CCNA Describe the capabilities of Microsoft security solutions Questions

75 of 470 questions · Page 6/7 · Describe the capabilities of Microsoft security solutions

376
MCQ · medium

A company uses Azure resources, on-premises servers, and third-party cloud apps. The security team wants a single solution to collect security logs from all these sources, detect threats using advanced analytics, and automate responses to incidents. Which Microsoft security solution should they use?

A.Microsoft Defender for Cloud
B.Microsoft Intune
C.Microsoft Sentinel
D.Microsoft Purview Compliance Manager
Answer: C

Correct. Microsoft Sentinel is designed to ingest logs from multiple sources, provide threat detection via analytics, and automate responses.

Why this answer

Microsoft Sentinel is the correct choice because it is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution that can ingest logs from Azure resources, on-premises servers via the Log Analytics agent or Azure Arc, and third-party cloud apps using connectors. It provides advanced analytics with built-in machine learning to detect threats and supports automated incident response through playbooks powered by Azure Logic Apps.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a CSPM tool) with a SIEM solution, failing to recognize that Sentinel is the only Microsoft service designed specifically for cross-source log aggregation, advanced threat detection, and automated incident response in a hybrid multi-cloud environment.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and workload protection platform, not a SIEM; it does not natively collect logs from on-premises servers or third-party cloud apps for unified threat detection and automated response. Option B is wrong because Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) solution focused on endpoint compliance and app policies, not on collecting security logs or performing threat detection across hybrid environments. Option D is wrong because Microsoft Purview Compliance Manager is a compliance management tool that helps assess and manage regulatory compliance, not a security log collection or threat detection solution.

377
MCQ · easy

A company wants to classify and label data in Microsoft SharePoint Online automatically based on content containing passport numbers. Which Microsoft Purview feature should they use?

A.Audit log
B.Data classification dashboard
C.Data loss prevention (DLP) policy
D.Auto-labeling policy
Answer: D

Auto-labeling policies scan content and apply labels based on sensitive info types.

Why this answer

Correct: Auto-labeling policy in Purview applies labels automatically. Option C: DLP policy prevents sharing. Option B: Data classification dashboard shows classification results. Option A: Audit logs are for activity tracking.

378
MCQ · hard

Your organization is planning to deploy Microsoft Defender for Cloud Apps to discover shadow IT. You need to ensure that logs from your network proxy servers are ingested. Which method should you use to connect the logs?

A.Log collector
B.Conditional Access App Control
C.Microsoft Sentinel data connector
D.App connector API
Answer: A

Correct: Log collectors are deployed on-premises to forward proxy logs to Defender for Cloud Apps for shadow IT discovery.

Why this answer

Defender for Cloud Apps uses log collectors to ingest traffic logs from proxies and firewalls. Option A is correct. Option D (app connector API) connects to cloud apps, not proxies. Option B (Conditional Access App Control) controls access. Option C (Microsoft Sentinel connector) is for SIEM ingestion, not Cloud App Discovery.

379
MCQ · hard

Refer to the exhibit. You are reviewing a policy in Microsoft Defender for Cloud that monitors for unencrypted data uploads to an S3 bucket. The policy condition is shown. Which statement about this policy is correct?

A.The policy enforces encryption for objects uploaded to the 'documents' bucket.
B.The policy applies to all S3 buckets in the account.
C.The policy requires encryption with AWS KMS.
D.The policy denies all uploads to the bucket.
Answer: A

The condition requires server-side encryption with AES256, enforcing encryption for all uploads to that bucket.

Why this answer

The condition specifies that the request must have server-side encryption set to AES256. This is a security control to ensure data is encrypted at rest. The policy restricts uploads without encryption, but it allows uploads with AES256 encryption.

The resource is a wildcard under the 'documents' bucket. Option A correctly states that the policy enforces encryption for objects uploaded to the 'documents' bucket.

380
Multi-Select · medium

Your company uses Microsoft Defender for Endpoint. You need to configure attack surface reduction (ASR) rules. Which TWO of the following are ASR rules?

Select 2 answers
A.Block executable content from email client and webmail
B.Allow only signed executables
C.Block inbound connections from the internet
D.Block untrusted fonts
E.Block Office applications from creating child processes
Answers: A, E

Both are built-in ASR rules.

Why this answer

Options A and E are correct. Blocking executable content from email client and webmail (A) and blocking Office applications from creating child processes (E) are ASR rules. Option C is a Windows Defender Firewall rule, not ASR. Option B is an application control rule, not ASR. Option D is a network protection rule, not ASR.

381
Multi-Select · hard

Which THREE of the following are capabilities of Microsoft Purview eDiscovery? (Choose three.)

Select 3 answers
A.Block sharing of sensitive data via email
B.Export search results to a PST file
C.Place a legal hold on mailboxes and sites
D.Automatically delete emails older than 7 years
E.Search for content across Exchange Online, SharePoint Online, and OneDrive for Business
Answers: B, C, E

eDiscovery supports exporting results to PST.

Why this answer

Option B is correct because Microsoft Purview eDiscovery includes the capability to export search results to a PST file, allowing investigators to preserve and review mailbox content offline. This is a standard feature in both eDiscovery (Standard) and eDiscovery (Premium) for exporting Exchange Online data.

Exam trap

The trap here is that candidates confuse eDiscovery's search and hold capabilities with retention or DLP features, leading them to select options like automatic deletion or blocking sensitive data, which belong to separate Purview solutions.

382
MCQ · medium

A company uses Microsoft Defender for Cloud to secure their multi-cloud environment, which includes Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). They want a unified view of security posture, continuous assessment of resources, and recommendations to improve security across all clouds. Which feature of Defender for Cloud provides this capability?

A.Cloud Security Posture Management (CSPM)
B.Cloud Workload Protection (CWP)
C.Microsoft Secure Score
D.Regulatory Compliance Dashboard
Answer: A

CSPM provides posture management, secure score, and recommendations across multi-cloud environments, meeting all requirements.

Why this answer

Cloud Security Posture Management (CSPM) is the correct feature because it provides a unified, multi-cloud view of security posture, continuously assesses resources against security benchmarks (e.g., CIS, NIST), and generates actionable recommendations to harden configurations across Azure, AWS, and GCP. This directly matches the scenario's requirement for a single pane of glass for posture management and improvement across all three clouds.

Exam trap

The trap here is that candidates confuse Cloud Security Posture Management (CSPM) with Cloud Workload Protection (CWP), mistakenly thinking that workload protection includes posture assessment, when in fact CSPM is the dedicated feature for multi-cloud posture visibility and recommendations.

How to eliminate wrong answers

Option B (Cloud Workload Protection, CWP) is wrong because CWP focuses on threat detection and advanced defenses for workloads (e.g., just-in-time VM access, file integrity monitoring), not on providing a unified posture view or continuous assessment of resource configurations. Option C (Microsoft Secure Score) is wrong because Secure Score is a metric that quantifies an organization's security posture based on Defender for Cloud recommendations, but it is not the feature that performs the continuous assessment or generates the recommendations itself. Option D (Regulatory Compliance Dashboard) is wrong because this dashboard tracks compliance against specific standards (e.g., SOC 2, PCI DSS) using built-in assessments, but it does not provide the general, unified posture view and continuous assessment of all resources across multi-cloud environments.

383
MCQ · medium

A security operations center (SOC) team needs a centralized platform to collect logs from firewalls, servers, and cloud applications. They want to analyze these logs to detect threats, create custom alerts, and automate response actions using playbooks. The solution should also provide threat intelligence feeds and allow for advanced hunting with Kusto Query Language (KQL). Which Microsoft security solution should the team implement?

A.Microsoft Defender for Cloud
B.Microsoft Sentinel
C.Microsoft Defender for Endpoint
D.Microsoft Purview Compliance Manager
Answer: B

Correct. Sentinel is the intended SIEM/SOAR solution for centralized log collection, threat detection, automation, and hunting with KQL.

Why this answer

Microsoft Sentinel is the correct choice because it is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution. It provides a centralized platform for collecting logs from diverse sources (firewalls, servers, cloud apps), enables custom alert creation, automates response via playbooks (Azure Logic Apps), integrates threat intelligence feeds, and supports advanced hunting using Kusto Query Language (KQL).

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a CSPM/CWPP tool) with a full SIEM/SOAR solution, overlooking that Sentinel is the dedicated platform for centralized log collection, custom alerts, playbook automation, and KQL-based hunting.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP), not a centralized SIEM for log collection, custom alerts, playbook automation, or KQL-based hunting. Option C is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution focused on device-level threats, not a multi-source log aggregation and SIEM platform with playbooks and threat intelligence feeds. Option D is wrong because Microsoft Purview Compliance Manager is a compliance and risk management tool for assessing regulatory posture, not a security operations platform for log analysis, threat detection, or automated response.

384
MCQ · medium

Your organization uses Microsoft Copilot for Security. You want to use natural language to generate a KQL query for threat hunting. What should you do?

A.Manually write the KQL query in the advanced hunting page.
B.Use the Copilot prompt bar in the Microsoft Defender portal.
C.Install the Copilot add-in for Sentinel.
D.Subscribe to Microsoft 365 Copilot.
Answer: B

The prompt bar allows natural language input to generate queries.

Why this answer

Microsoft Copilot for Security includes a prompt bar where you can ask questions in natural language to generate queries. Option B is correct. Option C is wrong because Copilot is integrated into the portal. Option D is wrong because Copilot does not require a separate subscription. Option A is wrong because you don't need to write the query manually.

385
MCQ · medium

A company uses Microsoft Defender for Cloud to secure their Azure environment. The security team needs to check whether their resources comply with the CIS (Center for Internet Security) benchmark. How can they view their compliance status against CIS in Defender for Cloud?

A.Use the secure score recommendations and look for CIS-related controls
B.Use the Regulatory Compliance dashboard and add the CIS standard as a compliance initiative
C.Use Azure Policy initiative assignments directly from the Policy service
D.Use the vulnerability assessment solution for machines to check CIS settings
Answer: B

Correct. The Regulatory Compliance dashboard in Defender for Cloud allows you to add built-in compliance initiatives, including CIS benchmarks, to view your compliance posture against that standard.

Why this answer

The Regulatory Compliance dashboard in Microsoft Defender for Cloud allows you to add built-in compliance standards like CIS as an initiative. Once added, the dashboard continuously assesses your Azure resources against the CIS benchmark controls and displays pass/fail status. This is the correct method because Defender for Cloud integrates with Azure Policy to evaluate compliance against regulatory standards.

Exam trap

The trap here is that candidates confuse secure score recommendations with regulatory compliance assessments, assuming that secure score covers all compliance standards, when in fact secure score is a separate metric based on security controls, not specific regulatory frameworks like CIS.

How to eliminate wrong answers

Option A is wrong because secure score recommendations are based on security best practices and built-in controls, not specific regulatory standards like CIS; they do not directly map to CIS benchmarks. Option C is wrong because Azure Policy initiative assignments from the Policy service can define compliance rules, but viewing the compliance status against CIS specifically requires the Regulatory Compliance dashboard in Defender for Cloud, which provides a pre-built view with continuous assessment and reporting. Option D is wrong because the vulnerability assessment solution for machines (e.g., Qualys or Microsoft Defender Vulnerability Management) checks for OS-level vulnerabilities and missing patches, not compliance with CIS benchmark settings across all resource types.

386
MCQ · medium

Your organization is deploying Microsoft Defender XDR to detect and respond to advanced threats. You need to ensure that security alerts from Microsoft Defender for Endpoint are automatically correlated with alerts from Microsoft Defender for Office 365. What should you configure?

A.Ensure that all Microsoft Defender services are onboarded to the same tenant and that the incidents feature is enabled
B.Configure a custom detection rule in Microsoft 365 Defender
C.Create an advanced hunting query to join alerts from different data sources
D.Enable Microsoft Sentinel and configure incident creation rules
Answer: A

Microsoft Defender XDR automatically correlates alerts from onboarded services into incidents when all services are in the same tenant and the feature is enabled by default.

Why this answer

Microsoft Defender XDR automatically correlates alerts from different Microsoft Defender services (e.g., Defender for Endpoint and Defender for Office 365) when they are onboarded to the same tenant and the incidents feature is enabled. This built-in correlation uses the Microsoft 365 Defender backend to fuse related alerts into a single incident, providing a unified view of the attack chain without additional configuration.

Exam trap

The trap here is that candidates may think additional tools like Sentinel or custom rules are needed for correlation, but Microsoft Defender XDR provides automatic cross-service correlation by default when all services are in the same tenant and incidents are enabled.

How to eliminate wrong answers

Option B is wrong because custom detection rules in Microsoft 365 Defender are used to create custom alerts based on advanced hunting queries, not to automatically correlate existing alerts from different services. Option C is wrong because advanced hunting queries are for manually searching and analyzing raw data across tables, not for enabling automatic correlation of alerts into incidents. Option D is wrong because Microsoft Sentinel is a separate SIEM solution that requires additional licensing and configuration; it is not required for native correlation within Microsoft Defender XDR, which handles this automatically when services are in the same tenant.

387
MCQ · easy

Your organization uses Microsoft Purview eDiscovery to manage legal holds. A legal hold has been placed on a user’s mailbox, but the user has left the company and their mailbox has been converted to a shared mailbox. You need to ensure that the legal hold remains effective. What should you do?

A.Convert the shared mailbox back to a user mailbox to keep the hold.
B.Create a new legal hold for the shared mailbox.
C.Verify that the legal hold is still listed in the eDiscovery case for the mailbox.
D.Remove the legal hold and reapply it to the shared mailbox.
Answer: C

The hold persists after conversion.

Why this answer

Option C is correct because converting a mailbox to a shared mailbox does not remove the hold; however, you should verify that the hold is still in place. Option A is wrong because the hold is already applied. Option B is wrong because you don't need to recreate the hold. Option D is wrong because the hold is not automatically removed.

388
MCQ · hard

Refer to the exhibit. A security analyst is reviewing a Microsoft Defender XDR alert. Which two tactics are identified in the alert?

A.LateralMovement and PrivilegeEscalation
B.LateralMovement and Exfiltration
C.InitialAccess and Persistence
D.InitialAccess and LateralMovement
Answer: D

These are the two tactics in the alert.

Why this answer

The exhibit shows "tactics": ["InitialAccess", "LateralMovement"]. Option D lists both. Option C includes Persistence, not shown. Option A includes PrivilegeEscalation. Option B includes Exfiltration.

389
MCQ · medium

Your organization uses Microsoft Defender for Office 365. A user reports receiving a suspicious email that appears to be from their CEO asking for a wire transfer. The email passed through the spam filter. What additional protection should be enabled to detect such attacks?

A.Safe Attachments policy
B.Anti-spam policy
C.Safe Links policy
D.Impersonation protection in anti-phishing policy
Answer: D

Impersonation protection detects emails that impersonate users or domains.

Why this answer

Impersonation protection in Microsoft Defender for Office 365 specifically detects emails that impersonate executives or domains. It can be configured in anti-phishing policies. Option A is incorrect because Safe Attachments protects against malicious attachments, not impersonation. Option C is incorrect because Safe Links protects against malicious URLs. Option B is incorrect because anti-spam policies filter bulk mail, not targeted impersonation.

390
Multi-Select · hard

Which THREE of the following are included in Microsoft Defender XDR (Extended Detection and Response)? (Choose three.)

Select 3 answers
A.Microsoft Defender for Identity
B.Microsoft Defender for Endpoint
C.Microsoft Azure Information Protection
D.Microsoft Defender for Office 365
E.Microsoft Defender for Cloud
Answers: A, B, D

Correct: these three services are part of Microsoft Defender XDR.

Why this answer

Microsoft Defender XDR unifies Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, and more. Azure Information Protection is not part of XDR.

391
Multi-Select · medium

Which TWO are capabilities of Microsoft Defender for Cloud Apps? (Choose two.)

Select 2 answers
A.Endpoint detection and response (EDR)
B.Identity protection for user accounts
C.Data classification of on-premises files
D.Session control to monitor user activity in cloud apps
E.Cloud Discovery to identify shadow IT
Answers: D, E

Session control allows real-time monitoring and control of app sessions.

Why this answer

Option D is correct because Microsoft Defender for Cloud Apps includes session control capabilities, which allow administrators to monitor and control user activity in real time within cloud applications. This is achieved through reverse proxy integration, enabling granular access policies and data loss prevention (DLP) actions during active sessions.

Exam trap

The trap here is that candidates confuse the broad 'security solutions' umbrella and attribute endpoint or identity features to Defender for Cloud Apps, when in fact each Microsoft security product (Defender for Endpoint, Entra ID Protection, Purview) has a distinct scope and integration point.

392
MCQ · medium

A company uses Microsoft 365 and Azure. They want a unified security solution that provides threat protection across email, endpoints, identities, and cloud apps, with automated investigation and response capabilities. Which Microsoft solution should they use?

A.Microsoft Defender for Cloud
B.Microsoft 365 Defender
C.Microsoft Sentinel
D.Microsoft Entra ID Protection
Answer: B

Correct. Microsoft 365 Defender is an extended detection and response (XDR) solution that provides coordinated protection across the Microsoft 365 ecosystem, including email, endpoints, identities, and cloud apps.

Why this answer

Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that coordinates detection, prevention, investigation, and response across email, endpoints, identities, and cloud apps. It provides automated investigation and response (AIR) capabilities through its integrated components (e.g., Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps), making it the correct choice for the described requirements.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a CSPM/CWPP tool for cloud workloads) with Microsoft 365 Defender (a unified XDR solution for the Microsoft 365 ecosystem), or they mistakenly think Microsoft Sentinel (a SIEM) provides the same built-in, cross-domain automated investigation and response as Microsoft 365 Defender.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection platform (CWPP) focused on securing Azure, on-premises, and multi-cloud workloads, not a unified solution for email, endpoints, identities, and cloud apps with automated investigation and response. Option C is wrong because Microsoft Sentinel is a cloud-native SIEM/SOAR solution that ingests logs and alerts from multiple sources for threat detection and response, but it is not a unified security solution that natively provides threat protection across email, endpoints, identities, and cloud apps with built-in automated investigation and response like Microsoft 365 Defender. Option D is wrong because Microsoft Entra ID Protection is an identity protection service that detects and remediates identity-based risks (e.g., leaked credentials, anomalous sign-ins), but it does not provide threat protection across email, endpoints, or cloud apps, nor does it offer automated investigation and response across those domains.

393
MCQ · medium

A company uses a hybrid environment with Azure virtual machines (IaaS) and on-premises Windows servers. The security team needs a single solution that continuously assesses the security posture of these workloads, provides a regulatory compliance dashboard with actionable recommendations, and enables threat detection. Which Microsoft security solution should they use?

A.Microsoft Defender for Cloud Apps
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Cloud
D.Microsoft Sentinel
Answer: C

Defender for Cloud delivers continuous assessment of security posture, regulatory compliance monitoring, and threat detection across Azure and hybrid workloads, making it the correct solution.

Why this answer

Microsoft Defender for Cloud is the correct answer because it provides a unified security management platform that continuously assesses the security posture of both Azure VMs (IaaS) and on-premises Windows servers via Azure Arc. It offers a regulatory compliance dashboard with actionable recommendations based on built-in standards like CIS, NIST, and Azure Security Benchmark, and integrates with Microsoft Defender for Cloud's workload protection plans to enable threat detection for these hybrid workloads.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a posture management and threat protection platform) with Microsoft Sentinel (a SIEM), but the question specifically asks for a single solution that includes a compliance dashboard and continuous assessment, which is a core feature of Defender for Cloud, not Sentinel.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) focused on shadow IT discovery and data protection for SaaS applications, not on assessing the security posture or providing a compliance dashboard for IaaS VMs and on-premises servers. Option B is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution that focuses on device-level threat detection and response, but it does not provide a regulatory compliance dashboard or continuous security posture assessment across hybrid workloads. Option D is wrong because Microsoft Sentinel is a cloud-native SIEM and SOAR solution that ingests logs and alerts for threat detection and incident response, but it is not primarily designed for continuous security posture assessment or out-of-the-box regulatory compliance dashboards; it requires custom workbooks and analytics rules for compliance reporting.

394
Multi-Select · medium

Which THREE capabilities are provided by Microsoft Defender XDR? (Choose THREE.)

Select 3 answers
A.Cloud security posture management
B.Advanced hunting
C.Automated investigation and response
D.Incident management
E.Vulnerability management
Answers: B, C, D

Advanced hunting allows KQL queries across data sources.

Why this answer

Microsoft Defender XDR provides incident management (correlated alerts), automated investigation and response (self-healing), and advanced hunting (KQL queries). Vulnerability management is part of Defender for Endpoint, not the XDR platform. Cloud security posture management is from Defender for Cloud.

Defender XDR is for cross-domain threat protection.

395
MCQ · medium

Your organization uses Microsoft Defender XDR. You need to investigate a potential lateral movement attack where a compromised user account is used to access multiple workstations. Which feature should you use to visualize the attack path?

A.Attack graph
B.Microsoft Sentinel workbooks
C.Threat analytics in Microsoft 365 Defender
D.Incident queue
Answer: A

Attack graph visualizes lateral movement paths.

Why this answer

Option A is correct because the attack graph in Microsoft Defender XDR provides a visual representation of attack paths. Option D is wrong because the incident queue lists alerts, not attack paths. Option B is wrong because Microsoft Sentinel's workbooks are for custom visualization but not specifically for attack paths. Option C is wrong because Microsoft 365 Defender's threat analytics provide threat reports, not attack paths.

396
MCQ · hard

Refer to the exhibit. A Microsoft Purview DLP policy is configured in Test mode. An administrator notices that a user is still able to share a document containing a credit card number. What is the most likely reason?

A.The credit card number is not detected because of a low confidence threshold
B.The BlockAccess action is not supported for SharePoint Online
C.The policy is in Test mode, so actions are not enforced
D.The policy requires an administrator to approve the action
Answer: C

Test mode only logs, does not block.

Why this answer

Option C is correct because the policy is in Test mode, which means it will not enforce actions like BlockAccess; it only logs alerts. Option A is wrong because the rule is correctly configured to detect credit card numbers with high confidence. Option D is wrong because Test mode does not require approval; it simply doesn't enforce. Option B is wrong because DLP policies can block access in SharePoint/OneDrive.

397
MCQ · easy

Your organization wants to centrally manage security policies for all devices (Windows, iOS, Android) and ensure they meet compliance requirements before accessing corporate resources. Which Microsoft solution should you use?

A.Microsoft Purview Compliance Manager
B.Microsoft Defender for Endpoint
C.Microsoft Intune
D.Microsoft Entra ID
Answer: C

Intune manages devices and enforces compliance policies.

Why this answer

Option C is correct because Microsoft Intune is a cloud-based mobile device management (MDM) and mobile application management (MAM) solution. Option D is wrong because Microsoft Entra ID is for identity, not device management. Option B is wrong because Microsoft Defender for Endpoint is for endpoint detection and response, not configuration management. Option A is wrong because Microsoft Purview is for data governance.

398
Multi-Select · medium

Which TWO of the following are features of Microsoft Defender for Cloud? (Choose two.)

Select 2 answers
A.Data classification and labeling
B.Security Information and Event Management (SIEM)
C.Cloud Workload Protection Platform (CWPP)
D.Mobile Threat Defense (MTD)
E.Cloud Security Posture Management (CSPM)
Answers: C, E

Defender for Cloud provides CWPP for workloads across clouds.

Why this answer

Microsoft Defender for Cloud is a Cloud Workload Protection Platform (CWPP) that provides unified security management and advanced threat protection for workloads running in Azure, on-premises, and other clouds. It also includes Cloud Security Posture Management (CSPM) capabilities, which continuously assess your environment against security benchmarks (e.g., CIS, NIST) and provide actionable recommendations to improve your security posture.

Exam trap

The trap here is that candidates often confuse the SIEM and SOAR capabilities of Microsoft Sentinel with the CWPP and CSPM functions of Defender for Cloud, or they mistakenly associate data classification (Purview) with Defender for Cloud's security recommendations.

399
MCQ · hard

A healthcare organization runs a mix of workloads on Azure (Azure VMs, SQL Database) and on-premises (Windows Servers). They must continuously assess their compliance against the HIPAA and HITRUST regulatory frameworks. They want a unified dashboard that shows their compliance score against these standards and provides step-by-step recommendations to remediate violations. Which Microsoft Defender for Cloud capability should they use?

A.Regulatory compliance dashboard
B.Secure score
C.Microsoft Defender for Cloud Apps
D.Microsoft Defender for Servers
Answer: A

The regulatory compliance dashboard in Defender for Cloud allows you to add built-in standards (HIPAA, HITRUST) and track compliance status with recommendations and scores.

Why this answer

The Regulatory compliance dashboard in Microsoft Defender for Cloud provides a unified view of an organization's compliance posture against specific regulatory standards like HIPAA and HITRUST. It displays a compliance score for each selected framework and offers step-by-step remediation recommendations for identified violations, directly meeting the requirement for continuous assessment and guided remediation.

Exam trap

The trap here is that candidates often confuse the Secure score (which measures general security hygiene) with the Regulatory compliance dashboard (which measures adherence to specific regulatory frameworks), leading them to select Secure score when the question explicitly asks for compliance against HIPAA and HITRUST.

How to eliminate wrong answers

Option B (Secure score) is wrong because it measures the overall security posture based on security controls and recommendations, not compliance against specific regulatory frameworks like HIPAA or HITRUST. Option C (Microsoft Defender for Cloud Apps) is wrong because it is a Cloud Access Security Broker (CASB) focused on shadow IT discovery, data protection, and threat detection across SaaS applications, not on assessing compliance against healthcare regulatory standards. Option D (Microsoft Defender for Servers) is wrong because it provides threat detection and advanced protections for server workloads, but does not include a dashboard for regulatory compliance scoring or step-by-step remediation against HIPAA or HITRUST.

400
MCQhard

Contoso uses Microsoft Sentinel. They want to automate response to a high-severity incident by blocking the source IP in Azure Firewall and sending a notification to the SOC team via email. Which feature should they use?

A.Create a hunting query.
B.Create an automation rule.
C.Enable Fusion.
D.Create a workbook.
AnswerB

Automation rules trigger playbooks for incident response.

Why this answer

Correct: Automation rules in Microsoft Sentinel run on incident creation or update and can trigger playbooks (Azure Logic Apps) that, for example, add the source IP to an Azure Firewall deny rule and email the SOC. Option A: hunting queries are for proactive threat hunting, not response. Option D: workbooks are for visualization.

Option D: Fusion is a correlation engine.

401
Multi-Selecteasy

Your company wants to protect sensitive data in Microsoft Teams. Which two Microsoft Purview features can help prevent accidental sharing of confidential information? (Choose two.)

Select 2 answers
A.Data Loss Prevention (DLP) policies for Teams
B.Audit log search for Teams
C.eDiscovery for Teams
D.Retention policies for Teams messages
E.Sensitivity labels for Teams sites and content
AnswersA, E

DLP policies can detect and block sharing of sensitive data.

Why this answer

Options A and E are correct because DLP policies and sensitivity labels both protect data: DLP detects and blocks sharing of sensitive content, while sensitivity labels classify and apply protection (encryption, access restrictions) to Teams sites and content. Option D is wrong because retention policies manage the lifecycle of messages, not sharing. Option B is wrong because audit logs only record events after the fact.

Option C is wrong because eDiscovery is for legal discovery, not prevention.

402
MCQmedium

Your organization uses Microsoft Purview eDiscovery to manage legal cases. You need to place a hold on a user's mailbox to preserve data for an ongoing litigation. Which role do you need to assign to the eDiscovery manager?

A.Records Management
B.Information Protection
C.eDiscovery Manager (with the Legal Hold role enabled)
D.Compliance Administrator
AnswerC

The eDiscovery Manager role group includes the Legal Hold role, which allows placing holds.

Why this answer

Option C is correct because the eDiscovery Manager role group includes the Legal Hold role, which is what allows a member to place and manage holds. Option A is incorrect because Records Management is for retention labels and disposition. Option D is incorrect because Compliance Administrator has broad permissions but is not the least-privilege role for eDiscovery work.

Option B is incorrect because Information Protection is for sensitivity labels.

403
MCQeasy

A company uses Azure virtual machines for a production database. The security team wants to minimize the attack surface by blocking all inbound RDP (port 3389) traffic. However, administrators occasionally need to connect for maintenance. The team needs a solution that allows administrators to request temporary access to the RDP port, which is automatically revoked after a specified time. Which Microsoft Defender for Cloud feature should they use?

A.Adaptive application controls
B.Just-in-time (JIT) VM access
C.File Integrity Monitoring (FIM)
D.Security alerts
AnswerB

JIT locks down inbound traffic to VMs and allows authorized users to request temporary access to specific ports, which is automatically revoked after a set time.

Why this answer

Just-in-time (JIT) VM access is the correct feature because it specifically addresses the need to block inbound RDP (port 3389) traffic by default while allowing administrators to request temporary, time-bound access. When a request is approved, JIT dynamically modifies the network security group (NSG) to open the port for a specified duration, then automatically reverts the rule to deny all inbound traffic after the time expires. This directly minimizes the attack surface by eliminating persistent open management ports.

Exam trap

The trap here is that candidates may confuse 'just-in-time VM access' with 'adaptive application controls' because both are Defender for Cloud features that involve 'control' and 'access,' but JIT specifically manages network port access while adaptive controls manage application execution.

How to eliminate wrong answers

Option A is wrong because Adaptive application controls are used to create allowlists for applications running on Azure VMs, controlling which executables can run, not for managing network port access. Option C is wrong because File Integrity Monitoring (FIM) monitors changes to critical files, registries, and system configurations, not network traffic or port access. Option D is wrong because Security alerts are notifications generated by Defender for Cloud when threats are detected, not a mechanism to grant or revoke temporary network access.

404
MCQmedium

A company wants to protect its employees from phishing attacks delivered via email. The solution must analyze all URLs embedded in incoming emails in real-time. If a URL points to a known malicious site, the link should be blocked at the time of click. Additionally, the solution should sandbox URLs in attachments and provide time-of-click verification. Which Microsoft security solution should they implement?

A.Microsoft Defender for Cloud Apps
B.Microsoft Defender for Office 365
C.Microsoft Defender for Endpoint
D.Microsoft Cloud App Security
AnswerB

Correct. Defender for Office 365 includes Safe Links and Safe Attachments to protect against malicious URLs and attachments in email.

Why this answer

Microsoft Defender for Office 365 (MDO) is the correct solution because it provides Safe Links, which performs real-time URL scanning and time-of-click verification for URLs embedded in email messages and attachments. It also includes Safe Attachments, which detonates attachments in a sandbox environment to analyze embedded URLs. These capabilities directly address the requirement to block malicious links at click time and sandbox URLs in attachments.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud Apps (a CASB) with Defender for Office 365, because both have 'Defender' in the name and offer cloud security, but only Defender for Office 365 includes the specific Safe Links and Safe Attachments features required for email phishing protection.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud Apps is a CASB (Cloud Access Security Broker) focused on shadow IT discovery, data loss prevention, and session controls for cloud applications, not on real-time email URL scanning or sandboxing of attachments. Option C is wrong because Microsoft Defender for Endpoint is an EDR (Endpoint Detection and Response) solution that protects devices from malware and advanced threats, but it does not provide email-level URL scanning or time-of-click verification for phishing links. Option D is wrong because Microsoft Cloud App Security is the previous name for Defender for Cloud Apps and shares the same CASB functionality; it does not include Safe Links or Safe Attachments for email protection.

405
MCQmedium

A company wants to discover which cloud applications are being used by employees, assess the risk of those apps, and control data sharing in sanctioned apps like Box or Dropbox. Which Microsoft security solution should they implement?

A.Microsoft Defender for Endpoint
B.Microsoft Defender for Cloud Apps
C.Microsoft Defender for Office 365
D.Microsoft Defender for Identity
AnswerB

Defender for Cloud Apps offers cloud app discovery (shadow IT), risk assessment, and the ability to apply DLP and governance policies to sanctioned and unsanctioned cloud apps.

Why this answer

Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that provides visibility into shadow IT by discovering cloud app usage, assessing risk based on over 80 risk factors, and enforcing data loss prevention (DLP) policies to control data sharing in sanctioned apps like Box or Dropbox. It integrates with cloud providers via API connectors to monitor and govern data in real time.

Exam trap

The trap here is confusing the CASB functionality of Defender for Cloud Apps with the endpoint-focused or email-specific protections of other Defender products, leading candidates to pick Defender for Office 365 because it also controls data sharing, but only within Microsoft 365, not third-party apps like Box or Dropbox.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint focuses on endpoint detection and response (EDR) for devices, not on discovering or controlling cloud application usage. Option C is wrong because Microsoft Defender for Office 365 protects email and collaboration tools like Exchange Online and SharePoint, but does not discover or assess risk for third-party cloud apps like Box or Dropbox. Option D is wrong because Microsoft Defender for Identity monitors on-premises Active Directory for identity-based threats using behavioral analytics, not cloud app discovery or data sharing control.

406
MCQmedium

A company's security operations team needs to centralize security log collection from multiple sources including on-premises firewalls, AWS CloudTrail, and Azure Active Directory sign-in logs. They want to use built-in analytics to detect threats across all data sources and create automated response playbooks, such as isolating a compromised user account when a specific attack pattern is detected. Which Microsoft security solution should they deploy?

A.Microsoft Defender for Cloud
B.Microsoft Sentinel
C.Microsoft 365 Defender
D.Microsoft Defender for Cloud Apps
AnswerB

Sentinel is designed for central log collection, threat detection using analytics, and automated response playbooks across heterogeneous sources.

Why this answer

Microsoft Sentinel is the correct choice because it is a cloud-native SIEM (Security Information and Event Management) solution that ingests logs from diverse sources (on-premises firewalls via Syslog/CEF, AWS CloudTrail via the Amazon Web Services data connector, and Azure AD via diagnostic settings) and provides built-in analytics rules to detect threats across all data. It also integrates with Azure Logic Apps to create automated playbooks (e.g., isolating a compromised user account) triggered by detected attack patterns, fulfilling the requirement for centralized log collection and automated response.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel (a SIEM for multi-source log ingestion and automated response) with Microsoft 365 Defender (an XDR for Microsoft ecosystem threats), failing to recognize that only Sentinel can ingest third-party logs like on-premises firewalls and AWS CloudTrail for centralized threat detection and playbook automation.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection platform focused on securing Azure, on-premises, and other cloud resources via recommendations and vulnerability assessments, not a centralized SIEM for log collection from multiple sources like firewalls and AWS CloudTrail. Option C is wrong because Microsoft 365 Defender is an extended detection and response (XDR) solution that primarily correlates signals from Microsoft 365 products (e.g., Defender for Endpoint, Defender for Office 365) and does not natively ingest third-party logs like on-premises firewalls or AWS CloudTrail. Option D is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that focuses on shadow IT discovery and data protection for SaaS applications, not a SIEM for collecting and analyzing logs from firewalls or AWS infrastructure.

407
Matchingmedium

Match each Microsoft identity service to its description.


Concepts
Matches

Cloud-based identity and access management

Directory service for Windows domain networks

Collaboration with external partners

Customer identity and access management for apps

Integration of on-premises AD with Azure AD

Why these pairings

These are key identity services in Microsoft's identity platform.

408
MCQhard

You are investigating an alert in Microsoft 365 Defender. The KQL query in the exhibit retrieves evidence for alert-5678. What type of entities does this query filter for?

A.Registry entities
B.Process entities
C.Network entities
D.File entities
AnswerD

The query explicitly filters for EntityType == 'File'.

Why this answer

Option D is correct because the query filters where EntityType == 'File'. Option A is wrong because it filters for File, not Registry. Option B is wrong because it filters for File, not Process.

Option C is wrong because it filters for File, not Network.

409
MCQeasy

Your organization uses Microsoft Entra ID. You need to enforce multi-factor authentication (MFA) for all users accessing the company's financial application. Which security feature should you use?

A.Security defaults
B.Privileged Identity Management
C.Identity Protection
D.Conditional Access
AnswerD

Conditional Access policies can require MFA for specific cloud applications.

Why this answer

Conditional Access policies in Microsoft Entra ID allow you to enforce MFA based on conditions like application, user, or location. Identity Protection detects risks but does not enforce access by itself (its risk signals are consumed by Conditional Access). Privileged Identity Management (PIM) manages just-in-time role activation, not application sign-in requirements.

Security defaults provide a tenant-wide baseline but do not allow per-application granularity. Option D is correct.

410
MCQmedium

A security team manages a hybrid environment with Azure VMs and on-premises Windows servers. They want a single dashboard that provides continuous assessment of security posture, actionable recommendations to harden configurations, and integration with Microsoft Defender for Cloud to detect threats. Which Microsoft security solution should they use?

A.Microsoft Defender for Cloud Apps
B.Microsoft Defender for Cloud
C.Microsoft Sentinel
D.Microsoft Defender for Endpoint
AnswerB

It provides a unified view of security posture across Azure, on-premises, and other clouds, with recommendations and threat detection.

Why this answer

Microsoft Defender for Cloud (MDC) is the correct solution because it provides a unified dashboard for continuous security posture assessment, actionable hardening recommendations summarized by the Secure Score, and threat detection through its Defender plans (for example Defender for Servers, which in turn integrates Microsoft Defender for Endpoint). It supports hybrid environments, covering both Azure VMs and on-premises Windows servers onboarded via Azure Arc, and delivers the specific requirements of posture assessment, recommendations, and threat detection in a single pane of glass.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud (the posture management and CSPM tool) with Microsoft Defender for Endpoint (the EDR tool), because both have 'Defender' in the name and both provide security, but only MDC offers the single dashboard for continuous assessment and recommendations across hybrid workloads.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) focused on shadow IT discovery, data loss prevention, and app governance for SaaS applications, not on assessing the security posture of VMs or servers. Option C is wrong because Microsoft Sentinel is a Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR) solution that ingests logs for threat hunting and incident response, but it does not provide continuous posture assessment or hardening recommendations by itself. Option D is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution that protects devices from malware and advanced threats, but it lacks the centralized posture assessment dashboard and configuration hardening recommendations for the entire hybrid infrastructure that MDC offers.

411
MCQhard

Refer to the exhibit. You are reviewing a Microsoft Defender for Cloud Apps alert. Based on the evidence, which action should you take first?

A.Mark the alert as benign
B.Suspend the user account
C.Isolate the device immediately
D.Request file upload for analysis
AnswerD

Uploading the file allows deep analysis to confirm if it is malicious.

Why this answer

Option D is correct because the evidence shows a suspicious file, and requesting file upload for analysis is a standard first step before taking disruptive action. Option C is incorrect because isolating the device may escalate unnecessarily. Option B is incorrect because suspending the user is premature.

Option A is incorrect because marking as benign without investigation is risky.

412
Multi-Selectmedium

A security analyst is using Microsoft Sentinel to investigate an incident. Which THREE data sources can be ingested into Sentinel?

Select 3 answers
A.Power BI usage metrics
B.Azure Active Directory logs
C.Office 365 logs
D.Windows Security Events
E.Azure DevOps audit logs
AnswersB, C, D

Correct: built-in data connectors exist for Azure AD (Microsoft Entra ID), Office 365, and Windows Security Events.

Why this answer

Microsoft Sentinel has built-in data connectors for Azure AD (Microsoft Entra ID) logs, Office 365 logs, and Windows Security Events (collected by the Azure Monitor Agent, or the legacy Log Analytics agent/MMA). For this question, Azure DevOps audit logs and Power BI usage metrics are the distractors: neither is one of the core first-party connectors being tested. In practice both can be routed to a Log Analytics workspace with additional configuration, so the practical lesson is to know the core connectors rather than to treat the distractors as impossible.

413
MCQmedium

Your organization uses Microsoft Entra ID and wants to provide a single sign-on (SSO) experience for a third-party SaaS application that supports SAML 2.0. The app must also enforce multifactor authentication (MFA) for external users. What should you configure?

A.Set up SAML-based federation in Microsoft Entra ID and assign a Conditional Access policy requiring MFA
B.Add the app as a Linked Sign-On application
C.Use password-based SSO in Microsoft Entra ID
D.Configure OAuth 2.0 authorization in Microsoft Entra ID
AnswerA

SAML federation provides SSO; Conditional Access enforces MFA.

Why this answer

Option A is correct because SAML-based federation provides SSO and can be combined with a Conditional Access policy targeting that app to require MFA. Option D is wrong because OAuth 2.0 is for delegated authorization to APIs, not SAML SSO. Option C is wrong because password-based SSO (credential vaulting) does not use SAML and gives Entra ID no federated sign-in to enforce MFA on.

Option B is wrong because Linked Sign-On only adds a launcher link to an app that uses an existing IdP; it is not federation.
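The per-application MFA requirement in Q409 and the SAML-app scenario in Q413 both come down to one Conditional Access policy scoped to a single application. The following is an added example, not code from the exam page, showing how that policy is created with the Microsoft Graph PowerShell SDK. The application ID, the break-glass account object ID and the policy name are placeholders (assumptions); the policy is created in report-only mode first, which is how a practitioner validates impact before enforcing.

```powershell
# Added example (not from the exam page): Conditional Access policy requiring MFA for one app only,
# created with the Microsoft Graph PowerShell SDK. IDs and names below are placeholders.
Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser   # once
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Application.Read.All"

$financeAppId = "11111111-1111-1111-1111-111111111111"   # placeholder: appId of the finance app's service principal
$breakGlassId = "22222222-2222-2222-2222-222222222222"   # placeholder: emergency-access account object ID

$policy = @{
    displayName = "CA-Finance-RequireMFA"
    # Report-only first: sign-in logs show who WOULD have been prompted or blocked, nothing is enforced yet.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")               # "All" covers members and guest/external users
            excludeUsers = @($breakGlassId)       # never lock out the emergency-access account
        }
        applications = @{
            includeApplications = @($financeAppId)   # scope to the one app; "All" would be far broader
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")                # the grant control that satisfies the requirement
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After reviewing the report-only results in the sign-in logs, switch the policy to enforcement:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Scoping by application is what Security defaults (Q409, option A) cannot do; the break-glass exclusion is the standard safeguard against an MFA policy locking administrators out of the tenant.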

414
MCQhard

A company's security operations center wants to detect advanced attacks targeting their on-premises Active Directory, such as Kerberos Golden Ticket attacks, pass-the-hash, and skeleton key malware. They need a solution that monitors domain controller traffic, correlates with entity behavior, and integrates with Microsoft Sentinel for incident response. Which Microsoft security solution should they deploy?

A.Microsoft Defender for Identity
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Cloud
D.Microsoft Sentinel
AnswerA

Defender for Identity specializes in protecting on-premises Active Directory environments. It uses behavioral analytics and machine learning to detect suspicious activities such as abnormal Kerberos ticket requests, pass-the-hash attempts, and other identity-based attacks.

Why this answer

Microsoft Defender for Identity (MDI) is the correct solution because it is specifically designed to monitor on-premises Active Directory traffic, including domain controller network traffic, and uses entity behavior analytics to detect advanced attacks like Kerberos Golden Ticket, pass-the-hash, and skeleton key malware. It integrates natively with Microsoft Sentinel to enable automated incident response and investigation.

Exam trap

The trap here is that candidates confuse Microsoft Sentinel as the detection tool itself, when in fact Sentinel is the aggregation and response platform, while Defender for Identity is the dedicated on-premises AD threat detection solution.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Endpoint focuses on endpoint devices (workstations, servers) and does not monitor domain controller traffic or Active Directory-specific attacks like Golden Tickets. Option C is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection solution for Azure, AWS, and GCP resources, not for on-premises Active Directory monitoring. Option D is wrong because Microsoft Sentinel is a SIEM/SOAR platform that ingests alerts from other security tools but does not itself monitor domain controller traffic or perform entity behavior analysis for AD attacks.

415
Multi-Selecthard

Which THREE capabilities are provided by Microsoft Defender for Cloud Apps? (Choose three.)

Select 3 answers
A.Threat detection to identify malicious behavior in cloud apps
B.Cloud Discovery to identify shadow IT
C.Email scanning and remediation
D.Endpoint detection and response (EDR)
E.Information protection to apply labels to files stored in cloud apps
AnswersA, B, E

It detects anomalies and threats in cloud app usage.

Why this answer

Options A, B, and E are correct. A Cloud Access Security Broker (CASB) provides discovery (Cloud Discovery for shadow IT), data protection (applying sensitivity labels and DLP to files in connected apps), and threat detection (anomaly and activity policies). Option D is incorrect because endpoint detection and response is provided by Defender for Endpoint.

Option C is incorrect because email scanning and remediation is provided by Defender for Office 365.

416
MCQmedium

Refer to the exhibit. The JSON shows a Microsoft Purview DLP policy. A user sends an email with a credit card number to an external recipient. What will happen?

A.The email is delivered normally because TeamsChatAndChannel is false.
B.The email is delivered but an alert is generated.
C.The email is blocked and the user receives a notification.
D.The email is encrypted before delivery.
AnswerC

Correct: Exchange is included, and the rule blocks access with user notification.

Why this answer

The policy is scoped to Exchange, SharePoint, and OneDrive, and includes a rule with BlockAccess action. Since Exchange is included, the email will be blocked and the user notified.

417
MCQmedium

A company runs a web application in Azure that is publicly accessible. They want to protect it against large-scale distributed denial-of-service (DDoS) attacks from multiple sources. Which Azure service is specifically designed for this purpose?

A.Azure Firewall
B.Azure DDoS Protection
C.Microsoft Defender for Cloud
D.Azure Application Gateway with Web Application Firewall (WAF)
AnswerB

This service offers always-on monitoring and automatic mitigation of DDoS attacks, protecting applications deployed in Azure.

Why this answer

Azure DDoS Protection is specifically designed to safeguard Azure resources against large-scale distributed denial-of-service (DDoS) attacks. It leverages the global scale of Microsoft's network to absorb and mitigate multi-gigabit attacks, providing always-on traffic monitoring and adaptive tuning. This service is the only option among the choices that is purpose-built for DDoS mitigation at the network and transport layers (L3/L4), and it also offers application-layer (L7) protection when combined with Application Gateway WAF.

Exam trap

The trap here is that candidates often confuse Azure Firewall or Application Gateway WAF as DDoS solutions, but those services handle different layers of defense—Azure Firewall for network filtering and WAF for application-layer attacks—whereas only Azure DDoS Protection is designed to absorb and mitigate large-scale volumetric attacks from multiple sources.

How to eliminate wrong answers

Option A is wrong because Azure Firewall is a stateful network firewall that filters traffic based on rules (e.g., IP addresses, ports, protocols) but does not provide dedicated DDoS mitigation; it cannot absorb volumetric attacks. Option C is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection platform that provides threat detection and security recommendations, not a DDoS mitigation service. Option D is wrong because Azure Application Gateway with WAF protects against application-layer attacks (e.g., SQL injection, cross-site scripting) but does not mitigate large-scale volumetric DDoS attacks at the network layer; it can be used in conjunction with Azure DDoS Protection but is not a standalone DDoS solution.

418
MCQeasy

What is the primary purpose of Microsoft Defender for Cloud Apps?

A.Monitor network traffic
B.Manage mobile devices
C.Protect on-premises servers
D.Secure cloud applications and data
AnswerD

Correct: It acts as a CASB for cloud apps.

Why this answer

Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that provides visibility, data controls, and threat protection for cloud applications.

419
MCQmedium

Your organization uses Microsoft Defender for Cloud Apps. A security analyst notices anomalous file downloads from a SharePoint site by a user flagged as high risk. What should the analyst configure to automatically block such activity?

A.Configure a file policy
B.Configure an access policy
C.Configure an app permission policy
D.Configure a session policy
AnswerD

Session policies allow real-time monitoring and control of user activities within apps, such as blocking downloads.

Why this answer

Session policies in Microsoft Defender for Cloud Apps (delivered through Conditional Access App Control) provide real-time, in-session control over user activities, including blocking downloads when the user is flagged as high risk. Option C is incorrect because app permission policies manage OAuth app consent, not real-time user activity. Option A is incorrect because file policies classify and govern files at rest, not live downloads.

Option B is incorrect because access policies control whether the initial sign-in to the app is allowed, not what the user does during the session.

420
MCQhard

A company runs critical Windows virtual machines on Azure. To reduce the attack surface, the security team wants to block all inbound RDP (port 3389) traffic from the internet by default. When a security engineer needs to connect via RDP for troubleshooting, they must request access through a portal, and the RDP port will be opened for a limited time (e.g., 4 hours) only to their source IP address. Which Microsoft security solution should they use to implement this control?

A.Microsoft Defender for Cloud's Just-in-time (JIT) VM access
B.Microsoft Defender for Cloud Apps
C.Microsoft Defender for Endpoint
D.Azure Network Security Groups (NSGs) with application security groups
AnswerA

Defender for Cloud's JIT VM access provides exactly this capability: controls inbound traffic to VMs, reduces exposure, and grants temporary access with approval.

Why this answer

Microsoft Defender for Cloud's Just-in-time (JIT) VM access is the correct solution because it specifically provides time-limited, request-based opening of inbound ports (such as RDP port 3389) to approved source IP addresses, reducing the attack surface by keeping ports closed by default. This aligns directly with the requirement to block all inbound RDP from the internet by default and allow temporary access only through a portal request.

Exam trap

The trap here is that candidates may confuse network-level controls (NSGs) with a managed security service that automates temporary access, leading them to choose Option D without realizing NSGs lack the time-limited, request-based workflow that JIT provides.

How to eliminate wrong answers

Option B (Microsoft Defender for Cloud Apps) is wrong because it is a cloud access security broker (CASB) focused on controlling and monitoring user access to SaaS applications, not on managing inbound network ports to Azure VMs. Option C (Microsoft Defender for Endpoint) is wrong because it is an endpoint detection and response (EDR) solution for securing devices against malware and threats, not a network-level port management tool. Option D (Azure Network Security Groups with application security groups) is wrong because while NSGs can block or allow traffic, they do not provide time-limited, request-based just-in-time access; they require manual rule changes and do not integrate with a portal-based approval workflow.
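Q403 and Q420 both describe the same mechanism: a JIT policy that keeps RDP closed, plus a request that opens it to one source IP for a bounded time. The following is an added example, not code from the exam page, showing both halves with the Az.Security module. The subscription ID, resource group, VM name, region and admin IP are placeholders (assumptions); the cmdlet names and the hashtable shapes are the module's own.

```powershell
# Added example (not from the exam page): enable Defender for Cloud JIT VM access on one VM,
# then request a 4-hour RDP window from a single source IP. All identifiers are placeholders.
Install-Module Az.Security -Scope CurrentUser   # once; needs Az.Accounts as well
Connect-AzAccount

$subId  = "00000000-0000-0000-0000-000000000000"   # placeholder subscription ID
$rg     = "rg-prod-db"                             # placeholder resource group
$vmName = "vm-sql-01"                              # placeholder VM name
$region = "westeurope"                             # placeholder region
$vmId   = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/$vmName"

# 1. JIT policy: port 3389 stays closed; a request may open it for at most 4 hours (ISO 8601 "PT4H").
$jitVm = @{
    id    = $vmId
    ports = @(
        @{
            number                     = 3389
            protocol                   = "*"
            allowedSourceAddressPrefix = @("*")   # which prefixes MAY be requested; each request narrows this
            maxRequestAccessDuration   = "PT4H"
        }
    )
}
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $region -Name "default" `
    -ResourceGroupName $rg -VirtualMachine @($jitVm)

# 2. Access request: open 3389 for 4 hours, only to the administrator's IP.
#    Defender for Cloud writes a temporary allow rule into the VM's NSG and removes it at endTimeUtc.
$adminIp = "203.0.113.10"                                             # placeholder (TEST-NET-3 range)
$endTime = (Get-Date).ToUniversalTime().AddHours(4).ToString("o")     # round-trip format, ends in "Z"
$request = @{
    id    = $vmId
    ports = @(
        @{
            number                     = 3389
            endTimeUtc                 = $endTime
            allowedSourceAddressPrefix = @($adminIp)
        }
    )
}
$policyId = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Security/locations/$region/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request)

# 3. Verify the policy (configured ports) and the active request.
Get-AzJitNetworkAccessPolicy -ResourceGroupName $rg -Location $region -Name "default" | Format-List
```

The check a practitioner should add afterwards is to look at the NSG rules on the VM: while the request is active there is a high-priority allow rule for 3389 from $adminIp, and after endTimeUtc it is gone, which is exactly the difference between JIT and a hand-edited NSG (Q420, option D).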

421
MCQeasy

You are a security administrator for a company that uses Microsoft 365. The compliance team needs to automatically classify and protect sensitive data such as credit card numbers in emails and documents. Which Microsoft Purview solution should you recommend?

A.Microsoft Purview Information Protection
B.Microsoft Purview Records Management
C.Microsoft Purview Insider Risk Management
D.Microsoft Purview Data Loss Prevention
AnswerD

DLP policies detect and protect sensitive data such as credit card numbers in emails and documents.

Why this answer

Option D is correct because Microsoft Purview Data Loss Prevention (DLP) policies automatically detect sensitive information types such as credit card numbers in emails and documents and enforce an action (block, notify, restrict sharing). Option A is wrong because Information Protection focuses on classification and labeling; it is DLP that enforces actions on the detected content. Option C is wrong because Insider Risk Management detects risky user activities, not sensitive data in content.

Option B is wrong because Records Management manages retention and disposition, not real-time protection.
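Q416 turns on which workloads a DLP policy is scoped to, and Q421 on DLP being the solution that enforces an action once a credit card number is detected. The following is an added example, not code from the exam page, that builds such a policy in Security & Compliance PowerShell: Exchange, SharePoint and OneDrive in scope, Teams deliberately out of scope, and a rule that blocks external sharing of credit card numbers and notifies the sender. The policy name and the choice of simulation mode are assumptions; the cmdlets and parameters are the ExchangeOnlineManagement module's own.

```powershell
# Added example (not from the exam page): Purview DLP policy that blocks email containing a credit card
# number when sent outside the organization, and notifies the user. Names are placeholders.
Install-Module ExchangeOnlineManagement -Scope CurrentUser   # once
Connect-IPPSSession   # Security & Compliance PowerShell endpoint (not Connect-ExchangeOnline)

$policyName = "DLP-PCI-Block-External"   # placeholder policy name

# Scope: Exchange Online, SharePoint Online, OneDrive. Teams is left out on purpose, the same shape as the
# Q416 exhibit: the Exchange location is what brings outbound email into scope.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications     # simulate and show policy tips first; change to Enable after tuning

# Rule: at least one credit card number, shared with recipients outside the org -> block and notify.
New-DlpComplianceRule -Name "$policyName-Rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High

# Verify scope and rule actions (TeamsLocation should be empty here).
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation, TeamsLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, BlockAccess, AccessScope, NotifyUser, ReportSeverityLevel
```

With this rule in place the Q416 outcome follows: an email with a credit card number to an external recipient is blocked and the sender gets a notification, regardless of Teams being out of scope. Starting in TestWithNotifications rather than Enable is the caveat worth remembering; a blocking rule with a false-positive-prone sensitive information type can stop legitimate business mail the day it is enabled.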

422
MCQeasy

Your company wants to use Microsoft Security Copilot to help analysts investigate security incidents. Which data source can Security Copilot ingest to provide contextual insights?

A.Alerts from Microsoft Defender XDR
B.Custom IoT device logs
C.Third-party threat intelligence feeds
D.On-premises firewall syslog
AnswerA

Security Copilot integrates with Microsoft Defender XDR (formerly Microsoft 365 Defender).

Why this answer

Option A is correct because Microsoft Security Copilot integrates with Microsoft Defender XDR and can pull alert and incident context from it. Option D is wrong because Security Copilot does not directly ingest on-premises syslog. Option B is wrong because custom logs from IoT devices must first be collected by a SIEM such as Microsoft Sentinel.

Option C is wrong because third-party threat intelligence feeds are not a primary ingestion source for Security Copilot.

423
MCQmedium

A security team wants to discover all cloud apps being used by employees, including unsanctioned personal apps like unauthorized file-sharing services. They plan to analyze firewall logs to identify traffic patterns and assess each app's risk score. Which feature of Microsoft Defender for Cloud Apps should they enable?

A.Cloud Discovery
B.App Governance
C.Information Protection
D.Conditional Access App Control
AnswerA

Correct. Cloud Discovery uses log analysis to uncover all cloud apps in use and provides risk scores, helping to discover shadow IT.

Why this answer

Cloud Discovery is the correct feature because it analyzes traffic logs (e.g., from firewalls or proxies) to identify all cloud apps in use, including unsanctioned personal apps like unauthorized file-sharing services. It then assesses each app's risk score based on over 80 risk factors, such as encryption standards and data residency, enabling the security team to discover and evaluate shadow IT.

Exam trap

The trap here is that candidates often confuse Cloud Discovery with Conditional Access App Control, mistakenly thinking that real-time session policies can also discover unsanctioned apps, but discovery requires log analysis, not policy enforcement.

How to eliminate wrong answers

Option B (App Governance) is wrong because it focuses on monitoring and managing OAuth-enabled apps that have been granted access to Microsoft 365 data, not on discovering unsanctioned cloud apps from firewall logs. Option C (Information Protection) is wrong because it deals with classifying, labeling, and protecting sensitive data (e.g., via sensitivity labels and DLP), not with discovering cloud app usage or analyzing traffic patterns. Option D (Conditional Access App Control) is wrong because it enforces real-time access policies (e.g., session controls) on sanctioned apps, but it does not perform discovery or risk assessment of unsanctioned apps from firewall logs.

424
MCQeasy

A company wants to enforce conditional access policies that require multifactor authentication (MFA) for all users accessing financial apps from outside the corporate network. Which Microsoft Entra ID license is minimally required to create conditional access policies?

A.Microsoft 365 Business Basic
B.Microsoft Entra ID P2
C.Microsoft Entra ID Free
D.Microsoft Entra ID P1
AnswerD

P1 includes Conditional Access and is the minimum required.

Why this answer

Microsoft Entra ID P1 is the lowest tier that includes Conditional Access. Option C is wrong because Microsoft Entra ID Free does not include Conditional Access; it offers only security defaults, which cannot be scoped to particular apps or network locations. Option B is wrong because Microsoft Entra ID P2 does include Conditional Access, but only as a superset of P1; what P2 adds is Identity Protection and Privileged Identity Management, which the scenario does not need, so it is not the minimum.

Option A is wrong because Microsoft 365 Business Basic bundles only Microsoft Entra ID Free; Conditional Access arrives with Microsoft 365 Business Premium, which bundles Entra ID P1. A practical point the question does not state: a Conditional Access policy is only evaluated for users who hold a P1 (or P2) license, so every user in scope of the financial-app policy needs one.
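The policy from this scenario built with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original page. The application ID, the named-location ID for the corporate network, the break-glass account ID and the policy name are placeholders I am assuming; everything else is the documented shape of a Conditional Access policy object.

```powershell
# Added example (not from the original page). Requires the Microsoft.Graph PowerShell SDK,
# a tenant with Microsoft Entra ID P1 and an account allowed to write Conditional Access policies.
# The GUIDs below are placeholders: replace them with the finance app's app ID, the named
# location holding the corporate egress IP ranges (Entra admin center > Named locations),
# and the object ID(s) of the emergency-access accounts.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$financeAppId       = "00000000-0000-0000-0000-000000000001"    # placeholder app ID
$corpNetworkLocId   = "00000000-0000-0000-0000-000000000002"    # placeholder named location ID
$breakGlassAccounts = @("00000000-0000-0000-0000-000000000003") # placeholder break-glass object ID(s)

$policy = @{
    displayName = "CA-Finance-RequireMFA-OffCorpNetwork"
    # Start in report-only mode, review the 'Report-only' tab in the sign-in log, then set state = "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = $breakGlassAccounts   # never put the emergency-access accounts behind this policy
        }
        applications = @{ includeApplications = @($financeAppId) }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($corpNetworkLocId)   # "everywhere except the corporate network"
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # require MFA; add "compliantDevice" for a stricter variant
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
```

The "outside the corporate network" condition is expressed as include all locations, exclude the corporate named location, which is the only way the Graph schema allows a negative location condition. Report-only first is not optional hygiene: a policy that includes All users and misses the break-glass exclusion can lock the tenant's administrators out of the very app it protects.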

425
MCQmedium

A company uses Microsoft Defender for Cloud Apps to protect its SaaS apps. The security team needs to detect when a user downloads more than 100 files from SharePoint Online within 10 minutes. Which policy type should they create?

A.Anomaly detection policy
B.Activity policy
C.Threat detection policy
D.Compliance policy
AnswerA

Anomaly detection policies use machine learning to flag unusual user behaviour such as a mass download, without the team having to choose a threshold.

Why this answer

Anomaly detection policies in Defender for Cloud Apps (for example the built-in 'Unusual file download (by user)' detection) learn a per-user baseline and alert when download volume deviates from it, so they catch a mass download even when an attacker stays just under any hand-picked number. Option B (activity policy) is the distractor, and a practitioner should know why it is tempting: activity policies match explicit conditions, and their 'repeated activity' setting can express exactly a literal rule such as 100 downloads within 10 minutes, so if the team genuinely needs that fixed count they would build an activity policy; the exam answer favours anomaly detection because it covers the behaviour the team is really after rather than one number. Option C is wrong because 'threat detection' is a policy category used to classify anomaly detection and activity policies, not a policy type you create. Option D is wrong because 'compliance' is likewise a category (mostly file policies that find regulated data), not a policy type, and device compliance policies belong to Intune.

426
MCQhard

A multinational company uses a hybrid infrastructure with on-premises Active Directory and Azure resources. They have deployed Microsoft Defender for Cloud to protect their Azure workloads. They now want to extend threat detection to their on-premises Active Directory by collecting security events from domain controllers to detect attacks like Golden Ticket, DCSync, and malicious Kerberos activity. The solution should integrate with Microsoft Sentinel for automated response. Which security solution should they deploy on the on-premises domain controllers?

A.Microsoft Defender for Cloud
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Identity
D.Microsoft Sentinel
AnswerC

Defender for Identity is purpose-built for on-prem AD threat detection, capturing domain controller events to detect Kerberos attacks and privilege escalation.

Why this answer

Microsoft Defender for Identity (MDI) is the correct solution because it is specifically designed to monitor on-premises Active Directory signals, including security events from domain controllers, to detect advanced identity-based attacks such as Golden Ticket, DCSync, and malicious Kerberos activity. MDI integrates natively with Microsoft Sentinel to enable automated response workflows, fulfilling the requirement for extending threat detection to on-premises AD.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a CSPM/CWPP tool) with Microsoft Defender for Identity (an AD-focused identity threat detection tool), because both names include 'Defender' and both can integrate with Sentinel, but only MDI monitors on-premises Active Directory authentication events.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a cloud workload protection platform (CWPP) focused on securing Azure, hybrid, and multi-cloud resources, not on-premises Active Directory domain controllers. Option B is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution for devices like servers and workstations, not for monitoring Active Directory authentication protocols or Kerberos attacks. Option D is wrong because Microsoft Sentinel is a cloud-native SIEM/SOAR platform that ingests logs and triggers responses; it can collect raw Windows security events from domain controllers through the Azure Monitor Agent, but it has no Kerberos or directory-replication analytics of its own for those events and relies on the Defender for Identity data connector for the Golden Ticket and DCSync detections the scenario asks for. The MDI sensor itself is what gets installed on the domain controllers (and optionally on AD FS and AD CS servers), parsing their network traffic and Windows events locally and forwarding only the results to the cloud service.

427
MCQmedium

Your organization is deploying Microsoft Defender for Cloud Apps to protect against cloud app threats. You need to ensure that users are prompted for authentication when accessing a sanctioned cloud app from an unmanaged device. Which policy type should you configure?

A.Activity policy
B.Access policy
C.Anomaly detection policy
D.Session policy
AnswerD

Session policies allow real-time monitoring and control of user sessions, including prompting for authentication from unmanaged devices.

Why this answer

Option D is correct because session policies in Defender for Cloud Apps (delivered through Conditional Access App Control's reverse proxy) control the user's session in real time and can apply a 'Require step-up authentication' action when a device filter such as unmanaged or non-compliant matches, prompting the user to authenticate again without cutting them off from the app. Option B is wrong because access policies decide only allow or block at the moment the session is established; they cannot prompt for authentication part-way through. Option A is wrong because activity policies alert on and respond to activities recorded in the app's audit log after the fact, not on the live session.

Option C is wrong because anomaly detection policies detect suspicious behaviour but do not enforce access controls.

428
MCQmedium

A security team needs to continuously assess the security posture of Azure resources, including virtual machines, storage accounts, and SQL databases. They also want to identify vulnerabilities in both Windows and Linux servers running in Azure and on-premises, and receive prioritized recommendations for remediation. Which Microsoft security solution should they use?

A.Microsoft Defender for Cloud
B.Microsoft Defender for Endpoint
C.Microsoft Sentinel
D.Microsoft Purview
AnswerA

Defender for Cloud provides vulnerability scanning and security posture assessment for Azure, on-premises, and multi-cloud workloads.

Why this answer

Microsoft Defender for Cloud is the correct solution because it provides continuous assessment of Azure resources (VMs, storage accounts, SQL databases) and hybrid workloads, including vulnerability scanning for Windows and Linux servers both in Azure and on-premises (on-premises machines are connected through Azure Arc). It delivers prioritized remediation recommendations based on the secure score and on Microsoft Defender Vulnerability Management, which is now the built-in scanner; the earlier Qualys-based integration has been retired.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a CSPM and workload protection solution) with Microsoft Defender for Endpoint (an EDR solution), but the question's focus on assessing security posture of Azure resources and hybrid servers points specifically to Defender for Cloud's CSPM capabilities.

How to eliminate wrong answers

Option B (Microsoft Defender for Endpoint) is wrong because it focuses on endpoint detection and response (EDR) for devices, not on assessing the security posture of Azure resources like storage accounts or SQL databases, nor does it provide cloud-specific posture management. Option C (Microsoft Sentinel) is wrong because it is a SIEM/SOAR solution for security information and event management, not a tool for continuous security posture assessment or vulnerability scanning of Azure resources. Option D (Microsoft Purview) is wrong because it is a data governance and compliance solution for data classification and protection, not a security posture assessment or vulnerability management tool.

429
MCQmedium

Your company is deploying Microsoft Defender for Cloud Apps. You need to detect and block the use of unsanctioned cloud apps that exhibit risky behavior. Which feature should you configure?

A.Azure Information Protection labels
B.Conditional Access policies
C.Cloud Discovery
D.Data Loss Prevention (DLP) policies
AnswerC

Cloud Discovery identifies unsanctioned apps, and an app tagged as unsanctioned can be blocked either through the block script Defender for Cloud Apps generates for the organisation's firewalls and proxies or through Microsoft Defender for Endpoint network protection on managed devices.

Why this answer

Option C is correct because Cloud Discovery in Microsoft Defender for Cloud Apps analyses traffic logs to surface shadow IT with a risk score, and tagging an app as unsanctioned feeds the blocking mechanisms above, so discovery and blocking are both handled by this feature. Option D is wrong because DLP policies inspect files and messages for sensitive content; they do not discover apps. Option B is wrong because Conditional Access (and Conditional Access App Control) governs access to apps already integrated with Microsoft Entra ID; an unsanctioned app the tenant knows nothing about is never routed through it.

Option A is wrong because Azure Information Protection (now Microsoft Purview Information Protection sensitivity labels) classifies and protects data, not app usage.

430
MCQmedium

Refer to the exhibit. You run the Azure PowerShell command for a storage account. What is the current network access configuration?

A.The storage account is accessible only from specific virtual networks.
B.The storage account is accessible from all networks.
C.The storage account is not accessible from any network.
D.The storage account is accessible only from specific IP addresses.
AnswerC

Correct: DefaultAction Deny with no rules blocks all traffic.

Why this answer

DefaultAction is Deny and both IpRules and VirtualNetworkRules are empty, so every public-network request is refused by default and nothing is exempted. Option C is correct.

Option B says 'all networks', which would require DefaultAction Allow. Option D says only specific IP addresses, but IpRules is empty. Option A says only specific virtual networks, but VirtualNetworkRules is empty. Two caveats a practitioner would check before calling the account unreachable: the Bypass setting can still admit trusted Azure services (and logging or metrics traffic) even with DefaultAction Deny, and the account-level PublicNetworkAccess property, if set to Disabled, blocks public traffic regardless of the rule set, while private endpoints are not subject to the firewall at all.
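Reading the same rule set with Azure PowerShell and turning it into a verdict, as an added example rather than the page's missing exhibit: the resource group and account names and the corporate IP range are placeholders, and the classification function is mine, not part of the Az module.

```powershell
# Added example (not from the original page). Requires the Az.Storage module and an
# authenticated session (Connect-AzAccount). Names and the IP range are placeholders.
$rg      = "rg-finance"        # placeholder resource group
$account = "stfinancedata01"   # placeholder storage account name

$ruleSet = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account
$acct    = Get-AzStorageAccount -ResourceGroupName $rg -Name $account

function Get-StorageNetworkExposure {
    # Classifies the effective public-network exposure from the rule set and the
    # account-level PublicNetworkAccess switch. Helper written for this example.
    param(
        [Parameter(Mandatory)] $RuleSet,
        [string] $PublicNetworkAccess   # "Enabled" / "Disabled" / empty on older API versions
    )
    if ($PublicNetworkAccess -eq 'Disabled') {
        return 'No public access at all: PublicNetworkAccess is Disabled (firewall rules are moot; only private endpoints work)'
    }
    $hasIpRules   = ($RuleSet.IpRules             | Measure-Object).Count -gt 0
    $hasVnetRules = ($RuleSet.VirtualNetworkRules | Measure-Object).Count -gt 0

    if ($RuleSet.DefaultAction -eq 'Allow') {
        return 'Accessible from all networks (DefaultAction Allow; any IP or VNet rules are irrelevant)'
    }
    # DefaultAction is Deny from here on.
    if (-not $hasIpRules -and -not $hasVnetRules) {
        $bypass = if ($RuleSet.Bypass -and "$($RuleSet.Bypass)" -ne 'None') {
            " except traffic covered by Bypass = $($RuleSet.Bypass)"
        } else { '' }
        return "Not accessible from any network$bypass"
    }
    $sources = @()
    if ($hasVnetRules) { $sources += 'VNet subnets: ' + ($RuleSet.VirtualNetworkRules.VirtualNetworkResourceId -join ', ') }
    if ($hasIpRules)   { $sources += 'IP ranges: '    + ($RuleSet.IpRules.IPAddressOrRange -join ', ') }
    return 'Restricted to ' + ($sources -join '; ')
}

Get-StorageNetworkExposure -RuleSet $ruleSet -PublicNetworkAccess $acct.PublicNetworkAccess

# Hardening the opposite case (DefaultAction Allow): deny by default, keep trusted Azure
# services, and add only the ranges that actually need access.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account -DefaultAction Deny -Bypass AzureServices
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account -IPAddressOrRange "203.0.113.0/24"   # placeholder corporate egress range
```

The order of the checks is the point: PublicNetworkAccess overrides the rule set, DefaultAction Allow makes the rules irrelevant, and only after both are settled do the IP and VNet rules say anything. Re-run the read-back after the hardening lines; a storage account with DefaultAction Deny and no rules is exactly the exhibit's state, which is also what you want on an account meant to be reached only through a private endpoint.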

431
MCQhard

Refer to the exhibit. You are creating a custom analytics rule in Microsoft Sentinel. What does this rule detect?

A.Sign-ins with high sign-in risk from any location
B.Sign-ins with medium or high risk from the US
C.Sign-ins from users with high user risk outside the US
D.Sign-ins with medium or high risk from outside the US
AnswerD

Matches the query logic.

Why this answer

The rule is configured with 'Risk level: Medium, High' and 'Location: Outside US'. This means it triggers only when both conditions are met: the sign-in risk is medium or high, and the location is outside the US. Option D correctly matches this combination, detecting sign-ins with medium or high risk from outside the US.

Exam trap

The trap here is confusing 'User risk' with 'Sign-in risk' — the rule explicitly uses sign-in risk, and candidates often misread the risk type or overlook the location filter, leading them to choose options that mix up these conditions.

How to eliminate wrong answers

Option A is wrong because the rule includes a location filter ('Outside US'), so sign-ins from inside the US never match, whatever their risk. Option B is wrong because the rule specifies 'Outside US' as the location, not 'from the US'. Option C is wrong because it describes user risk, the aggregate assessment that an account itself is compromised, whereas the rule filters on sign-in risk, the probability that this particular authentication was not performed by the account owner; the two are separate signals and separate fields in the sign-in log.
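The query that expresses this rule in KQL, run against the workspace before it is promoted to an analytics rule, as an added example that is not the page's exhibit. The workspace ID is a placeholder; the column names are those of the SigninLogs table that the Microsoft Entra ID connector writes.

```powershell
# Added example (not from the original page). Requires the Az.OperationalInsights module and an
# authenticated session with read access to the Sentinel workspace. The workspace ID is a placeholder.
$workspaceId = "00000000-0000-0000-0000-000000000004"   # placeholder Log Analytics workspace ID

# Sign-in risk lives in RiskLevelDuringSignIn; RiskLevelAggregated is user risk and is NOT what the rule asks for.
# Location is the ISO country code derived from the sign-in IP ("US", "DE", ...). It is empty for some
# sign-ins, and "!= 'US'" would silently include those, so the empty case is excluded explicitly.
$kql = @'
SigninLogs
| where TimeGenerated > ago(1h)
| where tolower(RiskLevelDuringSignIn) in ("medium", "high")
| where isnotempty(Location) and Location != "US"
| project TimeGenerated, UserPrincipalName, IPAddress, Location,
          RiskLevelDuringSignIn, RiskState, RiskDetail, ResultType, AppDisplayName
| order by TimeGenerated desc
'@

$response = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql

# Results is a collection of rows with one property per projected column.
$rows = @($response.Results)
"{0} risky sign-in(s) from outside the US in the last hour" -f $rows.Count
$rows | Format-Table TimeGenerated, UserPrincipalName, IPAddress, Location, RiskLevelDuringSignIn, ResultType -AutoSize
```

ResultType tells the analyst whether the risky sign-in actually succeeded ("0") or was stopped (for example by a Conditional Access policy); both are worth an incident, but the first is the one to work immediately. Once the query returns what you expect, the same text goes into a scheduled or NRT analytics rule unchanged except for dropping the `ago(1h)` clause, because the rule's look-back period supplies the time window.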

432
MCQmedium

A company wants to gain visibility into which cloud applications are being used by employees (shadow IT) and assess the risk level of each app. They use Microsoft Defender for Cloud Apps. Which feature should they enable to discover and analyze these apps?

A.App Governance
B.Cloud Discovery
C.Conditional Access App Control
D.OAuth app policies
AnswerB

Cloud Discovery analyzes traffic logs to identify and assess the risk of cloud applications in use, helping to manage shadow IT.

Why this answer

Cloud Discovery is the correct feature because it analyzes traffic logs against the Microsoft Defender for Cloud Apps catalog of over 31,000 cloud apps to identify shadow IT usage. It provides risk scores based on factors like security certifications, data encryption, and compliance standards, enabling the company to assess each app's risk level.

Exam trap

The trap here is that candidates confuse Cloud Discovery (which finds unknown apps via traffic analysis) with Conditional Access App Control (which controls access to known apps), leading them to pick Option C for a discovery question.

How to eliminate wrong answers

Option A is wrong because App Governance is a policy and monitoring feature for managing OAuth-enabled apps (e.g., permissions and consent), not for discovering unknown cloud apps via traffic analysis. Option C is wrong because Conditional Access App Control is a reverse-proxy feature that enforces session policies on known apps in real time, not a discovery mechanism for shadow IT. Option D is wrong because OAuth app policies are used to control permissions for third-party OAuth apps connected to Microsoft 365, not to discover or analyze cloud applications in use.

433
Multi-Selecteasy

Which TWO of the following are features of Microsoft Sentinel? (Choose two.)

Select 2 answers
A.Identity governance and administration
B.Security information and event management (SIEM)
C.Security orchestration, automation, and response (SOAR)
D.Endpoint detection and response (EDR)
E.Data classification and labeling
AnswersB, C

Sentinel provides SIEM for log collection, correlation and analysis, and SOAR for automated response through playbooks.

Why this answer

Microsoft Sentinel provides SIEM and SOAR capabilities, so Options B and C are correct. Option A (identity governance and administration) is a Microsoft Entra ID Governance feature; Option D (EDR) is delivered by Microsoft Defender for Endpoint; Option E (data classification and labeling) belongs to Microsoft Purview. Sentinel consumes alerts and logs from all three through data connectors but does not itself provide those capabilities.

434
Multi-Selecteasy

Which TWO of the following are included in Microsoft Entra ID Protection?

Select 2 answers
A.Data loss prevention (DLP)
B.Privileged Identity Management (PIM)
C.Risk-based Conditional Access policies
D.Sign-in risk detections (e.g., anonymous IP address)
E.Passwordless authentication support
AnswersC, D

ID Protection integrates with Conditional Access to respond to risk.

Why this answer

Entra ID Protection includes risk-based Conditional Access policies (the sign-in risk and user risk policies) and the underlying risk detections, such as sign-ins from anonymous IP addresses or leaked credentials. Privileged Identity Management (B) is a separate feature in the same Entra ID P2 license, but it manages privileged role activation rather than risk. Passwordless authentication (E) is an authentication-methods feature of Entra ID, not specific to ID Protection.

DLP (A) belongs to Microsoft Purview.

435
MCQeasy

A company uses Microsoft 365 and Microsoft Azure. The security team wants a single portal that provides a unified view of alerts and incidents from their endpoints, email, and cloud applications to accelerate threat investigation and response. Which Microsoft security solution should they use?

A.Microsoft 365 Defender portal
B.Microsoft Defender for Cloud
C.Microsoft Sentinel
D.Microsoft Purview Compliance Manager
AnswerA

This portal unifies alerts from Defender for Endpoint, Office 365, Identity, and Cloud Apps into a single incident queue, enabling coordinated investigation and response.

Why this answer

The Microsoft 365 Defender portal (now the Microsoft Defender portal at security.microsoft.com, with the Microsoft 365 Defender suite renamed Microsoft Defender XDR) is designed to aggregate alerts and incidents from endpoints (Microsoft Defender for Endpoint), email (Microsoft Defender for Office 365), and cloud applications (Microsoft Defender for Cloud Apps) into a single incident queue, correlating related alerts into one incident automatically. This unified view enables security teams to triage and investigate threats across these domains without switching between separate consoles, directly accelerating response times.

Exam trap

The trap here is that candidates often confuse Microsoft 365 Defender portal (a unified incident view for Microsoft 365 security products) with Microsoft Sentinel (a SIEM), not realizing that Sentinel requires additional setup and is not the out-of-the-box single portal for Microsoft's own security alerts.

How to eliminate wrong answers

Option B (Microsoft Defender for Cloud) is wrong because it focuses on securing cloud infrastructure (VMs, containers, PaaS) and provides alerts for those resources, not for endpoints, email, or cloud apps in a unified incident view. Option C (Microsoft Sentinel) is wrong because it is a cloud-native SIEM/SOAR that ingests logs from many sources, but it requires custom configuration and data connectors to unify alerts; it is not a pre-built single portal for Microsoft 365-native alerts and incidents. Option D (Microsoft Purview Compliance Manager) is wrong because it is a compliance management solution for assessing and managing regulatory compliance, not a security incident and alert aggregation tool.

436
MCQmedium

A security operations team uses Microsoft Defender for Cloud and has connected their AWS and GCP accounts. They want to continuously assess the security posture of AWS EC2 instances against the CIS AWS Foundations Benchmark and receive prioritized recommendations. Which feature of Defender for Cloud should they use?

A.Cloud Security Posture Management (CSPM)
B.Microsoft Defender for Servers
C.Security Alerts
D.Workload protections
AnswerA

CSPM assesses resources against built-in benchmarks like CIS, provides a secure score, and offers recommendations for remediation. It works across Azure, AWS, and GCP.

Why this answer

Option A is correct because Cloud Security Posture Management (CSPM) in Microsoft Defender for Cloud is specifically designed to continuously assess the security posture of multi-cloud resources (including AWS EC2 instances) against industry benchmarks like the CIS AWS Foundations Benchmark. CSPM provides a compliance dashboard, prioritized recommendations, and automated remediation guidance, directly addressing the team's need for ongoing assessment and prioritized recommendations.

Exam trap

The trap here is that candidates often confuse CSPM with workload protections (Option D) or Microsoft Defender for Servers (Option B), mistakenly thinking that threat detection or server-specific plans automatically include compliance assessment, when in fact CSPM is the dedicated feature for multi-cloud posture management and benchmark compliance.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Servers is a workload protection plan that provides advanced threat detection, just-in-time VM access, and file integrity monitoring for servers, but it does not natively assess compliance against the CIS AWS Foundations Benchmark or provide continuous posture assessment for AWS EC2 instances. Option C is wrong because Security Alerts are generated from threat detection signals (e.g., suspicious activities or attacks) and are not designed to continuously assess security posture against a compliance benchmark like CIS AWS Foundations. Option D is wrong because Workload protections refer to the suite of threat detection and prevention capabilities (e.g., for servers, databases, containers) within Defender for Cloud, but they do not include the compliance assessment and posture scoring features that CSPM provides.

437
MCQeasy

Your company uses Microsoft Defender for Cloud Apps. You want to discover which cloud apps are being used in your organization and assess their risk levels. What should you use?

A.Cloud App Security Catalog
B.Cloud Discovery
C.Microsoft Purview Data Map
D.Microsoft Intune app inventory
AnswerB

Cloud Discovery analyzes traffic logs to discover apps and assess risk.

Why this answer

Microsoft Defender for Cloud Apps provides Cloud Discovery to analyse traffic logs and identify shadow IT, so Option B is correct. Option A is a distractor built on the product's old name (Microsoft Cloud App Security): the cloud app catalog does exist, as the reference list of 31,000+ apps with their risk scores, but browsing it does not tell you which apps your own users are reaching; Cloud Discovery is the feature that matches your traffic logs against that catalog.

Option D is wrong because the Microsoft Intune app inventory lists software installed on managed devices, not SaaS traffic. Option C is wrong because the Microsoft Purview Data Map catalogues data assets for governance, not cloud app usage.

438
MCQhard

You are investigating an alert in Microsoft Sentinel. The exhibit shows the JSON output of an alert that was generated from a sign-in log. The alert is linked to an active incident. Which action should you take to prioritize the incident for investigation?

A.Change the incident severity to critical
B.Close the incident as a false positive
C.Delete the alert from the incident
D.Reassign the incident to another analyst
AnswerA

Increasing severity prioritizes the incident for investigation.

Why this answer

Option A is correct because raising the severity moves the incident up the queue and into the high-severity views and automation rules that analysts work from first. One correction to the option's wording: Sentinel incident severities are Informational, Low, Medium and High; there is no Critical level, so in the portal this action means setting the severity to High. Option B is wrong because closing the incident as a false positive ends the investigation. Option D is wrong because reassigning the incident changes its owner, not its priority.

Option C is wrong because removing the alert from the incident discards evidence and neither resolves nor prioritises anything; alerts can be moved between incidents during triage, but that is a correlation step, not a prioritisation step.

439
MCQeasy

Your company uses Microsoft Defender for Cloud to secure Azure resources. You need to assess compliance with the CIS benchmark. What should you enable?

A.Azure Policy
B.Regulatory compliance standards in Microsoft Defender for Cloud
C.Microsoft Sentinel
D.Azure Firewall
AnswerB

Defender for Cloud can assess against CIS.

Why this answer

Option B is correct because the regulatory compliance dashboard in Defender for Cloud lets you assign standards such as the CIS Microsoft Azure Foundations Benchmark (alongside the Microsoft cloud security benchmark, NIST SP 800-53, PCI DSS and others) and reports pass or fail per control. Option D is wrong because Azure Firewall is a network security service, not a compliance assessment. Option C is wrong because Microsoft Sentinel is a SIEM.

Option A is the closest distractor: Defender for Cloud's compliance standards are implemented as Azure Policy initiative assignments under the hood, so Azure Policy is doing the evaluation, but the question asks what to enable in Defender for Cloud, and the answer there is the regulatory compliance standard.

440
Multi-Selecteasy

A company uses Microsoft Defender for Cloud to secure its environment. Which TWO plans are available?

Select 2 answers
A.Cloud Security Posture Management (CSPM)
B.Defender for Servers
C.Microsoft Intune
D.Microsoft Sentinel
E.Microsoft Defender for Identity
AnswersA, B

Correct: Foundational plan.

Why this answer

Cloud Security Posture Management (CSPM) is the foundational plan in Microsoft Defender for Cloud that continuously assesses your Azure, hybrid, and multi-cloud resources against security benchmarks (e.g., CIS, NIST, and the Microsoft cloud security benchmark, formerly the Azure Security Benchmark) to identify misconfigurations and compliance gaps. It is available free, providing secure score and recommendations, with Defender CSPM as the paid upgrade (attack path analysis, agentless scanning). Defender for Servers is one of the workload protection plans that sit on top of it, adding threat detection, vulnerability management and Defender for Endpoint integration for VMs, so Options A and B are correct. Microsoft Intune, Microsoft Sentinel and Microsoft Defender for Identity are separate products, not Defender for Cloud plans.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel and Microsoft Defender for Identity as being 'plans' within Defender for Cloud because they are part of the broader Microsoft security ecosystem and integrate with Defender for Cloud, but they are separate services with their own licensing and management interfaces.

441
MCQmedium

A company wants to detect and respond to advanced attacks targeting their on-premises Active Directory infrastructure, such as Kerberos Golden Ticket attacks, pass-the-hash, and brute-force attempts. The solution should integrate with Microsoft Sentinel and Microsoft 365 Defender for cross-domain investigations. Which Microsoft security solution should they deploy?

A.Microsoft Defender for Endpoint
B.Microsoft Defender for Identity
C.Microsoft Defender for Office 365
D.Microsoft Defender for Cloud Apps
AnswerB

This is the correct solution, as it is purpose-built to monitor on-premises Active Directory for advanced threats and integrates with Microsoft 365 Defender and Sentinel.

Why this answer

Microsoft Defender for Identity (MDI) is specifically designed to protect on-premises Active Directory by monitoring for advanced attacks like Kerberos Golden Ticket, pass-the-hash, and brute-force attempts. It integrates natively with Microsoft Sentinel and Microsoft 365 Defender to enable cross-domain investigations, correlating identity signals with endpoint and cloud data.

Exam trap

The trap here is that candidates often confuse Defender for Identity with Defender for Endpoint, assuming endpoint protection covers identity attacks, but MDI is the only solution that directly monitors Active Directory authentication protocols and domain controller traffic for advanced on-premises identity threats.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint focuses on endpoint devices (e.g., workstations, servers) and does not natively monitor Active Directory authentication protocols like Kerberos or NTLM for identity-based attacks. Option C is wrong because Microsoft Defender for Office 365 protects email and collaboration tools (e.g., Exchange Online, SharePoint) and has no visibility into on-premises Active Directory or Kerberos ticket attacks. Option D is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that monitors cloud application usage and shadow IT, not on-premises Active Directory authentication events.

442
Multi-Selecthard

Which TWO Microsoft Entra ID capabilities help detect and remediate identity risks? (Select two.)

Select 2 answers
A.Identity Protection
B.Identity Governance
C.Password protection
D.Privileged Identity Management
E.Conditional Access
AnswersA, E

Identity Protection detects risk; Conditional Access acts on it.

Why this answer

Identity Protection (Option A) produces the risk detections and calculates user and sign-in risk; Conditional Access (Option E) is what turns those risk levels into remediation, for example requiring a secure password change at high user risk or MFA at medium sign-in risk. PIM (Option D) manages just-in-time privileged role activation. Password protection (Option C) prevents weak or banned passwords from being set.

Identity Governance (Option B) manages the access lifecycle (entitlement management, access reviews), which is periodic attestation rather than risk detection.

443
Multi-Selecteasy

Which TWO are capabilities of Microsoft Entra ID Protection?

Select 2 answers
A.Risk-based conditional access policies
B.Device enrollment policies
C.Self-service password reset
D.Privileged role activation
E.Detection of leaked credentials
AnswersA, E

ID Protection allows you to create policies that block or require MFA based on risk level.

Why this answer

Option A is correct because Microsoft Entra ID Protection uses risk-based conditional access policies to automatically respond to detected risks, such as blocking access or requiring multi-factor authentication, based on real-time risk levels. Option E is correct because Entra ID Protection continuously monitors for leaked credentials by analyzing known credential breaches and flagging accounts whose credentials have been exposed, enabling proactive remediation.

Exam trap

The trap here is that candidates confuse Entra ID Protection with other Entra ID features like SSPR or PIM, but Entra ID Protection is specifically about risk detection and automated remediation, not password management or privileged access control.

444
MCQeasy

A company wants to protect against ransomware by detecting and blocking malicious files in email attachments. Which Microsoft security solution should be used?

A.Microsoft Defender for Identity
B.Microsoft Defender for Cloud Apps
C.Microsoft Defender for Office 365
D.Microsoft Defender for Endpoint
AnswerC

Correct: It provides email protection against ransomware and malware.

Why this answer

Microsoft Defender for Office 365 includes Safe Attachments, which detonates attachments in a sandbox before delivery, and Safe Links, which rewrites and checks URLs at click time, so the malicious file is stopped in the mail flow. Defender for Endpoint (D) would see the file only once it reached a device, Defender for Identity (A) monitors Active Directory, and Defender for Cloud Apps (B) protects SaaS app usage; none of them blocks the attachment in email.

445
MCQeasy

A company has enabled Microsoft Defender for Cloud. They want to assess their Azure resources for compliance with security benchmarks like CIS and Azure Security Benchmark, and view a secure score. Which feature of Defender for Cloud provides this capability?

A.Cloud Security Posture Management (CSPM)
B.Microsoft Defender for Servers
C.Microsoft Defender for App Service
D.Just-in-time (JIT) VM access
AnswerA

Correct. CSPM is the built-in module that provides continuous assessment of security posture, secure score, and compliance with benchmarks. It is enabled by default when you enable Defender for Cloud.

Why this answer

Cloud Security Posture Management (CSPM) is the Defender for Cloud feature specifically designed to assess Azure resources against industry security benchmarks such as CIS and the Azure Security Benchmark (now the Microsoft cloud security benchmark, MCSB). It continuously evaluates your environment, provides a secure score based on compliance findings, and offers actionable recommendations to improve your security posture. This directly matches the scenario's requirement for benchmark compliance assessment and secure score visibility.

Exam trap

The trap here is that candidates often confuse workload protection plans (like Defender for Servers) with posture management features, assuming any 'Defender' plan includes compliance assessment, whereas CSPM is the dedicated feature for benchmarks and secure score.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Servers is a workload protection plan that provides advanced threat detection and just-in-time access for virtual machines, not a posture management or compliance benchmarking service. Option C is wrong because Microsoft Defender for App Service is a threat detection service focused on attacks targeting App Service applications, such as DDoS or injection attacks, and does not assess compliance with CIS or Azure Security Benchmark. Option D is wrong because Just-in-time (JIT) VM access is a feature that reduces the attack surface by controlling network access to VMs, but it does not perform compliance assessments or generate a secure score.

446
MCQhard

Your company uses Microsoft Entra ID and is implementing a zero-trust security model. You need to ensure that all access requests to sensitive applications are verified continuously, not just at the initial sign-in. Which Microsoft Entra ID capability should you use?

A.Conditional Access with session controls
B.Access reviews
C.Microsoft Entra Identity Protection
D.Privileged Identity Management
AnswerA

Conditional Access session controls customise continuous access evaluation, which re-verifies access after sign-in rather than only at it.

Why this answer

Continuous access evaluation (CAE) is the capability behind this requirement: instead of trusting an access token until it expires, CAE-capable services (Exchange Online, SharePoint Online, Teams and Microsoft Graph) receive critical events from Entra ID, such as an account being disabled, a password reset, a user-risk elevation, or a Conditional Access location policy no longer being satisfied, and revoke the session in near real time. CAE is on by default for the tenant; the Conditional Access session control 'Customize continuous access evaluation' is where you tune it (strict location enforcement, or disabling it for a particular policy), and the sign-in frequency session control adds periodic re-authentication for apps and clients that are not CAE-aware. Together these provide the 'verify explicitly and continuously' behaviour the zero-trust model asks for.

Exam trap

The trap here is that candidates often confuse periodic reviews (Access reviews) or risk detection (Identity Protection) with real-time enforcement, but only session controls under Conditional Access provide the continuous, event-driven verification required by zero-trust.

How to eliminate wrong answers

Option B is wrong because Access reviews are periodic attestation workflows that require manual or scheduled re-certification of group memberships or application access; they do not provide real-time, continuous verification of each access request. Option C is wrong because Microsoft Entra Identity Protection focuses on detecting and responding to identity-based risks (e.g., leaked credentials, anomalous sign-ins) but does not enforce session-level controls or continuous verification of access to specific applications. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time activation and approval workflows for privileged roles, not continuous verification of all access requests to sensitive applications.

447
MCQmedium

Your organization uses Microsoft Defender for Cloud Apps. Security team wants to be alerted when a user accesses a cloud app from a risky IP address. Which solution should you use to create a policy that triggers an alert based on this activity?

A.Create an activity policy.
B.Create a session policy.
C.Create an app discovery policy.
D.Create an access policy.
AnswerA

Activity policies monitor activities and trigger alerts based on conditions like risky IP.

Why this answer

Correct: an activity policy in Defender for Cloud Apps can match sign-in activities (e.g., 'Log on') filtered by IP address category such as 'Risky' or by a custom IP address tag, and raise an alert, optionally with a governance action such as suspending the user. Option D: access policies allow or block access inline in real time; they are an enforcement point, not an alerting policy. Option B: session policies control what a user can do inside a proxied session.

Option C: app discovery policies alert on newly discovered or risky apps in Cloud Discovery, not on where a user signs in from.

448
MCQmedium

Your organization uses Microsoft Sentinel. You need to create a custom analytics rule that triggers an incident when a user fails to sign in more than five times within an hour. Which rule type should you use?

A.Scheduled query rule
B.Fusion rule
C.Near-real-time (NRT) analytics rule
D.Machine learning (ML) behavioral analytics rule
AnswerA

Scheduled query rules can run KQL queries on a schedule and trigger based on result counts over defined time windows.

Why this answer

Option A is correct because a scheduled query rule runs a custom KQL query at a fixed frequency over a defined look-back period and creates an incident when the result crosses a threshold; counting failed sign-ins per user over the last hour is exactly that pattern. Option C is wrong because NRT rules run once a minute over only the last minute of data and cannot aggregate across an hour-long window. Option B is wrong because Fusion is a built-in, machine-learning correlation of multistage attacks and cannot be given your own threshold.

Option D is wrong because ML behavioural analytics rules learn a baseline and flag deviations from it; they do not enforce a fixed count.
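The rule from this scenario created with Az.SecurityInsights, as an added example that is not part of the original page. The resource group and workspace names are placeholders, and the cmdlet parameters are as documented for Az.SecurityInsights 3.x; if your module version differs, check `Get-Help New-AzSentinelAlertRule -Parameter *` before running it.

```powershell
# Added example (not from the original page). Requires the Az.SecurityInsights module and an
# authenticated session with Microsoft Sentinel Contributor on the workspace. Names are placeholders.
$rg        = "rg-sentinel"        # placeholder resource group
$workspace = "law-sentinel-prod"  # placeholder Log Analytics workspace

# The "> 5" threshold belongs in the query, so that every returned row is already an offending user.
# The one-hour window comes from the rule's QueryPeriod, not from an ago() clause in the KQL.
$kql = @'
SigninLogs
| where ResultType != "0"                         // any failure code: bad password, CA block, lockout, ...
| where isnotempty(UserPrincipalName)
| summarize Failures   = count(),
            FirstFail  = min(TimeGenerated),
            LastFail   = max(TimeGenerated),
            SourceIPs  = make_set(IPAddress, 10),
            ErrorCodes = make_set(ResultType, 10)
          by UserPrincipalName
| where Failures > 5
'@

New-AzSentinelAlertRule -ResourceGroupName $rg -WorkspaceName $workspace -Scheduled `
    -DisplayName   "More than five failed sign-ins for one user within an hour" `
    -Description   "Scheduled query over SigninLogs; each result row is a user with >5 failures in the look-back window." `
    -Severity      Medium `
    -Tactic        CredentialAccess `
    -Query         $kql `
    -QueryFrequency (New-TimeSpan -Hours 1) `
    -QueryPeriod    (New-TimeSpan -Hours 1) `
    -TriggerOperator  GreaterThan `
    -TriggerThreshold 0 `
    -Enabled
```

TriggerThreshold 0 with GreaterThan means "fire when the query returns any row"; putting the count in TriggerThreshold instead would count users, not failures, and fire only when more than five different users had at least one failure. With frequency and period both one hour the windows are tumbling, so a burst of six failures that straddles the hour boundary can be split three and three and missed; a two-hour period with a one-hour frequency closes that gap at the cost of occasional duplicate alerts, which the rule's event grouping or an automation rule can deduplicate. Entity mapping (UserPrincipalName to the Account entity, SourceIPs to IP) is set in the portal or an ARM template and is what lets the incident page show the user's other activity.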

449
MCQmedium

A security team wants to monitor and proactively defend against cyber threats across their entire infrastructure, including Azure virtual machines, on-premises servers, and AWS workloads. They need a unified solution that provides endpoint detection and response (EDR), vulnerability management, and threat hunting capabilities. Which Microsoft security solution should they use?

A.Microsoft Defender for Cloud
B.Microsoft Defender for Endpoint
C.Microsoft Sentinel
D.Microsoft Defender for Cloud Apps
AnswerB

Defender for Endpoint is designed for EDR, vulnerability management, and threat hunting on endpoints including servers and cloud VMs, making it the right choice for unified threat defense across hybrid workloads.

Why this answer

Microsoft Defender for Endpoint (B) is the correct answer because it provides unified endpoint detection and response (EDR), vulnerability management, and threat hunting across heterogeneous environments, including Azure VMs, on-premises servers, and AWS workloads. It extends beyond Windows to support Linux and macOS endpoints, and can be onboarded via Microsoft Defender for Cloud for multi-cloud visibility, making it the single solution that meets all the stated requirements.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a CSPM/CWPP) with Microsoft Defender for Endpoint (an EDR), mistakenly thinking that Defender for Cloud alone provides endpoint-level detection and response, when in fact it relies on Defender for Endpoint for those capabilities.

How to eliminate wrong answers

Option A (Microsoft Defender for Cloud) is wrong because it is a cloud security posture management (CSPM) and cloud workload protection platform (CWPP) that focuses on securing cloud resources and workloads, but it does not provide native endpoint detection and response (EDR) or vulnerability management for endpoints; it relies on Defender for Endpoint for those capabilities. Option C (Microsoft Sentinel) is wrong because it is a cloud-native SIEM and SOAR solution that ingests logs and alerts for security information and event management, but it does not perform endpoint-level EDR, vulnerability scanning, or threat hunting directly on endpoints. Option D (Microsoft Defender for Cloud Apps) is wrong because it is a cloud access security broker (CASB) that focuses on shadow IT discovery, data loss prevention, and threat protection for SaaS applications, not endpoint detection and response or vulnerability management for servers and VMs.

450
MCQmedium

Your organization is using Microsoft Defender for Cloud to secure a multi-cloud environment including Azure and AWS. You need to identify misconfigurations that could lead to security breaches. Which feature should you use?

A.Cloud Security Posture Management (CSPM)
B.Cloud Workload Protection (CWP)
C.Regulatory compliance dashboard
D.Security score
AnswerA

CSPM identifies misconfigurations and provides recommendations to improve security posture.

Why this answer

Option A is correct because Defender for Cloud's cloud security posture management (CSPM) continuously assesses Azure, AWS, and GCP resources against the Microsoft cloud security benchmark and surfaces misconfigurations as actionable recommendations. Option B is wrong because cloud workload protection (the Defender plans) detects threats and runtime attacks against workloads, not configuration weaknesses. Option C is wrong because the regulatory compliance dashboard maps assessments to standards such as PCI DSS or ISO 27001 and reports compliance status; it consumes CSPM findings rather than being the feature that identifies misconfigurations. Option D is wrong because the security score summarizes unremediated recommendations as a single percentage; it is an output of CSPM, not the feature you use to find specific misconfigurations.
