CCNA Ms Security Capabilities Questions

75 of 470 questions · Page 3/7 · Ms Security Capabilities topic · Answers revealed

151
MCQ (medium)

A security administrator needs to identify users who are repeatedly failing to authenticate from unusual locations. Which Microsoft 365 security feature provides this visibility?

A. Microsoft Purview Insider Risk Management
B. Microsoft Entra ID Protection
C. Microsoft Defender for Cloud Apps
D. Microsoft Sentinel
Answer: B

Correct: It detects risky sign-ins and user behavior.

Why this answer

Microsoft Entra ID Protection analyzes sign-in risks and can identify users with multiple failed attempts from atypical locations.

152
MCQ (medium)

Your organization uses Microsoft Defender for Office 365. A user reports receiving a phishing email that bypassed the default filters. You need to create a custom mail flow rule to block similar emails based on specific keywords in the subject line. Which tool should you use?

A. Microsoft 365 Defender portal
B. Microsoft Defender for Cloud Apps portal
C. Exchange admin center
D. Microsoft Entra admin center
Answer: C

Correct: EAC allows creation of mail flow rules (transport rules) to block based on subject keywords.

Why this answer

Exchange admin center (EAC) allows creating mail flow rules (transport rules) based on conditions like subject keywords. Option C is correct. Option A (the Microsoft 365 Defender portal, which replaced the Security & Compliance Center) includes policies but not mail flow rules.

Option B (Defender for Cloud Apps portal) is for cloud apps. Option D (Microsoft Entra admin center) is for identity.

153
Multi-Select (medium)

Your organization is planning to use Microsoft Sentinel as a SIEM solution. Which TWO of the following are required components for Sentinel? (Select TWO.)

Select 2 answers
A. A Log Analytics workspace
B. A playbook for automated response
C. Data connectors to ingest security data
D. A workbook for dashboards
E. A KQL query for threat detection
Answers: A, C

Sentinel is built on Log Analytics workspaces.

Why this answer

Options A and C are correct: a Log Analytics workspace is the underlying data store, and data connectors are needed to ingest logs. Option B is wrong because a playbook is optional automation. Option E is wrong because a KQL query is used for analysis but is not a required component.

Option D is wrong because a workbook is optional visualization.

154
MCQ (hard)

A company runs Azure VMs and on-premises Windows servers. They need a solution that provides vulnerability assessment, regulatory compliance dashboard, and threat detection for their hybrid workloads. Which Microsoft security solution should they use?

A. Microsoft Defender for Cloud
B. Microsoft Sentinel
C. Microsoft Defender for Identity
D. Microsoft Defender for Cloud Apps
Answer: A

Defender for Cloud offers vulnerability assessment, compliance dashboards, and threat detection for both Azure and on-premises workloads via Azure Arc.

Why this answer

Microsoft Defender for Cloud (formerly Azure Security Center and Azure Defender) provides unified security management across hybrid cloud workloads. It includes vulnerability assessment for VMs, a regulatory compliance dashboard with built-in standards like SOC 2 and PCI DSS, and integrated threat detection using behavioral analytics and machine learning. This makes it the correct choice for the described requirements.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel's SIEM capabilities with Defender for Cloud's workload protection features, but Sentinel requires manual log ingestion and does not provide native vulnerability scanning or compliance dashboards for VMs.

How to eliminate wrong answers

Option B is wrong because Microsoft Sentinel is a cloud-native SIEM and SOAR solution focused on log aggregation, incident response, and advanced threat hunting, not a built-in vulnerability assessment or compliance dashboard for VMs. Option C is wrong because Microsoft Defender for Identity is an on-premises identity security solution that detects threats using Active Directory signals, not a workload vulnerability or compliance tool. Option D is wrong because Microsoft Defender for Cloud Apps is a CASB for shadow IT discovery and app governance, not a solution for VM vulnerability assessment or regulatory compliance dashboards.

155
Multi-Select (hard)

Your company uses Microsoft Sentinel as a SIEM. You need to collect logs from a third-party firewall. Which THREE methods can you use?

Select 3 answers
A. Microsoft Defender for Cloud
B. Common Event Format (CEF)
C. Data connectors from Microsoft Sentinel
D. Syslog
E. Azure Monitor Agent
Answers: B, C, D

CEF is a standard format for security event logs, often used by firewalls.

Why this answer

Options B, C, and D are correct. Syslog (D) is a standard protocol for log forwarding. CEF (B) is a common log format for security devices.

Microsoft Sentinel Data Connectors (C) often include built-in connectors for common firewalls. Option E is wrong because Azure Monitor Agent is for Windows/Linux VMs, not network appliances. Option A is wrong because Microsoft Defender for Cloud is a security posture management tool, not a log collection method.

156
MCQ (hard)

Refer to the exhibit. You run an Advanced Hunting query in Microsoft Defender XDR. What is the primary purpose of this query?

A. Find IP addresses with failed logon attempts.
B. List all interactive logons from Office 365 applications.
C. Detect non-interactive logons to Office 365.
D. Identify accounts with high number of interactive logons, potentially indicating brute-force activity.
Answer: D

The query counts logons per user/IP and filters for >10, which can indicate brute-force attempts.

Why this answer

The query filters for interactive logon events to Office 365 over the past 7 days, groups by user and IP, and counts occurrences. It then filters for accounts with more than 10 logon events, which helps identify accounts with unusually high logon activity, potentially indicating brute-force attacks or compromised accounts. Option D is correct.

157
Multi-Select (medium)

Which THREE of the following are features of Microsoft Purview Communication Compliance?

Select 3 answers
A. Automatically quarantine emails that contain malware
B. Provide policy tips to users when they send potentially non-compliant messages
C. Enforce multi-factor authentication for sensitive roles
D. Create custom keyword dictionaries to detect policy violations
E. Monitor Microsoft Teams chat messages for inappropriate language
Answers: B, D, E

Policy tips can educate users.

Why this answer

Microsoft Purview Communication Compliance helps detect policy violations in communications. Option E is correct because it can analyze Microsoft Teams messages. Option D is correct because it allows custom keyword dictionaries.

Option B is correct because it provides policy tips to users. Option A is wrong because it is a feature of Microsoft Defender for Office 365. Option C is wrong because it is a feature of Microsoft Entra ID.

158
MCQ (easy)

A security team is evaluating Microsoft security solutions to monitor user activities across multiple SaaS applications, including Salesforce and Dropbox, for signs of compromised accounts and data exfiltration. Which solution is specifically designed for this purpose?

A. Microsoft Defender for Cloud Apps
B. Microsoft Defender for Endpoint
C. Microsoft Sentinel
D. Microsoft 365 Defender
Answer: A

Correct. Defender for Cloud Apps is designed as a CASB to monitor and protect SaaS applications like Salesforce and Dropbox from threats such as compromised accounts and data exfiltration.

Why this answer

Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that provides deep visibility, data classification, and threat detection across SaaS applications like Salesforce and Dropbox. It uses behavioral analytics and anomaly detection to identify compromised accounts and data exfiltration by monitoring user activities and applying policies such as activity policies and app governance.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel (a SIEM) with a CASB, but Sentinel is a log aggregation and analysis platform, not a dedicated SaaS monitoring solution like Defender for Cloud Apps.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Endpoint focuses on endpoint devices (e.g., Windows, macOS, Linux) using EDR (Endpoint Detection and Response) and does not natively monitor user activities within SaaS applications like Salesforce or Dropbox. Option C is wrong because Microsoft Sentinel is a SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution that aggregates logs from multiple sources but is not specifically designed as a CASB for monitoring SaaS app user activities; it requires data ingestion from other tools. Option D is wrong because Microsoft 365 Defender is an integrated pre- and post-breach enterprise defense suite that covers identities, endpoints, email, and collaboration tools (e.g., Microsoft 365 apps) but does not extend to third-party SaaS applications like Salesforce or Dropbox without additional integration.

159
MCQ (easy)

A company wants to classify and label documents in SharePoint automatically based on sensitive content like social security numbers. Which Microsoft Purview solution should they use?

A. eDiscovery
B. Auto-labeling policy
C. Audit log
D. Data loss prevention policy
Answer: B

Auto-labeling policies automatically apply sensitivity labels to documents containing sensitive info.

Why this answer

Auto-labeling policies in Microsoft Purview automatically apply sensitivity labels to documents in SharePoint based on sensitive info types. Option D is incorrect because data loss prevention policies can apply labels but are primarily for preventing data leaks. Option C is incorrect because the audit log only records activities.

Option A is incorrect because eDiscovery is for searching and exporting data.

160
MCQ (medium)

A company wants to automatically classify documents containing credit card numbers and apply encryption at rest in SharePoint Online. Which Microsoft Purview feature should be used?

A. Sensitivity labels with auto-classification
B. eDiscovery
C. Microsoft Purview Audit
D. Data Loss Prevention (DLP) policies
Answer: A

Sensitivity labels can auto-classify sensitive data and apply encryption.

Why this answer

Sensitivity labels with auto-classification can detect credit card numbers and apply encryption. Option A is correct. Option D (DLP policies) prevents sharing but does not apply encryption.

Option C (Audit) logs activities. Option B (eDiscovery) is for legal discovery.

161
MCQ (hard)

Refer to the exhibit. The KQL query is used in a Microsoft Sentinel analytics rule. What is the primary purpose of this rule?

A. To identify all files shared externally regardless of sensitivity
B. To automatically block external sharing of sensitive files
C. To detect when a file labeled 'Highly Confidential' is shared externally
D. To list all alerts generated by the rule
Answer: C

Correct: The query specifically targets files with that sensitivity label.

Why this answer

The query filters alerts for 'Sensitive file shared externally' and further refines to files with SensitivityLabel 'Highly Confidential'. It projects the file name and owner. Option C is correct.

Option A is too broad (any shared file). Option D mentions 'all alerts', which is not what the query returns. Option B is incorrect because the query does not block sharing.

162
MCQ (medium)

A security operations team needs a solution that can detect and stop ransomware attacks on Windows servers and desktops in real time. They also want the ability to automatically isolate affected devices and, if necessary, roll back files modified by ransomware using a built-in recovery feature. Which Microsoft security solution provides these capabilities?

A. Microsoft Defender for Office 365
B. Microsoft Defender for Endpoint
C. Microsoft Defender for Cloud Apps
D. Microsoft Defender for Cloud
Answer: B

Defender for Endpoint provides EDR, threat hunting, automated investigation, and remediation including device isolation and file rollback for ransomware.

Why this answer

Microsoft Defender for Endpoint (MDE) provides real-time detection and automated response to ransomware attacks on Windows servers and desktops. Its built-in attack surface reduction rules, endpoint detection and response (EDR), and automated investigation and remediation capabilities allow automatic device isolation. Additionally, MDE includes a file recovery feature that leverages Volume Shadow Copy to roll back files modified by ransomware, meeting all stated requirements.

Exam trap

The trap here is that candidates may confuse Microsoft Defender for Cloud (a cloud workload protection tool) with Microsoft Defender for Endpoint (an endpoint detection and response tool), failing to recognize that only MDE provides the specific combination of real-time endpoint protection, automated device isolation, and built-in file rollback for Windows servers and desktops.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Office 365 focuses on protecting email, SharePoint, and Teams from phishing, malware, and spam, not on endpoint-level ransomware detection or device isolation. Option C is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that provides visibility and control over cloud app usage, not real-time endpoint ransomware protection or file rollback. Option D is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection platform for cloud infrastructure (IaaS/PaaS), not designed for on-premises Windows servers and desktops or built-in file recovery.

163
MCQ (medium)

A company wants to gain visibility into the cloud applications that employees are using (e.g., unsanctioned SaaS apps), assess the risk level of each app based on multiple factors, and block access to high-risk applications. Which Microsoft security solution should they deploy?

A. Microsoft Defender for Endpoint
B. Microsoft Defender for Office 365
C. Microsoft Defender for Cloud Apps
D. Microsoft Sentinel
Answer: C

Defender for Cloud Apps is a CASB that discovers all cloud apps, evaluates their risk, and allows you to control access (e.g., block, restrict).

Why this answer

Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that provides visibility into cloud application usage, assesses risk based on factors like compliance, app store ratings, and security controls, and can block access to high-risk apps via reverse proxy or API integration. This directly matches the requirement to discover unsanctioned SaaS apps and enforce access controls.

Exam trap

The trap here is confusing a CASB (Defender for Cloud Apps) with an EDR (Defender for Endpoint) or SIEM (Sentinel), as candidates often think 'visibility into apps' means endpoint monitoring or log analysis rather than cloud-specific app discovery and risk assessment.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint focuses on endpoint detection and response (EDR) for devices, not on discovering or blocking cloud applications. Option B is wrong because Microsoft Defender for Office 365 protects email and collaboration tools (e.g., Exchange, SharePoint) from threats like phishing and malware, not from unsanctioned SaaS app usage. Option D is wrong because Microsoft Sentinel is a Security Information and Event Management (SIEM) solution for aggregating logs and detecting threats across the environment, not for real-time cloud app discovery and blocking.

164
MCQ (easy)

Your organization uses Microsoft Purview Communication Compliance to detect potential harassment in Microsoft Teams messages. Which role is required to review and act on policy matches?

A. Communication Compliance admin
B. Communication Compliance analyst
C. Communication Compliance investigator
D. Compliance administrator
Answer: B

Analysts review policy matches and take action.

Why this answer

Communication Compliance roles: 'Communication Compliance admin' can create policies, 'Communication Compliance analyst' can review and act on matches, 'Communication Compliance investigator' has additional remediation capabilities, 'Compliance administrator' has broader compliance admin rights. Option B is correct for reviewing matches.

165
MCQ (hard)

A company runs a mix of on-premises servers and Azure virtual machines. They deploy Microsoft Defender for Endpoint on all servers. The security team wants to create custom queries to hunt for a specific attack pattern that involves a sequence of events across multiple machines, such as a PowerShell script being downloaded and then executed on several servers. They need to write their own detection rules based on advanced hunting data. Which Microsoft 365 Defender capability should they use?

A. Advanced hunting in Microsoft 365 Defender
B. Microsoft Defender for Cloud
C. Microsoft Defender for Office 365
D. Microsoft Sentinel
Answer: A

Advanced hunting enables security teams to build custom queries over data from endpoints, Office 365, identities, and apps. They can then create custom detection rules that trigger alerts based on these queries.

Why this answer

Advanced hunting in Microsoft 365 Defender provides a Kusto Query Language (KQL)-based query interface that allows security teams to create custom detection rules by searching raw data across endpoints, email, and identities. This capability directly supports the scenario of writing custom queries to hunt for multi-machine attack patterns, such as a PowerShell script download followed by execution, by correlating events like DeviceProcessEvents and DeviceFileEvents across multiple devices.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel's advanced hunting (which is also KQL-based but is a separate Azure service) with the advanced hunting capability native to Microsoft 365 Defender, leading them to select Sentinel even though the question explicitly asks for a Microsoft 365 Defender capability.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection platform (CWPP) that focuses on securing Azure, on-premises, and multi-cloud resources through recommendations and vulnerability assessments, not on providing a custom KQL-based hunting interface for endpoint-specific event sequences. Option C is wrong because Microsoft Defender for Office 365 is designed to protect against threats in email, SharePoint, OneDrive, and Teams, and does not include advanced hunting capabilities for endpoint processes or file events across servers. Option D is wrong because Microsoft Sentinel is a cloud-native SIEM/SOAR solution that ingests data from multiple sources and offers advanced hunting, but the question specifically asks for a Microsoft 365 Defender capability; Sentinel is a separate Azure service, not a component of Microsoft 365 Defender.

166
Multi-Select (hard)

Which TWO are features of Microsoft Defender for Cloud Apps? (Choose two.)

Select 2 answers
A. Apply sensitivity labels to files
B. Investigate email-borne attacks
C. Vulnerability management for endpoints
D. Cloud Discovery to identify shadow IT
E. App governance for OAuth apps
Answers: D, E

Cloud Discovery discovers cloud app usage.

Why this answer

Options D and E are correct. Cloud Discovery identifies shadow IT. App governance controls OAuth apps.

Option A is wrong because sensitivity labels are in Purview. Option B is wrong because email attack investigation is in Defender for Office 365. Option C is wrong because endpoint vulnerability management is in Defender for Endpoint.

167
MCQ (hard)

Your company has Microsoft Defender for Office 365 and wants to configure anti-phishing policies to protect against spear-phishing attacks targeting executives. Which policy setting should you enable to provide the highest level of protection?

A. Malware filter
B. Impersonation protection for users
C. Bulk email filtering
D. Spoof intelligence
Answer: B

Impersonation protection detects and blocks attempts to impersonate specific users.

Why this answer

Option B is correct because impersonation protection specifically protects against spear-phishing attacks targeting specific users like executives. Option D is wrong because spoof intelligence detects spoofed domains but not user impersonation. Option C is wrong because bulk email filtering reduces bulk mail but not targeted phishing.

Option A is wrong because the malware filter handles attachments with malware, not phishing.

168
MCQ (easy)

You work at a mid-sized company that uses Microsoft Defender for Business (a subscription included with Microsoft 365 Business Premium). The company has 300 devices enrolled in Microsoft Intune. Recently, a malware outbreak occurred on several devices. You need to implement a solution that automatically remediates devices that are found to be infected with malware. The solution should isolate the device from the network and run a full scan. Which action should you take?

A. Create a Conditional Access policy to block access for devices with malware.
B. Create an Intune compliance policy to mark devices as non-compliant if malware is detected.
C. Enable automatic investigation and remediation in Microsoft Defender for Business.
D. Configure Microsoft Defender Antivirus to run a weekly scan.
Answer: C

Defender for Business automatically investigates and remediates threats including isolation and scan.

Why this answer

Correct: C. Defender for Business includes automated investigation and remediation capabilities. Option B: Intune compliance policies enforce compliance but do not automatically remediate malware.

Option A: Conditional Access controls access, not remediation. Option D: a scheduled antivirus scan sets a baseline but does not automate the response.

169
MCQ (easy)

A security operations team uses Microsoft Sentinel to centralize security log analysis. They need to ingest logs from a third-party firewall that does not have a native connector. What should the team use to bring the firewall logs into Microsoft Sentinel?

A. Data connectors
B. Playbooks
C. Workbooks
D. Analytics rules
Answer: A

Data connectors are the feature that collects logs from various sources into Sentinel. For unsupported devices, Syslog or CEF connectors can be used.

Why this answer

Microsoft Sentinel uses data connectors to ingest logs from various sources, including third-party devices that lack native connectors. For a firewall without a built-in connector, the team can use the Common Event Format (CEF) connector or Syslog connector, which are both categorized as data connectors. These connectors allow the firewall to forward logs via Syslog or CEF over UDP/TCP, which Sentinel then parses and ingests into the Log Analytics workspace.

Exam trap

The trap here is that candidates confuse data connectors (which handle ingestion) with playbooks or workbooks (which handle response or visualization), leading them to select a post-ingestion tool instead of the correct ingestion method.

How to eliminate wrong answers

Option B is wrong because playbooks are automated response workflows based on Azure Logic Apps, used for incident response and remediation, not for log ingestion. Option C is wrong because workbooks are interactive dashboards for visualizing and analyzing data already in Sentinel, not a mechanism to bring data in. Option D is wrong because analytics rules are detection rules that generate alerts based on ingested data, not a method for importing logs.

170
MCQ (hard)

A security operations center (SOC) team uses Microsoft Sentinel with User and Entity Behavior Analytics (UEBA) enabled. They notice an alert about a user accessing a sensitive HR application from an unusual IP address at 3 AM. What does UEBA primarily use to detect this anomaly?

A. Static rule-based thresholds defined by the SOC
B. Manual input from the SOC team
C. Historical behavior baselines and machine learning
D. Threat intelligence feeds from Microsoft
Answer: C

UEBA uses ML to learn normal patterns and flag anomalies.

Why this answer

UEBA builds a baseline of normal user behavior over time and uses machine learning to detect deviations. Option A is wrong because static rules do not adapt to user patterns. Option D is wrong because threat intelligence feeds are external.

Option B is wrong because manual analyst input is not the primary mechanism.

171
MCQ (medium)

Your organization uses Microsoft Defender for Office 365. Users report receiving phishing emails that bypassed the default anti-phishing policy. What should you do to improve protection?

A. Create a custom anti-phishing policy.
B. Enable Safe Attachments.
C. Configure anti-malware policy.
D. Increase the spam confidence level (SCL) threshold.
Answer: A

Custom policies can include impersonation protection and advanced settings.

Why this answer

Correct: A. Create a custom anti-phishing policy with stricter settings. Option D: increasing the spam confidence level threshold is for spam, not phishing. Option B: enabling Safe Attachments is for attachment scanning.

Option C: configuring an anti-malware policy is for malware.

172
Multi-Select (medium)

Which TWO are capabilities of Microsoft Defender for Office 365?

Select 2 answers
A. Safe Attachments
B. Attack surface reduction rules
D. Safe Links
E. Device compliance policies
Answers: A, D

Safe Attachments scans email attachments for malware.

Why this answer

Safe Attachments is a core capability of Microsoft Defender for Office 365 that uses a detonation chamber environment to open and analyze email attachments in real time before delivery. If malicious behavior is detected, the attachment is blocked or replaced with a warning file, protecting users from zero-day threats and advanced malware.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Office 365 with Microsoft Defender for Endpoint or broader Microsoft 365 security features, leading them to select attack surface reduction rules (an endpoint protection feature) or device compliance policies (an Intune feature) instead of the email-specific Safe Attachments and Safe Links.

173
MCQ (hard)

Your company uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive information. You need to create a policy that prevents users from sharing credit card numbers via email, but allows them to share internally with other employees. The policy should also notify the user when an attempt is made to share externally. What should you configure?

A. Create a DLP policy with the condition 'Content contains credit card number' and action 'Block access to content' for all recipients.
B. Create a DLP policy with the condition 'Content contains credit card number' and action 'Block external sharing' but allow internal sharing, and enable user notifications.
C. Create a DLP policy with the condition 'Content contains credit card number' and action 'Allow override' with a business justification.
D. Create a DLP policy with the condition 'Content contains credit card number' and action 'Notify user with policy tip' but no blocking.
Answer: B

This meets all requirements.

Why this answer

Option B is correct because it uses the credit card number sensitive info type, restricts external sharing, and allows internal sharing. Option A is wrong because it blocks all sharing. Option D is wrong because it only provides user education, not blocking.

Option C is wrong because it requires user override but still blocks internal sharing.

174
MCQ (easy)

An organization wants to ensure that only managed and compliant devices can access corporate email in Exchange Online. Which Microsoft Entra ID Conditional Access policy setting should they use?

A. Require device to be marked as compliant
B. Require approved client app
C. Require hybrid Azure AD joined device
D. Require multifactor authentication
Answer: A

Ensures only compliant devices can access.

Why this answer

Correct: 'Require device to be marked as compliant' enforces compliance. Option D: 'Require MFA' is about authentication. Option B: 'Require approved client app' is for app-level control.

Option C: 'Require hybrid Azure AD joined' is for domain-joined devices.

175
MCQ (medium)

A company uses Microsoft 365 and many third-party SaaS apps like Salesforce and Box. The security team wants to detect when a user downloads a large number of files from a cloud storage app after hours, which may indicate data exfiltration. Which Microsoft security solution should be used to detect such anomalous behavior in cloud apps?

A. Microsoft Defender for Office 365
B. Microsoft Defender for Identity
C. Microsoft Defender for Cloud Apps
D. Microsoft Defender for Cloud
Answer: C

Defender for Cloud Apps provides cloud access security broker capabilities, including anomaly detection for third-party SaaS apps.

Why this answer

Microsoft Defender for Cloud Apps (MDCA) is the correct solution because it provides Cloud Access Security Broker (CASB) functionality, including anomaly detection policies that can identify unusual user behavior such as downloading a large number of files from a cloud storage app after hours. MDCA uses machine learning to establish a baseline of normal user activity and then triggers alerts when deviations like high-volume downloads occur, which is a classic indicator of data exfiltration.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud Apps with Microsoft Defender for Cloud, mistakenly thinking the latter covers SaaS app security, when in fact Defender for Cloud is focused on infrastructure workload protection (CSPM/CWPP) and not user behavior in cloud apps.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Office 365 focuses on protecting email and collaboration tools (Exchange Online, SharePoint, Teams) from threats like phishing and malware, not on detecting anomalous behavior across third-party SaaS apps like Salesforce or Box. Option B is wrong because Microsoft Defender for Identity monitors on-premises Active Directory and hybrid identities for attacks like pass-the-hash or Kerberos abuse, not user activity in cloud apps. Option D is wrong because Microsoft Defender for Cloud is designed for securing cloud workloads (VMs, containers, databases) in Azure and multi-cloud environments, not for detecting user-driven data exfiltration in SaaS applications.

176
MCQ (medium)

A company must ensure that sensitive data in SharePoint Online is automatically classified and protected. They want to use built-in Microsoft Purview capabilities. Which feature should they implement?

A. Audit logs
B. Sensitivity labels
C. Data Loss Prevention policies
D. Retention policies
Answer: C

Automatically detect and protect sensitive data.

Why this answer

Option C is correct because Microsoft Purview Data Loss Prevention (DLP) policies can automatically detect and protect sensitive data. Option B is wrong because sensitivity labels require manual or conditional application. Option D is wrong because retention policies focus on data lifecycle.

Option A is wrong because audit logs track activity but don't protect.

177
MCQ (hard)

A company uses Microsoft 365 and many third-party SaaS apps like Salesforce and Box. The security team needs to discover which unsanctioned cloud apps employees are using (Shadow IT). They also want to get a risk score for each app and receive alerts when a high-risk app is used. Which Microsoft security solution should they use?

A. Microsoft Defender for Endpoint
B. Microsoft Defender for Identity
C. Microsoft Defender for Cloud Apps
D. Microsoft Purview Compliance Manager
Answer: C

Defender for Cloud Apps includes Cloud Discovery, which identifies used apps, assigns risk scores, and alerts on high-risk app usage.

Why this answer

Microsoft Defender for Cloud Apps (MDCA) is the correct solution because it is specifically designed for Cloud Access Security Broker (CASB) functions, including Shadow IT discovery, risk scoring of cloud apps, and policy-based alerts. It integrates with Microsoft 365 and third-party SaaS apps via API connectors and log collectors to identify unsanctioned app usage and assign a risk score based on factors like compliance, security controls, and industry standards.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud Apps with other Defender products (Endpoint or Identity) because they all share the 'Defender' branding, but only Cloud Apps provides CASB capabilities for Shadow IT discovery and app risk scoring.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint focuses on endpoint detection and response (EDR) for devices, not on discovering unsanctioned cloud app usage or providing app-specific risk scores. Option B is wrong because Microsoft Defender for Identity monitors on-premises Active Directory and hybrid identities for attacks like pass-the-hash, not cloud app discovery or Shadow IT. Option D is wrong because Microsoft Purview Compliance Manager is a compliance management tool for assessing regulatory posture and managing controls, not for discovering unsanctioned cloud apps or generating risk scores for third-party SaaS applications.

178
MCQeasy

A security administrator needs to identify and remediate misconfigurations in Azure resources that could lead to security breaches. They want a central dashboard that provides a secure score based on security controls and recommendations. Which Microsoft solution should they use?

A.Microsoft Defender for Cloud
B.Microsoft Sentinel
C.Microsoft 365 Defender
D.Microsoft Intune
AnswerA

Defender for Cloud provides a secure score and actionable recommendations to improve the security posture of cloud and hybrid resources.

Why this answer

Microsoft Defender for Cloud provides a centralized dashboard that continuously assesses Azure resources against security best practices, delivering a secure score based on implemented security controls and actionable recommendations. This directly matches the administrator's need to identify and remediate misconfigurations that could lead to breaches.

Exam trap

The trap here is confusing Microsoft Defender for Cloud's posture management and secure score with Microsoft Sentinel's threat detection capabilities, as both appear under the 'Microsoft security solutions' umbrella but serve fundamentally different purposes.

How to eliminate wrong answers

Option B is wrong because Microsoft Sentinel is a Security Information and Event Management (SIEM) solution focused on threat detection, investigation, and response across the enterprise, not on providing a secure score or resource misconfiguration dashboard. Option C is wrong because Microsoft 365 Defender is an extended detection and response (XDR) solution for Microsoft 365 workloads (e.g., email, endpoints, identities), not for Azure resource configuration assessment. Option D is wrong because Microsoft Intune is a Mobile Device Management (MDM) and Mobile Application Management (MAM) service for managing endpoints and compliance policies, not for evaluating Azure resource security posture.

179
MCQhard

A company uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. They want to prevent users from copying credit card numbers from an internal web application to a personal cloud storage app. Which DLP policy setting should they configure?

A.Browser DLP
B.Exchange DLP
C.Teams DLP
D.Endpoint DLP with clipboard control
AnswerD

Endpoint DLP can restrict clipboard operations on Windows devices.

Why this answer

Endpoint DLP policies can monitor and control clipboard operations, including copying sensitive data to unallowed apps. Option A is incorrect because browser DLP only covers browser-based activities. Option B is incorrect because Exchange (email) DLP covers email. Option C is incorrect because Teams DLP covers Teams chats and channels.

180
MCQmedium

An organization uses Microsoft Intune to manage devices. They need to ensure that only devices with a minimum OS version can access corporate email. What should they configure?

A.App protection policy
B.Device enrollment restriction
C.Compliance policy and conditional access
D.Device configuration profile
AnswerC

Combination enforces access based on device compliance.

Why this answer

Option C is correct because combining a compliance policy (which checks the device OS version against a minimum requirement) with a Conditional Access policy (which blocks access if the device is non-compliant) is the standard Microsoft approach to enforce OS version requirements for accessing corporate email. The compliance policy marks devices below the minimum OS version as non-compliant, and the Conditional Access policy then denies access to Exchange Online or other corporate resources for those non-compliant devices.

Exam trap

The trap here is that candidates confuse Device enrollment restrictions (which set OS version limits at enrollment time) with Compliance policies (which enforce OS version requirements continuously after enrollment), leading them to pick Option B instead of C.

How to eliminate wrong answers

Option A is wrong because App protection policies (MAM) manage how data is handled within apps (e.g., preventing copy/paste or requiring PIN) and do not enforce device-level OS version requirements; they apply to apps regardless of device management. Option B is wrong because Device enrollment restrictions control which devices can enroll in Intune (e.g., by platform or OS version during enrollment) but do not enforce ongoing OS version compliance for already enrolled devices accessing email. Option D is wrong because Device configuration profiles configure device settings (e.g., Wi-Fi, VPN, certificates) but do not enforce compliance checks or block access based on OS version; they are not used for conditional access decisions.

181
MCQmedium

Your organization is using Microsoft Sentinel as a SIEM. You want to automatically respond to a high-severity incident by opening a ticket in ServiceNow and notifying the security team via email. What should you create?

A.An automation rule
B.A workbook
C.An analytics rule
D.A watchlist
AnswerA

Automation rules run playbooks for response.

Why this answer

Option A is correct because automation rules in Microsoft Sentinel can trigger playbooks (Logic Apps) for incident response. Option C is wrong because analytics rules create incidents, not automated responses. Option B is wrong because workbooks are for visualization. Option D is wrong because watchlists are for threat intelligence.

182
MCQmedium

Your organization uses Microsoft Entra ID for identity management. You need to implement a solution that allows users to sign in using their social media accounts, such as Google or Facebook. What should you configure?

A.Microsoft Authenticator app for passwordless sign-in
B.Privileged Identity Management
C.External identities (B2B) with social identity providers
D.Self-service password reset
AnswerC

B2B collaboration supports social identity providers like Google and Facebook.

Why this answer

Option C is correct because external identities (B2B) allow social identity providers as external identity sources. Option D is incorrect because self-service password reset does not provide sign-in. Option B is incorrect because Privileged Identity Management is for managing privileged roles. Option A is incorrect because Microsoft Authenticator is for MFA, not social identity.

183
MCQhard

Your company uses Microsoft Purview to manage data across Azure, on-premises SQL Server, and Amazon S3. You need to create a unified map of all data sources and their sensitivity labels. Which Microsoft Purview feature should you use?

A.Microsoft Purview Data Sharing
B.Microsoft Purview Data Map
C.Microsoft Purview Data Estate Insights
D.Microsoft Purview Data Catalog
AnswerB

Data Map automatically scans and classifies data across sources, creating a unified map.

Why this answer

Microsoft Purview Data Map is the correct feature because it provides a unified, automated map of data assets across hybrid and multi-cloud environments (Azure, on-premises SQL Server, and Amazon S3). It automatically scans and classifies data sources, applies sensitivity labels, and maintains a centralized metadata repository, enabling a holistic view of the data landscape and its sensitivity.

Exam trap

The trap here is that candidates often confuse the Microsoft Purview Data Catalog (which is the searchable inventory) with the Data Map (which is the underlying metadata and classification engine), leading them to select Option D instead of B.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Data Sharing is a feature for securely sharing data in-place across organizations or within an organization, not for creating a unified map of data sources and sensitivity labels. Option C is wrong because Microsoft Purview Data Estate Insights provides monitoring, analytics, and reporting on data estate health and usage, but it does not create the foundational map of data sources and labels; it relies on the Data Map. Option D is wrong because Microsoft Purview Data Catalog is a component that builds on the Data Map to enable data discovery and search, but the core mapping and labeling of data sources is performed by the Data Map itself.

184
MCQeasy

Your organization wants to use Microsoft Defender for Cloud Apps to detect anomalous user behavior across cloud applications. Which feature should you enable?

A.Anomaly detection policies
B.App connectors
C.Secure Score
D.Cloud Discovery
AnswerA

Anomaly detection policies use UEBA to detect unusual user behavior.

Why this answer

Option A is correct because Microsoft Cloud App Security (now Microsoft Defender for Cloud Apps) provides UEBA and anomaly detection. Options B, C, and D are incorrect: app connectors are for API integration, Secure Score is for security posture, and Cloud Discovery is for discovering shadow IT.

185
MCQmedium

A security team wants to discover all cloud applications being used by employees, including unsanctioned file sharing and collaboration apps. They plan to analyze traffic logs from their network firewall to identify usage patterns and assess each app's risk level. Which feature of Microsoft Defender for Cloud Apps should they enable?

A.Cloud Discovery
B.App Connectors
C.Conditional Access App Control
D.Information Protection
AnswerA

Cloud Discovery uses log analysis to uncover all cloud app activity and assess risk, making it the correct feature for this scenario.

Why this answer

Cloud Discovery is the correct feature because it analyzes traffic logs from network firewalls and proxies to identify all cloud applications in use, including unsanctioned ones. It uses the Microsoft Defender for Cloud Apps catalog to assess each app's risk level based on factors like security posture, compliance certifications, and industry standards. This directly matches the scenario of discovering unsanctioned file sharing and collaboration apps from firewall logs.

Exam trap

The trap here is that candidates confuse Cloud Discovery (passive log analysis for unsanctioned app discovery) with App Connectors (active API integration for sanctioned app monitoring), leading them to choose B because they think 'connecting to apps' is needed to discover them.

How to eliminate wrong answers

Option B (App Connectors) is wrong because App Connectors are used to connect directly to sanctioned cloud apps (like Office 365, Salesforce) via APIs to pull data for monitoring and governance, not to discover unsanctioned apps from firewall logs. Option C (Conditional Access App Control) is wrong because it enforces real-time access policies on sanctioned apps using reverse proxy, not for discovering unknown apps from traffic logs. Option D (Information Protection) is wrong because it focuses on classifying and protecting sensitive data within files and emails, not on discovering cloud app usage patterns from network traffic.

186
MCQeasy

You need to ensure that sensitive documents in Microsoft SharePoint Online are automatically classified and protected when they contain credit card numbers. What should you configure?

A.A sensitivity label with auto-labeling for Microsoft Purview Information Protection
B.A retention policy for SharePoint
C.A data loss prevention (DLP) policy
D.A retention label for regulatory compliance
AnswerA

Auto-labeling in sensitivity labels can automatically classify and protect documents based on sensitive info types.

Why this answer

Option A is correct because a sensitivity label with auto-labeling can be configured to detect sensitive info types like credit card numbers. Option D is incorrect because retention labels manage retention, not protection. Option C is incorrect because DLP policies can block or alert but do not apply labels automatically. Option B is incorrect because a retention policy is for retention, not classification.

187
MCQeasy

Your organization uses Microsoft Defender for Cloud Apps. You need to detect anomalous user behavior such as impossible travel. Which type of policy should you configure?

A.Anomaly detection policy
B.Activity policy
C.App discovery policy
D.Session policy
AnswerA

Anomaly detection policies use machine learning to detect unusual patterns like impossible travel.

Why this answer

Anomaly detection policies in Defender for Cloud Apps use UEBA to detect behaviors like impossible travel, ransomware activity, and credential access. Option A is correct. Activity policies are used for specific activities, not behavior patterns.

Session policies control real-time access. App discovery policies identify cloud apps in use.

188
MCQeasy

A security analyst receives an alert from Microsoft Sentinel indicating a potential ransomware attack. The analyst needs to quickly understand the full scope of the attack, including all affected accounts and devices. Which Microsoft Sentinel feature should they use?

A.Analytics rules
B.Workbooks
C.Playbooks
D.Incident investigation
AnswerD

Incident investigation provides a graph view of entities and relationships to understand attack scope.

Why this answer

Incident investigation in Microsoft Sentinel provides a visual graph of entities and relationships, helping to understand the attack scope. Option B is wrong because Workbooks are for reporting; Option C is wrong because Playbooks are for automation; Option A is wrong because Analytics rules are for creating alerts.

189
MCQeasy

Your organization uses Microsoft Defender for Cloud to protect Azure virtual machines. You need to ensure that critical vulnerabilities identified on the VMs are automatically remediated using a just-in-time patching mechanism. What should you configure?

A.Enable adaptive application controls and just-in-time VM access in Defender for Cloud
B.Deploy Microsoft Intune for update management
C.Configure Azure Automation Update Management
D.Enable Azure Update Manager
AnswerA

Adaptive application controls and JIT access can be used to automate patching with least privilege.

Why this answer

Option A is correct because Microsoft Defender for Cloud's adaptive application controls and just-in-time VM access can be combined with update management to automate patching. Option D is wrong because Azure Update Manager does not provide just-in-time patching. Option C is wrong because Azure Automation Update Management requires manual scheduling. Option B is wrong because Microsoft Intune is for endpoint management, not Azure VMs.

190
Multi-Selectmedium

Which TWO of the following are capabilities of Microsoft Purview Information Protection? (Choose two.)

Select 2 answers
A.Classify and label sensitive data
B.Block external sharing of files
C.Detect malware in email attachments
D.Apply encryption based on sensitivity labels
E.Monitor user activities in real-time
AnswersA, D

Correct: Core capability of Information Protection.

Why this answer

Microsoft Purview Information Protection allows classification and labeling, and can apply encryption. Activity logging is part of Audit, and DLP is a separate solution.

191
MCQeasy

Your organization needs to prevent sensitive data in SharePoint Online from being shared externally. Which Microsoft Purview solution should you use?

A.Data Loss Prevention (DLP)
B.eDiscovery
C.Sensitivity labels
D.Insider Risk Management
AnswerA

DLP policies can block external sharing of sensitive data.

Why this answer

Data Loss Prevention (DLP) policies can detect and block sharing of sensitive data. Option A is correct. Option C is wrong because sensitivity labels classify data but do not enforce sharing restrictions by themselves. Option D is wrong because insider risk management detects risky behavior, not external sharing. Option B is wrong because eDiscovery is for legal discovery.

192
MCQeasy

An organization uses Microsoft Defender for Endpoint (MDE). The security team wants to identify devices that have not received a security update in the last 30 days. Which report should they use?

A.Threat analytics report
B.Device health report
C.Vulnerability management dashboard
D.Microsoft Secure Score report
AnswerB

Device health report includes missing updates status.

Why this answer

Correct: the Device health report in MDE shows missing updates. Option A: Threat analytics is for threat intelligence. Option C: the Vulnerability management dashboard shows vulnerabilities but not specifically missing updates. Option D: Secure Score is for overall posture.

193
MCQeasy

Your organization uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate email. What should you configure?

A.An app protection policy in Microsoft 365 admin center
B.A conditional access policy in Microsoft Entra ID
C.A conditional access policy in Azure AD
D.A device compliance policy in Intune
AnswerB

Conditional access policies can require devices to be marked as compliant before granting access.

Why this answer

Option B is correct because conditional access policies in Microsoft Entra ID can require compliant devices. Option D is incorrect because compliance policies define compliance but do not enforce access. Option C is incorrect because Azure AD is now Entra ID; the conditional access policy is configured in Microsoft Entra ID. Option A is incorrect because the Microsoft 365 admin center does not configure device compliance enforcement.

194
Multi-Selecthard

Which THREE are features of Microsoft Purview Data Loss Prevention (DLP)?

Select 3 answers
A.DLP policies for Exchange Online
B.Endpoint DLP for Windows 10/11
C.Policy tips in Outlook
D.Sensitivity label auto-classification
E.Insider risk management analytics
AnswersA, B, C

DLP policies can be applied to Exchange Online.

Why this answer

Microsoft Purview DLP includes policy tips to notify users, endpoint DLP to monitor devices, and integration with Microsoft 365 services. Option A is correct. Option B is correct.

Option C is correct. Option D is wrong because sensitivity labels are part of Microsoft Purview Information Protection, not DLP. Option E is wrong because insider risk management is a separate solution.

195
MCQhard

You are a compliance officer at a healthcare organization that uses Microsoft 365. The organization must comply with HIPAA regulations. You have Microsoft Purview, Microsoft Defender for Cloud Apps, and Microsoft Intune. You need to ensure that all devices accessing patient health information (PHI) are compliant with the organization's security policies, which require device encryption, a minimum OS version, and the use of a compliant mobile device management (MDM) provider. Currently, some devices are not managed by Intune. You need to enforce that only compliant devices can access PHI stored in SharePoint Online. What should you do?

A.Create a device compliance policy in Microsoft Intune and assign it to all users
B.Deploy an app protection policy in Microsoft Intune to restrict data access
C.Configure a conditional access policy in Microsoft Entra ID to require compliant devices
D.Create a DLP policy in Microsoft Purview to block access from non-compliant devices
AnswerC

Conditional access can require devices to be marked as compliant.

Why this answer

Option C is correct because conditional access policies in Microsoft Entra ID can require devices to be compliant (managed by Intune) and meet compliance policies before accessing SharePoint. Option D is wrong because DLP policies do not enforce device compliance. Option B is wrong because app protection policies apply to mobile apps but do not require device management. Option A is wrong because device compliance policies require devices to be enrolled in Intune first; conditional access is needed to enforce the requirement.

196
MCQhard

A company runs critical applications on Windows Server virtual machines in Azure and on-premises. The security team wants to reduce the exposure of administrative ports (e.g., RDP, SSH) by requiring administrators to request just-in-time (JIT) access. The request should require approval from a central team, and the port should be opened only for a limited time. Which Microsoft security solution provides this JIT capability for both Azure and on-premises servers (when connected via Azure Arc)?

A.Microsoft Entra Privileged Identity Management (PIM)
B.Microsoft Defender for Identity
C.Microsoft Defender for Cloud (with just-in-time VM access)
D.Microsoft Defender for Cloud Apps
AnswerC

Defender for Cloud's JIT feature allows you to manage and approve temporary access to management ports (RDP, SSH) on Azure VMs and, via Azure Arc, on on-premises servers, thereby reducing the attack surface.

Why this answer

Microsoft Defender for Cloud's just-in-time (JIT) VM access capability reduces exposure to administrative ports (RDP, SSH) by locking down inbound traffic to Azure VMs and Azure Arc-enabled on-premises servers. It requires administrators to request access, which can be configured to require approval from a central team, and automatically opens the specified ports for a limited time before closing them again. This directly matches the scenario's need for JIT access with approval and time-limited port opening across hybrid environments.

Exam trap

The trap here is that candidates confuse Privileged Identity Management (PIM) with just-in-time VM access because both involve 'just-in-time' and 'approval,' but PIM controls role activation in Azure AD/Entra ID, not network-level port access to virtual machines.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Privileged Identity Management (PIM) manages just-in-time activation of Azure AD roles and Azure resource roles (e.g., Contributor), not network-level port access to VMs; it does not open or close RDP/SSH ports. Option B is wrong because Microsoft Defender for Identity is an on-premises Active Directory security solution that detects identity-based attacks (e.g., lateral movement, pass-the-hash) and does not provide any JIT network access control. Option D is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that controls access to SaaS applications (e.g., Office 365, Salesforce) and does not manage administrative port access to VMs.

197
MCQmedium

A company runs virtual machines in Azure and also maintains on-premises servers connected via Azure Arc. The security team needs a single dashboard to view security recommendations, detect misconfigurations, and track a secure score across both environments. They also want to enable advanced threat protection features such as just-in-time (JIT) VM access and file integrity monitoring for these workloads. Which Microsoft security solution should they implement?

A.Microsoft Defender for Cloud
B.Microsoft Sentinel
C.Microsoft Defender for Endpoint
D.Microsoft Defender for Cloud Apps
AnswerA

Defender for Cloud provides a unified dashboard with secure score, recommendations, and advanced threat protection for hybrid workloads including on-premises servers via Azure Arc.

Why this answer

Microsoft Defender for Cloud provides a unified dashboard that displays security recommendations, misconfigurations, and a secure score across both Azure and on-premises workloads connected via Azure Arc. It also includes advanced threat protection features like just-in-time (JIT) VM access and file integrity monitoring, making it the correct choice for this scenario.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a CSPM and workload protection platform) with Microsoft Sentinel (a SIEM), but the question explicitly asks for a single dashboard for security posture, secure score, and advanced threat protection features like JIT and file integrity monitoring, which are exclusive to Defender for Cloud.

How to eliminate wrong answers

Option B is wrong because Microsoft Sentinel is a cloud-native SIEM and SOAR solution for security information and event management, not a dashboard for security posture management, secure score, or built-in JIT/file integrity monitoring. Option C is wrong because Microsoft Defender for Endpoint focuses on endpoint detection and response (EDR) for devices, not on providing a unified secure score or recommendations for Azure and Arc-connected servers. Option D is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) for controlling and protecting cloud applications, not for managing VM security configurations or on-premises server posture.

198
MCQhard

Your company is deploying Microsoft Entra ID Governance. They want to automate the review of guest user access to Microsoft Teams and remove access when guests leave the partner organization. Which feature should they implement?

A.Access reviews and connected organizations
B.Entitlement management
C.Terms of use
D.Password policies
AnswerA

Access reviews with connected organizations automate removal.

Why this answer

Access reviews in Microsoft Entra ID Governance allow you to create recurring reviews of guest user access to resources like Microsoft Teams. By configuring the review to include connected organizations, you can automatically remove guest access when the guest's identity is no longer associated with a partner organization, such as when they leave the partner company. This automation is achieved through the integration of access reviews with the connected organization's lifecycle, ensuring that guest access is revoked without manual intervention.

Exam trap

The trap here is that candidates often confuse entitlement management (which handles access requests and provisioning) with access reviews (which handle periodic attestation and automated removal), leading them to choose entitlement management instead of the correct feature for automated removal based on partner organization changes.

How to eliminate wrong answers

Option B is wrong because entitlement management is used to manage access packages and automate the request and approval process for resources, but it does not directly automate the removal of guest access based on the guest leaving a partner organization; that is the function of access reviews with connected organizations. Option C is wrong because terms of use are used to present and require acceptance of legal or policy documents before accessing resources, not to automate access removal based on organizational membership changes. Option D is wrong because password policies control password complexity, expiration, and lockout settings, and have no role in automating the review or removal of guest access based on partner organization membership.

199
MCQhard

Refer to the exhibit. You are creating a Microsoft Purview sensitivity label for HR data. The JSON shows a label configuration. What is the likely effect of setting the sensitivity value to 90?

A.The label automatically encrypts the document
B.The label triggers auditing for 90 days
C.The label sets a 90-day retention period
D.The label will be applied with higher priority than labels with lower sensitivity values
AnswerD

Higher sensitivity values denote higher priority for auto-classification.

Why this answer

Option D is correct because in Microsoft Purview, higher sensitivity values indicate higher priority, and labels with higher sensitivity can auto-classify and override lower labels. Option A is wrong because the sensitivity value does not directly control encryption. Option C is wrong because the sensitivity value does not affect retention. Option B is wrong because the sensitivity value does not determine audit logging.

200
Multi-Selecthard

Which THREE capabilities are provided by Microsoft Defender XDR (formerly Microsoft 365 Defender)? (Choose three.)

Select 3 answers
A.Identity threat detection
B.Data classification and labeling
C.Endpoint detection and response (EDR)
D.Mobile device management (MDM)
E.Email and collaboration protection
AnswersA, C, E

Defender for Identity is part of XDR.

Why this answer

Options A, C, and E are correct. Microsoft Defender XDR includes Microsoft Defender for Identity, Microsoft Defender for Endpoint, and Microsoft Defender for Office 365. Option B is wrong because data classification and labeling belong to Microsoft Purview, a separate compliance solution. Option D is wrong because Microsoft Intune is for device management, not part of XDR.

201
MCQeasy

A company wants to allow users to reset their own passwords from the login screen without contacting IT. Which Microsoft Entra ID feature enables this?

A.Conditional Access
B.Multifactor authentication
C.Self-Service Password Reset
D.Identity Protection
AnswerC

Correct: SSPR enables users to reset passwords without IT intervention.

Why this answer

Self-Service Password Reset (SSPR) is the Microsoft Entra ID feature that allows users to reset their own passwords from the login screen without contacting IT. It is specifically designed to reduce helpdesk workload by enabling password changes or unlocks through a verified authentication method, such as a phone call, text message, or the Microsoft Authenticator app.

Exam trap

The trap here is that candidates often confuse Conditional Access with SSPR because both appear in the login flow, but Conditional Access enforces policies after authentication, whereas SSPR is a separate feature for password recovery before authentication completes.

How to eliminate wrong answers

Option A is wrong because Conditional Access is a policy engine that enforces access controls (e.g., requiring MFA or blocking sign-ins from specific locations) based on signals like user, device, or location, but it does not provide password reset functionality. Option B is wrong because Multifactor Authentication (MFA) adds an extra layer of security by requiring a second verification factor during sign-in, but it does not enable users to reset their own passwords. Option D is wrong because Identity Protection uses machine learning to detect and respond to identity-based risks (e.g., leaked credentials or anomalous sign-ins), but it does not include a self-service password reset capability.

202
MCQhard

Refer to the exhibit. You run a KQL query in Microsoft Sentinel to investigate ransomware alerts. The query returns: AlertSeverity High: 5, Medium: 3, Low: 2. The security team wants to automate a response for all high-severity ransomware alerts. What should you configure?

A.Create an analytics rule for ransomware
B.Create a hunting query for ransomware
C.Create a workbook to display ransomware alerts
D.Create an automation rule that triggers a playbook for high-severity ransomware incidents
AnswerD

Automation rules enable automated response.

Why this answer

Option D is correct because an automation rule can trigger a playbook for high-severity incidents. Option A is wrong because analytics rules generate alerts, not automate responses. Option B is wrong because hunting queries are proactive.

Option C is wrong because workbooks visualize data.

203
MCQmedium

You are reviewing a Microsoft Purview DLP policy configuration as shown in the exhibit. What is the expected behavior when a user sends an email containing a credit card number to an external recipient?

A.The email is delivered, but the user receives a warning.
B.The email is delivered, and the user is asked to provide a business justification.
C.The email is blocked, but only if the recipient is external and internal recipients are allowed.
D.The email is blocked, and the user receives a policy tip notification.
AnswerD

The policy blocks external sharing and notifies the user.

Why this answer

The exhibit's rule detects the Credit Card Number sensitive information type and, for recipients outside the organization, applies the action to block the message and show a policy tip to the sender. Option D is correct because that is exactly the configured behavior: the message is not delivered, and the user is told why. Option A is wrong because a block action stops delivery; a warning-only outcome would require a rule that notifies without blocking.

Option B is wrong because asking for a business justification requires the rule to let the user override the block, and this rule does not allow override. Option C is wrong because it describes a conditional outcome the exhibit does not define; the rule's action is a straightforward block with notification whenever a credit card number is detected in mail to an external recipient.

204
MCQeasy

Your organization wants to protect against phishing attacks by verifying the sender's identity for incoming emails. Which Microsoft Defender for Office 365 feature should you configure?

A.Anti-malware policy
B.Safe Links policy
C.Anti-phishing policy with SPF/DKIM/DMARC settings
D.Safe Attachments policy
AnswerC

Anti-phishing policies build on the SPF, DKIM and DMARC results to act on spoofed senders.

Why this answer

Option C is correct because Defender for Office 365 anti-phishing policies build on the SPF, DKIM and DMARC evaluation that Exchange Online Protection performs on every inbound message, adding spoof intelligence and user and domain impersonation protection on top. Publishing SPF, DKIM and DMARC records for your own domains is what lets other receivers verify mail you send; the anti-phishing policy is where you decide what happens to inbound senders that fail those checks. Option A is wrong because anti-malware policies scan for malware. Option B is wrong because Safe Links rewrites and checks URLs at click time.

Option D is wrong because Safe Attachments detonates attachments in a sandbox before delivery.
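To make the "verify the sender's identity" step concrete, the following is an added example (not code from the page or from Microsoft) of how a receiving mail system turns SPF and DKIM results into a DMARC disposition, which is the signal an anti-phishing policy consumes. The DMARC record, the sample authentication results, the helper names and the contoso.com / attacker.example domains are all constructed for illustration, and the organizational domain is approximated by the last two DNS labels rather than the Public Suffix List the real algorithm uses.

```python
"""Added example, not code from the page or from Microsoft: how a receiving
mail system turns SPF and DKIM results into a DMARC disposition.  This is the
sender-identity check that Exchange Online Protection performs and that an
anti-phishing policy builds on.  The DMARC record, the sample authentication
results and the helper names are constructed for illustration, and the
organizational domain is approximated by the last two DNS labels rather than
the Public Suffix List the real algorithm uses."""
from __future__ import annotations
from dataclasses import dataclass, field


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; adkim=s') into its tags,
    filling in the RFC 7489 defaults for policy and alignment modes."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")      # policy applied when authentication fails
    tags.setdefault("adkim", "r")     # DKIM alignment: r = relaxed, s = strict
    tags.setdefault("aspf", "r")      # SPF alignment
    return tags


def org_domain(domain: str) -> str:
    """Simplification: treat the last two labels as the organizational domain."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict requires an exact match with the From
    domain, relaxed only requires the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    """What the receiver knows after running SPF and DKIM on one message."""
    from_domain: str                 # RFC 5322 From: domain, what the user sees
    spf_result: str                  # pass / fail / softfail / none
    spf_domain: str                  # RFC 5321 MAIL FROM domain SPF was evaluated for
    dkim: list[tuple[str, str]] = field(default_factory=list)  # (d= domain, result)


def dmarc_disposition(results: AuthResults, record: str) -> dict[str, object]:
    """DMARC passes when at least one authenticated identifier aligns with the
    From domain; otherwise the record's p= tag decides what happens."""
    tags = parse_dmarc(record)
    spf_ok = results.spf_result == "pass" and aligned(
        results.spf_domain, results.from_domain, tags["aspf"])
    dkim_ok = any(res == "pass" and aligned(d, results.from_domain, tags["adkim"])
                  for d, res in results.dkim)
    passed = spf_ok or dkim_ok
    if passed:
        action = "deliver"
    elif tags["p"] in ("reject", "quarantine"):
        action = tags["p"]
    else:
        action = "deliver"           # p=none: monitor only, report via rua/ruf
    return {"dmarc": "pass" if passed else "fail", "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "policy": tags["p"], "action": action}


# Constructed sample records and results for the contoso.com domain.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@contoso.com"
RECORD_STRICT = "v=DMARC1; p=quarantine; adkim=s; aspf=s"

LEGIT = AuthResults("contoso.com", "pass", "mail.contoso.com", [("contoso.com", "pass")])
# The attacker controls SPF and DKIM for their own domain, but nothing aligns with From:.
SPOOF = AuthResults("contoso.com", "pass", "attacker.example", [("attacker.example", "pass")])
# Third-party sender: SPF covers the provider's bounce domain, DKIM is signed with contoso's key.
THIRD_PARTY = AuthResults("contoso.com", "pass", "bounce.esp.example", [("contoso.com", "pass")])
# Only a subdomain signature: aligned under relaxed mode, not under strict.
SUBDOMAIN_SIGNED = AuthResults("contoso.com", "fail", "contoso.com", [("mail.contoso.com", "pass")])

if __name__ == "__main__":
    for name, res in [("legit", LEGIT), ("spoof", SPOOF), ("third-party", THIRD_PARTY)]:
        print(name, dmarc_disposition(res, RECORD))
    print("subdomain/strict", dmarc_disposition(SUBDOMAIN_SIGNED, RECORD_STRICT))
```

The SPOOF case is the one the exam question is really about: the attacker's mail passes SPF and DKIM for attacker.example, but neither identifier aligns with the visible From: domain, so DMARC fails and p=reject applies. The THIRD_PARTY case shows why DKIM signing matters for delegated senders such as marketing platforms, whose SPF domain will never align with yours.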

205
MCQhard

A large enterprise uses a variety of cloud applications, including sanctioned apps like Microsoft 365 and unsanctioned apps that employees adopted without IT approval. The security team wants to discover all cloud applications in use, assess each app's risk score based on more than 80 risk factors, and control data sharing within sanctioned apps to prevent data leakage. Additionally, they need to identify which users are using a new, unknown file-sharing service. Which Microsoft security solution should be deployed to meet these requirements?

A.Microsoft Defender for Cloud
B.Microsoft Defender for Cloud Apps
C.Microsoft Defender for Endpoint
D.Microsoft Purview Data Loss Prevention (DLP)
AnswerB

Defender for Cloud Apps is a CASB that discovers all cloud apps, assesses their risk using 80+ factors, and allows control over sanctioned apps.

Why this answer

Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) is a Cloud Access Security Broker (CASB). Its Cloud Discovery feature analyzes traffic logs from firewalls and proxies, or from Defender for Endpoint on onboarded devices, to reveal both sanctioned and unsanctioned apps and the users behind each one, which is how the users of a new, unknown file-sharing service are identified; app discovery policies can also alert when a new app first appears. Each discovered app carries a risk score derived from more than 80 factors (for example, encryption in transit, data residency and compliance certifications), and for sanctioned apps the session policies of Conditional Access App Control can block downloads or apply other controls to prevent data leakage.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (CSPM and workload protection for Azure and other cloud resources) with Microsoft Defender for Cloud Apps (a CASB), or they assume that Purview DLP alone can discover and risk-assess unsanctioned apps, when in fact DLP only controls data after the app is already identified and integrated.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and workload protection solution focused on securing Azure resources (e.g., VMs, containers, SQL), not on discovering or controlling cloud applications. Option C is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution that protects devices from malware and advanced threats, but it lacks native CASB capabilities for discovering unsanctioned cloud apps or assessing their risk scores. Option D is wrong because Microsoft Purview Data Loss Prevention (DLP) is designed to prevent accidental sharing of sensitive data across endpoints, email, and cloud apps via content inspection, but it does not discover unknown cloud apps or provide risk scoring for those apps.

206
Multi-Selecteasy

Which THREE are features of Microsoft Entra ID Protection? (Choose THREE.)

Select 3 answers
A.Privileged role management
B.Sign-in risk detection
C.Detection of leaked credentials
D.Risk-based conditional access
E.Identity governance
AnswersB, C, D

Identity Protection detects risky sign-ins such as from anonymous IP addresses.

Why this answer

Sign-in risk detection is a core feature of Microsoft Entra ID Protection. It uses real-time and offline machine learning models to evaluate each sign-in attempt for anomalies such as impossible travel, anonymous IP addresses, or atypical locations, assigning a risk level (low, medium, high). Detection of leaked credentials (C) is another of its risk detections: credentials found in public pastes or on the dark web are matched against the tenant and raise the user's risk level. Risk-based Conditional Access (D) consumes those sign-in risk and user risk levels as policy conditions, for example requiring MFA for medium sign-in risk or a password change for high user risk, so that suspicious sign-ins are remediated automatically before compromise occurs.

Exam trap

The trap here is that candidates often confuse Entra ID Protection (focused on risk detection and remediation) with Entra ID Governance (focused on identity lifecycle and access controls), leading them to select Privileged role management or Identity governance as features of ID Protection.

207
MCQeasy

Your organization has deployed Microsoft Intune for mobile device management. You need to ensure that users can only access corporate resources from devices that are compliant with your security policies. Which policy type should you configure?

A.A Conditional Access policy
B.An app protection policy
C.A compliance policy
D.A configuration policy
AnswerA

Conditional Access policies can block or grant access based on device compliance status from Intune.

Why this answer

Option A is correct because a Conditional Access policy in Microsoft Entra ID can use the grant control that requires the device to be marked as compliant, which reads the compliance state Intune reports for the device and blocks access from non-compliant devices. Option C is wrong because a compliance policy only defines the criteria and marks the device compliant or not; it does not block access on its own, although it is still needed, since Conditional Access acts on the state it reports. Option D is wrong because configuration policies push settings, not access control.

Option B is wrong because app protection policies govern data inside managed apps, not device-level access to resources.

208
MCQmedium

Your organization uses Microsoft Sentinel for security operations. You need to ensure that when a high-severity incident is created, a Microsoft Teams message is sent to the SOC team automatically. What should you configure?

A.Create an automation rule that triggers on incident creation and runs a playbook.
B.Create a playbook and attach it to an analytics rule.
C.Modify the analytics rule to include an automated response.
D.Configure a workbook to send email alerts.
AnswerA

Automation rules can trigger on incident creation and execute a playbook to send a Teams message.

Why this answer

Automation rules in Microsoft Sentinel trigger on incident creation or update, evaluate conditions such as severity equals High, and run one or more playbooks (Logic Apps) as their actions; a playbook using the Teams connector posts the message to the SOC channel. Option A is correct because the automation rule is what ties the incident-creation trigger and the severity condition to the playbook.

Option B is wrong because a playbook attached directly to an analytics rule runs on the alert trigger for each alert that rule produces, not when an incident is created. Option C is wrong because an analytics rule creates incidents; the notification logic belongs in the automation rule and playbook. Option D is wrong because workbooks are for visualization, not automation.

209
MCQmedium

A company runs a production Kubernetes cluster in Azure. The security team needs to continuously monitor the cluster for misconfigurations, such as containers running with privileged access or secrets exposed in environment variables. They also want to detect runtime threats like crypto-mining containers. Which Microsoft security solution should they use?

A.Microsoft Defender for Cloud
B.Microsoft Sentinel
C.Microsoft Defender for Endpoint
D.Microsoft Defender for Cloud Apps
AnswerA

Correct. Defender for Cloud includes CSPM and workload protection for AKS, offering both configuration recommendations and runtime threat detection for containers.

Why this answer

Microsoft Defender for Cloud provides Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) capabilities. It continuously assesses Kubernetes clusters against the CIS Kubernetes Benchmark, detecting misconfigurations like privileged containers and exposed secrets in environment variables, and uses behavioral analytics to detect runtime threats such as crypto-mining containers.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel's log aggregation capabilities with the proactive, agent-based posture management and runtime detection that Defender for Cloud provides specifically for Kubernetes workloads.

How to eliminate wrong answers

Option B is wrong because Microsoft Sentinel is a Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR) solution that ingests logs and alerts from multiple sources, but it does not natively perform continuous Kubernetes configuration scanning or runtime threat detection on clusters. Option C is wrong because Microsoft Defender for Endpoint is designed to protect endpoints (workstations, servers, mobile devices) from malware and advanced attacks, not to monitor Kubernetes cluster configurations or detect container runtime threats. Option D is wrong because Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that focuses on shadow IT discovery, data protection, and threat detection for SaaS applications, not on Kubernetes workload protection or container misconfiguration scanning.

210
MCQmedium

A company uses a mix of Azure virtual machines and on-premises Windows and Linux servers. The security team wants a single, integrated solution that can continuously assess these servers for missing security updates, weak operating system configurations, and common vulnerabilities. The solution should provide prioritized remediation recommendations. Which Microsoft security solution should they use?

A.Microsoft Defender for Cloud
B.Microsoft Sentinel
C.Microsoft Defender for Identity
D.Microsoft 365 Defender
AnswerA

Correct. Defender for Cloud provides integrated vulnerability assessment and security posture management for Azure, on-premises, and multi-cloud workloads, including patch and configuration recommendations.

Why this answer

Microsoft Defender for Cloud provides a unified infrastructure security management solution that continuously assesses hybrid workloads, including Azure VMs and on-premises Windows/Linux servers. It integrates with Azure Policy and Microsoft Defender Vulnerability Management to detect missing security updates, weak OS configurations, and common vulnerabilities, then delivers prioritized remediation recommendations based on risk scores.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a workload protection and compliance tool) with Microsoft 365 Defender (an endpoint and identity protection suite), leading them to choose the broader-sounding but incorrect option for a specific vulnerability assessment requirement.

How to eliminate wrong answers

Option B is wrong because Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution focused on log collection, threat detection, and incident response across the enterprise, not on continuous vulnerability assessment and configuration compliance of servers. Option C is wrong because Microsoft Defender for Identity is an identity-based security solution that uses on-premises Active Directory signals to detect advanced threats like lateral movement and privilege escalation, not for assessing OS-level vulnerabilities or missing updates. Option D is wrong because Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that covers endpoints, email, identities, and cloud apps, but it does not natively provide the continuous vulnerability assessment and configuration compliance scanning for hybrid servers that Defender for Cloud offers.

211
MCQhard

Refer to the exhibit. You are analyzing a Microsoft Sentinel workspace using KQL. The query returns no results, but you know that malware alerts have been generated today. What is the most likely reason?

A.The table does not contain a 'AlertSeverity' column.
B.The 'order by' clause is invalid.
C.The time range is too short.
D.The column name 'AlertName' is incorrect.
AnswerD

The filter uses a column name that does not fit the table being queried: 'SecurityAlert' keeps the alert title in 'AlertName', while 'SecurityIncident' keeps it in 'Title'.

Why this answer

Option D is correct because a KQL query that runs without error yet returns no rows has a filter that matches nothing, and the exhibit's title filter uses a name that does not fit the table it queries. Alerts from connectors and analytics rules land in the 'SecurityAlert' table, where the title is in 'AlertName' and the severity in 'AlertSeverity'; the 'SecurityIncident' table stores the incident title in 'Title'. Mixing the two, or comparing a value with the wrong case (the '==' operator is case-sensitive; use '=~' or 'has' for case-insensitive matching), yields an empty result even though today's malware alerts exist.

Two practical checks: run 'SecurityAlert | getschema' to confirm the column names, then 'SecurityAlert | where TimeGenerated > ago(1d) | summarize count() by AlertName' to see which titles actually exist before filtering on one. Note that a column that does not exist at all fails the query with a resolution error rather than returning nothing, so an empty result points at a column that exists but holds different data, or at a value that does not match. Option A is wrong because 'AlertSeverity' is a standard column of 'SecurityAlert'. Option C is wrong because the alerts were generated today, so a time range that covers today is not the problem.

Option B is wrong because the 'order by' clause is syntactically valid; a syntax error would fail the query rather than return an empty set.

212
Multi-Selectmedium

Which TWO of the following are capabilities of Microsoft Defender XDR? (Choose two.)

Select 2 answers
A.Correlate alerts from multiple domains into a single incident
B.Data loss prevention for sensitive information
C.Centralized log analytics for custom queries
D.Identity governance and access reviews
E.Automated investigation and response across domains
AnswersA, E

Defender XDR correlates alerts across endpoints, email, etc.

Why this answer

Microsoft Defender XDR correlates alerts from multiple domains, such as endpoint, email, identity, and cloud apps, into a single incident. This cross-domain correlation is a core capability of the XDR (Extended Detection and Response) solution, enabling security teams to see the full attack story in one place. Automated investigation and response (E) is the second capability: when an alert fires, Defender XDR investigates the devices, mailboxes and identities involved and proposes or executes remediation actions (quarantine a file, isolate a device, soft-delete a message), which analysts review and approve in the Action center.

Exam trap

The trap here is that candidates confuse the broad security portfolio—such as DLP, SIEM, and identity governance—with the specific cross-domain correlation and automated response capabilities that define Microsoft Defender XDR.

213
Multi-Selectmedium

Which TWO Microsoft Purview features can be used to classify and label sensitive data in Microsoft 365?

Select 2 answers
A.Auto-labeling policies
B.Data Loss Prevention policies
C.Retention policies
D.Sensitivity labels
E.Audit policies
AnswersA, D

Automatically apply sensitivity labels.

Why this answer

Auto-labeling policies (A) are correct because they allow organizations to automatically apply sensitivity labels to data based on conditions such as sensitive information types or pattern matching, enabling classification and labeling without manual user intervention. Sensitivity labels (D) are correct because they are the core mechanism in Microsoft Purview for classifying and protecting sensitive data by applying persistent labels that can enforce encryption, access restrictions, and visual markings across Microsoft 365 services.

Exam trap

The trap here is that candidates often confuse Data Loss Prevention policies with classification and labeling, but DLP policies only enforce actions based on existing labels or sensitive info types, not create or apply the labels themselves.

214
Multi-Selectmedium

A security administrator is configuring Microsoft Entra ID Conditional Access. Which THREE conditions can be included in a policy?

Select 3 answers
A.User risk
B.Location
C.Authentication strength
D.Application
E.Device platform
AnswersB, D, E

Correct: location, cloud application and device platform are conditions of a Conditional Access policy.

Why this answer

Device platform, location, and application are the conditions the policy evaluates. User risk appears as a condition only through Microsoft Entra ID Protection, which requires a P2 license, and is treated on the exam as an Identity Protection signal rather than a core Conditional Access condition. Authentication strength is a grant control (what the user must satisfy to get in), not a condition (when the policy applies).

215
MCQhard

Your company uses Microsoft Defender for Endpoint. A security analyst reports that a device is showing multiple alerts for the same malware variant, but the alerts are being automatically suppressed after the initial detection. What is the most likely reason for this behavior?

A.Alert suppression is enabled to reduce noise from repeated detections
B.The alerts are classified as low severity
C.The device is not properly onboarded to Microsoft Defender for Endpoint
D.Automatic investigation and remediation resolved the alerts
AnswerA

A suppression rule matching this malware hides the later alerts for it, so repeated detections do not flood the queue.

Why this answer

Option A is correct because alert suppression rules in Defender for Endpoint hide alerts that match a defined indicator (file hash, IP address, URL or command line) within their scope, so repeated detections of the same malware variant after the first alert are suppressed rather than shown. To confirm, review the rules under Settings > Endpoints > Rules > Alert suppression in the Microsoft Defender portal and check the matching rule's scope; suppressed alerts are still recorded and can be surfaced in the alerts queue by filtering on suppressed status. Option B is incorrect because severity does not suppress alerts. Option D is incorrect because automated investigation and remediation resolves alerts and records that outcome; it does not suppress them.

Option C is incorrect because a device that is not onboarded would generate no alerts at all, not a first alert followed by suppressed ones.

216
MCQeasy

Your organization needs to monitor and respond to security threats across on-premises, cloud, and hybrid environments. Which Microsoft solution provides a unified SIEM and SOAR capability?

A.Microsoft Defender XDR
B.Microsoft Defender for Cloud
C.Microsoft Sentinel
D.Microsoft Intune
AnswerC

Correct: Sentinel provides SIEM and SOAR across environments.

Why this answer

Microsoft Sentinel is the correct answer because it is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR) solution. It provides unified threat monitoring, detection, and response across on-premises, cloud, and hybrid environments by ingesting data from various sources, using built-in analytics, and enabling automated playbooks.

Exam trap

The trap here is that candidates often confuse Microsoft Defender XDR (an XDR tool) with a full SIEM/SOAR solution, but Sentinel is the only Microsoft offering that provides both SIEM and SOAR capabilities natively.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender XDR is an extended detection and response (XDR) solution that correlates alerts across endpoints, email, identities, and cloud apps, but it does not provide the full SIEM data ingestion and SOAR orchestration capabilities of Sentinel. Option B is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection platform (CWPP) that focuses on securing cloud resources, not a unified SIEM/SOAR solution. Option D is wrong because Microsoft Intune is a cloud-based endpoint management and mobile device management (MDM) service, with no SIEM or SOAR functionality.

217
MCQmedium

A user reports that they cannot access a sensitive document in SharePoint Online. The document has a 'Highly Confidential' sensitivity label. You verify the label is applied correctly. What is the most likely reason for the access issue?

A.The label's encryption settings restrict access to specific users
B.The sensitivity label is missing
C.A DLP policy is blocking access
D.A retention policy is blocking access
AnswerA

Encryption can limit access.

Why this answer

Option A is correct because a sensitivity label can apply encryption with usage rights that limit who may open the document; if the user is not among the label's permitted users or groups, SharePoint stores the file but the user cannot open it, even with access to the site. Option B is wrong because the label is applied, not missing. Option D is wrong because retention policies govern how long content is kept, not who can read it.

Option C is wrong because DLP policies restrict sharing and specific actions; they do not stop an authorized user from opening a document.

218
MCQmedium

Refer to the exhibit. You are a security analyst using Microsoft Sentinel. You run this KQL query. What does the query return?

A.High-severity alerts that do not have an incident assigned.
B.High-severity alerts that were closed within the last hour.
C.Incident IDs for high-severity alerts that have an open incident.
D.All incidents created in the last hour.
AnswerC

The query filters for high-severity alerts, joins with incidents, and filters out closed ones.

Why this answer

The query returns incident identifiers for high-severity alerts whose associated incident is not closed: it filters 'SecurityAlert' on severity, joins to 'SecurityIncident' on the alert ID, and drops rows whose incident status is Closed. Option C is correct. Option A is incorrect because the join keeps only alerts that do have an incident, not alerts without one. Option B is incorrect because the status filter removes closed incidents rather than selecting them.

Option D is incorrect because the severity filter restricts the result to high-severity alerts rather than returning every incident.

219
MCQhard

Your company uses Microsoft Defender for Cloud Apps to discover shadow IT. The security team wants to automatically block the use of a newly discovered high-risk cloud app across all users. What is the most efficient approach?

A.Create a Conditional Access policy to block the app for all users.
B.Manually add the app to the blocked list in the cloud discovery settings.
C.Create an app discovery policy with governance action to unsanction the app.
D.Configure session controls to monitor app usage.
AnswerC

An app discovery policy can tag a newly seen high-risk app as unsanctioned automatically.

Why this answer

Defender for Cloud Apps app discovery policies evaluate newly discovered apps against conditions such as a risk score below a threshold and can apply the governance action to tag the app as unsanctioned with no analyst involvement. Unsanctioning by itself only marks the app; the block is enforced through the Defender for Endpoint integration (Enforce app access, which pushes the app's domains to onboarded devices as blocked indicators) or by exporting a block script for the organization's firewall or proxy. Option A is incorrect because Conditional Access only governs apps that authenticate through Microsoft Entra ID; a shadow-IT app the organization has not integrated cannot be blocked that way. Option B is incorrect because tagging the app by hand is not automatic and would have to be repeated for every new app.

Option D is incorrect because session controls monitor and limit sessions in apps already onboarded through Conditional Access App Control; they do not block an unsanctioned app.

220
MCQhard

Refer to the exhibit. You are deploying a custom assessment automation in Microsoft Defender for Cloud using Bicep. The deployment fails with an error that the resource type is not valid. What is the most likely reason?

A.The API version is not supported.
B.The property 'supportedCloud' should be 'supportedClouds' as an array.
C.The name property is missing.
D.The resource type is misspelled.
AnswerB

The correct property is 'supportedClouds' (plural) and expects an array.

Why this answer

The resource type 'Microsoft.Security/customAssessmentAutomations' exists and '2021-07-01-preview' is a published API version for it, so among the options the most likely cause is a property whose name and shape do not match the schema: the answer the question expects is that the exhibit's 'supportedCloud' should be 'supportedClouds' with an array value. Option B is correct. Before deploying, confirm property names and value types against the Bicep resource reference for the exact API version you target, since property names and types differ between versions; 'az bicep build' warns about a property the type does not define at compile time, which is cheaper than a failed deployment.

Option A is wrong because the API version is a valid one for this type. Option C is wrong because the name property is present. Option D is wrong because the resource type is spelled correctly.

221
MCQeasy

Your company uses Microsoft Purview to govern data across on-premises and cloud sources. You need to classify sensitive data such as credit card numbers and social security numbers automatically. What should you create?

A.Data loss prevention policies
B.Sensitivity labels
C.Sensitive information types
D.Retention labels
AnswerC

Sensitive information types define patterns for automatic detection of sensitive data like credit card numbers.

Why this answer

Option C is correct because sensitive information types, such as the built-in Credit Card Number and U.S. Social Security Number (SSN) types, are the pattern, checksum and keyword definitions Microsoft Purview uses to classify content automatically; they can be used as-is or customized. Option B is wrong because sensitivity labels apply protection (encryption, markings, access restrictions) to content that has been classified, and auto-labeling relies on sensitive information types to decide what to label. Option D is wrong because retention labels govern retention and deletion.

Option A is wrong because data loss prevention policies consume sensitive information types as conditions; they are not the classification mechanism itself.

222
MCQmedium

Your company uses Microsoft 365 E5 licenses and wants to prevent sensitive data from being shared externally via email. You need to configure a solution that automatically scans outgoing emails for credit card numbers and blocks them if detected. What should you use?

A.Microsoft Defender for Office 365 Safe Attachments policy
B.Microsoft Purview Data Loss Prevention (DLP) policy for Exchange Online
C.Microsoft Intune App Protection policy
D.Microsoft Entra ID Conditional Access policy
AnswerB

DLP policies can detect and block sensitive data in emails.

Why this answer

Option B is correct because a Microsoft Purview DLP policy scoped to Exchange Online can detect the Credit Card Number sensitive information type in outgoing messages and block delivery to external recipients, optionally showing a policy tip to the sender. Option A is wrong because Safe Attachments sandboxes attachments for malware; it does not inspect content for sensitive data. Option D is wrong because Conditional Access governs sign-in and access to apps, not message content.

Option C is wrong because Intune app protection policies control data handling inside managed mobile apps, not outbound email content.
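Questions 203, 221 and 222 all turn on the same mechanism: a sensitive information type recognizes a credit card number, and a DLP rule decides what to do when one is sent outside the organization. The following is an added example, not code from the page or from Microsoft, of a simplified model of that chain. The real built-in Credit Card Number type combines a digit pattern, a Luhn checksum and supporting evidence such as nearby keywords; the rule fields, confidence labels, the contoso.com organization domain and the sample messages below are assumptions made for illustration.

```python
"""Added example, not code from the page or from Microsoft: a simplified model
of the built-in Credit Card Number sensitive information type (SIT) and of a
DLP rule that blocks mail to external recipients and shows a policy tip.  The
real SIT combines a digit pattern, a Luhn checksum and supporting evidence
such as nearby keywords; the rule fields, confidence labels, organization
domains and sample messages here are assumptions made for illustration."""
from __future__ import annotations
import re
from dataclasses import dataclass

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer run of digits (which rules out most long identifiers).
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
KEYWORDS = ("credit card", "card number", "visa", "mastercard", "amex", "cvv", "exp")
KEYWORD_WINDOW = 300   # characters either side of a match to look for a keyword
ORG_DOMAINS = {"contoso.com"}   # assumed: the tenant's own accepted domains


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) checksum: from the right, double every second digit and
    subtract 9 if the product exceeds 9; the sum must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Detection:
    digits: str
    confidence: str      # "high" with a supporting keyword nearby, else "medium"


def detect_cards(text: str) -> list[Detection]:
    """Find candidate card numbers, keep only those that pass Luhn, and rate
    confidence by whether a supporting keyword appears near the match."""
    lowered = text.lower()
    found: list[Detection] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue      # ticket numbers, phone numbers and similar drop out here
        window = lowered[max(0, m.start() - KEYWORD_WINDOW): m.end() + KEYWORD_WINDOW]
        conf = "high" if any(k in window for k in KEYWORDS) else "medium"
        found.append(Detection(digits, conf))
    return found


@dataclass
class DlpRule:
    """Stand-in for one Purview DLP rule: condition, scope and actions."""
    name: str
    min_count: int = 1               # instance count threshold
    min_confidence: str = "medium"   # "medium" accepts medium and high matches
    external_only: bool = True       # apply only when a recipient is outside the org
    block: bool = True
    notify_user: bool = True         # show a policy tip to the sender
    allow_override: bool = False     # business-justification override


@dataclass
class Message:
    sender: str
    recipients: list[str]
    body: str
    justification: str = ""


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def evaluate(rule: DlpRule, msg: Message) -> dict[str, object]:
    """Return the action the rule takes on the message and the policy tip, if any."""
    hits = detect_cards(msg.body)
    if rule.min_confidence == "high":
        hits = [h for h in hits if h.confidence == "high"]
    in_scope = (not rule.external_only) or any(is_external(r) for r in msg.recipients)
    if len(hits) < rule.min_count or not in_scope:
        return {"action": "deliver", "matches": len(hits), "policy_tip": None}
    tip = (f"{rule.name}: this message contains {len(hits)} credit card number(s)"
           if rule.notify_user else None)
    if rule.allow_override and msg.justification:
        return {"action": "deliver_with_override", "matches": len(hits), "policy_tip": tip}
    if rule.block:
        return {"action": "block", "matches": len(hits), "policy_tip": tip}
    return {"action": "deliver", "matches": len(hits), "policy_tip": tip}   # notify-only rule


RULE = DlpRule(name="Block credit card numbers sent externally")

# Constructed messages: a well-known test card number, the same body sent
# internally, and a digit run that looks like a card but fails the checksum.
SAMPLE_EXTERNAL = Message("alice@contoso.com", ["vendor@fabrikam.com"],
                          "Please charge my Visa card number 4111 1111 1111 1111, exp 09/27.")
SAMPLE_INTERNAL = Message("alice@contoso.com", ["bob@contoso.com"], SAMPLE_EXTERNAL.body)
SAMPLE_NOISE = Message("alice@contoso.com", ["vendor@fabrikam.com"],
                       "Ticket 1234 5678 9012 3456 is still open.")

if __name__ == "__main__":
    for msg in (SAMPLE_EXTERNAL, SAMPLE_INTERNAL, SAMPLE_NOISE):
        print(msg.recipients, evaluate(RULE, msg))
```

The three outcomes map onto the answer choices in question 203: the external message is blocked with a policy tip, the identical internal message is delivered because the rule is scoped to external recipients, and the ticket number never counts as a match because it fails the checksum. Setting allow_override to True is what would produce the "business justification" behaviour of option B instead of a hard block.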

223
MCQeasy

A company uses Microsoft Defender for Cloud to assess the security posture of their Azure subscriptions. They want to improve their secure score. What should they do?

A.Implement the security recommendations
B.Remove all virtual machines from the subscription
C.Increase the Azure budget
D.Disable Microsoft Defender for Cloud
AnswerA

Following recommendations directly improves secure score.

Why this answer

Option A is correct because secure score rises as the recommendations Defender for Cloud raises are remediated; recommendations are grouped into security controls, and the score for each control rises as the resources under it become healthy. Option D is wrong because disabling Defender for Cloud removes the assessment rather than improving it. Option B is wrong because removing compute resources does not address the controls that apply to what remains.

Option C is wrong because the Azure budget has no bearing on security posture.

224
Multi-Selectmedium

Which TWO actions can be performed using Microsoft Purview Communication Compliance? (Choose two.)

Select 2 answers
A.Automatically encrypt emails containing sensitive data
B.Review messages for potential regulatory compliance violations
C.Detect and review emails containing confidential information
D.Prevent the sharing of sensitive data with external users
E.Enforce retention policies for communications
AnswersB, C

Communication Compliance helps organizations detect compliance violations.

Why this answer

Options B and C are correct. Communication Compliance scans email, Teams and other channels against policies built from sensitive information types, trainable classifiers and keyword conditions, then routes matching messages to reviewers who can tag, escalate or resolve them; this covers potential regulatory compliance violations (B) and messages carrying confidential information (C). Option A is incorrect because automatic encryption is done by sensitivity labels and mail flow rules, not by Communication Compliance.

Option E is incorrect because retention is handled by retention policies and labels. Option D is incorrect because preventing the sharing of sensitive data with external users is the job of DLP policies; Communication Compliance detects and reviews after the message is sent.

225
MCQmedium

Your organization uses Microsoft Purview to label and protect sensitive data. The compliance team wants to automatically apply a 'Confidential' label to documents containing personally identifiable information (PII) stored in SharePoint Online. What should they create?

A.A DLP policy to detect PII
B.A trainable classifier for PII
C.A retention label policy for PII
D.An auto-labeling policy for sensitivity labels
AnswerD

Auto-labeling applies labels automatically to detected sensitive data.

Why this answer

Auto-labeling policies for sensitivity labels apply a label such as 'Confidential' to documents in SharePoint Online, OneDrive and Exchange based on conditions like sensitive information types (for example, the built-in PII types) or trainable classifiers, with no action from the user. Run the policy in simulation mode first to review what it would label before turning it on. Option C is incorrect because retention labels govern how long content is kept. Option B is incorrect because a trainable classifier is only a detection condition; it does not apply labels by itself, though it can be used as a condition inside an auto-labeling policy.

Option A is incorrect because a DLP policy detects PII and blocks or audits actions; it does not apply a sensitivity label.
