Reference Solution for

ms-101.vce
MS-101

MS-101

Microsoft 365 Mobility and Security

Version 14.0

Score: 800/1000
Version:
Time Limit: 120 Minutes

1
Licensed to PEAKUP TECHNOLOGY [email protected]
Implement modern device services
(56 questions)

Question 1
You have a hybrid Azure Active Directory (Azure AD) tenant and a Microsoft Endpoint Configuration
Manager deployment.

You have the devices shown in the following table.

You plan to enable co-management.

You need to identify which devices support co-management without requiring the installation of
additional software.

Which devices should you identify?

 Device1 only
 Device2 only
 Device3 only
 Device2 and Device3 only
 Device1, Device2, and Device3

2 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 2
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your network contains an on-premises Active Directory domain. The domain contains 2,000
computers that run Windows 8.1 and have applications installed as shown in the following table.

You enroll all the computers in Upgrade Readiness.

You need to ensure that App1 and App2 have an UpgradeDecision status of Ready to upgrade.

Solution: You set the importance status of App2 to Low install count.

Does this meet the goal?

 Yes
 No
Explanation:

Explanation:

If an app is installed on less than 2% of the targeted devices, it's marked Low install count. Two
percent is the default value. You can adjust the threshold in the readiness settings from 0% to 10%.
Desktop Analytics automatically marks these apps as Ready to upgrade.

Reference:

https://docs.microsoft.com/en-us/configmgr/desktop-analytics/about-deployment-plans

3 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 3
HOTSPOT

You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users
shown in the following table.

You integrate Microsoft Intune and

contoso.com as shown in the following exhibit.

You purchase a Windows 10 device named Device1.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

4 Licensed to PEAKUP TECHNOLOGY

[email protected]
NOTE: Each correct selection is worth one point.

Solution:

Explanation:

Reference:

https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enroll

5 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 4
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your network contains an Active Directory domain named contoso.com that is synced to Microsoft
Azure Active Directory (Azure AD).

You manage Windows 10 devices by using Microsoft System Center Configuration Manager (Current
Branch).

You configure pilot co-management.

You add a new device named Device1 to the domain. You install the Configuration Manager client on
Device1.

You need to ensure that you can manage Device1 by using Microsoft Intune and Configuration
Manager.

Solution: You create a device configuration profile from the Device Management admin center.

Does this meet the goal?

 Yes
 No

6 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 5
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your network contains an on-premises Active Directory domain. The domain contains 2,000
computers that run Windows 8.1 and have applications installed as shown in the following table.

You enroll all the computers in Upgrade Readiness.

You need to ensure that App1 and App2 have an UpgradeDecision status of Ready to upgrade.

Solution: You set the Importance status of App1 to Business critical.

Does this meet the goal?

 Yes
 No
Explanation:

Explanation:

Business Critical will prevent the app having a status of Ready to upgrade.

References:

https://docs.microsoft.com/en-us/windows/deployment/upgrade/upgrade-readiness-identify-apps

7 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 6
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your network contains an on-premises Active Directory domain. The domain contains domain
controllers that run Windows Server 2019. The functional level of the forest and the domain is
Windows Server 2012 R2.

The domain contains 100 computers that run Windows 10 and a member server named Server1 that
runs Windows Server 2012 R2.

You plan to use Server1 to manage the domain and to configure Windows 10 Group Policy settings.

You install the Group Policy Management Console (GPMC) on Server1.

You need to configure the Windows Update for Business Group Policy settings on Server1.

Solution: You upgrade Server1 to Windows Server 2019.

Does this meet the goal?

 Yes
 No

Question 7
You have Windows 10 Pro devices that are joined to an Active Directory domain.

You plan to create a Microsoft 365 tenant and to upgrade the devices to Windows 10 Enterprise.

You are evaluating whether to deploy Windows Hello for Business.

What are two prerequisites of the deployment? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

 Microsoft Intune enrollment

 Microsoft Azure Active Directory (Azure AD)
 smartcards
 TPM-enabled devices
Explanation:

Reference:

8 Licensed to PEAKUP TECHNOLOGY

[email protected]
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-
hybrid-aadj-sso-base

Question 8
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your network contains an on-premises Active Directory domain. The domain contains domain
controllers that run Windows Server 2019. The functional level of the forest and the domain is
Windows Server 2012 R2.

The domain contains 100 computers that run Windows 10 and a member server named Server1 that
runs Windows Server 2012 R2.

You plan to use Server1 to manage the domain and to configure Windows 10 Group Policy settings.

You install the Group Policy Management Console (GPMC) on Server1.

You need to configure the Windows Update for Business Group Policy settings on Server1.

Solution: You raise the forest functional level to Windows Server 2016. You copy the Group Policy
Administrative Templates from a Windows 10 computer to the Netlogon share on all the domain
controllers.

Does this meet the goal?

 Yes
 No

9 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 9
From the Microsoft Azure Active Directory (Azure AD) Identity Protection dashboard, you view the
risk events shown in the exhibit. (Click the Exhibit tab.)

You need to reduce the likelihood that the sign-ins are identified as risky.

What should you do?

 From the Security & Compliance admin center, create a classification label.
 From the Security & Compliance admin center, add the users to the Security Readers
role group.
 From the Azure Active Directory admin center, configure the trusted IPs for multi-
factor authentication.
 From the Conditional access blade in the Azure Active Directory admin center, create
named locations.
Explanation:

References:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition

10 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 10
You use Microsoft System Center Configuration Manager (Current Branch) to manage devices.

Your company uses the following types of devices:

Windows 10
Windows 8.1
Android
iOS

Which devices can be managed by using co-management?

 Windows 10 and Windows 8.1 only

 Windows 10, Android, and iOS only
 Windows 10 only
 Windows 10, Windows 8.1, Android, and iOS
Explanation:

References:

https://docs.microsoft.com/en-us/sccm/core/plan-design/choose-a-device-management-
solution#bkmk_intune

11 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 11
HOTSPOT

You have three devices enrolled in Microsoft Endpoint Manager as shown in the following table.

The device compliance policies in Endpoint Manager are configured as shown in the following table.

The device compliance policies have the assignments shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Solution:

12 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 12
HOTSPOT

Your network contains an Active Directory domain named contoso.com that uses Microsoft System
Center Configuration Manager (Current Branch).

You have Windows 10 and Windows 8.1 devices.

You need to ensure that you can analyze the upgrade readiness of all the Windows 8.1 devices and
analyze the update compliance of all the Windows 10 devices.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Solution:

Explanation:

References:

https://docs.microsoft.com/en-us/windows/deployment/upgrade/upgrade-readiness-get-started

https://docs.microsoft.com/en-us/windows/deployment/update/update-compliance-get-started

13 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 13
You have a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com.

You need to provide a user with the ability to sign up for Microsoft Store for Business for
contoso.com. The solution must use the principle of least privilege.

Which role should you assign to the user?

 Cloud application administrator

 Application administrator
 Global administrator
 Service administrator
Explanation:

References:

https://docs.microsoft.com/en-us/microsoft-store/roles-and-permissions-microsoft-store-for-
business

Question 14
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You are deploying Microsoft Intune.

You successfully enroll Windows 10 devices in Intune.

When you try to enroll an iOS device in Intune, you get an error.

You need to ensure that you can enroll the iOS device in Intune.

Solution: You add your user account as a device enrollment manager.

Does this meet the goal?

 Yes
 No

14 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 15
Your company has a Microsoft 365 subscription that contains the domains shown in the following
table.

The company plans to add a custom domain named fabrikam.com to the subscription, and then to
enable enrollment of devices to Endpoint Manager by using auto-discovery for fabrikam.com.

You need to add a DNS record to the fabrikam.com domain to enable device enrollment by using
auto-discovery.

Which record type should you use for the new record?

 PTR
 SRV
 CNAME
 TXT
Explanation:

Reference:

https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enroll#simplify-windows-
enrollment-without-azure-ad-premium

15 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 16
HOTSPOT

You have several devices enrolled in Microsoft Intune.

You have a Microsoft Azure Active Directory (Azure AD) tenant that includes the users shown in the
following table.

The device limit restrictions in Intune are configured as shown in the following table.

You add User3 as a device enrollment manager in Intune.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Solution:

Explanation:

Reference:

https://docs.microsoft.com/en-us/intune/device-enrollment-manager-enroll
16 Licensed to PEAKUP TECHNOLOGY
[email protected]
Question 17
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your network contains an Active Directory domain named contoso.com that is synced to Microsoft
Azure Active Directory (Azure AD).

You manage Windows 10 devices by using Microsoft System Center Configuration Manager (Current
Branch).

You configure pilot co-management.

You add a new device named Device1 to the domain. You install the Configuration Manager client on
Device1.

You need to ensure that you can manage Device1 by using Microsoft Intune and Configuration
Manager.

Solution: You add Device1 to an Active Directory group.

Does this meet the goal?

 Yes
 No
Explanation:

References:

https://www.scconfigmgr.com/2017/11/30/how-to-setup-co-management-part-6/

17 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 18
You have computers that run Windows 10 Enterprise and are joined to the domain.

You plan to delay the installation of new Windows builds so that the IT department can test
application compatibility.

You need to prevent Windows from being updated for the next 30 days.

Which two Group Policy settings should you configure? Each correct answer presents part of the
solution.

NOTE: Each correct selection is worth one point.

 Select when Quality Updates are received

 Select when Preview Builds and Feature Updates are received
 Turn off auto-restart for updates during active hours
 Manage preview builds
 Automatic updates detection frequency
Explanation:

References:

https://insider.windows.com/en-us/for-business-organization-admin/

18 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 19
HOTSPOT

You have a Microsoft 365 subscription that contains the users shown in the following table.

You configure an Enrollment Status Page profile as shown in the following exhibit.

You assign the policy to Group1.

You purchase the devices shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

19 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

Reference:

https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-status

20 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 20
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your network contains an on-premises Active Directory domain. The domain contains domain
controllers that run Windows Server 2019. The functional level of the forest and the domain is
Windows Server 2012 R2.

The domain contains 100 computers that run Windows 10 and a member server named Server1 that
runs Windows Server 2012 R2.

You plan to use Server1 to manage the domain and to configure Windows 10 Group Policy settings.

You install the Group Policy Management Console (GPMC) on Server1.

You need to configure the Windows Update for Business Group Policy settings on Server1.

Solution: You copy the Group Policy Administrative Templates from a Windows 10 computer to
Server1.

Does this meet the goal?

 Yes
 No

21 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 21
HOTSPOT

You have a Microsoft 365 subscription that contains the users in the following table.

In Microsoft Endpoint Manager, you create two device type restrictions that have the settings shown
in the following table.

In Microsoft Endpoint Manager, you create three device limit restrictions that have the settings
shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

22 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Question 22
Your network contains an on-premises Active Directory domain that syncs to Azure Active Directory
(Azure AD).

The domain contains two servers named Server1 and Server2 that run Windows Server 2016. Server1
has the File Server Resource Manager role service installed.

You need to configure Server1 to use the Azure Rights Management (Azure RMS) connector.

You install the Microsoft Management connector on Server1.

What should you do next on Server1?

 Run the GenConnectorConfig.ps1 script.

 Configure the URL of the AIPMigrated group.
 Enable BitLocker Drive Encryption (BitLocker).
 Install a certification authority (CA).
Explanation:

Explanation:

If you want to use the server configuration tool for the RMS connector, to automate the
configuration of registry settings on your on-premises servers, download and run the
GenConnectorConfig.ps1 script.

References:

https://docs.microsoft.com/en-us/azure/information-protection/install-configure-rms-
connector#installing-the-rms-connector

23 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 23
You have two conditional access policies named Policy1 and Policy2.

Policy1 has the following settings:

Assignments:
- Users and groups: User1
- Cloud apps or actions: Office 365 Exchange Online
- Conditions: 0 conditions selected
Access controls:
- Grant: Grant access
- Session: 0 controls selected
Enable policy: On

Policy2 has the following settings:

Assignments:
- Users and groups: User1
- Cloud apps or actions: Office 365 Exchange Online
- Conditions: 0 conditions selected
Access controls:
- Grant: Block access
- Session: 0 controls selected
Enable policy: On

You need to ensure that User1 can access Microsoft Exchange Online only from devices that are
marked as compliant.

What should you do?

 Modify the Grant settings of Policy2.

 Disable Policy2.
 Modify the Conditions settings of Policy2.
 Modify the Grant settings of Policy1.

24 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 24
Your company has 10 offices.

The network contains an Active Directory domain named contoso.com. The domain contains 500
client computers. Each office is configured as a separate subnet.

You discover that one of the offices has the following:

Computers that have several preinstalled applications

Computers that use nonstandard computer names
Computers that have Windows 10 preinstalled
Computers that are in a workgroup

You must configure the computers to meet the following corporate requirements:

All the computers in the office must be joined to the domain.

All the computers in the office must have computer names that use a prefix of CONTOSO.
All the computers in the office must only have approved corporate applications installed.

You need to recommend a solution to redeploy the computers. The solution must minimize the
deployment time.

Which deployment method should you recommend?

 a provisioning package
 wipe and load refresh
 Windows Autopilot
 an in-place upgrade
Explanation:

Explanation:

By using a Provisioning, IT administrators can create a self-contained package that contains all of the
configuration, settings, and apps that need to be applied to a device.

Incorrect Answers:

C: With Windows Autopilot the user can set up pre-configure devices without the need consult their
IT administrator.

D: Use the In-Place Upgrade option when you want to keep all (or at least most) existing applications.

References:

https://docs.microsoft.com/en-us/windows/deployment/windows-10-deployment-scenarios

https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot

25 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 25
HOTSPOT

Your network contains an Active Directory domain named contoso.com. All client devices run
Windows 10 and are joined to the domain.

You update the Windows 10 devices by using Windows Update for Business.

What is the maximum amount of time you can defer Windows 10 updates? To answer, select the
appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Solution:

Explanation:

References:

https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb

26 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 26
Your company has a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com.

You sign up for Microsoft Store for Business.

The tenant contains the users shown in the following table.

Microsoft Store for Business has the following Shopping behavior settings:

Make everyone a Basic Purchaser is set to Off.

Allow app requests is set to On.

You need to identify which users can add apps to the Microsoft Store for Business private store.

Which users should you identify?

 User1 and User2 only

 User3 only
 User1 only
 User3 and User4 only

Question 27
A user receives the following message when attempting to sign in to https://myapps.microsoft.com:

“Your sign-in was blocked. We’ve detected something unusual about this sign-in. For example, you
might be signing in from a new location, device, or app. Before you can continue, we need to verify
your identity. Please contact your admin.”

Which configuration prevents the users from signing in?

 Microsoft Azure Active Directory (Azure AD) Identity Protection policies

 Microsoft Azure Active Directory (Azure AD) conditional access policies
 Security & Compliance supervision policies
 Security & Compliance data loss prevention (DLP) policies
Explanation:

References:

27 Licensed to PEAKUP TECHNOLOGY

[email protected]
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

Question 28
HOTSPOT

You have the Microsoft Azure Active Directory (Azure AD) users shown in the following table.

Your company uses Microsoft Intune.

Several devices are enrolled in Intune as shown in the following table.

The device compliance policies in Intune are configured as shown in the following table.

You create a conditional access policy that has the following settings:

The Assignments settings are configured as follows:

Users and groups: Group1
Cloud apps: Microsoft Office 365 Exchange Online
Conditions: Include All device state, exclude Device marked as compliant
Access controls is set to Block access.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

28 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Question 29
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your network contains an Active Directory domain named contoso.com that is synced to Microsoft
Azure Active Directory (Azure AD).

You manage Windows 10 devices by using Microsoft System Center Configuration Manager (Current
Branch).

You configure pilot co-management.

You add a new device named Device1 to the domain. You install the Configuration Manager client on
Device1.

You need to ensure that you can manage Device1 by using Microsoft Intune and Configuration
Manager.

Solution: Define a Configuration Manager device collection as the pilot collection. Add Device1 to the
collection.

Does this meet the goal?

 Yes
 No

29 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 30
You have a Microsoft 365 tenant.

You have a line-of-business application named App1 that users access by using the My Apps portal.

After some recent security breaches, you implement a conditional access policy for App1 that uses
Conditional Access App Control.

You need to be alerted by email if impossible travel is detected for a user of App1. The solution must
ensure that alerts are generated for App1 only.

What should you do?

 From Microsoft Cloud App Security, create a Cloud Discovery anomaly detection
policy.
 From Microsoft Cloud App Security, modify the impossible travel alert policy.
 From Microsoft Cloud App Security, create an app discovery policy.
 From the Azure Active Directory admin center, modify the conditional access policy.
Explanation:

References:

https://docs.microsoft.com/en-us/cloud-app-security/cloud-discovery-anomaly-detection-policy

Question 31
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You are deploying Microsoft Intune.

You successfully enroll Windows 10 devices in Intune.

When you try to enroll an iOS device in Intune, you get an error.

You need to ensure that you can enroll the iOS device in Intune.

Solution: You configure the Apple MDM Push certificate.

Does this meet the goal?

 Yes
 No
Explanation:

30 Licensed to PEAKUP TECHNOLOGY

[email protected]
References:

https://docs.microsoft.com/en-us/intune/apple-mdm-push-certificate-get

Question 32
HOTSPOT

You have three devices enrolled in Microsoft Intune as shown in the following table.

The device compliance policies in Intune are configured as shown in the following table.

The device compliance policies have the assignments shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Solution:

31 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 33
HOTSPOT

Your network contains an Active Directory forest named contoso.com that is synced to Microsoft
Azure Active Directory (Azure AD).

You use Microsoft Endpoint Configuration Manager for device management.

You have the Windows 10 devices shown in the following table.

You configure Endpoint Configuration Manager co-management as follows:

Automatic enrollment in Intune: Pilot

Pilot collection for all workloads: Collection2

You configure co-management workloads as shown in the following exhibit.

32 Licensed to PEAKUP TECHNOLOGY

[email protected]
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

33 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Question 34
Your company has a Microsoft 365 E5 subscription.

Users in the research department work with sensitive data.

You need to prevent the research department users from accessing potentially unsafe websites by
using hyperlinks embedded in email messages and documents. Users in other departments must not
be restricted.

What should you do from the Security & Compliance admin center?

 Create a data loss prevention (DLP) policy that has a Content is shared condition.
 Modify the default safe links policy.
 Create a data loss prevention (DLP) policy that has a Content contains condition.
 Create a new safe links policy.
Explanation:

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/set-up-atp-safe-links-
policies#policies-that-apply-to-specific-email-recipients

34 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 35
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You are deploying Microsoft Intune.

You successfully enroll Windows 10 devices in Intune.

When you try to enroll an iOS device in Intune, you get an error.

You need to ensure that you can enroll the iOS device in Intune.

Solution: You configure the Mobility (MDM and MAM) settings.

Does this meet the goal?

 Yes
 No

35 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 36
HOTSPOT

You have three devices enrolled in Microsoft Endpoint Manager as shown in the following table.

The device compliance policies in Endpoint Manager are configured as shown in the following table.

The device compliance policies have the assignments shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Solution:

36 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 37
You have a Microsoft Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.

You have a Microsoft 365 subscription.

You need to ensure that administrators can manage the configuration settings for all the Windows 10
devices in your organization.

What should you configure?

 the Enrollment restrictions

 the mobile device management (MDM) authority
 the Exchange on-premises access settings
 the Windows enrollment settings
Explanation:

References:

https://docs.microsoft.com/en-us/intune/mdm-authority-set

Question 38
HOTSPOT

You have an Azure subscription and an on-premises Active Directory domain. The domain contains
50 computers that run Windows 10.

You need to centrally monitor System log events from the computers.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

37 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/learn/quick-collect-windows-computer

Question 39
Your network contains an Active Directory domain named contoso.com. The domain contains 100
Windows 8.1 devices.

You plan to deploy a custom Windows 10 Enterprise image to the Windows 8.1 devices.

You need to recommend a Windows 10 deployment method.

What should you recommend?

 a provisioning package
 an in-place upgrade
 wipe and load refresh
 Windows Autopilot
Explanation:

References:

https://docs.microsoft.com/en-us/microsoft-365/enterprise/windows10-infrastructure

38 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 40
HOTSPOT

Your company has a Microsoft 365 tenant.

You plan to allow users from the engineering department to enroll their mobile device in mobile
device management (MDM).

The device type restrictions are configured as shown in the following table.

The device limit restrictions are configured as shown in the following table.

What is the effective configuration for the members of the Engineering group? To answer, select the
appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

39 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Question 41
Your company has a Microsoft 365 E3 subscription.

All devices run Windows 10 Pro and are joined to Microsoft Azure Active Directory (Azure AD).

You need to change the edition of Windows 10 to Enterprise the next time users sign in to their
computer. The solution must minimize downtime for the users.

What should you use?

 Windows Autopilot
 Windows Update
 Subscription Activation
 an in-place upgrade
Explanation:

References:

https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot

40 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 42
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your network contains an on-premises Active Directory domain. The domain contains 2,000
computers that run Windows 8.1 and have applications installed as shown in the following table.

You enroll all the computers in Upgrade Readiness.

You need to ensure that App1 and App2 have an UpgradeDecision status of Ready to upgrade.

Solution: You set the ReadyForWindows status of App2 to Highly adopted.

Does this meet the goal?

 Yes
 No
Explanation:

Explanation:

App1 has a “low install count” (2% or less) so will be Ready to upgrade. We just need to change the
setting for App2.

References:

https://docs.microsoft.com/en-us/windows/deployment/upgrade/upgrade-readiness-identify-apps

41 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 43
HOTSPOT

You have 100 computers that run Windows 8.1 and are enrolled in Upgrade Readiness.

Two of the computers are configured as shown in the following table.

From Upgrade Readiness, you view the applications shown in the following table.

You enroll a computer named Computer3 in Upgrade Readiness. Computer3 has the following
configurations:

8 GB of memory
64-bit architecture
An application named App3 installed

App3 is installed on Computer3 only.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

42 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

43 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 44
HOTSPOT

You create two device compliance policies for Android devices as shown in the following table.

You have the Android devices shown in the following table.

The users belong to the groups shown in the following table.

The users enroll their device in Microsoft Intune.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

44 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

References:

https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-android

Question 45
You have a Microsoft 365 tenant.

All users are assigned the Enterprise Mobility + Security license.

You need to ensure that when users join their device to Microsoft Azure Active Directory (Azure AD),
the device is enrolled in Microsoft Intune automatically.

What should you configure?

 Enrollment restrictions from the Device Management admin center

 device enrollment managers from the Device Management admin center
 MAM User scope from the Azure Active Directory admin center
 MDM User scope from the Azure Active Directory admin center
Explanation:

References:

https://docs.microsoft.com/en-us/intune/windows-enroll

45 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 46
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your network contains an Active Directory domain named contoso.com that is synced to Microsoft
Azure Active Directory (Azure AD).

You manage Windows 10 devices by using Microsoft System Center Configuration Manager (Current
Branch).

You configure pilot co-management.

You add a new device named Device1 to the domain. You install the Configuration Manager client on
Device1.

You need to ensure that you can manage Device1 by using Microsoft Intune and Configuration
Manager.

Solution: You add Device1 to a Configuration Manager device collection.

Does this meet the goal?

 Yes
 No

46 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 47
You configure a conditional access policy. The locations settings are configured as shown in the
Locations exhibit. (Click the Locations tab.)

The users and groups settings are configured as shown in the Users and Groups exhibit. (Click Users
and Groups tab.)

Members of the Security reader group report that they cannot sign in to Microsoft Active Directory
(Azure AD) on their device while they are in the office.

You need to ensure that the members of the Security reader group can sign in in to Azure AD on their
device while they are in the office. The solution must use the principle of least privilege.

47 Licensed to PEAKUP TECHNOLOGY

[email protected]
What should you do?

 From the conditional access policy, configure the device state.

 From the Azure Active Directory admin center, create a custom control.
 From the Device Management admin center, create a device compliance policy.
 From the Azure Active Directory admin center, create a named location.
Explanation:

References:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition

Question 48
Your company has a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com and a
Microsoft 365 subscription.

The company recently hired four new users who have the devices shown in the following table.

You configure the Microsoft 365 subscription to ensure that the new devices enroll in Microsoft
Intune automatically.

Which users have a device that can enroll in Microsoft Intune automatically?

 User1, User2, User3, and User4

 User2 only
 User1 and User2 only
 User1, User2, and User3 only

48 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 49
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your network contains an Active Directory domain named contoso.com that is synced to Microsoft
Azure Active Directory (Azure AD).

You manage Windows 10 devices by using Microsoft System Center Configuration Manager (Current
Branch).

You configure pilot co-management.

You add a new device named Device1 to the domain. You install the Configuration Manager client on
Device1.

You need to ensure that you can manage Device1 by using Microsoft Intune and Configuration
Manager.

Solution: You unjoin Device1 from the Active Directory domain.

Does this meet the goal?

 Yes
 No

Question 50
Your company has a Microsoft 365 subscription. The subscription contains 500 devices that run
Windows 10 and 100 devices that run iOS.

You need to create Microsoft Intune device configuration profiles to meet the following
requirements:

Configure Wi-Fi connectivity to a secured network named ContosoNet.

Require passwords of at least six characters to lock the devices.

What is the minimum number of device configuration profiles that you should create?

 4
 2
 1

49 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 51
You have a Microsoft 365 E5 subscription that uses an Azure Active Directory (Azure AD) tenant
named contoso.com.

You need to ensure that users can enroll devices in Microsoft Endpoint Manager without manually
entering the address of Microsoft Endpoint Manager.

Which two DNS records should you create? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

 a CNAME record for AutoDiscover.contoso.com

 a CNAME record for EnterpriseEnrollment.contoso.com
 a TXT record for EnterpriseRegistration.contoso.com
 an SRV record for _SIP._TLS.contoso.com
 an SRV record for _SIPfederationTLS.contoso.com
 a CNAME record for EnterpriseRegistration.contoso.com
 a TXT record for EnterpriseEnrollment.contoso.com
Explanation:

Reference:

https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enroll#simplify-windows-
enrollment-without-azure-ad-premium

50 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 52
HOTSPOT

You have several devices enrolled in Microsoft Endpoint Manager.

You have a Microsoft Azure Active Directory (Azure AD) tenant that includes the users shown in the
following table.

The device type restrictions in Endpoint Manager are configured as shown in the following table.

You add User3 as a device enrollment manager in Endpoint Manager.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Solution:

51 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 53
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You are deploying Microsoft Intune.

You successfully enroll Windows 10 devices in Intune.

When you try to enroll an iOS device in Intune, you get an error.

You need to ensure that you can enroll the iOS device in Intune.

Solution: You create an Apple Configurator enrollment profile.

Does this meet the goal?

 Yes
 No

Question 54
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your network contains an on-premises Active Directory domain. The domain contains 2,000
computers that run Windows 8.1 and have applications installed as shown in the following table.

You enroll all the computers in Upgrade Readiness.

You need to ensure that App1 and App2 have an UpgradeDecision status of Ready to upgrade.

Solution: You set the ReadyForWindows status of App1 to Highly adopted.

Does this meet the goal?

 Yes
 No
Explanation:
52 Licensed to PEAKUP TECHNOLOGY
[email protected]
Explanation:

App1 has a “low install count” (2% or less) so will be Ready to upgrade. We need to change the
setting for App2.

References:

https://docs.microsoft.com/en-us/windows/deployment/upgrade/upgrade-readiness-identify-apps

Question 55
Your company uses Microsoft Endpoint Configuration Manager and Microsoft Endpoint Manager to
co-manage devices.

Which two actions can be performed only from Endpoint Manager? Each correct answer presents a
complete solution.

NOTE: Each correct selection is worth one point.

 Deploy applications to Windows 10 devices.

 Deploy VPN profiles to iOS devices.
 Deploy VPN profiles to Windows 10 devices.
 Publish applications to Android devices.
Explanation:

References:

https://docs.microsoft.com/en-us/sccm/comanage/overview

https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/create-vpn-profiles

53 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 56
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You are deploying Microsoft Intune.

You successfully enroll Windows 10 devices in Intune.

When you try to enroll an iOS device in Intune, you get an error.

You need to ensure that you can enroll the iOS device in Intune.

Solution: You create the Mobility (MDM and MAM) settings.

Does this meet the goal?

 Yes
 No

54 Licensed to PEAKUP TECHNOLOGY

[email protected]
Case Study (7 questions)
Case Study
Overview

Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in
Seattle and New York.

The company has the employees and devices shown in the following table.

Contoso recently purchased a Microsoft 365 E5 subscription.

Existing Environment

The network contains an on-premises Active Directory forest named contoso.com. The forest
contains the servers shown in the following table.

All servers run Windows Server 2016. All desktops and laptops run Windows 10 Enterprise and are
joined to the domain.

The mobile devices of the users in the Montreal and Seattle offices run Android. The mobile devices
of the users in the New York office run iOS.

The domain is synced to Azure Active Directory (Azure AD) and includes the users shown in the
following table.

55 Licensed to PEAKUP TECHNOLOGY

[email protected]
The domain also includes a group named Group1.

Requirements
Planned Changes

Contoso plans to implement the following changes:

Implement Microsoft 365.

Manage devices by using Microsoft Intune.
Implement Azure Advanced Threat Protection (ATP).
Every September, apply the latest feature updates to all Windows computers. Every March, apply the
latest feature updates to the computers in the New York office only.
Technical Requirements

Contoso identifies the following technical requirements:

When a Windows 10 device is joined to Azure AD, the device must enroll in Intune automatically.
Dedicated support technicians must enroll all the Montreal office mobile devices in Intune.
User1 must be able to enroll all the New York office mobile devices in Intune.
Azure ATP sensors must be installed and must NOT use port mirroring.
Whenever possible, the principle of least privilege must be used.
A Microsoft Store for Business must be created.
Compliance Requirements

Contoso identifies the following compliance requirements:

Ensure that the users in Group1 can only access Microsoft Exchange Online from devices that are
enrolled in Intune and configured in accordance with the corporate policy.
Configure Windows Information Protection (WIP) for the Windows 10 devices.

Question 57
HOTSPOT

As of March, how long will the computers in each office remain supported by Microsoft? To answer,
select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

56 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

57 Licensed to PEAKUP TECHNOLOGY

[email protected]
Explanation:

References:

https://www.windowscentral.com/whats-difference-between-quality-updates-and-feature-updates-
windows-10

Question 58
You need to ensure that User1 can enroll the devices to meet the technical requirements.

What should you do?

 From the Azure Active Directory admin center, assign User1 the Cloud device
administrator role.
 From the Azure Active Directory admin center, configure the Maximum number of
devices per user setting.
 From the Endpoint Management admin center, add User1 as a device enrollment
manager.
 From the Endpoint Management admin center, configure the Enrollment restrictions.
Explanation:

References:

https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/enroll-devices-with-device-enrollment-
manager

58 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 59
HOTSPOT

You need to meet the technical requirements and planned changes for Intune.

What should you do? To answer, select the appropriate options is the answer area.

NOTE: Each correct selection is worth one point.

Solution:

Explanation:

Reference:

https://docs.microsoft.com/en-us/intune/windows-enroll

59 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 60
HOTSPOT

You need to configure a conditional access policy to meet the compliance requirements.

You add Exchange Online as a cloud app.

Which two additional settings should you configure in Policy1? To answer, select the appropriate
settings in the answer area.

NOTE: Each correct selection is worth one point.

60 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

References:

https://docs.microsoft.com/en-us/intune/create-conditional-access-intune

Question 61
You need to ensure that the support technicians can meet the technical requirement for the
Montreal office mobile devices.

What is the minimum of dedicated support technicians required?

 1
 4
 7
 31
Explanation:

References:

https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/enroll-devices-with-device-enrollment-
manager

61 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 62
HOTSPOT

You need to meet the Intune requirements for the Windows 10 devices.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Solution:

Explanation:

References:

https://docs.microsoft.com/en-us/intune/windows-enroll

62 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 63
You need to create the Microsoft Store for Business.

Which user can create the store?

 User2
 User3
 User4
 User5
Explanation:

References:

https://docs.microsoft.com/en-us/microsoft-store/roles-and-permissions-microsoft-store-for-
business

63 Licensed to PEAKUP TECHNOLOGY

[email protected]
Case Study (1 questions)
Case Study
Overview

ADatum Corporation is an international financial services company that has 5,000 employees.

ADatum has six offices: a main office in New York and five branch offices in Germany, the United
Kingdom, France, Spain, and Italy.

All the offices are connected to each other by using a WAN link. Each office connects directly to the
Internet.

Existing Environment
Current Infrastructure

ADatum recently purchased a Microsoft 365 subscription.

All user files are migrated to Microsoft 365.

All mailboxes are hosted in Microsoft 365. The users in each office have email suffixes that include
the country of the user, for example, [email protected] or [email protected].

Each office has a security information and event management (SIEM) appliance. The appliance comes
from three different vendors.

ADatum uses and processes Personally Identifiable Information (PII).

Problem Statements

ADatum entered into litigation. The legal department must place a hold on all the documents of a
user named User1 that are in Microsoft 365.

Requirements

Business Goals

ADatum wants to be fully compliant with all the relevant data privacy laws in the regions where is
operates.

ADatum wants to minimize the cost of hardware and software whenever possible.

Technical Requirements

ADatum identifies the following technical requirements:

64 Licensed to PEAKUP TECHNOLOGY

[email protected]
Centrally perform log analysis for all offices.
Aggregate all data from the SIEM appliances to a central cloud repository for later analysis.
Ensure that a SharePoint administrator can identify who accessed a specific file stored in a document
library.
Provide the users in the finance department with access to Service assurance information in
Microsoft Office 365.
Ensure that documents and email messages containing the PII data of European Union (EU) citizens
are preserved for 10 years.
If a user attempts to download 1,000 or more files from Microsoft SharePoint Online within 30
minutes, notify a security administrator and suspend the user’s user account.
A security administrator requires a report that shown which Microsoft 365 users signed in. Based on
the report, the security administrator will create a policy to require multi-factor authentication when
a sign-in is high risk.
Ensure that the users in the New York office can only send email messages that contain sensitive U.S.
PII data to other New York office uses. Email messages must be monitored to ensure compliance.
Auditors in the New York office must have access to reports that show the sent and received email
messages containing sensitive U.S. PII data.

Question 64
You need to recommend a solution for the security administrator. The solution must meet the
technical requirements.

What should you include in the recommendation?

 Microsoft Azure Active Directory (Azure AD) Privileged Identity Management

 Microsoft Azure Active Directory (Azure AD) Identity Protection
 Microsoft Azure Active Directory (Azure AD) conditional access policies
 Microsoft Azure Active Directory (Azure AD) authentication methods
Explanation:

References:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/untrusted-networks

65 Licensed to PEAKUP TECHNOLOGY

[email protected]
Implement Microsoft 365 security and threat management
(58 questions)

Question 65
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a Microsoft 365 subscription.

You need to prevent users from accessing your Microsoft SharePoint Online sites unless the users are
connected to your on-premises network.

Solution: From the Device Management admin center, you create a trusted location and a
compliance policy

Does this meet the goal?

 Yes
 No
Explanation:

Explanation:

Conditional Access in SharePoint Online can be configured to use an IP Address white list to allow
access.

References:

https://techcommunity.microsoft.com/t5/Microsoft-SharePoint-Blog/Conditional-Access-in-
SharePoint-Online-and-OneDrive-for/ba-p/46678

66 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 66
Your company has digitally signed applications.

You need to ensure that Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
considers the digitally signed applications safe and never analyzes them.

What should you create in the Microsoft Defender Security Center?

 a custom detection rule

 an allowed/blocked list rule
 an alert suppression rule
 an indicator
Explanation:

Reference:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-
atp/manage-indicators

Question 67
Your network contains an on-premises Active Directory domain named contoso.com. The domain
contains 1,000 Windows 10 devices.

You perform a proof of concept (PoC) deployment of Microsoft Defender Advanced Threat
Protection (ATP) for 10 test devices. During the onboarding process, you configure Microsoft
Defender ATP-related data to be stored in the United States.

You plan to onboard all the devices to Microsoft Defender ATP.

You need to store the Microsoft Defender ATP data in Europe.

What should you do first?

 Create a workspace.
 Onboard a new device.
 Delete the workspace.
 Offboard the test devices.

67 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 68
HOTSPOT

You have a Microsoft Azure Activity Directory (Azure AD) tenant contains the users shown in the
following table.

Group3 is a member of Group1.

Your company uses Microsoft Defender Advanced Threat Protection (ATP). Microsoft Defender ATP
contains the roles shown in the following table.

Microsoft Defender ATP contains the device groups shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

68 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Question 69
HOTSPOT

You have a Microsoft 365 subscription.

You are planning a threat management solution for your organization.

You need to minimize the likelihood that users will be affected by the following threats:

Opening files in Microsoft SharePoint that contain malicious content

Impersonation and spoofing attacks in email messages

Which policies should you create in the Security & Compliance admin center? To answer, select the
appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

69 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

Explanation:

Box 1: ATP Safe Attachments

ATP Safe Attachments provides zero-day protection to safeguard your messaging system, by checking
email attachments for malicious content. It routes all messages and attachments that do not have a
virus/malware signature to a special environment, and then uses machine learning and analysis
techniques to detect malicious intent. If no suspicious activity is found, the message is forwarded to
the mailbox.

Box 2: ATP anti-phishing

ATP anti-phishing protection detects attempts to impersonate your users and custom domains. It
applies machine learning models and advanced impersonation-detection algorithms to avert phishing
attacks.

ATP Safe Links provides time-of-click verification of URLs, for example, in emails messages and Office
files. Protection is ongoing and applies across your messaging and Office environment. Links are
scanned for each click: safe links remain accessible and malicious links are dynamically blocked.

References:

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/office-365-
atp#configure-atp-policies

70 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 70
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant that contains a user named User1.

Your company purchases a Microsoft 365 subscription.

You need to ensure that User1 is assigned the required role to create file policies and manage alerts
in the Cloud App Security admin center.

Solution: From the Security & Compliance admin center, you assign the Security Administrator role to
User1.

Does this meet the goal?

 Yes
 No
Explanation:

References:

https://docs.microsoft.com/en-us/cloud-app-security/manage-admins

71 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 71
HOTSPOT

Your company uses Microsoft Defender Advanced Threat Protection (ATP). Microsoft Defender ATP
includes the machine groups shown in the following table.

You onboard a computer named computer1 to Microsoft Defender ATP as shown in the following
exhibit.

Use the drop-down menus to select the answer choice that completes each statement.

NOTE: Each correct selection is worth one point.

72 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

73 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 72
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant that contains a user named User1.

Your company purchases a Microsoft 365 subscription.

You need to ensure that User1 is assigned the required role to create file policies and manage alerts
in the Cloud App Security admin center.

Solution: From the Azure Active Directory admin center, you assign the Compliance administrator
role to User1.

Does this meet the goal?

 Yes
 No
Explanation:

References:

https://docs.microsoft.com/en-us/cloud-app-security/manage-admins

74 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 73
DRAG DROP

You have a Microsoft 365 subscription.

You have the devices shown in the following table.

You need to onboard the devices to Microsoft Defender Advanced Threat Protection (ATP). The
solution must avoid installing software on the devices whenever possible.

Which onboarding method should you use for each operating system? To answer, drag the
appropriate methods to the correct operating systems. Each method may be used once, more than
once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Solution:

Explanation:

References:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-
atp/onboard-downlevel-windows-defender-advanced-threat-protection

75 Licensed to PEAKUP TECHNOLOGY

[email protected]
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-
atp/configure-endpoints-windows-defender-advanced-threat-protection

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-
atp/configure-server-endpoints-windows-defender-advanced-threat-protection

Question 74
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant that contains a user named User1.

Your company purchases a Microsoft 365 subscription.

You need to ensure that User1 is assigned the required role to create file policies and manage alerts
in the Cloud App Security admin center.

Solution: From the Cloud App Security admin center, you assign the App/instance admin role for all
Microsoft Online Services to User1.

Does this meet the goal?

 Yes
 No
Explanation:

Explanation:

App/instance admin: Has full or read-only permissions to all of the data in Microsoft Cloud App
Security that deals exclusively with the specific app or instance of an app selected.

Reference:

https://docs.microsoft.com/en-us/cloud-app-security/manage-admins

76 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 75
HOTSPOT

You have a Microsoft Azure Activity Directory (Azure AD) tenant contains the users shown in the
following table.

Group3 is a member of Group1.

Your company uses Microsoft Defender Advanced Threat Protection (ATP). Microsoft Defender ATP
contains the roles shown in the following table.

Microsoft Defender ATP contains the device groups shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

77 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

References:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/user-
roles-windows-defender-advanced-threat-protection

Question 76
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a Microsoft 365 subscription.

You need to prevent users from accessing your Microsoft SharePoint Online sites unless the users are
connected to your on-premises network.

Solution: From the Device Management admin center, you create a device configuration profile.

Does this meet the goal?

 Yes
 No

78 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 77
You have a Microsoft 365 subscription.

You need to be notified if users receive email containing a file that has a virus.

What should you do?

 From the Exchange admin center, create a spam filter policy.

 From the Security & Compliance admin center, create a data governance event.
 From the Security & Compliance admin center, create an alert policy.
 From the Exchange admin center, create a mail flow rule.
Explanation:

Explanation:

You can create alert policies to track malware activity and data loss incidents. We've also included
several default alert policies that help you monitor activities such as assigning admin privileges in
Exchange Online, malware attacks, phishing campaigns, and unusual levels of file deletions and
external sharing.

The Email messages containing malware removed after delivery default alert generates an alert
when any messages containing malware are delivered to mailboxes in your organization.

Incorrect answers:

A: A spam filter policy includes selecting the action to take on messages that are identified as spam.
Spam filter policy settings are applied to inbound messages.

B: A data governance event commences when an administrator creates it, following which
background processes look for content relating to the event and take the retention action defined in
the label. The retention action can be to keep or remove items, or to mark them for manual
disposition.

D: You can inspect email attachments in your Exchange Online organization by setting up mail flow
rules. Exchange Online offers mail flow rules that provide the ability to examine email attachments as
a part of your messaging security and compliance needs. However, mail flow rules are not used to
detect malware in emails.

Reference:

79 Licensed to PEAKUP TECHNOLOGY

[email protected]
https://docs.microsoft.com/en-us/office365/securitycompliance/alert-policies

80 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 78
HOTSPOT

Your company purchases a cloud app named App1.

You plan to publish App1 by using a conditional access policy named Policy1.

You need to ensure that you can control access to App1 by using a Microsoft Cloud App Security
session policy.

Which two settings should you modify in Policy1? To answer, select the appropriate settings in the
answer area.

NOTE: Each correct selection is worth one point.

81 Licensed to PEAKUP TECHNOLOGY

[email protected]
82 Licensed to PEAKUP TECHNOLOGY
[email protected]
Solution:

Explanation:

References:

https://docs.microsoft.com/en-us/cloud-app-security/proxy-deployment-aad

83 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 79
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant that contains a user named User1.

Your company purchases a Microsoft 365 subscription.

You need to ensure that User1 is assigned the required role to create file policies and manage alerts
in the Cloud App Security admin center.

Solution: From the Azure Active Directory admin center, you assign the Security administrator role to
User1.

Does this meet the goal?

 Yes
 No
Explanation:

References:

https://docs.microsoft.com/en-us/cloud-app-security/manage-admins

Question 80
You have a Microsoft 365 subscription.

All users have their email stored in Microsoft Exchange Online.

In the mailbox of a user named User1, you need to preserve a copy of all the email messages that
contain the word ProjectX.

What should you do?

 From the Security & Compliance admin center, create a label and a label policy.
 From the Exchange admin center, create a mail flow rule.
 From the Security & Compliance admin center, start a message trace.
 From Exchange admin center, start a mail flow message trace.
Explanation:

References:

https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-classification

84 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 81
Your company has five security information and event management (SIEM) appliances. The traffic
logs from each appliance are saved to a file share named Logs.

You need to analyze the traffic logs.

What should you do from Microsoft Cloud App Security?

 Click Investigate, and then click Activity log.

 Click Control, and then click Policies. Create a file policy.
 Click Discover, and then click Create snapshot report.
 Click Investigate, and then click Files.
Explanation:

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/investigate-an-activity-in-office-
365-cas

85 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 82
You have a Microsoft 365 E5 subscription that uses Microsoft Defender Advanced Threat Protection
(Microsoft Defender ATP).

When users attempt to access the portal of a partner company, they receive the message shown in
the following exhibit.

You need to enable user access to the partner company’s portal.

Which Microsoft Defender ATP setting should you modify?

 Custom detections
 Advanced hunting
 Alert notifications
 Indicators
 Alert suppression
Explanation:

Reference:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-
atp/manage-indicators

86 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 83
DRAG DROP

You create a Microsoft 365 subscription.

You need to create a deployment plan for Microsoft Azure Advanced Threat Protection (ATP).

Which four actions should you perform in sequence? To answer, move the appropriate actions from
the list of actions to the answer area and arrange them in the correct order.

87 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

References:

https://blog.ahasayen.com/azure-advanced-threat-protection-deployment/

Question 84
Your company has 5,000 Windows 10 devices. All the devices are protected by using Microsoft
Defender Advanced Threat Protection (ATP).

You need to create a filtered view that displays which Microsoft Defender ATP alert events have a
high severity and occurred during the last seven days.

What should you use in Microsoft Defender ATP?

 the threat intelligence API

 Automated investigations
 Threat analytics
 Advanced hunting
Explanation:

References:

88 Licensed to PEAKUP TECHNOLOGY

[email protected]
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-
atp/investigate-alerts-windows-defender-advanced-threat-protection

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-
atp/automated-investigations-windows-defender-advanced-threat-protection

Question 85
You have a Microsoft 365 subscription.

From the subscription, you perform an audit log search, and you download all the results.

You plan to review the audit log data by using Microsoft Excel.

You need to ensure that each audited property appears in a separate Excel column.

What should you do first?

 From Power Query Editor, transform the JSON data.

 Format the Operations column by using conditional formatting.
 Format the AuditData column by using conditional formatting.
 From Power Query Editor, transform the XML data.
Explanation:

Explanation:

After you search the Office 365 audit log and download the search results to a CSV file, the file
contains a column named AuditData, which contains additional information about each event. The
data in this column is formatted as a JSON object, which contains multiple properties that are
configured as property:value pairs separated by commas. You can use the JSON transform feature in
the Power Query Editor in Excel to split each property in the JSON object in the AuditData column
into multiple columns so that each property has its own column. This lets you sort and filter on one
or more of these properties

References:

https://docs.microsoft.com/en-us/microsoft-365/compliance/export-view-audit-log-records

89 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 86
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a Microsoft 365 subscription.

You need to prevent users from accessing your Microsoft SharePoint Online sites unless the users are
connected to your on-premises network.

Solution: From the Azure Active Directory admin center, you create a trusted location and a
conditional access policy.

Does this meet the goal?

 Yes
 No
Explanation:

Explanation:

Conditional Access in SharePoint Online can be configured to use an IP Address white list to allow
access.

References:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition

https://techcommunity.microsoft.com/t5/Microsoft-SharePoint-Blog/Conditional-Access-in-
SharePoint-Online-and-OneDrive-for/ba-p/46678

90 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 87
You have a Microsoft 365 subscription.

You recently configured a Microsoft SharePoint Online tenant in the subscription.

You plan to create an alert policy.

You need to ensure that an alert is generated only when malware is detected in more than five
documents stored in SharePoint Online during a period of 10 minutes.

What should you do first?

 Enable Microsoft Office 365 Cloud App Security.

 Deploy Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
 Enable Microsoft Office 365 Analytics.

Question 88
You implement Microsoft Azure Advanced Threat Protection (Azure ATP).

You have an Azure ATP sensor configured as shown in the following exhibit.

How long after the Azure ATP cloud service is updated will the sensor update?

 72 hours
 12 hours
 48 hours
 7 days
 24 hours
Explanation:

References:

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-whats-new

91 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 89
You have a Microsoft 365 subscription that contains 500 users.

You have several hundred computers that run the 64-bit version of Windows 10 Enterprise and have
the following configurations:

Two volumes that contain data

A CPU that has two cores
TPM disabled
4 GB of RAM

All the computers are managed by using Microsoft Endpoint Manager.

You need to ensure that you can turn on Windows Defender Application Guard on the computers.

What should you do first?

 Modify the edition of Windows 10.

 Create an additional volume.
 Replace the CPU and enable TPM.
 Replace the CPU and increase the RAM.
Explanation:

Explanation:

The computers need 4 CPU cores and 8GB of RAM.

Reference:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-
application-guard/reqs-wd-app-guard

Question 90
Your company uses Microsoft Azure Advanced Threat Protection (ATP) and Microsoft Defender ATP.

You need to integrate Microsoft Defender ATP and Azure ATP.

What should you do?

 From Azure ATP, configure the notifications and reports.

 From Azure ATP, configure the data sources.
 From Microsoft Defender Security Center, configure the Machine management
settings.
 From Microsoft Defender Security Center, configure the General settings.
Explanation:

92 Licensed to PEAKUP TECHNOLOGY

[email protected]
References:

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/integrate-wd-atp

Question 91
Your network contains an on-premises Active Directory domain.

Your company has a security policy that prevents additional software from being installed on domain
controllers.

You need to monitor a domain controller by using Microsoft Azure Advanced Threat Protection
(ATP).

What should you do? More than one answer choice may achieve the goal. Select the BEST answer.

 Deploy an Azure ATP sensor, and then configure port mirroring.

 Deploy an Azure ATP sensor, and then configure detections.
 Deploy an Azure ATP standalone sensor, and then configure detections.
 Deploy an Azure ATP standalone sensor, and then configure port mirroring.
Explanation:

Reference:

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/install-atp-step5

Question 92
You have a Microsoft 365 subscription that uses Microsoft Defender Advanced Threat Protection
(Microsoft Defender ATP).

All the devices in your organization are onboarded to Microsoft Defender ATP.

You need to ensure that an alert is generated if malicious activity was detected on a device during
the last 24 hours.

What should you do?

 From Alerts queue, create a suppression rule and assign an alert

 From the Security & Compliance admin center, create an audit log search
 From Advanced hunting, create a query and a detection rule
 From the Security & Compliance admin center, create a data loss prevention (DLP)
policy
Explanation:

Reference:

93 Licensed to PEAKUP TECHNOLOGY

[email protected]
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-
atp/custom-detection-rules

Question 93
HOTSPOT

Your company has a Microsoft 365 subscription.

You need to configure Microsoft 365 to meet the following requirements:

Malware found in email attachments must be quarantined for 20 days.

The email address of senders to your company must be verified.

Which two options should you configure in the Security & Compliance admin center? To answer,
select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Solution:

94 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 94
The users at your company use Dropbox Business to store documents. The users access Dropbox
Business by using the MyApps portal.

You need to ensure that user access to Dropbox Business is authenticated by using a Microsoft 365
identity. The documents must be protected if the data is downloaded to a device that is not trusted.

What should you do?

 From the Device Management admin center, configure conditional access settings.
 From the Azure Active Directory admin center, configure the device settings.
 From the Azure Active Directory admin center, configure application proxy settings.
 From the Device Management admin center, configure device enrollment settings.
Explanation:

Explanation:

Azure Active Directory's Application Proxy provides secure remote access to on-premises web
applications. After a single sign-on to Azure AD, users can access both cloud and on-premises
applications through an external URL or an internal application portal.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy

95 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 95
HOTSPOT

You have Microsoft 365 subscription.

You create an alert policy as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.

NOTE: Each correct selection is worth one point.

96 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

Explanation:

Note: The Aggregation settings has a 120 minute window

Question 96
You have a Microsoft 365 E5 subscription.

You need to be notified if users receive email containing a file that has a virus.

What should you do?

 From the Exchange admin center, create an in-place eDiscovery & hold.
 From the Exchange admin center, create a spam filter policy.
 From the Exchange admin center, create an anti-malware policy.
 From the Exchange admin center, create a mail flow rule.
Explanation:

97 Licensed to PEAKUP TECHNOLOGY

[email protected]
Reference:

https://docs.microsoft.com/en-us/office365/servicedescriptions/exchange-online-service-
description/anti-spam-and-anti-malware-protection

Question 97
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a Microsoft 365 subscription.

You discover that some external users accessed content on a Microsoft SharePoint site. You modify
the SharePoint sharing policy to prevent sharing outside your organization.

You need to be notified if the SharePoint sharing policy is modified in the future.

Solution: From the SharePoint admin center, you modify the sharing settings.

Does this meet the goal?

 Yes
 No

98 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 98
HOTSPOT

From the Microsoft Azure Active Directory (Azure AD) Identity Protection dashboard, you view the
risk events shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.

NOTE: Each correct selection is worth one point.

Solution:

99 Licensed to PEAKUP TECHNOLOGY

[email protected]
Explanation:

References:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted

https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-sign-in-risk-
policy

https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/quickstart-configure-
named-locations

Question 99
You have a Microsoft 365 subscription.

All users have their email stored in Microsoft Exchange Online.

In the mailbox of a user named User1, you need to preserve a copy of all the email messages that
contain the word ProjectX.

What should you do first?

 From Microsoft Cloud App Security, create an access policy.

 From the Security & Compliance admin center, create an eDiscovery case.
 From Microsoft Cloud App Security, create an activity policy.
 From the Security & Compliance admin center, create a data loss prevention (DLP)
policy.
Explanation:

Explanation:

A DLP policy contains a few basic things:

Where to protect the content: locations such as Exchange Online, SharePoint Online, and OneDrive
for Business sites, as well as Microsoft Teams chat and channel messages.

When and how to protect the content by enforcing rules comprised of:

Conditions the content must match before the rule is enforced. For example, a rule might be
configured to look only for content containing Social Security numbers that's been shared with
people outside your organization.

Actions that you want the rule to take automatically when content matching the conditions is found.
For example, a rule might be configured to block access to a document and send both the user and
compliance officer an email notification.

References:

https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies

100 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 100
You have a Microsoft 365 E5 subscription that uses Microsoft Defender Advanced Threat Protection
(Microsoft Defender ATP).

From Microsoft Defender ATP, you turn on the Allow or block file advanced feature.

You need to block users from downloading a file named File1.exe.

What should you use?

 a suppression rule
 an indicator
 a device configuration profile
Explanation:

Reference:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-
atp/respond-file-alerts#allow-or-block-file

Question 101
You have a Microsoft 365 subscription.

Your company purchases a new financial application named App1.

From Cloud Discovery in Microsoft Cloud App Security, you view the Discovered apps page and
discover that many applications have a low score because they are missing information about
domain registration and consumer popularity.

You need to prevent the missing information from affecting the App1 score.

What should you configure from the Cloud Discover settings?

 Organization details
 Default behavior
 Score metrics
 App tags
Explanation:

References:

https://docs.microsoft.com/en-us/cloud-app-security/discovered-app-queries

101 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 102
You have an Azure Active Directory (Azure AD) tenant and a Microsoft 365 E5 subscription. The
tenant contains the users shown in the following table.

You plan to implement Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).

You verify that role-based access control (RBAC) is turned on in Microsoft Defender ATP.

You need to identify which user can view security incidents from the Microsoft Defender Security
Center.

Which user should you identify?

 User1
 User2
 User3
 User4

Question 103
You have a Microsoft 365 subscription.

You need to be notified if users receive email containing a file that has a virus.

What should you do?

 From the Exchange admin center, create an in-place eDiscovery & hold.
 From the Security & Compliance admin center, create a data governance event.
 From the Exchange admin center, create an anti-malware policy.
 From the Exchange admin center, create a mail flow rule.
Explanation:

Reference:

https://docs.microsoft.com/en-us/office365/servicedescriptions/exchange-online-service-
description/anti-spam-and-anti-malware-protection

102 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 104
HOTSPOT

You have a new Microsoft 365 subscription.

A user named User1 has a mailbox in Microsoft Exchange Online.

You need to log any changes to the mailbox folder permissions of User1.

Which command should you run? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Solution:

Explanation:

Explanation:

To enable auditing for a single mailbox (in this example, belonging to Holly Sharp), use this
PowerShell command: Set-Mailbox username -AuditEnabled $true

References:

https://support.microsoft.com/en-us/help/4026501/office-auditing-in-office-365-for-admins

https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/set-
mailbox?view=exchange-ps

103 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 105
DRAG DROP

You have the Microsoft Azure Advanced Threat Protection (ATP) workspace shown in the Workspace
exhibit. (Click the Workspace tab.)

The sensors settings for the workspace are configured as shown in the Sensors exhibit. (Click the
Sensors tab.)

You need to ensure that Azure ATP stores data in Asia.

Which three actions should you perform in sequence? To answer, move the appropriate actions from
the list of actions to the answer area and arrange them in the correct order.

Solution:

104 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 106
You have a Microsoft 365 subscription and an on-premises Active Directory domain named
contoso.com. All client computers run Windows 10 Enterprise and are joined to the domain.

You need to enable Microsoft Defender Credential Guard on all the computers.

What should you do?

 From the Security & Compliance admin center, configure the DKIM signatures for the
domain.
 From a domain controller, create a Group Policy object (GPO) that enables the
Restrict delegation of credentials to remote servers setting.
 From the Security & Compliance admin center, create a device security policy.
 From a domain controller, create a Group Policy object (GPO) that enabled the Turn
On Virtualization Based Security setting.
Explanation:

Reference:

https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-
guard/credential-guard-manage

Question 107
You have a Microsoft 365 subscription.

You need to be notified if users receive email containing a file that has a virus.

What should you do?

 From the Exchange admin center, create an in-place eDiscovery & hold.
 From the Security & Compliance admin center, create a safe attachments policy.
 From the Security & Compliance admin center, create a data loss prevention (DLP)
policy.
 From the Security & Compliance admin center, create an alert policy.
Explanation:

Reference:

https://docs.microsoft.com/en-us/office365/securitycompliance/alert-policies

105 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 108
HOTSPOT

Your company uses Microsoft Defender Advanced Threat Protection (ATP). Microsoft Defender ATP
contains the device groups shown in the following table.

You onboard computers to Microsoft Defender ATP as shown in the following table.

Of which groups are Computer1 and Computer2 members? To answer, select the appropriate
options in the answer area.

NOTE: Each correct selection is worth one point.

106 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Question 109
Your company has a Microsoft 365 subscription that uses an Azure Active Directory (Azure AD)
tenant named contoso.com. The tenant contains computers that run Windows 10 Enterprise and are
managed by using Microsoft Intune. The computers are configured as shown in the following table.

You plan to implement Windows Defender Application Guard for contoso.com.

You need to identify on which two Windows 10 computers Windows Defender Application Guard can
be installed.

Which two computers should you identify? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

 Computer1
 Computer3
 Computer2
 Computer4
Explanation:

107 Licensed to PEAKUP TECHNOLOGY

[email protected]
Reference:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-
application-guard/reqs-wd-app-guard

Question 110
HOTSPOT

You have a Microsoft 365 subscription. All client devices are managed by Microsoft Endpoint
Manager.

You need to implement Microsoft Defender Advanced Threat Protection (ATP) for all the supported
devices enrolled in mobile device management (MDM).

What should you include in the device configuration profile? To answer, select the appropriate
options in the answer area.

NOTE: Each correct selection is worth one point.

Solution:
108 Licensed to PEAKUP TECHNOLOGY
[email protected]
Explanation:

Reference:

https://docs.microsoft.com/en-us/intune/advanced-threat-protection

Question 111
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a Microsoft 365 subscription.

You discover that some external users accessed content on a Microsoft SharePoint site. You modify
the SharePoint sharing policy to prevent sharing outside your organization.

You need to be notified if the SharePoint sharing policy is modified in the future.

Solution: From the Security & Compliance admin center, you create a threat management policy.

Does this meet the goal?

 Yes
 No

109 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 112
HOTSPOT

You have a Microsoft 365 E5 subscription linked to an Azure Active Directory (Azure AD) tenant. The
tenant contains a group named Group1 and the users shown in the following table:

The tenant has a conditional access policy that has the following configurations:

Name: Policy1
Assignments:
- Users and groups: Group1
- Cloud aps or actions: All cloud apps
Access controls:
Grant, require multi-factor authentication
Enable policy: Report-only

You set Enabled Security defaults to Yes for the tenant.

For each of the following settings select Yes, if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Solution:

Explanation:

110 Licensed to PEAKUP TECHNOLOGY

[email protected]
Explanation:

Report-only mode is a new Conditional Access policy state that allows administrators to evaluate the
impact of Conditional Access policies before enabling them in their environment. With the release of
report-only mode:

Conditional Access policies can be enabled in report-only mode.

During sign-in, policies in report-only mode are evaluated but not enforced.

Results are logged in the Conditional Access and Report-only tabs of the Sign-in log details.

Customers with an Azure Monitor subscription can monitor the impact of their Conditional Access
policies using the Conditional Access insights workbook.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-
access-report-only

Question 113
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a Microsoft 365 subscription.

You need to prevent users from accessing your Microsoft SharePoint Online sites unless the users are
connected to your on-premises network.

Solution: From the Microsoft 365 admin center, you configure the Organization profile settings.

Does this meet the goal?

 Yes
 No
Explanation:

Explanation:

Conditional Access in SharePoint Online can be configured to use an IP Address white list to allow
access.

References:
111 Licensed to PEAKUP TECHNOLOGY
[email protected]
https://techcommunity.microsoft.com/t5/Microsoft-SharePoint-Blog/Conditional-Access-in-
SharePoint-Online-and-OneDrive-for/ba-p/46678A

Question 114
HOTSPOT

Your company uses Microsoft Cloud App Security.

You plan to integrate Cloud App Security and security information and event management (SIEM).

You need to deploy a SIEM agent on a server that runs Windows Server 2016.

What should you do? To answer, select the appropriate settings in the answer area.

NOTE: Each correct selection is worth one point.

Solution:

Explanation:

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/integrate-your-siem-server-with-
office-365-cas

112 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 115
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a Microsoft 365 subscription.

You discover that some external users accessed content on a Microsoft SharePoint site. You modify
the SharePoint sharing policy to prevent sharing outside your organization.

You need to be notified if the SharePoint sharing policy is modified in the future.

Solution: From the SharePoint site, you create an alert.

Does this meet the goal?

 Yes
 No

Question 116
Your company has a Microsoft 365 subscription that uses an Azure Active Directory (Azure AD)
tenant named contoso.com.

The tenant is configured to use Azure AD Identity Protection.

You plan to use an application named App1 that creates reports of Azure AD Identity Protection
usage.

You register App1 in the tenant.

You need to ensure that App1 can read the risk event information of contoso.com.

To which API should you delegate permissions?

 Windows Azure Service Management API

 Windows Azure Active Directory
 Microsoft Graph
 Office 365 Management
Explanation:

Reference:

https://docs.microsoft.com/en-us/graph/api/resources/identityprotection-root?view=graph-rest-
beta

113 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 117
You have a Microsoft Azure Active Directory (Azure AD) tenant.

The organization needs to sign up for Microsoft Store for Business. The solution must use the
principle of least privilege.

Which role should you assign to the user?

 Global administrator
 Cloud application administrator
 Application administrator
 Service administrator
Explanation:

References:

https://docs.microsoft.com/en-us/microsoft-store/sign-up-microsoft-store-for-business

114 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 118
HOTSPOT

Your company uses Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).

The devices onboarded to Microsoft Defender ATP are shown in the following table.

The alerts visible in the Microsoft Defender ATP alerts queue are shown in the following table.

You create a suppression rule that has the following settings:

Triggering IOC: Any IOC

Action: Hide alert
Suppression scope: Alerts on ATP1 machine group

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

115 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

Explanation:

A suppression rule will not affect alerts that are already in the alerts queue. Only new alerts will be
suppressed.

116 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 119
HOTSPOT

You use Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).

You have the Microsoft Defender ATP machine groups shown in the following table.

You plan to onboard computers to Microsoft Defender ATP as shown in the following table.

To which machine group will each computer be added? To answer, select the appropriate options in
the answer are.

NOTE: Each correct selection is worth one point.

117 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

118 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 120
HOTSPOT

You have a Microsoft 365 subscription.

You create a Microsoft Cloud App Security policy named Risk1 based on the Logon from a risky IP
address template as shown in the following exhibit.

119 Licensed to PEAKUP TECHNOLOGY

[email protected]
120 Licensed to PEAKUP TECHNOLOGY
[email protected]
You have two users named User1 and User2. Each user signs in to Microsoft SharePoint Online from
a risky IP address 10 times within 24 hours.

Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.

NOTE: Each correct selection is worth one point.

Solution:

121 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 121
Your company has a Microsoft 365 subscription that uses an Azure Active Directory (Azure AD)
tenant named contoso.com.

The company purchases a cloud app named App1 that supports Microsoft Cloud App Security
monitoring.

You configure App1 to be available from the My Apps portal.

You need to ensure that you can monitor App1 from Cloud App Security.

What should you do?

 From the Azure Active Directory admin center, create a conditional access policy.
 From the Azure Active Directory admin center, create an app registration.
 From the Endpoint Management admin center, create an app protection policy.
 From the Endpoint Management admin center, create an app configuration policy.

Question 122
HOTSPOT

You have a Microsoft 365 subscription that links to an Azure Active Directory (Azure AD) tenant
named contoso.onmicrosoft.com.

A user named User1 stores documents in Microsoft OneDrive.

You need to place the contents of User1’s OneDrive account on an eDiscovery hold.

Which URL should you use for the eDiscovery hold? To answer, select the appropriate options in the
answer area.

NOTE: Each correct selection is worth one point.

122 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

Reference:

https://docs.microsoft.com/en-us/microsoft-365/compliance/create-ediscovery-holds

123 Licensed to PEAKUP TECHNOLOGY

[email protected]
Case Study (1 questions)
Case Study
Overview

Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in
Seattle and New York.

The company has the employees and devices shown in the following table.

Contoso recently purchased a Microsoft 365 E5 subscription.

Existing Environment

The network contains an on-premises Active Directory forest named contoso.com. The forest
contains the servers shown in the following table.

All servers run Windows Server 2016. All desktops and laptops run Windows 10 Enterprise and are
joined to the domain.

The mobile devices of the users in the Montreal and Seattle offices run Android. The mobile devices
of the users in the New York office run iOS.

The domain is synced to Azure Active Directory (Azure AD) and includes the users shown in the
following table.

124 Licensed to PEAKUP TECHNOLOGY

[email protected]
The domain also includes a group named Group1.

Requirements
Planned Changes

Contoso plans to implement the following changes:

Implement Microsoft 365.

Manage devices by using Microsoft Intune.
Implement Azure Advanced Threat Protection (ATP).
Every September, apply the latest feature updates to all Windows computers. Every March, apply the
latest feature updates to the computers in the New York office only.
Technical Requirements

Contoso identifies the following technical requirements:

When a Windows 10 device is joined to Azure AD, the device must enroll in Intune automatically.
Dedicated support technicians must enroll all the Montreal office mobile devices in Intune.
User1 must be able to enroll all the New York office mobile devices in Intune.
Azure ATP sensors must be installed and must NOT use port mirroring.
Whenever possible, the principle of least privilege must be used.
A Microsoft Store for Business must be created.
Compliance Requirements

Contoso identifies the following compliance requirements:

Ensure that the users in Group1 can only access Microsoft Exchange Online from devices that are
enrolled in Intune and configured in accordance with the corporate policy.
Configure Windows Information Protection (WIP) for the Windows 10 devices.

Question 123
On which server should you install the Azure ATP sensor?

 Server1
 Server2
 Server3
 Server4

125 Licensed to PEAKUP TECHNOLOGY

[email protected]
  Server5
Explanation:

References:

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-capacity-planning

126 Licensed to PEAKUP TECHNOLOGY

[email protected]
Case Study (1 questions)
Case Study
Overview

ADatum Corporation is an international financial services company that has 5,000 employees.

ADatum has six offices: a main office in New York and five branch offices in Germany, the United
Kingdom, France, Spain, and Italy.

All the offices are connected to each other by using a WAN link. Each office connects directly to the
Internet.

Existing Environment
Current Infrastructure

ADatum recently purchased a Microsoft 365 subscription.

All user files are migrated to Microsoft 365.

All mailboxes are hosted in Microsoft 365. The users in each office have email suffixes that include
the country of the user, for example, [email protected] or [email protected].

Each office has a security information and event management (SIEM) appliance. The appliance comes
from three different vendors.

ADatum uses and processes Personally Identifiable Information (PII).

Problem Statements

ADatum entered into litigation. The legal department must place a hold on all the documents of a
user named User1 that are in Microsoft 365.

Requirements

Business Goals

ADatum wants to be fully compliant with all the relevant data privacy laws in the regions where is
operates.

ADatum wants to minimize the cost of hardware and software whenever possible.

Technical Requirements

ADatum identifies the following technical requirements:

127 Licensed to PEAKUP TECHNOLOGY

[email protected]
Centrally perform log analysis for all offices.
Aggregate all data from the SIEM appliances to a central cloud repository for later analysis.
Ensure that a SharePoint administrator can identify who accessed a specific file stored in a document
library.
Provide the users in the finance department with access to Service assurance information in
Microsoft Office 365.
Ensure that documents and email messages containing the PII data of European Union (EU) citizens
are preserved for 10 years.
If a user attempts to download 1,000 or more files from Microsoft SharePoint Online within 30
minutes, notify a security administrator and suspend the user’s user account.
A security administrator requires a report that shown which Microsoft 365 users signed in. Based on
the report, the security administrator will create a policy to require multi-factor authentication when
a sign-in is high risk.
Ensure that the users in the New York office can only send email messages that contain sensitive U.S.
PII data to other New York office uses. Email messages must be monitored to ensure compliance.
Auditors in the New York office must have access to reports that show the sent and received email
messages containing sensitive U.S. PII data.

Question 124
You need to meet the technical requirement for large-volume document retrieval.

What should you create?

 an activity policy from Microsoft Cloud App Security

 a data loss prevention (DLP) policy from the Security & Compliance admin center
 a file policy from Microsoft Cloud App Security
 an alert policy from the Security & Compliance admin center
Explanation:

Reference:

https://docs.microsoft.com/en-us/office365/securitycompliance/activity-policies-and-alerts

128 Licensed to PEAKUP TECHNOLOGY

[email protected]
Manage Microsoft 365 governance and compliance
(86 questions)

Question 125
You have a Microsoft 365 subscription that uses a default domain named contoso.com.

You have two users named User1 and User2.

From the Security & Compliance admin center, you add User1 to the eDiscovery Manager role group.

From the Security & Compliance admin center, User1 creates a case named Case1.

You need to ensure that User1 can add User2 as a case member. The solution must use the principle
of least privilege.

To which role group should you add User2?

 eDiscovery Manager
 eDiscovery Administrator
 Security Administrator
Explanation:

Reference:

https://docs.microsoft.com/en-us/microsoft-365/compliance/add-or-remove-members-from-a-case-
in-advanced-ediscovery?view=o365-worldwide

129 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 126
HOTSPOT

You have a Microsoft 365 E5 subscription that contains two users named Admin1 and Admin2.

All users are assigned a Microsoft 365 Enterprise E5 license and auditing is turned on.

You create the audit retention policy shown in the exhibit. (Click the Exhibit tab.)

130 Licensed to PEAKUP TECHNOLOGY

[email protected]
After Policy1 is created, the following actions are performed:

Admin1 creates a user named User1.

Admin2 creates a user named User2.

How long will the audit events for the creation of User1 and User2 be retained? To answer, select the
appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

131 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

Reference:

https://docs.microsoft.com/en-us/microsoft-365/compliance/audit-log-retention-
policies?view=o365-worldwide

Question 127
You have a Microsoft 365 subscription.

You need to view the IP address from which a user synced a Microsoft SharePoint Online library.

What should you do?

 From the SharePoint Online admin center, view the usage reports.
 From the Security & Compliance admin center, perform an audit log search.
 From the Microsoft 365 admin center, view the usage reports.
 From the Microsoft 365 admin center, view the properties of the user’s user account.
Explanation:

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-
and-compliance
132 Licensed to PEAKUP TECHNOLOGY
[email protected]
Question 128
You need to notify the manager of the human resources department when a user in the department
shares a file or folder from the department’s Microsoft SharePoint Online site.

What should you do?

 From the Security & Compliance admin center, create an alert policy.
 From the SharePoint Online site, create an alert.
 From the SharePoint Online admin center, modify the sharing settings.
 From the Security & Compliance admin center, create a data loss prevention (DLP)
policy.
Explanation:

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/create-activity-alerts

133 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 129
HOTSPOT

You have a Microsoft 365 subscription that contains all the user data.

You plan to create the retention policy shown in the Locations exhibit. (Click the Locations tab.)

You configure the Advanced retention settings as shown in the Retention exhibit. (Click the Retention
tab.)

134 Licensed to PEAKUP TECHNOLOGY

[email protected]
The locations specified in the policy include the groups shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

135 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/retention-policies

136 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 130
You enable the Azure AD Identity Protection weekly digest email.

You create the users shown in the following table.

Which users will receive the weekly digest email automatically?

 Admin2, Admin3, and Admin4 only

 Admin1, Admin2, Admin3, and Admin4
 Admin2 and Admin3 only
 Admin3 only
 Admin1 and Admin3 only
Explanation:

Explanation:

By default, all Global Admins receive the email. Any newly created Global Admins, Security Readers
or Security Administrators will automatically be added to the recipients list.

137 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 131
HOTSPOT

You have an Azure Active Directory (Azure AD) tenant that contains two users named User1 and
User2.

On September 5, 2019, you create and enforce a terms of use (ToU) in the tenant. The ToU has the
following settings:

Name: Terms1
Display name: Terms1 name
Require users to expand the terms of use: Off
Require users to consent on every device: Off
Expire consents: On
Expire starting on: October 10, 2019
Frequency: Monthly

User1 accepts Terms1 on September 5, 2019. User2 accepts Terms1 on October 5, 2019.

When will Terms1 expire for the first time for each user? To answer, select the appropriate options in
the answer area.

NOTE: Each correct selection is worth one point.

138 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/terms-of-use

139 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 132
HOTSPOT

You have a Microsoft 365 subscription.

You have a group named Support. Users in the Support group frequently send email messages to
external users.

The manager of the Support group wants to randomly review messages that contain attachments.

You need to provide the manager with the ability to review messages that contain attachments sent
from the Support group users to external users. The manager must have access to only 10 percent of
the messages.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

140 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/supervision-policies

Question 133
You deploy Microsoft Azure Information Protection.

You need to ensure that a security administrator named SecAdmin1 can always read and inspect data
protected by Azure Rights Management (Azure RMS).

What should you do?

 From the Security & Compliance admin center, add SecAdmin1 to the eDiscovery
Manager role group.
 From the Azure Active Directory admin center, add SecAdmin1 to the Security Reader
role group.
 From the Security & Compliance admin center, add SecAdmin1 to the Compliance
Administrator role group.
 From Windows PowerShell, enable the super user feature and assign the role to
SecAdmin1.
Explanation:

Explanation:

The super user feature of the Azure Rights Management service from Azure Information Protection
ensures that authorized people and services can always read and inspect the data that Azure Rights
Management protects for your organization. However, the super user feature is not enabled by

141 Licensed to PEAKUP TECHNOLOGY

[email protected]
default. The PowerShell cmdlet Enable-AadrmSuperUserFeature is used to manually enable the super
user feature.

References:

https://docs.microsoft.com/en-us/azure/information-protection/configure-super-users

Question 134
DRAG DROP

You have a Microsoft 365 subscription.

In the Exchange admin center, you have a data loss prevention (DLP) policy named Policy1 that has
the following configurations:

Block emails that contain financial data.

Display the following policy tip text: Message blocked.

From the Security & Compliance admin center, you create a DLP policy named Policy2 that has the
following configurations:

Use the following location: Exchange email.

Display the following policy tip text: Message contains sensitive data.
When a user sends an email, notify the user if the email contains health records.

What is the result of the DLP policies when the user sends an email? To answer, drag the appropriate
results to the correct scenarios. Each result may be used once, more than once, or not at all. You may
need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

142 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

Explanation:

Box 1: The email will be blocked, and the user will receive the policy tip: Message blocked.

If you've created DLP policies in the Exchange admin center, those policies will continue to work side
by side with any policies for email that you create in the Security & Compliance Center. But note that
rules created in the Exchange admin center take precedence. All Exchange mail flow rules are
processed first, and then the DLP rules from the Security & Compliance Center are processed.

Box 2: The email will be allowed, and the user will receive the policy tip: Message contains sensitive
data.

Reference:

https://docs.microsoft.com/en-us/microsoft-365/compliance/how-dlp-works-between-admin-
centers

143 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 135
You have a Microsoft 365 subscription.

Some users have iPads that are managed by your company.

You plan to prevent the iPad users from copying corporate data in Microsoft Word and pasting the
data into other applications.

What should you create?

 A conditional access policy.

 A compliance policy.
 An app protection policy.
 An app configuration policy.
Explanation:

References:

https://docs.microsoft.com/en-us/intune/app-protection-policy

Question 136
HOTSPOT

You create a Microsoft 365 subscription.

Your company’s privacy policy states that user activities must NOT be audited.

You need to disable audit logging in Microsoft 365.

How should you complete the command? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.

144 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/turn-audit-log-search-on-or-off

Question 137
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a new Microsoft 365 subscription.

You need to prevent users from sending email messages that contain Personally Identifiable
Information (PII).

Solution: From the Security & Compliance admin center, you create a data loss prevention (DLP)
policy.

Does this meet the goal?

 Yes
 No

145 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 138
HOTSPOT

You configure a data loss prevention (DLP) policy named DLP1 as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.

NOTE: Each correct selection is worth one point.

146 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

Reference:

https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-
policies?view=o365-worldwide

Question 139
You have a Microsoft 365 E5 subscription.

Users have the devices shown in the following table.

On which devices can you manage apps by using app configuration policies in Microsoft Endpoint
Manager?

 Device1, Device4, and Device6

 Device2, Device3, and Device5
 Device1, Device2, Device3, and Device6
 Device1, Device2, Device4, and Device5
Explanation:

Explanation:

147 Licensed to PEAKUP TECHNOLOGY

[email protected]
You can create and use app configuration policies to provide configuration settings for both
iOS/iPadOS or Android apps on devices that are and are not enrolled in Microsoft Endpoint Manager.

Reference:

https://docs.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-overview

148 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 140
HOTSPOT

You have a Microsoft 365 subscription that uses a default domain named contoso.com. The domain
contains the users shown in the following table.

The domain contains the devices shown in the following table.

The domain contains conditional access policies that control access to a cloud app named App1. The
policies are configured as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

149 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

Explanation:

Note: Block access overrides Grant access

References:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/plan-conditional-access

150 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 141
HOTSPOT

You have a Microsoft 365 tenant named contoso.com. The tenant contains the users shown in the
following table.

You have the eDiscovery cases shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

151 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

References:

https://docs.microsoft.com/en-us/microsoft-365/compliance/assign-ediscovery-permissions

152 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 142
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a Microsoft 365 subscription.

From the Security & Compliance admin center, you create a role group named US eDiscovery
Managers by copying the eDiscovery Manager role group.

You need to ensure that the users in the new role group can only perform content searches of
mailbox content for users in the United States.

Solution: From Windows PowerShell, you run the New-ComplianceSecurityFilter cmdlet with the
appropriate parameters.

Does this meet the goal?

 Yes
 No
Explanation:

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/permissions-filtering-for-content-
search

https://docs.microsoft.com/en-us/powershell/module/exchange/policy-and-compliance-content-
search/new-compliancesecurityfilter?view=exchange-ps

153 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 143
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a new Microsoft 365 subscription.

You need to prevent users from sending email messages that contain Personally Identifiable
Information (PII).

Solution: From the Exchange admin center, you create a data loss prevention (DLP) policy.

Does this meet the goal?

 Yes
 No

Question 144
Your company uses on-premises Windows Server File Classification Infrastructure (FCI). Some
documents on the on-premises file servers are classified as Confidential.

You migrate the files from the on-premises file servers to Microsoft SharePoint Online.

You need to ensure that you can implement data loss prevention (DLP) policies for the uploaded files
based on the Confidential classification.

What should you do first?

 From the SharePoint admin center, configure hybrid search.

 From the SharePoint admin center, create a managed property.
 From the Security & Compliance Center PowerShell, run the New-DataClassification
cmdlet.
 From the Security & Compliance Center PowerShell, run the New-DlpComplianceRule
cmdlet.
Explanation:

Reference:

https://docs.microsoft.com/en-us/powershell/module/exchange/policy-and-compliance-dlp/new-
dataclassification?view=exchange-ps

154 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 145
You have a Microsoft 365 subscription.

From the Security & Compliance admin center, you create a content search of a mailbox.

You need to view the content of the mail messages found by the search as quickly as possible.

What should you select from the Content search settings?

 Export report
 Export results
 Re-run
 View results
Explanation:

Explanation:

There is no ‘View Results” option. You can preview results but that will only show up to 100 emails.
To guarantee you’re getting all results, you’ll need to export them to a PST file.

References:

https://docs.microsoft.com/en-us/microsoft-365/compliance/limits-for-content-search

Question 146
HOTSPOT

From the Security & Compliance admin center, you create a retention policy named Policy1.

You need to prevent all users from disabling the policy or reducing the retention period.

Which command should you run? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

155 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

References:

https://docs.microsoft.com/en-us/powershell/module/exchange/policy-and-compliance-
retention/set-retentioncompliancepolicy?view=exchange-ps

Question 147
You have a Microsoft 365 subscription.

You have a user named User1.

You need to ensure that User1 can place a litigation hold on all mailbox content.

Which role should you assign to User1?

 eDiscovery Manager from the Security & Compliance admin center

 Compliance Management from the Exchange admin center
 User management administrator from the Microsoft 365 admin center
 Information Protection administrator from the Azure Active Directory admin center
Explanation:

References:

https://docs.microsoft.com/en-us/Exchange/permissions/feature-permissions/policy-and-
compliance-permissions?view=exchserver-2019

156 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 148
You have a Microsoft 365 tenant.

You discover that administrative tasks are unavailable in the Microsoft Office 365 audit logs of the
tenant.

You run the Get-AdminAuditLogConfig cmdlet and receive the following output:

You need to ensure that administrative tasks are logged in the Office 365 audit logs.

Which attribute should you modify?

 TestCmdletLoggingEnabled
 UnifiedAuditLogIngestionEnabled
 AdminAuditLogEnabled
Explanation:

References:

https://docs.microsoft.com/en-us/powershell/module/exchange/policy-and-compliance-audit/set-
adminauditlogconfig?view=exchange-ps

157 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 149
HOTSPOT

You configure a data loss prevention (DLP) policy named DLP1 as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.

NOTE: Each correct selection is worth one point.

Solution:

158 Licensed to PEAKUP TECHNOLOGY

[email protected]
Explanation:

Explanation:

Using a retention label in a policy�is only supported for items in SharePoint Online and OneDrive for
Business.

Reference:

https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-
policies?view=o365-worldwide#using-a-retention-label-as-a-condition-in-a-dlp-policy

159 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 150
HOTSPOT

You have a Microsoft 365 subscription that uses a default domain named contoso.com.

Three files were created on February 1, 2019, as shown in the following table.

On March 1, 2019, you create two retention labels named Label1 and Label2.

The settings for Lable1 are configured as shown in the Label1 exhibit. (Click the Label1 tab.)

160 Licensed to PEAKUP TECHNOLOGY

[email protected]
The settings for Lable2 are configured as shown in the Label2 exhibit. (Click the Label2 tab.)

161 Licensed to PEAKUP TECHNOLOGY

[email protected]
You apply the retention labels to Exchange email, SharePoint sites, and OneDrive accounts.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

162 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

Explanation:

Box 1: No

Retention overrides deletion.

Box 2: No

Content in a document library will be moved to the first-stage Recycle Bin within 7 days of
disposition, and then permanently deleted another 93 days after that. Thus 100 days in total.

Box 3: No

Items in an Exchange mailbox will be permanently deleted within 14 days of disposition.

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/labels

https://docs.microsoft.com/en-us/office365/securitycompliance/disposition-reviews

163 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 151
HOTSPOT

You have a document in Microsoft OneDrive that is encrypted by using Microsoft Azure Information
Protection as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.

NOTE: Each correct selection is worth one point.

164 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

References:

https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-protection

165 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 152
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a Microsoft 365 subscription.

From the Security & Compliance admin center, you create a role group named US eDiscovery
Managers by copying the eDiscovery Manager role group.

You need to ensure that the users in the new role group can only perform content searches of
mailbox content for users in the United States.

Solution: From the Security & Compliance admin center, you modify the roles of the US eDiscovery
Managers role group.

Does this meet the goal?

 Yes
 No

166 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 153
HOTSPOT

You have a Microsoft 365 subscription.

You are configuring permissions for Security & Compliance.

You need to ensure that the users can perform the tasks shown in the following table.

The solution must use the principle of least privilege.

To which role should you assign each user? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.

167 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/permissions-in-the-security-and-
compliance-center#mapping-of-role-groups-to-assigned-roles

168 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 154
HOTSPOT

Your network contains an Active Directory domain named contoso.com. The domain contains the file
servers shown in the following table.

A file named File1.abc is stored on Server1. A file named File2.abc is stored on Server2. Three apps
named App1, App2, and App3 all open files that have the .abc file extension.

You implement Windows Information Protection (WIP) by using the following configurations:

Exempt apps: App2

Protected apps: App1
Windows Information Protection mode: Block
Network boundary: IPv4 range of: 192.168.1.1-192.168.1.255

You need to identify the apps from which you can open File1.abc.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Solution:

Explanation:

References:

169 Licensed to PEAKUP TECHNOLOGY

[email protected]
https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-
protection/create-wip-policy-using-intune-azure

Question 155
You have a Microsoft 365 subscription that contains a Microsoft Azure Active Directory (Azure AD)
tenant named contoso.com.

In the tenant, you create a user named User1.

You need to ensure that User1 can publish retention labels from the Security & Compliance admin
center. The solution must use the principle of least privilege.

To which role group should you add User1?

 Security Administrator
 Records Management
 Compliance Administrator
 eDiscovery Manager
Explanation:

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/file-plan-manager

Question 156
You have a Microsoft 365 subscription that uses Security & Compliance retention policies.

You implement a preservation lock on a retention policy that is assigned to all executive users.

Which two actions can you perform on the retention policy? Each correct answer presents a
complete solution.

NOTE: Each correct selection is worth one point?

 Add locations to the policy

 Reduce the duration of policy
 Remove locations from the policy
 Extend the duration of the policy
 Disable the policy

170 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 157
HOTSPOT

You have a Microsoft Office 365 subscription.

You need to delegate eDiscovery tasks as shown in the following table.

The solution must follow the principle of the least privilege.

To which role group should you assign each user? To answer, select the appropriate options in the
answer area.

NOTE: Each correct selection is worth one point.

171 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/assign-ediscovery-permissions

172 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 158
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com.

You create an Azure Advanced Threat Protection (ATP) workspace named Workspace1.

The tenant contains the users shown in the following table.

You need to modify the configuration of the Azure ATP sensors.

Solution: You instruct User2 to modify the Azure ATP sensor configuration.

Does this meet the goal?

 Yes
 No

173 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 159
DRAG DROP

Your network contains an on-premises Active Directory domain that syncs to Azure Active Directory
(Azure AD). The domain contains the servers shown in the following table.

You use Azure Information Protection.

You need to ensure that you can apply Azure Information Protection labels to the file stores on
Server1.

Which three actions should you perform in sequence? To answer, move the appropriate actions from
the list of actions to the answer area and arrange them in the correct order.

Solution:

Explanation:
174 Licensed to PEAKUP TECHNOLOGY
[email protected]
Reference:

https://docs.microsoft.com/en-us/azure/information-protection/install-configure-rms-connector

https://docs.microsoft.com/en-us/azure/information-protection/configure-servers-rms-connector

Question 160
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com.

You create an Azure Advanced Threat Protection (ATP) workspace named Workspace1.

The tenant contains the users shown in the following table.

You need to modify the configuration of the Azure ATP sensors.

Solution: You instruct User3 to modify the Azure ATP sensor configuration.

Does this meet the goal?

 Yes
 No
Explanation:

Explanation:

Only Azure ATP administrators can modify the sensors.

Any global administrator or security administrator on the tenant's Azure Active Directory is
automatically an Azure ATP administrator.

175 Licensed to PEAKUP TECHNOLOGY

[email protected]
Reference:

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-role-groups

Question 161
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a new Microsoft 365 subscription.

You need to prevent users from sending email messages that contain Personally Identifiable
Information (PII).

Solution: From the Cloud App Security admin center, you create an access policy.

Does this meet the goal?

 Yes
 No

Question 162
You are testing a data loss prevention (DLP) policy to protect the sharing of credit card information
with external users.

During testing, you discover that a user can share credit card information with external users by
using email. However, the user is prevented from sharing files that contain credit card information by
using Microsoft SharePoint Online.

You need to prevent the user from sharing the credit card information by using email and SharePoint.

What should you configure?

 the locations of the DLP policy

 the user overrides of the DLP policy rule
 the status of the DLP policy
 the conditions of the DLP policy rule
Explanation:

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/data-loss-prevention-policies

176 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 163
You have a Microsoft 365 subscription.

You configure a data loss prevention (DLP) policy.

You discover that users are incorrectly marking content as false positive and bypassing the DLP
policy.

You need to prevent the users from bypassing the DLP policy.

What should you configure?

 incident reports
 actions
 exceptions
 user overrides
Explanation:

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/data-loss-prevention-policies

Question 164
You have a Microsoft 365 subscription.

From the Security & Compliance admin center, you create a content search of all the mailboxes that
contain the work ProjectX.

You need to export the results of the content search.

What do you need to download the report?

 a certification authority (CA) certificate

 an export key
 a password
 a user certificate
Explanation:

Reference:

https://docs.microsoft.com/en-us/office365/securitycompliance/export-search-results

177 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 165
You have a Microsoft 365 subscription.

You need to investigate user activity in Microsoft 365, including from where users signed in, which
applications were used, and increases in activity during the past month. The solution must minimize
administrative effort.

Which admin center should you use?

 Azure ATP
 Security & Compliance
 Cloud App Security
 Flow
Explanation:

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-
and-compliance

178 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 166
Your company has a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com.

You sign for Microsoft Store for Business.

The tenant contains the users shown in the following table.

Microsoft Store for Business has the following Shopping behavior settings:

Allow users to shop is set to On

Make everyone a Basic Purchaser is set to Off

You need to identify which users can install apps from the Microsoft for Business private store.

Which users should you identify?

 User3 only
 User1 only
 User1 and User2 only
 User3 and User4 only
Explanation:

Explanation:

Allow users to shop controls the shopping experience in Microsoft Store for Education. When this
setting is on, Purchasers and Basic Purchasers can purchase products and services from Microsoft
Store for Education.

References:

https://docs.microsoft.com/en-us/microsoft-store/acquire-apps-microsoft-store-for-business

179 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 167
HOTSPOT

You purchase a new Microsoft 365 subscription.

You create 100 users who are assigned Microsoft 365 E3 licenses.

A manager sends you an email message asking the following questions:

Question1: Who created a team named Team1 14 days ago?

Question2: Who signed in to the mailbox of User1 30 days ago?
Question3: Who modified the list of site collection administrators of a site 60 days ago?

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Solution:

Explanation:

Reference:

https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-
and-compliance?redirectSourcePath=%252farticle%252f0d4d0f35-390b-4518-800e-0c7ec95e946c

https://docs.microsoft.com/en-us/office365/securitycompliance/enable-mailbox-auditing

180 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 168
Your company has a Microsoft 365 subscription that uses an Azure Active Directory (Azure AD)
tenant named contoso.com.

A user named User1 is a member of a dynamic group named Group1.

User1 reports that he cannot access documents shared to Group1.

You discover that User1 is no longer a member of Group1.

You suspect that an administrator made a change that caused User1 to be removed from Group1.

You need to identify which administrator made the change.

Which audit log activity should you search in the Security & Compliance admin center?

 Azure AD group administration activities – Removed member from group

 User administration activities – Updated user
 Azure AD group administration activities – Updated group

Question 169
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a Microsoft 365 subscription.

From the Security & Compliance admin center, you create a role group named US eDiscovery
Managers by copying the eDiscovery Manager role group.

You need to ensure that the users in the new role group can only perform content searches of
mailbox content for users in the United States.

Solution: From Windows PowerShell, you run the New-AzureRmRoleAssignment cmdlet with the
appropriate parameters.

Does this meet the goal?

 Yes
 No
Explanation:

References:
181 Licensed to PEAKUP TECHNOLOGY
[email protected]
https://docs.microsoft.com/en-us/powershell/module/azurerm.resources/new-
azurermroleassignment?view=azurermps-6.13.0

Question 170
HOTSPOT

Your company has a Microsoft 365 subscription that uses an Azure Active Directory (Azure AD)
tenant named contoso.com.

The company stores 2 TBs of data in SharePoint Online document libraries.

The tenant has the labels shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

182 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

183 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 171
From the Security & Compliance admin center, you create a content export as shown in the exhibit.
(Click the Exhibit tab.)

What will be excluded from the export?

 a 60-MB DOCX file

 a 12-MB BMP file
 a 5-KB RTF file
 an 80-MB PPTX file
Explanation:

Explanation:

Unrecognized file formats are excluded from the search.

184 Licensed to PEAKUP TECHNOLOGY
[email protected]
Certain types of files, such as Bitmap or MP3 files, don't contain content that can be indexed. As a
result, the search indexing servers in Exchange and SharePoint don't perform full-text indexing on
these types of files. These types of files are considered to be unsupported file types.

Incorrect Answers:

A: DOCX is a supported Microsoft PowerPoint file format.

C: RTF is a supported Rich Text File format.

D: PPTX is a supported Microsoft PowerPoint file format.

References:

https://docs.microsoft.com/en-us/microsoft-365/compliance/partially-indexed-items-in-content-
search?view=o365-worldwide

https://docs.microsoft.com/en-us/office365/securitycompliance/export-a-content-search-report

185 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 172
HOTSPOT

You have a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com.

A user named User1 has files on a Windows 10 device as shown in the following table.

In Azure Information Protection, you create a label named Label1 that is configured to apply
automatically. Label1 is configured as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

186 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

Explanation:

The phrase to match is "im" and it is case sensitive. The phrase must also appear at least twice.

Box 1: No

File1.docx contain the word "import" once only

Box 2: Yes

File2.docx contains two occurrences of the word "import" as well as the word "imported"

187 Licensed to PEAKUP TECHNOLOGY

[email protected]
Box 3: No

File3.docx contains "IM" but his is not the correct letter case.

References:

https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-classification

Question 173
You plan to use the Security & Compliance admin center to import several PST files into Microsoft
365 mailboxes.

Which three actions should you perform before you import the data? Each correct answer presents
part of the solution.

NOTE: Each correct selection is worth one point.

 From the Exchange admin center, create a public folder.

 Copy the PST files by using AzCopy.
 From the Exchange admin center, assign admin roles.
 From the Microsoft Azure portal, create a storage account that has a blob container.
 From the Microsoft 365 admin center, deploy an add-in.
 Create a mapping file that uses the CSV file format.
Explanation:

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/use-network-upload-to-import-pst-
files

188 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 174
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com.

You create an Azure Advanced Threat Protection (ATP) workspace named Workspace1.

The tenant contains the users shown in the following table.

You need to modify the configuration of the Azure ATP sensors.

Solution: You instruct User4 to modify the Azure ATP sensor configuration.

Does this meet the goal?

 Yes
 No
Explanation:

Explanation:

Only Azure ATP administrators can modify the sensors.

Any global administrator or security administrator on the tenant's Azure Active Directory is
automatically an Azure ATP administrator.

References:

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-role-groups

189 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 175
You have a Microsoft 365 subscription.

You plan to enable Microsoft Azure Information Protection.

You need to ensure that only the members of a group named PilotUsers can protect content.

What should you do?

 Run the Set-AadrmOnboardingControlPolicy cmdlet.

 Run the Add-AadrmRoleBasedAdministrator cmdlet.
 Create an Azure Information Protection policy.
 Configure the protection activation status for Azure Information Protection.
Explanation:

Reference:

https://blogs.technet.microsoft.com/kemckinn/2018/05/17/creating-labels-for-azure-information-
protection/

Question 176
Your company has a Microsoft 365 tenant.

The company sells products online and processes credit card information.

You need to be notified if a file stored in Microsoft SharePoint Online contains credit card
information. The file must be removed automatically from its current location until an administrator
can review its contents.

What should you use?

 a Security & Compliance data loss prevention (DLP) policy

 a Microsoft Cloud App Security access policy
 a Security & Compliance retention policy
 a Microsoft Cloud App Security file policy
Explanation:

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/data-loss-prevention-policies

190 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 177
You have a Microsoft 365 subscription that contains an Azure Active Directory (Azure AD) tenant
named contoso.com. The tenant contains the users shown in the following table.

You create and assign a data loss prevention (DLP) policy named Policy1. Policy1 is configured to
prevent documents that contain Personally Identifiable Information (PII) from being emailed to users
outside your organization.

To which users can User1 send documents that contain PII?

 User2 only
 User2 and User3 only
 User2, User3, and User4 only
 User2, User3, User4, and User5
Explanation:

Explanation:

Guest accounts are considered “outside your organization”. Users who have non-guest accounts in a
host organization's Active Directory or Azure Active Directory tenant are considered as people inside
the organization.

Reference:

https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-
policies?view=o365-worldwide

191 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 178
HOTSPOT

You have a Microsoft 365 subscription.

Your network uses an IP address space of 51.40.15.0/24.

An Exchange Online administrator recently created a role named Role1 from a computer on the
network.

You need to identify the name of the administrator by using an audit log search.

For which activities should you search and by which field should you filter in the audit log search? To
answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Solution:

192 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 179
You have a Microsoft 365 subscription.

All users have their email stored in Microsoft Exchange Online.

In the mailbox of a user named User1, you need to preserve a copy of all the email messages that
contain the word ProjectX.

What should you do?

 From the Security & Compliance admin center, create a data loss prevention (DLP)
policy.
 From the Security & Compliance admin center, create a label and a label policy.
 From the Security & Compliance admin center, start a message trace.
 From Microsoft Cloud App Security, create an activity policy.

193 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 180
HOTSPOT

You have a data loss prevention (DLP) policy.

You need to increase the likelihood that the DLP policy will apply to data that contains medical terms
from the International Classification of Diseases (ICD-9-CM). The solution must minimize the number
of false positives.

Which two settings should you modify? To answer, select the appropriate settings in the answer
area.

NOTE: Each correct selection is worth one point.

194 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/data-loss-prevention-policies

https://docs.microsoft.com/en-us/office365/securitycompliance/what-the-sensitive-information-
types-look-for#international-classification-of-diseases-icd-9-cm

195 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 181
HOTSPOT

Your company has a Microsoft 365 subscription that uses an Azure Active Directory (Azure AD)
tenant named contoso.com. The tenant contains the users shown in the following table.

You create a retention label named Label1 that has the following configurations:

Retains content for five years

Automatically deletes all content that is older than five years

You turn on Auto labeling for Label1 by using a policy named Policy1. Policy1 has the following
configurations:

Applies to content that contains the word Merger

Specifies the OneDrive accounts and SharePoint sites locations

You run the following command.

Set-RetentionCompliancePolicy Policy1 –RestrictiveRetention $true

-Force

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

196 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

Reference:

https://docs.microsoft.com/en-us/powershell/module/exchange/policy-and-compliance-
retention/set-retentioncompliancepolicy?view=exchange-ps

197 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 182
HOTSPOT

You configure an anti-phishing policy as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.

NOTE: Each correct selection is worth one point.

198 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

Reference:

https://docs.microsoft.com/en-us/office365/securitycompliance/set-up-anti-phishing-policies#learn-
about-atp-anti-phishing-policy-options

Question 183
You have a Microsoft 365 subscription.

You need to create a data loss prevention (DLP) policy that is configured to use the Set headers
action.

To which location can the policy be applied?

 OneDrive accounts
 Exchange email
 Teams chat and channel messages
 SharePoint sites

199 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 184
You have a Microsoft 365 subscription.

Your company has a customer ID associated to each customer. The customer IDs contain 10 numbers
followed by 10 characters. The following is a sample customer ID: 12-456-7890-abc-de-fghij.

You plan to create a data loss prevention (DLP) policy that will detect messages containing customer
IDs.

What should you create to ensure that the DLP policy can detect the customer IDs?

 a sensitive information type

 a sensitivity label
 a supervision policy
 a retention label
Explanation:

Reference:

https://docs.microsoft.com/en-us/microsoft-365/compliance/custom-sensitive-info-
types?view=o365-worldwide

Question 185
HOTSPOT

From the Security & Compliance admin center, you create a retention policy named Policy1.

You need to prevent all users from disabling the policy or reducing the retention period.

How should you configure the Azure PowerShell command? To answer, select the appropriate
options in the answer area.

NOTE: Each correct selection is worth one point.

200 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

References:

https://docs.microsoft.com/en-us/powershell/module/exchange/policy-and-compliance-
retention/set-retentioncompliancepolicy?view=exchange-ps

201 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 186
From the Security & Compliance admin center, you create a content export as shown in the exhibit.
(Click the Exhibit tab.)

What will be excluded from the export?

 a 10-MB XLSX file

 a 5-MB MP3 file
 a 5-KB RTF file
 an 80-MB PPTX file
Explanation:

Explanation:

Unrecognized file formats are excluded from the search.

202 Licensed to PEAKUP TECHNOLOGY
[email protected]
Certain types of files, such as Bitmap or MP3 files, don't contain content that can be indexed. As a
result, the search indexing servers in Exchange and SharePoint don't perform full-text indexing on
these types of files. These types of files are considered to be unsupported file types.

Reference:

https://docs.microsoft.com/en-us/microsoft-365/compliance/partially-indexed-items-in-content-
search?view=o365-worldwide

https://docs.microsoft.com/en-us/office365/securitycompliance/export-a-content-search-report

203 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 187
HOTSPOT

Your company is based in the United Kingdom (UK).

Users frequently handle data that contains Personally Identifiable Information (PII).

You create a data loss prevention (DLP) policy that applies to users inside and outside the company.
The policy is configured as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.

NOTE: Each correct selection is worth one point.

204 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/data-loss-prevention-policies

205 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 188
HOTSPOT

You have a Microsoft Azure Active Directory (Azure AD) tenant named sk180818.onmicrosoft.com.
The tenant contains the users shown in the following table.

In Azure Information Protection, you create a label named Label1 as shown in the following exhibit.

Label1 is applied to a file named File1.

You send File1 as an email attachment to User1, User2, User3, and User4.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

206 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

Reference:

https://docs.microsoft.com/en-us/azure/information-protection/configure-usage-rights#rights-
included-in-permissions-levels

207 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 189
You create a new Microsoft 365 subscription and assign Microsoft 365 E3 licenses to 100 users.

From the Security & Compliance admin center, you enable auditing.

You are planning the auditing strategy.

Which three activities will be audited by default? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

 An administrator creates a new Microsoft SharePoint site collection.

 An administrator creates a new mail flow rule.
 A user shares a Microsoft SharePoint folder with an external user.
 A user delegates permissions to their mailbox.
 A user purges messages from their mailbox.
Explanation:

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-
and-compliance?redirectSourcePath=%252farticle%252f0d4d0f35-390b-4518-800e-0c7ec95e946c

208 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 190
HOTSPOT

You have a Microsoft 365 subscription.

All users are assigned Microsoft Azure Active Directory Premium licenses.

From the Device Management admin center, you set Microsoft Intune as the MDM authority.

You need to ensure that when the members of a group named Marketing join a device to Azure
Active Directory (Azure AD), the device is enrolled automatically in Intune. The Marketing group
members must be limited to five devices enrolled in Intune.

Which two options should you use to perform the configurations? To answer, select the appropriate
blades in the answer area.

NOTE: Each correct selection is worth one point.

209 Licensed to PEAKUP TECHNOLOGY

[email protected]
210 Licensed to PEAKUP TECHNOLOGY
[email protected]
Solution:

Explanation:

Explanation:

Device enrollment manager (DEM) is an Intune permission that can be applied to an Azure AD user
account and lets the user enroll up to 1,000 devices

211 Licensed to PEAKUP TECHNOLOGY

[email protected]
You can create and manage enrollment restrictions that define what devices can enroll into
management with Intune, including the:

Number of devices.

Operating systems and versions.

The Marketing group members must be limited to five devices enrolled in Intune

References:

https://docs.microsoft.com/en-us/intune/enrollment/device-enrollment-manager-enroll

https://docs.microsoft.com/en-us/intune/enrollment/enrollment-restrictions-set

Question 191
You have a Microsoft 365 subscription.

All users have their email stored in Microsoft Exchange Online.

In the mailbox of a user named User1, you need to preserve a copy of all the email messages that
contain the word ProjectX.

What should you do?

 From the Security & Compliance admin center, create an eDiscovery case.
 From the Exchange admin center, create a mail flow rule.
 From the Security & Compliance admin center, start a message trace.
 From Microsoft Cloud App Security, create an access policy.
Explanation:

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/ediscovery-cases#step-2-create-a-
new-case

212 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 192
HOTSPOT

You have a Microsoft 365 tenant.

You create a retention label as shown in the Retention Label exhibit. (Click the RetentionLabel tab.)

You create a label policy as shown in the Label Policy Exhibit. (Click the Label Policy tab.)

213 Licensed to PEAKUP TECHNOLOGY

[email protected]
The label policy is configured as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

214 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/retention-policies

215 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 193
HOTSPOT

You have a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com.

You have three applications named App1, App2, and App3. The apps use files that have the same file
extensions.

Your company uses Windows Information Protection (WIP). WIP has the following configurations:

Windows Information Protection mode: Silent

Protected apps: App1
Exempt apps: App2

From App1, you create a file named File1.

What is the effect of the configurations? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.

216 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

References:

https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-
protection/create-wip-policy-using-intune-azure

217 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 194
In Microsoft 365, you configure a data loss prevention (DLP) policy named Policy1. Policy1 detects
the sharing of United States (US) bank account numbers in email messages and attachments.

Policy1 is configured as shown in the exhibit. (Click the Exhibit tab.)

You need to ensure that internal users can email documents that contain US bank account numbers
to external users who have an email suffix of contoso.com.

What should you configure?

 an exception
 an action
 a condition
 a group
Explanation:

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/data-loss-prevention-policies#how-
dlp-policies-work

218 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 195
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a new Microsoft 365 subscription.

You need to prevent users from sending email messages that contain Personally Identifiable
Information (PII).

Solution: From the Azure portal, you create a Microsoft Azure Information Protection label and an
Azure Information Protection policy.

Does this meet the goal?

 Yes
 No

219 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 196
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com.

You create an Azure Advanced Threat Protection (ATP) workspace named Workspace1.

The tenant contains the users shown in the following table.

You need to modify the configuration of the Azure ATP sensors.

Solution: You instruct User1 to modify the Azure ATP sensor configuration.

Does this meet the goal?

 Yes
 No
Explanation:

Explanation:

Only Azure ATP administrators can modify the sensors.

References:

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-role-groups

220 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 197
You have a Microsoft 365 subscription that contains a user named User1.

You need to ensure that User1 can search the Microsoft 365 audit logs from the Security &
Compliance admin center.

Which role should you assign to User1?

 View-Only Audit Logs in the Security & Compliance admin center

 View-Only Audit Logs in the Exchange admin center
 Security reader in the Azure Active Directory admin center
 Security Reader in the Security & Compliance admin center
Explanation:

Reference:

https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-
compliance?view=o365-worldwide

221 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 198
HOTSPOT

You have a Microsoft 365 tenant.

You plan to create a retention policy as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.

NOTE: Each correct selection is worth one point.

222 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Question 199
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a Microsoft 365 subscription.

From the Security & Compliance admin center, you create a role group named US eDiscovery
Managers by copying the eDiscovery Manager role group.

You need to ensure that the users in the new role group can only perform content searches of
mailbox content for users in the United States.

Solution: From the Azure Active Directory admin center, you create a conditional access policy.

Does this meet the goal?

 Yes
 No

223 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 200
Your company has a Microsoft 365 subscription.

You need to identify which users performed the following privileged administration tasks:

Deleted a folder from the second-stage Recycle Bin of Microsoft SharePoint

Opened a mailbox of which the user was not the owner
Reset a user password

What should you use?

 Microsoft Azure Active Directory (Azure AD) audit logs

 Security & Compliance content search
 Microsoft Azure Active Directory (Azure AD) sign-ins
 Security & Compliance audit log search
Explanation:

References:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-logs-overview

Question 201
Your company has a Microsoft 365 subscription.

You implement Microsoft Azure Information Protection.

You need to automatically protect email messages that contain the word Confidential in the subject
line.

What should you create?

 a mail flow rule from the Exchange admin center

 a message trace from the Security & Compliance admin center
 a supervision policy from the Security & Compliance admin center
 a sharing policy from the Exchange admin center
Explanation:

References:

https://docs.microsoft.com/en-us/azure/information-protection/configure-exo-rules

224 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 202
HOTSPOT

A user named User1 has files in Microsoft OneDrive as shown in the following table.

On February 1, 2019, you apply a retention policy named Policy1 as shown in the following exhibit.

On February 5, 2019, User1 edits File2.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

225 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Question 203
You have a Microsoft 365 subscription.

You need to identify which administrative users performed eDiscovery searches during the past
week.

What should you do from the Security & Compliance admin center?

 Perform a content search

 Create a supervision policy
 Create an eDiscovery case
 Perform an audit log search

226 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 204
You have a Microsoft 365 E5 subscription.

You run an eDiscovery search that returns the following Azure Rights Management (Azure RMS) –
encrypted content:

Microsoft Exchange emails

Microsoft OneDrive documents
Microsoft SharePoint documents

Which content can be decrypted when you export the eDiscovery search results?

 Exchange emails only

 SharePoint documents, OneDrive documents, and Exchange emails
 OneDrive documents only
 SharePoint documents and OneDrive documents only
 SharePoint documents only
Explanation:

Reference:

https://docs.microsoft.com/en-us/microsoft-365/compliance/export-search-results?view=o365-
worldwide

227 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 205
HOTSPOT

You have a Microsoft Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.

Your company implements Windows Information Protection (WIP).

You need to modify which users and applications are affected by WIP.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Solution:

Explanation:

References:

https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-
protection/create-wip-policy-using-intune-azure

228 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 206
HOTSPOT

You have a Microsoft 365 subscription that contains the users shown in the following table.

You run the following cmdlet.

Set-MailboxAuditBypassAssociation –Identity User2

–AuditByPassEnabled $true

The users perform the following actions:

User1 accesses an item in the mailbox of User2.

User2 modifies a mailbox item in the mailbox of User3.
User3 signs in to her mailbox.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

229 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

Reference:

https://docs.microsoft.com/en-us/powershell/module/exchange/set-
mailboxauditbypassassociation?view=exchange-ps

Question 207
You have a Microsoft 365 subscription.

You plan to connect to Microsoft Exchange Online PowerShell and run the following cmdlets:

Search-MailboxAuditLog
Test-ClientAccessRule
Set-GroupMailbox
Get-Mailbox

Which cmdlet will generate an entry in the Microsoft Office 365 audit log?

 Search-MailboxAuditLog
 Test-ClientAccessRule
 Set-GroupMailbox
 Get-Mailbox
Explanation:

Reference:

https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-
compliance?view=o365-worldwide#exchange-admin-audit-log

230 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 208
You have a Microsoft 365 subscription.

All users are assigned a Microsoft 365 E3 license.

You enable auditing for your organization.

What is the maximum amount of time data will be retained in the Microsoft 365 audit log?

 2 years
 1 year
 30 days
 90 days
Explanation:

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-
and-compliance

231 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 209
Your company has a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com.

You sign up for Microsoft Store for Business.

The tenant contains the users shown in the following table.

Microsoft Store for Business has the following Shopping behavior settings:
Allow users to shop is set to On.
Make everyone a Basic Purchaser is set to Off.

You need to identify which users can install apps from the Microsoft for Business private store.

Which users should you identify?

 User1 and User2 only

 User1 only
 User1, User2, User3, and User4 only
 User3 and User4 only
 User1, User2, User3, User4, and User5
Explanation:

Explanation:

Allow users to shop controls the shopping experience in Microsoft Store for Education. When this
setting is on, Purchasers and Basic Purchasers can purchase products and services from Microsoft
Store for Education.

Reference:

https://docs.microsoft.com/en-us/microsoft-store/acquire-apps-microsoft-store-for-business

232 Licensed to PEAKUP TECHNOLOGY

[email protected]
Question 210
HOTSPOT

You have retention policies in Microsoft 365 as shown in the following table.

Policy1 is configured as shown in the Policy1 exhibit. (Click the Policy1 tab.)

Policy2 is configured as shown in the Policy2 exhibit. (Click the Policy2 tab.)

233 Licensed to PEAKUP TECHNOLOGY

[email protected]
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

234 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/retention-policies#the-principles-
of-retention-or-what-takes-precedence

235 Licensed to PEAKUP TECHNOLOGY

[email protected]
Case Study (1 questions)
Case Study
Overview

Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in
Seattle and New York.

The company has the employees and devices shown in the following table.

Contoso recently purchased a Microsoft 365 E5 subscription.

Existing Environment

The network contains an on-premises Active Directory forest named contoso.com. The forest
contains the servers shown in the following table.

All servers run Windows Server 2016. All desktops and laptops run Windows 10 Enterprise and are
joined to the domain.

The mobile devices of the users in the Montreal and Seattle offices run Android. The mobile devices
of the users in the New York office run iOS.

The domain is synced to Azure Active Directory (Azure AD) and includes the users shown in the
following table.

236 Licensed to PEAKUP TECHNOLOGY

[email protected]
The domain also includes a group named Group1.

Requirements
Planned Changes

Contoso plans to implement the following changes:

Implement Microsoft 365.

Manage devices by using Microsoft Intune.
Implement Azure Advanced Threat Protection (ATP).
Every September, apply the latest feature updates to all Windows computers. Every March, apply the
latest feature updates to the computers in the New York office only.
Technical Requirements

Contoso identifies the following technical requirements:

When a Windows 10 device is joined to Azure AD, the device must enroll in Intune automatically.
Dedicated support technicians must enroll all the Montreal office mobile devices in Intune.
User1 must be able to enroll all the New York office mobile devices in Intune.
Azure ATP sensors must be installed and must NOT use port mirroring.
Whenever possible, the principle of least privilege must be used.
A Microsoft Store for Business must be created.
Compliance Requirements

Contoso identifies the following compliance requirements:

Ensure that the users in Group1 can only access Microsoft Exchange Online from devices that are
enrolled in Intune and configured in accordance with the corporate policy.
Configure Windows Information Protection (WIP) for the Windows 10 devices.

Question 211
You need to meet the compliance requirements for the Windows 10 devices.

What should you create from the Endpoint Management admin center?

 a device compliance policy

 a device configuration profile

237 Licensed to PEAKUP TECHNOLOGY

[email protected]
  an app protection policy
 an app configuration policy
Explanation:

Reference:

https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-
protection/create-wip-policy-using-intune-azure

238 Licensed to PEAKUP TECHNOLOGY

[email protected]
Case Study (6 questions)
Case Study
Overview

ADatum Corporation is an international financial services company that has 5,000 employees.

ADatum has six offices: a main office in New York and five branch offices in Germany, the United
Kingdom, France, Spain, and Italy.

All the offices are connected to each other by using a WAN link. Each office connects directly to the
Internet.

Existing Environment
Current Infrastructure

ADatum recently purchased a Microsoft 365 subscription.

All user files are migrated to Microsoft 365.

All mailboxes are hosted in Microsoft 365. The users in each office have email suffixes that include
the country of the user, for example, [email protected] or [email protected].

Each office has a security information and event management (SIEM) appliance. The appliance comes
from three different vendors.

ADatum uses and processes Personally Identifiable Information (PII).

Problem Statements

ADatum entered into litigation. The legal department must place a hold on all the documents of a
user named User1 that are in Microsoft 365.

Requirements

Business Goals

ADatum wants to be fully compliant with all the relevant data privacy laws in the regions where is
operates.

ADatum wants to minimize the cost of hardware and software whenever possible.

Technical Requirements

ADatum identifies the following technical requirements:

239 Licensed to PEAKUP TECHNOLOGY

[email protected]
Centrally perform log analysis for all offices.
Aggregate all data from the SIEM appliances to a central cloud repository for later analysis.
Ensure that a SharePoint administrator can identify who accessed a specific file stored in a document
library.
Provide the users in the finance department with access to Service assurance information in
Microsoft Office 365.
Ensure that documents and email messages containing the PII data of European Union (EU) citizens
are preserved for 10 years.
If a user attempts to download 1,000 or more files from Microsoft SharePoint Online within 30
minutes, notify a security administrator and suspend the user’s user account.
A security administrator requires a report that shown which Microsoft 365 users signed in. Based on
the report, the security administrator will create a policy to require multi-factor authentication when
a sign-in is high risk.
Ensure that the users in the New York office can only send email messages that contain sensitive U.S.
PII data to other New York office uses. Email messages must be monitored to ensure compliance.
Auditors in the New York office must have access to reports that show the sent and received email
messages containing sensitive U.S. PII data.

Question 212
HOTSPOT

You need to meet the technical requirement for log analysis.

What is the minimum number of data sources and log collectors you should create from Microsoft
Cloud App Security? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

240 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

References:

https://docs.microsoft.com/en-us/cloud-app-security/discovery-docker

Question 213
DRAG DROP

You need to meet the requirement for the legal department.

Which three actions should you perform in sequence from the Security & Compliance admin center?
To answer, move the appropriate actions from the list of actions to the answer area and arrange
them in the correct order.

241 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

References:

https://www.sherweb.com/blog/ediscovery-office-365/

Question 214
You need to protect the U.S. PII data to meet the technical requirements.

What should you create?

 a data loss prevention (DLP) policy that contains a domain exception

 a Security & Compliance retention policy that detects content containing sensitive
data
 a Security & Compliance alert policy that contains an activity
 a data loss prevention (DLP) policy that contains a user override
Explanation:

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/create-activity-alerts

Question 215
Which report should the New York office auditors view?

 DLP incidents
 Top Senders and Recipients
 DLP false positives and overrides
 DLP policy matches
Explanation:

References:
242 Licensed to PEAKUP TECHNOLOGY
[email protected]
https://docs.microsoft.com/en-us/office365/securitycompliance/data-loss-prevention-policies

Question 216
You need to meet the technical requirement for the EU PII data.

What should you create?

 a data loss prevention (DLP) policy from the Security & Compliance admin center
 a data loss prevention (DLP) policy from the Exchange admin center
 a retention policy from the Exchange admin center
 a retention policy from the Security & Compliance admin center
Explanation:

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/retention-policies

Question 217
HOTSPOT

You need to meet the technical requirement for the SharePoint administrator.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

243 Licensed to PEAKUP TECHNOLOGY

[email protected]
Solution:

Explanation:

References:

https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-
and-compliance#step-3-filter-the-search-results

244 Licensed to PEAKUP TECHNOLOGY

[email protected]