CCNA Ms Security Capabilities Questions

75 of 470 questions · Page 2/7 · Ms Security Capabilities topic · Answers revealed

76
MCQ · hard

Refer to the exhibit. You are reviewing a Microsoft Purview Information Protection policy in JSON format. The policy defines two sensitivity labels. What is the key difference between the 'Confidential' label and the 'Highly Confidential' label?

A. Only the 'Confidential' label applies encryption
B. The 'Highly Confidential' label restricts edit rights
C. The 'Highly Confidential' label allows printing
D. The 'Confidential' label is a parent label
Answer: B

Correct: 'Highly Confidential' only allows VIEW, while 'Confidential' allows VIEW and EDIT.

Why this answer

The 'Confidential' label grants VIEW and EDIT rights, while 'Highly Confidential' grants only VIEW. Option B is correct. Option A is incorrect because both have encryption.

Option C is incorrect because 'Highly Confidential' grants only VIEW, so printing is not permitted. Option D is incorrect because the JSON does not mention parent labels or sublabels.

77
Multi-Select · medium

A security team uses Microsoft Defender XDR to respond to incidents. Which THREE components are part of Microsoft Defender XDR?

Select 3 answers
A. Microsoft Defender for Office 365
B. Microsoft Defender for Endpoint
C. Microsoft Sentinel
D. Microsoft Intune
E. Microsoft Defender for Identity
Answers: A, B, E

Correct: Part of XDR.

Why this answer

Defender for Endpoint, Office 365, and Identity are core components. Sentinel is separate, and Intune is MDM.

78
MCQ · medium

An organization uses Microsoft 365 Defender. The security team receives an alert about a potential malware outbreak on multiple endpoints, and they need an integrated view that correlates signals from various Microsoft security solutions. Which Microsoft 365 Defender portal component provides this unified view?

A. Microsoft Defender for Cloud
B. Microsoft 365 Defender portal (security.microsoft.com)
C. Azure Sentinel
D. Microsoft Defender for Identity
Answer: B

This portal provides a unified view of threats across endpoints, email, identities, and apps, with integrated incident response.

Why this answer

The Microsoft 365 Defender portal (security.microsoft.com) is the correct answer because it provides a unified view of alerts and incidents across Microsoft 365 Defender components, including Microsoft Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps. This integrated correlation enables security teams to see the full scope of a potential malware outbreak across multiple endpoints by combining signals from these solutions into a single incident timeline.

Exam trap

The trap here is that candidates often confuse the Microsoft 365 Defender portal with Azure Sentinel, mistakenly thinking a SIEM is required for correlation, whereas the Microsoft 365 Defender portal already provides built-in, cross-product correlation without needing a separate SIEM tool.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection platform (CWPP) focused on securing Azure, on-premises, and multi-cloud resources, not on providing a unified view of endpoint malware alerts from Microsoft 365 Defender. Option C is wrong because Azure Sentinel is a cloud-native SIEM and SOAR solution that ingests logs from various sources, but it is not the portal component that natively correlates signals from Microsoft 365 Defender solutions; that correlation happens within the Microsoft 365 Defender portal itself. Option D is wrong because Microsoft Defender for Identity is a specific component that protects on-premises Active Directory identities using behavioral analytics, but it does not provide the integrated, cross-solution view of alerts from multiple Microsoft security solutions.

79
MCQ · easy

Your organization wants to prevent users from installing unapproved apps on company-managed Windows devices. Which Microsoft Intune feature should you use?

A. App control policies
B. Device configuration profiles
C. Conditional Access
D. Device compliance policies
Answer: A

Correct: App control policies (e.g., Windows Defender Application Control) block unapproved apps.

Why this answer

Intune app protection policies (APP) protect data, but app control policies (e.g., Windows Defender Application Control) prevent unapproved apps. Option A is correct. Option C (Conditional Access) controls access, not app installation.

Option D (Device compliance policies) checks settings. Option B (Device configuration profiles) manages settings but does not control app installation.

80
MCQ · medium

A company has a hybrid environment with on-premises Active Directory. The security team wants to detect advanced attacks such as pass-the-hash, malicious Kerberos ticket activity, and abnormal service account behavior. They want alerts from the on-premises environment to be integrated into Microsoft Defender for Cloud for centralized monitoring. Which Microsoft security solution should they deploy on their domain controllers?

A. Microsoft Defender for Cloud (agentless)
B. Microsoft Defender for Identity
C. Microsoft Defender for Office 365
D. Microsoft Entra ID Protection
Answer: B

Defender for Identity installs sensors on domain controllers to monitor AD traffic and identify advanced attacks. It integrates alerts into Microsoft Defender for Cloud, providing unified visibility.

Why this answer

Microsoft Defender for Identity (MDI) is the correct solution because it is specifically designed to detect advanced on-premises Active Directory attacks like pass-the-hash, malicious Kerberos ticket activity (e.g., Golden Ticket, Silver Ticket), and abnormal service account behavior. It integrates directly with Microsoft Defender for Cloud to provide centralized monitoring and alerting, fulfilling the requirement for on-premises domain controller protection.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud (agentless) with Microsoft Defender for Identity, assuming the cloud-based solution can monitor on-premises AD attacks without understanding that MDI is the dedicated on-premises identity threat detection tool.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud (agentless) provides vulnerability assessment and security posture management for cloud workloads, but it does not natively detect on-premises AD attack patterns like pass-the-hash or Kerberos ticket abuse. Option C is wrong because Microsoft Defender for Office 365 protects email, SharePoint, and Teams from phishing and malware, not on-premises Active Directory or domain controller activities. Option D is wrong because Microsoft Entra ID Protection focuses on cloud-based identity risks (e.g., leaked credentials, risky sign-ins) for Azure AD, not on-premises AD domain controller behavior or Kerberos attacks.

81
MCQ · easy

Your organization, Northwind Traders, uses Microsoft Intune to manage Windows 10 devices. You have created a compliance policy that requires devices to have BitLocker enabled. After assigning the policy, you notice that some devices are reporting as non-compliant due to BitLocker not being enabled. You have verified that the devices support BitLocker and that the policy is correctly assigned. You need to ensure that BitLocker is enabled on these devices automatically. What should you do?

A. Modify the compliance policy to allow non-compliant devices
B. Create an endpoint protection configuration profile to enable BitLocker
C. Create a Windows update ring policy
D. Use a PowerShell script to enable BitLocker manually
Answer: B

Configuration profiles can automatically enable BitLocker on devices.

Why this answer

Option B is correct because a device configuration profile for endpoint protection can enable BitLocker automatically. Option A is wrong because the compliance policy only reports compliance; it does not remediate. Option C is wrong because Windows Update policies do not configure BitLocker.

Option D is wrong because scripts are not the standard method for BitLocker enabling via Intune.

82
Multi-Select · medium

Which TWO of the following are capabilities of Microsoft Defender for Cloud Apps? (Choose TWO.)

Select 2 answers
A. Session control
B. Vulnerability management
C. Threat intelligence
D. Cloud discovery
E. Information protection
Answers: A, D

Session control provides real-time monitoring and control of app sessions.

Why this answer

Microsoft Defender for Cloud Apps provides cloud discovery (identifying cloud apps in use), and session control (real-time monitoring and control of app sessions). Information protection is part of Microsoft Purview, not Defender for Cloud Apps. Vulnerability management is part of Defender for Endpoint.

Threat intelligence is from Microsoft Sentinel or Defender Threat Intelligence.

83
Multi-Select · medium

Which TWO capabilities are provided by Microsoft Defender for Cloud Apps? (Choose two.)

Select 2 answers
A. Mobile device management
B. Device compliance enforcement
C. Session controls for real-time monitoring of app usage
D. Email filtering and anti-phishing
E. Cloud app discovery to identify shadow IT
Answers: C, E

Session controls allow real-time monitoring and control of user activities in cloud apps.

Why this answer

Microsoft Defender for Cloud Apps provides cloud app discovery (shadow IT) and session controls for real-time monitoring. Option A is incorrect because device management is Intune. Option D is incorrect because email security is Defender for Office 365.

Option B is incorrect because device compliance is Intune and Conditional Access.

84
MCQ · medium

Your company uses Microsoft Defender for Identity to monitor on-premises Active Directory. You receive an alert about a potential lateral movement attack involving a service account. The alert indicates that the account was used to log in to multiple servers from a non-domain-joined machine. You need to investigate the alert and determine if the account is compromised. What should you do first?

A. Check if the account is a member of any privileged groups.
B. Immediately reset the service account password.
C. Review the account’s activity timeline in Microsoft Defender for Identity to see all logins and accessed resources.
D. Contact the user to verify if they performed the logins.
Answer: C

This helps determine if the activity is anomalous.

Why this answer

Option C is correct because reviewing the account’s recent activity in Microsoft Defender for Identity shows the timeline of events. Option B is wrong because resetting the password may lock out a legitimate user. Option A is wrong because checking group membership is not the immediate first step.

Option D is wrong because the alert is about lateral movement, not a user report.

85
MCQ · medium

An organization wants to protect its Azure PaaS services, such as Azure SQL Database and Azure Key Vault, by detecting and alerting on suspicious activities like SQL injection attempts or unusual access patterns. They also need to integrate these alerts into a central security information and event management (SIEM) system for further analysis. Which Microsoft security solution provides the threat detection capability described?

A. Microsoft Sentinel
B. Microsoft Defender for Cloud
C. Microsoft Defender for Endpoint
D. Microsoft Defender for Identity
Answer: B

Defender for Cloud offers unified security management and advanced threat protection for Azure PaaS services, including SQL, Key Vault, and storage, with built-in threat detection alerts.

Why this answer

Microsoft Defender for Cloud provides unified security management and advanced threat protection across hybrid cloud workloads, including Azure PaaS services like Azure SQL Database and Azure Key Vault. It detects suspicious activities such as SQL injection attempts and unusual access patterns using built-in behavioral analytics and integrates alerts into a central SIEM system via Azure Monitor or directly to Microsoft Sentinel.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel (a SIEM) with the threat detection capability itself, but Sentinel ingests alerts rather than generating them for PaaS services, making Defender for Cloud the correct answer for native threat detection.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a cloud-native SIEM and SOAR solution that ingests security data from various sources, but it does not natively detect threats within Azure PaaS services like SQL injection or unusual access patterns—it relies on other security solutions (e.g., Defender for Cloud) for such detections. Option C is wrong because Microsoft Defender for Endpoint is designed to protect endpoints (e.g., desktops, servers, mobile devices) from threats like malware and ransomware, not Azure PaaS services such as Azure SQL Database or Key Vault. Option D is wrong because Microsoft Defender for Identity focuses on detecting identity-based threats (e.g., lateral movement, privilege escalation) using on-premises Active Directory signals, not on monitoring Azure PaaS services for SQL injection or access anomalies.

86
Multi-Select · easy

Which TWO of the following are capabilities of Microsoft Defender for Cloud?

Select 2 answers
A. Enable just-in-time access to virtual machines
B. Centralize security event log analysis from multiple sources
C. Monitor domain controllers for malicious activity
D. Assess and improve the security posture of your cloud resources
E. Manage mobile devices and enforce compliance policies
Answers: A, D

Defender for Cloud includes just-in-time VM access.

Why this answer

Microsoft Defender for Cloud provides cloud security posture management (CSPM) and workload protection. Option D is correct because it offers CSPM via secure score. Option A is correct because it provides just-in-time VM access.

Option C is wrong because that is Microsoft Defender for Identity. Option B is wrong because that is Microsoft Sentinel. Option E is wrong because that is Microsoft Intune.

87
MCQ · hard

You are investigating an alert in Microsoft Defender XDR. Based on the exhibit, what is the primary detection source for this alert?

A. Microsoft Sentinel
B. Microsoft Defender for Endpoint
C. Microsoft Defender for Identity
D. Microsoft Defender for Cloud Apps
Answer: C

The detection source is explicitly stated.

Why this answer

The exhibit shows an alert from Microsoft Defender XDR with a detection source of 'Microsoft Defender for Identity'. Defender for Identity uses on-premises Active Directory signals and network traffic to detect identity-based threats like lateral movement, privilege escalation, and compromised credentials. The alert details indicate suspicious activity tied to an on-premises domain controller, which is the core focus of Defender for Identity.

Exam trap

The trap here is that candidates confuse Microsoft Defender XDR's unified alert interface with the underlying detection source, assuming that because the alert appears in the XDR portal, it must come from a more familiar product like Defender for Endpoint or Sentinel, rather than recognizing the identity-specific indicators (e.g., domain controller involvement, Kerberos anomalies) that point to Defender for Identity.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a SIEM/SOAR platform that ingests alerts from multiple sources but is not itself a primary detection source for this specific alert; the exhibit shows the detection source as Defender for Identity, not Sentinel. Option B is wrong because Microsoft Defender for Endpoint focuses on endpoint-level threats (malware, fileless attacks, EDR) and would show a detection source like 'Microsoft Defender for Endpoint' in the alert, not the identity-based source shown. Option D is wrong because Microsoft Defender for Cloud Apps is a CASB focused on cloud application usage and shadow IT, not on-premises Active Directory identity attacks; its detection source would be 'Microsoft Defender for Cloud Apps'.

88
MCQ · hard

A SOC analyst in Microsoft Sentinel needs to create a custom detection rule that triggers an incident when more than 10 failed logins occur from a single IP address within 5 minutes. Which rule type should they use?

A. Anomaly analytics rule
B. Near-real-time (NRT) analytics rule
C. Microsoft security analytics rule
D. Scheduled query analytics rule
Answer: D

Scheduled rules allow custom KQL with aggregation and threshold conditions.

Why this answer

Correct: Scheduled query rule allows custom KQL and a schedule. Option B: NRT rule runs in near real time but is limited. Option C: Microsoft security rule is for built-in detections.

Option A: Anomaly rule is for ML-based anomalies.

89
Multi-Select · easy

Which TWO Microsoft security solutions can be used to detect and respond to identity-based threats? (Choose two.)

Select 2 answers
A. Microsoft Defender for Cloud Apps
B. Microsoft Purview
C. Microsoft Defender for Identity
D. Microsoft Defender for Endpoint
E. Microsoft Entra ID Protection
Answers: C, E

Detects identity-based attacks.

Why this answer

Microsoft Defender for Identity (option C) is a cloud-based security solution that uses on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions. It specifically focuses on identity-based attacks such as pass-the-hash, Kerberos golden ticket, and brute-force attempts by analyzing network traffic and behavior.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud Apps (a CASB) with identity threat detection, but it is primarily for cloud app security, not on-premises identity attacks, while Microsoft Defender for Identity and Entra ID Protection are the two dedicated identity-focused solutions.

90
MCQ · medium

Your company uses Microsoft Defender for Endpoint. You need to investigate a potential malware outbreak on a specific device. Which feature should you use to get real-time visibility into running processes and network connections?

A. Threat analytics
B. Device inventory
C. Automated investigation
D. Live response
Answer: D

Live response provides a remote shell to collect real-time data.

Why this answer

Live response in Microsoft Defender for Endpoint allows security analysts to remotely connect to a device and run commands to collect forensic data. Option D is correct. Option B is wrong because device inventory is static.

Option A is wrong because threat analytics provides threat intelligence. Option C is wrong because automated investigation is for automatic response.

91
MCQ · medium

Your organization uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate email via the Outlook mobile app. Which policy type should you configure?

A. Device configuration policies
B. App protection policies
C. Device compliance policies
D. Conditional Access policies in Microsoft Entra ID
Answer: D

Conditional Access policies can require device compliance to grant access to cloud apps.

Why this answer

Option D is correct because Conditional Access policies in Microsoft Entra ID can enforce device compliance before granting access to cloud apps like Outlook. Option C is wrong because compliance policies define what compliance means but do not enforce access control. Option B is wrong because app protection policies (MAM) protect data within apps but do not require device compliance.

Option A is wrong because device configuration policies configure device settings, not access control.

92
MCQ · hard

A global enterprise has a hybrid environment that includes on-premises Active Directory, Azure resources, Amazon Web Services (AWS), and Google Cloud Platform (GCP). The security team needs a single solution to collect security logs from all these sources, detect threats using advanced analytics and threat intelligence, and automate incident response via playbooks. They already have Microsoft Defender for Cloud protecting their Azure workloads. Which Microsoft security solution should they add to meet these requirements?

A. Microsoft Sentinel
B. Microsoft Defender for Cloud
C. Microsoft Defender for Identity
D. Microsoft Cloud App Security
Answer: A

Microsoft Sentinel is a scalable, cloud-native SIEM and SOAR that can ingest logs from on-premises, Azure, AWS, GCP, and many other sources. It provides threat detection and automated response via playbooks, making it the correct solution for the described need.

Why this answer

Microsoft Sentinel is a cloud-native SIEM and SOAR solution that ingests logs from a wide range of sources, including on-premises, Azure, AWS, and GCP. It provides advanced analytics, threat detection, and automated response through playbooks. Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection solution; while it does collect some logs and can send alerts to Sentinel, it does not provide the full SIEM/SOAR capabilities needed for multi-cloud aggregation and automation beyond Azure.

Microsoft Defender for Identity focuses on on-premises AD threats but not multi-cloud. Microsoft Cloud App Security is a CASB for SaaS apps, not a SIEM for infrastructure logs.

93
MCQ · hard

A company uses a third-party SaaS CRM application. The security team needs to monitor user sessions in real-time when sales representatives access the CRM from personal, unmanaged devices. The goal is to prevent the download of sensitive customer data to local drives. The solution should block download actions and show a warning to the user. Which Microsoft security solution should the team deploy to enforce these session controls?

A. Microsoft Defender for Cloud Apps
B. Microsoft 365 Defender
C. Microsoft Sentinel
D. Microsoft Defender for Endpoint
Answer: A

Correct: Defender for Cloud Apps, with Conditional Access App Control, can monitor user sessions in real time and enforce granular controls like block download actions for unmanaged devices.

Why this answer

Microsoft Defender for Cloud Apps (MDCA) provides session-level controls via its Conditional Access App Control feature. This allows real-time monitoring and control of user sessions in third-party SaaS apps like CRM, enabling actions such as blocking downloads and displaying warnings based on device compliance (e.g., unmanaged devices). The solution integrates with Azure AD Conditional Access to enforce these policies at the session layer without modifying the underlying SaaS application.

Exam trap

The trap here is that candidates often confuse the broad detection and response capabilities of Microsoft 365 Defender or Defender for Endpoint with the specific session-level enforcement provided by Defender for Cloud Apps, which is the only solution that can intercept and control user actions inside a third-party SaaS application in real time.

How to eliminate wrong answers

Option B is wrong because Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that correlates signals across endpoints, identities, email, and apps, but it does not provide granular, real-time session-level controls for third-party SaaS applications. Option C is wrong because Microsoft Sentinel is a cloud-native SIEM/SOAR solution for security information and event management, not a tool for enforcing real-time session policies or blocking downloads in a SaaS app. Option D is wrong because Microsoft Defender for Endpoint focuses on endpoint detection and response (EDR) and device-level protection, not on controlling user sessions within a third-party SaaS CRM application.

94
MCQ · medium

Refer to the exhibit. An analyst runs a KQL query in Microsoft Sentinel. What is the primary purpose of this query?

A. To retrieve the most recent 10 malware alerts.
B. To find the single highest severity alert.
C. To count the total number of malware alerts in the last 24 hours.
D. To list all computers with malware alerts.
Answer: A

The query orders by time descending and takes 10.

Why this answer

The query filters alerts with AlertName 'Malware detected', projects the relevant columns, orders by time descending, and takes the top 10. This retrieves the 10 most recent malware alerts. Option C is wrong because the query does not count.

Option B is wrong because it retrieves multiple alerts, not just one. Option D is wrong because it does not aggregate by computer.

95
MCQ · medium

A company uses Microsoft 365 and is concerned about phishing attacks targeting employees. They want to deploy a solution that can automatically analyze email messages for malicious links and attachments, and also provide click-time protection by rewriting URLs. Which Microsoft 365 Defender component should they use?

A. Microsoft Defender for Endpoint
B. Microsoft Defender for Office 365
C. Microsoft Defender for Cloud Apps
D. Microsoft Defender for Identity
Answer: B

Defender for Office 365 includes Safe Links, Safe Attachments, and anti-phishing policies to protect email and collaboration tools.

Why this answer

Microsoft Defender for Office 365 (MDO) is the correct component because it is specifically designed to protect against email-borne threats such as phishing. It includes Safe Links and Safe Attachments features that automatically scan email messages for malicious links and attachments, and it rewrites URLs to provide click-time protection by checking the link against a dynamic threat intelligence feed at the moment of the click.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Office 365 with Microsoft Defender for Endpoint, mistakenly thinking endpoint protection includes email security, but MDO is the only solution that provides email-specific URL rewriting and attachment sandboxing.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint focuses on protecting endpoints (devices) from malware and advanced attacks, not on email-level phishing protection or URL rewriting. Option C is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that controls access to cloud applications and detects shadow IT, but it does not analyze email messages or rewrite URLs for phishing protection. Option D is wrong because Microsoft Defender for Identity monitors on-premises Active Directory signals to detect identity-based attacks like Kerberos abuse or lateral movement, not email phishing analysis or URL rewriting.

96
MCQ · medium

A company uses Microsoft Sentinel to centralize security logs. They want to correlate AWS CloudTrail logs with Azure AD sign-in logs. Which Microsoft Sentinel feature should they use?

A. Workbooks
B. Playbooks
C. Analytics rules
D. Hunting
Answer: C

Analytics rules can correlate events across data connectors.

Why this answer

Analytics rules in Sentinel can correlate data from multiple sources. Option C is correct. Option A (Workbooks) visualizes data.

Option B (Playbooks) automates responses. Option D (Hunting) is proactive threat search.

97
MCQ · hard

A company is designing a Microsoft 365 Defender incident response workflow. They want to automatically isolate a compromised device when a ransomware alert is triggered. Which Microsoft 365 component should be used to execute the automated response action?

A. Microsoft Defender for Endpoint
B. Microsoft Defender for Office 365
C. Microsoft Sentinel
D. Microsoft Purview
Answer: A

It includes AIR capabilities that can automatically isolate devices upon alert.

Why this answer

Microsoft Defender for Endpoint includes automated investigation and remediation (AIR) capabilities that can isolate a device from the network when a ransomware alert is triggered. This is the correct component because it provides endpoint detection and response (EDR) with built-in playbooks for automatic containment actions like device isolation.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel's SOAR capabilities (which can trigger isolation via playbooks) with the native automated response engine in Defender for Endpoint, but Sentinel is an orchestrator, not the component that directly executes the endpoint isolation action.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Office 365 protects email and collaboration tools (e.g., phishing, malware in attachments) but does not have the ability to isolate endpoints or execute device-level automated response actions. Option C is wrong because Microsoft Sentinel is a SIEM/SOAR platform that can orchestrate response actions via playbooks, but it is not the native component for directly isolating a device; it would typically trigger a Defender for Endpoint action via an API. Option D is wrong because Microsoft Purview focuses on data governance, compliance, and information protection (e.g., DLP, retention labels) and has no endpoint isolation capabilities.

98
MCQ · medium

Refer to the exhibit. An administrator runs the PowerShell command against Microsoft Defender for Endpoint. The output shows an alert with Severity 'High' and Status 'New'. What should the administrator do next to investigate the alert?

A. Change the severity to Medium to reduce false positives
B. Resolve the alert as a false positive
C. Create a Microsoft Sentinel analytics rule from the alert
D. Investigate the alert details in the Microsoft Defender XDR portal
Answer: D

The portal provides detailed information and actions.

Why this answer

Option D is correct because the administrator should investigate the alert in the Microsoft Defender XDR portal to understand the context and determine next steps. Option A is wrong because the severity is already High; adjusting it is not an investigation step. Option B is wrong because the alert is new and has not been investigated, so it should not be resolved yet.

Option C is wrong because the alert is already in Defender, so there is no need to create a Sentinel rule first.

99
Multi-Select · hard

Which THREE of the following are capabilities of Microsoft Sentinel? (Select THREE.)

Select 3 answers
A. Security information and event management (SIEM)
B. User and entity behavior analytics (UEBA)
C. Mobile device management
D. Security orchestration, automation, and response (SOAR)
E. Data loss prevention
Answers: A, B, D

Sentinel is a cloud-native SIEM.

Why this answer

Correct: SIEM (A), UEBA (B), and SOAR (D). Option C: Device management is Intune. Option E: DLP is Purview.

100
MCQ · easy

A company uses Microsoft Intune to manage devices. They want to ensure that only devices with a specific minimum operating system version can access corporate email. What should they configure?

A. Deploy an app protection policy for the email app
B. Create a device compliance policy specifying minimum OS version
C. Create a device configuration profile for OS settings
D. Configure a conditional access policy in Entra ID to block non-compliant devices
Answer: B

Compliance policies define OS requirements.

Why this answer

Option B is correct because compliance policies in Intune define rules for device compliance, including OS version. Option C is wrong because configuration policies set settings but don't enforce access. Option D is wrong because conditional access in Entra ID integrates with Intune compliance but does not itself define the OS requirement.

Option A is wrong because app protection policies manage app-level security.

101
MCQ · medium

Your organization is adopting Microsoft 365 Copilot for enterprise users. Which Microsoft Purview capability should you configure to prevent sensitive data from being inadvertently shared during Copilot interactions?

A. Customer Lockbox
B. Data Loss Prevention (DLP) policies
C. Sensitivity labels
D. eDiscovery
Answer: B

DLP can block sharing of sensitive data in Copilot.

Why this answer

Option B is correct because Microsoft Purview Data Loss Prevention (DLP) policies can be extended to cover Copilot interactions. Option C is wrong because sensitivity labels are for classification, while DLP is the enforcement mechanism. Option D is wrong because eDiscovery is for search and export, not prevention.

Option A is wrong because Customer Lockbox is for access control, not data loss prevention.

102
MCQeasy

Your organization uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate email. Which Microsoft Entra ID feature should you use?

A.Conditional Access
B.Privileged Identity Management
C.Self-Service Password Reset
D.Identity Protection
AnswerA

Conditional Access can require compliant devices.

Why this answer

Option A is correct because Conditional Access in Microsoft Entra ID can require a compliant device as a condition for access. Option D is wrong because Identity Protection handles risk, not device compliance. Option B is wrong because Privileged Identity Management manages privileged roles.

Option C is wrong because Self-Service Password Reset is for password reset.

103
MCQmedium

A company uses Exchange Online. The security team wants to protect users from malicious email attachments. They need a solution that detonates attachments in a sandbox environment to check for malware behavior before the email is delivered to the recipient. Which Microsoft Defender for Office 365 feature should they enable?

A.Safe Attachments
B.Safe Links
C.Anti-phishing
D.Anti-spam
AnswerA

Safe Attachments uses a sandbox to detonate attachments and detect malware before delivery.

Why this answer

Safe Attachments is the correct feature because it specifically detonates email attachments in a virtual sandbox environment before delivery, analyzing behavior for malicious activity. This matches the requirement to check attachments for malware behavior prior to inbox arrival, a capability unique to Safe Attachments within Defender for Office 365.

Exam trap

The trap here is that candidates confuse Safe Attachments (sandbox detonation of attachments) with Safe Links (URL scanning at click-time), as both are part of Defender for Office 365 but address different threat vectors.

How to eliminate wrong answers

Option B is wrong because Safe Links protects users by scanning URLs in emails and documents at time-of-click, not by detonating attachments in a sandbox. Option C is wrong because Anti-phishing policies protect against phishing attempts by analyzing sender reputation and impersonation, not by sandboxing attachments. Option D is wrong because Anti-spam policies filter unwanted bulk mail and spam based on message content and sender reputation, not by detonating attachments for malware behavior analysis.

104
MCQhard

Your organization uses Microsoft Defender for Cloud to protect Azure subscriptions. You need to enforce that all storage accounts must have encryption at rest enabled. You have enabled Azure Policy to audit this configuration. However, you notice that some storage accounts are non-compliant. You need to automatically remediate non-compliant storage accounts. What should you do?

A.Create a Microsoft Defender for Cloud recommendation to enable encryption.
B.Use the compliance dashboard to manually enable encryption on non-compliant accounts.
C.Add a 'deployIfNotExists' policy to automatically enable encryption on storage accounts.
D.Change the policy effect from 'audit' to 'deny' to prevent creation of non-compliant accounts.
AnswerC

This remediates non-compliant accounts automatically.

Why this answer

Option C is correct because a 'deployIfNotExists' policy assignment in Azure Policy can automatically remediate non-compliant storage accounts by enabling encryption at rest. This policy effect triggers a remediation task that deploys the required configuration (e.g., setting the 'Encryption' property to 'Enabled' on the storage account resource) without manual intervention. The audit policy only reports non-compliance, while deployIfNotExists actively enforces the desired state.

Exam trap

The trap here is that candidates confuse 'deny' (which only blocks future non-compliant resources) with 'deployIfNotExists' (which remediates existing resources), or assume Defender for Cloud recommendations can automatically fix non-compliance without additional policy configuration.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud recommendations are advisory and do not automatically remediate resources; they require manual approval or integration with Azure Policy for automation. Option B is wrong because manually enabling encryption via the compliance dashboard is not an automated solution and contradicts the requirement for automatic remediation. Option D is wrong because changing the policy effect to 'deny' only prevents creation or modification of non-compliant storage accounts in the future, but does not remediate existing non-compliant accounts.

105
MCQmedium

An organization wants to protect its fleet of Windows 10 laptops from advanced malware and ransomware. The solution must detect suspicious behavior (e.g., a process encrypting files) and provide security teams with the ability to isolate an infected device from the network for investigation. Which Microsoft security solution should they deploy?

A.Microsoft Defender for Cloud
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Cloud Apps
D.Microsoft Defender for Office 365
AnswerB

Defender for Endpoint provides next-generation protection, endpoint detection and response (EDR), and device isolation capabilities for device security.

Why this answer

Microsoft Defender for Endpoint (MDE) is the correct solution because it provides endpoint detection and response (EDR) capabilities, including behavioral-based detection of advanced malware and ransomware (e.g., detecting a process encrypting files via machine learning and behavioral analytics). It also includes automated investigation and remediation features, such as the ability to isolate an infected device from the network (device isolation) to prevent lateral movement while allowing security teams to investigate.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a cloud workload protection tool) with endpoint protection, or they assume Defender for Office 365 covers all devices, when in fact only Defender for Endpoint provides the specific behavioral detection and device isolation for Windows 10 laptops.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection platform (CWPP) for Azure, on-premises, and multi-cloud environments, not designed to protect Windows 10 laptops or provide endpoint isolation. Option C is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that focuses on securing cloud applications (e.g., SaaS apps) and detecting shadow IT, not on endpoint-level malware detection or device isolation. Option D is wrong because Microsoft Defender for Office 365 protects email and collaboration tools (e.g., Exchange Online, SharePoint) from threats like phishing and malicious attachments, but does not include endpoint behavioral detection or network isolation for laptops.

106
Multi-Selecteasy

Which TWO of the following are benefits of using Microsoft Entra ID Conditional Access? (Choose two.)

Select 2 answers
A.Allow users to reset their own passwords
B.Block access from locations that are not trusted
C.Automatically grant temporary admin access
D.Enforce multi-factor authentication based on user risk
E.Eliminate the need for passwords entirely
AnswersB, D

Conditional Access can block based on location.

Why this answer

Options B and D are correct. B: Conditional Access can block access from untrusted locations. D: It can require MFA based on conditions such as user risk.

Options A, C, and E are incorrect: A is a benefit of SSPR; C is a benefit of PIM; E is a benefit of passwordless authentication.

107
Multi-Selectmedium

Which TWO Microsoft Purview solutions can be used to protect sensitive data in Microsoft Teams chats and channels? (Choose two.)

Select 2 answers
A.Microsoft Purview Communication Compliance
B.Microsoft Purview Data Loss Prevention (DLP) policies
C.Microsoft Purview Sensitivity Labels
D.Microsoft Purview Information Barriers
E.Microsoft Purview Retention Policies
AnswersA, B

Communication Compliance can detect inappropriate sharing of sensitive information.

Why this answer

Options A and B are correct. Microsoft Purview Data Loss Prevention (DLP) policies can prevent sharing of sensitive data in Teams. Microsoft Purview Communication Compliance can detect policy violations in chats.

Option C is wrong because Sensitivity Labels are applied to files, not chats. Option E is wrong because Retention Policies manage data retention, not protection. Option D is wrong because Information Barriers restrict communication between groups but don't protect sensitive data per se.

108
MCQmedium

Your organization has Microsoft Sentinel deployed. The security operations team needs to automatically respond to a security incident by opening an incident in ServiceNow and sending a notification to a Teams channel. What should you configure?

A.An automation rule with a playbook
B.A workbook
C.An analytics rule
D.A watchlist
AnswerA

Automation rules can run playbooks that integrate with ServiceNow and Teams to respond to incidents automatically.

Why this answer

Option A is correct because automation rules in Microsoft Sentinel can trigger playbooks (based on Azure Logic Apps) that integrate with external systems like ServiceNow and Teams. Option C is wrong because analytics rules create alerts, not automated responses. Option B is wrong because workbooks provide visualizations, not automation.

Option D is wrong because watchlists are for correlation, not response.

109
Multi-Selecthard

Which TWO Microsoft Security Copilot capabilities can help security analysts during incident response?

Select 2 answers
A.Provide guided response steps
B.Generate incident summary reports
C.Provision user accounts
D.Configure firewall rules
E.Automatically block malicious emails
AnswersA, B

Copilot offers recommendations.

Why this answer

Microsoft Security Copilot is an AI-powered security analysis tool that integrates with Microsoft 365 Defender and Sentinel. It can provide guided response steps (option A) by suggesting playbook actions and remediation workflows based on the incident context, and it can generate incident summary reports (option B) by synthesizing data from alerts, entities, and investigations into a concise narrative. These capabilities directly assist analysts in understanding and responding to incidents more efficiently.

Exam trap

The trap here is that candidates may confuse Security Copilot's analytical and advisory capabilities with automated remediation actions (like blocking emails or configuring firewalls), which are handled by separate Microsoft security products such as Defender for Office 365 or Azure Firewall policies.

110
MCQmedium

A company uses Microsoft 365 E5 and is concerned about advanced phishing attacks that use adversary-in-the-middle (AiTM) techniques to steal session cookies and bypass multifactor authentication. Which Microsoft Defender for Office 365 feature should they configure to specifically protect against this type of attack?

A.Safe Attachments
B.Safe Links
C.Anti-Phishing (advanced policies)
D.Campaign Views
AnswerC

Advanced anti-phishing policies in Defender for Office 365 include protection against adversary-in-the-middle (AiTM) attacks through impersonation analysis, advanced thresholds, and real-time signal detection. This helps block phishing aimed at hijacking sessions.

Why this answer

Advanced anti-phishing policies in Defender for Office 365 include protection against adversary-in-the-middle (AiTM) attacks by using machine learning models and impersonation detection to analyze and block phishing attempts that aim to steal session cookies and bypass multifactor authentication. This feature specifically detects and mitigates sophisticated phishing techniques that traditional anti-spam or link-checking mechanisms might miss, such as real-time credential harvesting and session hijacking via proxy servers.

Exam trap

The trap here is that candidates often confuse Safe Links (which protects against malicious URLs) with the broader anti-phishing protection needed for AiTM attacks, not realizing that AiTM attacks exploit the authentication process itself rather than just the URL, requiring advanced impersonation and proxy detection capabilities found only in anti-phishing policies.

How to eliminate wrong answers

Option A is wrong because Safe Attachments protects against malware in email attachments by detonating them in a sandbox, but it does not address session cookie theft or AiTM phishing techniques. Option B is wrong because Safe Links provides time-of-click protection against malicious URLs, but it focuses on blocking known malicious links at the point of click, not on detecting the proxy-based credential and session cookie interception used in AiTM attacks. Option D is wrong because Campaign Views is a reporting and analysis tool that provides visibility into phishing campaigns after they have been detected, not a proactive protection feature that prevents AiTM attacks.

111
MCQeasy

Your organization uses Microsoft Defender for Endpoint. You need to investigate a potential malware outbreak on several endpoints. Which feature allows you to search for indicators of compromise (IOCs) across all endpoints?

A.Incidents and alerts
B.Advanced hunting
C.Threat analytics
D.Device inventory
AnswerB

Advanced hunting uses KQL to search for IOCs across endpoints in Defender for Endpoint.

Why this answer

Option B is correct because Advanced hunting in Microsoft Defender for Endpoint enables KQL queries to search for IOCs across endpoints. Option D is wrong because Device inventory shows device details, not search. Option C is wrong because the Threat analytics dashboard provides threat intelligence, not interactive search.

Option A is wrong because alerts are for incidents, not for searching IOCs.

112
Multi-Selecteasy

Which TWO capabilities are part of Microsoft Entra ID Protection? (Choose two.)

Select 2 answers
A.Passwordless authentication
B.Risk-based conditional access policies
C.Just-in-time privileged access
D.Reports on risky users and sign-ins
E.Conditional access policies for device compliance
AnswersB, D

ID Protection allows policies based on user risk level.

Why this answer

Options B and D are correct. Entra ID Protection includes risk-based policies and reporting for risky users. Option A is incorrect because passwordless authentication is a feature of Entra ID, but not specifically ID Protection.

Option C is incorrect because privileged identity management is Microsoft Entra Privileged Identity Management (PIM). Option E is incorrect because conditional access is a broader feature, but ID Protection provides risk-based conditional access.

113
MCQeasy

Your organization's security team wants to automatically investigate and respond to sophisticated email threats like business email compromise (BEC) without manual intervention. Which Microsoft 365 security solution should you use?

A.Microsoft Defender for Cloud Apps
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Identity
D.Microsoft Defender for Office 365
AnswerD

Defender for Office 365 provides automated investigation and response for email threats like BEC.

Why this answer

Option D is correct because Microsoft Defender for Office 365 includes automated investigation and response capabilities for email threats. Option C is wrong because Defender for Identity focuses on on-premises identity threats. Option B is wrong because Defender for Endpoint is for endpoint security.

Option A is wrong because Defender for Cloud Apps is for cloud app security.

114
Multi-Selectmedium

Which TWO of the following are capabilities of Microsoft Defender for Cloud Apps?

Select 2 answers
A.Information protection for files in Microsoft 365
B.Session controls to monitor and control app access in real time
C.Cloud discovery to identify shadow IT
D.Identity governance and access reviews
E.Vulnerability assessment for Azure virtual machines
AnswersB, C

Session controls are a key CASB feature.

Why this answer

Microsoft Defender for Cloud Apps provides session controls that leverage reverse proxy architecture to monitor and control user app access in real time, enabling conditional access policies for cloud apps. Cloud discovery uses traffic logs from network appliances or Windows endpoints to identify shadow IT by analyzing app usage and risk scores.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud Apps with Microsoft Defender for Cloud (formerly Azure Security Center) or Microsoft Purview, leading them to select options like vulnerability assessment or information protection that belong to other services.

115
MCQmedium

A company maintains an on-premises Active Directory environment with over 10,000 domain-joined computers. The security team is concerned about advanced attacks that use stolen credentials to move laterally, such as pass-the-hash attacks or DCSync attacks targeting domain controllers. They need a solution that monitors on-premises Active Directory traffic and event logs to detect these identity-based threats and provides alerts for investigation. Which Microsoft security solution should they deploy?

A.Microsoft Defender for Identity
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Cloud Apps
D.Microsoft Sentinel
AnswerA

Defender for Identity profiles network traffic and event logs from domain controllers to detect suspicious activities such as pass-the-hash and DCSync, providing alerts for security teams.

Why this answer

Microsoft Defender for Identity is the correct solution because it is specifically designed to monitor on-premises Active Directory traffic and event logs to detect advanced identity-based threats like pass-the-hash, pass-the-ticket, and DCSync attacks. It uses behavioral analytics and machine learning to identify suspicious activities, such as anomalous Kerberos ticket requests or replication attempts, and provides real-time alerts for investigation.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Identity with Microsoft Sentinel, assuming that a SIEM is always the best choice for threat detection, but Sentinel lacks the specialized Active Directory protocol-level analysis and behavioral models that Defender for Identity provides natively.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Endpoint focuses on endpoint devices (e.g., workstations, servers) for malware, file-less attacks, and vulnerability management, not on monitoring Active Directory traffic or detecting DCSync attacks. Option C is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that protects cloud applications (e.g., Office 365, AWS) and does not monitor on-premises Active Directory traffic or event logs. Option D is wrong because Microsoft Sentinel is a SIEM/SOAR solution that aggregates logs from multiple sources, but it is not a dedicated identity threat detection tool; while it can ingest AD logs, it lacks the specialized Active Directory protocol analysis and behavioral models that Defender for Identity provides out-of-the-box.

116
MCQhard

Your organization uses Microsoft Defender XDR (formerly Microsoft 365 Defender). A user reports receiving a suspicious email with a link. The email was not blocked by Exchange Online Protection (EOP). Which feature should you use to investigate the link's reputation in real time?

A.Exchange Online Protection (EOP) filtering
B.Anti-phish policy
C.Safe Attachments policy
D.Safe Links policy
AnswerD

Safe Links protects and allows investigation of URLs in emails.

Why this answer

Option D is correct because Safe Links in Defender for Office 365 provides real-time link protection and investigation. Option C is incorrect because Safe Attachments is for file attachments. Option B is incorrect because anti-phish policies handle phishing detection but not link investigation.

Option A is incorrect because EOP is the baseline filter, not a real-time link analysis tool.

117
MCQmedium

Your company uses Microsoft Purview to protect sensitive data in SharePoint Online. You need to automatically apply a 'Confidential' sensitivity label to documents containing credit card numbers. What should you create?

A.An auto-labeling policy
B.A Data Loss Prevention (DLP) policy
C.A retention policy
D.An eDiscovery case
AnswerA

Auto-labeling policies apply labels based on patterns.

Why this answer

Option A is correct because auto-labeling policies in Microsoft Purview can automatically apply labels based on sensitive info types. Option C is wrong because a retention policy is for retention, not labeling. Option B is wrong because a DLP policy can block or warn but not auto-label.

Option D is wrong because an eDiscovery case is for search and legal hold.

118
MCQhard

A security analyst wants to create a custom detection rule that tracks a specific multi-stage attack pattern: a user receives a phishing email, clicks a link, and then a script is executed on their device. The analyst needs to write a Kusto Query Language (KQL) query to detect this pattern and schedule it to run automatically, generating alerts. Which Microsoft 365 Defender capability should they use?

A.Advanced hunting
B.Custom detection rules
C.Automation
D.Threat analytics
AnswerB

Correct. Custom detection rules allow you to create a KQL query from advanced hunting and schedule it to run automatically, generating alerts for matching events.

Why this answer

Custom detection rules in Microsoft 365 Defender allow security analysts to write KQL queries that run on a schedule and automatically generate alerts when the query returns results. This capability is specifically designed to detect multi-stage attack patterns, such as the phishing email → link click → script execution chain described, by querying advanced hunting data and triggering incident creation.

Exam trap

The trap here is that candidates confuse Advanced hunting (a query tool) with Custom detection rules (a scheduled alerting engine), assuming that writing a KQL query in Advanced hunting alone is sufficient for automated detection, when in fact it requires the custom detection rule framework to run on a schedule and generate alerts.

How to eliminate wrong answers

Option A is wrong because Advanced hunting is an interactive query interface for exploring raw data, but it does not natively support scheduled execution or automatic alert generation; it requires manual execution or integration with custom detection rules. Option C is wrong because Automation in Microsoft 365 Defender refers to automated investigation and response (AIR) playbooks that react to alerts, not to the creation of custom detection queries or scheduled alert rules. Option D is wrong because Threat analytics provides curated threat intelligence reports and pre-built detections from Microsoft, but it does not allow users to write custom KQL queries or schedule their own detection logic.

119
MCQmedium

A security team wants to discover which cloud applications (such as Dropbox, Salesforce, or unsanctioned file-sharing apps) are being used by employees, even if those apps are not sanctioned by IT. They need to analyze usage patterns, risk levels, and identify potential shadow IT. Which feature of Microsoft Defender for Cloud Apps should they enable?

A.App Connectors (API connectors)
B.Cloud Discovery
C.Conditional Access App Control
D.Microsoft Defender for Endpoint
AnswerB

Cloud Discovery uses traffic logs to identify all cloud apps in use, providing a comprehensive view of shadow IT.

Why this answer

Cloud Discovery is the correct feature because it analyzes traffic logs from firewalls and proxies to identify cloud app usage, including unsanctioned apps like Dropbox or Salesforce, without requiring API integration. It provides risk scores, usage patterns, and shadow IT detection by comparing discovered apps against Microsoft's cloud app catalog of over 31,000 apps.

Exam trap

The trap here is that candidates often confuse Cloud Discovery (passive log analysis for unsanctioned apps) with App Connectors (active API integration for sanctioned apps), assuming both can discover shadow IT, but only Cloud Discovery identifies apps not already connected via API.

How to eliminate wrong answers

Option A is wrong because App Connectors (API connectors) require explicit admin consent and API access to sanctioned apps, so they cannot discover unsanctioned or unknown shadow IT apps. Option C is wrong because Conditional Access App Control enforces real-time access policies on sanctioned apps via reverse proxy, not discovery of unsanctioned apps. Option D is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution focused on malware, vulnerabilities, and device threats, not cloud app discovery.

120
MCQmedium

Your company uses Microsoft Defender for Cloud Apps to discover shadow IT. You have discovered a new cloud app that employees are using to store corporate data. The app is not sanctioned. You need to sanction the app but also ensure that users cannot upload sensitive data to it. You have configured a session policy to monitor the app. What additional step should you take?

A.Create a file policy in Microsoft Defender for Cloud Apps that detects sensitive data and blocks uploads.
B.Block the app entirely by adding it to the blocked list.
C.Configure a Conditional Access policy to require device compliance for the app.
D.Use the session policy to block all uploads to the app.
AnswerA

File policies can block uploads of sensitive data.

Why this answer

Option A is correct because you need to create a file policy in Defender for Cloud Apps to detect sensitive data and block its upload. Option B is wrong because blocking the app entirely is too restrictive when the goal is to sanction it.

Option D is wrong because blocking all uploads is too broad; the session policy as configured only monitors the app.

121
Multi-Selecteasy

Which TWO features are available in Microsoft Entra ID P2 licenses? (Choose two.)

Select 2 answers
A.Self-service password reset (SSPR)
B.Privileged Identity Management (PIM)
C.Multifactor authentication (MFA)
D.Identity Protection (risk-based policies)
E.Password hash synchronization
AnswersB, D

P2 feature for just-in-time access.

Why this answer

Options B and D are correct. P2 includes Identity Protection and Privileged Identity Management. Option C is wrong because MFA is not a P2-exclusive feature: it is available across tiers, and P2 adds risk-based MFA through Identity Protection.

The question asks for features available in P2, and Identity Protection and PIM are the key P2 features. Option E is wrong because password hash sync is free. Option A is wrong because self-service password reset is free or P1.

122
Multi-Selecteasy

Which THREE are capabilities of Microsoft Defender for Cloud?

Select 3 answers
A.Just-in-time (JIT) VM access
B.Vulnerability assessment for virtual machines
C.Cloud Security Posture Management (CSPM)
D.DDoS protection
E.SIEM and security orchestration
AnswersA, B, C

Reduces attack surface with managed access.

Why this answer

Just-in-time (JIT) VM access is a capability of Microsoft Defender for Cloud that reduces the attack surface by locking down inbound traffic to Azure VMs. It uses Network Security Group (NSG) rules to allow access only when requested by an authorized user, for a specified time window, and from a specific IP address. This prevents persistent open management ports like RDP (TCP 3389) or SSH (TCP 22) from being exposed to the internet.

Exam trap

The trap here is that candidates confuse the 'recommendations' or 'alerts' shown in Defender for Cloud (which may mention DDoS or SIEM integration) with Defender for Cloud's own native capabilities, leading them to incorrectly select D or E as direct features.

123
MCQeasy

A company wants to use Microsoft Entra ID (Azure AD) to enforce multi-factor authentication (MFA) for all users accessing sensitive applications. Which security feature should they implement?

A.Privileged Identity Management (PIM)
B.Conditional Access policies
C.Password Protection
D.Identity Protection policies
AnswerB

Conditional Access can require MFA for specific apps.

Why this answer

Option B is correct because Conditional Access policies allow administrators to require MFA based on conditions like application sensitivity. Option D is incorrect because Identity Protection detects risk rather than enforcing MFA. Option A is incorrect because Privileged Identity Management (PIM) manages access for privileged roles.

Option C is incorrect because Password Protection prevents weak passwords.

124
MCQmedium

A security operations team needs to protect Windows servers from ransomware and other advanced threats. They require a solution that provides endpoint detection and response (EDR), automated investigation, and the ability to isolate compromised machines from the network. Which Microsoft security solution should they deploy?

A.Microsoft Defender for Cloud
B.Microsoft Defender for Identity
C.Microsoft Defender for Office 365
D.Microsoft Defender for Endpoint
AnswerD

Defender for Endpoint delivers endpoint detection and response, automated investigation, and device isolation for Windows servers and clients.

Why this answer

Microsoft Defender for Endpoint (MDE) is the correct solution because it provides endpoint detection and response (EDR), automated investigation and remediation, and network isolation capabilities specifically for Windows servers and endpoints. These features directly address the requirement to protect against ransomware and advanced threats by detecting suspicious behavior, automatically investigating alerts, and allowing admins to isolate compromised machines from the network to prevent lateral movement.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a cloud security posture tool) with Microsoft Defender for Endpoint (an endpoint protection platform), especially since both names include 'Defender' and 'Cloud' can be misassociated with server workloads.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection platform (CWPP) for Azure, on-premises, and multi-cloud environments; it does not provide endpoint-level EDR or machine isolation for Windows servers. Option B is wrong because Microsoft Defender for Identity is an identity-based security solution that detects threats using Active Directory signals and behavioral analytics; it does not include endpoint detection, automated investigation, or network isolation for servers. Option C is wrong because Microsoft Defender for Office 365 protects against threats in email, SharePoint, OneDrive, and Teams; it does not provide EDR or isolation capabilities for Windows server endpoints.

125
MCQhard

Refer to the exhibit. You are reviewing an automation rule in Microsoft Sentinel. The JSON snippet shows a rule designed to create an incident when a high-severity alert is generated. However, the rule is not triggering. What is the most likely reason?

A.The logicAppResourceId is missing a required parameter.
B.The action should be of type 'Microsoft.SecurityInsights/AlertRule/Alert' instead.
C.Automation rules triggered on alert creation cannot create incidents; they can only run playbooks.
D.The trigger type is incorrect; it should be 'Microsoft.SecurityInsights/Incident'.
AnswerC

Alert-triggered automation rules can only run playbooks, not directly create incidents.

Why this answer

The JSON shows a trigger type 'Microsoft.SecurityInsights/AlertRule' which is used for automation rules that run on alert creation. However, the action type is 'Microsoft.SecurityInsights/AlertRule/Incident' which is intended to create an incident from an alert. The issue is that automation rules that trigger on alert creation cannot directly create incidents; they can only run playbooks.

To create an incident from an alert, you need to use an automation rule triggered on incident creation or use an analytics rule. Option C is correct. Option A is wrong because the resource ID is present.

Option B is wrong because the action syntax is correct. Option D is wrong because the trigger is on alert, not incident.

126
MCQhard

Your company uses Microsoft Defender for Cloud to secure multicloud workloads. You need to ensure that regulatory compliance frameworks (e.g., SOC 2, ISO 27001) are continuously assessed and any drift is reported. What should you implement?

A.Regulatory compliance standards in Microsoft Defender for Cloud
B.Microsoft Sentinel analytics rules
C.Azure Policy initiatives
D.Microsoft Defender for Cloud Apps session policies
AnswerA

Defender for Cloud includes built-in compliance standards that continuously assess resources against frameworks like SOC 2 and ISO 27001.

Why this answer

Option A is correct because regulatory compliance standards in Defender for Cloud provide continuous assessment against frameworks. Option B is wrong because Microsoft Sentinel analytics rules are for SIEM/SOAR detection, not compliance assessment. Option C is wrong because Azure Policy initiatives are used for policy enforcement, not assessment of compliance frameworks.

Option D is wrong because Defender for Cloud Apps focuses on cloud app security.

127
MCQhard

Refer to the exhibit. A security analyst is reviewing an alert from Microsoft 365 Defender. The alert is associated with an incident. What is the best first step to investigate this alert?

A.Open the associated incident to view all related alerts and entities.
B.Isolate the affected user's device immediately.
C.Mark the alert as resolved.
D.Run an automated simulation to test the alert.
AnswerA

Investigating the incident provides a holistic view of the attack.

Why this answer

The alert is tagged as 'Malware' and has an incident ID, indicating it is part of a larger incident. The best practice is to open the incident to see correlated alerts and entities. Option B is wrong because isolating the device before reviewing the incident ignores that context.

Option C is wrong because the alert is high severity; it should be marked as resolved later, after investigation. Option D is wrong because running a simulation on a live alert is not appropriate.

128
MCQeasy

A company wants to use Microsoft Sentinel to collect security logs from on-premises servers and send them to Azure. Which data connector should they use?

A.Azure Monitor Agent (AMA)
B.Syslog connector
C.Microsoft Monitoring Agent (MMA)
D.Office 365 connector
AnswerA

AMA is the current recommended agent for collecting logs from servers.

Why this answer

Azure Monitor Agent (AMA) is the recommended agent for collecting logs from Windows and Linux machines and sending them to Log Analytics workspaces for Sentinel. Option B is wrong because the Syslog connector is for Linux, and AMA also supports Syslog. Option C is wrong because MMA is legacy.

Option D is wrong because the Office 365 connector is for cloud services.

129
MCQmedium

A company uses Azure virtual machines and on-premises Windows servers. The security team wants a single solution that provides vulnerability assessment, a regulatory compliance dashboard (e.g., for ISO 27001), and integrated threat detection such as fileless malware and anomalous logins. Which Microsoft security solution should they use?

A.Microsoft Defender for Endpoint
B.Microsoft Defender for Cloud
C.Microsoft 365 Defender
D.Microsoft Sentinel
AnswerB

Defender for Cloud offers vulnerability assessment, compliance dashboards, and threat detection for Azure, on-premises, and multicloud workloads.

Why this answer

Microsoft Defender for Cloud (formerly Azure Security Center and Azure Defender) is the correct choice because it provides unified security management across Azure VMs and on-premises servers. It includes built-in vulnerability assessment (via Qualys or Microsoft Defender Vulnerability Management), a regulatory compliance dashboard with built-in standards like ISO 27001, and integrated threat detection for fileless malware, anomalous logins, and other advanced attacks. This single solution meets all the requirements listed in the question.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud with Microsoft 365 Defender, mistakenly thinking the latter covers all security workloads, but Microsoft 365 Defender is limited to Microsoft 365 services and does not manage Azure infrastructure or on-premises servers.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint focuses on endpoint detection and response (EDR) for devices, but it does not provide a regulatory compliance dashboard for standards like ISO 27001 or native vulnerability assessment across hybrid infrastructure. Option C is wrong because Microsoft 365 Defender is a suite that correlates signals from Microsoft 365 services (e.g., Defender for Endpoint, Defender for Office 365) and is not designed to manage security posture or compliance for Azure VMs and on-premises servers. Option D is wrong because Microsoft Sentinel is a cloud-native SIEM/SOAR solution for log collection and incident response, but it does not include built-in vulnerability assessment or a pre-configured regulatory compliance dashboard; those capabilities require additional integration and configuration.

130
MCQmedium

A company uses Microsoft 365 and needs to protect endpoints from ransomware attacks that encrypt files. The security team wants automated investigation and response capabilities for malware incidents on Windows devices. Which Microsoft security solution should they use?

A.Microsoft Defender for Office 365
B.Microsoft Defender for Cloud Apps
C.Microsoft Defender for Identity
D.Microsoft Defender for Endpoint
AnswerD

Defender for Endpoint provides endpoint protection, EDR, automated investigation, and response for devices, making it the correct choice.

Why this answer

Microsoft Defender for Endpoint (D) is the correct answer because it provides endpoint detection and response (EDR) capabilities, including automated investigation and remediation for malware incidents on Windows devices. It uses behavioral sensors, cloud analytics, and threat intelligence to detect ransomware encryption behavior and automatically contain or remediate affected endpoints, aligning with the requirement for automated response.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Office 365 (which protects email and collaboration) with endpoint protection, failing to recognize that automated investigation and response for Windows devices specifically requires an endpoint-focused solution like Microsoft Defender for Endpoint.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Office 365 protects email, SharePoint, and Teams from phishing and malware, not endpoints like Windows devices. Option B is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that governs cloud app usage and data, not endpoint-level ransomware protection. Option C is wrong because Microsoft Defender for Identity monitors on-premises Active Directory for identity-based attacks (e.g., Kerberos abuse), not file-encrypting ransomware on endpoints.

131
MCQhard

A company is implementing Microsoft Purview Information Protection. They want to automatically apply a 'Highly Confidential' sensitivity label to emails containing a specific credit card pattern. Which solution should they use?

A.Microsoft Sentinel
B.Microsoft Purview Data Loss Prevention
C.Microsoft Defender for Cloud Apps
D.Microsoft Purview Audit
AnswerB

DLP policies can automatically apply sensitivity labels based on sensitive data detection.

Why this answer

Microsoft Purview Data Loss Prevention policies include rules that can automatically apply sensitivity labels based on sensitive info types like credit card numbers. Option A is incorrect because Microsoft Sentinel is for SIEM/SOAR. Option C is incorrect because Microsoft Defender for Cloud Apps focuses on app access control.

Option D is incorrect because Microsoft Purview Audit only logs activities.

132
MCQhard

Refer to the exhibit. You run the PowerShell command to retrieve a conditional access policy's conditions. The output shows Applications: All, Users: All, and Locations: All trusted. You need to ensure that only trusted locations are used when accessing Microsoft 365. What change should you make?

A.Modify the Locations condition to include all trusted locations and exclude untrusted locations
B.Add a condition to block legacy authentication
C.Under Grant, require multi-factor authentication
D.Set sign-in frequency to 4 hours
AnswerA

This ensures access only from trusted locations.

Why this answer

Option A is correct. The exhibit shows the Locations condition set to 'All trusted', while the stem requires that only trusted locations can be used to access Microsoft 365, which means untrusted locations must be blocked. The way to achieve that is to modify the Locations condition so that trusted locations are included and untrusted locations are excluded. Option B is wrong because blocking legacy authentication doesn't affect locations.

Option C is wrong because grant controls are not about location. Option D is wrong because sign-in frequency doesn't control locations.

133
Multi-Selecteasy

Your organization uses Microsoft Purview to manage data sensitivity and compliance. Which TWO capabilities are provided by Microsoft Purview Information Protection?

Select 2 answers
A.Define retention labels to keep data for a specified period.
B.Detect and manage insider risk activities such as data theft by employees.
C.Enforce Data Loss Prevention (DLP) policies to prevent accidental sharing of sensitive data.
D.Create and publish sensitivity labels that can be applied to documents and emails.
E.Automatically classify data based on sensitive information types and machine learning models.
AnswersD, E

Sensitivity labels are a core capability of Information Protection.

Why this answer

Microsoft Purview Information Protection includes sensitivity labels and data classification. Data Loss Prevention (DLP) is a separate policy, and insider risk management is a different solution. Retention policies are part of Microsoft Purview Records Management.

134
MCQmedium

A company uses Microsoft Defender for Cloud Apps to secure its cloud applications. The security team wants to monitor and control data activities in a third-party cloud app (e.g., Box) in real time. Specifically, they need to block downloads of files that have a 'Confidential' sensitivity label when users access the app from unmanaged devices. Which capability of Microsoft Defender for Cloud Apps should they configure?

A.Cloud Discovery
B.App connector
C.Conditional Access App Control
D.Information protection
AnswerC

Correct. This feature provides session-level control to monitor and restrict data access in real time.

Why this answer

Conditional Access App Control (CAAC) is the correct capability because it enforces real-time session policies that can block downloads based on sensitivity labels and device compliance. By integrating with Microsoft Defender for Cloud Apps, CAAC intercepts user sessions to third-party apps like Box and applies granular controls, such as blocking file downloads when the device is unmanaged and the file carries a 'Confidential' label.

Exam trap

The trap here is confusing API-based app connectors (which control data at rest) with reverse proxy-based Conditional Access App Control (which controls data in motion during user sessions).

How to eliminate wrong answers

Option A is wrong because Cloud Discovery is used to identify shadow IT and assess the risk of cloud apps in the environment, not to enforce real-time data control policies. Option B is wrong because an App connector enables API-based monitoring and control of data at rest (e.g., file quarantine or governance actions), but it cannot block downloads in real time during a user session. Option D is wrong because Information protection refers to Microsoft Purview's sensitivity labels and encryption, which define the classification but do not themselves enforce session-level access controls like blocking downloads from unmanaged devices.

135
MCQeasy

Your organization uses Microsoft Purview to govern data in Azure Data Lake Storage. You need to create a data classification policy that automatically tags files containing personally identifiable information (PII) such as social security numbers. Which scanning solution should you use?

A.Microsoft Purview Information Protection
B.Microsoft Purview Data Loss Prevention (DLP)
C.Microsoft Purview Audit
D.Microsoft Purview Data Map scanning
AnswerD

Data Map scans data sources and applies classification rules.

Why this answer

Option D is correct because Microsoft Purview Data Map scans and classifies data sources. Option A is wrong because Information Protection focuses on labels and encryption. Option B is wrong because Data Loss Prevention (DLP) is for data protection, not classification.

Option C is wrong because Audit logs record activities; they do not scan data.

136
MCQhard

A company runs Windows Server virtual machines (VMs) on-premises and in Azure. The security team wants a unified view of missing security updates and known vulnerabilities (CVEs) across all VMs. They want to enable agentless scanning for Azure VMs and deploy a lightweight agent for on-premises machines. The results should be consolidated in a single dashboard with prioritized remediation recommendations. Which Microsoft security solution should they use?

A.Microsoft Defender for Cloud
B.Microsoft Defender for Endpoint
C.Microsoft Sentinel
D.Microsoft Defender for Identity
AnswerA

Defender for Cloud includes vulnerability assessment capabilities that cover VMs in Azure and on-premises (via Azure Arc). It provides a single dashboard showing missing patches and CVEs with actionable recommendations, and supports both agentless and agent-based scanning.

Why this answer

Microsoft Defender for Cloud provides unified visibility into security vulnerabilities and missing updates across hybrid workloads, including on-premises and Azure VMs. It supports agentless scanning for Azure VMs (using the cloud-based scanner) and allows deployment of the Azure Monitor Agent (or legacy Log Analytics agent) for on-premises machines, consolidating findings in a single dashboard with prioritized remediation recommendations based on the Secure Score and integrated vulnerability assessment (e.g., Qualys or Microsoft Defender Vulnerability Management).

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a cloud security posture management and workload protection solution) with Microsoft Defender for Endpoint (an endpoint detection and response tool), assuming both provide identical vulnerability scanning capabilities, but only Defender for Cloud offers agentless scanning for Azure VMs and a unified hybrid dashboard for missing updates and CVEs.

How to eliminate wrong answers

Option B (Microsoft Defender for Endpoint) is wrong because it focuses on endpoint detection and response (EDR) for devices, including vulnerability management, but it does not natively provide agentless scanning for Azure VMs or a unified hybrid dashboard for missing updates and CVEs across both on-premises and Azure VMs in the way Defender for Cloud does. Option C (Microsoft Sentinel) is wrong because it is a SIEM/SOAR solution for security information and event management, not a vulnerability assessment or update management tool; it can ingest vulnerability data but does not perform agentless scanning or provide prioritized remediation recommendations natively. Option D (Microsoft Defender for Identity) is wrong because it is designed to detect and investigate on-premises Active Directory threats using signals from domain controllers, not to scan VMs for missing security updates or CVEs.

137
MCQhard

You are troubleshooting a Conditional Access policy in Microsoft Entra ID. The policy in the exhibit is not blocking some sign-ins that you expected to block. What is the most likely reason?

A.The policy only blocks based on user risk, not sign-in risk
B.The policy is not assigned to any users
C.The grant control is set to allow access
D.The policy excludes certain users
AnswerA

The conditions only include userRiskLevels, not signInRiskLevels.

Why this answer

Option A is correct because the policy only blocks based on user risk level 'high', not sign-in risk. Sign-ins with high sign-in risk but low user risk are not blocked. Option B is wrong because the snippet does not show a missing user assignment.

Option C is wrong because the policy does block. Option D is wrong because there is no exclude clause.

138
Multi-Selecthard

A company has deployed Microsoft 365 Defender to unify threat detection and response. Which two components are included within the Microsoft 365 Defender integrated solution? (Select all that apply.)

Select 2 answers
A.Microsoft Defender for Endpoint
B.Microsoft Defender for Cloud
C.Microsoft Defender for Office 365
D.Microsoft Sentinel
AnswersA, C

Defender for Endpoint is a core component of Microsoft 365 Defender, providing endpoint security and threat detection.

Why this answer

Microsoft 365 Defender is an integrated threat protection suite that unifies detection and response across an organization's Microsoft 365 environment. It includes Microsoft Defender for Endpoint, which provides endpoint detection and response (EDR) capabilities for devices, and Microsoft Defender for Office 365, which protects against email, phishing, and collaboration threats. These two components work together within the Microsoft 365 Defender portal to correlate alerts and automate response across endpoints and Office 365 workloads.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a cloud security solution) with Microsoft Defender for Cloud Apps (a CASB component of Microsoft 365 Defender), leading them to incorrectly select Defender for Cloud as part of the integrated solution.

139
MCQeasy

A company wants to use Microsoft Intune to enforce that mobile devices have a PIN of at least 6 characters to access corporate resources. What should they configure?

A.Device compliance policy
B.Conditional access policy
C.App protection policy
D.Device configuration profile
AnswerA

Defines compliance rules like PIN length.

Why this answer

A device compliance policy in Microsoft Intune defines the rules that devices must meet to be considered compliant, such as requiring a PIN of at least 6 characters. When a device is marked non-compliant, Conditional Access can block access to corporate resources. This is the correct mechanism to enforce the PIN requirement at the device level before granting access.

Exam trap

The trap here is confusing the enforcement of device settings (Device Compliance Policy) with the configuration of settings (Device Configuration Profile) or app-level protection (App Protection Policy), leading candidates to select D or C instead of A.

How to eliminate wrong answers

Option B is wrong because Conditional Access policies evaluate signals (like device compliance) to allow or block access, but they do not directly enforce device settings like PIN length; they rely on compliance policies to report that status. Option C is wrong because App Protection Policies (MAM) manage data protection within apps (e.g., copy/paste, encryption) and can require a PIN for app access, but they apply to apps on unmanaged devices and do not enforce device-level PIN requirements for all corporate resource access. Option D is wrong because Device Configuration Profiles push settings (e.g., Wi-Fi, VPN, email) to devices but do not enforce compliance or block access; they are for configuration, not conditional access enforcement.

140
MCQhard

Your organization is implementing Microsoft Purview Data Loss Prevention (DLP). You need to prevent users from sharing sensitive credit card numbers via email. The DLP policy must trigger automatically when a user attempts to send an email containing a credit card number. Which DLP configuration should you use?

A.Create a DLP policy with a condition that matches the Credit Card Number sensitive info type and an action to block the email
B.Configure Double Key Encryption for the Exchange Online mailbox
C.Configure a Safe Links policy in Microsoft Defender for Office 365
D.Use Microsoft Purview Customer Key for encryption
AnswerA

This is the correct DLP configuration to block emails with credit card numbers.

Why this answer

Option A is correct because a DLP policy with a rule that uses a sensitive info type (Credit Card Number) and an action to block the email is the standard approach. Option B is wrong because Double Key Encryption is for protecting data with two keys, not for blocking sharing. Option C is wrong because Microsoft Defender for Office 365 is for anti-phishing and malware, not DLP.

Option D is wrong because Customer Key is for encryption, not DLP.

141
MCQhard

Your organization is implementing Microsoft Defender for Office 365 to protect against phishing attacks. You need to ensure that when a user clicks a malicious link in an email, the user is warned and the action is blocked. Which policy should you configure?

A.Safe Attachments policy
B.Safe Links policy
C.Anti-spam policy
D.Anti-phishing policy
AnswerB

Safe Links provides time-of-click protection, blocking and warning users when they click malicious links.

Why this answer

Option B is correct because Safe Links in Defender for Office 365 provides real-time time-of-click protection against malicious links. Option A is wrong because Safe Attachments scans attachments, not links. Option C is wrong because anti-spam policies filter spam, not malicious links.

Option D is wrong because anti-phishing policies protect against spoofing and impersonation but do not block links at click time.

142
MCQmedium

A company uses Microsoft Sentinel for security information and event management (SIEM). The security team needs to detect and automatically respond to a potential privilege escalation attack where an attacker attempts to add a new user to the Global Administrator role in Microsoft Entra ID. What should the security team configure?

A.Deploy a device compliance policy in Microsoft Intune
B.Configure a data classification label in Microsoft Purview
C.Create a policy in Microsoft Defender for Cloud Apps
D.Create an analytics rule with an automated playbook in Microsoft Sentinel
AnswerD

Sentinel can detect the event and trigger a playbook for automated response.

Why this answer

Option D is correct because Microsoft Sentinel analytics rules can detect the event and trigger an automated response using playbooks. Option A is wrong because Microsoft Intune manages devices, not identity roles. Option B is wrong because Microsoft Purview is for data governance.

Option C is wrong because Microsoft Defender for Cloud Apps handles cloud app security, not Entra ID role changes.

143
MCQmedium

A company uses Microsoft Defender for Cloud Apps to monitor SaaS app usage. The security team wants to receive an alert when a user downloads more than 10 files from SharePoint Online within 5 minutes. Which type of policy should they create?

A.Session policy
B.Anomaly detection policy
C.OAuth app policy
D.File policy
AnswerB

Anomaly detection policies identify unusual user behavior, such as mass downloads, based on learned baselines.

Why this answer

Anomaly detection policies use machine learning to detect unusual user behavior based on historical baselines, such as mass file downloads. Activity policies are rule-based but require explicit thresholds; however, the scenario describes behavior that is best detected by an anomaly detection policy because it adapts to typical usage patterns. Option A is wrong because session policies control real-time access.

Option C is wrong because OAuth app policies govern app permissions. Option D is wrong because file policies apply to specific files or metadata.

144
MCQmedium

Your company uses Microsoft Sentinel to centralize security event monitoring. You need to create a custom analytics rule that triggers an alert when a user account is created outside of business hours. Which rule type should you use?

A.Microsoft Security incident creation rule
B.Anomaly analytics rule
C.Near-real-time (NRT) analytics rule
D.Scheduled query analytics rule
AnswerD

Scheduled query rules allow custom KQL queries to detect specific events.

Why this answer

Option D is correct because scheduled query rules run on a schedule and can detect patterns like account creation outside business hours. Option A is wrong because Microsoft Security incident creation rules create incidents from other alerts. Option B is wrong because Anomaly rules use ML for behavioral anomalies, not specific conditions.

Option C is wrong because NRT rules are for near-real-time detection but are limited in logic.

145
MCQhard

An organization uses Microsoft Entra ID for identity management. They want to implement a risk-based conditional access policy that requires multi-factor authentication (MFA) when sign-in risk is medium or high. Which policy settings should they configure?

A.Assign 'User risk' condition to 'Medium and above' and grant 'Require MFA'
B.Assign 'Device compliance' condition to 'Compliant' and grant 'Require MFA'
C.Assign 'Location' condition to 'All trusted locations' and grant 'Require MFA'
D.Assign 'Sign-in risk' condition to 'Medium and above' and grant 'Require MFA'
AnswerD

Sign-in risk directly addresses suspicious sign-in patterns.

Why this answer

Option D is correct because the scenario explicitly requires a risk-based conditional access policy that triggers MFA based on sign-in risk level. In Microsoft Entra ID, the 'Sign-in risk' condition evaluates the likelihood that the authentication attempt is not legitimate, using signals such as anonymous IP addresses, atypical travel, or malware-linked IPs. By setting this condition to 'Medium and above' and granting 'Require MFA', the policy enforces MFA only when the sign-in risk is assessed as medium or high, directly matching the requirement.

Exam trap

The trap here is confusing 'User risk' (which targets compromised user accounts) with 'Sign-in risk' (which targets suspicious authentication attempts), leading candidates to incorrectly select Option A when the question specifically asks about sign-in risk.

How to eliminate wrong answers

Option A is wrong because 'User risk' condition evaluates the risk level of the user account (e.g., leaked credentials, suspicious activity), not the risk of the current sign-in session; this would address compromised accounts rather than risky sign-ins. Option B is wrong because 'Device compliance' condition checks whether the device meets compliance policies (e.g., BitLocker enabled, OS updates), which is unrelated to sign-in risk; this would enforce MFA based on device health, not risk level. Option C is wrong because 'Location' condition with 'All trusted locations' would typically exclude trusted locations from requiring MFA, or apply MFA only from untrusted locations, which does not align with a risk-based approach based on sign-in risk signals.

146
Multi-Selectmedium

Your organization is deploying Microsoft Purview. You need to automatically apply a sensitivity label to documents that contain passport numbers. Which TWO components must you configure?

Select 2 answers
A.Sensitive information type for passport numbers
B.Retention label
C.Data loss prevention (DLP) policy
D.Auto-labeling policy
E.Trainable classifier
AnswersA, D

Sensitive information types define the pattern to detect passport numbers.

Why this answer

Options A and D are correct. Sensitive information types (A) define the pattern for passport numbers, and auto-labeling policies (D) apply the label automatically. Option B is wrong because retention labels manage retention, not sensitivity.

Option C is wrong because DLP policies prevent data loss but do not apply labels. Option E is wrong because trainable classifiers are for machine learning-based classification, not for simple pattern matching like passport numbers.

147
MCQmedium

An organization runs workloads in Azure, an on-premises data center, and multiple third-party cloud environments. The security team needs a single, cloud-native solution that provides a unified view of the security posture across all these environments, along with a secure score and actionable recommendations. They also want to protect these workloads with advanced threat detection. Which Microsoft security solution should they implement?

A.Microsoft Sentinel
B.Microsoft Defender for Cloud
C.Microsoft 365 Defender
D.Microsoft Defender for Endpoint
AnswerB

Microsoft Defender for Cloud provides cloud security posture management (CSPM) and cloud workload protection (CWP) across hybrid and multi-cloud environments. It delivers a secure score, actionable recommendations, and advanced threat detection for servers, containers, databases, and more.

Why this answer

Microsoft Defender for Cloud is the correct choice because it provides a unified cloud-native security posture management (CSPM) solution that covers Azure, on-premises, and multi-cloud environments (including AWS and GCP). It delivers a secure score based on security controls and actionable recommendations via Azure Policy, and includes advanced threat detection (e.g., fileless attack detection, network anomaly detection) for workloads across these environments.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel (a SIEM) with a CSPM tool, but Sentinel does not provide a secure score or native multi-cloud posture recommendations; Defender for Cloud is the dedicated CSPM and workload protection solution.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a cloud-native SIEM/SOAR solution focused on log ingestion, threat hunting, and incident response, not a unified security posture management tool with a secure score and CSPM recommendations. Option C is wrong because Microsoft 365 Defender is a suite for protecting Microsoft 365 services (Exchange, SharePoint, Teams) and endpoints, not designed for multi-cloud workload security posture or cross-environment secure score. Option D is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution for devices (Windows, macOS, Linux), not a multi-cloud workload protection platform with CSPM capabilities.

148
MCQhard

A security team monitors user activities in third-party cloud apps like Box and Dropbox. They want to automatically detect when a user performs an anomalous file download after signing in from an unusual location, and then suspend the user's account and initiate an investigation. Which Microsoft security solution should they use?

A.Microsoft Defender for Office 365
B.Microsoft Defender for Cloud Apps
C.Microsoft Defender for Identity
D.Microsoft Defender for Endpoint
AnswerB

Defender for Cloud Apps is designed to secure cloud apps (e.g., Box, Dropbox) with anomaly detection and automated actions such as user suspension.

Why this answer

Microsoft Defender for Cloud Apps (MDCA) is the correct solution because it provides Cloud Access Security Broker (CASB) functionality, including anomaly detection for user activities across third-party cloud apps like Box and Dropbox. It can automatically detect anomalous file downloads after unusual sign-in locations using behavioral analytics and then trigger automated actions such as suspending the user account and initiating an investigation via integration with Microsoft 365 Defender.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud Apps with Microsoft Defender for Identity, thinking both handle user behavior, but MDCA focuses on cloud app usage while MDI focuses on on-premises identity attacks.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Office 365 focuses on protecting email and collaboration tools (Exchange Online, SharePoint, Teams) from threats like phishing and malware, not on monitoring user activities in third-party cloud apps like Box or Dropbox. Option C is wrong because Microsoft Defender for Identity is designed to detect on-premises Active Directory attacks (e.g., Kerberos abuse, lateral movement) using domain controller traffic, not user behavior in SaaS apps. Option D is wrong because Microsoft Defender for Endpoint protects endpoints (Windows, macOS, Linux) from malware and advanced attacks, not user activities in cloud apps.
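The detection half of the scenario, as an added Advanced Hunting example over the CloudAppEvents table that Defender for Cloud Apps feeds (not part of the original page and not the built-in anomaly detection policy itself): it baselines the countries each user has been active from over 30 days, then surfaces downloads in Box or Dropbox during the last day from a country not in that baseline. The application names, the `ActionType has "Download"` match, and the window sizes are assumptions; the automated response (suspend the user, open an investigation) is still configured as a governance action on the anomaly detection policy in the Defender for Cloud Apps portal.

```kql
// Added example: file downloads in third-party cloud apps from a country the user
// has not been seen in before. Assumptions: app names "Box"/"Dropbox" as shown in
// CloudAppEvents.Application, and download activities whose ActionType contains "Download".
let baselineWindow = 30d;
let recentWindow = 1d;
// Countries each account has been active from during the baseline period.
let knownCountries = CloudAppEvents
    | where Timestamp between (ago(baselineWindow) .. ago(recentWindow))
    | where isnotempty(CountryCode)
    | summarize KnownCountries = make_set(CountryCode) by AccountObjectId;
// Recent downloads from connected apps, kept only when the country is new for that account.
CloudAppEvents
| where Timestamp > ago(recentWindow)
| where Application in~ ("Box", "Dropbox")
| where ActionType has "Download"
| where isnotempty(CountryCode)
| join kind=leftouter knownCountries on AccountObjectId
| where isempty(KnownCountries) or not(set_has_element(KnownCountries, CountryCode))
| summarize FirstDownload = min(Timestamp), DownloadCount = count(),
            Files = dcount(ObjectName), SourceIPs = make_set(IPAddress)
          by AccountObjectId, AccountDisplayName, Application, CountryCode
| where DownloadCount >= 5   // assumed threshold; tune to the tenant's normal volume
| order by DownloadCount desc
```

Saved as a custom detection rule, this query can raise an incident in Microsoft 365 Defender; the account suspension itself still comes from the Defender for Cloud Apps policy, which is why the question's answer is MDCA rather than the hunting console.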

149
MCQmedium

A security analyst needs to investigate a phishing campaign that targeted multiple users. They want to correlate email threat data with user actions and device signals. Which Microsoft security solution should they use as the primary investigation console?

A.Microsoft Defender for Endpoint
B.Microsoft Defender for Office 365
C.Microsoft 365 Defender
D.Microsoft Sentinel
AnswerC

It provides cross-domain incident correlation and investigation across email, endpoints, identities, and cloud apps.

Why this answer

Microsoft 365 Defender provides a unified investigation experience across email, endpoints, identities, and cloud apps: an incident groups the alerts from each workload, and Advanced Hunting lets the analyst join email, click, and device telemetry in one query. Option A is wrong because Microsoft Defender for Endpoint covers endpoint threats only. Option B is wrong because Microsoft Defender for Office 365 covers email and collaboration content only and has no device signals.

Option D is wrong because Microsoft Sentinel is a SIEM that can ingest Defender data but is not the primary console for Defender incident investigation.
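The correlation the question describes, as an added Advanced Hunting example (not part of the original page): starting from a sender domain seen in the campaign, it walks from delivered messages to the URLs they carried, to the users who clicked them, and finally to device-side connections made by the same user to the same URL. The sender domain `badsender.example` and the 7-day window are constructed placeholders; the tables and columns (EmailEvents, EmailUrlInfo, UrlClickEvents, DeviceNetworkEvents) are the standard Microsoft 365 Defender Advanced Hunting schema.

```kql
// Added example: phishing campaign triage across email, click and device telemetry.
// Assumption: "badsender.example" is a placeholder for the campaign's sender domain.
let campaignSender = "badsender.example";
let lookback = 7d;
// Messages from the campaign, with where they were delivered (inbox, junk, quarantine).
let campaignMail = EmailEvents
    | where Timestamp > ago(lookback)
    | where SenderFromDomain =~ campaignSender
    | project NetworkMessageId, RecipientEmailAddress, Subject, DeliveryAction,
              DeliveryLocation, ThreatTypes, EmailTime = Timestamp;
// URLs embedded in those messages.
let campaignUrls = EmailUrlInfo
    | where Timestamp > ago(lookback)
    | join kind=inner campaignMail on NetworkMessageId
    | project NetworkMessageId, Url, RecipientEmailAddress;
// Users who actually clicked (Safe Links telemetry), including clicks that were blocked.
let clicks = UrlClickEvents
    | where Timestamp > ago(lookback)
    | join kind=inner campaignUrls on Url
    | project ClickTime = Timestamp, AccountUpn, Url, ClickAction = ActionType, NetworkMessageId;
// Device-side network connections to the clicked URL, made by the same user that clicked.
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where isnotempty(RemoteUrl)
| join kind=inner clicks on $left.RemoteUrl == $right.Url
| where InitiatingProcessAccountUpn =~ AccountUpn
| summarize FirstConnection = min(Timestamp), Connections = count(),
            Processes = make_set(InitiatingProcessFileName)
          by AccountUpn, DeviceName, RemoteUrl, ClickAction, NetworkMessageId
// Pull the message subject and delivery verdict back in for the analyst.
| join kind=leftouter (campaignMail | project NetworkMessageId, Subject, DeliveryAction) on NetworkMessageId
| project-away NetworkMessageId1
| order by FirstConnection asc
```

Rows that show a device connection after a click marked as blocked by Safe Links are the ones worth escalating first: the user reached the site by some path Safe Links did not mediate. Because Safe Links rewrites URLs, `RemoteUrl` holds the final destination; if the device shows only the rewritten wrapper host, compare on `UrlDomain` from EmailUrlInfo instead.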

150
MCQeasy

Your company wants to use Microsoft Purview to classify and protect sensitive data in Microsoft 365. The compliance team needs to automatically detect credit card numbers in emails and apply a label that encrypts the email. What should they configure?

A.A trainable classifier for credit card numbers
B.A retention label for credit card information
C.A data loss prevention (DLP) policy
D.A sensitivity label with auto-labeling for sensitive information types
AnswerD

Auto-labeling can apply encryption based on sensitive data detection.

Why this answer

Sensitivity labels with auto-labeling can detect a sensitive information type (here, the built-in Credit Card Number type) in email and apply a label whose settings encrypt the message automatically. Option B is incorrect because retention labels govern how long content is kept and deleted, not protection. Option C is incorrect because DLP policies detect, warn, and block sharing but do not apply a sensitivity label or encryption.

Option A is incorrect because trainable classifiers identify content by example (for instance, contracts or resumes); credit card numbers are already covered by a built-in sensitive information type, and the classifier alone applies no label.
