attachments.

How to eliminate wrong answers

Option A is wrong because Safe Links protects users from malicious URLs in emails and Office documents by scanning and rewriting links at the time of click, not by detonating attachments in a sandbox. Option C is wrong because Anti-Phishing policies protect against phishing attempts by analyzing sender identity and impersonation patterns, not by sandboxing file attachments. Option D is wrong because Anti-Spoofing is a subset of anti-phishing that validates sender authenticity using SPF, DKIM, and DMARC checks, and has no attachment sandboxing capability.

44
MCQmedium

Your company uses Microsoft Purview Information Protection to classify and protect sensitive data. You need to ensure that when a user sends an email containing a credit card number, the email is automatically encrypted and a custom footer is added. Which two components should you configure?

A.Data Loss Prevention (DLP) policy for credit card numbers
B.Sensitivity label with auto-classification for credit card numbers
C.Auto-labeling policy that applies the sensitivity label to emails
D.Retention label and policy for credit card data
AnswerB, C

The label can detect credit card numbers and apply encryption.

Why this answer

Option B is correct because a sensitivity label with a sensitive info type can auto-classify credit card numbers. Option C is correct because an auto-labeling policy applies the protection and footer. Option A is wrong because DLP policies block or warn but do not encrypt.

Option D is wrong because retention policies manage lifecycle, not encryption.

45
MCQeasy

An organization uses Microsoft Sentinel for security information and event management (SIEM) and security orchestration automated response (SOAR). They want to automatically respond to a specific incident by running a playbook. What should they configure?

A.Automation rule
B.Workbook
C.Hunting query
D.Analytics rule
AnswerA

Triggers playbooks automatically on incidents.

Why this answer

Option A is correct because automation rules in Sentinel trigger playbooks based on incidents. Option D is wrong because analytics rules generate alerts, not responses. Option B is wrong because workbooks visualize data.

Option C is wrong because hunting queries proactively search for threats.

46
MCQmedium

A company runs workloads in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). The security team needs a single, unified dashboard to continuously assess the security posture of all cloud resources, identify misconfigurations, and receive prioritized recommendations for remediation. Which Microsoft security solution should they use?

A.Microsoft Defender for Cloud
B.Microsoft Defender for Cloud Apps
C.Microsoft Sentinel
D.Microsoft Defender for Endpoint
AnswerA

Defender for Cloud offers multi-cloud CSPM, allowing assessment of resources in Azure, AWS, and GCP from a single dashboard with prioritized recommendations.

Why this answer

Microsoft Defender for Cloud is the correct solution because it provides a unified cloud security posture management (CSPM) dashboard that continuously assesses resources across Azure, AWS, and GCP. It identifies misconfigurations against industry benchmarks (e.g., CIS, NIST) and delivers prioritized, actionable recommendations to remediate risks, directly meeting the requirement for a single dashboard across multi-cloud environments.

Exam trap

The trap here is confusing a cloud security posture management (CSPM) tool (Defender for Cloud) with a cloud access security broker (CASB) or a SIEM/SOAR solution, leading candidates to pick Defender for Cloud Apps or Sentinel because they also provide security visibility, but for different use cases.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) focused on shadow IT discovery, data loss prevention, and threat protection for SaaS applications (e.g., Office 365, Salesforce), not for assessing the security posture of IaaS/PaaS cloud resources across Azure, AWS, and GCP. Option C is wrong because Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration Automated Response (SOAR) solution that ingests logs and alerts for threat detection and incident response, not a continuous posture assessment and misconfiguration identification tool. Option D is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution for devices (e.g., Windows, macOS, Linux) and mobile, not for assessing the security posture of cloud infrastructure resources like VMs, storage accounts, or databases across multiple cloud providers.

47
Multi-Selecteasy

Which TWO features are part of Microsoft Entra ID? (Select two.)

Select 2 answers
A.Privileged Identity Management
B.Microsoft Sentinel
C.Conditional Access
D.Identity Protection
E.Microsoft Intune
AnswersC, D

Conditional Access is an Entra ID feature.

Why this answer

Conditional Access and Identity Protection are part of Entra ID. PIM is also part of Entra ID, but the question asks for TWO, and the keyed answers are C and D. Intune is separate.

Sentinel is separate.

48
MCQhard

Contoso has a hybrid identity with AD DS synced to Microsoft Entra ID. They want to block legacy authentication protocols that bypass MFA. Which security solution should they use?

A.Microsoft Entra Password Protection
B.Microsoft Entra ID Protection
C.Microsoft Entra Connect Health
D.Conditional Access policy
AnswerD

Conditional Access can block legacy authentication by targeting client apps.

Why this answer

Option D is correct: a Conditional Access policy can block legacy authentication. Option B: Identity Protection detects risk but doesn't block protocols. Option C: Microsoft Entra Connect Health has no such feature.

Option A: Password Protection blocks weak passwords.

49
Multi-Selecthard

An organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. Which THREE actions can be taken automatically when a DLP policy matches?

Select 3 answers
A.Automatically notify the legal department
B.Delete the sensitive content
C.Show a policy tip to the user
D.Encrypt the sensitive content
E.Block the sharing of sensitive data
AnswersC, D, E

Correct: Policy tips educate users.

Why this answer

DLP can block sharing, show policy tips, and encrypt content. It does not delete content or automatically notify legal; notification is via admin alert or user tip.

50
MCQmedium

An organization uses Microsoft Sentinel for SIEM. The security operations center (SOC) wants to automatically create an incident when a user account is compromised and suspicious activity is detected. Which Microsoft Sentinel feature should be used?

A.Analytics rules
B.Watchlists
C.Automation playbooks
D.Workbooks
AnswerA

Analytics rules create incidents from detections.

Why this answer

Analytics rules in Microsoft Sentinel can be configured to create incidents based on detection logic. Option C is incorrect because playbooks are for automated responses, not incident creation. Option D is incorrect because workbooks are for visualization.

Option B is incorrect because watchlists are for threat intelligence.

51
MCQmedium

Your organization uses Microsoft Intune for mobile device management. You need to ensure that users cannot copy corporate data from managed apps to personal apps. Which policy should you configure?

A.App Configuration Policy
B.App Protection Policy
C.Device Compliance Policy
D.Conditional Access Policy
AnswerB

APP can restrict data transfer between managed and unmanaged apps.

Why this answer

App Protection Policies (APP) in Intune protect data at the app level, with settings like 'Allow app to transfer data to other apps' set to 'None' or 'Policy managed apps only'. Compliance policies enforce device compliance. Configuration policies configure app settings.

Conditional Access can require managed apps but does not restrict data transfer. Option B is correct.

52
MCQhard

Refer to the exhibit. You are a compliance administrator running PowerShell to update a sensitivity label in Microsoft Purview. The command fails with an error that the label is not found. What is the most likely cause?

A.The -Settings parameter is deprecated.
B.The cmdlet Get-MgInformationProtectionPolicy does not return labels.
C.The user does not have permissions to view labels.
D.The label name is misspelled.
AnswerB

Labels are retrieved via Get-MgInformationProtectionSensitivityLabel.

Why this answer

The cmdlet Get-MgInformationProtectionPolicy retrieves the unified label policy. However, the labels are stored in a different location and are accessed via Get-MgInformationProtectionSensitivityLabel. The exhibit uses the wrong cmdlet.

Option B is correct. Option D is wrong because the label name is correct. Option A is wrong because the -Settings parameter syntax is acceptable.

Option C is wrong because the error indicates the label is not found, not a permissions problem.

53
MCQeasy

Refer to the exhibit. An administrator creates a Conditional Access policy in Microsoft Entra ID. What will this policy do?

A.Block access for Global Administrators unless they use MFA
B.Require MFA for all users
C.Require MFA for Global Administrators accessing any application
D.Require MFA for users accessing the Microsoft Entra admin center only
AnswerC

The policy targets Global Administrators and includes all applications.

Why this answer

Option C is correct because the policy applies to all applications, for users with the Global Administrator role, and requires MFA. Option D is wrong because the policy applies to all applications, not just the admin center. Option B is wrong because it applies to Global Administrators, not all users.

Option A is wrong because the policy requires MFA; it does not block.

54
MCQhard

You are the security administrator for a large healthcare organization that uses Microsoft 365 E5. The organization must comply with HIPAA and GDPR regulations. You have implemented Microsoft Purview Information Protection with sensitivity labels to classify and protect patient data. Recently, the compliance team identified that some documents containing Protected Health Information (PHI) are being shared externally without protection. You need to prevent users from sharing documents classified as 'Highly Confidential' with external users unless the document is encrypted and labeled. Additionally, you must ensure that any external sharing of such documents is automatically blocked. You have the following options available. Which action should you take?

A.Configure auto-labeling for SharePoint to automatically apply the 'Highly Confidential' label to all documents containing PHI
B.Create a data loss prevention (DLP) policy in Microsoft Purview that detects the 'Highly Confidential' label and blocks sharing with external users
C.Configure a conditional access policy in Microsoft Entra ID to block external access to SharePoint sites containing PHI
D.Create a retention policy for SharePoint that prevents deletion of documents with the 'Highly Confidential' label
AnswerB

DLP policies can use sensitivity labels as conditions and take actions like blocking external sharing.

Why this answer

Option B is correct because a DLP policy can detect documents with the 'Highly Confidential' label and block external sharing. Option A is incorrect because auto-labeling applies labels but does not block sharing. Option D is incorrect because retention policies do not control sharing.

Option C is incorrect because conditional access policies do not inspect document labels.

55
MCQhard

An organization is deploying Microsoft Intune for mobile device management. They need to ensure that all iOS devices must have a passcode of at least 6 characters and the device must be encrypted. What should they configure?

A.A Conditional Access policy
B.A device configuration profile
C.An app protection policy
D.A device compliance policy
AnswerD

Compliance policies define required device settings.

Why this answer

Device compliance policies in Intune can require specific settings like passcode length and encryption. Option A is incorrect because Conditional Access uses compliance status rather than defining device settings. Option B is incorrect because configuration profiles push settings but do not enforce compliance.

Option C is incorrect because app protection policies manage apps, not devices.

56 · MCQ · easy

Your company uses Microsoft Defender for Endpoint. A report shows that several devices are missing critical security updates. What feature should you use to deploy the missing updates?

A. Microsoft Intune update rings for Windows
B. Microsoft Defender for Endpoint's threat and vulnerability management (TVM)
C. Microsoft Configuration Manager
D. Microsoft Update
Answer: A

Intune can deploy and manage Windows updates.

Why this answer

Option A is correct because Microsoft Intune can manage updates for Windows devices. Option B is wrong because Defender for Endpoint detects missing updates but does not deploy them. Option D is wrong because Microsoft Update is a service, not a management tool.

Option C is wrong because Microsoft Configuration Manager is on-premises, whereas Intune is cloud-based and more likely for modern management.

57 · Multi-Select · medium

Which TWO Microsoft Purview solutions can be used to discover and classify sensitive data in Microsoft 365? (Select two.)

Select 2 answers
A. Data Loss Prevention
B. Information Protection
C. Sensitivity labels
D. Audit
E. Data Classification
Answers: B, E

Information Protection includes sensitivity labels that classify data.

Why this answer

Data Classification and Information Protection are correct. Sensitivity labels (Option C) are part of Information Protection. DLP (Option A) uses classifications but does not discover data.

Audit (Option D) tracks activities rather than classifying data.

58 · MCQ · medium

A company uses Microsoft Sentinel as its SIEM. The security team wants to automatically trigger a playbook when a high-severity incident is created. Which automation option should be used?

A. Azure Policy assignment
B. Microsoft Power Automate flow directly from Sentinel
C. Automation rule in Microsoft Sentinel
D. Azure Logic Apps HTTP trigger
Answer: C

Correct: Automation rules trigger playbooks automatically.

Why this answer

Automation rules in Microsoft Sentinel allow you to automatically run playbooks when incidents are created or updated, based on conditions like severity.

59 · MCQ · hard

You are reviewing a Microsoft Purview auto-labeling policy configuration. Based on the exhibit, what happens when a document contains a credit card number and is labeled 'Confidential'?

A. Access is allowed
B. Encryption is applied to the document
C. An administrator is notified
D. Access is blocked
Answer: D

The rule blocks access when the condition is met.

Why this answer

Option D is correct because the rule specifies the action 'blockAccess' when the condition 'contains Credit Card Number' and the label 'Confidential' are both met. Option A is wrong because the rule blocks access rather than allowing it. Option B is wrong because the rule does not apply encryption; it blocks access.

Option C is wrong because the rule does not notify an administrator.

60 · MCQ · medium

Your company uses Microsoft Defender for Cloud to secure Azure resources. You need to enable network security recommendations for all virtual networks. Which security policy should you enable?

A. Azure Security Benchmark
B. Adaptive network hardening
C. Network Security Group (NSG) flow logs
D. Just-in-time VM access
Answer: A

Azure Security Benchmark includes built-in policies for network security recommendations.

Why this answer

Option A is correct because the 'Azure Security Benchmark' policy initiative includes many network security controls. Option B is wrong because 'Adaptive network hardening' is a recommendation, not a policy. Option D is wrong because 'Just-in-time VM access' is a feature, not a policy.

Option C is wrong because 'Network Security Group (NSG) flow logs' are a resource, not a policy.

61 · MCQ · hard

Your organization has implemented Microsoft Defender for Cloud to protect Azure resources. You are responsible for security posture management. You need to ensure that all Azure VMs have the latest security updates installed. You have enabled automatic VM patching via Azure Update Manager. However, some VMs are not receiving updates because they are not registered with the Update Manager. You need to identify which VMs are missing updates and ensure they are patched. What should you do?

A. Create an Azure Policy to enforce automatic updates on all VMs.
B. Use the Microsoft Defender for Cloud recommendation 'System updates should be installed on your machines' to identify VMs missing updates, then enable auto-patching for those VMs.
C. Review Microsoft Defender for Cloud security alerts for 'Missing system updates'.
D. Use Azure Update Manager's compliance view to export a list of VMs with missing updates.
Answer: B

This recommendation lists VMs missing updates.

Why this answer

Option B is correct because Microsoft Defender for Cloud provides the recommendation 'System updates should be installed on your machines', which identifies VMs missing updates. Option A is wrong because Azure Policy can enforce compliance but does not directly identify missing updates. Option D is wrong because Azure Update Manager's compliance view shows update status, but it may not show unregistered VMs.

Option C is wrong because security alerts are for threats, not missing updates.

62 · MCQ · hard

Refer to the exhibit. The KQL query is run in Microsoft Defender for Endpoint. What is the purpose of this query?

A. To find devices with a high number of operations on potentially sensitive files.
B. To list all devices that have files named confidential.
C. To detect malware on devices.
D. To list all file creation events.
Answer: A

Correct: It identifies devices with many events on confidential-named files.

Why this answer

The query looks for devices where multiple file events (over 5) involving files with 'confidential' in the name and larger than 1000 bytes occurred in the last 7 days, grouped by device and action type.

63 · MCQ · easy

A company wants to use Microsoft Defender for Office 365 to protect against malicious links in email. Which feature should they enable?

A. Safe Attachments
B. Anti-malware policy
C. Safe Links
D. Anti-spam policy
Answer: C

Safe Links protects against malicious links in email and Office documents.

Why this answer

Safe Links is the Defender for Office 365 feature that provides time-of-click protection against malicious URLs. Option A is wrong because Safe Attachments is for attachments; Option B is wrong because the anti-malware policy is for malware; Option D is wrong because the anti-spam policy is for spam.

64 · MCQ · medium

Your organization uses Microsoft Purview to classify data. You need to automatically apply a 'Confidential' sensitivity label to any document that contains a Social Security number. What should you create?

A. An auto-labeling policy for sensitivity labels
B. A sensitivity label policy with manual labeling
C. A Data Loss Prevention (DLP) policy
D. A retention policy
Answer: A

Auto-labeling can automatically apply labels based on sensitive content detected.

Why this answer

Option A is correct because auto-labeling policies in Microsoft Purview can automatically apply sensitivity labels based on sensitive info types like SSN. Option B is wrong because a manual label policy requires user action. Option C is wrong because a DLP policy blocks sharing but doesn't apply labels.

Option D is wrong because a retention policy manages data retention, not classification.

65 · MCQ · medium

A company manages Azure virtual machines and on-premises servers. The security team needs a single dashboard that provides a secure score and actionable recommendations to improve the security posture across both environments. Which Microsoft solution should be used?

A. Microsoft 365 Defender portal
B. Microsoft Defender for Cloud
C. Microsoft Sentinel
D. Microsoft Defender for Cloud Apps
Answer: B

Defender for Cloud delivers security posture management with secure score and recommendations for Azure, on-premises, and multi-cloud environments.

Why this answer

Microsoft Defender for Cloud provides a unified dashboard that displays a secure score and actionable recommendations for Azure virtual machines, on-premises servers, and other cloud workloads. It integrates with Azure Arc to extend security monitoring to on-premises resources, enabling a single view of security posture across hybrid environments.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud (formerly Azure Security Center) with Microsoft 365 Defender, assuming the latter covers all security needs, but Microsoft 365 Defender is limited to Microsoft 365 workloads and does not assess Azure or on-premises infrastructure security posture.

How to eliminate wrong answers

Option A is wrong because Microsoft 365 Defender portal focuses on protecting Microsoft 365 workloads (e.g., email, endpoints, identities) and does not provide a secure score or recommendations for Azure VMs or on-premises servers. Option C is wrong because Microsoft Sentinel is a SIEM/SOAR solution for security information and event management, not a dashboard for secure score and posture recommendations. Option D is wrong because Microsoft Defender for Cloud Apps is a CASB (Cloud Access Security Broker) that focuses on shadow IT and app governance, not on infrastructure-level secure score or hybrid server recommendations.

66 · MCQ · hard

A company uses Microsoft Intune for mobile device management (MDM). They need to ensure that corporate data on personal devices is encrypted. Which configuration profile type should they deploy?

A. Email profile
B. Certificate profile
C. Compliance policy
D. Device restrictions profile
Answer: D

Device restrictions profile includes security settings like encryption.

Why this answer

Device restrictions profiles include settings for encryption. For iOS, this includes the 'Encrypt device' setting. Option A is wrong because an email profile is for email; Option B is wrong because a certificate profile is for certificates; Option C is wrong because a compliance policy is for compliance, not for pushing encryption settings.

67 · MCQ · easy

Your company uses Microsoft Defender for Cloud to assess the security posture of Azure resources. The security team wants to identify resources that are missing system updates. Which feature should they use?

A. Just-in-time VM access
B. Vulnerability assessment solutions
C. Adaptive application controls
D. Secure Score recommendations
Answer: D

Secure Score includes recommendations for missing updates.

Why this answer

Defender for Cloud's Secure Score includes recommendations for missing system updates. Option B is incorrect because vulnerability assessment is for vulnerabilities, not updates. Option A is incorrect because just-in-time access is for management ports.

Option C is incorrect because adaptive application controls allowlist applications.

68 · Multi-Select · medium

Which THREE Microsoft Purview features can be used to protect data in Microsoft 365? (Select three.)

Select 3 answers
A. eDiscovery
B. Data Loss Prevention
C. Insider Risk Management
D. Microsoft Defender for Cloud Apps
E. Sensitivity labels
Answers: B, C, E

DLP prevents unauthorized sharing.

Why this answer

Data Loss Prevention, Sensitivity labels, and Insider Risk Management are Purview features. Defender for Cloud Apps (Option D) is a separate product. eDiscovery (Option A) is for discovery, not protection.

69 · Multi-Select · easy

Which TWO of the following are features of Microsoft Purview Data Loss Prevention (DLP)? (Select TWO.)

Select 2 answers
A. Detect and block malware
B. Apply sensitivity labels
C. Manage user access rights
D. Provide policy tips to users
E. Monitor and prevent sharing of sensitive data
Answers: D, E

DLP can show policy tips when users attempt to share sensitive data.

Why this answer

Correct: Monitor and prevent sharing of sensitive data (E) and Provide policy tips to users (D). Option A: Malware detection is a Defender capability, not DLP. Option B: Sensitivity labels are Information Protection.

Option C: Managing user access rights is identity governance (Entra ID Governance), not DLP.

70 · MCQ · easy

Your organization uses Microsoft Intune to manage devices. You need to ensure that only devices with a passcode can access corporate email. What should you configure?

A. Device configuration policy
B. Enrollment restrictions
C. Device compliance policy
D. App protection policy
Answer: C

Compliance policies require devices to meet security requirements like passcode.

Why this answer

Compliance policies in Intune define the conditions devices must meet to be considered compliant, such as requiring a passcode. Conditional Access policies then enforce access based on compliance. Option D is incorrect because app protection policies manage data within apps, not device-level requirements.

Option A is incorrect because device configuration policies set device settings but do not enforce compliance. Option B is incorrect because enrollment restrictions control which devices can enroll.

71 · MCQ · hard

Refer to the exhibit. A security analyst in your SOC runs the provided KQL query in Microsoft Sentinel to identify users with repeated MFA or suspicious sign-in alerts. The query returns no results even though alerts exist. What is the most likely issue?

A. The 'extend' operator fails because the 'Entities' array is empty.
B. The alert names do not contain the strings 'MFA' or 'Suspicious sign-in'.
C. The TimeGenerated filter is too restrictive; alerts older than 7 days are excluded.
D. The 'has' operator is case-sensitive and the alert names are in uppercase.
Answer: B

If alert names use different terms, the filter will exclude them.

Why this answer

The query uses the 'has' operator, which is case-insensitive, but the alert names in the environment might use different wording (e.g., 'Azure AD MFA' instead of 'MFA'). Option D is incorrect because 'has' is case-insensitive. Option C is incorrect because the time range is 7 days.

Option A is incorrect because the query correctly uses 'extend'.

72 · Multi-Select · hard

Which THREE Microsoft Defender XDR components are included in the unified security operations platform? (Select three.)

Select 3 answers
A. Microsoft Defender for Office 365
B. Microsoft Defender for Cloud
C. Microsoft Defender for Identity
D. Microsoft Defender for Endpoint
E. Microsoft Defender for IoT
Answers: A, C, D

Email and collaboration protection is included.

Why this answer

Defender for Endpoint, Defender for Office 365, and Defender for Identity are part of Defender XDR. Defender for Cloud (Option B) is a separate product. Defender for IoT (Option E) is not included in the core XDR platform.

73 · MCQ · medium

An organization wants to protect against spear-phishing attacks where attackers impersonate the company's CEO or other trusted domains to trick employees into transferring funds. They need a security solution that uses machine learning to detect and prevent such impersonation attempts in incoming emails. Which Microsoft 365 protection feature should they enable?

A. Anti-spam policy
B. Anti-phishing policy (impersonation protection)
C. Safe Links
D. Safe Attachments
Answer: B

Correct. Anti-phishing policies in Defender for Office 365 include impersonation protection, which uses AI to detect and block phishing that impersonates users or domains.

Why this answer

Anti-phishing policy with impersonation protection uses machine learning models to detect and block attempts to impersonate specific users (like the CEO) or trusted domains in incoming emails. This directly addresses the scenario of spear-phishing attacks that trick employees into transferring funds by mimicking trusted senders.

Exam trap

Microsoft often tests the distinction between anti-phishing policies (which include impersonation protection) and anti-spam policies, leading candidates to mistakenly choose anti-spam when the question explicitly mentions targeted impersonation rather than generic spam.

How to eliminate wrong answers

Option A is wrong because anti-spam policy focuses on bulk unsolicited email (spam) using content filters and IP reputation, not on detecting impersonation of specific individuals or domains. Option C is wrong because Safe Links protects users from clicking malicious URLs in emails or Office documents by scanning links at time of click, but it does not detect or prevent impersonation of trusted senders. Option D is wrong because Safe Attachments scans email attachments for malware using detonation in a sandbox environment, but it does not address the impersonation aspect of spear-phishing.

74 · Multi-Select · easy

Which TWO of the following are capabilities of Microsoft Defender for Cloud? (Choose two.)

Select 2 answers
A. Email security
B. Identity protection
C. Endpoint detection and response (EDR)
D. Cloud Workload Protection (CWP)
E. Cloud Security Posture Management (CSPM)
Answers: D, E

CWP provides threat detection for workloads in Defender for Cloud.

Why this answer

Options D and E are correct. Defender for Cloud provides cloud security posture management (CSPM) and cloud workload protection (CWP). Option C is wrong because endpoint detection and response is covered by Defender for Endpoint, not Defender for Cloud.

Option A is wrong because email security is covered by Defender for Office 365. Option B is wrong because identity protection is covered by Microsoft Entra ID Protection.

75 · MCQ · medium

A company wants to improve its security posture across Microsoft 365. The security team needs a central dashboard that provides a score based on current security configurations, gives recommendations for improving the score, and allows tracking of improvement actions over time. Which Microsoft security solution should they use?

A. Microsoft Secure Score
B. Microsoft Defender for Cloud Apps
C. Microsoft Purview Compliance Manager
D. Microsoft Intune
Answer: A

Correct. Secure Score provides a central dashboard for monitoring and improving security posture across Microsoft 365 services, with a score and recommendations.

Why this answer

Microsoft Secure Score is the correct solution because it provides a central dashboard that calculates a numerical score based on the tenant's current security configurations across Microsoft 365 services. It offers prioritized improvement actions, tracks progress over time, and allows security teams to monitor and manage their security posture in a single view.

Exam trap

The trap here is that candidates often confuse Microsoft Secure Score with Microsoft Purview Compliance Manager, because both provide a score and recommendations, but Secure Score focuses on security configurations while Compliance Manager focuses on regulatory compliance controls.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) focused on discovering and controlling cloud app usage, not on providing a centralized security posture score with improvement recommendations. Option C is wrong because Microsoft Purview Compliance Manager is designed for compliance management, offering a compliance score based on controls and regulations (e.g., GDPR, ISO 27001), not a security posture score based on security configurations. Option D is wrong because Microsoft Intune is a Mobile Device Management (MDM) and Mobile Application Management (MAM) solution for managing devices and apps, not a dashboard for tracking security improvement actions across the entire Microsoft 365 environment.
