CCNA Describe the capabilities of Microsoft security solutions Questions

75 of 470 questions · Page 5/7 · Describe the capabilities of Microsoft security solutions

301
MCQ (hard)

Your organization uses Microsoft Sentinel for SIEM. You receive an alert that a user account was compromised. You need to automatically disable the user's access across all cloud apps (SaaS) and reset their password. What should you use?

A. Create a Microsoft Sentinel automated response playbook
B. Use Microsoft Intune to remote wipe the user's device
C. Manually disable the user in Microsoft Entra ID and reset password
D. Configure a Microsoft Defender for Cloud Apps session policy
Answer: A

Playbooks can automate actions like disabling user and resetting password.

Why this answer

Option A is correct because Microsoft Sentinel can use automation rules with playbooks (Logic Apps or Power Automate) to trigger actions such as disabling a user and resetting the password in Microsoft Entra ID. Option C is wrong because a manual response is not automated. Option D is wrong because Microsoft Defender for Cloud Apps can block access but cannot reset passwords.

Option B is wrong because Microsoft Intune manages devices, not user accounts.

302
MCQ (medium)

Your organization uses Microsoft Sentinel as a SIEM. You need to collect security events from on-premises servers. Which connector should you use?

A. Azure Monitor Agent (AMA)
B. Azure Security Center connector
C. Microsoft 365 Defender connector
D. Log Analytics workspace
Answer: A

AMA collects events from on-premises servers to Sentinel.

Why this answer

Option A is correct because the Azure Monitor Agent (AMA) is the recommended agent for collecting events from Windows and Linux servers into Log Analytics workspaces, which feed into Sentinel. Option D is incorrect because Log Analytics is the workspace, not a connector. Option C is incorrect because the Microsoft 365 Defender connector is for cloud services.

Option B is incorrect because Azure Security Center is now Defender for Cloud, which integrates with Sentinel but is not a connector for on-premises servers.

303
MCQ (medium)

A company runs critical applications on Azure virtual machines and on-premises SQL servers. The security team wants to reduce VM attack surface by allowing just-in-time (JIT) access to RDP and SSH ports only when needed. Additionally, they need to monitor changes to important registry keys and system files on the SQL servers. Which Microsoft security solution should they use?

A. Microsoft Defender for Cloud
B. Microsoft Defender for Endpoint
C. Microsoft Defender for Identity
D. Microsoft Defender for Cloud Apps
Answer: A

Defender for Cloud offers JIT VM access and file integrity monitoring, fulfilling both requirements.

Why this answer

Microsoft Defender for Cloud provides just-in-time (JIT) VM access to reduce the attack surface by locking down inbound traffic to RDP (port 3389) and SSH (port 22) until a user requests access. It also includes adaptive application controls and file integrity monitoring (FIM) to track changes to registry keys and system files on both Azure VMs and on-premises SQL servers. This makes it the single solution that addresses both requirements.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Endpoint's broader device protection capabilities with the specific JIT and FIM features that are exclusive to Microsoft Defender for Cloud.

How to eliminate wrong answers

Option B (Microsoft Defender for Endpoint) is wrong because it focuses on endpoint detection and response (EDR) for devices, including antivirus and behavioral analysis, but does not natively provide JIT VM access or file integrity monitoring for registry keys and system files. Option C (Microsoft Defender for Identity) is wrong because it is designed to detect identity-based threats using on-premises Active Directory signals, not to manage VM network access or monitor file/registry changes. Option D (Microsoft Defender for Cloud Apps) is wrong because it is a cloud access security broker (CASB) that controls and monitors cloud app usage, not VM access or on-premises SQL server file integrity.

304
MCQ (medium)

Your company, Fabrikam, uses Microsoft 365 and has Microsoft Purview Information Protection deployed. You need to protect sensitive documents labeled as 'Confidential' so that they cannot be printed or copied when opened in Microsoft Word. You have created a sensitivity label with the appropriate encryption settings. However, users report that they can still print and copy content from these documents. You verify that the label is published and assigned to the correct users. What should you configure to enforce the protection?

A. Configure the sensitivity label to apply an Azure Rights Management template that restricts printing and copying
B. Implement conditional access policies to block access from unmanaged devices
C. Configure auto-labeling policies to apply the label automatically
D. Create a data loss prevention policy that blocks printing and copying
Answer: A

RMS templates define user permissions for protected content.

Why this answer

Option A is correct because rights management (RMS) templates define user rights such as printing and copying. The label must be configured with an RMS template that denies these permissions. Option D is wrong because DLP policies detect and block actions but do not enforce rights within documents.

Option C is wrong because auto-labeling applies labels but does not enforce rights. Option B is wrong because conditional access policies control access, not usage rights.

305
MCQ (easy)

A company uses Microsoft Purview Information Protection to classify and label sensitive documents. The compliance team wants to automatically apply a 'Confidential' label to documents containing an employee's passport number. Which method should they use?

A. Manual labeling by users
B. Trainable classifiers
C. Auto-labeling policy
D. DLP policy
Answer: C

Auto-labeling policy can automatically apply labels based on sensitive info types.

Why this answer

Auto-labeling in Microsoft Purview uses sensitive info types to apply labels automatically based on content. Option A is wrong because it is manual; Option B is wrong because trainable classifiers are for classification, not labeling; Option D is wrong because DLP policies are for data loss prevention, not labeling.

306
MCQ (medium)

An organization wants to detect and respond to threats across their cloud infrastructure, including Azure, AWS, and GCP. Which Microsoft security solution should they centralize their security monitoring in?

A. Microsoft Purview
B. Microsoft Sentinel
C. Microsoft Defender for Cloud
D. Microsoft Defender for Cloud Apps
Answer: B

Provides SIEM across multi-cloud environments.

Why this answer

Option B is correct because Microsoft Sentinel is a cloud-native SIEM that can ingest logs from multiple clouds. Option C is wrong because Defender for Cloud focuses on Azure and hybrid workloads. Option D is wrong because Defender for Cloud Apps is a CASB.

Option A is wrong because Purview is for data governance.

307
MCQ (hard)

A security analyst is using Microsoft 365 Defender to investigate a sophisticated multi-stage attack. The analyst needs to query data across endpoints, email, and identity logs to identify the attacker's behavior patterns and correlate events. Which Microsoft 365 Defender capability should the analyst use?

A. Automated investigation and response
B. Threat analytics
C. Advanced hunting
D. Action center
Answer: C

Advanced hunting uses KQL to query raw data from multiple Microsoft 365 Defender components, enabling custom threat hunting and correlation across data sources.

Why this answer

Advanced hunting is the correct capability because it provides a Kusto Query Language (KQL)-based query interface that allows the security analyst to perform custom, cross-domain searches across data from endpoints (Microsoft Defender for Endpoint), email (Microsoft Defender for Office 365), and identity logs (Microsoft Defender for Identity). This enables the correlation of events and identification of attacker behavior patterns across a multi-stage attack, which is not possible with the other options.

Exam trap

The trap here is that candidates often confuse 'Advanced hunting' with 'Threat analytics' because both involve investigating threats, but Threat analytics is a passive reading tool for pre-built reports, while Advanced hunting is an active, custom query engine for raw data correlation.

How to eliminate wrong answers

Option A is wrong because Automated investigation and response (AIR) is designed to automatically respond to confirmed threats by running playbooks and taking remediation actions, not for manually querying and correlating raw data across multiple domains. Option B is wrong because Threat analytics provides curated threat intelligence reports and vulnerability information about known attackers and campaigns, but it does not allow custom queries across endpoint, email, and identity logs. Option D is wrong because the Action center is a centralized location to review and approve or reject pending remediation actions from automated investigations, not a tool for querying or hunting across data sources.

308
MCQ (medium)

A company uses Microsoft 365. The security team wants to protect users from clicking malicious URLs in email messages. The solution should rewrite all links in incoming emails so that when a user clicks them, the URL is checked in real time against a dynamic list of known malicious sites. Which Microsoft Defender for Office 365 feature should they enable?

A. Anti-phishing policies
B. Safe Attachments
C. Safe Links
D. Anti-spam policies
Answer: C

Safe Links rewrites URLs and checks them on click, providing protection against malicious links.

Why this answer

Safe Links is the correct feature because it is specifically designed to protect users from malicious URLs in email messages and Office documents. It rewrites all links in incoming emails so that when a user clicks them, the URL is checked in real time against a dynamic list of known malicious sites, providing time-of-click protection.

Exam trap

The trap here is that candidates often confuse Safe Links with Anti-phishing policies, but Anti-phishing policies handle impersonation and spoofing detection, not URL rewriting and real-time click verification.

How to eliminate wrong answers

Option A is wrong because Anti-phishing policies protect against phishing attempts by analyzing email content and sender reputation, but they do not rewrite URLs or provide real-time URL scanning at click time. Option B is wrong because Safe Attachments protects against malicious attachments by detonating them in a sandbox environment, not by rewriting or scanning URLs in email messages. Option D is wrong because Anti-spam policies filter out spam messages based on content and sender analysis, but they do not rewrite URLs or perform real-time URL checks.

309
MCQ (medium)

Your organization uses Microsoft Sentinel. You need to create an automation rule that automatically closes a low-severity incident after 24 hours of inactivity. Which action should you include in the rule?

A. Run playbook
B. Create incident
C. Add comment
D. Change status to Closed
Answer: D

The action changes the incident status to Closed after 24 hours of inactivity.

Why this answer

Automation rules in Microsoft Sentinel can change incident status. The 'Change status' action can set an incident to 'Closed'. 'Run playbook' triggers a playbook but does not close the incident directly. 'Create incident' creates a new incident. 'Add comment' adds a comment. Option D, 'Change status to Closed', is therefore correct.

310
MCQ (hard)

You are reviewing a Microsoft Sentinel KQL query. What is the primary purpose of this query?

A. Identify all users who have attempted to log on to Microsoft Teams more than 10 times in the last 7 days and who are global administrators
B. Identify users with high logon attempts to Teams and high failed sign-ins, possibly indicating a brute-force attack
C. Identify users with high failed sign-ins and check if they have conditional access policies applied
D. Identify users with high successful logon attempts to Teams and correlate with failed sign-ins to detect account compromise
Answer: B

The query correlates high Teams logon attempts with high failed sign-ins, a common brute-force indicator.

Why this answer

Option B is correct because the query joins IdentityLogonEvents (Teams logon attempts) with AADNonInteractiveUserSignInLogs (failed non-interactive sign-ins) and sorts by high failed sign-ins. This identifies users with many Teams logon attempts and many failed sign-ins, which could indicate brute-force attacks. Option A is incorrect because the query does not filter for admin roles.

Option D is incorrect because the focus is on failed sign-ins, not successful ones. Option C is incorrect because the query does not include any information about conditional access policies.

311
Multi-Select (medium)

Which TWO capabilities are provided by Microsoft Defender for Cloud Apps?

Select 2 answers
A. Email security
B. Cloud Discovery to identify shadow IT
C. Data loss prevention for cloud apps
D. Endpoint detection and response
E. Identity protection
Answers: B, C

Cloud Discovery identifies unsanctioned cloud app usage.

Why this answer

Option B is correct because Defender for Cloud Apps provides Cloud Discovery to identify shadow IT. Option C is correct because it offers DLP capabilities for cloud apps. Option D is wrong because endpoint detection and response is provided by Defender for Endpoint.

Option E is wrong because identity protection is provided by Entra ID Protection. Option A is wrong because email security is provided by Defender for Office 365.

312
MCQ (hard)

A manufacturing company experiences repeated ransomware attacks targeting their on-premises file servers. They have Microsoft 365 E5 and want to implement a solution to detect and automatically respond to such threats across hybrid environments. What should they deploy?

A. Microsoft Defender for Identity
B. Microsoft Purview Communication Compliance
C. Microsoft Defender for Office 365
D. Microsoft Defender for Cloud Apps
Answer: A

It monitors on-premises Active Directory and detects attacker behavior.

Why this answer

Option A is correct because Microsoft Defender for Identity is designed to protect on-premises Active Directory and detect attacks such as ransomware. Option D is wrong because Microsoft Defender for Cloud Apps focuses on SaaS applications. Option C is wrong because Microsoft Defender for Office 365 protects cloud email and collaboration.

Option B is wrong because Microsoft Purview is for data governance and compliance.

313
MCQ (hard)

An organization wants to implement a zero-trust security model. They plan to require multi-factor authentication (MFA) for all users accessing sensitive applications, but only when the sign-in risk is medium or higher. Which Microsoft Entra ID capability should they use?

A. Microsoft Entra ID Privileged Identity Management (PIM)
B. Microsoft Entra ID Conditional Access policy with risk condition
C. Microsoft Defender for Cloud Apps access policy
D. Microsoft Entra ID Protection risk detection policy
Answer: B

Conditional Access policies can use sign-in risk to trigger MFA.

Why this answer

Option B is correct because Conditional Access policies can evaluate sign-in risk (from Identity Protection) and require MFA when the risk is medium or higher. Option D is wrong because Identity Protection itself detects risk but does not enforce policies. Option A is wrong because Privileged Identity Management (PIM) manages privileged roles.

Option C is wrong because Microsoft Defender for Cloud Apps provides app control, not risk-based MFA.

314
MCQ (hard)

A tenant administrator runs the PowerShell cmdlet shown in the exhibit. The output shows that some compliance policies have IsAssigned = $false. What does this indicate?

A. The compliance policy is scheduled to be assigned in the future
B. The compliance policy is not assigned to any user or device group
C. The compliance policy has been evaluated and found non-compliant
D. The compliance policy is a built-in policy that cannot be assigned
Answer: B

IsAssigned indicates assignment status.

Why this answer

The `IsAssigned` property in the output of a compliance policy PowerShell cmdlet (such as `Get-DeviceCompliancePolicy`) directly indicates whether the policy has been assigned to any user or device group. When `IsAssigned = $false`, it means the policy exists in the tenant but has not been linked to any group via an assignment, so it is not being enforced on any devices. This is a core concept in Microsoft Intune and Microsoft 365 compliance: a policy must be assigned to a group to take effect.

Exam trap

The trap here is that candidates confuse `IsAssigned` with compliance evaluation status or policy type, mistakenly thinking it indicates future scheduling, non-compliance, or built-in restrictions, rather than understanding it simply reflects whether the policy has been assigned to a group.

How to eliminate wrong answers

Option A is wrong because a future scheduled assignment would still show `IsAssigned = $true` once the assignment is configured; the property reflects the existence of an assignment, not its activation time. Option C is wrong because `IsAssigned` has nothing to do with compliance evaluation results—non-compliant devices are tracked via the `ComplianceStatus` property, not `IsAssigned`. Option D is wrong because built-in policies (like default compliance policies) can still be assigned and would show `IsAssigned = $true` if they are; the property does not indicate whether a policy is built-in or custom.

315
Multi-Select (easy)

A company wants to enforce multifactor authentication for all users. Which TWO Microsoft Entra ID features can be used together to achieve this?

Select 2 answers
A. Conditional Access
B. Identity Protection
C. Security defaults
D. Authentication methods (Settings)
E. Password protection
Answers: A, D

Both can be used to require MFA.

Why this answer

Conditional Access policies can require MFA, and Authentication methods management allows configuring the MFA methods. Security defaults also enforce MFA but are not a feature that can be combined with Conditional Access. Identity Protection is risk-based.

Password protection is not MFA.

316
MCQ (hard)

A company deploys Microsoft Entra ID Protection. The security team wants to automatically block sign-ins from anonymous IP addresses. They configure a Conditional Access policy. Which assignment condition should they use?

A. User risk level condition with 'Medium'
B. Device condition with 'Compliant'
C. Sign-in risk level condition with 'High'
D. Location condition with 'Any IP'
Answer: C

Sign-in risk level condition includes 'Anonymous IP address' as a high risk detection.

Why this answer

Entra ID Protection provides risk detections like 'Anonymous IP address'. Conditional Access can use this as a condition. Option A is wrong because it's too broad; Option B is wrong because it's for compliance; Option D is wrong because it's for device trust.

317
MCQ (medium)

A company uses Microsoft 365 and sanctioned cloud apps like Salesforce and Box. The security team wants to prevent users from downloading sensitive documents from these apps when accessing from unmanaged personal devices, while still allowing read-only access. They need real-time session monitoring and control. Which Microsoft security solution should they use?

A. Microsoft Defender for Office 365
B. Microsoft Defender for Cloud Apps
C. Microsoft Defender for Identity
D. Microsoft Defender for Endpoint
Answer: B

Defender for Cloud Apps can enforce session policies via Conditional Access App Control, allowing granular control over actions like download, upload, and copy based on user, device, and data sensitivity.

Why this answer

Microsoft Defender for Cloud Apps provides real-time session monitoring and control via its Conditional Access App Control feature. This allows administrators to enforce policies that block downloads or restrict access to sensitive data based on device compliance, such as blocking downloads from unmanaged personal devices while permitting read-only access. The solution integrates with sanctioned cloud apps like Salesforce and Box to apply these controls at the session level.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud Apps with Microsoft Defender for Office 365, assuming that Office 365 covers all cloud app security, but Defender for Office 365 is limited to Microsoft 365 services and cannot enforce session policies on third-party SaaS apps like Salesforce or Box.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Office 365 focuses on email and collaboration security (e.g., anti-phishing, anti-malware) and does not provide session-level control over third-party cloud apps like Salesforce or Box. Option C is wrong because Microsoft Defender for Identity is designed to detect identity-based threats (e.g., compromised accounts, lateral movement) using on-premises Active Directory signals, not to monitor or control user sessions in cloud apps. Option D is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution that protects devices from malware and attacks, but it does not offer real-time session monitoring or conditional access controls for cloud app sessions.

318
MCQ (hard)

Refer to the exhibit. You are reviewing a Microsoft Purview DLP policy JSON snippet. The policy is enabled and contains one rule. What is the effect of this rule?

A. Applies only to SharePoint, not Exchange.
B. Only audits the activity, does not block.
C. Blocks access and sends a policy tip to users.
D. Blocks access to content containing a credit card number in Exchange and SharePoint, without user notification.
Answer: D

The rule has 'BlockAccess' action and no notification settings.

Why this answer

The rule detects credit card numbers in Exchange Online and SharePoint Online. The action 'BlockAccess' will block access to the content. The rule does not include user notification, so users will not receive a policy tip.

The policy applies to all users (no user filter). Option D correctly describes this.

319
Drag & Drop (medium)

Sequence the steps to enable Microsoft Defender for Cloud Apps for an organization.


Why this order

Enabling Defender for Cloud Apps involves signing in, connecting an app, configuring settings, granting permissions, and verifying connectivity.

320
MCQ (medium)

A security team manages a hybrid environment with on-premises Windows servers and Azure VMs. They need a solution that can detect lateral movement attacks, pass-the-hash attempts, and anomalous service account behavior on the on-premises Active Directory environment. They also want these alerts to be integrated into Microsoft Defender for Cloud for centralized monitoring. Which Microsoft security solution should they deploy on their on-premises domain controllers?

A. Microsoft Defender for Office 365
B. Microsoft Defender for Identity
C. Microsoft Defender for Endpoint
D. Microsoft Intune
Answer: B

Defender for Identity is a cloud-based security solution that integrates with on-premises Active Directory to detect suspicious user and entity behavior, including lateral movement and pass-the-hash attacks.

Why this answer

Microsoft Defender for Identity (MDI) is the correct solution because it is specifically designed to monitor on-premises Active Directory traffic and detect advanced threats like lateral movement, pass-the-hash, and anomalous service account behavior. It integrates directly with Microsoft Defender for Cloud to provide centralized alerting and investigation across hybrid environments.

Exam trap

The trap here is that candidates may confuse Microsoft Defender for Identity with Microsoft Defender for Endpoint, assuming endpoint protection covers identity threats, but MDI is the only solution that directly monitors on-premises Active Directory for lateral movement and pass-the-hash attacks.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Office 365 protects against email-based threats (phishing, malware in attachments/links) and does not monitor on-premises Active Directory or detect lateral movement or pass-the-hash attacks. Option C is wrong because Microsoft Defender for Endpoint focuses on endpoint detection and response (EDR) for devices (Windows, Linux, macOS) and does not natively analyze on-premises AD domain controller traffic for identity-based attacks. Option D is wrong because Microsoft Intune is a cloud-based mobile device management (MDM) and mobile application management (MAM) solution; it does not provide security monitoring or threat detection for on-premises Active Directory.

321
MCQ (medium)

A security operations team investigates a multi-stage attack that began with a phishing email, then moved to credential compromise, and finally to lateral movement on endpoints. They need a single pane of glass to view the entire attack story, including the initial email, the compromised user's sign-in activities, and processes on affected devices. Which Microsoft security solution provides this unified investigation experience?

A. Microsoft Sentinel
B. Microsoft Defender for Cloud
C. Microsoft 365 Defender
D. Microsoft Defender for Identity
Answer: C

Microsoft 365 Defender unifies alerts and incidents from Microsoft Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps into a single view.

Why this answer

Microsoft 365 Defender (now Microsoft Defender XDR) provides a unified investigation experience by correlating signals across email, identity, and endpoint domains into a single incident view. This allows the security team to see the full attack story—from the initial phishing email in Defender for Office 365, to the compromised user's sign-in activities via Defender for Identity, and the lateral movement processes on endpoints through Defender for Endpoint—all within one console.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel (a SIEM) with Microsoft 365 Defender (an XDR), assuming that any cross-domain investigation requires a SIEM, when in fact Microsoft 365 Defender provides the native, pre-correlated attack story across email, identity, and endpoints without needing custom log ingestion.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a SIEM/SOAR solution that ingests logs from multiple sources but does not natively provide the pre-correlated, cross-domain attack story across email, identity, and endpoints in a single pane of glass; it requires custom analytics rules and data connectors to stitch the story together. Option B is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection platform focused on cloud resources (VMs, databases, containers), not on investigating phishing emails, user sign-ins, or endpoint lateral movement. Option D is wrong because Microsoft Defender for Identity is an on-premises identity threat detection solution that monitors Active Directory signals (e.g., Kerberos, NTLM, LDAP) and can detect credential compromise and lateral movement, but it does not cover the initial phishing email or endpoint process details, and it lacks the unified incident view across all three domains.

322
MCQ (medium)

A company uses Microsoft Defender for Office 365 and wants to protect users from malicious attachments in email. They need a feature that scans email attachments in a sandbox environment before they are delivered to recipients. Which Defender for Office 365 feature should they use?

A. Safe Links
B. Safe Attachments
C. Anti-phishing policies
D. Anti-spam policies
Answer: B

Safe Attachments uses sandboxing to scan attachments for malicious content before they reach the user's inbox.

Why this answer

Safe Attachments is the correct feature because it specifically detonates email attachments in a sandbox environment before delivery, analyzing them for malicious behavior. This protects users from zero-day threats and advanced malware that signature-based detection might miss.

Exam trap

The trap here is confusing Safe Attachments (which scans attachments in a sandbox) with Safe Links (which scans URLs), as both are part of Microsoft Defender for Office 365 but serve different protection purposes.

How to eliminate wrong answers

Option A is wrong because Safe Links protects users from malicious URLs in email and Office documents, not attachments. Option C is wrong because Anti-phishing policies protect against phishing attempts by analyzing sender reputation and impersonation patterns, not by scanning attachments in a sandbox. Option D is wrong because Anti-spam policies filter unwanted bulk email based on content and sender reputation, not by detonating attachments in a sandbox.

323
MCQ (hard)

You are troubleshooting a Windows device that is reporting as non-compliant in Microsoft Intune. The exhibit shows the output of a PowerShell command run on the device. Based on the output, which component is likely misconfigured?

A. Microsoft Defender for Endpoint sensor onboarding
B. Antivirus protection
C. Antispyware protection
D. Microsoft Defender Antivirus real-time protection
Answer: A

The sensor onboarding status is not shown; the device may not be fully onboarded.

Why this answer

Option D is correct because the output shows that all Defender components are enabled, so the issue is likely not with Defender for Endpoint. The non-compliance could be due to missing updates, which are not shown. Option A is wrong because AMService is enabled.

Option B is wrong because Antispyware is enabled. Option C is wrong because Antivirus is enabled.

324
MCQ (medium)

A financial institution is deploying Microsoft Sentinel to monitor security events across its hybrid cloud environment. They want to correlate alerts from multiple sources and automate incident response. Which Microsoft Sentinel feature should they use to create automated workflows?

A. Workbooks
B. Analytics rules
C. Playbooks
D. Hunting queries
Answer: C

Playbooks are used to automate incident response by running predefined actions (like blocking an IP or notifying a team) when triggered by an alert or incident.

Why this answer

Playbooks in Microsoft Sentinel are built on Azure Logic Apps and allow you to automate incident response by defining a series of actions triggered by alerts. They can orchestrate tasks such as blocking IPs, opening tickets, or notifying teams, making them the correct choice for creating automated workflows.

Exam trap

The trap here is confusing the purpose of Analytics rules (alert generation) with Playbooks (automated response), as both are part of the detection and response pipeline but serve distinct roles.

How to eliminate wrong answers

Option A is wrong because Workbooks are used for visualizing and analyzing data through dashboards, not for automating workflows. Option B is wrong because Analytics rules define conditions for generating alerts from data sources, but they do not execute automated response actions. Option D is wrong because Hunting queries are ad-hoc searches for potential threats in raw log data, not for creating automated incident response workflows.

325
MCQ (medium)

Refer to the exhibit. A Microsoft Purview DLP policy is configured. When a user attempts to share a document containing a credit card number externally, what will happen?

A. The document is shared but the user is notified.
B. The sharing attempt is blocked and the user receives a notification.
C. The document is encrypted before sharing.
D. The policy has no effect because no severity level is set.
Answer: B

Both actions are specified in the policy rule.

Why this answer

The rule has both 'BlockAccess' and 'NotifyUser' actions, so the sharing attempt will be blocked and the user will be notified. Option A is wrong because notifying without blocking is not what is configured. Option C is wrong because the policy does not include encryption.

Option D is wrong because the policy is active and will block regardless of severity level.

326
MCQeasy

A company wants to block users from accessing phishing websites via Microsoft Edge. Which Microsoft security solution should they use?

A.Microsoft Defender for Endpoint
B.Microsoft Purview
C.Microsoft Intune
D.Microsoft Defender SmartScreen
AnswerD

This is the correct answer because Defender SmartScreen provides real-time protection against phishing and malicious websites.

Why this answer

Microsoft Defender SmartScreen protects against phishing and malicious websites, so Option D is correct. Option A (Microsoft Defender for Endpoint) focuses on endpoint detection and response, not web filtering.

Option B (Microsoft Purview) is for data governance. Option C (Microsoft Intune) is for device management.

327
MCQhard

A company wants to gain visibility into the use of unsanctioned cloud applications (shadow IT) within their organization. The security team has access to network proxy logs that show traffic to various cloud services. They want to use a Microsoft security solution to analyze these logs and identify which cloud apps are being used, by whom, and how much data is being consumed. Which capability of Microsoft Defender for Cloud Apps should they use?

A.App governance
B.Cloud Discovery
C.Conditional Access App Control
D.App Connectors
AnswerB

Cloud Discovery uses log data to discover and evaluate cloud app usage, helping identify shadow IT and providing insights into usage patterns.

Why this answer

Cloud Discovery in Microsoft Defender for Cloud Apps analyzes network proxy logs (or traffic logs from firewalls and proxies) to identify unsanctioned cloud app usage (shadow IT). It provides visibility into which cloud apps are being used, by which users, and how much data is consumed, directly matching the company's requirement to analyze logs for shadow IT detection.

Exam trap

The trap here is that candidates confuse Cloud Discovery (log analysis for shadow IT discovery) with App Connectors (API-based integration for managed apps), leading them to select App Connectors because they think 'connecting' to apps is needed to see usage.

How to eliminate wrong answers

Option A is wrong because App governance is a feature for monitoring and controlling app permissions and data access within Microsoft 365 (e.g., OAuth apps), not for analyzing network proxy logs to discover unsanctioned cloud apps. Option C is wrong because Conditional Access App Control is a reverse proxy capability that enforces access policies in real time for managed apps, not a log analysis tool for discovering shadow IT. Option D is wrong because App Connectors are used to connect Defender for Cloud Apps to specific cloud apps (e.g., Salesforce, AWS) via APIs for deep visibility and control, not for analyzing network proxy logs to discover unsanctioned apps.

328
MCQmedium

An organization uses Exchange Online and is concerned about phishing attacks that include malicious hyperlinks. They need a security solution that checks URLs at the time a user clicks them and blocks access to known malicious or suspicious websites. The solution must also provide real-time reputation analysis for link clicks. Which Microsoft security solution should they enable?

A.Microsoft Defender for Endpoint
B.Microsoft Defender for Office 365
C.Microsoft Defender for Cloud Apps
D.Microsoft Sentinel
AnswerB

Microsoft Defender for Office 365 includes Safe Links and Safe Attachments to protect users from malicious content in email and Office apps. Safe Links specifically provides time-of-click protection for URLs.

Why this answer

Microsoft Defender for Office 365 (MDO) provides Safe Links, a feature specifically designed to protect against phishing attacks by scanning URLs at the time of click. It performs real-time reputation analysis against Microsoft's threat intelligence to block access to known malicious or suspicious websites. This directly addresses the requirement for click-time URL verification and blocking.

Exam trap

The trap here is that candidates confuse endpoint security (Defender for Endpoint) with email security (Defender for Office 365), overlooking that the question explicitly mentions Exchange Online and click-time URL analysis, which is a core Safe Links feature of MDO.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint focuses on endpoint device protection (antivirus, EDR, attack surface reduction) and does not include click-time URL scanning for Exchange Online emails. Option C is wrong because Microsoft Defender for Cloud Apps is a CASB that provides visibility and control over cloud app usage, not real-time link click protection for email. Option D is wrong because Microsoft Sentinel is a SIEM/SOAR solution for security information and event management, not an inline email security feature for URL reputation analysis.

329
Multi-Selecteasy

A company wants to use Microsoft Intune to manage devices. Which TWO capabilities does Intune provide?

Select 2 answers
A.Mobile device management (MDM)
B.Compliance assessment for cloud resources
C.Endpoint detection and response
D.Mobile application management (MAM)
E.Identity and access management
AnswersA, D

Correct: Core feature.

Why this answer

Intune provides mobile device management (MDM) and mobile application management (MAM). Endpoint detection is from Defender, compliance assessment is from Defender for Cloud, and identity management from Entra ID.

330
MCQeasy

Your organization uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate email. Which policy should you configure?

A.Device compliance policy in Microsoft Intune
B.Enrollment restrictions in Microsoft Intune
C.App protection policy in Microsoft Intune
D.Conditional Access policy in Microsoft Entra ID
AnswerD

Conditional Access enforces access controls based on device compliance.

Why this answer

Conditional Access policies in Microsoft Entra ID evaluate signals such as device compliance status from Intune before granting access to cloud apps like Exchange Online. By configuring a Conditional Access policy that requires device compliance, only devices marked as compliant by Intune can access corporate email. This is the correct mechanism because Conditional Access acts as the gatekeeper that enforces the compliance requirement at the authentication and authorization layer.

Exam trap

The trap here is that candidates often confuse the policy that defines compliance (Intune Device Compliance) with the policy that enforces access based on that compliance (Entra ID Conditional Access), leading them to pick Option A instead of D.

How to eliminate wrong answers

Option A is wrong because a Device compliance policy in Microsoft Intune defines the security requirements (e.g., encryption, OS version) and marks a device as compliant or non-compliant, but it does not enforce access control to corporate email on its own. Option B is wrong because Enrollment restrictions in Microsoft Intune control which devices can enroll into management (e.g., by platform or manufacturer), not whether already enrolled devices can access email. Option C is wrong because App protection policies in Microsoft Intune manage data protection within apps (e.g., preventing copy/paste or requiring PIN) but do not evaluate device compliance or block access to email based on the device's overall compliance state.

331
MCQeasy

A company wants to collect security logs from on-premises servers, cloud applications, and network devices into a central repository, and then use advanced analytics to detect threats and automate incident response. Which Microsoft security solution should they deploy?

A.Microsoft Sentinel
B.Microsoft Defender for Cloud
C.Microsoft 365 Defender
D.Azure Firewall
AnswerA

Microsoft Sentinel provides SIEM and SOAR capabilities, allowing centralized log collection, threat detection, and automated response across hybrid environments.

Why this answer

Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution. It collects security logs from diverse sources like on-premises servers, cloud apps, and network devices into a central Log Analytics workspace, then uses built-in analytics and machine learning to detect threats and automate incident response via playbooks.

Exam trap

The trap here is that candidates confuse Microsoft Sentinel (a SIEM/SOAR) with Microsoft Defender for Cloud (a CSPM/CWPP), thinking both do log collection and threat detection, but only Sentinel provides a unified SIEM repository with advanced analytics and automated response across hybrid and multi-cloud sources.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP), not a SIEM; it focuses on assessing and hardening cloud resources, not central log collection and advanced threat analytics across hybrid environments. Option C is wrong because Microsoft 365 Defender is an Extended Detection and Response (XDR) solution that correlates signals across Microsoft 365 products (e.g., Defender for Endpoint, Defender for Office 365), but it does not ingest logs from third-party network devices or on-premises servers into a single SIEM repository. Option D is wrong because Azure Firewall is a managed network firewall service that filters traffic based on rules; it provides logging for its own traffic but cannot aggregate logs from multiple sources or perform threat detection analytics.

332
Multi-Selecthard

Which TWO of the following are capabilities of Microsoft Defender for Office 365?

Select 2 answers
A.Scan email attachments in a sandbox environment before delivery
B.Protect against spear-phishing attacks using impersonation protection
C.Enforce device compliance policies for mobile devices
D.Place a legal hold on mailboxes for eDiscovery
E.Monitor user behavior for compromised accounts
AnswersA, B

Safe Attachments does this.

Why this answer

Option A is correct because Microsoft Defender for Office 365 includes Safe Attachments, which detonates email attachments in a virtual sandbox environment before delivery to the user's mailbox. This allows the service to analyze the file for malicious behavior without risking the recipient's device.

Exam trap

The trap here is that candidates confuse the broader Microsoft 365 Defender suite (which includes Defender for Office 365, Defender for Endpoint, Defender for Identity, and Defender for Cloud Apps) with the specific capabilities of Defender for Office 365 alone, leading them to select features like UEBA or device compliance that belong to other security products.

333
MCQeasy

An organization wants to allow users to sign in using their mobile phone number and a verification code. Which Microsoft Entra ID feature enables this?

A.FIDO2 security keys
B.App passwords
C.SMS-based authentication
D.Password hash synchronization
AnswerC

SMS-based authentication uses phone number for sign-in.

Why this answer

Microsoft Entra ID supports SMS-based authentication, so Option C is correct. Option A (FIDO2) uses hardware keys.

Option D (Password Hash Sync) is for synchronizing password hashes, not for sign-in. Option B (App passwords) is for legacy apps.

334
MCQeasy

A company uses Microsoft 365 and wants to protect its users from clicking malicious links in phishing emails. The security team needs a solution that rewrites URLs in email messages to check the link at the time of click, and blocks access if the link is malicious. Which Microsoft security solution should they use?

A.Azure Firewall
B.Microsoft Defender for Office 365
C.Microsoft Defender for Endpoint
D.Microsoft Defender for Identity
AnswerB

Microsoft Defender for Office 365 provides Safe Links and Safe Attachments features to protect against malicious links and attachments in emails and Office documents. Safe Links rewrites URLs and checks them at click time.

Why this answer

Microsoft Defender for Office 365 includes Safe Links, a feature specifically designed to protect users from malicious URLs in email messages. Safe Links rewrites URLs at the time of delivery, and when a user clicks a link, it checks the destination in real time against threat intelligence; if the link is malicious, access is blocked. This directly matches the requirement to rewrite URLs and perform click-time verification.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Office 365 (which includes Safe Links and Safe Attachments for email security) with Microsoft Defender for Endpoint (which protects devices) or Azure Firewall (which protects network traffic), leading them to select a solution that does not address the specific email URL rewriting requirement.

How to eliminate wrong answers

Option A is wrong because Azure Firewall is a network-layer firewall that filters traffic based on IP addresses, ports, and protocols; it does not rewrite URLs in email messages or perform click-time link inspection. Option C is wrong because Microsoft Defender for Endpoint focuses on endpoint detection and response (EDR), antivirus, and vulnerability management on devices; it does not rewrite URLs in email or provide click-time URL protection. Option D is wrong because Microsoft Defender for Identity monitors on-premises Active Directory signals to detect identity-based attacks (e.g., lateral movement, privilege escalation); it does not inspect or rewrite URLs in email messages.

335
MCQeasy

Your company wants to use Microsoft Defender for Identity to detect security threats from on-premises Active Directory. What is a prerequisite for deploying Defender for Identity?

A.Obtain Microsoft 365 E3 licenses
B.Install a sensor on each user's workstation
C.Install a sensor on a domain controller
D.Configure Azure AD Connect
AnswerC

The sensor monitors domain controller traffic to detect threats.

Why this answer

Microsoft Defender for Identity requires the sensor to be installed on a domain controller or AD FS server, so Option C is correct. Option B is wrong because the sensor must be installed on a domain controller, not a workstation.

Option D is wrong because Azure AD Connect sync is not required. Option A is wrong because, although a Microsoft 365 E5 license is needed, the deployment prerequisite asked about is the sensor installed on DCs.

336
MCQmedium

Your organization is implementing Microsoft Purview Data Loss Prevention (DLP) to protect credit card numbers. You need to ensure that when a user attempts to share a document containing a credit card number via email, the email is blocked and the user receives a policy tip. Which action should you configure in the DLP policy?

A.Notify user
B.Audit only
C.Block with user notification
D.Block override
AnswerC

Block with user notification prevents the email and shows a policy tip.

Why this answer

In Microsoft Purview DLP, the 'Block' action with user notification sends a policy tip and blocks the email. 'Block override' allows the user to override with a justification. 'Audit only' logs without blocking. 'Notify user' sends a notification but does not block. Option C is correct because it blocks the email and shows a policy tip.

337
Multi-Selecthard

A SOC analyst is investigating a potential security incident in Microsoft Sentinel. Which three are valid methods to gather additional context about a user entity? (Choose three.)

Select 3 answers
A.Create an automation rule to assign the incident
B.Run an advanced hunting query in Microsoft 365 Defender
C.Open the entity page for the user in Microsoft Sentinel
D.Add the user to a watchlist
E.Run a playbook that queries external threat intelligence sources
AnswersB, C, E

Advanced hunting allows deep search across data sources.

Why this answer

Options B, C, and E are correct because advanced hunting, entity pages, and playbooks provide context. Option D is wrong because watchlists are static and not for investigation. Option A is wrong because automation rules are for incident handling, not investigation.

338
Multi-Selectmedium

Which THREE capabilities are provided by Microsoft Defender for Cloud? (Choose three.)

Select 3 answers
A.Security recommendations for resources
B.Just-in-Time (JIT) VM access
C.Vulnerability assessment for virtual machines
D.Regulatory compliance assessment
E.Cloud Security Posture Management (CSPM)
AnswersA, C, E

Correct: Provides recommendations to improve security.

Why this answer

Microsoft Defender for Cloud provides Cloud Security Posture Management (CSPM), vulnerability assessment for VMs, and security recommendations. Threat protection for Azure workloads is also a capability, but it is part of the broader Defender for Cloud workload protection plans. The question asks for capabilities, and CSPM, vulnerability assessment, and security recommendations are the core ones.

Option B (Just-in-Time VM access) is also a feature, but the three most common are A, C, E.

339
MCQeasy

An organization uses Microsoft 365 Defender and wants to automate the investigation and response to common email-based phishing attacks. They want the system to automatically take actions such as deleting malicious emails from user inboxes across the organization after analysis. Which Microsoft 365 Defender component provides this automated capability?

A.Azure AD Identity Protection
B.Microsoft Defender for Office 365
C.Microsoft Defender for Endpoint
D.Microsoft Defender for Cloud Apps
AnswerB

This solution protects against email threats and includes automated investigation and response for phishing attacks.

Why this answer

Microsoft Defender for Office 365 includes automated investigation and response (AIR) capabilities specifically designed for email-based threats like phishing. When a phishing email is detected, AIR can automatically trigger remediation actions—such as soft-deleting or hard-deleting the malicious message from user mailboxes—based on predefined playbooks, without requiring manual intervention.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Office 365 with Microsoft Defender for Endpoint, mistakenly thinking endpoint protection can handle email threats, but only Defender for Office 365 includes the email-specific automated investigation and response (AIR) engine.

How to eliminate wrong answers

Option A is wrong because Azure AD Identity Protection focuses on detecting and responding to identity-based risks (e.g., compromised credentials, sign-in anomalies) and does not have the ability to delete emails from user inboxes. Option C is wrong because Microsoft Defender for Endpoint is designed to protect endpoints (devices) from malware and advanced attacks, not to analyze or remove emails from mailboxes. Option D is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that governs cloud application usage and data protection, but it does not provide automated email remediation for phishing attacks.

340
Multi-Selectmedium

Your organization uses Microsoft Defender for Cloud to assess the security posture of its Azure resources. Which two actions can be taken to improve the Secure Score? (Choose two.)

Select 2 answers
A.Delete unused Azure resources to simplify management
B.Disable diagnostic logging for storage accounts
C.Implement security recommendations by remediating unhealthy resources
D.Disable non-critical virtual machines to reduce attack surface
E.Enable Microsoft Defender for Cloud plans for all supported resource types
AnswersC, E

Remediating recommendations directly increases Secure Score.

Why this answer

Options C and E are correct because implementing recommendations and enabling Defender plans improve Secure Score. Option D is wrong because disabling VMs reduces the attack surface but does not improve the score. Option A is wrong because removing resources may reduce the score.

Option B is wrong because disabling logging reduces visibility.

341
MCQhard

Your organization, Contoso Ltd., has a hybrid environment with on-premises Active Directory and Microsoft Entra ID. You are deploying Microsoft Defender for Identity (MDI) to protect against identity-based attacks. You have installed the MDI sensor on domain controllers and configured the service with the necessary permissions. After installation, you notice that MDI is not generating alerts for pass-the-hash attacks. You have verified that the sensors are healthy and that audit policies are correctly configured. You need to ensure that MDI can detect pass-the-hash attacks. What should you do?

A.Enable password hash synchronization in Microsoft Entra Connect
B.Install the Azure ATP agent on all servers
C.Enable Kerberos event logging on domain controllers
D.Configure multi-factor authentication for all users
AnswerA

PHS is required for MDI to detect pass-the-hash attacks.

Why this answer

Option A is correct because enabling password hash synchronization (PHS) in Entra Connect allows MDI to analyze NTLM hashes and detect pass-the-hash attacks. Option D is wrong because MFA does not affect MDI detection. Option C is wrong because Kerberos logging is not required for pass-the-hash detection.

Option B is wrong because Azure ATP is the legacy name for MDI; the MDI sensor is already installed on the domain controllers.

342
MCQeasy

Your company uses Microsoft 365 E5 and wants to provide a unified security dashboard showing alerts from endpoints, email, identity, and cloud apps. Which solution should you use?

A.Microsoft Defender XDR portal (security.microsoft.com)
B.Microsoft Sentinel
C.Microsoft Intune admin center
D.Microsoft Purview Compliance Portal
AnswerA

The XDR portal provides a unified view of alerts from endpoints, email, identity, and cloud apps.

Why this answer

Option A is correct because Microsoft Defender XDR (formerly Microsoft 365 Defender) provides a unified dashboard for alerts across domains. Option B is wrong because Microsoft Sentinel is a SIEM that ingests logs but is not a simple dashboard. Option D is wrong because Microsoft Purview is for compliance.

Option C is wrong because Microsoft Intune is for device management.

343
MCQmedium

A company uses Azure virtual machines (IaaS) and on-premises Windows servers. The security team needs a single solution that provides a continuous assessment of security posture, a regulatory compliance dashboard for NIST SP 800-53, and integrated threat detection for hybrid workloads (e.g., brute force attacks on SSH). Which Microsoft security solution should they use?

A.Microsoft Defender for Cloud
B.Microsoft Defender for Cloud Apps
C.Microsoft Defender for Identity
D.Microsoft Sentinel
AnswerA

Defender for Cloud offers unified CSPM and threat protection for hybrid environments, including a regulatory compliance dashboard with built-in standards like NIST SP 800-53.

Why this answer

Microsoft Defender for Cloud is the correct choice because it provides continuous assessment of security posture (via the Secure Score), a regulatory compliance dashboard with built-in standards like NIST SP 800-53, and integrated threat detection for hybrid workloads, including brute force attacks on SSH for Azure VMs and on-premises servers. It unifies these capabilities across IaaS, on-premises, and other cloud environments, making it the single solution the security team needs.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (which covers infrastructure security posture and threat detection for workloads) with Microsoft Sentinel (a SIEM), but Sentinel requires manual configuration of data connectors and workbooks to achieve the same compliance dashboard and does not provide continuous posture assessment out of the box.

How to eliminate wrong answers

Option B (Microsoft Defender for Cloud Apps) is wrong because it is a Cloud Access Security Broker (CASB) focused on shadow IT discovery, app permissions, and data protection for SaaS applications, not on infrastructure-level security posture or compliance dashboards for NIST SP 800-53. Option C (Microsoft Defender for Identity) is wrong because it is an identity-based threat detection solution that monitors on-premises Active Directory signals (e.g., Kerberos, NTLM) for attacks like pass-the-hash, not for brute force attacks on SSH or VM-level security posture. Option D (Microsoft Sentinel) is wrong because it is a Security Information and Event Management (SIEM) solution that ingests logs from multiple sources for advanced analytics and incident response, but it does not natively provide a continuous security posture assessment or a built-in regulatory compliance dashboard for NIST SP 800-53 without additional workbooks and configurations.

344
MCQhard

Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel. What is the most likely purpose of this query?

A.To identify successful logins after multiple failures
B.To detect privilege escalation events
C.To detect accounts that have been locked out
D.To identify potential brute-force attack attempts
AnswerD

High number of failed logins from a single account is a common sign of brute-force attacks.

Why this answer

Option D is correct because the query counts failed login events (EventID 4625) per account and computer, filtering for accounts with more than 10 failures, which indicates a potential brute-force attack. Option C is wrong because the query does not check for account lockouts. Option A is wrong because the query does not check for successful logins.

Option B is wrong because the query does not check for privilege escalation.

345
MCQmedium

A security operations team needs to protect their organization's Windows 10 and Windows 11 devices from advanced persistent threats (APTs), ransomware, and fileless malware. They also require a centralized dashboard to view device security posture, investigate incidents, and perform proactive threat hunting using advanced queries. Which Microsoft security solution should they deploy?

A.Microsoft Defender for Endpoint
B.Microsoft Defender for Office 365
C.Microsoft Defender for Identity
D.Microsoft Defender for Cloud Apps
AnswerA

Defender for Endpoint provides comprehensive endpoint protection, including EDR, threat hunting, and a centralized security operations console for Windows devices.

Why this answer

Microsoft Defender for Endpoint (MDE) is the correct solution because it provides endpoint detection and response (EDR) capabilities specifically designed to protect Windows 10 and Windows 11 devices against advanced persistent threats (APTs), ransomware, and fileless malware. It includes a centralized dashboard (Microsoft 365 Defender portal) for viewing device security posture, investigating incidents, and performing proactive threat hunting using advanced hunting queries based on Kusto Query Language (KQL).

Exam trap

The trap here is that candidates often confuse the scope of each Defender product, mistakenly selecting Defender for Office 365 or Defender for Identity because they see 'threat protection' in the question, but fail to recognize that the requirement specifically mentions endpoint devices (Windows 10/11) and advanced hunting queries, which are exclusive to Defender for Endpoint.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Office 365 focuses on protecting email, SharePoint, OneDrive, and Teams from threats like phishing and malware, not on endpoint device protection or advanced hunting for APTs and fileless malware. Option C is wrong because Microsoft Defender for Identity monitors on-premises Active Directory signals to detect identity-based attacks (e.g., pass-the-hash, Kerberoasting), not endpoint device security posture or fileless malware on Windows 10/11. Option D is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that protects cloud applications and data, not Windows endpoints, and does not provide device-level advanced hunting or EDR capabilities.

346
MCQhard

A company uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. They need to prevent users from sharing credit card numbers via email, but allow sharing via Microsoft Teams messages. What should they configure?

A.Create a DLP policy scoped to Exchange Online with a block action, and a separate DLP policy scoped to Teams with an audit-only action
B.Create a single DLP policy that blocks credit card numbers in both Exchange and Teams
C.Configure an exception in the DLP policy for Teams using a rule exception
D.Use Microsoft Purview Insider Risk Management to block sharing in Teams
AnswerA

This allows blocking in email while only auditing in Teams, meeting the requirement.

Why this answer

Option A is correct because Microsoft Purview DLP allows you to create separate policies scoped to different workloads. By creating a DLP policy for Exchange Online with a block action, you prevent credit card numbers from being shared via email. A separate DLP policy scoped to Microsoft Teams with an audit-only action allows sharing in Teams while still logging the activity for monitoring.

Exam trap

The trap here is that candidates assume a single DLP policy with multiple locations can have different actions per location, but in reality, the action is applied uniformly across all selected locations unless separate policies are created.

How to eliminate wrong answers

Option B is wrong because a single DLP policy scoped to both Exchange and Teams would apply the same action (block) to both workloads, which would prevent sharing in Teams as well. Option C is wrong because DLP policies do not support rule exceptions that exempt an entire workload like Teams; exceptions are typically used for specific conditions like trusted domains or IP ranges. Option D is wrong because Microsoft Purview Insider Risk Management is designed to detect and investigate risky user activities, not to enforce real-time blocking of sensitive data sharing in Teams.

347
MCQhard

Your organization, Fabrikam Inc., uses Microsoft 365 E5 licenses. The security team is deploying Microsoft Purview to protect sensitive data. They need to ensure that when a user attempts to share a document containing credit card numbers with an external partner, the action is blocked and the user receives a policy tip. Additionally, the incident should be logged for investigation. You have already created a sensitivity label for credit card data and auto-labeled documents. Which Microsoft Purview feature should you configure to meet these requirements?

A.Enable Microsoft Purview Insider Risk Management to detect the sharing activity.
B.Implement Microsoft Purview Records Management with a retention label that prevents sharing.
C.Create a Data Loss Prevention (DLP) policy that applies to documents containing credit card numbers, with an action to block sharing and notify users via policy tip.
D.Configure a sensitivity label policy that blocks external sharing when the label is applied.
AnswerC

DLP policies can detect sensitive data and enforce actions like blocking and policy tips.

Why this answer

Data Loss Prevention (DLP) policies in Microsoft Purview can detect sensitive information (e.g., credit card numbers) in documents and emails, block sharing, display policy tips, and generate incident reports. Sensitivity labels alone do not enforce restrictions on sharing. Records management handles retention.

Insider risk management detects risky user activities. Audit logs record events but do not block actions.

348
Multi-Selecthard

Your company uses Microsoft Purview to meet data privacy regulations. You need to discover and classify personal data stored in Azure SQL Database. Which THREE tools or features can you use?

Select 3 answers
A.Microsoft 365 compliance center
B.Azure Information Protection
C.Microsoft Purview Data Estate Insights
D.Data Classification in Azure SQL Database
E.Microsoft Purview Data Map
AnswersC, D, E

Data Estate Insights provides reports on data classification and sensitivity.

Why this answer

Options C, D, and E are correct. Microsoft Purview Data Map (E) scans and catalogs data sources. Data classification in Azure SQL Database (D) is a built-in feature to classify columns.

Microsoft Purview Data Estate Insights (C) provides visibility into the data estate. Option B is wrong because Azure Information Protection is for labeling files, not databases. Option A is wrong because the Microsoft 365 compliance center is for Microsoft 365 data, not Azure SQL.

349
MCQeasy

Your organization wants to automatically investigate and remediate email-based threats in Microsoft 365. Which security solution should you use?

A.Microsoft Defender for Endpoint
B.Microsoft Defender for Office 365
C.Microsoft Defender for Cloud Apps
D.Microsoft Sentinel
AnswerB

Automated investigation and remediation for email threats.

Why this answer

Microsoft Defender for Office 365 is the correct solution because it is specifically designed to protect against email-based threats such as phishing, malware, and business email compromise (BEC). It provides automated investigation and remediation capabilities through features like Automated Investigation and Response (AIR) and Threat Explorer, which can automatically analyze and remediate malicious emails, attachments, and URLs in Exchange Online.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Office 365 with Microsoft Defender for Endpoint, assuming endpoint protection covers email threats, but email security is a separate workload requiring dedicated protection for Exchange Online and SharePoint Online.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint focuses on protecting endpoints (e.g., devices, servers) from threats like malware and ransomware, not on email-based threats. Option C is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that governs and protects cloud applications, not specifically email threats. Option D is wrong because Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution for enterprise-wide threat detection and response, not a dedicated email security solution.

350
Multi-Selectmedium

Which TWO of the following are capabilities of Microsoft Defender for Cloud Apps? (Select TWO.)

Select 2 answers
A.Enforce device compliance policies
B.Provide threat analytics reports
C.Control access with Conditional Access App Control
D.Classify sensitive data across cloud apps
E.Discover shadow IT cloud apps
AnswersC, E

Conditional Access App Control provides session and access controls.

Why this answer

Correct: Discover shadow IT cloud apps (E) and control access with Conditional Access App Control (C). Option D is wrong because classifying sensitive data is a Purview DLP capability, not Defender for Cloud Apps. Option A is wrong because device compliance is enforced by Intune/Entra.

Option B is wrong because threat analytics reports are in Defender for Endpoint/Office.

351
Multi-Selectmedium

Which THREE of the following are features of Microsoft Purview Data Loss Prevention (DLP)? (Choose three.)

Select 3 answers
A.Provide policy tips to users
B.Detect sensitive data in email messages
C.Apply sensitivity labels automatically
D.Retain data for a specified period
E.Monitor sensitive data on endpoints
AnswersA, B, E

Policy tips inform users about policy violations in real-time.

Why this answer

Options A, B, and E are correct. DLP can detect sensitive data in emails, monitor endpoints, and be customized with policy tips. Option C is wrong because sensitivity labels are part of Information Protection, not DLP directly.

Option D is wrong because retention policies are part of Records Management.

352
MCQmedium

An organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. They need to ensure that when a user tries to share a document containing a credit card number externally via email, the user sees a policy tip and the email is blocked. Which DLP rule action should they configure?

A.Notify user with policy tip only
B.Block the message and notify the user with a policy tip
C.Block the message only
D.Redirect the message to the compliance admin
AnswerB

This blocks the email and sends a policy tip to the user.

Why this answer

DLP rules can have actions like 'Block' and 'Notify user with policy tip'. Option A is wrong because it doesn't block; Option C is wrong because it doesn't notify; Option D is wrong because it doesn't block.

353
MCQhard

A company uses Microsoft Defender for Endpoint on all workstations and Microsoft Defender for Office 365 for email protection. The security operations team wants a single console to see all incidents from both products, automatically investigate and respond to threats across endpoints and email, and integrate with Microsoft Sentinel for advanced hunting. Which Microsoft security solution should they use?

A.Microsoft 365 Defender
B.Microsoft Defender for Cloud
C.Microsoft Purview Compliance Portal
D.Microsoft Entra ID Protection
AnswerA

Microsoft 365 Defender (Defender XDR) correlates signals from multiple Microsoft Defender products into unified incidents and enables automated response across domains.

Why this answer

Microsoft 365 Defender is the correct solution because it provides a unified incident queue that aggregates alerts from Microsoft Defender for Endpoint and Microsoft Defender for Office 365, enabling automated investigation and response (AIR) across endpoints and email. It also natively integrates with Microsoft Sentinel for advanced hunting via the Microsoft 365 Defender connector, allowing the security operations team to correlate signals and perform cross-domain threat hunting.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (which protects cloud workloads) with Microsoft 365 Defender (which unifies endpoint, email, and identity security), leading them to select the cloud-focused option instead of the cross-workload unified solution.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection platform (CWPP) for Azure, on-premises, and multi-cloud environments; it does not unify endpoint and email incidents or provide the automated investigation and response across those workloads. Option C is wrong because Microsoft Purview Compliance Portal focuses on data governance, compliance, and risk management (e.g., data classification, eDiscovery, audit), not on security incident management or automated threat response. Option D is wrong because Microsoft Entra ID Protection (formerly Azure AD Identity Protection) detects identity-based risks such as leaked credentials and anomalous sign-ins, but it does not aggregate endpoint or email incidents, nor does it provide automated response across those domains.

354
MCQeasy

A company uses Microsoft 365 and several third-party SaaS apps. The security team wants to detect when a user signs in from a remote location that is significantly far from their typical sign-in location within a very short time, indicating possible account compromise. Which Microsoft security solution should they use?

A.Microsoft Defender for Cloud Apps
B.Microsoft Defender for Identity
C.Microsoft Defender for Office 365
D.Microsoft Defender for Endpoint
AnswerA

Defender for Cloud Apps includes anomaly detection policies like impossible travel that can detect sign-ins from geographically distant locations in a short time.

Why this answer

Microsoft Defender for Cloud Apps (MDCA) provides the 'impossible travel' detection capability, which analyzes sign-in events across both Microsoft 365 and third-party SaaS apps. It uses machine learning to establish a baseline of a user's typical sign-in locations and then alerts when two sign-ins occur from geographically distant locations within a time frame that makes physical travel impossible, indicating a potential account compromise.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud Apps with Microsoft Defender for Identity, assuming identity protection covers all sign-in anomalies, but MDCA specifically handles cross-cloud app behavioral analytics like impossible travel, while Defender for Identity is limited to on-premises AD and hybrid identity threats.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Identity focuses on on-premises Active Directory and hybrid identity threats (e.g., Kerberos attacks, DCSync), not cross-SaaS sign-in anomaly detection. Option C is wrong because Microsoft Defender for Office 365 protects email and collaboration workloads (e.g., phishing, malware in attachments), not user sign-in behavior across multiple SaaS apps. Option D is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution for devices (e.g., malware, fileless attacks), not for analyzing cloud app sign-in patterns.

355
MCQeasy

Your organization wants to ensure that all external emails are automatically tagged with a disclaimer at the top of the email body. Which Microsoft Exchange Online feature should you configure?

A.Journal rule
B.Data loss prevention (DLP) policy
C.Safe Links policy
D.Mail flow rule (transport rule)
AnswerD

Mail flow rules can apply disclaimers to messages based on conditions.

Why this answer

Option D is correct because mail flow rules (transport rules) can add disclaimers to emails. Option B is incorrect because DLP policies do not add disclaimers. Option C is incorrect because Safe Links adds URL protection, not disclaimers.

Option A is incorrect because journaling archives emails.

356
Multi-Selecthard

Which THREE of the following are features of Microsoft Purview Insider Risk Management?

Select 3 answers
A.Phishing simulation campaigns
B.Vulnerability scanning of network endpoints
C.Detection of repeated security policy violations by a user
D.Detection of unauthorized data exfiltration via email
E.Forensic evidence capturing user actions on devices
AnswersC, D, E

It can detect cumulative policy violations.

Why this answer

Insider Risk Management includes detecting data leaks, detecting security policy violations, and providing forensic evidence. Vulnerability scanning (B) is not part of Insider Risk Management; it's part of Defender for Cloud. Phishing simulation (A) is part of Attack Simulation Training.

357
MCQmedium

An organization uses Microsoft Defender for Cloud to secure its Azure workloads. They want to receive recommendations for improving the security posture of their virtual machines. What should they enable?

A.Microsoft Defender for Cloud Apps
B.Microsoft Sentinel
C.Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM)
D.Azure Policy
AnswerC

Correct: CSPM provides recommendations for improving security posture.

Why this answer

Microsoft Defender for Cloud provides security recommendations based on assessments. Enabling Defender for Cloud (with the foundational CSPM or enhanced security features) will generate recommendations.

358
MCQmedium

An organization wants to protect against business email compromise (BEC) attacks where attackers impersonate the CEO to trick employees into transferring funds. Which Microsoft Defender for Office 365 capability should they configure to detect such impersonation?

A.Safe Attachments
B.Safe Links
C.Impersonation protection
D.Spoof intelligence
AnswerC

Impersonation protection is part of anti-phishing policies and allows you to define users (e.g., CEO) and domains to protect against impersonation.

Why this answer

Impersonation protection in Defender for Office 365 is specifically designed to detect and block business email compromise (BEC) attacks where an attacker spoofs a trusted sender, such as a CEO or CFO. It uses machine learning and sender intelligence to analyze email patterns and flag messages that impersonate internal or external high-value targets, making it the correct capability for this scenario.

Exam trap

The trap here is that candidates often confuse impersonation protection (user-level) with spoof intelligence (domain-level), assuming both handle the same type of attack, but impersonation protection is the only one that detects CEO fraud by analyzing sender identity rather than just domain authentication.

How to eliminate wrong answers

Option A is wrong because Safe Attachments protects against malware by detonating attachments in a sandbox, not against impersonation-based BEC attacks. Option B is wrong because Safe Links protects users from malicious URLs in emails and Office documents by checking links at click-time, not from sender impersonation. Option D is wrong because Spoof intelligence handles domain-level spoofing (e.g., forged From addresses using similar domains) but does not cover user-level impersonation of specific individuals like a CEO.

359
MCQhard

A company runs containerized applications on Azure Kubernetes Service (AKS) and stores container images in Azure Container Registry. The security team wants to automatically scan container images for vulnerabilities every time a new image is pushed to the registry and receive recommendations for remediation. Which Microsoft security solution should they enable?

A.Microsoft Defender for Endpoint
B.Microsoft Defender for Identity
C.Microsoft Defender for Cloud
D.Microsoft Defender for Office 365
AnswerC

Defender for Cloud includes the Defender for Container Registries plan that automatically scans images for vulnerabilities and provides remediation recommendations.

Why this answer

Microsoft Defender for Cloud provides integrated vulnerability assessment for container images stored in Azure Container Registry. When enabled, it automatically scans each new image pushed to the registry, identifies known vulnerabilities (using the Qualys scanner or Microsoft's own threat intelligence), and generates actionable remediation recommendations. This directly meets the security team's requirement for automated scanning and remediation guidance.

Exam trap

The trap here is that candidates confuse 'Defender for Cloud' (which covers workload protection including containers) with 'Defender for Endpoint' (which is device-focused), leading them to incorrectly select A because they think container scanning is an endpoint function.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint is designed for endpoint detection and response (EDR) on devices (e.g., Windows, macOS, Linux servers), not for scanning container images in a registry. Option B is wrong because Microsoft Defender for Identity focuses on detecting identity-based threats (e.g., compromised accounts, lateral movement) in on-premises Active Directory and cloud identities, not container image vulnerability scanning. Option D is wrong because Microsoft Defender for Office 365 protects against email threats (phishing, malware, spoofing) and collaboration risks in Microsoft 365 apps, not container registries or image scanning.

360
MCQeasy

A security administrator is using Microsoft Defender for Cloud to improve the security posture of Azure resources. The administrator wants to view a consolidated assessment of compliance with industry standards such as CIS and NIST. Which feature should be used?

A.Regulatory compliance dashboard
B.Secure Score
C.Azure Policy
D.Microsoft Sentinel
AnswerA

This dashboard directly provides compliance assessments against industry standards like CIS and NIST, showing which controls pass or fail.

Why this answer

The Regulatory compliance dashboard in Microsoft Defender for Cloud provides a consolidated view of compliance with industry standards like CIS and NIST. It continuously assesses Azure resources against built-in compliance frameworks and displays the results in a dashboard, showing which controls are passing or failing. This directly meets the administrator's need to view a consolidated assessment of compliance with those specific standards.

Exam trap

The trap here is that candidates often confuse Secure Score (which shows overall security posture) with the Regulatory compliance dashboard (which specifically maps to industry standards), leading them to pick Secure Score when the question explicitly asks for compliance with CIS and NIST.

How to eliminate wrong answers

Option B (Secure Score) is wrong because Secure Score measures the overall security posture based on security recommendations, not compliance with specific industry standards like CIS or NIST. Option C (Azure Policy) is wrong because Azure Policy enforces and audits resource configurations using custom or built-in policies, but it does not provide a consolidated compliance dashboard against industry frameworks; it is a rule engine, not a compliance reporting tool. Option D (Microsoft Sentinel) is wrong because Microsoft Sentinel is a SIEM/SOAR solution for threat detection, investigation, and response, not a compliance assessment tool for Azure resources against standards like CIS or NIST.

361
MCQmedium

A company uses Microsoft 365 and wants to protect users from malicious attachments in email. The security team wants a solution that detonates attachments in a sandbox environment before delivery, and only allows the email through if the attachment is deemed safe. Which Microsoft security solution should they use?

A.Microsoft Defender for Office 365
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Cloud Apps
D.Azure Firewall
AnswerA

Correct. Defender for Office 365's Safe Attachments feature detonates attachments in a sandbox to block malicious ones.

Why this answer

Microsoft Defender for Office 365 includes Safe Attachments, a feature that detonates email attachments in a virtual sandbox environment before delivery. It analyzes the attachment's behavior for malicious activity and only releases the email to the recipient's mailbox if the attachment is deemed safe, directly meeting the requirement for pre-delivery sandboxing.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Office 365 (which handles email security) with Microsoft Defender for Endpoint (which handles device security), leading them to select the wrong solution for email-specific threats.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Endpoint focuses on endpoint detection and response (EDR) for devices, not email attachment sandboxing. Option C is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) for controlling shadow IT and data protection across SaaS apps, not for email attachment detonation. Option D is wrong because Azure Firewall is a network-layer firewall that filters traffic based on IP/port rules, not capable of detonating email attachments in a sandbox.

362
MCQmedium

A company uses Microsoft Defender for Cloud to secure its Azure resources. The security team wants to receive a single recommendation for all resources that are missing just-in-time (JIT) VM access. Which Microsoft Defender for Cloud feature should they use?

A.Regulatory compliance dashboard
B.Security recommendations
C.Inventory
D.Security alerts
AnswerB

Security recommendations provide actionable steps to improve security posture, including enabling JIT.

Why this answer

Security recommendations in Defender for Cloud provide a list of best practices like enabling JIT. Option A is wrong because it's for compliance; Option C is wrong because it's for inventory; Option D is wrong because it's for alerts.

363
MCQhard

A company uses Azure SQL Database for a critical line-of-business application. The security team wants to enable threat protection that specifically detects and alerts on SQL injection attempts and anomalous database access patterns. Which workload protection plan should they enable within Microsoft Defender for Cloud?

A.Azure Defender for Servers
B.Azure Defender for SQL
C.Azure Defender for App Service
D.Azure Defender for Storage
AnswerB

Azure Defender for SQL is the dedicated plan for Azure SQL databases and SQL servers on machines. It includes vulnerability assessments and threat detection for SQL injection and other database threats.

Why this answer

Azure Defender for SQL is the correct workload protection plan because it is specifically designed to detect and alert on SQL injection attempts and anomalous database access patterns for Azure SQL Database. It uses Microsoft's threat intelligence and machine learning to monitor database activity, providing targeted alerts for SQL-specific threats, unlike other Defender plans that focus on different resource types.

Exam trap

The trap here is that candidates may confuse Azure Defender for SQL with Azure Defender for App Service, mistakenly thinking SQL injection is a web application attack, but SQL injection targets the database layer, which is protected by the SQL-specific plan, not the App Service plan.

How to eliminate wrong answers

Option A is wrong because Azure Defender for Servers protects virtual machines and their operating systems, not Azure SQL Database, and it does not specialize in SQL injection detection. Option C is wrong because Azure Defender for App Service secures web applications and APIs, focusing on threats like DDoS or web app vulnerabilities, not database-level SQL injection. Option D is wrong because Azure Defender for Storage monitors storage accounts for anomalies like unusual access patterns or malware uploads, but it does not cover SQL databases or SQL injection attempts.

364
MCQhard

A security operations center (SOC) wants to enrich their detection capabilities by automatically correlating internal network logs with external threat intelligence feeds containing known malicious IP addresses and domains. They need to ingest, normalize, and prioritize these indicators and generate alerts when matches are found. Which Microsoft security solution provides built-in capabilities for this purpose?

A.Microsoft Sentinel
B.Microsoft Defender for Cloud
C.Microsoft Defender for Endpoint
D.Microsoft 365 Defender
AnswerA

Sentinel natively supports threat intelligence connectors and analytics rules to correlate feeds with log data.

Why this answer

Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) solution that provides built-in capabilities to ingest logs from internal network sources, normalize them using common data models, and automatically correlate them with external threat intelligence feeds (e.g., STIX/TAXII). It can prioritize indicators based on severity and generate real-time alerts when matches are found, making it the correct choice for this SOC requirement.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel (a SIEM) with Microsoft 365 Defender (an XDR), assuming that XDR covers all security operations needs, but XDR lacks the broad log ingestion and custom threat intelligence feed integration that a SIEM provides.

How to eliminate wrong answers

Option B (Microsoft Defender for Cloud) is wrong because it is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) focused on securing cloud resources, not a SIEM for ingesting and correlating internal network logs with external threat intelligence feeds. Option C (Microsoft Defender for Endpoint) is wrong because it is an endpoint detection and response (EDR) solution that protects individual devices, not a centralized platform for ingesting diverse network logs and threat intelligence. Option D (Microsoft 365 Defender) is wrong because it is an extended detection and response (XDR) solution that correlates signals across Microsoft 365 products (e.g., email, endpoints, identities), but it lacks the broad log ingestion and custom threat intelligence feed integration capabilities of a dedicated SIEM like Sentinel.

365
MCQeasy

Your company is deploying Microsoft Defender for Office 365. The security team wants to automatically remove malicious attachments from emails before they reach user inboxes. Which protection feature should be configured?

A.Anti-spam policies
B.Safe Attachments policies
C.Anti-phishing policies
D.Safe Links policies
AnswerB

Safe Attachments scans and removes malicious attachments.

Why this answer

Safe Attachments in Defender for Office 365 detonates attachments in a sandbox and removes malicious ones before delivery. Option D is incorrect because Safe Links protects URLs, not attachments. Option C is incorrect because anti-phishing policies target phishing attempts.

Option A is incorrect because anti-spam policies handle spam, not malware.

366
Multi-Selecteasy

Which TWO Microsoft security solutions can be used to centrally manage security policies across hybrid environments including on-premises and cloud? (Choose TWO.)

Select 2 answers
A.Microsoft Sentinel
B.Microsoft Defender for Cloud
C.Microsoft Defender for Office 365
D.Microsoft Intune
E.Microsoft Defender for Cloud Apps
AnswersA, B

Sentinel ingests logs from on-premises and cloud sources for centralized monitoring.

Why this answer

Microsoft Defender for Cloud provides unified security management across multicloud and on-premises. Microsoft Sentinel is a SIEM/SOAR that aggregates security data from various sources. Defender for Cloud Apps focuses on SaaS applications.

Defender for Office 365 protects email. Intune manages endpoints. Defender for Cloud and Sentinel work across hybrid environments.

367
MCQhard

Your company uses Microsoft 365 Copilot to assist employees with drafting emails and documents. The security team needs to ensure that when Copilot accesses sensitive data, it respects the organization's sensitivity labels and does not expose highly confidential information to unauthorized users. What should the security team configure?

A.Configure Microsoft Defender for Cloud Apps session policies
B.Apply Microsoft Purview sensitivity labels to data and enable Copilot data protection
C.Disable Copilot for all users
D.Create a data loss prevention policy that blocks Copilot
AnswerB

Sensitivity labels are honored by Copilot to protect data.

Why this answer

Option B is correct because Microsoft Purview sensitivity labels are integrated with Microsoft 365 Copilot to enforce data protection. Option C is wrong because disabling Copilot for all users removes the feature rather than protecting the data it accesses. Option D is wrong because data loss prevention policies block sharing but do not control Copilot access.

Option A is wrong because Microsoft Defender for Cloud Apps is for cloud app security, not Copilot.

368
MCQmedium

You are a security administrator for Contoso Ltd. The company uses Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Entra ID. Recently, several users reported receiving phishing emails that bypassed the existing anti-phishing policies. The security team suspects that attackers are using sophisticated techniques to evade detection. You need to enhance the email security posture by implementing a solution that uses AI and machine learning to detect advanced phishing attempts, including those using social engineering and impersonation. Which Microsoft solution should you use?

A.Microsoft Sentinel
B.Microsoft Defender for Office 365
C.Microsoft Defender for Cloud Apps
D.Microsoft Defender for Identity
AnswerB

Defender for Office 365 provides AI-driven protection against sophisticated phishing attacks, including impersonation and advanced threats.

Why this answer

Microsoft Defender for Office 365 includes advanced anti-phishing capabilities with AI and machine learning, such as impersonation protection and spoof intelligence. Microsoft Sentinel is a SIEM/SOAR, not an email security solution. Defender for Cloud Apps is a CASB.

Defender for Identity identifies threats via on-premises AD signals. Microsoft Purview focuses on compliance and data governance.

369
MCQeasy

A company wants to restrict access to a sensitive SharePoint site based on the user's location and device compliance. Which Microsoft Entra ID feature should they configure?

A.Conditional Access
B.Privileged Identity Management
C.Entitlement Management
D.Identity Protection
AnswerA

Conditional Access policies allow location and device compliance conditions.

Why this answer

Conditional Access policies can enforce location and device compliance, so Option A is correct. Option B (Privileged Identity Management) is for role management.

Option C (Entitlement Management) is for access packages. Option D (Identity Protection) is for risk detection.

370
Drag & Dropmedium

Arrange the steps to configure multi-factor authentication (MFA) for a user in Azure AD.


Why this order

MFA configuration involves navigating to user settings, requiring re-registration, user registration, and policy enforcement.

371
Multi-Selectmedium

Which THREE are capabilities of Microsoft Purview Data Loss Prevention (DLP)? (Choose three.)

Select 3 answers
A.Automatically classify and label data
B.Detect sensitive information in documents and emails
C.Block sharing of sensitive data with external users
D.Manage encryption keys for data at rest
E.Provide policy tips to users when they attempt to share sensitive data
AnswersB, C, E

DLP uses sensitive info types to detect data.

Why this answer

Options B, C, and E are correct. DLP can detect sensitive info, block sharing, and show policy tips to users in Microsoft 365 apps. Option A is wrong because DLP does not classify automatically (auto-labeling is separate).

Option D is wrong because DLP does not manage encryption keys.

372
MCQhard

A security operations center (SOC) team needs to ingest security logs from on-premises servers, Azure virtual machines, and SaaS applications like Salesforce. They want a cloud-native solution that uses machine learning to detect threats, provides a unified query language for hunting, and supports automated incident response through playbooks. Which Microsoft solution should they deploy?

A.Microsoft Defender for Cloud
B.Microsoft Sentinel
C.Microsoft 365 Defender
D.Microsoft Defender for Endpoint
AnswerB

Microsoft Sentinel is the correct SIEM+SOAR solution that ingests logs from multiple sources, provides advanced threat detection via ML, and supports automation with playbooks.

Why this answer

Microsoft Sentinel is the correct choice because it is a cloud-native SIEM (Security Information and Event Management) solution that ingests logs from on-premises servers, Azure VMs, and SaaS applications like Salesforce. It uses built-in machine learning to detect threats, offers the Kusto Query Language (KQL) for unified hunting, and supports automated incident response via playbooks built on Azure Logic Apps.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a CSPM tool) with a SIEM, or assume Microsoft 365 Defender can ingest third-party SaaS logs, but only Microsoft Sentinel provides a cloud-native SIEM with unified log ingestion, ML threat detection, and automated playbook response.

How to eliminate wrong answers

Option A (Microsoft Defender for Cloud) is wrong because it is a Cloud Security Posture Management (CSPM) and workload protection tool, not a SIEM; it lacks a unified query language for hunting across diverse log sources and does not natively support playbook-driven incident response. Option C (Microsoft 365 Defender) is wrong because it is an XDR (Extended Detection and Response) solution focused on Microsoft 365 endpoints, email, and identities, not designed to ingest logs from on-premises servers or third-party SaaS like Salesforce. Option D (Microsoft Defender for Endpoint) is wrong because it is an endpoint-specific EDR (Endpoint Detection and Response) tool, not a SIEM; it cannot aggregate logs from multiple sources or provide a unified hunting query language across on-premises, Azure, and SaaS environments.

373
MCQ · easy

Refer to the exhibit. You are configuring a Microsoft Entra ID group. What does the exhibit represent?

A. A dynamic security group based on department attribute.
B. A Microsoft 365 group with dynamic membership.
C. A dynamic group based on user location.
D. A static security group with assigned members.
Answer: A

The rule uses user.department to automatically add members.

Why this answer

The JSON shows a dynamic group in Microsoft Entra ID with a membership rule that includes users whose department equals 'Marketing'. Option D is incorrect because it is a dynamic group, not one with assigned members. Option B is incorrect because it is a security group, not a Microsoft 365 group (no mailEnabled).

Option C is incorrect because the rule is based on department, not location.

374
MCQ · medium

Refer to the exhibit. A company has configured the above Conditional Access policy in Microsoft Entra ID. A user attempts to access Exchange Online from an untrusted location. What happens?

A. The user is granted access without MFA because the policy does not apply.
B. Access is blocked because the condition is not met.
C. The user is prompted for MFA because the policy applies to all users.
D. The user is blocked because the grant requires MFA.
Answer: A

Correct: The policy only applies to trusted locations.

Why this answer

The policy applies only to trusted locations. Since the user is from an untrusted location, the policy does not apply, so the user can access without MFA (assuming no other policies apply).

375
MCQ · hard

A security operations center (SOC) receives a high volume of low-fidelity alerts from various security tools. They need a solution that can automatically correlate alerts into incidents, use built-in machine learning to reduce false positives, and provide a unified console for investigation and response across Azure, on-premises, and Microsoft 365. Which Microsoft security solution should they use?

A. Microsoft Defender for Cloud
B. Microsoft Sentinel
C. Microsoft Defender for Endpoint
D. Microsoft Defender for Cloud Apps
Answer: B

Sentinel is a SIEM/SOAR that correlates alerts, reduces noise with ML, and provides a unified investigation and response console.

Why this answer

Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) solution that ingests high-volume, low-fidelity alerts from multiple sources, correlates them into incidents using built-in analytics and machine learning, and provides a unified console for investigation and response across Azure, on-premises, and Microsoft 365. Its fusion and anomaly detection rules specifically reduce false positives by learning normal behavior patterns, making it the correct choice for this scenario.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud (a CSPM/CWPP) with a SIEM, or assume Defender for Endpoint can handle cross-environment correlation, when only Microsoft Sentinel provides the SIEM capabilities of alert aggregation, ML-based false-positive reduction, and a unified investigation console across Azure, on-premises, and Microsoft 365.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) focused on securing cloud resources and workloads, not a SIEM that correlates alerts into incidents or provides a unified SOC console across hybrid environments. Option C is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution that protects devices and investigates endpoint-specific threats, but it does not aggregate alerts from multiple security tools or provide cross-domain incident correlation for Azure, on-premises, and Microsoft 365. Option D is wrong because Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that focuses on shadow IT discovery and data protection for SaaS applications, not a SIEM that performs high-volume alert correlation and false-positive reduction via built-in machine learning.
