
Microsoft MS-500 - Microsoft 365 Security Administration - 159 Questions

(@sunnyheart)

1. Which of the following tools will you use to action a GDPR Data Subject Request?

A. Service Trust Portal
B. Compliance Manager
C. Trust Center
D. Azure Security Center
E. Microsoft Compliance Portal
F. O365 Security & Compliance Center
Answer: F
Reference
https://docs.microsoft.com/en-us/microsoft-365/compliance/gdpr-dsr-office365#using-the-content-search-ediscovery-tool-to-respond-to-dsrs

 

2. 

Select all devices on which Policy1 will be applied (Choose three.)
A. Device1
B. Device2
C. Device3
D. Device4
E. Device5
Answer: A, B, E

Excluded Groups override included groups.

Select all devices on which Policy2 will be applied (Choose three.)

Answer: C, D

 

3. 

AAD-P1 is needed for conditional access

AAD-P2 is needed for identity protection

Sign-in risk is a part of Identity protection and it must be enabled for conditional access to use this condition

AAD-P2 is part of EMS-E5 bundle

4. 

Which feature do you configure to ensure that password changes comply with Active Directory password policy?

a. Password Protection
b. Identity Protection
c. Password writeback
d. Privileged Identity Management
e. Password hash sync (PHS)
Answer: C
Explanation:
If you enable password writeback, a password changed in Azure AD is checked in real-time against the policy in local AD.
Reference
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback

5. Which of the following attacks are prevented by Windows 10 secure boot?
a. Bootkit
b. Rootkit
c. Malware
d. Trojan
Answer: B
Reference
https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process#the-countermeasures

6. How long after you've deleted a user account in AAD can the account be recovered?
a. The account cannot be recovered, user account deletions in AAD are permanent
b. 15 days
c. 30 days
d. 90 days
e. Forever
Answer: C
Reference
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-restore

 

7. Which M365 threat protection feature will remove malicious email attachment after the email has been delivered?
a. Defender ATP
b. O365 ATP
c. Azure ATP
d. Exchange Online Protection (EOP)
e. Zero-hour Auto Purge (ZAP)
Answer: E
Reference
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-hour-auto-purge

 

8. You configure Azure Information Protection (AIP) for your organization. You have deployed the unified labelling client to your endpoints, who all run Windows 10. Your users have been using AIP for a few months, but your organization's privacy department have decided to change their classification naming convention and as a result you also had to change one of your AIP label's name, but no other settings had changed.
What PowerShell cmdlet can you use to scan and reapply the updated label to the My Documents folder on your computer?

a. Set-AIPFileClassification
b. Set-AIPFileLabel
c. Set-AIPScanner
d. Set-AIPScannerScannedFileTypes
Answer: B
Explanation:
Set-AIPFileClassification and Set-AIPFileLabel allows you to reapply the label to files in the folder, however, since the settings (for example sensitive information types matched) you don't need to rescan the contents of the files as is the case with Set-AIPFileClassification. You can simply use Set-AIPFileLabel in conjunction with piping from Get-AIPFileStatus to identify files with a current label applied.
Reference
https://docs.microsoft.com/en-us/azure/information-protection/rms-client/clientv2-admin-guide-powershell
https://docs.microsoft.com/en-us/powershell/module/azureinformationprotection/set-aipfilelabel?view=azureipps
https://docs.microsoft.com/en-us/powershell/module/azureinformationprotection/set-aipfileclassification?view=azureipps

9. You have user accounts as in the exhibit:

Which users' passwords can be reset by User1 (Choose three.)
a. User1
b. User2
c. User3
d. User4
e. User5

Answer: A, D, E
Explanation:
Helpdesk admin and user admin can reset passwords of non-admin users. No-one can reset passwords of guest accounts since these accounts are held and managed by another AAD tenant/instance.
Careful of the tricky nature of some of these questions. Of course User1 can reset his own password, but that might not be obvious to you when you are rushing or not thinking clearly about the question and scenario.
Reference
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles

Which users' passwords can be reset by User3 (Choose three.)

Answer: C, D, E

Which users' passwords can be reset by User1 (Choose three.)

Answer: A, C

 

 

10. Your organization has a single-domain, single-forest Active Directory. You have installed Azure AD Connect with express settings. You need a new group that you want to use to manage access to a cloud application you have registered with Azure Active Directory. What type of group will you create?
a. Security Group
b. Mail-enabled security group
c. Distribution list
d. Office 365 group
e. Any of the above
f. None of the above
Answer: A
Explanation:
Using express settings on AD Connect will sync users and certain groups (and other things) from on-premises to Azure AD. Creating the group on the on-premises AD will work, since it will be synchronized to the cloud. Since you are creating a group to be used to manage access to an application, a security group is best. You can only create O365 groups in AAD.
Reference
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal

11. How do you force newly created retention labels to be uploaded to Exchange Online?
a. Validate-RetentionRuleQuery
b. Enable-ComplianceTagStorage
c. New-ComplianceRetentionEvent
d. Start-ManagedFolderAssistant
Answer: D
Reference
https://docs.microsoft.com/en-us/powershell/module/exchange/policy-and-compliance-retention/start-managedfolderassistant?view=exchange-ps

 

12. Your Azure AD Connect is configured with Passthrough Authentication. You want to ensure reliable authentication for users.
What should you deploy in addition to your already deployed Azure AD Connect server?
a. Azure AD Connect Staging Server
b. Azure AD Connect Failover Server
c. Azure AD Connect Authentication Agent
d. Azure AD Connect Federation Server
e. Federation Proxy Server
Answer: C
Explanation:
MS recommends at least 3 authentication agents when using PTA.
Reference
https://docs.microsoft.com/en-za/azure/active-directory/hybrid/how-to-connect-pta-quick-start#step-4-ensure-high-availability

 

 

This topic was modified 4 years ago 4 times by ITPro

   
(@taichi)
 

c. The message is blocked and the administrator is notified
d. The message is blocked, both the user and the administrator receive a notification
e. None of the options are correct
Answer: A
Explanation:
The "Restrict access or encrypt the content" checkbox is not shown, and is assumed to be set to the default setting off. The message is therefore not blocked. Both the user and the admin will get a notification.
Reference
https://docs.microsoft.com/en-us/microsoft-365/compliance/create-test-tune-dlp-policy?view=o365-worldwide

Which of the below roles do you need if you want to use O365 ATP Attack Simulator? (Choose three.)
A. Global Administrator
B. Security Administrator
C. Organizational Management
D. Compliance Administrator
E. Security Operator
Answer: A, B, C
Explanation:
Security & Compliance Center as well as the other security products all have their own built-in permissions control and RBAC that is separate from and sometimes overlapping to Azure AD roles. This nuance is probably an exploitable exam tactic. Review these with an eye on "implement the principle of least privilege" questions.
Reference
https://docs

 

Which of these measures would lower the risk of having too many user accounts with the security administrator role in Azure AD?
A. Configure single sign on
B. Configure Intune
C. Configure conditional access
D. Configure privileged identity management
E. Configure identity protection
Answer: D
Explanation:
SSO will not reduce risk, this is a productivity enhancer.
Intune, conditional access and identity protection will reduce risk, but it is not specific to privileged administrator accounts.
A PIM access review would also reduce the risk, especially if configured to remove access if no longer needed thereby effectively reducing the number of privileged accounts.
Reference
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

 

Which of the following URLs provides access to the compliance manager?
A. security.microsoft.com
B. compliance.microsoft.com
C. servicetrust.microsoft.com
D. protection.office.com
E. securitycenter.windows.com
Answer: C
Explanation:
Compliance manager is part of the service trust portal.
Compliance center provides compliance score.
Reference
https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager-overview

 

Which of the following authentication methods are available for SSPR? (Choose all that apply.)
A. Password
B. Security questions
C. Email address
D. Authentication app
E. OATH token
F. Voice call
G. App password
Answer: A, B, C, D, E, F
Explanation:
All the authentication methods except app password are supported for SSPR.
Reference
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods

 

 

 

 


   
(@taichi)
 

How often are newly created retention labels published to Exchange Online?
A. Immediately
B. Every 4 hours
C. Every day
D. Every 7 days
Answer: D
Reference
https://docs.microsoft.com/en-us/microsoft-365/compliance/labels?view=o365-worldwide#published-retention-labels

In order for you to address customer managed actions you must assign, implement, and test controls
a. Leave unchanged
b. assign
c. assign and implement
d. implement and test
Answer: A
Reference
https://docs.microsoft.com/en-us/microsoft-365/compliance/meet-data-protection-and-regulatory-reqs-using-microsoft-cloud?view=o365-worldwide#understanding-the-compliance-score

 

Your organization is GDPR compliant for M365 and Azure
a. Leave unchanged
b. M365 only
c. Azure only
d. neither M365 or Azure
Answer: D
Explanation:
Unless you achieve a 100% score for the category, you are considered non-compliant.
Reference
https://docs.microsoft.com/en-us/microsoft-365/compliance/meet-data-protection-and-regulatory-reqs-using-microsoft-cloud?view=o365-worldwide#understanding-the-compliance-score

 

 

Customer managed actions are assessed manually, Microsoft managed actions are assessed manually
a. Leave unchanged
b. manually; automatically
c. automatically, manually
d. automatically, automatically
Answer: B
Explanation:
Microsoft will do their assignments automatically, you have to do yours manually.
Reference
https://docs.microsoft.com/en-us/microsoft-365/compliance/meet-data-protection-and-regulatory-reqs-using-microsoft-cloud?view=o365-worldwide#understanding-the-compliance-score

 

 

If you deploy more than one AAD Connect server, what are the non-primary servers referred to as?
a. Backup servers
b. Standby servers
c. Cluster servers
d. Staging servers
e. Fail-over servers
Answer: D
Reference
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-staging-server

 

You're setting up DLP policies in O365 Security & Compliance Center.
Which of the options can you choose to apply your DLP policy to? (Choose all that apply.)
a. Exchange Online
b. SharePoint Online
c. Teams chat
d. SharePoint
e. OneDrive
f. Teams Channel messages
g. Teams file libraries
Answer: A, B, C, E, F
Explanation:
O365 DLP can be applied to O365 online services, not on premises services.
Teams chats and channel messages are really Exchange Online hidden mailboxes.
Teams file libraries are really just SharePoint Online Sites.
Getting O365 applications to do DLP — aka detect when sensitive information types are being used in an office document, you must configure the auto-labelling feature in the sensitivity label.
Reference
https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide

 

 

How long is auditing data retained for in M365?
a. 15 days
b. 30 days
c. 90 days
d. 120 days
e. Forever
Answer: C
Reference
https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide#before-you-begin

 

22. 

 

23. Sensitivity labels can enforce information protection policies if the file was created in SharePoint Online
a. Leave unchanged
b. in OneDrive
c. in Dropbox
d. in an Office 365 app
e. anywhere
f. in any app integrated with Azure Active Directory
Answer: D
Explanation:
The idea here is that only Office apps allow the selection (and if the label is configured for protection, encryption) of AIP labels.
The OS of the system where the AIP client app is installed can also apply labels, but this is not one of the options. MCAS and SharePoint itself can also apply AIP labels to content if configured to do so.
Usually 3rd party apps cannot apply AIP labels, although one can make a 3rd party app AIP-aware by using the SDK.
That would be any Office 365 app. On the desktop, on the web or in the mobile apps.
Reference
https://docs.microsoft.com/en-us/learn/modules/m365-security-info-overview/summary-knowledge-check
 

24. You are the administrator — admin@company.com — of your organization's M365-E5 environment. You have deployed AIP and you've seen major adoption of the technology over the past few months. Many of your labels have been configured to protect documents with encryption. One of your users pebbles@company.com — leaves the organization and you are tasked with handing over the documents to a new owner — bambam@company.com

You decide to relabel the files, what is the best course of action to allow Bambam to access the content?
a. Reset Pebbles' password, sign-in as Pebbles, relabel the files using PowerShell
b. Assign the AIP super users feature to user BamBam
c. Assign the AIP super users feature to yourself
d. Reset Pebbles' password, sign-in as Pebbles, relabel the files using Windows Explorer
Answer: C
Explanation:
It is not recommended to log in as the user that left — you should be using the super user feature.
Reference
https://docs.microsoft.com/en-us/azure/information-protection/configure-super-users#configuration-for-the-super-user-feature

 

You decide to use the AIP superuser feature to achieve your goal.
Select the correct PowerShell cmdlets in the script below to achieve the above plan (Choose three.)
XXX

YYY -EmailAddress ZZZ

A. XXX = Enable-AipService
B. XXX = Enable-AipService -SuperUserFeature $True
C. XXX = Enable-AipServiceSuperUserFeature
D. YYY = Add-AipServiceSuperUser
E. YYY = Set-AipServiceSuperUserGroup
F. YYY = Enable-AipServiceSuperUserFeature
G. ZZZ = pebbles@company.com
H. ZZZ = admin@company.com
I. ZZZ = bambam@company.com
Answer: C, D, H
Reference
https://docs.microsoft.com/en-us/azure/information-protection/configure-super-users#configuration-for-the-super-user-feature

 

Select the correct PowerShell to verify that you have completed the AIP superuser feature configuration correctly
a. Get-AipServiceSuperUser
b. Get-AipServiceSuperUserGroup
c. Get-AipServiceAdminLog
Answer: A
Reference
https://docs.microsoft.com/en-us/azure/information-protection/configure-super-users#configuration-for-the-super-user-feature

 

 

25. Which of the following O365 ATP Safe Attachment options delivers the message to the user, regardless whether or not malware was detected in the attachments? (Choose four.)
a. Off
b. Monitor
c. Block
d. Allow
e. Replace
f. Dynamic Delivery
Answer: A, B, E, F
Explanation:
Block is the only option that does not deliver the message to the user.
Allow is not a valid setting.
Off and monitor delivers the message with attachments.
Replace will only deliver the message after attachments have been confirmed safe, any unsafe attachments will be replaced with a message stating that the attachment contains malware.
Dynamic will deliver the message without attachments while they are being scanned and update the message with the safe attachments. Unsafe attachment will be replaced by a message stating that the attachment contained malware.
Reference
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/dynamic-delivery-and-previewing

 

Which of the following O365-ATP safe attachment policies does not cause a message delivery delay? (Choose two.)
a. Off
b. Monitor
c. Replace
d. Block
e. Dynamic Delivery
Answer: A, E
Explanation:
All delivery options other than dynamic and off require ATP to sandbox-detonate attachments before delivery, even monitor.
Reference
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-atp-safe-attachments-policies?view=o365-worldwide

 

26. How do you integrate O365 ATP with MD-ATP? Each option is a complete solution (Choose two.)
a. There is no integration between O365 ATP and MD-ATP
b. Go to protection.office.com, threat management, explorer, WDATP settings, enable
c. Go to securitycenter.windows.com, settings, advanced features, Office 365 threat intelligence connection, enable
d. Go to security.microsoft.com, threat management, explorer, WDATP settings, enable
Answer: B, C
Explanation:
O365 ATP is referred to as O365 threat intelligence in the integration settings. You can enable the integration between the two products from either side. You don't have to configure the integration on both sides.
This is true for O365 ATP and MD-ATP but not for all three ATP products. Be sure to understand which ATP products can be integrated with each other and when you would need to do so.
Reference
https://docs.microsoft.com/en-za/microsoft-365/security/office-365-security/integrate-office-365-ti-with-wdatp#to-integrate-office-365-atp-with-microsoft-defender-atp
https://docs.microsoft.com/en-za/microsoft-365/security/office-365-security/office-365

 

27. You are the administrator of your organization's M365 subscription. You are managing your users' existing Windows 10 workstations using Intune. You want to configure the telemetry settings to only send security-related information to Microsoft.
Which of the following do you configure?
a. Device configuration profile
b. Device configuration policy
c. Device compliance policy
d. Device deployment profile
e. MDM Security Baseline profile
Answer: A
Explanation:
Device configuration profile allows forcing the configuration settings of the OS.
No such thing as a device configuration policy.
Device compliance policy has the minimum requirements for the device to be marked as compliant.
Device deployment profile is for Autopilot; new installations, not existing.
MDM Security baseline is recommended security settings (AKA configuration profile).
Reference
https://docs.microsoft.com/en-us/mem/intune/configuration/device-restrictions-windows-10#reporting-and-telemetry

 

30. The exhibit shows the O365 security&compliance center interface, where would you start a Data Subject Request (DSR) search?

a. Data Loss Prevention

b. Records management

c. Information Governance

d. Data Privacy

e. Search

f. eDiscovery

Answer: D

 

31. You are configuring Azure AD conditional access. You want to prevent users from accessing O365 cloud services on mobile devices' built-in applications, users must use only approved mobile applications or any desktop application.

Which section of the exhibit would you use to specify the application restriction?
a. Users and groups
b. Cloud apps and actions
c. Conditions
d. Grant
e. Session
Answer: D
Explanation:
Require approved client app is an access control that is configured under the Grant menu.
Creating a block access policy that specifies the client app condition will also block legacy desktop applications.
Reference
https://docs.microsoft.com/en-za/azure/active-directory/conditional-access/technical-reference#support-for-legacy-authentication

 

32. You configure AAD Connect to synchronize your OPE AD with AAD. You choose express settings.
Which of the following features are configured?
a. Password hash synchronization (PHS)
b. Password writeback
c. Group writeback
d. Device writeback
e. All of the options
f. None of the options
Answer: A
Explanation:
Express settings configures password hash sync, but none of the others. To switch on the others, you must run AAD Connect with custom settings.
Reference
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-select-installation

 

34. A user with the UPN of user1@company.com leaves your organization and his user account is deleted. 40 days later you are asked to recover a large volume of data from the user's OneDrive. Your administrator user account is admin1@company.com. From the OneDrive admin center, you verify that the days to retain files in OneDrive after a user account is marked for deletion is set to 60 days.
What do you do first?
a. From M365 admin center, choose user1 from the deleted users panel, choose restore user
b. Issue the following PowerShell: Restore-MsolUser -UserPrincipalName user1@company.com
c. Issue the following PowerShell: Get-SPODeletedSite -Identity https://company-my.sharepoint.com/personal/user1_company_com
d. Issue the following PowerShell: Get-SPODeletedSite -Identity user1@company.com
Answer: C
Explanation:
Granted, this scenario question is a little contrived due to the limitations of the Udemy exam system. For exam preparation be sure to understand the sequence of events required to restore a deleted OneDrive.
Reference
https://docs.microsoft.com/en-us/onedrive/restore-deleted-onedrive

 

What do you do second?

a. From the M365 admin center, choose deleted Sites, select user1@company.com, choose Restore
b. From the SharePoint admin center, choose deleted Sites, select user1@company.com, choose Restore
c. Issue the following PowerShell: Restore-SPODeletedSite -Identity user1@company.com
d. Issue the following PowerShell: Restore-SPODeletedSite -Identity https://company-my.sharepoint.com/personal/user1_company_com
Answer: D
Explanation:
Granted, this scenario question is a little contrived due to the limitations of the Udemy exam system. For exam preparation be sure to understand the sequence of events required to restore a deleted OneDrive.
Reference
https://docs.microsoft.com/en-us/onedrive/restore-deleted-onedrive

 

What do you do third?
a. From the SharePoint admin center, choose active Sites, select user1@company.com, choose manage admins, add admin1@company.com
b. From the OneDrive admin center, choose Storage, select user1@company.com, choose manage admins, add admin1@company.com
c. Issue the following PowerShell: Set-SPOUser -Site https://company-my.sharepoint.com/personal/user1_company_com -LoginName user1@company.com -IsSiteCollectionAdmin $True
d. Issue the following PowerShell: Set-SPOUser -Site https://company-my.sharepoint.com/personal/user1_company_com -LoginName admin1@company.com -IsSiteCollectionAdmin $True
Answer: D
Explanation:
Granted, this scenario question is a little contrived due to the limitations of the Udemy exam system. For exam preparation be sure to understand the sequence of events required to restore a deleted OneDrive.
Reference
https://docs.microsoft.com/en-us/onedrive/restore-deleted-onedrive

 

This post was modified 4 years ago 7 times by ITPro

   
(@taichi)
 

35. Select all of the sensitivity labels that are generated by AIP (Choose Five): AIP = Azure Information Protection

a. Personal
b. Non-Business
c. Private
d. Public
e. General
f. Business General
g. Sensitive
h. Confidential
i. Secret
j. Highly Confidential
k. Top Secret
Answer: A, D, E, H, J
Reference
https://docs.microsoft.com/en-us/azure/information-protection/quickstart-viewpolicy#create-and-publish-labels

36. Your organization uses SharePoint Online to share files with internal team members as well as occasionally share files with external users. Your CISO is concerned that users in the Retail department could potentially share files that contain credit card numbers with external recipients from their SharePoint Online site. You are tasked to remove external sharing for files where this is already happening, and also prevent it from happening in future. You decide to use Microsoft Cloud App Security to accomplish the task.
What type of policy would you create to accomplish your task?
a. Session Policy
b. Access Policy
c. File policy
d. Activity Policy

Answer: C
Reference
https://docs.microsoft.com/en-us/cloud-app-security/data-protection-policies

 

Which of the following file filters will you specify? You have to minimize the number of filter conditions you apply (Choose two.)
a. Access level
b. Parent folder
c. App
d. Classification label
e. Collaborators
Answer: A, B
Explanation:
You need access level to indicate external sharing, and you need parent folder to specify the SharePoint site where the files are located.
You don't need app if you are using parent folder.
The scenario does not mention that any AIP labels are being applied so classification label is not required here. You'll specify the credit card number as part of the inspection method and don't need the documents to be classified using AIP.
You will not specify collaborators, because you don't need to filter the users in this case.

 

 

37. Which of the following components are required for Azure AD Hybrid Identity with Passthrough Authentication? (Choose three.)
a. Azure AD Connect
b. Federation Proxy
c. Federation Server
d. Authentication Agent
e. Active Directory
Answer: A, D, E
Explanation:
You need the authentication agent which is a separate component from AD Connect. Although AD Connect will install that component locally on the AD Connect server when you configure PTA.
Reference
https://docs.microsoft.com/en-za/azure/security/fundamentals/choose-ad-authn

 

38. You're looking for information regarding Microsoft security, privacy and compliance practices relevant to your M365 subscription. Which of the following resources will you consult?
a. Service Trust Portal
b. Compliance Manager
c. Trust Center
d. Azure Security Center
e. Microsoft Compliance Portal
Answer: A
Reference
https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-with-service-trust-portal

39. What license level is needed for AAD Connect with pass-through authentication?
a. AAD P1
b. AAD P2
c. O365 Apps
d. AAD free
Answer: D
Reference
https://azure.microsoft.com/en-us/pricing/details/active-directory/

What license level is needed for AAD Connect with password hash sync (PHS) and password write-back?

Answer: A. AAD P1

 

 

40. What is the default retention period if you quarantine email messages that contain malware?
a. 7 days
b. 15 days
c. 30 days
d. 90 days
Answer: B
Reference
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/manage-quarantined-messages-and-files?view=o365-worldwide

 

41. Which of these are O365 ATP attack simulator capabilities (Choose three.)
a. Malware outbreak
b. Spam overrun
c. Spear phishing
d. Brute force password
e. Rainbow table password
f. Password spray
Answer: C, D, F
Reference
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulator

 

42. You've deployed WIP (Windows Information Protection) in silent mode, what is the user experience?
a. Sensitive content is blocked without user intervention
b. User is warned not to share sensitive data, but can override the warning
c. User is warned not to share sensitive data, and the action is blocked
d. Sensitive data is not blocked
Answer: D
Explanation:
The modes are block, allow overrides, silent and off. Silent mode is a monitoring-only mode.
Reference
https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip#wip-protection-modes

 

43. You need to check your organization's compliance levels against regulatory requirements.
Which tool do you use?
a. Azure Monitor
b. Office 365 Security & Compliance Center
c. M365 Admin Center
d. Service Trust Portal
e. Trust Center
Answer: D
Reference
https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-with-service-trust-portal?view=o365-worldwide

 

 

This post was modified 4 years ago 2 times by ITPro

   
(@john)
 

45. You've deployed AIP and need to choose the appropriate AIP client (Azure Information Protection).
You have the following requirements, which AIP client will you choose?
• Your organization requires a HYOK deployment (Hold your own key)
• Your organization requires that you install the client on Windows and MacOS
• Label with file explorer
A. Classic
B. Unified
C. Office
Answer: A
Reference
https://docs.microsoft.com/en-us/azure/information-protection/rms-client/use-client

 

46. You are using Attack Surface Reduction (ASR) in Microsoft 365 security center to help reduce your Windows 10 attack surfaces.
Which of the following is a prerequisite requirement for deploying ASR to Windows 10 devices?
a. Intune
b. Configuration Manager
c. Defender ATP
d. M365 license assignment
e. Device Guard
Answer: C
Reference
https://docs.microsoft.com/en-us/learn/modules/m365-security-management-endpoints/attack-surface-reduction

47. You have a multi-domain single-forest Active Directory that contains 100 users. 10 of your users belong to the Executives group. You have a M365-E5 subscription and would like to synchronize your on-premises identities with Azure AD. You have to minimize costs and administrative effort. What do you install to implement directory synchronization?
a. DIRsync
b. Azure AD Connect using express settings
c. Azure AD Connect using custom settings
d. Active Directory Federation Services (ADFS)
Answer: B
Explanation:
You should use AD Connect with express settings. Express allows you to specify multiple domains in a single forest. If you had multiple forests, you should be using custom settings.
DirSync was replaced by Azure AD Connect.
An ADFS implementation does not minimize cost and effort.
Reference
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-express
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-custom

 

48. Which of the following are Azure AD Conditional Access controls? (Choose three.)
a. Group
b. Device
c. Location
d. Require MFA
e. Require compliant device
f. Require hybrid AAD domain join
g. Client app
h. Cloud app
i. Sign-in risk
Answer: D, E, F
Explanation:
Think of assignments and conditions as the incoming signals that are part of every sign-in. The other side of conditional access is access controls (or just controls). Assignments and conditions are the incoming information at sign-in, the access controls are applied for the specified combination of assignments/conditions.
Reference
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

 

Which of the following are Azure AD Conditional Access assignments or conditions? (Choose all that apply.)
a. Group
b. Device
c. Location
d. Require MFA
e. Require compliant device
f. Require hybrid AAD domain join
g. Client app
h. Cloud app
i. Sign-in risk
j. Block
Answer: A, B, C, G, H, I
Explanation:
Think of assignments and conditions as the incoming signals that are part of every sign-in. The other side of conditional access is access controls (or just controls). Assignments and conditions are the incoming information at sign-in, the access controls are applied for the specified combination of assignments/conditions.
Reference
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

 

 

49. You configure AD Connect group writeback This causes M365 groups to be created in on-premises AD
What type of groups are created?
a Security group
b Mail-enabled security group
c Distribution list
d Dynamic user group
Answer: C
Explanation:
Group writeback creates distribution lists in AD when writing back O365 groups from Azure AD. This is a preview feature, so it is unlikely to be in the exam. However, it is included here for future
Reference
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-preview

 

50. Your company's head of IT Security has instructed you to put a continual privileged access review system in place. He requires that all privileged accounts be reviewed every seven days. Users with administrative privileges must self-assess their access; however, if an administrator doesn't respond within three days of receiving such a request, privileged access must be removed.

What will you select for the Reviewers option of the access review?
a Selected users
b Members
c Administrators
d Privileged users
Answer: B
Explanation:
Only Selected users and members (self) are options. Self-assess requires you to select members here.
Reference
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-perform-security-review

 

What will you configure as the frequency on the access review?
a One time
b Weekly
c Monthly
d Quarterly
e Annually
Answer: B
Explanation:
The question asks for "privileged accounts be reviewed every seven days" therefore the frequency must be set to weekly
Reference
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-perform-security-review

 

Where would you configure what happens if a reviewer doesn't respond to the request?
a Upon completion settings
b Advanced settings
c Duration
d Review role membership
Answer: A
Explanation:
Upon completion settings allows you to specify what happens when a user doesn't respond to the assessment.
Reference
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-perform-security-review
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-start-security-review

 

 

52. You have user accounts configured as in the exhibit. You've configured an Azure AD Identity Protection risk policy as in the second exhibit.
Azure AD Identity Protection determines that all instances in this case represent a high risk.

Which of the actions below will be performed on User1's account? (Choose three)
a User account will be blocked
b User account will be allowed access
c User account will be required to change password
d User account will be prompted for MFA
Answer: B, C, D

 

Which of the actions below will be performed on User3's account?

Answer: A User account will be blocked

 

Which of the actions below will be performed on User4's account?
A User account will be blocked
B User account will be allowed access
C User account will be required to change password
D User account will be prompted for MFA
Answer: A

 

Which of the actions below will be performed on User2's account?

Answer: B User account will be allowed access

Explanation: We're dealing with a user risk policy because the policy states password reset to be triggered. Sign-in risk policies can trigger MFA.
With sign-in risk, user risk and conditional access policies, exclusions take precedence over inclusions.
If a password reset is triggered by the user risk policy and the user is not registered for SSPR, the account is simply blocked (disabled). A call to the helpdesk/administrator is required to enable the account.
Sign-in risk, user risk and conditional access policies can all be applied to Azure AD B2B guest accounts; however, if a password reset is triggered, the account is blocked (disabled) regardless of SSPR registration in the guest user's home tenant.
Reference
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies

53. You create a sensitivity label named secret and enable encryption. On the assign permission page, you select all tenant members. A user, Sally, creates a team in Teams and invites a guest user, Kevin. Sally creates a document in Word and applies the secret label. She uploads the document to the Teams file library.
Select which items are true (Choose three)
a. Sally successfully uploads the document to Teams
b Kevin can see the document listed in the Teams files library
c Kevin can download the document from the Teams files library
d Kevin can open the document and view the content
Answer: A, B, C
Explanation:
Everyone in your organization (the all tenant members setting) excludes B2B guest accounts. Kevin is a B2B guest in this scenario. He can therefore not open the document.
DLP settings are not mentioned in the scenario and are the only thing that could prevent uploading of AIP-labelled content to Teams.
Reference
https://docs.microsoft.com/en-us/microsoft-365/compliance/encryption-sensitivity-labels#add-users-or-groups

54. You are using Microsoft Secure Score to improve the posture of the security in your organization. The Secure Score overview page reports your secure score by category as in the exhibit. You notice the secure score for Devices reports "No data to show."
Which of the following would you choose to correct the situation?
A Implement and configure Microsoft Defender Advanced Threat Protection
B Implement and configure Microsoft Cloud App Security
C Implement and configure Azure Information Protection
d Implement and configure Azure Advanced Threat Protection
E Purchase and assign M365-E5 licenses to users
Answer: A
Explanation:
Secure Score gets device data primarily from Defender ATP, and also from Intune

55. You want to detect and respond to possible attacks on the Kerberos protocol
Which M365 security solution would you implement?
a Network Security Group
b Intrusion Detection System (IDS)
c Microsoft Defender ATP
d O365 ATP
E Azure ATP
F Microsoft Threat Prevention (MTP)
Answer: E
Reference
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/suspicious-activity-guide

 

56. Which of the following classification labels are configurable in O365? (Choose two)
a Encryption label
b Protection label
c Sensitivity label
d Compliance label
e Retention label
f Policy label
Answer: C, E
Explanation:
https://docs.microsoft.com/en-us/microsoft-365/compliance/protect-information?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/compliance/labels?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide

 

57. You have the following O365 DLP rules defined in priority order. You have a file that is uploaded to OneDrive that matches all of the rules in the list below.
Rule 1 only notifies users, policy tip 1
Rule 2 notifies users, restricts access, and allows user overrides, policy tip 2
Rule 3 notifies users, restricts access, and does not allow user overrides, policy tip 3
Rule 4 only notifies users, policy tip 4
Rule 5 restricts access, policy tip 5
Rule 6 notifies users, restricts access, and does not allow user overrides, policy tip 6
What is the effective policy tip that will be displayed?
a Policy tip 1
b Policy tip 2
c Policy tip 3
d Policy tip 4
e Policy tip 5
f Policy tip 6
Answer: C
Explanation:
Most restrictive, policy tip from the most restrictive, highest priority (0 is a higher priority than g) is shown
Reference
https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide#the-priority-by-which-rules-are-processed

 

59. Which feature do you configure to ensure that password changes comply with Active Directory password policy?
a Password Protection
b Identity Protection
c Password writeback
d Privileged Identity Management
e Password hash sync (PHS)
Answer: C
Explanation:
If you enable password writeback, a password changed in Azure AD is checked in real-time against the policy in local AD.
Reference
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback

 

60. Which of the following tools are available from the service trust portal? (Choose two)
a Compliance Manager
b Trust Center
c Azure Security Center
d Microsoft Compliance Portal
e O365 Security & Compliance Center
Answer: A, B

61. Which of these are components provisioned during an Azure ATP installation? (Choose three)
a portal
b Sensor
c Cloud service
d Appliance
e Agent
Answer: A, B, C
Reference
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-architecture

62. You are configuring a 3rd party DLP solution for your organization. You need to give the DLP system the ability to decrypt any data item that has been protected by an AIP label. You want the solution to be operational immediately.
What should you do? (Choose three)
a Run the Enable-AipServiceSuperUserFeature PowerShell cmdlet
b Run the Add-AipServiceSuperUser PowerShell cmdlet
c Run the Set-AipServiceSuperUserGroup PowerShell cmdlet
d Run the New-AzureADUser PowerShell cmdlet
e Run the Add-AzureADGroupMember PowerShell cmdlet
Answer: A, B, D
Explanation:
Enable the feature, create a user, add the user to the feature.
You can also create a group, add the user to the group and assign the group to the feature, but AIP caches group membership and only updates it periodically — it won't be available immediately as is required by the question.
Reference
https://docs.microsoft.com/en-us/powershell/module/azuread/add-azureadgroupmember?view=azureadps-2.0

This post was modified 4 years ago 6 times by ITPro

   
(@taichi)
Member
Joined: 4 years ago
Posts: 408
 

63. You're deploying Defender ATP. You want it to apply automatic remediation to all users, except for executives who must be manually remediated. What do you configure to achieve this?
a Two alerts
b Two Defender roles
c Two machine groups
d Two dynamic groups
e Two device configuration profiles
Answer: C
Reference
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/machine-groups

 

66. In what format are Azure ATP downloadable reports available?
a PDF
b XLSX
c DOCX
d CSV
e All of the above
Answer: B
Reference
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/reports

 

68. You are configuring Azure ATP and have switched on delayed deployment for all sensors.
How long after the release of a service update will the sensors update?
a 12 hours
b 72 hours
c 14 days
d 30 days
e 12 months
Answer: B
Reference
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/sensor-update#delayed-sensor-update

 

70. Which two do you need to configure to allow access to your company's Exchange online service from Outlook on mobile devices, but only if the corporate data on the mobile device is encrypted? (Choose two)
a Cloud App Security access policy
b Information Protection policy
c Intune App Protection policy
d Conditional Access policy
e Intune Device Compliance policy
Answer: C, D
Explanation:
You need a conditional access policy to block access unless Outlook is used (exception).
You need a MAM-WE policy to ensure Outlook mobile encrypts the data.
Reference
https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy

72. The My Library feature of the service trust portal lets you save your own documents so that you can quickly access them on your My Library page.
a True
b False
Answer: B
Reference
https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-with-service-trust-portal#my-library

75. Select the appropriate AIP usage rights for the built-in role of Reviewer (Choose all that apply)
a Reply
b Reply all
c View
d Edit
e Forward
f Copy
g Print
h Change Rights
Answer: A, B, C, D, E
Explanation:
It is unlikely that the exam would ask a question like this outright. This question, however, goes to the core of the issue at hand: it is important for you to have an understanding of the different rights each role has. The roles have very similar names and it is easy to confuse them. The roles are Viewer, Reviewer, Co-Author, and Co-Owner.
Reference
https://docs.microsoft.com/en-us/learn/modules/m365-security-sensitivity-labels/protection-settings

 

Select the appropriate AIP usage rights for the built-in role of Co-Author (Choose all that apply)

Answer: A, B, C, D, E, F, G

 

76. Which of the following role definitions are available for assignment to resources in Azure?
a User Access Administrator
b Global Administrator
c User Administrator
d Billing Administrator
e All of the options
f None of the options
Answer: A
Explanation:
There are two types of roles in Azure: Azure AD roles and Azure resource roles.
The fundamental roles for Azure resources are Owner, Contributor, Reader, and User Access Administrator.
Global administrator, User administrator and billing administrator are all Azure AD roles.
Reference
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#user-access-administrator

 

80. You are adjusting data retention policies in O365. A colleague has set up a data retention policy that retains certain sensitive information types for 7 years. As part of your corporate data governance policies you are required to allow users to manually tag items for retention for up to 3 years. You open the SCC and create a data retention label with data retention of 3 years. A user creates an email that contains a GDPR-related sensitive information type. The user tags the item with the 3-year retention label.
How long will Exchange retain the email item for?
a The item will be retained for 7 years
b The item will be retained for 3 years
c The item will be retained for 10 years
d The item will be retained for 4 years
Answer: A
Explanation:
Retention wins over deletion
Longest retention wins
Explicit inclusion wins (manually apply a label)
Shortest deletion wins
Reference
https://docs.microsoft.com/en-za/microsoft-365/compliance/retention-policies#the-principles-of-retention-or-what-takes-precedence

This post was modified 4 years ago 4 times by ITPro

   