CCNA Ms Security Capabilities Questions

75 of 470 questions · Page 4/7 · Ms Security Capabilities topic · Answers revealed

226
MCQ · medium

A security analyst needs to query Microsoft 365 audit logs to find all activities where a user deleted a file from SharePoint Online in the last 24 hours. Which tool should they use?

A. Microsoft Sentinel
B. Microsoft Purview compliance portal audit search
C. Microsoft Graph PowerShell
D. Microsoft Defender for Cloud Apps
Answer: B

Provides native audit log search capabilities.

Why this answer

Microsoft Purview compliance portal audit search is the correct tool because it provides a dedicated, searchable interface for querying the Microsoft 365 unified audit log. This log records all user and admin activities, including file deletions from SharePoint Online, and supports time-based filters (e.g., last 24 hours) to retrieve specific events. It is purpose-built for compliance and security investigations without requiring additional licensing or complex scripting.

Exam trap

The trap here is that candidates may confuse Microsoft Sentinel (a SIEM) with a simple audit log search tool, but Sentinel is designed for advanced threat detection and correlation, not for direct, ad-hoc queries of the unified audit log without additional setup.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a cloud-native SIEM that ingests audit logs from multiple sources, but it requires additional licensing and configuration to query Microsoft 365 audit logs; it is not the direct tool for a simple audit log query. Option C is wrong because Microsoft Graph PowerShell can retrieve audit log data via cmdlets like Search-UnifiedAuditLog, but it requires PowerShell scripting and module installation, making it less straightforward than the Purview portal for a one-off query. Option D is wrong because Microsoft Defender for Cloud Apps focuses on cloud app discovery, session controls, and anomaly detection, not on directly querying the unified audit log for historical file deletion events.

227
MCQ · medium

A company uses Microsoft 365 and allows employees to access corporate email and documents from their personal devices. The security team wants to protect against malicious links in emails and Microsoft Teams messages. When a user clicks a link, it should be checked in real-time to see if it leads to a known malicious site. If it does, access should be blocked. Which Microsoft security solution provides this capability?

A. Microsoft Defender for Endpoint
B. Microsoft Defender for Office 365
C. Microsoft Defender for Cloud Apps
D. Microsoft Defender for Identity
Answer: B

Defender for Office 365 includes Safe Links and Safe Attachments to protect against phishing and malicious URLs in email and Teams.

Why this answer

Microsoft Defender for Office 365 includes Safe Links, which provides real-time URL scanning at the time of click. When a user clicks a link in an email or Teams message, the URL is rewritten and checked against a dynamic list of known malicious sites. If the link is determined to be malicious, access is blocked, and the user is redirected to a warning page.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Office 365 (which handles email and collaboration security) with Microsoft Defender for Endpoint (which handles device-level threats), leading them to choose the endpoint solution for a link-scanning scenario.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint focuses on endpoint detection and response (EDR), antivirus, and device-level threat protection, not on scanning links in email or Teams messages. Option C is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that provides visibility and control over cloud app usage, but it does not perform real-time link scanning in email or Teams. Option D is wrong because Microsoft Defender for Identity monitors on-premises Active Directory signals to detect identity-based attacks, such as lateral movement or privilege escalation, and does not inspect links in communications.

228
MCQ · easy

You are the security administrator for a company using Microsoft Defender XDR. A user reports receiving a suspicious email with a link. What Microsoft Defender XDR feature should you use to investigate the email's threat level?

A. Email & collaboration in Microsoft Defender XDR
B. Microsoft Defender for Endpoint
C. Microsoft Defender for Cloud Apps
D. Microsoft Defender for Identity
Answer: A

This provides email threat investigation.

Why this answer

Option A is correct because Email & collaboration in Microsoft Defender XDR provides detailed analysis of email threats. Option C is wrong because Microsoft Defender for Cloud Apps focuses on cloud app security, not email. Option D is wrong because Microsoft Defender for Identity focuses on identity threats.

Option B is wrong because Microsoft Defender for Endpoint focuses on endpoint threats.

229
MCQ · medium

Your organization uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate email. What should you configure?

A. A device compliance policy
B. A conditional access policy
C. A device configuration policy
D. An app protection policy
Answer: B

Conditional access can require a compliant device for access.

Why this answer

Conditional access policies in Microsoft Entra ID can require device compliance for accessing cloud apps like Exchange Online, so Option B is correct. Option A is wrong because compliance policies only define compliance; they don't enforce access.

Option C is wrong because device configuration policies set settings, not access. Option D is wrong because app protection policies manage data, not device compliance.

230
MCQ · easy

Your company uses Microsoft Intune to manage devices. You need to ensure that only devices that are compliant with your security policies can access corporate email via Microsoft Outlook. What should you implement?

A. Windows Information Protection
B. Device compliance policies
C. App protection policies
D. Conditional Access policies
Answer: D

Conditional Access policies enforce access controls based on conditions like device compliance.

Why this answer

Option D is correct because Conditional Access policies in Entra ID can enforce device compliance as a condition for accessing cloud apps like Exchange Online. Option C is wrong because app protection policies protect data within apps but do not control access based on device compliance. Option B is wrong because device compliance policies define compliance requirements but do not enforce access control.

Option A is wrong because Windows Information Protection (WIP) protects corporate data on devices but does not control access to email.

231
MCQ · hard

You are reviewing a Microsoft Purview DLP policy rule represented in JSON. What is the effect of this rule?

A. It blocks the sending of an email if it contains 10 or more credit card numbers with high confidence
B. It notifies the user when a single credit card number is detected in email
C. It triggers a policy tip when a single credit card number is detected
D. It blocks access to a SharePoint site containing credit card numbers
Answer: A

The condition specifies instanceCount 10 and high confidence, and the action is BlockAccess.

Why this answer

Option A is correct because the JSON rule defines a condition where the DLP policy blocks email transmission when the count of credit card numbers detected with high confidence meets or exceeds 10. The 'BlockAccess' action in the rule enforces this by preventing the email from being sent, and the 'NotifyUser' action with 'NotifyOnly' set to false ensures the user is notified of the block. This matches the behavior of a Microsoft Purview DLP policy that uses a threshold-based condition with high confidence to block sensitive data sharing.

Exam trap

The trap here is that candidates often confuse the 'NotifyUser' action with a simple policy tip or notification, overlooking that the 'BlockAccess' action combined with a threshold count (10) means the email is blocked, not just flagged, and that the rule is scoped to Exchange, not SharePoint.

How to eliminate wrong answers

Option B is wrong because the rule specifies a minimum count of 10 credit card numbers (via the 'Count' parameter set to 10), not a single instance, and the action is 'BlockAccess' with notification, not merely a notification without blocking. Option C is wrong because a policy tip is a type of notification that appears in Outlook or other apps, but the rule's 'NotifyUser' action with 'NotifyOnly' set to false indicates a block occurs, not just a tip; a policy tip alone would require 'NotifyOnly' set to true. Option D is wrong because the rule's 'Location' is set to 'Exchange' (email), not SharePoint; DLP policies are location-specific, and this rule applies to email transport, not SharePoint site access.

232
Multi-Select · hard

An organization uses Microsoft Purview Audit to meet compliance requirements. Which TWO types of audit logs can be accessed?

Select 2 answers
A. Windows Security event logs
B. Azure Active Directory audit logs
C. Purview advanced audit logs
D. Microsoft 365 unified audit log
E. Azure SQL Database audit logs
Answers: C, D

Correct: Part of Purview Audit.

Why this answer

The Microsoft 365 unified audit log covers most services, and Purview Audit also includes advanced audit features. Azure AD audit logs are separate.

Windows event logs are not directly accessible through Purview Audit. Azure SQL audit logs are separate.

233
Multi-Select · easy

Which TWO Microsoft Purview solutions can help detect and prevent data exfiltration?

Select 2 answers
A. Microsoft Purview Insider Risk Management
B. Microsoft Purview Audit
C. Microsoft Purview Data Loss Prevention
D. Microsoft Purview Compliance Manager
E. Microsoft Purview eDiscovery
Answers: A, C

Correct: Insider Risk Management detects risky user activities that may lead to exfiltration.

Why this answer

Data Loss Prevention (DLP) and Insider Risk Management are both designed to detect and prevent data exfiltration. Option B (Audit) logs activity but does not prevent it. Option D (Compliance Manager) manages compliance posture.

Option E (eDiscovery) is for legal discovery.

234
MCQ · medium

Your organization recently deployed Microsoft Defender for Cloud Apps. You need to identify which users are using a personal Dropbox account to access corporate files. Which feature should you use?

A. Activity policies
B. Cloud Discovery
C. File policies
D. App permissions
Answer: B

Cloud Discovery analyzes traffic logs to identify shadow IT and unsanctioned cloud apps.

Why this answer

Option B is correct because Cloud Discovery identifies shadow IT usage, such as personal Dropbox accounts. Option C is incorrect because file policies are for DLP, not discovery. Option D is incorrect because app permissions focus on OAuth apps.

Option A is incorrect because activity policies monitor activities but do not discover apps.

235
MCQ · medium

A company uses Microsoft Sentinel for security operations. They want to automatically create an incident and assign it to a senior analyst when a high-severity alert is generated. Which feature should they use?

A. Analytics rule
B. Automation rule
C. Workbook
D. Playbook
Answer: B

Automation rules can create incidents and assign them automatically.

Why this answer

Automation rules in Microsoft Sentinel allow you to define automated responses to incidents, including creating incidents, assigning them, and running playbooks. Option A is incorrect because analytics rules generate alerts; they do not manage incident actions. Option D is incorrect because playbooks are triggered by automation rules but don't create incidents themselves.

Option C is incorrect because workbooks provide visualization, not automation.

236
MCQ · medium

You are a security administrator for a company that uses Microsoft 365. The company has a Microsoft Purview Data Loss Prevention (DLP) policy that blocks sharing of Social Security Numbers (SSNs) externally. Recently, a user accidentally sent an email containing SSNs to an external partner after overriding the policy by selecting a business justification. Management wants to prevent users from overriding the policy for SSNs. You need to update the DLP policy to ensure that users cannot override the block for SSNs. What should you do?

A. Modify the rule to set 'Allow override' to 'No' in the policy tip configuration.
B. Increase the rule priority to ensure it is enforced before other rules.
C. Remove the policy tip from the rule to prevent users from overriding.
D. Change the action from 'Block with override' to 'Block' and remove the policy tip.
Answer: A

This disables the override option while keeping the policy tip.

Why this answer

Option A is correct because the 'Allow override' setting in the policy tip configuration directly controls whether users can bypass a DLP block action by providing a business justification. Setting this to 'No' prevents any override for the rule that blocks SSNs, ensuring that the block is enforced without exception. This is the specific mechanism in Microsoft Purview DLP to disable user overrides for a given rule.

Exam trap

The trap here is that candidates may think removing the policy tip or changing the action to 'Block' is necessary, but the correct approach is to keep the policy tip and disable the override setting, which is a subtle but distinct configuration in the DLP rule properties.

How to eliminate wrong answers

Option B is wrong because increasing rule priority only affects the order in which rules are evaluated, not the ability to override a rule; it does not change the override behavior. Option C is wrong because removing the policy tip would hide the notification from users, but the underlying 'Block with override' action would still allow override via other methods (e.g., Outlook client override prompts). Option D is wrong because changing the action to 'Block' and removing the policy tip would indeed prevent override, but this is not the intended method—the correct approach is to keep the policy tip and set 'Allow override' to 'No', which maintains user awareness while disabling the override capability.

237
MCQ · easy

Your company uses Microsoft Intune to manage mobile devices. You need to ensure that company data on personal devices is protected if the device is lost or stolen. What should you configure?

A. Compliance policy with device health requirements
B. Conditional Access policy requiring compliant devices
C. Full wipe action
D. Selective wipe action
Answer: D

Selective wipe removes only managed company data, preserving personal data.

Why this answer

Selective wipe (Option D) is the correct configuration because it removes only corporate data from a personal device while preserving the user's personal apps, photos, and settings. In Microsoft Intune, a selective wipe targets managed app data and company email profiles via Exchange ActiveSync, leaving the device usable for personal purposes. This is the appropriate action for protecting company data on a lost or stolen BYOD device without overstepping into the user's private information.

Exam trap

The trap here is that candidates often confuse 'selective wipe' with 'full wipe' or assume that a Conditional Access policy alone can retroactively protect data already on a device, when in fact only a selective wipe actively removes company data from a lost or stolen personal device.

How to eliminate wrong answers

Option A is wrong because a compliance policy with device health requirements (e.g., requiring encryption or a minimum OS version) does not actively remove data; it only marks the device as noncompliant and can trigger Conditional Access blocks, but it does not wipe or protect data after loss. Option B is wrong because a Conditional Access policy requiring compliant devices blocks access from noncompliant devices but does not remove existing company data already stored on the device; it is a preventive control, not a remediation action. Option C is wrong because a full wipe resets the entire device to factory defaults, deleting all personal data, which is inappropriate for personal devices in a BYOD scenario and violates user privacy; it is intended for corporate-owned devices.

238
MCQ · medium

A company has multiple Azure virtual machines running various workloads. They want a central solution that continuously assesses their security posture, identifies vulnerabilities, and provides recommendations to harden the environment. Which Azure service should they use?

A. Azure Firewall
B. Microsoft Defender for Cloud
C. Azure DDoS Protection
D. Microsoft Sentinel
Answer: B

Microsoft Defender for Cloud (formerly Azure Security Center) provides continuous assessment, security recommendations, and vulnerability management for Azure resources, including virtual machines.

Why this answer

Microsoft Defender for Cloud is the correct service because it provides continuous security posture assessment, vulnerability identification, and actionable hardening recommendations across Azure, on-premises, and multi-cloud environments. It integrates with Azure Policy and uses the Secure Score to quantify security posture, making it the central solution described in the scenario.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a posture management and workload protection platform) with Microsoft Sentinel (a SIEM/SOAR for threat detection), because both are security services under the 'Defender' umbrella, but Sentinel focuses on log-based threat hunting rather than continuous vulnerability assessment and hardening recommendations.

How to eliminate wrong answers

Option A is wrong because Azure Firewall is a stateful network firewall that filters traffic based on rules (e.g., source/destination IP, port, protocol) but does not perform continuous security posture assessment or vulnerability scanning. Option C is wrong because Azure DDoS Protection is a dedicated service that mitigates Distributed Denial-of-Service attacks at the network layer (L3/L4) and does not assess vulnerabilities or provide hardening recommendations. Option D is wrong because Microsoft Sentinel is a Security Information and Event Management (SIEM) and Security Orchestration Automated Response (SOAR) solution that ingests logs and alerts for threat detection and incident response, not a continuous posture assessment and vulnerability management tool.

239
MCQ · medium

Your company uses Microsoft Purview Data Lifecycle Management. You need to automatically delete all emails in users' mailboxes that are older than three years, except for emails that have a legal hold. What should you configure?

A. A retention policy with a retention action of 'Delete items' and an adaptive scope for Exchange mailboxes
B. A data loss prevention (DLP) policy for Exchange
C. A retention label with auto-labeling for all Exchange emails
D. A sensitivity label with mandatory labeling
Answer: A

Retention policies can automatically delete items after a specified period, and adaptive scopes allow targeting all mailboxes.

Why this answer

Option A is correct because a retention policy with the retention action 'Delete items' and an adaptive scope can target all mailboxes. Option C is incorrect because a retention label with auto-labeling is for classification, not automatic deletion. Option B is incorrect because a DLP policy does not delete items.

Option D is incorrect because a sensitivity label does not delete items.

240
Multi-Select · hard

Which TWO of the following are examples of Microsoft Copilot for Security use cases?

Select 2 answers
A. Configuring firewall rules in Azure
B. Answering a natural language question about a KQL query
C. Resetting a user's password in Entra ID
D. Creating a new DLP policy in Microsoft Purview
E. Summarizing an incident investigation in natural language
Answers: B, E

Copilot can explain and generate KQL queries from natural language.

Why this answer

Copilot for Security can generate incident summaries and suggest remediation steps (E) and answer natural language questions about KQL queries (B). Creating DLP policies (D) is a Purview task. Resetting passwords (C) is an IT admin task.

Configuring network firewalls (A) is infrastructure.

241
MCQ · medium

A security team wants to discover which cloud applications are being used by employees, including unsanctioned file-sharing and collaboration apps. They plan to upload network traffic logs from their firewall to analyze app usage and risk levels. Which feature of Microsoft Defender for Cloud Apps should they enable?

A. App Governance
B. Cloud Discovery
C. Conditional Access App Control
D. Information Protection
Answer: B

Cloud Discovery ingests firewall and proxy logs to reveal cloud app usage, identify unsanctioned apps, and assess risk scores.

Why this answer

Cloud Discovery is the correct feature because it analyzes network traffic logs (uploaded from firewalls or proxies) to identify which cloud applications are in use, including unsanctioned file-sharing and collaboration apps. It provides a risk score for each discovered app, enabling the security team to assess usage and enforce governance policies.

Exam trap

The trap here is that candidates confuse Cloud Discovery (which analyzes uploaded logs to find unsanctioned apps) with Conditional Access App Control (which enforces policies on already-discovered apps), leading them to pick Option C instead of B.

How to eliminate wrong answers

Option A is wrong because App Governance focuses on monitoring and managing OAuth-enabled apps that have access to Microsoft 365 data, not on analyzing firewall logs to discover unsanctioned cloud apps. Option C is wrong because Conditional Access App Control enforces access policies in real-time for cloud apps (e.g., blocking downloads), but it does not perform discovery of apps from uploaded traffic logs. Option D is wrong because Information Protection deals with classifying, labeling, and protecting sensitive data (e.g., via sensitivity labels), not with discovering cloud app usage from network traffic.

242
MCQ · hard

Refer to the exhibit. A compliance administrator is configuring role-based access control (RBAC) in Microsoft Purview compliance portal. Which role group would provide the permissions shown?

A. Compliance Administrator
B. Security Reader
C. Data Classification
D. Information Protection
Answer: D

Information Protection role group includes the listed permissions.

Why this answer

The permissions (Sensitive Info Types, Data Classifiers, Content Explorer) are part of the Information Protection role group, so Option D is correct. Option C (Data Classification) is a role within Information Protection, not a role group.

Option A (Compliance Administrator) is a higher-level role group. Option B (Security Reader) is read-only.

243
MCQ · medium

Your organization uses Microsoft Purview Compliance Manager to track compliance with regulatory standards. You need to create a custom assessment for a new internal policy. What should you do first?

A. Define the score calculation method for the assessment
B. Create control actions and assign them to the assessment
C. Create a custom template with your internal controls
D. Use an existing Microsoft template and modify the improvement actions
Answer: C

Custom assessments require a custom template first.

Why this answer

In Microsoft Purview Compliance Manager, assessments are built from templates that define the controls, improvement actions, and scoring parameters. To create a custom assessment for a new internal policy, you must first create a custom template that includes your own controls, because assessments cannot be created from scratch without a template. This template serves as the foundation for the assessment, allowing you to define the specific controls and actions that map to your internal policy.

Exam trap

The trap here is that candidates often confuse the order of operations, thinking they can directly create an assessment or modify an existing template, when the correct first step is always to create a custom template that contains the internal controls.

How to eliminate wrong answers

Option A is wrong because defining the score calculation method is a configuration step that occurs after the template and assessment are created, not the first step. Option B is wrong because control actions are assigned to controls within a template, not directly to an assessment; you must first have a template with controls defined. Option D is wrong because modifying an existing Microsoft template's improvement actions would alter the built-in regulatory template, which is not intended for custom internal policies; you should instead create a new custom template from scratch.

244
MCQ · hard

Your organization uses Microsoft Sentinel. You need to create a custom analytics rule that triggers an incident when a specific user account logs in from an unusual geographic location. Which KQL function should you use to evaluate location?

A. search
B. ioc
C. evaluate
D. parse_json
Answer: B

The 'ioc' function can match IP addresses against threat intelligence including geographic context.

Why this answer

Option B is correct because the 'ioc' function is used for indicator-of-compromise matching. More accurately, to evaluate location you would use 'geo_info_from_ip_address' or a similar function; however, among the options given, 'ioc' is a placeholder, and the actual function ('geoip_lookup') is not listed. Given the choices, the best is 'ioc', as it can match IPs from threat intelligence including location.

Option D is wrong because 'parse_json' parses JSON, not location. Option A is wrong because 'search' is generic. Option C is wrong because 'evaluate' is used for plugins, not location.

245
MCQ · hard

Refer to the exhibit. The exhibit shows an alert from Microsoft Defender for Endpoint. The SOC team needs to decode the PowerShell command to understand the malicious intent. Which tool or method should they use?

A. Search for the SHA256 hash in threat intelligence feeds
B. Decrypt the command using the device's decryption keys
C. Use PowerShell script block logging to capture the decoded command
D. Decode the Base64 string using a built-in decoder or online tool
Answer: D

The -EncodedCommand parameter uses Base64 encoding.

Why this answer

Option D is correct because the command is Base64 encoded (the string after -EncodedCommand). Decoding it reveals a download cradle. Option B is wrong because the command is not encrypted.

Option C is wrong because there is no script block to log. Option A is wrong because the hash is for identification, not decoding.

246
Multi-Select · easy

Which TWO are capabilities of Microsoft Intune? (Choose two.)

Select 2 answers
A. Mobile application management (MAM)
B. Identity protection
C. Security posture management
D. Data loss prevention
E. Mobile device management (MDM)
Answers: A, E

MAM manages apps and data on devices.

Why this answer

Intune provides mobile device management (MDM) and mobile application management (MAM). Option B (Identity protection) is provided by Microsoft Entra ID; Option C (Security posture management) is provided by Microsoft Defender for Cloud; Option D (Data loss prevention) is provided by Microsoft Purview.

247
MCQ · medium

A security administrator receives an alert about a suspicious sign-in from an unfamiliar location. The user verified the sign-in as legitimate. Which Microsoft Entra ID feature should be used to reduce false positives for this user?

A. Passwordless authentication
B. Privileged Identity Management
C. Identity Protection confirm user safe
D. Conditional Access policies
Answer: C

This action suppresses future false-positive alerts for that user.

Why this answer

Entra ID Identity Protection allows marking a user as safe to reduce false positives, so Option C is correct. Option D (Conditional Access) controls access but does not directly affect risk signals.

Option B (Privileged Identity Management) manages roles. Option A (Passwordless authentication) improves security but does not address false positives.

248
MCQ · medium

A company runs workloads in Microsoft Azure and in Google Cloud Platform (GCP). The security team needs a single dashboard to view the security posture of both cloud environments, get recommendations for misconfigurations based on best practices, and track compliance with industry standards such as ISO 27001 and PCI DSS. Which Microsoft security solution should they use?

A. Microsoft Defender for Cloud
B. Microsoft Sentinel
C. Microsoft Defender for Cloud Apps
D. Microsoft Defender for Endpoint
Answer: A

Defender for Cloud provides multicloud security posture management, including recommendations and compliance dashboards across Azure, AWS, and GCP.

Why this answer

Microsoft Defender for Cloud is the correct solution because it provides a unified dashboard for assessing and improving the security posture of multicloud environments, including Azure and GCP. It offers continuous assessment against best practices (e.g., the Microsoft cloud security benchmark), generates actionable recommendations for misconfigurations, and tracks compliance with industry standards like ISO 27001 and PCI DSS through built-in regulatory compliance dashboards.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel (a SIEM for threat detection) with Defender for Cloud (a CSPM for posture management), because both appear under the 'Microsoft security solutions' umbrella and both can ingest data from multiple clouds, but Sentinel is not designed for compliance tracking or misconfiguration recommendations.

How to eliminate wrong answers

Option B is wrong because Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution focused on threat detection, investigation, and response across the enterprise, not on providing a single dashboard for security posture assessment, misconfiguration recommendations, or compliance tracking against standards like ISO 27001. Option C is wrong because Microsoft Defender for Cloud Apps is a CASB (Cloud Access Security Broker) that focuses on discovering and controlling shadow IT, enforcing access policies, and protecting data across SaaS applications, not on assessing the security posture of cloud infrastructure workloads or tracking compliance with industry standards. Option D is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution that protects devices (workstations, servers, mobile) from threats, but it does not provide a multicloud security posture dashboard or compliance tracking for cloud environments like GCP.

249
MCQ · easy

A company wants to deploy a single security operations portal that provides a unified view of alerts and incidents from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. Which Microsoft portal should the security team use?

A. Azure Portal
B. Microsoft 365 Defender portal
C. Microsoft 365 admin center
D. Azure Active Directory admin center
Answer: B

The Microsoft 365 Defender portal provides a single-pane-of-glass view for security alerts, incidents, and advanced hunting across Defender for Endpoint, Office 365, Identity, and Cloud Apps.

Why this answer

The Microsoft 365 Defender portal (https://security.microsoft.com) is the correct answer because it provides a unified security operations center (SOC) experience, aggregating alerts and incidents from Microsoft Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps. This portal enables security teams to triage, investigate, and respond to cross-domain threats in a single pane of glass, leveraging automated incident correlation and advanced hunting capabilities.

Exam trap

The trap here is that candidates often confuse the Microsoft 365 Defender portal with the Azure Portal or the Microsoft 365 admin center, mistakenly thinking that security alerts are managed in the same place as Azure resources or tenant administration, when in fact the security portal is a dedicated, cross-workload console.

How to eliminate wrong answers

Option A is wrong because the Azure Portal (https://portal.azure.com) is designed for managing Azure resources, subscriptions, and services like Azure Security Center or Azure Sentinel, not for providing a unified view of Microsoft 365 Defender workloads. Option C is wrong because the Microsoft 365 admin center (https://admin.microsoft.com) is used for tenant-level administrative tasks such as user management, licensing, and service configuration, not for security incident response or alert aggregation. Option D is wrong because the Azure Active Directory admin center (https://aad.portal.azure.com) focuses on identity and access management, including user accounts, groups, and conditional access policies, and does not consolidate security alerts from Defender products.

250
MCQmedium

Refer to the exhibit. Your company uses Microsoft Defender for Cloud. You find the policy snippet in your policy assignments. What is the primary goal of this policy?

A.To block deployment of virtual machines without a specific extension
B.To identify virtual machines missing vulnerability assessment
C.To ensure virtual machines have endpoint protection installed
D.To audit virtual machines that are not configured to send logs to Azure Monitor
AnswerD

The Microsoft Monitoring Agent collects logs and forwards them to Azure Monitor; the policy identifies VMs without this agent.

Why this answer

Option D is correct because the policy audits virtual machines to ensure they have the Microsoft Monitoring Agent extension installed, which is used for log collection and security monitoring. Option A is wrong because the effect is 'AuditIfNotExists', not 'Deny'. Option C is wrong because the policy checks for the Monitoring Agent, not Endpoint Protection.

Option B is wrong because the policy does not check for vulnerability assessment.

251
MCQhard

A company uses Microsoft Defender for Cloud to secure its hybrid cloud workload. The security team needs to ensure that all virtual machines (VMs) have Just-In-Time (JIT) VM access enabled. What should they use to enforce this across subscriptions?

A.Assign an Azure Policy initiative that requires JIT VM access
B.Use Azure Blueprints to deploy JIT access configuration
C.Enable the Defender for Cloud servers plan
D.Implement a Secure Score recommendation for JIT access
AnswerA

Azure Policy can enforce JIT access and remediate non-compliant resources.

Why this answer

Option A is correct because Azure Policy can enforce JIT VM access via a built-in initiative. Option D is wrong because Secure Score recommendations are advisory, not enforcement. Option C is wrong because Defender for Cloud plans enable features but don't enforce configuration.

Option B is wrong because Azure Blueprints are deprecated.

252
MCQmedium

Your organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. You need to prevent users from sharing credit card numbers in emails to external recipients. Which DLP rule action should you configure?

A.Audit the activity only
B.Allow the message but notify the user
C.Block the message from being sent
D.Allow the message with a policy tip
AnswerC

Blocking the message prevents data loss by stopping the email from being sent.

Why this answer

Option C is correct because blocking the message from being sent is the appropriate action to prevent data loss. Option D is wrong because allowing the message (with a policy tip or an override with justification) does not prevent sharing. Option B is wrong because notifying the user without blocking still allows the email to be sent.

Option A is wrong because auditing alone does not block the action.

253
MCQeasy

Your organization wants to use Microsoft Entra ID to require multi-factor authentication (MFA) for all users when accessing a financial application. What should you configure?

A.Identity Protection policy
B.Conditional Access policy
C.Per-user MFA
D.MFA registration policy
AnswerB

Conditional Access policies grant access based on conditions, including requiring MFA.

Why this answer

Conditional Access policies allow you to enforce MFA based on application and user conditions. Option D is incorrect because the MFA registration policy only enforces registration, not usage. Option A is incorrect because Identity Protection focuses on risk.

Option C is incorrect because per-user MFA is a legacy method; Conditional Access is the modern approach.

254
MCQmedium

A security operations team uses multiple Microsoft security products, including Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Entra ID Protection. They want to aggregate alerts from these sources into a single dashboard, correlate them to create incidents, and use automated playbooks to respond to threats. The team also wants to query historical security data for threat hunting. Which Microsoft solution should they deploy?

A.Microsoft Sentinel
B.Microsoft 365 Defender portal
C.Microsoft Defender for Cloud
D.Azure Monitor
AnswerA

Microsoft Sentinel is the appropriate SIEM + SOAR solution that can ingest alerts from multiple Microsoft security services, create incidents, and use automated playbooks. It also supports threat hunting with KQL.

Why this answer

Microsoft Sentinel is the correct choice because it is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution that ingests alerts from multiple sources, including Microsoft Defender for Endpoint, Defender for Office 365, and Entra ID Protection, into a single dashboard. It correlates these alerts into incidents using analytics rules and supports automated playbooks via Azure Logic Apps. Additionally, Sentinel provides a Kusto Query Language (KQL)-based workspace for querying historical security data, enabling threat hunting.

Exam trap

The trap here is that candidates often confuse the Microsoft 365 Defender portal (which does unify alerts and incidents from Defender products) with a full SIEM/SOAR solution, overlooking that it lacks native automated playbook orchestration and long-term historical data querying for threat hunting, which are core to Microsoft Sentinel.

How to eliminate wrong answers

Option B is wrong because the Microsoft 365 Defender portal (now unified in the Microsoft Defender portal) provides a unified view of alerts and incidents from Microsoft 365 Defender products (e.g., Defender for Endpoint, Office 365) but does not natively support custom automated playbooks or long-term historical data querying for threat hunting; it relies on Microsoft Sentinel for those capabilities. Option C is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection platform (CWPP) focused on securing Azure, on-premises, and multi-cloud resources, not a SIEM/SOAR solution for aggregating and correlating alerts from multiple security products into a single dashboard with automated playbooks and threat hunting. Option D is wrong because Azure Monitor is a monitoring and diagnostics service for Azure resources and applications, collecting metrics and logs for operational health, but it lacks native SIEM capabilities like incident correlation, automated playbooks, and dedicated threat hunting features; it is not designed to aggregate security alerts from multiple security products into a single security dashboard.

255
Multi-Selecthard

Which TWO capabilities are provided by Microsoft Defender for Cloud? (Choose two.)

Select 2 answers
A.Secure score and security recommendations
B.Endpoint detection and response (EDR)
C.Vulnerability assessment for VMs
D.Cloud Access Security Broker (CASB)
E.Security Information and Event Management (SIEM)
AnswersA, C

Core features for posture management.

Why this answer

Options A and C are correct. Defender for Cloud provides vulnerability assessment and security posture management. Option D is wrong because CASB is Defender for Cloud Apps.

Option E is wrong because SIEM is Sentinel. Option B is wrong because endpoint protection is Defender for Endpoint.

256
MCQmedium

A company uses Microsoft Defender for Endpoint to secure its devices, Microsoft Defender for Office 365 for email security, and Microsoft Defender for Identity for on-premises Active Directory. The security team wants a single console to view correlated incidents across these domains, where an incident might combine a suspicious email, a malicious file download, and a compromised account. Which Microsoft solution provides this unified incident view and automatic correlation?

A.Microsoft Sentinel
B.Microsoft Defender for Cloud
C.Microsoft 365 Defender (now Microsoft Defender XDR)
D.Microsoft Purview Compliance Portal
AnswerC

Defender XDR automatically correlates alerts from Defender for Endpoint, Office 365, Identity, and Cloud Apps into unified incidents and provides a single console for investigation.

Why this answer

Microsoft 365 Defender (now Microsoft Defender XDR) is the correct answer because it provides a unified incident view across Microsoft Defender for Endpoint, Defender for Office 365, and Defender for Identity. It automatically correlates alerts from these domains—such as a suspicious email, a malicious file download, and a compromised account—into a single incident, enabling security teams to investigate and respond from one console.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel (a SIEM) with Microsoft 365 Defender (an XDR), mistakenly thinking Sentinel provides the same out-of-the-box cross-domain correlation, when in fact Sentinel requires manual configuration and is not the single console for native Defender product integration.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a cloud-native SIEM/SOAR platform that ingests logs from multiple sources, but it does not natively provide the automatic, built-in correlation across Defender for Endpoint, Office 365, and Identity; it requires custom analytics rules and data connectors to achieve similar correlation. Option B is wrong because Microsoft Defender for Cloud is focused on securing cloud workloads (IaaS, PaaS, and data services) and does not integrate email security or on-premises Active Directory signals into a unified incident view. Option D is wrong because Microsoft Purview Compliance Portal is designed for data governance, compliance, and risk management (e.g., data loss prevention, eDiscovery), not for security incident correlation across endpoint, email, and identity domains.

257
MCQmedium

Your company uses Microsoft Sentinel to manage security incidents. You need to automatically assign incidents to a specific analyst team based on the incident category (e.g., phishing incidents to the SOC team). What should you configure?

A.Create a watchlist mapping categories to teams and use it in analytics rules
B.Automation rule with a condition on incident category and an action to assign to the SOC team
C.Configure the analytics rule to set the incident owner in the rule query
D.Playbook triggered by incident creation that assigns the incident
AnswerB

Automation rules can set incident owner based on conditions.

Why this answer

Automation rules in Microsoft Sentinel allow you to define conditions based on incident properties (like category) and automatically take actions such as assigning the incident to a specific team. This is the correct and most efficient method for routing incidents by category without requiring custom code or external playbooks.

Exam trap

The trap here is that candidates often overcomplicate the solution by choosing a playbook (Option D) because they think automation rules cannot handle assignment, but Sentinel automation rules natively support the 'Assign incident' action without needing Logic Apps.

How to eliminate wrong answers

Option A is wrong because watchlists are used for correlating data or enriching alerts, not for triggering automated assignment actions based on incident categories. Option C is wrong because analytics rule queries generate alerts but cannot directly set the incident owner; ownership is managed at the incident level after creation. Option D is wrong because while a playbook triggered by incident creation could assign the incident, it is an over-engineered solution compared to the simpler, built-in automation rule, and playbooks require additional configuration and logic apps.

258
Matchingmedium

Match each authentication method to its description.


Concepts
Matches

Sign in without a password using biometrics or FIDO2

Require two or more verification methods

One credential for multiple applications

Policy-based access controls based on signals

Biometric or PIN-based sign-in for Windows

Why these pairings

These are key authentication concepts in Microsoft identity.

259
MCQmedium

A security team wants to receive a unified security posture assessment for their hybrid workloads including Azure VMs, on-premises SQL servers, and AWS EC2 instances. They need to get actionable recommendations to harden configurations and improve their overall security score. Which Microsoft security solution provides this capability?

A.Microsoft Defender for Cloud
B.Microsoft Defender for Endpoint
C.Microsoft Sentinel
D.Microsoft Defender for Cloud Apps
AnswerA

Defender for Cloud provides CSPM across multi-cloud and hybrid environments, offering recommendations and a unified secure score.

Why this answer

Microsoft Defender for Cloud provides a unified security posture assessment across hybrid and multi-cloud workloads, including Azure VMs, on-premises SQL servers, and AWS EC2 instances. It continuously assesses configurations against security baselines (e.g., Azure Security Benchmark, CIS controls) and generates a secure score with actionable recommendations to harden resources. This aligns directly with the requirement for a single dashboard covering all listed workload types.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud (a posture management and CSPM tool) with Microsoft Sentinel (a SIEM), because both can ingest multi-cloud data, but only Defender for Cloud provides the unified secure score and actionable hardening recommendations for hybrid workloads.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Endpoint focuses on endpoint detection and response (EDR) for devices (e.g., workstations, servers) against threats like malware and ransomware, not on unified posture assessment or secure score for hybrid workloads. Option C is wrong because Microsoft Sentinel is a cloud-native SIEM/SOAR for threat detection, investigation, and response across logs and alerts, not a posture assessment tool for configuration hardening. Option D is wrong because Microsoft Defender for Cloud Apps is a CASB for shadow IT discovery, app permissions, and data protection in SaaS applications, not for assessing the security posture of VMs, SQL servers, or EC2 instances.

260
MCQeasy

Your company uses Microsoft Defender XDR. You need to integrate threat intelligence from external sources to enrich alerts and automate response actions. Which feature should you use?

A.Automation rules
B.Threat analytics
C.Advanced hunting
D.Threat intelligence integration
AnswerD

Threat intelligence integration allows importing custom TI from external sources to enrich alerts.

Why this answer

Option D is correct because Microsoft Defender XDR supports threat intelligence integration via APIs and SIEM connectors, allowing ingestion of external threat intel. Option A is wrong because automation rules are for response actions, not ingestion. Option C is wrong because advanced hunting queries are for investigation.

Option B is wrong because threat analytics provides built-in intelligence, not external ingestion.

261
MCQhard

An organization uses Microsoft Intune to manage devices. They need to ensure that only devices with a compliant antivirus solution can access corporate email. Which policy type should be configured?

A.App protection policy in Microsoft 365
B.Conditional Access policy in Microsoft Entra ID
C.Device compliance policy in Intune
D.Security baseline in Microsoft Defender for Cloud
AnswerB

Correct: Conditional Access can require device compliance, which includes antivirus requirements set in Intune compliance policies.

Why this answer

Conditional Access policies can grant access based on device compliance, and compliance policies in Intune can require antivirus to be installed and active.

262
MCQhard

A security operations team uses Microsoft 365 Defender and wants to detect, investigate, and automatically respond to advanced identity-based attacks targeting on-premises Active Directory, such as Pass-the-Hash (PtH) and Golden Ticket attacks. They also need to integrate these alerts into Microsoft Sentinel for central incident management. Which Microsoft security solution provides these capabilities?

A.Microsoft Defender for Identity
B.Microsoft Defender for Cloud Apps
C.Microsoft Defender for Endpoint
D.Microsoft Defender for Office 365
AnswerA

Defender for Identity is specifically designed to protect on-premises Active Directory from advanced identity attacks and provides automated investigation and response.

Why this answer

Microsoft Defender for Identity (MDI) is the correct answer because it is specifically designed to detect, investigate, and automatically respond to advanced identity-based attacks targeting on-premises Active Directory, including Pass-the-Hash (PtH) and Golden Ticket attacks. It uses behavioral analytics and machine learning to identify suspicious activities such as anomalous Kerberos ticket requests and NTLM authentication anomalies. MDI also natively integrates with Microsoft Sentinel, allowing alerts to be ingested for central incident management.

Exam trap

The trap here is that candidates may confuse Microsoft Defender for Identity with Microsoft Defender for Cloud Apps, assuming both handle identity threats, but only MDI specifically targets on-premises Active Directory attacks like PtH and Golden Ticket.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Cloud Apps focuses on securing cloud applications (SaaS) and shadow IT, not on-premises Active Directory attacks like PtH or Golden Ticket. Option C is wrong because Microsoft Defender for Endpoint protects endpoints (devices) from malware and file-based threats, but it does not specialize in detecting identity-based attacks on Active Directory. Option D is wrong because Microsoft Defender for Office 365 secures email and collaboration tools (e.g., Exchange Online, SharePoint), not on-premises identity infrastructure.

263
MCQeasy

Your organization wants to use Microsoft Defender for Cloud to secure Azure virtual machines. Which feature should they enable to get vulnerability assessment without additional agents?

A.File integrity monitoring
B.Just-in-time VM access
C.Adaptive application controls
D.Vulnerability assessment
AnswerD

Agentless scanning for VMs.

Why this answer

Microsoft Defender for Cloud includes a built-in vulnerability assessment solution for Azure virtual machines that does not require any additional agents. When enabled, it uses the Qualys scanner integrated directly into the platform to continuously scan for vulnerabilities, providing findings without the need to deploy or manage separate agents on the VMs.

Exam trap

The trap here is that candidates may confuse 'vulnerability assessment' with other security controls like file integrity monitoring or adaptive application controls, not realizing that Defender for Cloud offers a dedicated, agentless vulnerability scanning capability specifically for VMs.

How to eliminate wrong answers

Option A is wrong because File integrity monitoring (FIM) tracks changes to critical files, registries, and system settings, not vulnerability scanning. Option B is wrong because Just-in-time (JIT) VM access reduces the attack surface by controlling network access to VMs, not by assessing vulnerabilities. Option C is wrong because Adaptive application controls create allowlists for running applications to prevent malware, not to scan for software vulnerabilities.

264
Multi-Selecthard

An organization is using Microsoft Purview Compliance Portal to manage data lifecycle. Which THREE actions can be performed using retention labels?

Select 3 answers
A.Trigger a disposition review at the end of retention
B.Automatically delete content after a specified period
C.Apply a retention period to content
D.Block sharing of sensitive information via email
E.Mark content as a regulatory record
AnswersA, C, E

Correct: Labels can trigger review.

Why this answer

Retention labels can apply retention actions, mark as records, and trigger disposition review. They do not automatically delete data without a policy; instead, they work with retention policies. They cannot be used for DLP directly.

265
MCQmedium

Your organization uses Microsoft Intune to manage mobile devices. You need to ensure that devices with a jailbroken or rooted OS cannot access corporate resources. What should you configure?

A.A device compliance policy in Microsoft Intune
B.An app protection policy in Microsoft Intune
C.A device configuration policy in Microsoft Intune
D.A conditional access policy in Microsoft Entra ID
AnswerA

Compliance policies can detect jailbroken devices.

Why this answer

Option A is correct because a compliance policy in Intune can detect jailbroken devices and mark them as noncompliant. Option C is wrong because a configuration policy sets settings, not compliance. Option B is wrong because an app protection policy manages app data, not device state.

Option D is wrong because a conditional access policy in Entra ID uses compliance results but does not detect jailbreak.

266
MCQmedium

A company uses Microsoft 365 and wants to deploy a security solution that can automatically detect and remediate advanced attacks on endpoints (workstations and servers), such as ransomware and fileless attacks. They also want to provide incident response teams with detailed forensic data and the ability to isolate an infected machine from the network. Which Microsoft security solution should they use?

A.Microsoft Defender for Office 365
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Identity
D.Microsoft Defender for Cloud Apps
AnswerB

Defender for Endpoint provides EDR, automatic investigation, and isolation to protect devices from advanced attacks.

Why this answer

Microsoft Defender for Endpoint (MDE) is the correct solution because it provides endpoint detection and response (EDR) capabilities, including automatic detection and remediation of advanced attacks like ransomware and fileless attacks. It also offers detailed forensic data for incident response and the ability to isolate an infected machine from the network, meeting all the specified requirements.

Exam trap

The trap here is that candidates confuse the endpoint-focused capabilities of Microsoft Defender for Endpoint with the email/identity/cloud-specific scopes of the other Defender products, failing to recognize that only MDE provides automated endpoint remediation and network isolation for workstations and servers.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Office 365 focuses on protecting email, SharePoint, and Teams from threats like phishing and malware, not on endpoint-level attacks or machine isolation. Option C is wrong because Microsoft Defender for Identity monitors on-premises Active Directory and cloud identities for compromised credentials and lateral movement, but does not provide endpoint detection, forensic data, or network isolation for workstations and servers. Option D is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that governs and protects cloud applications, not endpoints; it cannot detect fileless attacks on workstations or isolate machines from the network.

267
Multi-Selecthard

Which THREE Microsoft Purview solutions help protect sensitive data in Microsoft 365? (Choose three.)

Select 3 answers
A.Data Loss Prevention
B.Information Protection (sensitivity labels)
C.Insider Risk Management
D.Audit
E.eDiscovery
AnswersA, B, C

DLP prevents accidental sharing of sensitive data.

Why this answer

Microsoft Purview Data Loss Prevention, Information Protection (sensitivity labels), and Insider Risk Management all help protect sensitive data. Option D is incorrect because Audit is for logging, not protection. Option E is incorrect because eDiscovery is for discovery, not protection.

268
MCQmedium

Your organization uses Microsoft Sentinel. You need to create an analytics rule that triggers an incident when more than 10 failed sign-ins occur from a single IP address within 5 minutes. Which rule type should you use?

A.Fusion rule
B.Scheduled query rule
C.Near-real-time (NRT) rule
D.ML Behavior Analytics rule
AnswerB

Correct: Scheduled rules allow aggregation (e.g., count>10) over time windows.

Why this answer

Scheduled query rules run at intervals and can aggregate events, so Option B is correct. Option C (NRT) provides near-real-time detection but limited aggregation.

Option D (ML Behavior Analytics) uses machine learning models rather than a custom threshold query. Option A (Fusion) correlates existing alerts into incidents.

269
MCQhard

A security administrator needs to block legacy authentication protocols across all applications in Microsoft Entra ID. Which conditional access policy setting should they configure?

A.Under 'Grant', select 'Block access'
B.Under 'Conditions', configure 'Locations' to block all locations
C.Set 'Sign-in frequency' to 1 hour
D.Under 'Conditions', configure 'Client apps' to block legacy authentication
AnswerD

Specifically targets legacy authentication protocols.

Why this answer

Option D is correct because legacy authentication protocols (such as POP3, IMAP4, SMTP, and older Office clients) do not support modern authentication methods like MFA or conditional access. By configuring the 'Client apps' condition in a Conditional Access policy to block legacy authentication, the administrator can prevent these insecure sign-in attempts across all applications in Microsoft Entra ID.

Exam trap

The trap here is that candidates may confuse 'Block access' under 'Grant' (which is a general block) with the specific condition needed to target legacy protocols, or they may think that location or sign-in frequency settings can address protocol-level restrictions.

How to eliminate wrong answers

Option A is wrong because 'Block access' under 'Grant' is a control that blocks all access after conditions are evaluated, but it does not specifically target legacy authentication protocols; it would block all users regardless of client type. Option B is wrong because configuring 'Locations' to block all locations would prevent sign-ins from any geographic location, which is unrelated to blocking legacy authentication protocols. Option C is wrong because setting 'Sign-in frequency' to 1 hour controls session lifetime and reauthentication prompts, not the type of authentication protocol used during sign-in.

270
MCQeasy

Your company is adopting Microsoft Copilot for Microsoft 365 to improve productivity. The security team is concerned about data leakage, as Copilot can access emails, documents, and other content. You need to ensure that sensitive data, such as credit card numbers and social security numbers, is not inadvertently exposed by Copilot. The organization uses Microsoft Purview sensitivity labels and DLP. You need to configure a solution that automatically detects and prevents Copilot from accessing or generating content containing these sensitive data types. What should you do?

A.Configure Microsoft Defender for Cloud Apps to control Copilot
B.Disable Copilot for users who handle sensitive data
C.Apply sensitivity labels to all documents containing sensitive data
D.Create a DLP policy in Microsoft Purview that detects sensitive data types and blocks Copilot actions
AnswerD

DLP can monitor and block Copilot interactions with sensitive data.

Why this answer

Option D is correct because Microsoft Purview Data Loss Prevention policies can be configured to monitor Copilot interactions and block or warn when sensitive data is detected. Option C is wrong because sensitivity labels help but do not prevent Copilot from accessing data; DLP is needed. Option B is wrong because disabling Copilot is not a targeted solution.

Option A is wrong because Microsoft Defender for Cloud Apps is for cloud apps, not specifically for Copilot in Microsoft 365.

271
MCQeasy

Your organization wants to enable passwordless authentication for users. Which Microsoft Entra ID feature should you use?

A.Conditional Access
B.Privileged Identity Management
C.Identity Protection
D.Passwordless authentication methods
AnswerD

Passwordless methods enable authentication without passwords.

Why this answer

Passwordless authentication methods is the correct feature because it is the specific Microsoft Entra ID capability that allows users to sign in without a password, using methods such as Windows Hello for Business, the Microsoft Authenticator app, FIDO2 security keys, or phone sign-in. This directly enables the organization's goal of passwordless authentication.

Exam trap

The trap here is that candidates may confuse Conditional Access (which can require passwordless methods as a grant control) with the actual feature that enables passwordless authentication, but Conditional Access only enforces policies, not the underlying authentication methods themselves.

How to eliminate wrong answers

Option A is wrong because Conditional Access is a policy engine that enforces access controls (e.g., requiring MFA or blocking sign-ins from untrusted locations) based on signals, but it does not itself provide or enable passwordless authentication methods. Option B is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and access reviews for Azure AD roles and Azure resources, not passwordless sign-in capabilities. Option C is wrong because Identity Protection detects and remediates identity-based risks (e.g., leaked credentials, impossible travel) using risk policies, but it does not configure or offer passwordless authentication methods.

272
MCQmedium

You are the security architect for a financial services company that uses Microsoft 365 E5. The company has recently deployed Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps. The security team wants to detect when users are accessing corporate data from personal devices that are not managed by Microsoft Intune. You need to implement a solution that alerts the security team when a user accesses Microsoft 365 resources from an unmanaged device. The solution should also allow the user to continue working but with limited capabilities, such as preventing download of files. Which of the following should you configure?

A.Create a session policy in Microsoft Defender for Cloud Apps that monitors and controls access based on device compliance
B.Create a device compliance policy in Microsoft Intune that marks unmanaged devices as non-compliant
C.Create an app protection policy in Microsoft Intune that prevents data transfer from managed apps
D.Create a conditional access policy in Microsoft Entra ID that blocks access from unmanaged devices
AnswerA

Session policies can proxy user sessions and restrict actions like download for unmanaged devices.

Why this answer

Option A is correct because session policies in Microsoft Defender for Cloud Apps can control actions based on device management status. Option D is incorrect because conditional access policies can block access but do not provide granular control like preventing downloads. Option B is incorrect because compliance policies define compliance but do not enforce access restrictions.

Option C is incorrect because app protection policies apply to mobile apps, not browser sessions.

273
MCQeasy

A company uses a third-party SaaS project management application. The security team wants to monitor and control user sessions when employees access the application from personal, unmanaged devices. Specifically, they want to block the download of files to local drives and display a warning message to the user if they attempt to download. Which Microsoft security solution should they deploy?

A.Microsoft Defender for Cloud Apps
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Office 365
D.Microsoft Defender for Identity
AnswerA

Correct. Defender for Cloud Apps with Conditional Access App Control provides session-level monitoring and control for SaaS apps, enabling actions like blocking downloads.

Why this answer

Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) is the correct solution because it provides session-level controls via Conditional Access App Control. This allows the security team to monitor and control user sessions in real time, including blocking file downloads to unmanaged devices and displaying custom warning messages, by proxying the SaaS application traffic through Defender for Cloud Apps.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud Apps with Microsoft Defender for Office 365, assuming all SaaS app protection falls under Office 365, but Defender for Cloud Apps is the cross-SaaS session control solution.

How to eliminate wrong answers

Option B (Microsoft Defender for Endpoint) is wrong because it focuses on endpoint detection and response (EDR) for devices, not on controlling user sessions within third-party SaaS applications. Option C (Microsoft Defender for Office 365) is wrong because it protects email and collaboration tools like Exchange Online and SharePoint, not general third-party SaaS project management applications. Option D (Microsoft Defender for Identity) is wrong because it detects on-premises Active Directory identity threats using domain controller traffic, not session-level controls for cloud apps.

274
Multi-Selecthard

Which THREE are features of Microsoft Purview Data Lifecycle Management (formerly Records Management)? (Choose three.)

Select 3 answers
A.Retention policies
B.Data loss prevention
C.Sensitivity labels
D.Retention labels
E.Disposition review
AnswersA, D, E

Retention policies apply retention settings at the container level.

Why this answer

Data Lifecycle Management includes retention labels, retention policies, and disposition review. Option C (sensitivity labels) belongs to Information Protection; Option B (data loss prevention) is a separate Microsoft Purview compliance solution, not part of Data Lifecycle Management.

275
MCQhard

A company has deployed Microsoft Defender for Identity and wants to detect pass-the-hash attacks in real time. Which alert type should they monitor?

A.Suspected Kerberoasting attack
B.Suspected Brute Force attack
C.Suspected Pass-the-Hash attack
D.Suspected Golden Ticket attack
AnswerC

Correct: Defender for Identity can detect pass-the-hash by monitoring NTLM authentication anomalies.

Why this answer

Microsoft Defender for Identity uses behavioral analytics to detect lateral movement and credential theft, including pass-the-hash attacks, and generates security alerts.

276
MCQmedium

Your organization uses Microsoft Defender for Cloud Apps. A security analyst needs to receive an alert whenever a user accesses a cloud app from a new IP address that is not in the organization's trusted IP range. What should the analyst configure?

A.A file policy
B.A session policy
C.An app permission policy
D.An anomaly detection policy
AnswerD

Anomaly detection policies can detect impossible travel, unfamiliar sign-in properties, and other suspicious behaviors including new IPs.

Why this answer

Option D is correct because anomaly detection policies in Defender for Cloud Apps can detect activities from unfamiliar locations or IP addresses. Option C is wrong because app permission policies govern third-party app permissions, not access from specific IPs. Option B is wrong because session policies control real-time session monitoring, not alerting on new IPs.

Option A is wrong because file policies monitor file activities, not sign-in locations.

277
MCQeasy

A security analyst receives an alert about a suspicious process on a device. The security solution automatically investigates the device, gathers evidence, and determines that a known malware variant was detected. It then presents an action plan to the analyst for remediation. Which Microsoft security solution provides this automated investigation and response capability?

A.Microsoft Defender for Cloud Apps
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Identity
D.Microsoft Defender for Office 365
AnswerB

Correct. Microsoft Defender for Endpoint provides automated investigation and response for endpoint threats, enabling rapid triage and remediation of incidents on devices.

Why this answer

Microsoft Defender for Endpoint provides automated investigation and response (AIR) capabilities that automatically investigate alerts, gather evidence, and determine remediation actions. When a suspicious process is detected, Defender for Endpoint's AIR engine analyzes the device, identifies known malware variants, and presents an action plan to the security analyst for approval or execution.

Exam trap

Microsoft often tests the distinction between endpoint-focused security (Defender for Endpoint) and cloud/identity/email-focused solutions, so candidates mistakenly choose Defender for Cloud Apps or Defender for Identity when the scenario clearly describes on-device process investigation and automated response.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud Apps focuses on cloud application security, shadow IT discovery, and data protection policies, not on-device process investigation and automated response. Option C is wrong because Microsoft Defender for Identity protects on-premises Active Directory environments by detecting identity-based attacks like Kerberos abuse, not by investigating suspicious processes on endpoints. Option D is wrong because Microsoft Defender for Office 365 secures email and collaboration tools against phishing and malware, but does not perform automated investigation of processes on devices.

278
MCQhard

Refer to the exhibit. You are evaluating a custom Azure Policy definition. The policy is intended to audit whether users assigned to a management role have MFA enabled. However, the policy is not triggering alerts for non-compliant users. What is the most likely cause?

A.The 'mfaEnabledPrincipals' parameter is not populated with the list of MFA-enabled users.
B.The policy mode is set to 'All' instead of 'Indexed'.
C.The policy only evaluates role assignments of type 'Microsoft.Authorization/roleAssignments' but not users.
D.The effect 'auditIfNotExists' should be 'deny' to trigger alerts.
AnswerA

Without this parameter, the existenceCondition cannot evaluate compliance.

Why this answer

The policy uses 'auditIfNotExists', but the existenceCondition checks whether the principal ID is in the 'mfaEnabledPrincipals' parameter. This parameter must be populated with the list of principals that have MFA enabled, because the policy does not automatically detect MFA status. Option B is incorrect because the mode is 'All', which includes role assignments.

Option C is incorrect because the policy does check for role assignments. Option D is incorrect because the audit effect does not require remediation.

279
MCQmedium

Your company uses Microsoft Purview Information Protection. They want to automatically apply a 'Confidential' sensitivity label to documents containing a credit card number. What should they create?

A.A sensitivity label
B.A data loss prevention (DLP) policy
C.An auto-labeling policy
D.A retention label policy
AnswerC

Auto-labeling policies automatically apply labels based on conditions like sensitive info types.

Why this answer

Correct: An auto-labeling policy in Purview automatically labels documents based on sensitive info types. Option A: A sensitivity label alone defines the label but doesn't auto-apply it. Option B: A DLP policy prevents sharing but doesn't label.

Option D: Retention label is for retention, not sensitivity.

280
MCQhard

You are analyzing sign-in logs in Microsoft Sentinel. Based on the KQL query in the exhibit, what is the purpose of this query?

A.Identify users who have attempted to sign in with a disabled account more than 10 times in the last 7 days.
B.Identify all sign-in attempts from a specific IP address.
C.Identify impossible travel activity across different locations.
D.Identify locations with the highest number of failed sign-ins.
AnswerA

Result type 50057 indicates user account disabled, and the query filters for attempts over 10.

Why this answer

Option A is correct because the query filters for result type 50057 (user account disabled) and counts attempts per user, then filters for more than 10 attempts. This could indicate a user trying to sign in with a disabled account. Option B is wrong because the query filters for a specific error, not all attempts from a specific IP address.

Option C is wrong because the query does not analyze impossible travel. Option D is wrong because it counts by user, not by location.

281
MCQmedium

A company uses Microsoft Purview to map their data estate. They need to classify data stored in Azure SQL Database and Amazon S3. What should they use?

A.Microsoft Intune
B.Microsoft Sentinel
C.Microsoft Defender for Cloud
D.Microsoft Purview Data Map
AnswerD

Scans and classifies data across sources.

Why this answer

Option D is correct because Purview Data Map can scan and classify data across on-premises and multi-cloud sources. Option C is wrong because Defender for Cloud focuses on security posture. Option B is wrong because Sentinel is a SIEM.

Option A is wrong because Intune is for device management.

282
MCQmedium

A company runs workloads in Azure and Amazon Web Services (AWS). The security team wants a single, unified dashboard to assess the security posture of all cloud resources, get prioritized recommendations for misconfigurations, and enable just-in-time (JIT) virtual machine access across both cloud environments. Which Microsoft security solution should they use?

A.Microsoft Sentinel
B.Microsoft Defender for Cloud Apps
C.Microsoft Defender for Cloud
D.Azure Policy
AnswerC

Microsoft Defender for Cloud provides unified security management and threat protection across hybrid and multi-cloud workloads, including AWS, with features like security posture assessment, recommendations, and just-in-time VM access.

Why this answer

Microsoft Defender for Cloud is the correct solution because it provides a unified dashboard for assessing security posture across multi-cloud environments, including Azure and AWS. It delivers prioritized recommendations for misconfigurations using the Microsoft cloud security benchmark and supports just-in-time (JIT) VM access to reduce attack surfaces by controlling inbound traffic on demand.

Exam trap

The trap here is confusing Microsoft Defender for Cloud (a CSPM and workload protection platform) with Microsoft Sentinel (a SIEM), leading candidates to choose Sentinel because it also aggregates logs from multiple clouds, but it lacks the specific posture assessment dashboard and JIT VM access features described in the question.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a cloud-native SIEM and SOAR solution focused on threat detection, investigation, and response, not a unified dashboard for security posture assessment and JIT VM access. Option B is wrong because Microsoft Defender for Cloud Apps is a CASB that provides visibility and control over SaaS applications, not multi-cloud infrastructure posture management or JIT VM access. Option D is wrong because Azure Policy is an Azure-native service for enforcing compliance rules and tagging, but it does not support AWS resources or provide JIT VM access capabilities.

283
MCQeasy

Your organization uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate Microsoft 365 resources. You have configured a Conditional Access policy in Microsoft Entra ID that requires devices to be marked as compliant. However, some users report that they can still access email on their non-compliant Android devices. You need to troubleshoot and resolve the issue. What should you do?

A.Change the Conditional Access policy to block access for non-compliant devices instead of requiring compliance.
B.Check the Conditional Access policy is enabled and includes 'Office 365 Exchange Online' as a cloud app, and that the users have the appropriate licenses for Intune.
C.Ensure that the Android devices are enrolled in Microsoft Intune and have a compliance policy assigned.
D.Verify that the Conditional Access policy includes the users who are accessing email.
AnswerB

This ensures the policy is correctly scoped and users are licensed.

Why this answer

Option B is correct because the Conditional Access policy must be enabled and correctly scoped to include the Exchange Online cloud app, and the user must have an Intune license assigned for device compliance to be evaluated. Option C is wrong because it addresses device enrollment only; enrollment is required for compliance to be evaluated, but it does not fix policy scope or licensing. Option D is wrong because it only checks that the user is in scope.

Option A is wrong because the policy should grant access only if the device is compliant, not block non-compliant devices outright.

284
Multi-Selectmedium

Which THREE components are part of Microsoft Defender XDR? (Choose three.)

Select 3 answers
A.Microsoft Purview
B.Microsoft Defender for Office 365
C.Microsoft Sentinel
D.Microsoft Defender for Identity
E.Microsoft Defender for Endpoint
AnswersB, D, E

Part of the XDR suite.

Why this answer

Options B, D, and E are correct. Defender XDR includes Defender for Office 365, Defender for Endpoint, and Defender for Identity. Option C is wrong because Sentinel is a separate product.

Option A is wrong because Purview is for data governance.

285
MCQmedium

A security analyst needs to detect and investigate compromised identities in on-premises Active Directory. They want to monitor for lateral movement, reconnaissance, and credential theft using behavioral analytics. Which Microsoft security solution is designed specifically for this purpose?

A.Microsoft Defender for Office 365
B.Microsoft Defender for Cloud
C.Microsoft Defender for Identity
D.Microsoft Sentinel
AnswerC

Defender for Identity uses behavioral analytics and integrates with on-premises AD to detect compromised identities, lateral movement, and other attack patterns.

Why this answer

Microsoft Defender for Identity (MDI) is a cloud-based security solution that leverages on-premises Active Directory signals to identify, detect, and investigate advanced threats like lateral movement, reconnaissance, and credential theft. It uses behavioral analytics and machine learning to profile user and entity behavior, alerting on suspicious activities such as Pass-the-Hash, DCSync, and Kerberoasting without requiring agents on domain controllers.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Identity with Microsoft Sentinel, assuming Sentinel's SIEM capabilities automatically cover identity-based behavioral analytics, but Sentinel lacks the native, agentless Active Directory behavioral profiling that MDI provides.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Office 365 focuses on email and collaboration threats (phishing, malware in attachments, and malicious links) and does not monitor on-premises Active Directory or lateral movement. Option B is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection platform for Azure, AWS, and GCP resources, not for on-premises Active Directory identity threats. Option D is wrong because Microsoft Sentinel is a SIEM/SOAR solution that can ingest logs from various sources, but it is not purpose-built for detecting compromised identities via behavioral analytics on Active Directory; it requires additional configuration and data connectors to achieve similar functionality.

286
MCQmedium

A security analyst needs to investigate a potential malware outbreak that started on an on-premises Windows server several days ago. They want to trace the attack timeline, see which files were modified, and understand how the attacker moved laterally across the network. Which Microsoft solution provides advanced endpoint detection and response (EDR) for on-premises servers?

A.Microsoft Defender for Cloud
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Office 365
D.Microsoft Defender for Identity
AnswerB

Correct. Defender for Endpoint is the Microsoft EDR solution that covers on-premises servers, providing incident investigation, threat hunting, and lateral movement detection.

Why this answer

Microsoft Defender for Endpoint (MDE) provides advanced endpoint detection and response (EDR) capabilities, including behavioral-based detection, automated investigation, and threat analytics. For on-premises Windows servers, MDE can be deployed via Microsoft Defender for Cloud (formerly Azure Security Center) or directly, enabling full attack timeline reconstruction, file modification tracking, and lateral movement path analysis through its rich telemetry and incident graph.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud's 'servers' workload protection with the actual EDR engine, not realizing that Defender for Cloud merely enables MDE on servers but does not replace its dedicated endpoint detection and response capabilities.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection platform that can enable MDE on servers but does not itself provide the EDR functionality; it integrates with MDE for that purpose. Option C is wrong because Microsoft Defender for Office 365 protects email, SharePoint, OneDrive, and Teams from malicious content, not on-premises server endpoints or lateral movement analysis. Option D is wrong because Microsoft Defender for Identity is an identity-based threat detection solution that monitors Active Directory signals for attacks like pass-the-hash, not file-level or endpoint-level EDR on servers.

287
MCQmedium

You are responsible for Microsoft Purview Information Protection at a law firm that handles highly confidential client documents. The firm uses Microsoft 365 E5. You need to ensure that any document containing the phrase 'Attorney-Client Privileged' is automatically labeled with a 'Highly Confidential' sensitivity label and encrypted. Additionally, if a user attempts to send such a document via email outside the organization, the action should be blocked and the user should be prompted with a policy tip. You have already created the sensitivity label with encryption settings. What should you do next?

A.Create a DLP policy that detects the phrase and automatically applies the label, then blocks external sharing.
B.Create an auto-labeling policy for the label, and create a DLP policy that detects the label and blocks external sharing with a policy tip.
C.Create an auto-labeling policy for the label, and create a mail flow rule in Exchange to block external emails with that label.
D.Create a manual labeling policy and train users to apply the label, then create a DLP policy.
AnswerB

Auto-labeling automatically applies the label, and DLP blocks sharing and provides policy tip.

Why this answer

Correct: B. Create an auto-labeling policy for the label, and a DLP policy that detects the label and blocks external sharing with a policy tip. Option A: A DLP policy alone cannot auto-label.

Option C: Missing the DLP policy; a mail flow rule does not provide the policy tip. Option D: Manual labeling is not automatic.

288
Multi-Selecteasy

Which TWO Microsoft security solutions can be used to detect and respond to threats across email, endpoints, and identities? (Choose two.)

Select 2 answers
A.Microsoft Intune
B.Microsoft Defender for Cloud Apps
C.Microsoft Purview
D.Microsoft Sentinel
E.Microsoft Defender XDR
AnswersD, E

Sentinel provides SIEM and SOAR capabilities across multiple sources.

Why this answer

Microsoft Defender XDR (extended detection and response) and Microsoft Sentinel (SIEM/SOAR) can integrate signals across email, endpoints, and identities. Option B is incorrect because Defender for Cloud Apps focuses on cloud apps. Option A is incorrect because Intune is for device management.

Option C is incorrect because Purview is for data protection, not threat detection.

289
MCQhard

Refer to the exhibit. You are reviewing an ARM template for an Azure resource. Assuming the resource is a Key Vault, what is the effect of the networkAcls configuration?

A.The Key Vault is accessible from any network.
B.The Key Vault is accessible only from the 10.0.0.0/24 subnet.
C.The Key Vault is accessible from all Azure services.
D.The Key Vault is not accessible from any network.
AnswerB

Correct: The IP rule allows that subnet, and default action denies all others.

Why this answer

The defaultAction is Deny, but an IP rule allows traffic from 10.0.0.0/24. So only that subnet can access the Key Vault. Option B is correct.

Option A is wrong because the default action denies public network access, so the vault is not reachable from arbitrary networks. Option C is wrong because the default action is Deny, not Allow. Option D is wrong because the IP rule explicitly allows the subnet.

290
Multi-Selecthard

Which TWO Microsoft Purview solutions can help identify and protect sensitive data in Microsoft Teams? (Choose TWO.)

Select 2 answers
A.Communication Compliance
B.Information Protection
C.Data Lifecycle Management
D.Data Loss Prevention
E.Insider Risk Management
AnswersB, D

Information Protection applies labels to Teams files and messages to classify and protect.

Why this answer

Data Loss Prevention (DLP) can scan Teams messages for sensitive data and block sharing. Information Protection applies sensitivity labels to content in Teams. Insider Risk Management detects risky activities but does not directly identify or protect data.

Communication Compliance monitors for policy violations. Data Lifecycle Management manages retention, not protection.

291
Multi-Selecthard

A security administrator wants to use Microsoft Defender for Cloud to protect Azure VMs. Which two of the following should be enabled to meet the requirements? (Choose two.)

Select 2 answers
A.Just-in-Time (JIT) VM access
B.Azure Bastion
C.Adaptive network hardening
D.Vulnerability assessment
AnswersA, C

JIT VM access locks down inbound traffic to VMs, reducing exposure while enabling temporary access for administrators.

Why this answer

Just-in-Time (JIT) VM access reduces the attack surface by locking down inbound traffic to Azure VMs, only opening ports (e.g., RDP 3389, SSH 22) when requested and for a limited time after approval via Microsoft Defender for Cloud. This directly protects Azure VMs by preventing persistent exposure of management ports. Adaptive network hardening complements this by analyzing actual traffic patterns and recommending tighter network security group (NSG) rules so that only legitimate traffic reaches the VMs.

Exam trap

The trap here is that candidates confuse Azure Bastion (a secure connectivity service) with a security protection feature, or think vulnerability assessment is a protective control rather than a detection tool, leading them to select options that do not actively protect VMs from network-based attacks.

292
Multi-Selectmedium

A company uses Microsoft 365 E5 and wants to protect against advanced cyber threats. Which TWO capabilities of Microsoft Defender XDR should they implement?

Select 2 answers
A.Microsoft Intune
B.Microsoft Defender for Office 365
C.Microsoft Sentinel
D.Microsoft Defender for Cloud Apps
E.Microsoft Defender for Endpoint
AnswersB, E

Correct: Protects email and collaboration tools.

Why this answer

Microsoft Defender for Endpoint and Microsoft Defender for Office 365 are core components of Microsoft Defender XDR. Defender for Cloud Apps is a separate product, and Microsoft Sentinel is a SIEM. Microsoft Intune is for device management.

293
MCQhard

A multinational corporation needs to restrict data sharing in Microsoft Teams to comply with regional regulations. Users must not be able to share files with external domains from specific departments. What should the administrator configure?

A.Microsoft Intune device compliance policy
B.Microsoft Defender for Cloud Apps session policy
C.Data Loss Prevention (DLP) policy in Microsoft Purview
D.Sensitivity labels with container management in Microsoft Purview
AnswerD

Correct: Sensitivity labels can be configured to block external sharing for specific groups.

Why this answer

Microsoft Purview Information Protection and sensitivity labels can enforce encryption and access restrictions. Additionally, Microsoft Entra ID Conditional Access can block external sharing from specific groups, but the most direct is using sensitivity labels with container management for Teams.

294
MCQmedium

An organization uses Microsoft Purview Data Loss Prevention (DLP) to prevent sensitive data from being shared externally. They need to block sharing of credit card numbers in emails and Teams messages. What should they create?

A.A retention label to retain credit card data
B.A DLP policy with a rule that detects credit card numbers and blocks sharing
C.An audit policy to log credit card sharing
D.A sensitivity label that marks credit card data
AnswerB

DLP policies enforce actions on sensitive data.

Why this answer

Option B is correct because DLP policies can detect and block sensitive data like credit card numbers in email and Teams. Option D is wrong because sensitivity labels apply metadata but don't block sharing. Option A is wrong because retention labels manage retention.

Option C is wrong because audit policies log activity but don't block.

295
MCQhard

Your organization uses Microsoft Sentinel as its SIEM. You need to create an analytics rule that detects when a user account is created in Azure AD and then, within 10 minutes, that same account is used to grant admin consent to an application. You have a KQL query that joins AuditLogs and SigninLogs. However, the rule is generating too many false positives. You need to refine the query to reduce false positives. What should you do?

A.Change the rule to alert on every admin consent grant event regardless of account creation.
B.Remove the join with SigninLogs and only use AuditLogs.
C.Add a condition to exclude accounts that are known admin accounts or service accounts.
D.Increase the time window from 10 minutes to 30 minutes.
AnswerC

This filters out legitimate administrative activity.

Why this answer

Option C is correct because known admin or service accounts are often used for legitimate, automated admin consent grants, which can trigger false positives. By excluding these accounts from the detection logic, the rule focuses on anomalous behavior from non-privileged accounts, reducing noise while preserving the core detection of suspicious account creation followed by admin consent grant.

Exam trap

The trap here is that candidates may think widening the time window or simplifying the query will reduce false positives, but in reality, these changes either increase noise or break the correlation logic, whereas excluding known legitimate accounts directly addresses the root cause of false alerts.

How to eliminate wrong answers

Option A is wrong because alerting on every admin consent grant event would massively increase false positives, as many legitimate admin consent grants occur without a preceding account creation. Option B is wrong because removing the join with SigninLogs would eliminate the temporal correlation between account creation and the subsequent sign-in used for consent, breaking the detection logic entirely. Option D is wrong because increasing the time window from 10 to 30 minutes would allow more unrelated events to match, likely increasing false positives rather than reducing them.

296
MCQmedium

A security team wants to detect when a user downloads an unusually large number of files from a third-party cloud storage app (e.g., Box) after logging in from an unfamiliar location. They also want to automatically suspend the user's account if such behavior is detected. Which Microsoft security solution should they use?

A.Microsoft Defender for Office 365
B.Microsoft Defender for Cloud Apps
C.Microsoft Defender for Identity
D.Microsoft Defender for Endpoint
AnswerB

Defender for Cloud Apps provides visibility and control over third-party cloud apps, detects anomalies (e.g., impossible travel, mass download), and can automatically suspend users to stop potential data exfiltration.

Why this answer

Microsoft Defender for Cloud Apps (MDCA) is the correct solution because it provides Cloud Access Security Broker (CASB) capabilities, including anomaly detection for user behavior across third-party cloud apps like Box. It can detect activities such as an unusually large number of file downloads from an unfamiliar location using its built-in behavioral analytics and then automatically apply a governance action, such as suspending the user's account, via policy-driven automated responses.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud Apps with Microsoft Defender for Office 365, assuming that 'cloud apps' only refers to Microsoft 365 services, but MDCA specifically covers third-party SaaS apps like Box, Salesforce, and AWS, while Defender for Office 365 is limited to Microsoft's own collaboration suite.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Office 365 focuses on protecting email and collaboration tools within Exchange Online, SharePoint Online, and Teams, not on monitoring third-party cloud storage apps like Box for anomalous download behavior. Option C is wrong because Microsoft Defender for Identity is designed to detect on-premises Active Directory attacks (e.g., lateral movement, privilege escalation) using network traffic and event logs, not to monitor user activity in third-party SaaS applications. Option D is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution that protects devices (Windows, macOS, Linux) from malware and advanced threats, not cloud app usage or user account suspension in SaaS platforms.

297
MCQeasy

An organization wants to provide a secure way for external partners to access specific SharePoint sites without creating new user accounts. What Microsoft Entra B2B feature should they use?

A.Azure AD B2C
B.Direct federation
C.Azure AD Domain Services
D.B2B collaboration
AnswerD

Enables external user access using their own identities.

Why this answer

B2B collaboration is the correct Microsoft Entra B2B feature because it allows external partners to access specific SharePoint sites using their own identities (e.g., work or social accounts) without requiring new user accounts or passwords to be created in the organization's tenant. This is achieved through invitation-based redemption, where the partner user is represented as a guest user object in the directory, enabling fine-grained access control via SharePoint site sharing policies.

Exam trap

The trap here is that candidates confuse B2B collaboration (for external partner access with existing identities) with Azure AD B2C (for customer-facing identity management), or mistakenly think Direct federation is required for partner access when B2B collaboration already handles the invitation and redemption process without creating new accounts.

How to eliminate wrong answers

Option A is wrong because Azure AD B2C (Business-to-Consumer) is designed for customer-facing applications with self-service sign-up, not for granting external partners access to internal SharePoint sites without creating accounts. Option B is wrong because Direct federation is an authentication method that establishes a trust relationship with an external IdP for inbound SAML/WS-Fed federation, but it does not provide the invitation-based guest access model needed for ad-hoc partner access to SharePoint. Option C is wrong because Azure AD Domain Services provides managed domain services (e.g., LDAP, Kerberos) for legacy applications, not for external partner identity management or SharePoint access.

298
MCQ · hard

Refer to the exhibit. You run a Kusto query in Microsoft Defender XDR Advanced Hunting. What does this query return?

A. Top 10 high-severity alert titles by number of distinct affected devices
B. Top 10 alert titles by number of distinct devices, including all severities
C. Top 10 devices with the most high-severity alerts
D. Top 10 high-severity alert titles by total number of alerts
Answer: A

Query uses dcount on DeviceName for high-severity alerts.

Why this answer

The query filters for high-severity alerts, then summarizes by AlertTitle and counts distinct DeviceName values. It orders by that count descending and takes the top 10, so it returns the top 10 high-severity alert titles ranked by the number of distinct affected devices.

Exam trap

The trap here is that candidates confuse 'distinct devices' with 'total alerts' or 'devices with the most alerts', and overlook the explicit severity filter, leading them to choose options that ignore the high-severity filter or misidentify the aggregation column.

How to eliminate wrong answers

Option B is wrong because the query explicitly filters for high-severity alerts (where Severity == 'High'), so it does not include all severities. Option C is wrong because the query summarizes by AlertTitle, not by DeviceName; it returns alert titles, not device names. Option D is wrong because the query uses dcount(DeviceName) to count distinct devices, not a count of total alerts (which would use count()).

299
Multi-Select · easy

Which TWO features are part of Microsoft Defender XDR?

Select 2 answers
A. Automated investigation and response
B. Cloud app discovery
C. Endpoint data loss prevention
D. Identity Protection
E. Incident management across workloads
Answers: A, E

XDR includes AIR capabilities.

Why this answer

Option A is correct because Microsoft Defender XDR includes automated investigation and response (AIR). Option E is correct because it includes incident management that correlates alerts across workloads. Option B is wrong because cloud app discovery is part of Microsoft Defender for Cloud Apps, not XDR itself.

Option D is wrong because Identity Protection is part of Microsoft Entra ID Protection. Option C is wrong because Endpoint DLP is part of Microsoft Purview.

300
MCQ · medium

Your organization, Contoso Ltd., uses Microsoft 365 and Microsoft Defender XDR. You are a security administrator. Recently, a user named John Doe reported that his account is sending phishing emails internally. You suspect his account is compromised. You need to contain the threat immediately while preserving forensic data. The company has the following security solutions: Microsoft Entra ID P2, Microsoft Defender for Office 365, Microsoft Defender for Endpoint, Microsoft Sentinel, and Microsoft Purview. You need to prevent the compromised account from causing further damage. Which action should you take first?

A. Reset the user's password and require a password change
B. Revoke all refresh tokens for the user in Microsoft Entra ID
C. Disable the user account in Microsoft Entra ID
D. Create a mail flow rule in Exchange Online to block the user's emails
Answer: C

Disabling immediately blocks all authentication and access.

Why this answer

Option C is correct because disabling the user account in Microsoft Entra ID is the quickest way to stop the compromised account from sending emails. Option A is wrong because resetting the password does not immediately revoke active sessions; existing tokens may still be valid. Option B is wrong because, while useful, revoking refresh tokens is not as immediate as disabling the account, and disabling the account is the stronger containment step.

Option D is wrong because creating a mail flow rule takes time and may not stop the account if it is already authenticated.
