MS-102-Dec 2024

Fabrikam, Inc. plans to implement a Microsoft 365 Enterprise subscription, migrating email and shared documents while conducting two pilot projects for the sales department. The company has specific technical, application, and security requirements to ensure seamless email communication and user authentication during the transition. Key roles and DNS records are identified for successful implementation, alongside group-based licensing strategies.

MS-102 Actual Exam Questions

Last updated on Dec. 16, 2024.

Question #1 Topic 1

Overview -
Fabrikam, Inc. is an electronics company that produces consumer products. Fabrikam has 10,000
employees worldwide.
Fabrikam has a main office in London and branch offices in major cities in Europe, Asia, and the
United States.

Existing Environment -

Active Directory Environment -


The network contains an Active Directory forest named fabrikam.com. The forest contains all the
identities used for user and computer authentication. Each department is represented by a top-level
organizational unit (OU) that contains several child OUs for user accounts and computer accounts.
All users authenticate to on-premises applications by signing in to their device by using a UPN format
of [email protected].
Fabrikam does NOT plan to implement identity federation.

Network Infrastructure -
Each office has a high-speed connection to the Internet.
Each office contains two domain controllers. All domain controllers are configured as DNS servers.
The public zone for fabrikam.com is managed by an external DNS server.
All users connect to an on-premises Microsoft Exchange Server 2016 organization. The users access
their email by using Outlook Anywhere, Outlook on the web, or the Microsoft Outlook app for iOS. All
the Exchange servers have the latest cumulative updates installed.
All shared company documents are stored on a Microsoft SharePoint Server farm.

Requirements -

Planned Changes -
Fabrikam plans to implement a Microsoft 365 Enterprise subscription and move all email and shared
documents to the subscription.
Fabrikam plans to implement two pilot projects:
Project1: During Project1, the mailboxes of 100 users in the sales department will be moved to
Microsoft 365.
Project2: After the successful completion of Project1, Microsoft Teams will be enabled in Microsoft
365 for the sales department users.
Fabrikam plans to create a group named UserLicenses that will manage the allocation of all Microsoft
365 bulk licenses.

Technical Requirements -
Fabrikam identifies the following technical requirements:
All users must be able to exchange email messages successfully during Project1 by using their
current email address.
Users must be able to authenticate to cloud services if Active Directory becomes unavailable.
A user named User1 must be able to view all DLP reports from the Microsoft Purview compliance
portal.
Microsoft 365 Apps for enterprise applications must be installed from a network share only.
Disruptions to email access must be minimized.

Application Requirements -
Fabrikam identifies the following application requirements:
An on-premises web application named App1 must allow users to complete their expense reports
online. App1 must be available to users from the My Apps portal.
The installation of feature updates for Microsoft 365 Apps for enterprise must be minimized.

Security Requirements -
Fabrikam identifies the following security requirements:
After the planned migration to Microsoft 365, all users must continue to authenticate to their mailbox
and to SharePoint sites by using their UPN.
The membership of the UserLicenses group must be validated monthly. Unused user accounts must
be removed from the group automatically.
After the planned migration to Microsoft 365, all users must be signed in to on-premises and cloud-
based applications automatically.
The principle of least privilege must be used.
You are evaluating the required processes for Project1.
You need to recommend which DNS record must be created while adding a domain name for the
project.
Which DNS record should you recommend?

• A. host (A)

• B. host information (HINFO)

• C. text (TXT) Most Voted

• D. pointer (PTR)

Correct Answer: C

Community vote distribution

C (100%)

Question #2 Topic 1

You need to ensure that all the sales department users can authenticate successfully during Project1
and Project2.
Which authentication strategy should you implement for the pilot projects?

• A. pass-through authentication

• B. pass-through authentication and seamless SSO

• C. password hash synchronization and seamless SSO

• D. password hash synchronization

Question #3 Topic 1

Which role should you assign to User1?

• A. Hygiene Management

• B. Security Reader Most Voted

• C. Security Administrator

• D. Records Management

Correct Answer: B

Community vote distribution

B (100%)

Question #4 Topic 1

HOTSPOT -

You create the Microsoft 365 tenant.
You implement Azure AD Connect as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #5 Topic 1

Your company has a Microsoft 365 subscription.


You need to identify all the users in the subscription who are licensed for Office 365 through a group
membership. The solution must include the name of the group used to assign the license.
What should you use?

• A. Active users in the Microsoft 365 admin center

• B. Reports in Microsoft Purview compliance portal

• C. the Licenses blade in the Microsoft Entra admin center Most Voted

• D. Reports in the Microsoft 365 admin center

Correct Answer: C

Community vote distribution

C (96%)

4%

Question #6 Topic 1

HOTSPOT -
You have a Microsoft 365 subscription that contains the users shown in the following table.

You need to configure a dynamic user group that will include the guest users in any department that
contains the word Support.
How should you complete the membership rule? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #7 Topic 1

HOTSPOT -
Your company uses a legacy on-premises LDAP directory that contains 100 users.
The company purchases a Microsoft 365 subscription.
You need to import the 100 users into Microsoft 365 by using the Microsoft 365 admin center.
Which type of file should you use and which properties are required? To answer, select the
appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #8 Topic 1

You have a Microsoft 365 subscription that contains the users shown in the following table.

You need to configure group-based licensing to meet the following requirements:


To all users, deploy an Office 365 E3 license without the Power Automate license option.
To all users, deploy an Enterprise Mobility + Security E5 license.
To the users in the research department only, deploy a Power BI Pro license.
To the users in the marketing department only, deploy a Visio Plan 2 license.
What is the minimum number of deployment groups required?

• A. 1

• B. 2

• C. 3 Most Voted

• D. 4

• E. 5

Correct Answer: C

Community vote distribution

C (100%)

Question #9 Topic 1
You have a Microsoft 365 subscription.
You view the Service health Overview as shown in the following exhibit.

You need to ensure that a user named User1 can view the advisories to investigate service health
issues.
Which role should you assign to User1?

• A. Message Center Reader

• B. Reports Reader

• C. Service Support Administrator Most Voted

• D. Compliance Administrator

Correct Answer: C

Community vote distribution

C (100%)

Question #10 Topic 1

HOTSPOT -
You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

You add the following assignment for the User Administrator role:

Scope type: Directory
Selected members: Group1
Assignment type: Active
Assignment starts: Mar 15, 2023
Assignment ends: Aug 15, 2023

You add the following assignment for the Exchange Administrator role:

Scope type: Directory
Selected members: Group2
Assignment type: Eligible
Assignment starts: Jun 15, 2023
Assignment ends: Oct 15, 2023


For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #11 Topic 1

You have a Microsoft 365 subscription.


You have an Azure AD tenant that contains the users shown in the following table.

You configure Tenant properties as shown in the following exhibit.

Which users will be contacted by Microsoft if the tenant experiences a data breach?

• A. User1 only

• B. User2 only Most Voted

• C. User3 only

• D. User1 and User2 only

• E. User2 and User3 only

Correct Answer: B

Community vote distribution

B (76%)
D (24%)

Question #12 Topic 1

Your network contains an Active Directory forest named contoso.local.


You purchase a Microsoft 365 subscription.
You plan to move to Microsoft 365 and to implement a hybrid deployment solution for the next 12
months.
You need to prepare for the planned move to Microsoft 365.
What is the best action to perform before you implement directory synchronization? More than one
answer choice may achieve the goal. Select the BEST answer.

• A. Purchase a third-party X.509 certificate.

• B. Create an external forest trust.

• C. Rename the Active Directory forest.

• D. Purchase a custom domain name. Most Voted

Correct Answer: D

Community vote distribution

D (100%)

Question #13 Topic 1

You have a Microsoft 365 subscription.


You configure a new Azure AD enterprise application named App1. App1 requires that a user be
assigned the Reports Reader role.
Which type of group should you use to assign the Reports Reader role and to access App1?

• A. a Microsoft 365 group that has assigned membership

• B. a Microsoft 365 group that has dynamic user membership

• C. a security group that has assigned membership Most Voted

• D. a security group that has dynamic user membership

Correct Answer: C

Community vote distribution

C (100%)

Question #14 Topic 1

You have a new Microsoft 365 E5 tenant.


You need to enable an alert policy that will be triggered when an elevation of Microsoft Exchange
Online administrative privileges is detected.
What should you do first?

• A. Enable auditing. Most Voted

• B. Enable Microsoft 365 usage analytics.


• C. Create an Insider risk management policy.

• D. Create a communication compliance policy.

Correct Answer: A

Community vote distribution

A (89%)

11%

Question #15 Topic 1

Your network contains an on-premises Active Directory domain named contoso.com. The domain
contains 1,000 Windows 10 devices.
You perform a proof of concept (PoC) deployment of Microsoft Defender for Endpoint for 10 test
devices. During the onboarding process, you configure Microsoft Defender for Endpoint-related data
to be stored in the United States.
You plan to onboard all the devices to Microsoft Defender for Endpoint.
You need to store the Microsoft Defender for Endpoint data in Europe.
What should you do first?

• A. Delete the workspace.

• B. Create a workspace.

• C. Onboard a new device.

• D. Offboard the test devices. Most Voted

Correct Answer: D

Community vote distribution

D (80%)

B (20%)

Question #16 Topic 1

You have a Microsoft 365 E5 subscription that contains a user named User1.
User1 exceeds the default daily limit of allowed email messages and is on the Restricted entities list.
You need to remove User1 from the Restricted entities list.
What should you use?

• A. the Exchange admin center

• B. the Microsoft Purview compliance portal

• C. the Microsoft 365 admin center

• D. the Microsoft 365 Defender portal Most Voted

• E. the Microsoft Entra admin center

Correct Answer: D

Community vote distribution

D (100%)

Question #17 Topic 1

Your company has a Microsoft 365 E5 subscription.


Users in the research department work with sensitive data.
You need to prevent the research department users from accessing potentially unsafe websites by
using hyperlinks embedded in email messages and documents. Users in other departments must not
be restricted.
What should you do?

• A. Create a data loss prevention (DLP) policy that has a Content is shared condition.

• B. Modify the safe links policy Global settings.

• C. Create a data loss prevention (DLP) policy that has a Content contains condition.

• D. Create a new safe links policy. Most Voted

Correct Answer: D

Community vote distribution

D (100%)

Question #18 Topic 1

HOTSPOT -
You have an Azure AD tenant that contains the users shown in the following table.

Your company uses Microsoft Defender for Endpoint. Microsoft Defender for Endpoint contains the
roles shown in the following table.
Microsoft Defender for Endpoint contains the device groups shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #19 Topic 1

HOTSPOT -
You have a Microsoft 365 E5 tenant.
You need to ensure that administrators are notified when a user receives an email message that
contains malware. The solution must use the principle of least privilege.
Which type of policy should you create, and which Microsoft Purview solutions role is required to
create the policy? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #20 Topic 1

You have a Microsoft 365 E5 subscription.


You need to compare the current Safe Links configuration to the Microsoft recommended
configurations.
What should you use?

• A. Microsoft Purview

• B. Azure AD Identity Protection

• C. Microsoft Secure Score

• D. the configuration analyzer Most Voted

Correct Answer: D

Question #21 Topic 1

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.
When users attempt to access the portal of a partner company, they receive the message shown in
the following exhibit.
You need to enable user access to the partner company's portal.
Which Microsoft Defender for Endpoint setting should you modify?

• A. Alert notifications

• B. Alert suppression

• C. Custom detections

• D. Advanced hunting

• E. Indicators Most Voted

Correct Answer: E

Community vote distribution

E (100%)

Question #22 Topic 1

HOTSPOT -
You have a Microsoft 365 E3 subscription.
You plan to launch Attack simulation training for all users.
Which social engineering technique and training experience will be available? To answer, select the
appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #23 Topic 1
You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365.
You need to ensure that users are prevented from opening or downloading malicious files from
Microsoft Teams, OneDrive, or SharePoint Online.
What should you do?

• A. Create a new Anti-malware policy.

• B. Configure the Safe Links global settings.

• C. Create a new Anti-phishing policy.

• D. Configure the Safe Attachments global settings. Most Voted

Correct Answer: D

Community vote distribution

D (93%)

7%

Question #24 Topic 1

HOTSPOT -
Your company uses Microsoft Defender for Endpoint. Microsoft Defender for Endpoint includes the
device groups shown in the following table.

You onboard a computer named computer1 to Microsoft Defender for Endpoint as shown in the
following exhibit.
Use the drop-down menus to select the answer choice that completes each statement.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #25 Topic 1

HOTSPOT -
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Office 365.
The subscription has the default inbound anti-spam policy and a custom Safe Attachments policy.
You need to identify the following information:
The number of email messages quarantined by zero-hour auto purge (ZAP)
The number of times users clicked a malicious link in an email message
Which Email & collaboration report should you use? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #26 Topic 1

You have a Microsoft 365 tenant.


You plan to manage incidents in the tenant by using Microsoft 365 Defender.
Which Microsoft service source will appear on the Incidents page of the Microsoft 365 Defender
portal?

• A. Microsoft Sentinel

• B. Microsoft Defender for Cloud

• C. Azure Arc

• D. Microsoft Defender for Identity Most Voted

Correct Answer: D

Community vote distribution

D (100%)

Question #27 Topic 1

Your network contains an on-premises Active Directory domain named contoso.local. The domain
contains five domain controllers.
Your company purchases Microsoft 365 and creates an Azure AD tenant named
contoso.onmicrosoft.com.
You plan to install Azure AD Connect on a member server and implement pass-through
authentication.
You need to prepare the environment for the planned implementation of pass-through authentication.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

• A. From a domain controller, install an Authentication Agent.

• B. From the Microsoft Entra admin center, configure an authentication method.

• C. From Active Directory Domains and Trusts, add a UPN suffix. Most Voted

• D. Modify the email address attribute for each user account.

• E. From the Microsoft Entra admin center, add a custom domain name. Most Voted

• F. Modify the User logon name for each user account. Most Voted

Correct Answer: CEF

Community vote distribution

CEF (89%)

7%

Question #28 Topic 1

HOTSPOT -
You have a new Microsoft 365 E5 tenant.
Enable Security defaults is set to Yes.
A user signs in to the tenant for the first time.
Which multi-factor authentication (MFA) method can the user use, and how many days does the user
have to register for MFA? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct Answer:

Question #29 Topic 1

Your network contains an on-premises Active Directory domain named contoso.com. The domain
contains the objects shown in the following table.

You configure Azure AD Connect to sync contoso.com to Azure AD.


Which objects will sync to Azure AD?

• A. Group1 only

• B. User1 and User2 only

• C. Group1 and User1 only

• D. Group1, User1, and User2 Most Voted

Correct Answer: D

Community vote distribution

D (81%)

Other

Question #30 Topic 1

You have a Microsoft 365 E5 subscription.


You need to create Conditional Access policies to meet the following requirements:
All users must use multi-factor authentication (MFA) when they sign in from outside the corporate
network.
Users must only be able to sign in from outside the corporate network if the sign-in originates from a
compliant device.
All users must be blocked from signing in from outside the United States and Canada.
Only users in the R&D department must be blocked from signing in from both Android and iOS
devices.
Only users in the finance department must be able to sign in to an Azure AD enterprise application
named App1. All other users must be blocked from signing in to App1.
What is the minimum number of Conditional Access policies you should create?

• A. 3

• B. 4 Most Voted

• C. 5

• D. 6

• E. 7

• F. 8

Correct Answer: B

Community vote distribution

B (73%)

A (27%)

Question #41 Topic 1

You have a Microsoft 365 E5 tenant.


Users store data in the following locations:

Microsoft Teams
Microsoft OneDrive
Microsoft Exchange Online
Microsoft SharePoint
You need to retain Microsoft 365 data for two years.
What is the minimum number of retention policies that you should create?

• A. 1

• B. 2

• C. 3 Most Voted

• D. 4

Correct Answer: C

Community vote distribution: C (85%), B (15%)

Question #42 Topic 1

HOTSPOT -
You have a Microsoft 365 tenant.
You plan to create a retention policy as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #43 Topic 1

You have a Microsoft 365 subscription.


You need to configure a compliance solution that meets the following requirements:

• Defines sensitive data based on existing data samples
• Automatically prevents data that matches the samples from being shared externally in Microsoft SharePoint or email messages

Which two components should you configure? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

• A. a trainable classifier Most Voted

• B. a sensitive info type

• C. an insider risk policy

• D. an adaptive policy scope

• E. a data loss prevention (DLP) policy Most Voted

Correct Answer: AE

Community vote distribution: AE (88%), 13%

Question #44 Topic 1

HOTSPOT -
You have a Microsoft 365 subscription that contains a Microsoft SharePoint site named Site1. Site1
has the files shown in the following table.
For Site1, users are assigned the roles shown in the following table.

You create a data loss prevention (DLP) policy named Policy1 that contains a rule as shown in the
following exhibit.
How many files will be visible to User1 and User2 after Policy1 is applied to Site1? To answer, select
the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #45 Topic 1

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your network contains an on-premises Active Directory domain named contoso.com. The domain
contains the users shown in the following table.

The domain syncs to an Azure AD tenant named contoso.com as shown in the exhibit. (Click the
Exhibit tab.)
User2 fails to authenticate to Azure AD when signing in as [email protected].
You need to ensure that User2 can access the resources in Azure AD.
Solution: From the Microsoft Entra admin center, you assign User2 the Security Reader role. You
instruct User2 to sign in as [email protected].
Does this meet the goal?

• A. Yes

• B. No Most Voted

Correct Answer: B

Community vote distribution: B (100%)

Question #46 Topic 1

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your network contains an on-premises Active Directory domain named contoso.com. The domain
contains the users shown in the following table.

The domain syncs to an Azure AD tenant named contoso.com as shown in the exhibit. (Click the
Exhibit tab.)
User2 fails to authenticate to Azure AD when signing in as [email protected].
You need to ensure that User2 can access the resources in Azure AD.
Solution: From the on-premises Active Directory domain, you set the UPN suffix for User2 to
@contoso.com. You instruct User2 to sign in as [email protected].
Does this meet the goal?

• A. Yes Most Voted

• B. No

Correct Answer: A

Community vote distribution: A (63%), B (38%)

Question #47 Topic 1

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your network contains an on-premises Active Directory domain named contoso.com. The domain
contains the users shown in the following table.
The domain syncs to an Azure AD tenant named contoso.com as shown in the exhibit. (Click the
Exhibit tab.)

User2 fails to authenticate to Azure AD when signing in as [email protected].


You need to ensure that User2 can access the resources in Azure AD.
Solution: From the Microsoft Entra admin center, you add fabrikam.com as a custom domain. You
instruct User2 to sign in as [email protected].
Does this meet the goal?

• A. Yes Most Voted

• B. No

Correct Answer: A

Community vote distribution: A (65%), B (35%)

Question #48 Topic 1

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your network contains an Active Directory domain.
You deploy an Azure AD tenant.
Another administrator configures the domain to synchronize to Azure AD.
You discover that 10 user accounts in an organizational unit (OU) are NOT synchronized to Azure
AD. All the other user accounts synchronized successfully.
You review Azure AD Connect Health and discover that all the user account synchronizations
completed successfully.
You need to ensure that the 10 user accounts are synchronized to Azure AD.
Solution: You run idfix.exe and export the 10 user accounts.
Does this meet the goal?

• A. Yes

• B. No Most Voted

Correct Answer: B

Community vote distribution: B (100%)

Question #49 Topic 1

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your network contains an Active Directory domain.
You deploy an Azure AD tenant.
Another administrator configures the domain to synchronize to Azure AD.
You discover that 10 user accounts in an organizational unit (OU) are NOT synchronized to Azure
AD. All the other user accounts synchronized successfully.
You review Azure AD Connect Health and discover that all the user account synchronizations
completed successfully.
You need to ensure that the 10 user accounts are synchronized to Azure AD.
Solution: From Azure AD Connect, you modify the Azure AD credentials.
Does this meet the goal?

• A. Yes

• B. No Most Voted

Correct Answer: B

Community vote distribution: B (100%)

Question #50 Topic 1

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your network contains an Active Directory domain.
You deploy an Azure AD tenant.
Another administrator configures the domain to synchronize to Azure AD.
You discover that 10 user accounts in an organizational unit (OU) are NOT synchronized to Azure
AD. All the other user accounts synchronized successfully.
You review Azure AD Connect Health and discover that all the user account synchronizations
completed successfully.
You need to ensure that the 10 user accounts are synchronized to Azure AD.
Solution: From the Synchronization Rules Editor, you create a new outbound synchronization rule.
Does this meet the goal?

• A. Yes

• B. No Most Voted

Correct Answer: B

Community vote distribution: B (82%), A (18%)

Question #51 Topic 1

HOTSPOT -
You have a Microsoft 365 subscription.
You need to review metrics for the following:

• The daily active users in Microsoft Teams
• Recent Microsoft service issues

What should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #52 Topic 1

DRAG DROP -
You have a Microsoft 365 E5 subscription that contains two groups named Group1 and Group2.
You need to ensure that each group can perform the tasks shown in the following table.

The solution must use the principle of least privilege.


Which role should you assign to each group? To answer, drag the appropriate roles to the correct
groups. Each role may be used once, more than once, or not at all. You may need to drag the split
bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #53 Topic 1

You have a Microsoft 365 subscription.


You need to add additional onmicrosoft.com domains to the subscription. The additional domains
must be assignable as email addresses for users.
What is the maximum number of onmicrosoft.com domains the subscription can contain?

• A. 1

• B. 2

• C. 5 Most Voted

• D. 10

Correct Answer: C

Community vote distribution: C (75%), A (25%)

Question #54 Topic 1

HOTSPOT -
You have an Azure AD tenant that contains the administrative units shown in the following table.

You have the following users:

• A user named User1 that is assigned the Password Administrator for AU1 and AU2.
• A user named User2 that is assigned the User Administrator for AU1.
• A user named User3 that is assigned the User Administrator for the tenant.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #55 Topic 1

Your network contains an Active Directory domain named adatum.com that is synced to Azure AD.
The domain contains 100 user accounts.
The city attribute for all the users is set to the city where the user resides.
You need to modify the value of the city attribute to the three-letter airport code of each city.
What should you do?

• A. From Windows PowerShell on a domain controller, run the Get-ADUser and Set-ADUser cmdlets. Most Voted

• B. From Azure Cloud Shell, run the Get-ADUser and Set-ADUser cmdlets.

• C. From Windows PowerShell on a domain controller, run the Get-MgUser and Update-MgUser cmdlets.

• D. From Azure Cloud Shell, run the Get-MgUser and Update-MgUser cmdlets.

Correct Answer: A

Community vote distribution: A (100%)

Question #56 Topic 1

HOTSPOT -
Your company has a Microsoft 365 E5 subscription.
You need to perform the following tasks:

• View the Adoption Score of the company.
• Create a new service request to Microsoft.

Which two options should you use in the Microsoft 365 admin center? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #57 Topic 1

You have a Microsoft 365 subscription that uses an Azure AD tenant named contoso.com. The tenant
contains the users shown in the following table.

You add another user named User5 to the User Administrator role.
You need to identify which two management tasks User5 can perform.
Which two tasks should you identify? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

• A. Delete User2 and User4 only. Most Voted

• B. Reset the password of User4 only.

• C. Reset the password of any user in Azure AD.

• D. Delete User1, User2, and User4 only.

• E. Reset the password of User2 and User4 only. Most Voted

• F. Delete any user in Azure AD.

Correct Answer: AE

Community vote distribution: AE (100%)

Question #58 Topic 1

HOTSPOT -
You have a Microsoft 365 subscription that contains a Microsoft 365 group named Group1. Group1 is
configured as shown in the following exhibit.
An external user named User1 has an email address of [email protected].
You need to add User1 to Group1.
What should you do first, and which portal should you use? To answer, select the appropriate options
in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #59 Topic 1

You have a Microsoft 365 subscription that contains a user named User1.
User1 requires admin access to perform the following tasks:

• Manage Microsoft Exchange Online settings.
• Create Microsoft 365 groups.

You need to ensure that User1 only has admin access for eight hours and requires approval before the role assignment takes place.
What should you use?

• A. Azure AD Identity Protection

• B. Microsoft Entra Verified ID

• C. Conditional Access

• D. Azure AD Privileged Identity Management (PIM) Most Voted

Correct Answer: D

Community vote distribution: D (100%)

Question #60 Topic 1

HOTSPOT -
You have a Microsoft 365 E5 subscription that contains the groups shown in the following table.

All the groups are deleted.


Which groups can be restored, and what is the retention period? To answer, select the appropriate
options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #61 Topic 1

HOTSPOT -
You have a Microsoft 365 E5 subscription.
From Azure AD Privileged Identity Management (PIM), you configure Role settings for the Global
Administrator role as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #62 Topic 1

HOTSPOT -
You have a Microsoft 365 subscription.
A user named [email protected] was recently provisioned.
You need to use PowerShell to assign a Microsoft Office 365 E3 license to User1. Microsoft Bookings
must NOT be enabled.
How should you complete the command? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #63 Topic 1

You have a Microsoft E5 subscription.


You need to ensure that administrators who need to manage Microsoft Exchange Online are assigned
the Exchange Administrator role for five hours at a time.
What should you implement?

• A. Azure AD Privileged Identity Management (PIM) Most Voted

• B. a conditional access policy

• C. a communication compliance policy

• D. Azure AD Identity Protection

• E. groups that have dynamic membership

Correct Answer: A

Community vote distribution: A (100%)

Question #64 Topic 1

You have a Microsoft 365 subscription.


You suspect that several Microsoft Office 365 applications or services were recently updated.
You need to identify which applications or services were recently updated.
What are two possible ways to achieve the goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

• A. From the Microsoft 365 admin center, review the Service health blade.

• B. From the Microsoft 365 admin center, review the Message center blade. Most Voted

• C. From the Microsoft 365 admin center, review the Products blade.

• D. From the Microsoft 365 Admin mobile app, review the messages. Most Voted

Correct Answer: BD

Community vote distribution: BD (75%), AB (25%)

Question #65 Topic 1

You have a Microsoft 365 subscription that contains the domains shown in the following exhibit.

Which domain name suffixes can you use when you create users?

• A. only Sub1.contoso221018.onmicrosoft.com

• B. only contoso221018.onmicrosoft.com and Sub2.contoso221018.onmicrosoft.com

• C. only contoso221018.onmicrosoft.com, Sub.contoso221018.onmicrosoft.com, and Sub2.contoso221018.onmicrosoft.com

• D. all the domains in the subscription Most Voted

Correct Answer: D

Community vote distribution: D (53%), B (41%), 6%

Question #66 Topic 1

You have a Microsoft 365 subscription.


You plan to implement Microsoft Purview Privileged Access Management.
Which Microsoft Office 365 workloads support privileged access?

• A. Microsoft Exchange Online only Most Voted

• B. Microsoft Teams only

• C. Microsoft Exchange Online and SharePoint Online only

• D. Microsoft Teams and SharePoint Online only

• E. Microsoft Teams, Exchange Online, and SharePoint Online

Correct Answer: A

Community vote distribution: A (69%), E (31%)

Question #67 Topic 1

HOTSPOT -
You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

You plan to provide User4 with early access to Microsoft 365 feature and service updates.
You need to identify which Microsoft 365 setting must be configured, and which user can modify the
setting. The solution must use the principle of least privilege.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #68 Topic 1

HOTSPOT -
You have a Microsoft 365 subscription.
You are planning a threat management solution for your organization.
You need to minimize the likelihood that users will be affected by the following threats:

• Opening files in Microsoft SharePoint that contain malicious content
• Impersonation and spoofing attacks in email messages

Which policies should you create in Microsoft 365 Defender? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #69 Topic 1

HOTSPOT -
You have a Microsoft 365 E5 tenant.
You have the alerts shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #70 Topic 1

You have a Microsoft 365 E3 subscription that uses Microsoft Defender for Endpoint Plan 1.
Which two Defender for Endpoint features are available to the subscription? Each correct answer
presents part of the solution.
NOTE: Each correct selection is worth one point.

• A. advanced hunting

• B. security reports Most Voted

• C. digital certificate assessment

• D. device discovery

• E. attack surface reduction (ASR) Most Voted

Correct Answer: BE

Community vote distribution

Question #71 Topic 1

You are reviewing alerts in the Microsoft 365 Defender portal.


How long are the alerts retained in the portal?

• A. 30 days

• B. 60 days

• C. 3 months

• D. 6 months Most Voted

• E. 12 months

Correct Answer: D

Community vote distribution: D (81%), Other

Question #72 Topic 1

You have a Microsoft 365 E5 subscription.


From the Microsoft 365 Defender portal, you plan to export a detailed report of compromised users.
What is the longest time range that can be included in the report?

• A. 1 day

• B. 7 days

• C. 30 days Most Voted

• D. 90 days

Correct Answer: C

Community vote distribution: C (50%), A (40%), 10%

Question #73 Topic 1

HOTSPOT -
You have a Microsoft 365 subscription.
You deploy the anti-phishing policy shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #74 Topic 1

HOTSPOT -
You use Microsoft Defender for Endpoint.
You have the Microsoft Defender for Endpoint device groups shown in the following table.

You plan to onboard computers to Microsoft Defender for Endpoint as shown in the following table.

To which device group will each computer be added? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #75 Topic 1

DRAG DROP -
You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365.
You need to configure policies to meet the following requirements:

• Customize the common attachments filter.
• Enable impersonation protection for sender domains.

Which type of policy should you configure for each requirement? To answer, drag the appropriate policy types to the correct requirements. Each policy type may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #76 Topic 1

You have an Azure AD tenant and a Microsoft 365 E5 subscription. The tenant contains the users
shown in the following table.

You plan to implement Microsoft Defender for Endpoint.


You verify that role-based access control (RBAC) is turned on in Microsoft Defender for Endpoint.
You need to identify which user can view security incidents from the Microsoft 365 Defender portal.
Which user should you identify?

• A. User1 Most Voted

• B. User2

• C. User3

• D. User4

Correct Answer: A

Community vote distribution: A (69%), C (31%)

Question #77 Topic 1

HOTSPOT -
You have a Microsoft 365 E5 subscription.
All company-owned Windows 11 devices are onboarded to Microsoft Defender for Endpoint.
You need to configure Defender for Endpoint to meet the following requirements:

• Block a vulnerable app until the app is updated.
• Block an application executable based on a file hash.

The solution must minimize administrative effort.
What should you configure for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #78 Topic 1

HOTSPOT -
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint and contains the
devices shown in the following table.

Defender for Endpoint has the device groups shown in the following table.
You create an incident email notification rule configured as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #79 Topic 1

You have a Microsoft 365 tenant that contains two users named User1 and User2.
You create the alert policy shown in the following exhibit.
User2 runs a script that modifies a file in a Microsoft SharePoint library once every four minutes and
runs for a period of two hours.
How many alerts will User1 receive?

• A. 2 Most Voted

• B. 5

• C. 10

• D. 25

• E. 30

Correct Answer: A

Community vote distribution: A (69%), D (31%)

Question #80 Topic 1

Your company has 10,000 users who access all applications from an on-premises data center.
You plan to create a Microsoft 365 subscription and to migrate data to the cloud.
You plan to implement directory synchronization.
User accounts and group accounts must sync to Azure AD successfully.
You discover that several user accounts fail to sync to Azure AD.
You need to resolve the issue as quickly as possible.
What should you do?

• A. From Active Directory Administrative Center, search for all the users, and then modify the
properties of the user accounts.

• B. Run idfix.exe, and then click Edit. Most Voted

• C. From Windows PowerShell, run the start-AdSyncSyncCycle -PolicyType Delta command.

• D. Run idfix.exe, and then click Complete.

Correct Answer: B

Community vote distribution: B (100%)

Question #81 Topic 1

HOTSPOT -
Your network contains an on-premises Active Directory forest named contoso.com. The forest
contains the following domains:

• Contoso.com
• East.contoso.com

The forest contains the users shown in the following table.

The forest syncs to an Azure AD tenant named contoso.com as shown in the exhibit. (Click the
Exhibit tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #82 Topic 1

HOTSPOT -
Your network contains an on-premises Active Directory domain. The domain contains the servers
shown in the following table.

You purchase a Microsoft 365 E5 subscription.


You need to implement Azure AD Connect cloud sync.
What should you install first and on which server? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #83 Topic 1

HOTSPOT -
You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint Online site named
Site1 and the users shown in the following table.

The devices are configured as shown in the following table.

You have a Conditional Access policy named CAPolicy1 that has the following settings:

Assignments -
• Users or workload identities: Group1
• Cloud apps or actions: Office 365 SharePoint Online

Conditions -
• Filter for devices: Exclude filtered devices from the policy
• Rule syntax: device.displayName -startsWith "Device"

Access controls -
• Grant: Block access
• Session: 0 controls selected

Enable policy: On

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #84 Topic 1

You have a Microsoft 365 E5 subscription.


Conditional Access is configured to block high-risk sign-ins for all users.
All users are in France and are registered for multi-factor authentication (MFA).
Users in the media department will travel to various countries during the next month.
You need to ensure that if the media department users are blocked from signing in while traveling, the
users can remediate the issue without administrator intervention.
What should you configure?

• A. an exclusion group

• B. the MFA registration policy

• C. named locations
• D. self-service password reset (SSPR) Most Voted

Correct Answer: D

Community vote distribution: D (68%), B (20%), 12%

Question #85 Topic 1

You have a Microsoft 365 E5 subscription that contains the following user:

• Name: User1
• UPN: [email protected]
• Email address: [email protected]
• MFA enrollment status: Disabled


When User1 attempts to sign in to Outlook on the web by using
the [email protected] email address, the user cannot sign in.
You need to ensure that User1 can sign in to Outlook on the web by
using [email protected].
What should you do?

• A. Assign an MFA registration policy to User1.

• B. Reset the password of User1.

• C. Add an alternate email address for User1.

• D. Modify the UPN of User1. Most Voted

Correct Answer: D

Community vote distribution: D (77%), C (23%)

Question #86 Topic 1

HOTSPOT -
Your network contains an Active Directory domain named fabrikam.com. The domain contains the
objects shown in the following table.
The groups have the members shown in the following table.

You are configuring synchronization between fabrikam.com and an Azure AD tenant.


You configure the Domain/OU Filtering settings in Azure AD Connect as shown in the Domain/OU
Filtering exhibit. (Click the Domain/OU Filtering tab.)

You configure the Filtering settings in Azure AD Connect as shown in the Filtering exhibit. (Click the
Filtering tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #87 Topic 1

HOTSPOT -
You have a Microsoft 365 E5 subscription.
From Azure AD Identity Protection on August 1, you configure a Multifactor authentication registration
policy that has the following settings:

• Assignments: All users
• Controls: Require Azure AD multifactor authentication registration
• Enforce Policy: On

On August 3, you create two users named User1 and User2.
Users authenticate by using Azure Multi-Factor Authentication (MFA) for the first time on the dates
shown in the following table.

By which dates will User1 and User2 be forced to complete their Azure MFA registration? To answer,
select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #88 Topic 1

Your on-premises network contains an Active Directory domain.


You have a Microsoft 365 subscription.
You need to sync the domain with the subscription. The solution must meet the following
requirements:
On-premises Active Directory password complexity policies must be enforced.
Users must be able to use self-service password reset (SSPR) in Azure AD.
What should you use?

• A. password hash synchronization

• B. Azure AD Identity Protection

• C. Azure AD Seamless Single Sign-On (Azure AD Seamless SSO)

• D. pass-through authentication Most Voted

Correct Answer: D

Community vote distribution: D (92%), 8%

Question #89 Topic 1

You have a Microsoft 365 E5 subscription.


Users access Microsoft 365 from both their laptop and a corporate Virtual Desktop Infrastructure
(VDI) solution.
From Azure AD Identity Protection, you enable a sign-in risk policy.
Users report that when they use the VDI solution, they are regularly blocked when they attempt to
access Microsoft 365.
What should you configure?

• A. the Tenant restrictions settings in Azure AD

• B. a trusted location Most Voted

• C. a Conditional Access policy exclusion

• D. the Microsoft 365 network connectivity settings

Correct Answer: B

Community vote distribution: B (100%)

Question #90 Topic 1

HOTSPOT -
You have a Microsoft 365 E5 subscription that contains a user named User1.
Azure AD Password Protection is configured as shown in the following exhibit.
User1 attempts to update their password to the following passwords:

• F@lcon
• Project22
• T4il$pin45dg4

Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #91 Topic 1

You have a hybrid deployment of Microsoft 365 that contains the users shown in the following table.

Azure AD Connect has the following settings:

• Password Hash Sync: Enabled
• Pass-through authentication: Enabled

You need to identify which users will be able to authenticate by using Azure AD if connectivity
between on-premises Active Directory and the internet is lost.
Which users should you identify?

• A. none

• B. User1 only Most Voted

• C. User1 and User2 only

• D. User1, User2, and User3

Correct Answer: B

Community vote distribution: B (66%), A (29%), 6%

Question #92 Topic 1
Your network contains an on-premises Active Directory domain named contoso.com.
For all user accounts, the Logon Hours settings are configured to prevent sign-ins outside of business
hours.
You plan to sync contoso.com to an Azure AD tenant.
You need to recommend a solution to ensure that the logon hour restrictions apply when synced
users sign in to Azure AD.
What should you include in the recommendation?

• A. pass-through authentication Most Voted

• B. conditional access policies

• C. password synchronization

• D. Azure AD Identity Protection policies

Correct Answer: A

Community vote distribution: A (86%), 14%

Question #93 Topic 1

Your network contains three Active Directory forests. There are forest trust relationships between the
forests.
You create an Azure AD tenant.
You plan to sync the on-premises Active Directory to Azure AD.
You need to recommend a synchronization solution. The solution must ensure that the
synchronization can complete successfully and as quickly as possible if a single server fails.
What should you include in the recommendation?

• A. one Azure AD Connect sync server and one Azure AD Connect sync server in staging
mode Most Voted

• B. three Azure AD Connect sync servers and one Azure AD Connect sync server in staging
mode

• C. six Azure AD Connect sync servers and three Azure AD Connect sync servers in staging
mode

• D. three Azure AD Connect sync servers and three Azure AD Connect sync servers in staging
mode

Correct Answer: A

Community vote distribution: A (100%)

Question #94 Topic 1

You have a Microsoft 365 subscription.


You have the retention policies shown in the following table.
Both policies are applied to a Microsoft SharePoint site named Site1 that contains a file named
File1.docx.
File1.docx was created on January 1, 2022 and last modified on January 31, 2022. The file was NOT
modified again.
When will File1.docx be deleted automatically?

• A. January 1, 2023

• B. January 1, 2024

• C. January 31, 2023

• D. January 31, 2024 Most Voted

• E. never

Correct Answer: D

Community vote distribution: D (81%), E (19%)

Question #95 Topic 1

You have a Microsoft 365 E5 subscription that contains the groups shown in the following table.

You plan to publish a sensitivity label named Label1.


To which groups can you publish Label1?

• A. Group1 only

• B. Group1 and Group2 only

• C. Group1 and Group4 only

• D. Group1, Group2, and Group3 only Most Voted

• E. Group1, Group2, Group3, and Group4


Correct Answer: D

Community vote distribution: D (88%), 8%

Question #96 Topic 1

HOTSPOT -
You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint site named Site1 and
a data loss prevention (DLP) policy named DLP1. DLP1 contains the rules shown in the following
table.

Site1 contains the files shown in the following table.

Which policy tips are shown for each file? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #97 Topic 1

You have a Microsoft 365 subscription.


You configure a data loss prevention (DLP) policy.
You discover that users are incorrectly marking content as false positive and bypassing the DLP
policy.
You need to prevent the users from bypassing the DLP policy.
What should you configure?

• A. actions

• B. incident reports

• C. exceptions

• D. user overrides Most Voted

Correct Answer: D

Community vote distribution: D (100%)

Question #98 Topic 1

You have a Microsoft 365 E5 tenant.


You create a retention label named Retention1 as shown in the following exhibit.

When users attempt to apply Retention1, the label is unavailable.


You need to ensure that Retention1 is available to all the users.
What should you do?

• A. Create a new label policy. Most Voted

• B. Modify the Authority type setting for Retention1.

• C. Modify the Business function/department setting for Retention1.

• D. Use a file plan CSV template to import Retention1.

Correct Answer: A

Community vote distribution: A (100%)

Question #99 Topic 1

You have a Microsoft 365 E5 subscription that has published sensitivity labels shown in the following
exhibit.

Which labels can users apply to content?

• A. Label1, Label2, and Label5 only

• B. Label3, Label4, and Label6 only

• C. Label1, Label3, Label4, and Label6 only Most Voted

• D. Label1, Label2, Label3, Label4, Label5, and Label6

Correct Answer: C

Community vote distribution: C (100%)

Question #100 Topic 1

HOTSPOT -
Your company has a Microsoft 365 E5 tenant.
Users at the company use the following versions of Microsoft Office:
• Microsoft 365 Apps for enterprise
• Office for the web
• Office 2016
• Office 2019

The company currently uses the following Office file types:
• .docx
• .xlsx
• .doc
• .xls

You plan to use sensitivity labels.
You need to identify the following:
• Which versions of Office require an add-in to support the sensitivity labels.
• Which file types support the sensitivity labels.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #101 Topic 1

HOTSPOT -
You have a Microsoft 365 tenant.
You create a retention label as shown in the Retention Label exhibit. (Click the Retention Label tab.)
You create a label policy as shown in the Label Policy exhibit. (Click the Label Policy tab.)

The label policy is configured as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #102 Topic 1

You have a Microsoft 365 subscription.


Your company has a customer ID associated to each customer. The customer IDs contain 10
numbers followed by 10 characters. The following is a sample customer ID: 12-456-7890-abc-de-fghij.
You plan to create a data loss prevention (DLP) policy that will detect messages containing customer
IDs.
What should you create to ensure that the DLP policy can detect the customer IDs?

• A. a PowerShell script

• B. a sensitivity label

• C. a sensitive information type Most Voted

• D. a retention label

Correct Answer: C

Community vote distribution: C (100%)

Question #103 Topic 1

You have a Microsoft 365 E5 subscription.


You define a retention label that has the following settings:
• Retention period: 7 years
• Start the retention period based on: When items were created

You need to prevent the removal of the label once the label is applied to a file.
What should you select in the retention label settings?

• A. Retain items forever or for a specific period

• B. Mark items as a regulatory record Most Voted

• C. Mark items as a record

• D. Retain items even if users delete

Correct Answer: B

Community vote distribution: B (86%), 8%

Question #104 Topic 1

HOTSPOT -
You configure a data loss prevention (DLP) policy named DLP1 with a rule configured as shown in the
following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #105 Topic 1

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your network contains an on-premises Active Directory domain named contoso.com. The domain
contains the users shown in the following table.

The domain syncs to an Azure AD tenant named contoso.com as shown in the exhibit. (Click the
Exhibit tab.)
User2 fails to authenticate to Azure AD when signing in as [email protected].
You need to ensure that User2 can access the resources in Azure AD.
Solution: From the on-premises Active Directory domain, you assign User2 the Allow logon locally
user right. You instruct User2 to sign in as [email protected].
Does this meet the goal?

• A. Yes

• B. No Most Voted

Correct Answer: B

Community vote distribution: B (100%)

Question #106 Topic 1

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have a Microsoft 365 E5 subscription.
You create an account for a new security administrator named SecAdmin1.
You need to ensure that SecAdmin1 can manage Microsoft Defender for Office 365 settings and
policies for Microsoft Teams, SharePoint, and OneDrive.
Solution: From the Microsoft 365 admin center, you assign SecAdmin1 the SharePoint Administrator
role.
Does this meet the goal?

• A. Yes
• B. No Most Voted

Correct Answer: B

Community vote distribution: B (100%)

Question #107 Topic 1

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have a Microsoft 365 E5 subscription.
You create an account for a new security administrator named SecAdmin1.
You need to ensure that SecAdmin1 can manage Microsoft Defender for Office 365 settings and
policies for Microsoft Teams, SharePoint, and OneDrive.
Solution: From the Microsoft Entra admin center, you assign SecAdmin1 the Security Administrator
role.
Does this meet the goal?

• A. Yes Most Voted

• B. No

Correct Answer: A

Community vote distribution: A (84%), B (16%)

Question #108 Topic 1

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have a Microsoft 365 E5 subscription.
You create an account for a new security administrator named SecAdmin1.
You need to ensure that SecAdmin1 can manage Microsoft Defender for Office 365 settings and
policies for Microsoft Teams, SharePoint, and OneDrive.
Solution: From the Microsoft 365 admin center, you assign SecAdmin1 the Exchange Administrator
role.
Does this meet the goal?

• A. Yes

• B. No Most Voted

Correct Answer: B

Community vote distribution: B (100%)

Question #109 Topic 1

HOTSPOT -

Overview -

Litware, Inc. is a consulting company that has a main office in Montreal and a branch office in Seattle.

Litware collaborates with a third-party company named A. Datum Corporation.

Environment -

On-Premises Environment -

The network of Litware contains an Active Directory domain named litware.com. The domain contains
three organizational units (OUs) named LitwareAdmins, Montreal Users, and Seattle Users and the
users shown in the following table.

The domain contains 2,000 Windows 10 Pro devices and 100 servers that run Windows Server 2019.

Cloud Environment -

Litware has a pilot Microsoft 365 subscription that includes Microsoft Office 365 Enterprise E3
licenses and Azure AD Premium P2 licenses.

The subscription contains a verified DNS domain named litware.com.

Azure AD Connect is installed and has the following configurations:

• Password hash synchronization is enabled.
• Synchronization is enabled for the LitwareAdmins OU only.

Users are assigned the roles shown in the following table.


Self-service password reset (SSPR) is enabled.

The Azure AD tenant has Security defaults enabled.

Problem Statements -

Litware identifies the following issues:

• Admin1 cannot create conditional access policies.
• Admin4 receives an error when attempting to use SSPR.
• Users access new Office 365 service and feature updates before the updates are reviewed by
Admin2.

Requirements -

Planned Changes -

Litware plans to implement the following changes:

• Implement Microsoft Intune.
• Implement Microsoft Teams.
• Implement Microsoft Defender for Office 365.
• Ensure that users can install Office 365 apps on their device.
• Convert all the Windows 10 Pro devices to Windows 10 Enterprise E5.
• Configure Azure AD Connect to sync the Montreal Users OU and the Seattle Users OU.

Technical Requirements -

Litware identifies the following technical requirements:

• Administrators must be able to specify which version of an Office 365 desktop app will be available
to users and to roll back to previous versions.
• Only Admin2 must have access to new Office 365 service and feature updates before they are
released to the company.
• Litware users must be able to invite A. Datum users to participate in the following activities:
    • Join Microsoft Teams channels.
    • Join Microsoft Teams chats.
    • Access shared files.
• Just in time access to critical administrative roles must be required.
• Microsoft 365 incidents and advisories must be reviewed monthly.
• Office 365 service status notifications must be sent to Admin2.
• The principle of least privilege must be used.

You need to configure the Office 365 service status notifications and limit access to the service and
feature updates. The solution must meet the technical requirements.

What should you configure in the Microsoft 365 admin center? To answer, select the appropriate
options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #110 Topic 1

Overview -

Litware, Inc. is a consulting company that has a main office in Montreal and a branch office in Seattle.

Litware collaborates with a third-party company named A. Datum Corporation.

Environment -
On-Premises Environment -

The network of Litware contains an Active Directory domain named litware.com. The domain contains
three organizational units (OUs) named LitwareAdmins, Montreal Users, and Seattle Users and the
users shown in the following table.

The domain contains 2,000 Windows 10 Pro devices and 100 servers that run Windows Server 2019.

Cloud Environment -

Litware has a pilot Microsoft 365 subscription that includes Microsoft Office 365 Enterprise E3
licenses and Azure AD Premium P2 licenses.

The subscription contains a verified DNS domain named litware.com.

Azure AD Connect is installed and has the following configurations:

• Password hash synchronization is enabled.


• Synchronization is enabled for the LitwareAdmins OU only.

Users are assigned the roles shown in the following table.

Self-service password reset (SSPR) is enabled.

The Azure AD tenant has Security defaults enabled.

Problem Statements -

Litware identifies the following issues:

• Admin1 cannot create conditional access policies.
• Admin4 receives an error when attempting to use SSPR.
• Users access new Office 365 service and feature updates before the updates are reviewed by
Admin2.

Requirements -

Planned Changes -

Litware plans to implement the following changes:

• Implement Microsoft Intune.
• Implement Microsoft Teams.
• Implement Microsoft Defender for Office 365.
• Ensure that users can install Office 365 apps on their device.
• Convert all the Windows 10 Pro devices to Windows 10 Enterprise E5.
• Configure Azure AD Connect to sync the Montreal Users OU and the Seattle Users OU.

Technical Requirements -

Litware identifies the following technical requirements:

• Administrators must be able to specify which version of an Office 365 desktop app will be available
to users and to roll back to previous versions.
• Only Admin2 must have access to new Office 365 service and feature updates before they are
released to the company.
• Litware users must be able to invite A. Datum users to participate in the following activities:
    • Join Microsoft Teams channels.
    • Join Microsoft Teams chats.
    • Access shared files.
• Just in time access to critical administrative roles must be required.
• Microsoft 365 incidents and advisories must be reviewed monthly.
• Office 365 service status notifications must be sent to Admin2.
• The principle of least privilege must be used.

You need to configure Azure AD Connect to support the planned changes for the Montreal Users and
Seattle Users OUs.

What should you do?

• A. From PowerShell, run the Add-ADSyncConnectorAttributeInclusion cmdlet.

• B. From the Microsoft Azure AD Connect wizard, select Manage federation.

• C. From the Microsoft Azure AD Connect wizard, select Customize synchronization
options. Most Voted

• D. From PowerShell, run the Start-ADSyncSyncCycle cmdlet.

Correct Answer: C

Community vote distribution: C (100%)

Question #111 Topic 1
Overview -

Fabrikam, Inc. is an electronics company that produces consumer products. Fabrikam has 10,000
employees worldwide.

Fabrikam has a main office in London and branch offices in major cities in Europe, Asia, and the
United States.

Existing Environment -

Active Directory Environment -

The network contains an Active Directory forest named fabrikam.com. The forest contains all the
identities used for user and computer authentication. Each department is represented by a top-level
organizational unit (OU) that contains several child OUs for user accounts and computer accounts.

All users authenticate to on-premises applications by signing in to their device by using a UPN format
of [email protected].

Fabrikam does NOT plan to implement identity federation.

Network Infrastructure -

Each office has a high-speed connection to the Internet.

Each office contains two domain controllers. All domain controllers are configured as DNS servers.

The public zone for fabrikam.com is managed by an external DNS server.

All users connect to an on-premises Microsoft Exchange Server 2016 organization. The users access
their email by using Outlook Anywhere, Outlook on the web, or the Microsoft Outlook app for iOS. All
the Exchange servers have the latest cumulative updates installed.

All shared company documents are stored on a Microsoft SharePoint Server farm.

Requirements -

Planned Changes -

Fabrikam plans to implement a Microsoft 365 Enterprise subscription and move all email and shared
documents to the subscription.

Fabrikam plans to implement two pilot projects:

• Project1: During Project1, the mailboxes of 100 users in the sales department will be moved to
Microsoft 365.
• Project2: After the successful completion of Project1, Microsoft Teams will be enabled in Microsoft
365 for the sales department users.

Fabrikam plans to create a group named UserLicenses that will manage the allocation of all Microsoft
365 bulk licenses.
Technical Requirements -

Fabrikam identifies the following technical requirements:

• All users must be able to exchange email messages successfully during Project1 by using their
current email address.
• Users must be able to authenticate to cloud services if Active Directory becomes unavailable.
• A user named User1 must be able to view all DLP reports from the Microsoft Purview compliance
portal.
• Microsoft 365 Apps for enterprise applications must be installed from a network share only.
• Disruptions to email access must be minimized.

Application Requirements -

Fabrikam identifies the following application requirements:

• An on-premises web application named App1 must allow users to complete their expense reports
online. App1 must be available to users from the My Apps portal.
• The installation of feature updates for Microsoft 365 Apps for enterprise must be minimized.

Security Requirements -

Fabrikam identifies the following security requirements:

• After the planned migration to Microsoft 365, all users must continue to authenticate to their mailbox
and to SharePoint sites by using their UPN.
• The membership of the UserLicenses group must be validated monthly. Unused user accounts must
be removed from the group automatically.
• After the planned migration to Microsoft 365, all users must be signed in to on-premises and cloud-
based applications automatically.
• The principle of least privilege must be used.

You are evaluating the required processes for Project1.

You need to recommend which DNS record must be created while adding a domain name for the
project.

Which DNS record should you recommend?

• A. host (A)

• B. alias (CNAME)

• C. text (TXT) Most Voted

• D. host (AAAA)

Correct Answer: C

Community vote distribution: C (100%)

Question #112 Topic 1

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a Microsoft 365 E5 subscription.

You create an account for a new security administrator named SecAdmin1.

You need to ensure that SecAdmin1 can manage Microsoft Defender for Office 365 settings and
policies for Microsoft Teams, SharePoint, and OneDrive.

Solution: From the Microsoft 365 admin center, you assign SecAdmin1 the Teams Administrator role.

Does this meet the goal?

• A. Yes

• B. No Most Voted

Correct Answer: B

Community vote distribution

B (100%)

Question #113Topic 1

HOTSPOT
-

Your network contains an on-premises Active Directory domain named contoso.com.

Your company purchases a Microsoft 365 subscription and establishes a hybrid deployment of Azure
AD by using password hash synchronization. Password writeback is disabled in Azure AD Connect.

You create a new user named User10 on-premises and a new user named User20 in Azure AD.

You need to identify where an administrator can reset the password of each new user.

What should you identify? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.



Correct Answer:

Question #114Topic 1

HOTSPOT
-

You have an Azure AD tenant that contains the groups shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #115Topic 1

You have a Microsoft 365 E5 subscription that is linked to an Azure AD tenant named contoso.com.

You purchase 100 Microsoft 365 Business Voice add-on licenses.

You need to ensure that the members of a group named Voice are assigned a Microsoft 365
Business Voice add-on license automatically.

What should you do?

• A. From the Licenses page of the Microsoft 365 admin center, assign the licenses.

• B. From the Microsoft Entra admin center, modify the settings of the Voice group. Most Voted

• C. From the Microsoft 365 admin center, modify the settings of the Voice group.

Correct Answer: B

Community vote distribution

B (47%)

A (36%)

C (17%)

Question #116Topic 1

You have a Microsoft 365 E5 subscription that uses Endpoint security.

You need to create a group and assign the Endpoint Security Manager role to the group.

Which type of group can you use?

• A. Microsoft 365 only

• B. security only

• C. mail-enabled security and security only

• D. mail-enabled security, Microsoft 365, and security only Most Voted

• E. distribution, mail-enabled security, Microsoft 365, and security

Correct Answer: D

Community vote distribution

D (81%)

Other

Question #117Topic 1

HOTSPOT
-

You have a Microsoft 365 subscription that contains the users shown in the following table.

You create a new administrative unit named AU1 and configure the following AU1 dynamic
membership rule.

(user.department -eq "Engineering") and (user.jobTitle -notContains "Executive")

The subscription contains the role assignments shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #118Topic 1

You have a Microsoft 365 subscription.

You need to be notified to your personal email address when a Microsoft Exchange Online service
issue occurs.

What should you do?

• A. From the Exchange admin center, create a contact.

• B. From the Microsoft Outlook client, configure an Inbox rule.


• C. From the Microsoft 365 admin center, update the technical contact details.

• D. From the Microsoft 365 admin center, customize the Service health settings. Most Voted

Correct Answer: D

Community vote distribution

D (100%)

Question #119Topic 1

HOTSPOT
-

Your company has an Azure AD tenant that contains the users shown in the following table.

The tenant includes a security group named Admin1. Admin1 will be used to manage administrative
accounts. External collaboration settings have default configuration.

You need to identify which users can perform the following administrative tasks:

• Create guest user accounts.


• Add User3 to Admin1.

Which users should you identify for each task? To answer, select the appropriate options in the
answer area.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #120Topic 1

You have a Microsoft 365 subscription.

All users are assigned Microsoft 365 Apps for enterprise licenses.

You need to ensure that reports display the names of users that have activated Microsoft 365 apps
and on how many devices.

What should you modify in the Microsoft 365 admin center?

• A. the Reports reader role

• B. Organization information
• C. Org settings for Privacy profile

• D. Org settings for Reports Most Voted

Correct Answer: D

Community vote distribution

D (100%)

Question #121Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription.

You need to configure the Org settings to meet the following requirements:

• Sign users out of Microsoft Office 365 web apps after one hour of inactivity.
• Integrate an internal support tool with Office.

Which settings should you configure for each requirement? To answer, select the appropriate options
in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #122Topic 1

You have a Microsoft 365 subscription.

You add a domain named contoso.com.

When you attempt to verify the domain, you are prompted to send a verification email
to [email protected].

You need to change the email address used to verify the domain.

What should you do?

• A. Add a TXT record to the DNS zone of the domain.

• B. From the domain registrar, modify the contact information of the domain. Most Voted

• C. From the Microsoft 365 admin center, change the global administrator of the Microsoft 365
subscription.

• D. Modify the NS records for the domain.

Correct Answer: B

Community vote distribution

B (80%)

C (20%)

Question #123Topic 1

HOTSPOT
-

Your company uses Microsoft Defender for Endpoint. Microsoft Defender for Endpoint contains the
device groups shown in the following table.
You onboard computers to Microsoft Defender for Endpoint as shown in the following table.

Of which groups are Computer1 and Computer2 members? To answer, select the appropriate options
in the answer area.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #124Topic 1

HOTSPOT
-
You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

You are implementing Microsoft Defender for Endpoint.

You need to enable role-based access control (RBAC) to restrict access to the Microsoft 365
Defender portal.

Which users can enable RBAC, and which users will no longer have access to the Microsoft 365
Defender portal after RBAC is enabled? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #125Topic 1

Your company has a Microsoft 365 E5 subscription.

You onboard a device on the company's network to Microsoft Defender for Endpoint.

In the Microsoft 365 Defender portal, you notice that the device inventory displays many devices that
have an Onboarding status of Can be onboarded.

You need to ensure that onboarded devices are prevented from polling the network for device
discovery but can still discover devices with which they communicate directly.

What should you configure in the Microsoft 365 Defender portal?

• A. standard discovery

• B. device discovery exclusions

• C. basic discovery Most Voted

• D. a network assessment job

Correct Answer: C

Community vote distribution

C (80%)

8%

8%

Question #126Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription that uses Microsoft Intune and contains the devices shown
in the following table.

You need to onboard Device1 and Device2 to Microsoft Defender for Endpoint.

What should you use to onboard each device? To answer, select the appropriate options in the
answer area.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #127Topic 1

HOTSPOT
-

You have a Microsoft 365 subscription.

You need to create two groups named Group1 and Group2. The solution must meet the following
requirements:

• Group1 must be mail-enabled and have an associated Microsoft SharePoint Online site.
• Group2 must support dynamic membership and role assignments but must NOT be mail-enabled.
Which types of groups should you create? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #128Topic 1

DRAG DROP
-

You have a Microsoft 365 subscription.

You need to meet the following requirements:

• Report a Microsoft 365 service issue.


• Request help on how to add a new user to an Azure AD tenant.

What should you use in the Microsoft 365 admin center? To answer, drag the appropriate features to
the correct requirements. Each feature may be used once, more than once, or not at all. You may
need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.


Correct Answer:

Question #129Topic 1

You have a Microsoft 365 E5 subscription that contains the groups shown in the following exhibit.

To which groups can you assign Microsoft 365 E5 licenses?

• A. Group1 and Group2 only

• B. Group2 and Group3 only

• C. Group3 and Group4 only

• D. Group1, Group2, and Group3 only

• E. Group2, Group3, and Group4 only Most Voted


Correct Answer: E

Community vote distribution

E (100%)

Question #130Topic 1

HOTSPOT
-

You have a Microsoft 365 subscription.

From the Microsoft 365 admin center, you open the Microsoft 365 Apps usage report as shown in the
following exhibit.

You need to ensure that the report meets the following requirements:

• The Username column must display the actual name of each user.
• Usage of the Microsoft Teams mobile app must be displayed.

What should you modify for each requirement? To answer, select the appropriate options in the
answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:


Question #131Topic 1

Your company has on-premises servers and an Azure AD tenant.

Several months ago, the Azure AD Connect Health agent was installed on all the servers.

You review the health status of all the servers regularly.

Recently, you attempted to view the health status of a server named Server1 and discovered that the
server is NOT listed on the Azure AD Connect Servers list.

You suspect that another administrator removed Server1 from the list.

You need to ensure that you can view the health status of Server1.

What are two possible ways to achieve the goal? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

• A. From Windows PowerShell, run the Register-AzureADConnectHealthSyncAgent cmdlet.

• B. From Azure Cloud shell, run the Connect-AzureAD cmdlet.

• C. From Server1, reinstall the Azure AD Connect Health agent.

• D. From Server1, change the Azure AD Connect Health services Startup type to Automatic.

• E. From Server1, change the Azure AD Connect Health services Startup type to Automatic
(Delayed Start).


Question #132Topic 1

DRAG DROP
-

Your company has an Azure AD tenant named contoso.onmicrosoft.com.


You purchase a domain named contoso.com from a registrar and add all the required DNS records.

You create a user account named User1. User1 is configured to sign in as [email protected].

You need to configure User1 to sign in as [email protected].

Which three actions should you perform in sequence? To answer, move the appropriate actions from
the list of actions to the answer area and arrange them in the correct order.


Correct Answer:

Question #133Topic 1

You have a Microsoft 365 E5 subscription that uses Microsoft Intune.

You need to access service health alerts from a mobile phone.

What should you use?

• A. the Microsoft Authenticator app

• B. the Microsoft 365 Admin mobile app Most Voted

• C. Intune Company Portal

• D. the Intune app

Correct Answer: B

Community vote distribution

B (100%)
Question #134Topic 1

HOTSPOT
-

Your company has a Microsoft 365 subscription that contains the domains shown in the following
exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #135Topic 1

DRAG DROP
-

You have a Microsoft 365 subscription.

You need to review reports to identify the following:

• The storage usage of files stored in Microsoft Teams


• The number of active users per team

Which report should you review for each requirement? To answer, drag the appropriate reports to the
correct requirements. Each report may be used once, more than once, or not at all. You may need to
drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #136Topic 1
HOTSPOT
-

You work at a company named Contoso, Ltd.

Contoso has a Microsoft 365 subscription that is configured to use the DNS domains shown in the
following table.

Contoso purchases a company named Fabrikam, Inc.

Contoso plans to add the following domains to the Microsoft 365 subscription:

• fabrikam.com
• east.fabrikam.com
• west.contoso.com

You need to ensure that the devices in the new domains can register by using Autodiscover.

How many domains should you verify, and what is the minimum number of enterpriseregistration DNS
records you should add? To answer, select the appropriate options in the answer area.

Correct Answer:

Question #137Topic 1

You have a Microsoft 365 E5 subscription.

You need to recommend a solution for monitoring and reporting application access. The solution must
meet the following requirements:

• Support KQL for querying data.


• Retain report data for at least one year.

What should you include in the recommendation?

• A. a security report in Microsoft 365 Defender

• B. Endpoint analytics

• C. Microsoft 365 usage analytics

• D. Azure Monitor workbooks Most Voted

Correct Answer: D

Community vote distribution

D (100%)

Question #138Topic 1

HOTSPOT
-
You have a Microsoft 365 E5 subscription.

You need to configure a group naming policy.

Which portal should you use, and to which types of groups will the policy apply? To answer, select the
appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #139Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription that contains the groups shown in the following table.

Which groups can be members of Group1 and Group4? To answer, select the appropriate options in
the answer area.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #140Topic 1

Your company has a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com that
includes the users shown in the following table.

Group2 is a member of Group1.

You assign a Microsoft Office 365 Enterprise E3 license to Group1.

How many Office 365 E3 licenses are assigned?

• A. 1

• B. 2

• C. 3 Most Voted

• D. 4

Correct Answer: C

Community vote distribution

C (64%)

B (36%)

Question #141Topic 1

HOTSPOT
-

You have a Microsoft 365 subscription that contains the administrative units shown in the following
table.

The groups contain the members shown in the following table.


The users are assigned the roles shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #142Topic 1
You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

Which users can review the Adoption Score in the Microsoft 365 admin center?

• A. User1 only

• B. User2 only

• C. User1 and User2 only

• D. User1 and User3 only

• E. User1, User2, and User3 Most Voted

Correct Answer: E

Community vote distribution

E (93%)

7%

Question #143Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription that contains the groups shown in the following table.

The subscription contains the users shown in the following table.


In Azure AD, you configure the External collaboration settings as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #144Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription.

You have an Azure AD tenant named contoso.com that contains the following users:

• Admin1
• Admin2
• User1

Contoso.com contains an administrative unit named AU1 that has no role assignments. User1 is a
member of AU1.

You create an administrative unit named AU2 that does NOT have any members or role assignments.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #145Topic 1

HOTSPOT
-

Your company has a Microsoft 365 subscription that contains the users shown in the following table.

External collaboration settings have default configuration.

You need to identify which users can perform the following administrative tasks:

• Modify the password protection policy.


• Create guest user accounts.

Which users should you identify for each task? To answer, select the appropriate options in the
answer area.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #146Topic 1

You have a Microsoft 365 subscription that contains the users shown in the following table.

You plan to use Exchange Online to manage email for a DNS domain.

An administrator adds the DNS domain to the subscription.


The DNS domain has a status of Incomplete setup.

You need to identify which user can complete the setup of the DNS domain. The solution must use
the principle of least privilege.

Which user should you identify?

• A. User1

• B. User2

• C. User3

• D. User4

Correct Answer: A

Community vote distribution

D (100%)

Question #147Topic 1

You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

You plan to create a Conditional Access policy that will use GPS-based named locations.

Which users can the policy protect?

• A. User2 and User4 only

• B. User1, User2, User3, and User4

• C. User1 only Most Voted

• D. User1 and User3 only

Correct Answer: C

Community vote distribution

C (89%)

11%
Question #148Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

You enable self-service password reset (SSPR) for Group1. You configure security questions as the
only authentication method for SSPR.

Which users can use SSPR, and which users must answer security questions to reset their
password? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #149Topic 1

Your network contains an Active Directory forest named contoso.local.

You have a Microsoft 365 subscription.

You plan to implement a directory synchronization solution that will use password hash
synchronization.

From the Microsoft 365 admin center, you successfully verify the contoso.com domain name.

You need to prepare the environment for the planned directory synchronization solution.

What should you do first?

• A. From the Microsoft 365 admin center, verify the contoso.local domain name.

• B. From the public DNS zone of contoso.com, add a new mail exchanger (MX) record.

• C. From Active Directory Domains and Trusts, add contoso.com as a UPN suffix. Most Voted

• D. From Active Directory Users and Computers, modify the UPN suffix for all users.

Correct Answer: C

Community vote distribution

C (100%)

Question #150Topic 1

You have a Microsoft 365 E5 subscription.

On Monday, you create a new user named User1.

On Tuesday, User1 signs in for the first time and performs the following actions:

• Signs in to Microsoft Exchange Online from an anonymous IP address.


• Signs in to Microsoft SharePoint Online from a device in New York City.
• Establishes Remote Desktop connections to hosts in Berlin and Hong Kong, and then signs in to
SharePoint Online from the Remote Desktop connections.

Which types of sign-in risks will Azure AD Identity Protection detect for User1?

• A. anonymous IP address and atypical travel only

• B. anonymous IP address only Most Voted

• C. unfamiliar sign-in properties and atypical travel only

• D. anonymous IP address and unfamiliar sign-in properties only

• E. anonymous IP address, atypical travel, and unfamiliar sign-in properties

Correct Answer: B

Community vote distribution

B (81%)

E (19%)

Question #151Topic 1

HOTSPOT
-

You have a Microsoft 365 subscription that contains the users shown in the following table.

You have the named locations shown in the following table.

You create a conditional access policy that has the following configurations:

• Users or workload identities:
  • Include: Group1
  • Exclude: Group2
• Cloud apps or actions: Include all cloud apps
• Conditions:
  • Include: Any location
  • Exclude: Montreal
• Access control: Grant access, Require multi-factor authentication

User1 is on the multi-factor authentication (MFA) blocked users list.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #152Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

Each user has an Android device with the Microsoft Authenticator app installed and has set up phone
sign-in.

The subscription has the following Conditional Access policy:

• Name: Policy1
• Assignments
  • Users and groups: Group1, Group2
  • Cloud apps or actions: All cloud apps
• Access controls
  • Grant: Require multi-factor authentication
• Enable policy: On

From Microsoft Authenticator settings for the subscription, the Enable and Target settings are
configured as shown in the exhibit. (Click the Exhibit tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #153Topic 1

HOTSPOT
-

You have a Microsoft 365 subscription that uses an Azure AD tenant named contoso.com. The tenant
contains the users shown in the following table.

From the Sign-ins blade of the Microsoft Entra admin center, for which users can User1 and User2
view the sign-ins? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #154Topic 1

You have a Microsoft 365 subscription that contains an Azure AD tenant named contoso.com.

Corporate policy states that user passwords must not include the word Contoso.

What should you do to implement the corporate policy?

• A. From the Microsoft Entra admin center, create a conditional access policy.

• B. From the Microsoft Entra admin center, configure the Password protection settings. Most Voted

• C. From the Microsoft 365 admin center, configure the Password policy settings.

• D. From Azure AD Identity Protection, configure a sign-in risk policy.

Correct Answer: B

Community vote distribution

B (100%)

Question #155Topic 1

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your network contains an Active Directory forest.

You deploy Microsoft 365.

You plan to implement directory synchronization.

You need to recommend a security solution for the synchronized identities. The solution must meet
the following requirements:

• Users must be able to authenticate successfully to Microsoft 365 services if Active Directory
becomes unavailable.
• User passwords must be 10 characters or more.

Solution: Implement pass-through authentication and modify the password settings from the Default
Domain Policy in Active Directory.

Does this meet the goal?

• A. Yes

• B. No Most Voted

Correct Answer: B

Community vote distribution

B (100%)

Question #156Topic 1

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your network contains an Active Directory forest.

You deploy Microsoft 365.

You plan to implement directory synchronization.

You need to recommend a security solution for the synchronized identities. The solution must meet
the following requirements:

• Users must be able to authenticate successfully to Microsoft 365 services if Active Directory
becomes unavailable.
• User passwords must be 10 characters or more.

Solution: Implement password hash synchronization and configure password protection in the Azure
AD tenant.

Does this meet the goal?

• A. Yes

• B. No Most Voted

Correct Answer: B

Community vote distribution

B (71%)
A (29%)

Question #157Topic 1

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your network contains an Active Directory forest.

You deploy Microsoft 365.

You plan to implement directory synchronization.

You need to recommend a security solution for the synchronized identities. The solution must meet
the following requirements:

• Users must be able to authenticate successfully to Microsoft 365 services if Active Directory
becomes unavailable.
• User passwords must be 10 characters or more.

Solution: Implement pass-through authentication and configure password protection in the Azure AD
tenant.

Does this meet the goal?

• A. Yes

• B. No Most Voted

Correct Answer: B

Community vote distribution

B (100%)

Question #158Topic 1

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your network contains an Active Directory forest.

You deploy Microsoft 365.

You plan to implement directory synchronization.

You need to recommend a security solution for the synchronized identities. The solution must meet
the following requirements:
• Users must be able to authenticate successfully to Microsoft 365 services if Active Directory
becomes unavailable.
• User passwords must be 10 characters or more.

Solution: Implement password hash synchronization and modify the password settings from the
Default Domain Policy in Active Directory.

Does this meet the goal?

• A. Yes Most Voted

• B. No

Correct Answer: A

Community vote distribution

A (80%)

B (20%)

Question #159Topic 1

HOTSPOT
-

You have a hybrid deployment of Azure AD that contains the users shown in the following table.

You need to identify which users can perform the following tasks:

• View sync errors in Azure AD Connect Health.


• Configure Azure AD Connect Health settings.

Which user should you identify for each task? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #160Topic 1

Your company has three main offices and one branch office. The branch office is used for research.

The company plans to implement a Microsoft 365 tenant and to deploy multi-factor authentication.
You need to recommend a Microsoft 365 solution to ensure that multi-factor authentication is enforced
only for users in the branch office.

What should you include in the recommendation?

• A. Azure AD password protection

• B. a Microsoft Intune device configuration profile

• C. a Microsoft Intune device compliance policy

• D. Azure AD conditional access Most Voted

Correct Answer: D

Community vote distribution

Question #161Topic 1

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

Your network contains an Active Directory domain.

You deploy an Azure AD tenant.

Another administrator configures the domain to synchronize to Azure AD.

You discover that 10 user accounts in an organizational unit (OU) are NOT synchronized to Azure
AD. All the other user accounts synchronized successfully.

You review Azure AD Connect Health and discover that all the user account synchronizations
completed successfully.

You need to ensure that the 10 user accounts are synchronized to Azure AD.

Solution: From Azure AD Connect, you modify the filtering settings.

Does this meet the goal?

• A. Yes Most Voted

• B. No

Correct Answer: A

Community vote distribution

A (100%)
Question #162Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

You create an administrative unit named AU1 that contains the members shown in the following
exhibit.

The User Administrator role has the assignments shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #163Topic 1

You have a Microsoft 365 subscription that contains an Azure AD tenant named contoso.com. The
tenant includes a user named User1.

You enable Azure AD Identity Protection.

You need to ensure that User1 can review the list in Azure AD Identity Protection of users flagged for
risk. The solution must use the principle of least privilege.

To which role should you add User1?

• A. Security Reader (Most Voted)

• B. Global Administrator

• C. Owner

• D. User Administrator

Correct Answer: A

Community vote distribution

A (100%)

Question #164 Topic 1

HOTSPOT
-

Your company has an Azure AD tenant named contoso.onmicrosoft.com that contains the users
shown in the following table.
You need to identify which users can perform the following administrative tasks:

• Reset the password of User4.


• Modify the value for the manager attribute of User4.

Which users should you identify for each task? To answer, select the appropriate options in the
answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #165 Topic 1

You have a Microsoft 365 E5 subscription.

Users have Android or iOS devices and access Microsoft 365 resources from computers that run
Windows 11 or macOS.

You need to implement passwordless authentication. The solution must support all the devices.

Which authentication method should you use?

• A. Windows Hello

• B. FIDO2 compliant security keys

• C. Microsoft Authenticator app (Most Voted)

Correct Answer: C

Community vote distribution

C (100%)

Question #166 Topic 1

HOTSPOT
-

Your company has a hybrid deployment of Microsoft 365.

An on-premises user named User1 is synced to Azure AD.


Azure AD Connect is configured as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #167 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription and an Azure AD tenant named contoso.com.

All users have computers that run Windows 11, are joined to contoso.com, and are protected by using
BitLocker Drive Encryption (BitLocker).

You plan to create a user named Admin1 that will perform the following tasks:

• View BitLocker recovery keys.


• Configure the usage location for the users in contoso.com.

You need to assign roles to Admin1 to meet the requirements. The solution must use the principle of
least privilege.

Which two roles should you assign? To answer, select the appropriate options in the answer area.

Correct Answer:

Question #168 Topic 1

HOTSPOT
-

You have a Microsoft 365 Enterprise E5 subscription.

You add a cloud-based app named App1 to the Azure AD enterprise applications list.

You need to ensure that two-step verification is enforced for all user accounts the next time they
connect to App1.

Which three settings should you configure from the policy? To answer, select the appropriate settings
in the answer area.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #169 Topic 1

You have a Microsoft 365 E5 subscription.

You create a Conditional Access policy that blocks access to an app named App1 when users trigger
a high-risk sign-in event.

You need to reduce false positives for impossible travel when the users sign in from the corporate
network.

What should you configure?


• A. exclusion groups

• B. multi-factor authentication (MFA)

• C. named locations (Most Voted)

• D. user risk policies

Correct Answer: C

Community vote distribution

C (100%)

Question #170 Topic 1

You have a Microsoft 365 E5 subscription.

You need to create a mail-enabled contact.

Which portal should you use?

• A. the Microsoft 365 admin center (Most Voted)

• B. the SharePoint admin center

• C. the Microsoft Entra admin center

• D. the Microsoft Purview compliance portal

Correct Answer: A

Community vote distribution

A (100%)

Question #171 Topic 1

HOTSPOT
-

You have an Azure AD tenant that contains the users shown in the following table.

You enable self-service password reset for all users. You set Number of methods required to reset to
1, and you set Methods available to users to Security questions only.

What information must be configured for each user before the user can perform a self-service
password reset? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #172 Topic 1

Your on-premises network contains an Active Directory domain.

You have a Microsoft 365 E5 subscription.

You plan to implement a hybrid configuration that has the following requirements:

• Minimizes the number of times users are prompted for credentials when they access Microsoft 365
resources
• Supports the use of Azure AD Identity Protection

You need to configure Azure AD Connect to support the planned implementation.

Which two options should you select? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

• A. Password Hash Synchronization (Most Voted)

• B. Password writeback

• C. Directory extension attribute sync

• D. Enable single sign-on (Most Voted)

• E. Pass-through authentication

Correct Answer: AD

Community vote distribution

AD (100%)

Question #173 Topic 1

HOTSPOT
-

Your network contains an Active Directory domain and an Azure AD tenant.

You implement directory synchronization for all 10,000 users in the organization.

You automate the creation of 100 new user accounts.

You need to ensure that the new user accounts synchronize to Azure AD as quickly as possible.

Which command should you run? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #174 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

Each user has a device with the Microsoft Authenticator app installed.

From Microsoft Authenticator settings for the subscription, the Enable and Target settings are
configured as shown in the exhibit. (Click the Exhibit tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #175 Topic 1

HOTSPOT
-

Overview
-

Litware, Inc. is a consulting company that has a main office in Montreal and a branch office in Seattle.

Litware collaborates with a third-party company named A. Datum Corporation.

Environment
-
On-Premises Environment
-

The network of Litware contains an Active Directory domain named litware.com. The domain contains
three organizational units (OUs) named LitwareAdmins, Montreal Users, and Seattle Users and the
users shown in the following table.

The domain contains 2,000 Windows 10 Pro devices and 100 servers that run Windows Server 2019.

Cloud Environment
-

Litware has a pilot Microsoft 365 subscription that includes Microsoft Office 365 Enterprise E3
licenses and Azure AD Premium P2 licenses.

The subscription contains a verified DNS domain named litware.com.

Azure AD Connect is installed and has the following configurations:

• Password hash synchronization is enabled.


• Synchronization is enabled for the LitwareAdmins OU only.

Users are assigned the roles shown in the following table.

Self-service password reset (SSPR) is enabled.

The Azure AD tenant has Security defaults enabled.

Problem Statements
-

Litware identifies the following issues:

• Admin1 cannot create conditional access policies.


• Admin4 receives an error when attempting to use SSPR.
• Users access new Office 365 service and feature updates before the updates are reviewed by
Admin2.

Requirements
-

Planned Changes
-

Litware plans to implement the following changes:

• Implement Microsoft Intune.
• Implement Microsoft Teams.
• Implement Microsoft Defender for Office 365.
• Ensure that users can install Office 365 apps on their device.
• Convert all the Windows 10 Pro devices to Windows 10 Enterprise E5.
• Configure Azure AD Connect to sync the Montreal Users OU and the Seattle Users OU.

Technical Requirements
-

Litware identifies the following technical requirements:

• Administrators must be able to specify which version of an Office 365 desktop app will be available
to users and to roll back to previous versions.
• Only Admin2 must have access to new Office 365 service and feature updates before they are
released to the company.
• Litware users must be able to invite A. Datum users to participate in the following activities:
  • Join Microsoft Teams channels.
  • Join Microsoft Teams chats.
  • Access shared files.
• Just in time access to critical administrative roles must be required.
• Microsoft 365 incidents and advisories must be reviewed monthly.
• Office 365 service status notifications must be sent to Admin2.
• The principle of least privilege must be used.

You need to ensure that the Microsoft 365 incidents and advisories are reviewed monthly.

Which users can review the incidents and advisories, and which blade should the users use? To
answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #176 Topic 1

You have a Microsoft 365 tenant that contains a Windows 10 device. The device is onboarded to
Microsoft Defender for Endpoint.

From Microsoft 365 Defender portal, you perform a security investigation.

You need to run a PowerShell script on the device to collect forensic information.

Which action should you select on the device page?

• A. Collect investigation package

• B. Go hunt

• C. Initiate Live Response Session (Most Voted)

• D. Initiate Automated Investigation

Correct Answer: C

Community vote distribution

C (100%)

Question #177 Topic 1

HOTSPOT
-

You configure an anti-phishing policy as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #178 Topic 1

You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365.

You notice that it takes several days to notify email recipients when an incoming email message is
marked as spam, and then quarantined.

You need to ensure that the email recipients are notified within 24 hours.

What should you do?

• A. Modify the default inbound anti-spam policy.

• B. Modify the DefaultFullAccessPolicy quarantine policy.

• C. Add a custom quarantine policy.

• D. Modify the global settings for quarantine policies. (Most Voted)

Correct Answer: D

Community vote distribution

D (66%)

C (34%)

Question #179 Topic 1

You have a Microsoft 365 E5 subscription.

You need to ensure that administrators receive an email when Microsoft 365 Defender detects a
sign-in from a risky IP address.

What should you create?

• A. a vulnerability notification rule

• B. an alert (Most Voted)

• C. an incident assignment filter

• D. an incident notification rule

Correct Answer: B

Community vote distribution

B (88%)

13%

Question #180 Topic 1

You have a Microsoft 365 E5 subscription that has Microsoft Defender for Endpoint integrated with
Microsoft Intune.

Devices are onboarded by using Microsoft Defender for Endpoint.

You plan to block devices based on the results of the machine risk score calculated by Microsoft
Defender for Endpoint.

What should you create first?

• A. a device configuration policy

• B. a device compliance policy (Most Voted)

• C. a conditional access policy

• D. an endpoint detection and response policy

Correct Answer: B

Community vote distribution

B (100%)

Question #181 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription.

You need to configure threat protection for Microsoft 365 to meet the following requirements:

• Limit a user named User1 from sending more than 30 email messages per day.
• Prevent the delivery of a specific file based on the file hash.

Which two threat policies should you configure in Microsoft Defender for Office 365? To answer,
select the appropriate threat policies in the answer area.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #182 Topic 1

You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365.

A Built-in protection preset security policy is applied to the subscription.

Which two policy types will be applied by the Built-in protection policy? Each correct answer presents
a complete solution.

NOTE: Each correct selection is worth one point.

• A. Anti-malware

• B. Safe Attachments (Most Voted)

• C. Safe Links (Most Voted)

• D. Anti-phishing

• E. Anti-spam

Correct Answer: BC

Community vote distribution

BC (100%)

Question #183 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

The subscription has the following two anti-spam policies:

• Name: AntiSpam1
• Priority: 0
• Include these users, groups and domains
  • Users: User3
  • Groups: Group1
• Exclude these users, groups and domains
  • Groups: Group2
• Message limits
  • Set a daily message limit: 100

• Name: AntiSpam2
• Priority: 1
• Include these users, groups and domains
  • Users: User1
  • Groups: Group2
• Exclude these users, groups and domains
  • Groups: Group3
• Message limits
  • Set a daily message limit: 50

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #184 Topic 1

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Office 365.

You have the policies shown in the following table.

All the policies are configured to send malicious email messages to quarantine.

Which policies support a customized quarantine retention period?

• A. Policy1 and Policy2 only (Most Voted)

• B. Policy1 and Policy3 only

• C. Policy2 and Policy4 only

• D. Policy3 and Policy4 only

Correct Answer: A

Community vote distribution

A (100%)

Question #185 Topic 1

You have a Microsoft 365 E5 subscription.

Your company’s Microsoft Secure Score recommends the actions shown in the following exhibit.
You select Create Safe Links policies for email messages and change Status to Risk accepted in the
Status & action plan settings.

How does the change affect the Secure Score?

• A. remains the same

• B. increases by 1 point

• C. increases by 9 points

• D. decreases by 1 point

• E. decreases by 9 points

Correct Answer: A

Community vote distribution

E (100%)

Question #186 Topic 1

DRAG DROP
-

You have a Microsoft 365 E5 subscription that contains the devices shown in the following table.
You need to onboard the devices to Microsoft Defender for Endpoint. The solution must minimize
administrative effort.

What should you use to onboard each type of device? To answer, drag the appropriate onboarding
methods to the correct device types. Each onboarding method may be used once, more than once, or
not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #187 Topic 1

You have a Microsoft 365 E5 subscription.

You onboard all devices to Microsoft Defender for Endpoint.

You need to use Defender for Endpoint to block access to a malicious website at www.contoso.com.

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct answer is worth one point.

• A. Create a web content filtering policy.

• B. Enable Custom network indicators. (Most Voted)

• C. Enable automated investigation.

• D. Create an indicator. (Most Voted)


• E. Configure an enforcement scope.

Correct Answer: BD

Community vote distribution

BD (88%)

12%

Question #188 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription that contains the devices shown in the following table.

At 08:00, you create an incident notification rule that has the following configurations:

• Name: Notification1
• Notification settings
  • Notify on alert severity: Low
  • Device group scope: All (3)
  • Details: First notification per incident
• Recipients: [email protected], [email protected]

At 08:02, you create an incident notification rule that has the following configurations:

• Name: Notification2
• Notification settings
  • Notify on alert severity: Low, Medium
  • Device group scope: DeviceGroup1, DeviceGroup2
• Recipients: [email protected]

In Microsoft 365 Defender, alerts are logged as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #189 Topic 1

HOTSPOT
-

You have a Microsoft 365 subscription.

You create an alert policy as shown in the following exhibit.


Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #190 Topic 1

You have a Microsoft 365 E5 tenant.

You need to create a policy that will trigger an alert when unusual Microsoft Office 365 usage patterns
are detected.

What should you use to create the policy?

• A. the Microsoft Apps admin center

• B. the Microsoft Purview compliance portal

• C. the Microsoft 365 admin center

• D. the Microsoft 365 Defender portal (Most Voted)

Correct Answer: D

Community vote distribution

D (63%)

B (37%)

Question #191 Topic 1

You have a Microsoft 365 subscription.

You plan to use Adoption Score and need to ensure that it can obtain device and software metrics.

What should you do?

• A. Enable privileged access.

• B. Enable Endpoint analytics.

• C. Configure Support integration.

• D. Run the Microsoft 365 network connectivity test on each device.

Correct Answer: B

Question #192 Topic 1

HOTSPOT
-

Your network contains an on-premises Active Directory domain named adatum.com that syncs to
Azure AD by using the Azure AD Connect Express Settings. Password writeback is disabled.

You create a user named User1 and enter Pass in the Password field as shown in the following
exhibit.
The Azure AD password policy is configured as shown in the following exhibit.

You confirm that User1 is synced to Azure AD.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #193 Topic 1

HOTSPOT
-

Your company uses Microsoft Defender for Endpoint.

The devices onboarded to Microsoft Defender for Endpoint are shown in the following table.

The alerts visible in the Microsoft Defender for Endpoint alerts queue are shown in the following table.

You create a suppression rule that has the following settings:


• Triggering IOC: Any IOC
• Action: Hide alert
• Suppression scope: Alerts on ATP1 device group

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #194 Topic 1

You have a Microsoft 365 E5 tenant.

You configure sensitivity labels.

Users report that the Sensitivity button is unavailable in Microsoft Word for the web. The Sensitivity
button is available in Microsoft 365 Word.

You need to ensure that the users can apply the sensitivity labels when they use Word for the web.

What should you do?

• A. Enable sensitivity labels for files in Microsoft SharePoint and OneDrive. (Most Voted)

• B. Publish the sensitivity labels.


• C. Copy policies from Azure Information Protection to the Microsoft Purview compliance
portal.

• D. Create an auto-labeling policy.

Correct Answer: A

Community vote distribution

A (94%)

6%

Question #195 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription.

You plan to use a mailbox named Mailbox1 to analyze malicious email messages.

You need to configure Microsoft Defender for Office 365 to meet the following requirements:

• Ensure that incoming email is NOT filtered for Mailbox1.


• Detect impersonation and spoofing attacks on all other mailboxes in the subscription.

Which two settings should you configure? To answer, select the appropriate settings in the answer
area.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #196 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription.

You plan to implement identity protection by configuring a sign-in risk policy and a user risk policy.

Which type of risk is detected by each policy? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #197 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription.

You need to configure Microsoft Defender for Office 365 to meet the following requirements:

• A user's email sending patterns must be used to minimize false positives for spoof protection.
• Documents uploaded to Microsoft Teams, SharePoint Online, and OneDrive must be protected by
using Defender for Office 365.

What should you configure for each requirement? To answer, select the appropriate options in the
answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #198 Topic 1

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.

You plan to perform device discovery and authenticated scans of network devices.

You install and register the network scanner on a device named Device1.

What should you do next?

• A. Connect Defender for Endpoint to Microsoft Intune.

• B. Apply for Microsoft Threat Experts - Targeted Attack Notifications.

• C. Create an assessment job. (Most Voted)


• D. Download and run an onboarding package.

Correct Answer: C

Community vote distribution

C (100%)

Question #199 Topic 1

You have a Microsoft 365 subscription.

You need to receive a notification each time a user in the service desk department grants Full Access
permissions for a user mailbox.

What should you configure?

• A. a data loss prevention (DLP) policy

• B. an alert policy (Most Voted)

• C. an audit search

• D. an insider risk management policy

Correct Answer: B

Community vote distribution

B (100%)

Question #200 Topic 1

You have a Microsoft 365 E5 subscription.

You need to be alerted when Microsoft 365 Defender detects high-severity incidents.

What should you use?

• A. a custom detection rule

• B. a threat policy

• C. an alert policy

• D. a notification rule (Most Voted)

Correct Answer: D

Question #201 Topic 1

HOTSPOT
-
You have a Microsoft 365 E5 subscription.

All corporate Windows 11 devices are managed by using Microsoft Intune and onboarded to Microsoft
Defender for Endpoint.

You need to meet the following requirements:

• View an assessment of the device configurations against the Center for Internet Security (CIS)
v1.0.0 benchmark.
• Protect a folder named C:\Folder1 from being accessed by untrusted applications on the devices.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #202 Topic 1

You have a Microsoft 365 subscription that contains the alerts shown in the following table.
Which properties of the alerts can you modify?

• A. Status only

• B. Status and Comment only (Most Voted)

• C. Status and Severity only

• D. Status, Severity, and Comment only

• E. Status, Severity, Comment and Category

Correct Answer: B

Community vote distribution

B (100%)

Question #203 Topic 1

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint.

All the devices in your organization are onboarded to Microsoft Defender for Endpoint.

You need to ensure that an alert is generated if malicious activity was detected on a device during the
last 24 hours.

What should you do?

• A. From the Microsoft Purview compliance portal, create a data loss prevention (DLP) policy.

• B. From Alerts queue, create a suppression rule and assign an alert.

• C. From Advanced hunting, create a query and a detection rule. (Most Voted)

• D. From the Microsoft Purview compliance portal, create an audit log search.

Correct Answer: C

Community vote distribution

C (100%)

Question #204 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 tenant that connects to Microsoft Defender for Endpoint.
You have devices enrolled in Microsoft Intune as shown in the following table.

You plan to use risk levels in Microsoft Defender for Endpoint to identify whether a device is
compliant. Noncompliant devices must be blocked from accessing corporate resources.

You need to identify which devices can be onboarded to Microsoft Defender for Endpoint, and which
Endpoint security policies must be configured.

What should you identify? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #205 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription.

You configure a new alert policy as shown in the following exhibit.

You need to identify the following:

• How many days it will take to establish a baseline for unusual activity
• Whether alerts will be triggered during the establishment of the baseline

What should you identify? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #206 Topic 1

You have a Microsoft 365 E5 tenant.

You create a retention label named Retention1 as shown in the following exhibit.
You apply Retention1 to all the Microsoft OneDrive content.

On January 1, 2020, a user stores a file named File1 in OneDrive.

On January 10, 2020, the user modifies File1.

On February 1, 2020, the user deletes File1.

When will File1 be permanently removed and unrecoverable from OneDrive?

• A. February 1, 2020

• B. July 1, 2020 (Most Voted)

• C. July 10, 2020

• D. August 1, 2020

Correct Answer: B

Community vote distribution

B (100%)

Question #207 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription that contains a SharePoint site named Site1. Site1 contains
the files shown in the following table.

You have the users shown in the following table.

You create a data loss prevention (DLP) policy with an advanced DLP rule and apply the policy to
Site1. The DLP rule is configured as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #208 Topic 1

You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint site named site1.

You need to ensure that site1 meets the following requirements:

• Retains all data for 10 years


• Prevents the sharing of data outside the organization

Which two items should you create and apply to site1? Each correct answer presents part of the
solution.

NOTE: Each correct selection is worth one point.

• A. a retention policy (Most Voted)

• B. a data loss prevention (DLP) policy (Most Voted)

• C. a retention label policy

• D. a sensitive info type

• E. a retention label

• F. a sensitivity label

Correct Answer: AB

Community vote distribution

AB (83%)

AF (17%)

Question #209 Topic 1

You have a Microsoft 365 E5 subscription.

From the Microsoft Purview compliance portal, you create a new data loss prevention (DLP) policy
named DLP1 that protects financial data from being shared by using Microsoft Teams messages. You
apply DLP1 to the users in the finance department.

An incident is raised when a finance department user named User1 shares financial data in a Teams
channel that includes external members.

When User1 uses Teams to send the same message in a 1:1 chat or a private channel, the message
is blocked as expected.

You need to ensure that User1 is prevented from sharing financial data in Teams channels that
include external members.

What should you do?

• A. Edit the settings of the team that contains the channel.

• B. Edit the Locations settings of DLP1. (Most Voted)

• C. Modify the licenses assigned to User1.

• D. Edit the policy rules of DLP1.

Correct Answer: B

Community vote distribution

B (57%)

D (43%)

Question #210 Topic 1

You have a Microsoft 365 subscription.

You need to create a data loss prevention (DLP) policy that is configured to use the Set headers
action.

To which location can the policy be applied?

• A. Exchange email (Most Voted)


• B. OneDrive accounts

• C. SharePoint sites

• D. Teams chat and channel messages

Correct Answer: A

Question #211 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

You have labels in Microsoft 365 as shown in the following table.

The content in Microsoft 365 is assigned labels as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #212 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription that contains two users named [email protected] and
[email protected] and a Microsoft SharePoint site named Site1.

You create a data loss prevention (DLP) policy named DLP1 that has the advanced DLP rules shown
in the following table.

DLP1 is applied to Site1.

You have the files shown in the following table.


You copy the files to Site1.

How many notifications will each user receive? To answer, select the appropriate options in the
answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #213 Topic 1

You need to notify the manager of the human resources department when a user in the department
shares a file or folder from the department's Microsoft SharePoint site.

What should you do?

• A. From the SharePoint admin center, modify the sharing settings.

• B. From the SharePoint site, create an alert.

• C. From the Microsoft Purview compliance portal, create a data loss prevention (DLP) policy.

• D. From the Microsoft 365 Defender portal, create an alert policy. (Most Voted)

Correct Answer: D

Community vote distribution

D (92%)

8%

Question #214 Topic 1

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.
From Microsoft Defender for Endpoint, you turn on the Allow or block file advanced feature.

You need to block users from downloading a file named File1.exe.

What should you use?

• A. a suppression rule

• B. an indicator Most Voted

• C. a device configuration profile

Correct Answer: B

Community vote distribution

B (90%)

10%

Question #215 Topic 1

You have an Azure AD tenant that contains the users shown in the following table.

You need to compare the permissions of each role. The solution must minimize administrative effort.

Which portal should you use?

• A. the Microsoft Purview compliance portal

• B. the Microsoft 365 admin center Most Voted

• C. the Microsoft 365 Defender portal

• D. the Microsoft Entra admin center

Correct Answer: B

Community vote distribution

B (88%)

13%

Question #216 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription.


You plan to create the data loss prevention (DLP) policies shown in the following table.

You need to create DLP rules for each policy.

Which policies support the sender is condition and the file extension is condition? To answer, select
the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:
Question #217 Topic 1

You have a Microsoft 365 E5 subscription that contains a user named User1.

You create a retention label named Retention1 that is published to all locations.

You need to ensure that User1 can label email messages by using Retention1 as soon as possible.

Which cmdlet should you run in Microsoft Exchange Online PowerShell?

• A. Start-ManagedFolderAssistant Most Voted

• B. Start-MpScan

• C. Start-AppBackgroundTask

• D. Start-Process

Correct Answer: A

Community vote distribution

A (100%)

Question #218 Topic 1

You have a Microsoft 365 E5 tenant.

You create an auto-labeling policy to encrypt emails that contain a sensitive info type. You specify the
locations where the policy will be applied.

You need to deploy the policy.

What should you do first?

• A. Run the policy in simulation mode.

• B. Configure Azure Information Protection analytics.

• C. Review the sensitive information in Activity explorer.

• D. Turn on the policy.

Correct Answer: A

Question #219 Topic 1

HOTSPOT
-

From the Microsoft Purview compliance portal, you create a retention policy named Policy1.

You need to prevent all users from disabling the policy or reducing the retention period.

How should you configure the Azure PowerShell command? To answer, select the appropriate
options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #220 Topic 1

You have a Microsoft 365 E5 subscription. The subscription contains users that have the following
types of devices:

• Windows 10
• Android
• iOS

On which devices can you configure the Endpoint DLP policies?

• A. Windows 10 only Most Voted

• B. Windows 10 and Android only

• C. Windows 10 and iOS only

• D. Windows 10, Android, and iOS

Correct Answer: A

Community vote distribution

A (100%)

Question #221 Topic 1

HOTSPOT
-
Your company has a Microsoft 365 subscription that uses an Azure AD tenant named contoso.com.
The tenant contains the users shown in the following table.

You create a retention label named Label1 that has the following configurations:

• Retains content for five years
• Automatically deletes all content that is older than five years

You turn on Auto labeling for Label1 by using a policy named Policy1. Policy1 has the following
configurations:

• Applies to content that contains the word Merger
• Specifies the OneDrive accounts and SharePoint sites locations

You run the following command.

Set-RetentionCompliancePolicy Policy1 -RestrictiveRetention $true -Force

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:
Question #222 Topic 1

You are testing a data loss prevention (DLP) policy to protect the sharing of credit card information
with external users.

During testing, you discover that a user can share credit card information with external users by using
email. However, the user is prevented from sharing files that contain credit card information by using
Microsoft SharePoint.

You need to prevent the user from sharing the credit card information by using email and SharePoint.

What should you configure?

• A. the locations of the DLP policy Most Voted

• B. the conditions of the DLP policy rule

• C. the user overrides of the DLP policy rule

• D. the status of the DLP policy

Correct Answer: A

Community vote distribution

A (80%)

B (20%)

Question #223 Topic 1

HOTSPOT
-

From the Microsoft Purview compliance portal, you configure a data loss prevention (DLP) policy for a
Microsoft SharePoint site named Site1. Site1 contains the roles shown in the following table.
Prvi creates the files shown in the exhibit. (Click the Exhibit tab.)

Which files can User1 and User2 open? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #224 Topic 1

You have a Microsoft 365 subscription that uses retention policies.

You implement a preservation lock on a retention policy that is assigned to all executive users.

Which two actions can you perform on the retention policy after you implement the preservation
lock? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

• A. Add locations to the policy. Most Voted

• B. Reduce the duration of the policy.

• C. Remove locations from the policy.

• D. Extend the duration of the policy. Most Voted

• E. Disable the policy.

Correct Answer: AD

Community vote distribution

AD (100%)

Question #225 Topic 1

You have a Microsoft 365 subscription that contains an Azure AD tenant named contoso.com. The
tenant contains the users shown in the following table.
You create and assign a data loss prevention (DLP) policy named Policy1. Policy1 is configured to
prevent documents that contain Personally Identifiable Information (PII) from being emailed to users
outside your organization.

To which users can User1 send documents that contain PII?

• A. User2 only

• B. User2 and User3 only

• C. User2, User3, and User4 only

• D. User2, User3, User4, and User5

Correct Answer: B

Question #226 Topic 1

You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365 and contains a
mailbox named Mailbox1.

You plan to use Mailbox1 to collect and analyze unfiltered email messages.

You need to ensure that Defender for Office 365 takes no action on any inbound emails delivered to
Mailbox1.

What should you do?

• A. Configure a retention policy for Mailbox1.

• B. Create a mail flow rule.

• C. Configure Mailbox1 as a SecOps mailbox. Most Voted

• D. Place a litigation hold on Mailbox1.

Correct Answer: C

Community vote distribution

C (100%)

Question #227 Topic 1
HOTSPOT
-

You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint site named Site1.

You need to perform the following tasks:

• Create a sensitive info type named SIT1 based on a regular expression.
• Add a watermark to all new documents that are matched by SIT1.

Which two settings should you use in the Microsoft Purview compliance portal? To answer, select the
appropriate settings in the answer area.

NOTE: Each correct selection is worth one point.


Correct Answer:
Question #228 Topic 1

You have a Microsoft 365 subscription.

You have a data loss prevention (DLP) policy that blocks sensitive data from being shared in email
messages.

You need to modify the policy so that when an email message containing sensitive data is sent to
both external and internal recipients, the message is only prevented from being delivered to the
external recipients.

What should you modify?

• A. the policy rule exceptions

• B. the DLP policy locations

• C. the policy rule conditions

• D. the policy rule actions Most Voted

Correct Answer: D

Community vote distribution

D (100%)

Question #229 Topic 1

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Office 365 and contains a
user named User1.

User1 emails a product catalog in the PDF format to 300 vendors. Only 200 vendors receive the email
message, and User1 is blocked from sending email until the next day.

You need to prevent this issue from reoccurring.

What should you configure?

• A. anti-spam policies

• B. Safe Attachments policies

• C. anti-phishing policies

• D. anti-malware policies

Correct Answer: A

Question #230 Topic 1

You have a Microsoft 365 E5 subscription that contains the labels shown in the following table.
You have the items shown in the following table.

Which items can you view in Content explorer?

• A. File1 only

• B. File1 and File2 only

• C. File1 and Mail1 only

• D. File2 and Mail2 only

• E. File1, File2, Mail1, and Mail2 Most Voted

Correct Answer: E

Community vote distribution

E (100%)

Question #231 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 tenant.

You create a data loss prevention (DLP) policy to prevent users from using Microsoft Teams to share
internal documents with external users.

To which two locations should you apply the policy? To answer, select the appropriate locations in the
answer area.

NOTE: Each correct selection is worth one point.


Correct Answer:
Question #232 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 tenant that contains a Microsoft SharePoint site named Site1. Site1
contains the files shown in the following table.

You create a sensitivity label named Sensitivity1 and an auto-label policy that has the following
configurations:

• Name: AutoLabel1
• Label to auto-apply: Sensitivity1
• Choose locations where you want to apply the label: Site1

The Define content that contains sensitive info settings for AutoLabel1 is shown in the following
exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:
Question #233 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint site named Site1.
Site1 contains the files shown in the following table.

You have a data loss prevention (DLP) policy named DLP1 that has the advanced DLP rules shown
in the following table.

You apply DLP1 to Site1.

Which policy tip is displayed for each file? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #234 Topic 1
Overview -

Fabrikam, Inc. is an electronics company that produces consumer products. Fabrikam has 10,000
employees worldwide.

Fabrikam has a main office in London and branch offices in major cities in Europe, Asia, and the
United States.

Existing Environment -

Active Directory Environment -

The network contains an Active Directory forest named fabrikam.com. The forest contains all the
identities used for user and computer authentication. Each department is represented by a top-level
organizational unit (OU) that contains several child OUs for user accounts and computer accounts.

All users authenticate to on-premises applications by signing in to their device by using a UPN format
of [email protected].

Fabrikam does NOT plan to implement identity federation.

Network Infrastructure -

Each office has a high-speed connection to the Internet.

Each office contains two domain controllers. All domain controllers are configured as DNS servers.

The public zone for fabrikam.com is managed by an external DNS server.

All users connect to an on-premises Microsoft Exchange Server 2016 organization. The users access
their email by using Outlook Anywhere, Outlook on the web, or the Microsoft Outlook app for iOS. All
the Exchange servers have the latest cumulative updates installed.

All shared company documents are stored on a Microsoft SharePoint Server farm.

Requirements -

Planned Changes -

Fabrikam plans to implement a Microsoft 365 Enterprise subscription and move all email and shared
documents to the subscription.

Fabrikam plans to implement two pilot projects:

• Project1: During Project1, the mailboxes of 100 users in the sales department will be moved to
Microsoft 365.
• Project2: After the successful completion of Project1, Microsoft Teams will be enabled in Microsoft
365 for the sales department users.

Fabrikam plans to create a group named UserLicenses that will manage the allocation of all Microsoft
365 bulk licenses.
Technical Requirements -

Fabrikam identifies the following technical requirements:

• All users must be able to exchange email messages successfully during Project1 by using their
current email address.
• Users must be able to authenticate to cloud services if Active Directory becomes unavailable.
• A user named User1 must be able to view all DLP reports from the Microsoft Purview compliance
portal.
• Microsoft 365 Apps for enterprise applications must be installed from a network share only.
• Disruptions to email access must be minimized.

Application Requirements -

Fabrikam identifies the following application requirements:

• An on-premises web application named App1 must allow users to complete their expense reports
online. App1 must be available to users from the My Apps portal.
• The installation of feature updates for Microsoft 365 Apps for enterprise must be minimized.

Security Requirements -

Fabrikam identifies the following security requirements:

• After the planned migration to Microsoft 365, all users must continue to authenticate to their mailbox
and to SharePoint sites by using their UPN.
• The membership of the UserLicenses group must be validated monthly. Unused user accounts must
be removed from the group automatically.
• After the planned migration to Microsoft 365, all users must be signed in to on-premises and cloud-
based applications automatically.
• The principle of least privilege must be used.

You are evaluating the required processes for Project1.

You need to recommend which DNS record must be created while adding a domain name for the
project.

Which DNS record should you recommend?

• A. mail exchanger (MX) Most Voted

• B. alias (CNAME)

• C. host information (HINFO)

• D. host (AAAA)

Correct Answer: A

Community vote distribution


A (100%)

Question #235 Topic 1

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.

You have a Microsoft 365 E5 subscription.

You create an account for a new security administrator named SecAdmin1.

You need to ensure that SecAdmin1 can manage Microsoft Defender for Office 365 settings and
policies for Microsoft Teams, SharePoint, and OneDrive.

Solution: From the Microsoft Entra admin center, you assign SecAdmin1 the Teams Administrator
role.

Does this meet the goal?

• A. Yes

• B. No


Question #236 Topic 1

HOTSPOT
-

Overview
-

Litware, Inc. is a consulting company that has a main office in Montreal and a branch office in Seattle.

Litware collaborates with a third-party company named A. Datum Corporation.

Environment
-

On-Premises Environment
-

The network of Litware contains an Active Directory domain named litware.com. The domain contains
three organizational units (OUs) named LitwareAdmins, Montreal Users, and Seattle Users and the
users shown in the following table.
The domain contains 2,000 Windows 10 Pro devices and 100 servers that run Windows Server 2019.

Cloud Environment
-

Litware has a pilot Microsoft 365 subscription that includes Microsoft Office 365 Enterprise E3
licenses and Azure AD Premium P2 licenses.

The subscription contains a verified DNS domain named litware.com.

Azure AD Connect is installed and has the following configurations:

• Password hash synchronization is enabled.
• Synchronization is enabled for the LitwareAdmins OU only.

Users are assigned the roles shown in the following table.

Self-service password reset (SSPR) is enabled.

The Azure AD tenant has Security defaults enabled.

Problem Statements
-

Litware identifies the following issues:

• Admin1 cannot create conditional access policies.
• Admin4 receives an error when attempting to use SSPR.
• Users access new Office 365 service and feature updates before the updates are reviewed by
Admin2.

Requirements
-

Planned Changes
-

Litware plans to implement the following changes:

• Implement Microsoft Intune.
• Implement Microsoft Teams.
• Implement Microsoft Defender for Office 365.
• Ensure that users can install Office 365 apps on their device.
• Convert all the Windows 10 Pro devices to Windows 10 Enterprise E5.
• Configure Azure AD Connect to sync the Montreal Users OU and the Seattle Users OU.

Technical Requirements
-

Litware identifies the following technical requirements:

• Administrators must be able to specify which version of an Office 365 desktop app will be available
to users and to roll back to previous versions.
• Only Admin2 must have access to new Office 365 service and feature updates before they are
released to the company.
• Litware users must be able to invite A. Datum users to participate in the following activities:
• Join Microsoft Teams channels.
• Join Microsoft Teams chats.
• Access shared files.
• Just in time access to critical administrative roles must be required.
• Microsoft 365 incidents and advisories must be reviewed monthly.
• Office 365 service status notifications must be sent to Admin2.
• The principle of least privilege must be used.

You need to ensure that Admin4 can use SSPR.

Which tool should you use, and which action should you perform? To answer, select the appropriate
options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #237 Topic 1

HOTSPOT
-

Overview
-

Litware, Inc. is a consulting company that has a main office in Montreal and a branch office in Seattle.

Litware collaborates with a third-party company named A. Datum Corporation.

Environment
-

On-Premises Environment
-

The network of Litware contains an Active Directory domain named litware.com. The domain contains
three organizational units (OUs) named LitwareAdmins, Montreal Users, and Seattle Users and the
users shown in the following table.

The domain contains 2,000 Windows 10 Pro devices and 100 servers that run Windows Server 2019.

Cloud Environment
-
Litware has a pilot Microsoft 365 subscription that includes Microsoft Office 365 Enterprise E3
licenses and Azure AD Premium P2 licenses.

The subscription contains a verified DNS domain named litware.com.

Azure AD Connect is installed and has the following configurations:

• Password hash synchronization is enabled.
• Synchronization is enabled for the LitwareAdmins OU only.

Users are assigned the roles shown in the following table.

Self-service password reset (SSPR) is enabled.

The Azure AD tenant has Security defaults enabled.

Problem Statements
-

Litware identifies the following issues:

• Admin1 cannot create conditional access policies.
• Admin4 receives an error when attempting to use SSPR.
• Users access new Office 365 service and feature updates before the updates are reviewed by
Admin2.

Requirements
-

Planned Changes
-

Litware plans to implement the following changes:

• Implement Microsoft Intune.
• Implement Microsoft Teams.
• Implement Microsoft Defender for Office 365.
• Ensure that users can install Office 365 apps on their device.
• Convert all the Windows 10 Pro devices to Windows 10 Enterprise E5.
• Configure Azure AD Connect to sync the Montreal Users OU and the Seattle Users OU.

Technical Requirements
-
Litware identifies the following technical requirements:

• Administrators must be able to specify which version of an Office 365 desktop app will be available
to users and to roll back to previous versions.
• Only Admin2 must have access to new Office 365 service and feature updates before they are
released to the company.
• Litware users must be able to invite A. Datum users to participate in the following activities:
• Join Microsoft Teams channels.
• Join Microsoft Teams chats.
• Access shared files.
• Just in time access to critical administrative roles must be required.
• Microsoft 365 incidents and advisories must be reviewed monthly.
• Office 365 service status notifications must be sent to Admin2.
• The principle of least privilege must be used.

You are evaluating the use of multi-factor authentication (MFA).

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #238 Topic 1

Overview -
Litware, Inc. is a consulting company that has a main office in Montreal and a branch office in Seattle.

Litware collaborates with a third-party company named A. Datum Corporation.

Environment -

On-Premises Environment -

The network of Litware contains an Active Directory domain named litware.com. The domain contains
three organizational units (OUs) named LitwareAdmins, Montreal Users, and Seattle Users and the
users shown in the following table.

The domain contains 2,000 Windows 10 Pro devices and 100 servers that run Windows Server 2019.

Cloud Environment -

Litware has a pilot Microsoft 365 subscription that includes Microsoft Office 365 Enterprise E3
licenses and Azure AD Premium P2 licenses.

The subscription contains a verified DNS domain named litware.com.

Azure AD Connect is installed and has the following configurations:

• Password hash synchronization is enabled.
• Synchronization is enabled for the LitwareAdmins OU only.

Users are assigned the roles shown in the following table.

Self-service password reset (SSPR) is enabled.

The Azure AD tenant has Security defaults enabled.

Problem Statements -

Litware identifies the following issues:


• Admin1 cannot create conditional access policies.
• Admin4 receives an error when attempting to use SSPR.
• Users access new Office 365 service and feature updates before the updates are reviewed by
Admin2.

Requirements -

Planned Changes -

Litware plans to implement the following changes:

• Implement Microsoft Intune.
• Implement Microsoft Teams.
• Implement Microsoft Defender for Office 365.
• Ensure that users can install Office 365 apps on their device.
• Convert all the Windows 10 Pro devices to Windows 10 Enterprise E5.
• Configure Azure AD Connect to sync the Montreal Users OU and the Seattle Users OU.

Technical Requirements -

Litware identifies the following technical requirements:

• Administrators must be able to specify which version of an Office 365 desktop app will be available
to users and to roll back to previous versions.
• Only Admin2 must have access to new Office 365 service and feature updates before they are
released to the company.
• Litware users must be able to invite A. Datum users to participate in the following activities:
• Join Microsoft Teams channels.
• Join Microsoft Teams chats.
• Access shared files.
• Just in time access to critical administrative roles must be required.
• Microsoft 365 incidents and advisories must be reviewed monthly.
• Office 365 service status notifications must be sent to Admin2.
• The principle of least privilege must be used.

You need to configure just in time access to meet the technical requirements.

What should you use?

• A. entitlement management

• B. Azure AD Privileged Identity Management (PIM) Most Voted

• C. access reviews

• D. Azure AD Identity Protection

Correct Answer: B

Community vote distribution


B (100%)

Question #239 Topic 1

You have a Microsoft 365 subscription that contains an Azure AD tenant named contoso.com. The
tenant includes a user named User1.

You enable Azure AD Identity Protection.

You need to ensure that User1 can review the list in Azure AD Identity Protection of users flagged for
risk. The solution must use the principle of least privilege.

To which role should you add User1?

• A. Compliance Administrator

• B. Security Administrator Most Voted

• C. Service Administrator

• D. User Administrator

Correct Answer: B

Community vote distribution

B (100%)

Question #240 Topic 1

You have a Microsoft 365 subscription that contains an Azure AD tenant named contoso.com. The
tenant includes a user named User1.

You enable Azure AD Identity Protection.

You need to ensure that User1 can review the list in Azure AD Identity Protection of users flagged for
risk. The solution must use the principle of least privilege.

To which role should you add User1?

• A. Compliance Administrator

• B. Security Reader Most Voted

• C. Reports Reader

• D. User Administrator

Correct Answer: B

Community vote distribution

B (80%)

C (20%)

Question #241 Topic 1
You have a Microsoft 365 E5 subscription.

You need to create a mail-enabled contact.

Which portal should you use?

• A. the Microsoft Teams admin center

• B. the Intune admin center

• C. the Microsoft 365 Defender portal

• D. the Exchange admin center

Correct Answer: D

Question #242 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

The subscription has the following two anti-spam policies:

• Name: AntiSpam1
• Priority: 0
• Include these users, groups and domains
o Users: User3
o Groups: Group1
• Exclude these users, groups and domains
o Groups: Group2
• Message limits
o Set a daily message limit: 100

• Name: AntiSpam2
• Priority: 1
• Include these users, groups and domains
o Users: User1
o Groups: Group2
• Exclude these users, groups and domains
o Users: User3
• Message limits
o Set a daily message limit: 50

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #243 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription that contains a user named User1 and the administrators
shown in the following table.

User1 reports that after sending 1,000 email messages in the morning, the user is blocked from
sending additional emails.

You need to identify the following:


• What administrators can unblock User1
• What to configure to allow User1 to send at least 2,000 emails per day without being blocked

What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #244 Topic 1

Overview -

Fabrikam, Inc. is an electronics company that produces consumer products. Fabrikam has 10,000
employees worldwide.

Fabrikam has a main office in London and branch offices in major cities in Europe, Asia, and the
United States.

Existing Environment -

Active Directory Environment -

The network contains an Active Directory forest named fabrikam.com. The forest contains all the
identities used for user and computer authentication. Each department is represented by a top-level
organizational unit (OU) that contains several child OUs for user accounts and computer accounts.

All users authenticate to on-premises applications by signing in to their device by using a UPN format
of [email protected].

Fabrikam does NOT plan to implement identity federation.

Network Infrastructure -

Each office has a high-speed connection to the Internet.

Each office contains two domain controllers. All domain controllers are configured as DNS servers.

The public zone for fabrikam.com is managed by an external DNS server.

All users connect to an on-premises Microsoft Exchange Server 2016 organization. The users access
their email by using Outlook Anywhere, Outlook on the web, or the Microsoft Outlook app for iOS. All
the Exchange servers have the latest cumulative updates installed.

All shared company documents are stored on a Microsoft SharePoint Server farm.

Requirements -

Planned Changes -

Fabrikam plans to implement a Microsoft 365 Enterprise subscription and move all email and shared
documents to the subscription.

Fabrikam plans to implement two pilot projects:

• Project1: During Project1, the mailboxes of 100 users in the sales department will be moved to
Microsoft 365.
• Project2: After the successful completion of Project1, Microsoft Teams will be enabled in Microsoft
365 for the sales department users.

Fabrikam plans to create a group named UserLicenses that will manage the allocation of all Microsoft
365 bulk licenses.

Technical Requirements -

Fabrikam identifies the following technical requirements:


• All users must be able to exchange email messages successfully during Project1 by using their
current email address.
• Users must be able to authenticate to cloud services if Active Directory becomes unavailable.
• A user named User1 must be able to view all DLP reports from the Microsoft Purview compliance
portal.
• Microsoft 365 Apps for enterprise applications must be installed from a network share only.
• Disruptions to email access must be minimized.

Application Requirements -

Fabrikam identifies the following application requirements:

• An on-premises web application named App1 must allow users to complete their expense reports
online. App1 must be available to users from the My Apps portal.
• The installation of feature updates for Microsoft 365 Apps for enterprise must be minimized.

Security Requirements -

Fabrikam identifies the following security requirements:

• After the planned migration to Microsoft 365, all users must continue to authenticate to their mailbox
and to SharePoint sites by using their UPN.
• The membership of the UserLicenses group must be validated monthly. Unused user accounts must
be removed from the group automatically.
• After the planned migration to Microsoft 365, all users must be signed in to on-premises and cloud-
based applications automatically.
• The principle of least privilege must be used.

You are evaluating the required processes for Project1.

You need to recommend which DNS record must be created while adding a domain name to the
tenant for the project.

Which DNS record should you recommend?

• A. alias (CNAME)

• B. host information (HINFO)

• C. host (A)

• D. text (TXT) Most Voted

Correct Answer: D

Community vote distribution

D (100%)

Question #245 Topic 1

HOTSPOT
-
You have a Microsoft 365 E5 subscription.

You create a Conditional Access policy named Policy1 and assign Policy1 to all users.

You need to configure Policy1 to enforce multi-factor authentication (MFA) if the user risk level is high.

Which two settings should you configure in Policy1? To answer, select the appropriate settings in the
answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #246 Topic 1

Your network contains an Active Directory domain.

You have an Azure AD tenant that has Security defaults disabled.

Azure AD Connect is configured for directory synchronization. Password hash synchronization and
pass-through authentication are disabled.

You need to enable Azure AD Identity Protection to detect leaked credentials.

What should you do first?

• A. From Azure AD Connect, enable password hash synchronization. Most Voted


• B. From the Microsoft Entra admin center, enable Security defaults.

• C. From the Microsoft Entra admin center, configure verifiable credentials.

• D. From Azure AD Connect, enable pass-through authentication.

Correct Answer: A

Community vote distribution

A (100%)

Question #247 Topic 1

HOTSPOT -

You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

You configure a multi-factor authentication (MFA) registration policy that has the following settings:

• Assignments:
o Include: Group1
o Exclude: Group2
• Access controls: Require Azure MFA registration
• Enforce Policy: On

You create a conditional access policy that has the following settings:

• Name: Policy 1
• Assignments:
o Include: Group2
o Exclude: Group1
• Access controls:
o Grant, Require multi-factor authentication
• Enable policy: On

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #248 Topic 1

Your network contains an on-premises Active Directory domain.

You have a Microsoft 365 subscription.

You implement a directory synchronization solution that uses pass-through authentication.

You configure Azure AD smart lockout as shown in the following exhibit.


You discover that Active Directory users can use the passwords in the custom banned passwords list.

You need to ensure that banned passwords are banned for all users.

Which three actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

• A. From a domain controller, install the Azure AD Password Protection Proxy. Most Voted

• B. From Active Directory, modify the Default Domain Policy.

• C. From a domain controller, install the Azure AD Application Proxy connector.

• D. From all the domain controllers, install the Azure AD Password Protection DC Agent. Most Voted

• E. From Password protection for Windows Server Active Directory, modify the Mode setting. Most Voted

• F. From Custom banned passwords, modify the Enforce custom list setting.

Correct Answer: ADE

Community vote distribution

ADE (83%)

ADF (17%)

Question #249 Topic 1
Your network contains an Active Directory domain and an Azure AD tenant.

The network uses a firewall that contains a list of allowed outbound domains.

You begin to implement directory synchronization.

You discover that the firewall configuration contains only the following domain names in the list of
allowed domains:

• *.microsoft.com
• *.office.com

Directory synchronization fails.

You need to ensure that directory synchronization completes successfully.

What is the best approach to achieve the goal? More than one answer choice may achieve the goal.
Select the BEST answer.

• A. From the firewall, modify the list of allowed outbound domains. Most Voted

• B. From Azure AD Connect, modify the Customize synchronization options task.

• C. From the firewall, create a list of allowed inbound domains.

• D. Deploy an Azure AD Connect sync server in staging mode.

• E. From the firewall, allow the IP address range of the Azure data center for outbound
communication.

Correct Answer: A

Community vote distribution

A (100%)

Question #250 Topic 1

You have a Microsoft 365 E5 subscription that contains users in the United States, Europe, and Asia.

You use Azure AD Identity Protection.

You have a virtual desktop infrastructure (VDI). All VDI servers are located in the United States.

Users connect to Microsoft 365 from laptops and the VDI.

Some VDI users report that they are blocked from signing in to Microsoft 365 due to a high sign-in
risk.

You need to reduce the likelihood that the VDI users will be erroneously blocked from signing in to
Microsoft 365. The solution must ensure that sign-ins from the VDI environment are protected by
using Identity Protection.

What should you configure?

• A. ExpressRoute for Microsoft 365


• B. a trusted location Most Voted

• C. a Satellite Geography location

• D. a Conditional Access policy

Correct Answer: B

Community vote distribution

B (100%)

Question #251 Topic 1

HOTSPOT -

You have a Microsoft 365 subscription.

From Azure AD Privileged Identity Management (PIM), you configure Role settings for the Global
Administrator role as shown in the following exhibit.

You make a user named [email protected] eligible for the Global Administrator role.

Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #252 Topic 1

You have a Microsoft 365 subscription that contains more than 2,000 guest users.

You need to ensure that when guest users are added to Microsoft 365 groups in the subscription,
their membership is validated by the group owner every 30 days.

What should you configure?

• A. group expiration policies

• B. retention policies

• C. access reviews

• D. Conditional Access policies

Correct Answer: C

Question #253 Topic 1

HOTSPOT -

You have a Microsoft 365 subscription that uses a domain name of adatum.com.

In Azure AD, you set Guest invite restrictions to Only users assigned to specific admin roles can invite
guest users.

A user named [email protected] reports that they can no longer invite external users from a
domain named contoso.com to collaborate in Microsoft Teams.

You need to modify the Azure AD configuration to meet the following requirements:

• Ensure that User1 can invite the contoso.com users to Teams.
• Ensure that only the contoso.com users can be invited as guests to the Azure AD tenant.
• Follow the principle of least privilege.

What should you do for each requirement? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #254 Topic 1

HOTSPOT -

Your network contains an on-premises Active Directory domain that is synced to Azure AD as shown
in the following exhibit.
An on-premises Active Directory user account named Allan Yoo is synchronized to Azure AD. You
view Allan’s account from Microsoft 365 and notice that his username is set
to [email protected].

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #255 Topic 1

Your network contains an on-premises Active Directory domain. The domain contains 2,000
computers that run Windows 10.

You purchase a Microsoft 365 subscription.

You implement password hash synchronization and Azure AD Seamless Single Sign-On (Seamless
SSO).

You need to ensure that users can use Seamless SSO from the Windows 10 computers.

What should you do?

• A. Join the computers to Azure AD.

• B. Create a conditional access policy in Azure AD.

• C. Modify the Intranet zone settings by using Group Policy. Most Voted

• D. Deploy an Azure AD Connect staging server.

Correct Answer: C

Community vote distribution

C (86%)

14%

Question #256 Topic 1

Your network contains an Active Directory domain named adatum.com that is synced to Azure AD.

The domain contains 100 user accounts.

The city attribute for all the users is set to the city where the user resides.

You need to modify the value of the city attribute to the three-letter airport code of each city.

What should you do?

• A. From Azure Cloud Shell, run the Get-MsolUser and Set-MsolUser cmdlets.
• B. From Windows PowerShell on a domain controller, run the Get-MgUser and Update-MgUser
cmdlets.

• C. From Active Directory Administrative Center, select the Active Directory users, and then
modify the Properties settings. Most Voted

• D. From Azure Cloud Shell, run the Get-MgUser and Update-MgUser cmdlets.

Correct Answer: C

Community vote distribution

C (73%)

D (27%)

Question #257 Topic 1

Your network contains an Active Directory domain named adatum.com that is synced to Azure AD.

The domain contains 100 user accounts.

The city attribute for all the users is set to the city where the user resides.

You need to modify the value of the city attribute to the three-letter airport code of each city.

What should you do?

• A. From Windows PowerShell on a domain controller, run the Get-ADUser and Set-ADUser
cmdlets. Most Voted

• B. From Azure Cloud Shell, run the Get-ADUser and Set-ADUser cmdlets.

• C. From Windows PowerShell on a domain controller, run the Get-MgUser and Update-MgUser
cmdlets.

• D. From the Azure portal, select all the Azure AD users, and then use the User settings blade.

Correct Answer: A

Community vote distribution

A (100%)

Question #258 Topic 1

HOTSPOT -

You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365.

You need to identify the settings that are configured less securely than the Standard protection
profile settings in the preset security policies.

What should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #259 Topic 1

HOTSPOT -

You have a Microsoft 365 E5 subscription that contains the devices shown in the following table.

All the devices are onboarded to Microsoft Defender for Endpoint.

You plan to use Microsoft Defender Vulnerability Management to meet the following requirements:

• Detect operating system vulnerabilities.
• Perform a configuration assessment of the operating system.

Which devices support each requirement? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #260 Topic 1

You have a Microsoft 365 E5 tenant.

The Microsoft Secure Score for the tenant is shown in the following exhibit.
You plan to enable Security defaults for Azure AD.

Which three improvement actions will this affect?

NOTE: Each correct selection is worth one point.

• A. Require MFA for administrative roles Most Voted

• B. Ensure all users can complete multi-factor authentication for secure access Most Voted

• C. Enable policy to block legacy authentication Most Voted

• D. Enable self-service password reset

• E. Use limited administrative roles

Correct Answer: ABC

Community vote distribution

Question #261 Topic 1

You have a Microsoft 365 E5 subscription that has Microsoft Defender for Endpoint integrated with
Microsoft Intune.

Devices are enrolled to Microsoft Intune and onboarded by using Microsoft Defender for Endpoint.

You plan to block devices based on the results of the machine risk score calculated by Microsoft
Defender for Endpoint.

What should you create first?

• A. a device configuration policy

• B. an endpoint detection and response policy

• C. a device compliance policy Most Voted

Correct Answer: C

Community vote distribution

C (100%)

Question #262 Topic 1

You have a Microsoft 365 subscription.

You create a retention label named Retention1 as shown in the following exhibit.
You apply Retention1 to all the Microsoft OneDrive content.

On January 1, 2020, a user stores a file named File1 in OneDrive.


On January 10, 2020, the user modifies File1.
On February 1, 2020, the user deletes File1.

When will File1 be permanently removed and unrecoverable from OneDrive?

• A. February 1, 2020

• B. July 1, 2020 Most Voted

• C. July 10, 2020

• D. August 1, 2020

Correct Answer: B

Community vote distribution

B (100%)

Question #263 Topic 1

You have a Microsoft 365 subscription that contains an Azure AD tenant named contoso.com. The
tenant includes a user named User1.
You enable Azure AD Identity Protection.

You need to ensure that User1 can review the list in Azure AD Identity Protection of users flagged for
risk. The solution must use the principle of least privilege.

To which role should you add User1?

• A. Global Administrator

• B. Service Administrator

• C. Security Administrator Most Voted

• D. Reports Reader

Correct Answer: C

Community vote distribution

C (90%)

10%

Question #264 Topic 1

HOTSPOT -

You have a Microsoft 365 E5 tenant.

You have a sensitivity label configured as shown in the Sensitivity label exhibit.
You have an auto-labeling policy as shown in the Auto-labeling policy exhibit.

A user sends an email that contains the components shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #265 Topic 1

You have a Microsoft 365 subscription.

You need to implement a passwordless authentication solution that supports the following device
types:
• Windows
• Android
• iOS

The solution must use the same authentication method for all devices.

Which authentication method should you use?

• A. the Microsoft Authentication app Most Voted

• B. FIDO2-compliant security keys

• C. multi-factor authentication (MFA)

• D. Windows Hello for Business

Correct Answer: A

Community vote distribution

A (54%)

B (46%)

Question #266 Topic 1

HOTSPOT -

You have a Microsoft 365 subscription.

You need to configure an auto-apply policy for sensitivity labels that will protect corporate data. The
solution must meet the following requirements:

• Documents containing content that matches a custom regular expression must be classified
automatically.
• Contract documents in a standard format must be classified automatically.

What should you configure for each requirement? To answer, select the appropriate options in the
answer area.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #267 Topic 1

HOTSPOT -

You have a Microsoft 365 E5 subscription that contains the security groups shown in the following
table.

The subscription contains the users shown in the following table.

You have a Conditional Access policy that has the following settings:

• Assignments
  o Users
    Include: Group1
    Exclude: Group2, Group3
  o Target resources
    Cloud apps: App1
• Access controls
  o Grant: Block access
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #268 Topic 1

Your company has a Microsoft Entra tenant named contoso.com and a Microsoft 365 subscription.

All users use Windows 10 devices to access Microsoft Office 365 apps.

All the devices are in a workgroup.

You plan to implement passwordless sign-in to contoso.com.

You need to recommend changes to the infrastructure for the planned implementation.

What should you include in the recommendation?

• A. Join all the devices to contoso.com. Most Voted


• B. Deploy Microsoft Entra Application Proxy.

• C. Deploy X.509.3 certificates to all the users.

• D. Deploy the Microsoft Authenticator app.

Correct Answer: A

Community vote distribution

A (86%)

14%

Question #269 Topic 1

HOTSPOT -

You have a Microsoft 365 E5 subscription that contains two security groups named Group1 and
Group2.

You need to enable multi-factor authentication (MFA) for the members of Group1 and Group2. The
solution must meet the following requirements:

• The Group1 members must be prompted for MFA only when authenticating to Microsoft Entra ID
from Android devices.
• The Group2 members must be prompted for MFA only when accessing Microsoft Exchange Online
from outside the corporate network.
• Administrative effort must be minimized.

What should you configure for each group? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #270 Topic 1

You have a Microsoft 365 E5 subscription.

You need to create a mail-enabled contact.

Which portal should you use?


• A. the Microsoft 365 admin center Most Voted

• B. the Microsoft Teams admin center

• C. the Intune admin center

• D. the Microsoft Purview compliance portal

Correct Answer: A

Community vote distribution

Question #271 Topic 1

HOTSPOT -

You have a Microsoft 365 subscription that contains the users shown in the following table.

The Global Administrator role has the Privileged Identity Management (PIM) settings shown in the
following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #272 Topic 1

DRAG DROP -

You have an Azure subscription that is linked to a hybrid Microsoft Entra tenant.

All users sync from Active Directory Domain Services (AD DS) to the tenant by using Express
Settings in Microsoft Entra Connect.

You plan to implement self-service password reset (SSPR).

You need to ensure that when a user resets or changes a password, the password syncs with AD DS.

Which actions should you perform in sequence? To answer, drag the appropriate actions to the
correct order. Each action may be used once, more than once, or not at all. You may need to drag the
split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #273 Topic 1

You have a Microsoft 365 subscription that uses Microsoft 365 Defender.

You need to compare your company's security configurations to Microsoft best practices and review
improvement actions to increase the security posture.

What should you use?

• A. Microsoft Secure Score Most Voted

• B. Cloud discovery

• C. Exposure distribution

• D. Threat tracker

• E. Exposure score

Correct Answer: A

Community vote distribution

A (100%)

Question #274 Topic 1

HOTSPOT -
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Office 365.

You need to automate Attack simulation training for users when a phishing campaign is detected in
real-time.

Which type of automation should you use, and which condition should you configure for the Attack
simulation training? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #275 Topic 1

You have two Microsoft 365 tenants. Users have accounts in both tenants.

You plan to deploy a single device to each user. Each device will contain the Microsoft Authenticator
app.

You need to ensure that the users can use their device to authenticate to both tenants by using
passwordless authentication.

Which platform should you provide?


• A. iOS Most Voted

• B. Android

• C. Windows

• D. macOS

Correct Answer: A

Community vote distribution

A (100%)

Question #276 Topic 1

Your network contains an Active Directory domain named adatum.com that is synced to a Microsoft
Entra tenant.

The domain contains 100 user accounts.

The city attribute for all the users is set to the city where the user resides.

You need to modify the value of the city attribute to the three-letter airport code of each city.

What should you do?

• A. From Windows PowerShell on a domain controller, run the Get-ADUser and Set-ADUser
cmdlets. Most Voted

• B. From Azure Cloud Shell, run the Get-MgUser and Update-MgUser cmdlets.

• C. From the Microsoft Entra admin center, select all the Microsoft Entra users, and then use
the User settings blade.

• D. From the Microsoft 365 admin center, select the users, and then use the Bulk actions
option.

Correct Answer: A

Community vote distribution

A (100%)

Question #277 Topic 1

HOTSPOT -

You have a Microsoft 365 subscription.

You need to identify all users that have an Enterprise Mobility + Security plan, and then provide a list
of the users in the CSV format.

Which settings should you use in the Microsoft 365 admin center, and which option should you
select? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #278 Topic 1

HOTSPOT -

You have a Microsoft 365 subscription that contains two administrative units named AU1 and AU2.

The subscription contains the users shown in the following table.

The subscription contains the groups shown in the following table.


For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #279 Topic 1

HOTSPOT -

You have a Microsoft 365 subscription.

You plan to update the EmployeeType attribute for all the users in a group named Contractors. You
retrieve the GroupId value of the Contractors group.

You need to use Microsoft Graph PowerShell to retrieve all the Contractors group users and set their
EmployeeType attribute to Part-time.
How should you complete the PowerShell script? To answer, select the appropriate options in the
answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #280 Topic 1

HOTSPOT -

You have a Microsoft 365 E5 subscription.

You need to configure Privileged Identity Management (PIM) for the User Administrator role in
Microsoft Entra. Eligible users must meet the following requirements:

• Always be able to request the User Administrator role
• Must provide a reason when requesting the User Administrator role
• Must require multi-factor authentication (MFA) when activating the User Administrator role

The solution must minimize administrative effort.

How should you configure the Role settings for each requirement? To answer, select the appropriate
options in the answer area.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #281 Topic 1

HOTSPOT -

You have a Microsoft 365 E5 subscription.

You need to create a Conditional Access policy that will require the use of FIDO2 security keys only
when users join their Windows devices to Microsoft Entra ID.

How should you configure the policy? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #282 Topic 1

Overview -

Fabrikam, Inc. is an electronics company that produces consumer products. Fabrikam has 10,000
employees worldwide.

Fabrikam has a main office in London and branch offices in major cities in Europe, Asia, and the
United States.

Existing Environment -

Active Directory Environment -

The network contains an Active Directory forest named fabrikam.com. The forest contains all the
identities used for user and computer authentication. Each department is represented by a top-level
organizational unit (OU) that contains several child OUs for user accounts and computer accounts.

All users authenticate to on-premises applications by signing in to their device by using a UPN format
of [email protected].
Fabrikam does NOT plan to implement identity federation.

Network Infrastructure -

Each office has a high-speed connection to the Internet.

Each office contains two domain controllers. All domain controllers are configured as DNS servers.

The public zone for fabrikam.com is managed by an external DNS server.

All users connect to an on-premises Microsoft Exchange Server 2016 organization. The users access
their email by using Outlook Anywhere, Outlook on the web, or the Microsoft Outlook app for iOS. All
the Exchange servers have the latest cumulative updates installed.

All shared company documents are stored on a Microsoft SharePoint Server farm.

Requirements -

Planned Changes -

Fabrikam plans to implement a Microsoft 365 Enterprise subscription and move all email and shared
documents to the subscription.

Fabrikam plans to implement two pilot projects:

• Project1: During Project1, the mailboxes of 100 users in the sales department will be moved to
Microsoft 365.
• Project2: After the successful completion of Project1, Microsoft Teams will be enabled in Microsoft
365 for the sales department users.

Fabrikam plans to create a group named UserLicenses that will manage the allocation of all Microsoft
365 bulk licenses.

Technical Requirements -

Fabrikam identifies the following technical requirements:

• All users must be able to exchange email messages successfully during Project1 by using their
current email address.
• Users must be able to authenticate to cloud services if Active Directory becomes unavailable.
• A user named User1 must be able to view all DLP reports from the Microsoft Purview compliance
portal.
• Microsoft 365 Apps for enterprise applications must be installed from a network share only.
• Disruptions to email access must be minimized.

Application Requirements -

Fabrikam identifies the following application requirements:

• An on-premises web application named App1 must allow users to complete their expense reports
online. App1 must be available to users from the My Apps portal.
• The installation of feature updates for Microsoft 365 Apps for enterprise must be minimized.

Security Requirements -

Fabrikam identifies the following security requirements:

• After the planned migration to Microsoft 365, all users must continue to authenticate to their mailbox
and to SharePoint sites by using their UPN.
• The membership of the UserLicenses group must be validated monthly. Unused user accounts must
be removed from the group automatically.
• After the planned migration to Microsoft 365, all users must be signed in to on-premises and
cloud-based applications automatically.
• The principle of least privilege must be used.

You are evaluating the required processes for Project1.

You need to recommend which DNS record must be created while adding a domain name for the
project.

Which DNS record should you recommend?

• A. name server (NS)

• B. host information (HINFO)

• C. text (TXT) Most Voted

• D. pointer (PTR)

Correct Answer: C

Community vote distribution

C (100%)

Question #283 Topic 1

You have a Microsoft 365 E5 subscription.

From the Microsoft 365 Defender portal, you review your company’s Microsoft Secure Score.

You discover a large number of recommended actions.

You need to ensure that the actions can be filtered based on specific department names.

What should you create first?

• A. a dynamic security group

• B. a tag Most Voted

• C. an administrative unit

• D. a custom detection rule


Correct Answer: B

Community vote distribution

B (87%)

13%

Question #284 Topic 1

You have a Microsoft 365 E5 subscription that contains the devices shown in the following table.

You plan to create an Endpoint security policy by using the Defender Update controls template.

To which devices can you apply the policy?

• A. Device1 only Most Voted

• B. Device1 and Device2 only

• C. Device1 and Device3 only

• D. Device1, Device2, and Device3

Correct Answer: A

Community vote distribution

A (100%)

Question #285 Topic 1

You have a Microsoft 365 tenant.

You plan to manage incidents in the tenant by using the Microsoft Defender XDR.

Which Microsoft service source will appear on the Incidents page of the Microsoft 365 Defender
portal?

• A. Microsoft Sentinel

• B. Microsoft Defender for Cloud

• C. Azure Web Application Firewall

• D. Microsoft Defender for Identity Most Voted

Correct Answer: D

Community vote distribution

D (100%)

Question #286 Topic 1

You have a Microsoft 365 E5 subscription.

You are creating a data loss prevention (DLP) policy applied to the locations as shown in the following
exhibit.

Which condition can you use in the DLP rules of the policy?

• A. sensitive info types Most Voted

• B. sensitivity labels

• C. keywords

• D. content search queries

Correct Answer: A

Community vote distribution

A (100%)

Question #287 Topic 1

You have a Microsoft 365 subscription.

You need to implement a passwordless authentication solution that supports the following device
types:
• Windows
• Android
• iOS

The solution must use the same authentication method for all devices.

Which authentication method should you use?

• A. the Microsoft Authentication app Most Voted

• B. Voice call

• C. multi-factor authentication (MFA)

• D. Windows Hello for Business

Correct Answer: A

Community vote distribution

A (90%)

10%

Question #288 Topic 1

HOTSPOT -

You have a Microsoft 365 E5 subscription that contains two groups named Group1 and Group2.

You plan to configure a data loss prevention (DLP) strategy that meets the following requirements:

• Members of Group1 must be prevented from sharing documents that contain credit card numbers.
• Members of Group2 must be prevented from sharing documents that are classified as internal by
Microsoft Purview Information Protection.
• The solution must minimize administrative effort.

You need to create a DLP policy for each group.

Which condition should you add to each DLP policy rule for each group? To answer, select the
appropriate options in the answer area.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #289 Topic 1

You need to notify the manager of the human resources department when a user in the department
shares a file or folder from the department's Microsoft SharePoint site.

What should you do?

• A. From the SharePoint site, create an alert.

• B. From the Microsoft Defender portal, create an alert policy.


• C. From the SharePoint admin center, modify the sharing settings.

• D. From the Microsoft 365 admin center, configure SharePoint.org settings.

Correct Answer: B

Question #290 Topic 1

You have a Microsoft 365 E5 tenant.

You create an auto-labeling policy to encrypt emails that contain a sensitive info type. You specify the
locations where the policy will be applied.

You need to deploy the policy.

What should you do first?

• A. Run the policy in simulation mode. Most Voted

• B. Turn on co-authoring for files with sensitivity labels.

• C. Review the sensitive information in Activity explorer.

• D. Turn on the policy.

Correct Answer: A

Community vote distribution

A (100%)

Question #291 Topic 1

You have a Microsoft 365 E5 subscription.

You create a data loss prevention (DLP) policy named DLP1.

You need to ensure that endpoint rule actions are available in the advanced DLP rules for DLP1.

To which location should you apply DLP1?

• A. Instances

• B. OneDrive accounts

• C. On-premises repositories

• D. Devices

Correct Answer: D

Question #292 Topic 1

You have a Microsoft 365 E5 subscription.

You need to create a mail-enabled contact.

Which portal should you use?

• A. the SharePoint admin center

• B. the Microsoft Defender portal

• C. the Intune admin center

• D. the Microsoft 365 admin center Most Voted

Correct Answer: D

Community vote distribution

D (100%)

Question #293 Topic 1

You have a Microsoft 365 E5 subscription that contains a domain named contoso.com.

You deploy a new Microsoft Defender for Office 365 anti-phishing policy named Policy1 that has user
impersonation protection enabled for a user named [email protected].

You discover that Policy1 blocks email messages from a regular contact
named [email protected].

You need to ensure that the messages are delivered successfully.

What should you do for Policy1?

• A. Select Enable domains to protect.

• B. Configure the Phishing email threshold setting.

• C. Configure which users to protect.

• D. Select Enable mailbox intelligence. Most Voted

Correct Answer: D

Community vote distribution

D (100%)

Question #294 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription.

You have devices onboarded to Microsoft Defender for Endpoint as shown in the following table.
You create the device groups shown in the following table.

IP address indicators are defined as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #295 Topic 1

Your company has a Microsoft Entra tenant named contoso.com and a Microsoft 365 subscription.

All users use Windows 10 devices to access Microsoft Office 365 apps.

All the devices are in a workgroup.

You plan to implement passwordless sign-in to contoso.com.

You need to recommend changes to the infrastructure for the planned implementation.

What should you include in the recommendation?

• A. Join all the devices to contoso.com. Most Voted

• B. Deploy Microsoft Entra Application Proxy.

• C. Deploy the Microsoft Entra Connect provisioning agent.

• D. Deploy the Microsoft Authenticator app.

Correct Answer: A

Community vote distribution

A (71%)

D (29%)

Question #296 Topic 1

You have a Microsoft 365 E5 subscription.

You plan to implement an authentication policy that will use a FIDO2 security key as a user
authentication method.

You need to ensure that during enrollment, each FIDO2 security key is verified by using the FIDO
Alliance Metadata Service.

Which setting should you enable?

• A. Allow self-service setup

• B. Restrict specific keys


• C. Enforce attestation Most Voted

• D. Enforce key restrictions

Correct Answer: C

Community vote distribution

C (100%)

Question #297 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription.

You are investigating a suspicious email message that generated alerts in the Microsoft Defender
portal.

You need to examine the email message header and submit the message to Microsoft for review.

Which two settings should you use? To answer, select the appropriate settings in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #298 Topic 1

You have a Microsoft 365 E5 subscription.

You create the users shown in the following table.

You plan to use Microsoft Entra ID Protection.

Which users will be added automatically to the User at risk detected alerts list?

• A. Admin1 only

• B. Admin2 only

• C. Admin1 and Admin2 only

• D. Admin1 and Admin3 only Most Voted

• E. Admin1, Admin2, and Admin3

Correct Answer: D

Community vote distribution

D (100%)

Question #299 Topic 1

HOTSPOT
-
You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

The subscription contains the groups shown in the following table.

Which users and groups can you delete? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #300 Topic 1

You have a Microsoft 365 E5 subscription.

You create a user named Admin1.

You need to ensure that Admin1 can view Endpoint security policies from the Microsoft Defender
portal. The solution must follow the principle of least privilege.

Which Microsoft Entra role should you assign to Admin1?

• A. Cloud Device Administrator

• B. Security Reader

• C. Global Reader

• D. Security Administrator

• E. Security Operator

Correct Answer: B

Community vote distribution

B (100%)

Question #301 Topic 1

You have a Microsoft 365 E5 subscription.

You plan to configure multi-factor authentication (MFA).


You need to select an authentication method for users. The solution must ensure that each time a
user is prompted for MFA, the application name that requires MFA is provided.

What should you select?

• A. SMS

• B. Microsoft Authenticator

• C. a voice call

• D. email OTP

• E. a FIDO2 security key

Correct Answer: B

Question #302 Topic 1

You have a Microsoft 365 E5 subscription.

You plan to use Microsoft Entra ID Protection.

You need to ensure that account passwords must be changed if account credentials are leaked.

What should you configure?

• A. a user risk policy Most Voted

• B. Password protection

• C. a sign-in risk policy

• D. self-service password reset (SSPR)

Correct Answer: A

Community vote distribution

A (86%)

14%

Question #303 Topic 1

HOTSPOT
-

You have a Microsoft Entra tenant that has security defaults enabled.

You create a user named Admin1.

You need to ensure that Admin1 can create and apply Conditional Access policies.

Which two settings should you configure? To answer, select the appropriate settings in the answer
area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #304 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription and use Microsoft Defender for Cloud Apps.

You have a cloud app named App1.

You need to implement a security solution for App1 that meets the following requirements:

• Enables the real-time monitoring of user activities


• Blocks specific activities as needed

What should you include in the solution for each requirement? To answer, select the appropriate
options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #305 Topic 1

You have a Microsoft 365 E5 subscription.

You plan to ingest syslog data from a supported firewall device to Microsoft Defender for Cloud Apps.

You need to configure automatic log upload.

Which two components should you configure for the log collector? Each correct answer presents a
complete solution.

NOTE: Each correct selection is worth one point.

• A. the receiver type Most Voted

• B. the data source Most Voted


• C. the username and password

• D. a connection string

• E. the host IP address or FQDN

Correct Answer: AB

Community vote distribution

AB (71%)

BE (29%)

Question #306 Topic 1

You have a Microsoft 365 subscription that uses Microsoft Defender XDR.

From Automatic remediation in the Microsoft Defender portal, you set Automation level to Semi –
require approval for non-temp folders for the endpoints.

You need to identify the impact of the Automation level setting on the endpoints.

Which two actions will occur based on the remediation settings? Each correct answer presents a
complete solution.

NOTE: Each correct selection is worth one point.

• A. Devices will be remediated only after end-user approval.

• B. Devices will be remediated automatically if a threat is detected in the \program files (X86)\*
folder

• C. Devices will be remediated automatically if a threat is detected in the \windows\ folder.

• D. Devices will be remediated automatically if a threat is detected in the \users\*\downloads\*
folder.

Correct Answer: BD

Question #307 Topic 1

You have a Microsoft 365 E5 subscription that contains devices onboarded to Microsoft Defender for
Endpoint.

You integrate Microsoft Defender for Cloud Apps with Defender for Endpoint.

You need to identify which cloud apps and services were used most during the last 30 days.

What should you do?

• A. Generate a monthly security summary report.

• B. Generate a Cloud Discovery snapshot report. Most Voted

• C. Create a threat analytics alert notification.


• D. Generate a Cloud Discovery executive report.

Correct Answer: B

Community vote distribution

B (100%)

Question #308 Topic 1

You have a Microsoft 365 E5 subscription that contains a user named User1.

You create an outbound anti-spam policy named Policy1 as shown in the following exhibit.
You assign Policy1 to User1.

What is the maximum number of email messages that User1 can send in a 24-hour period?

• A. 30

• B. 720
• C. 1000 Most Voted

• D. 1030

Correct Answer: B

Community vote distribution

C (67%)

B (33%)

Question #309 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription.

You connect a cloud app that contains a group named Group1 to Microsoft Defender for Cloud Apps.

You need to configure the Cloud apps settings to monitor all activities performed by the members of
Group1.

Which two settings should you configure? To answer, select the appropriate settings in the answer
area.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #310 Topic 1

You have a Microsoft 365 E5 subscription. The subscription contains a Microsoft SharePoint Online
site named Site1.

Site1 contains the following files:

• File.docx
• ImportantFile.docx
• File_Important.docx

From Microsoft Defender for Cloud Apps, you create a file policy named Policy1 that has the filter shown
in the following exhibit.
To which files will Policy1 apply?

• A. ImportantFile.docx and File_Important.docx only

• B. File.docx only

• C. File_Important.docx only Most Voted

• D. ImportantFile.docx only

• E. File.docx, ImportantFile.docx, and File_Important.docx

Correct Answer: C

Community vote distribution

C (100%)

Question #311 Topic 1

You have a Microsoft 365 E5 subscription. The subscription contains users that have the following
types of devices:

• Windows 10
• Android
• iOS

To which devices can you apply Endpoint DLP policies?

• A. Windows 10 only Most Voted

• B. Windows 10 and Android only

• C. Windows 10 and iOS only

• D. Windows 10, Android, and iOS

Correct Answer: A

Community vote distribution

A (100%)

Question #312 Topic 1

HOTSPOT
-

Your company has an office in London.

You have a Microsoft 365 subscription.

You need to create a Conditional Access policy named Policy1 that meets the following requirements:

• Only FIDO2 security keys, Windows Hello for Business, and certificates must be supported for
authentication.
• The London office must be marked as a trusted location and excluded from Policy1.

How should you configure Policy1? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #313 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription.

You plan to use Microsoft Graph PowerShell to perform the following tasks:

• Change the Company name property for all users.


• Create new Microsoft 365 groups.

Which PowerShell cmdlet should you run? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Question #314 Topic 1

You have a Microsoft 365 E5 subscription.

You plan to use a third-party protection service to scan email messages before they are delivered to
Microsoft 365.

You configure a mail flow rule to bypass spam filtering for incoming messages.

Which two messages will still be scanned by Microsoft 365 and cannot be bypassed by the mail flow
rule? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.


• A. a message that contains malware

• B. a high-confidence phishing message

• C. an encrypted message

• D. a message that includes HTML code

• E. a message that includes URL links

Correct Answer: AB

Question #315 Topic 1

You have a Microsoft 365 E5 subscription.

Administrators are issued FIDO2 security keys.

You need to create a Conditional Access policy that will use a FIDO2 security key as an
authentication method.

Which Access controls option should you select for the policy?

• A. Require approved client app

• B. Require token protection for sign-in sessions

• C. Require multifactor authentication

• D. Require authentication strength

Correct Answer: D

Community vote distribution

D (100%)

Question #316 Topic 1

You have a Microsoft 365 E5 subscription and use Microsoft Defender for Office 365.

You need to implement a social engineering awareness solution that meets the following
requirements:

• To reset a user’s password, emulate an email message that contains a link.


• Track any user that selects the email message link.
• Suggest further social engineering training.

What should you use in the Microsoft Defender portal?

• A. Attack simulation training Most Voted

• B. Learning hub

• C. Exposure insights

• D. Threat tracker

Correct Answer: A

Community vote distribution

A (100%)

Question #317 Topic 1

HOTSPOT
-

You have a Microsoft 365 subscription.

You integrate Microsoft Defender for Cloud Apps with Microsoft Defender for Endpoint.

You need to create a policy to block users from accessing discovered apps that have a risk score of 4
or lower.

Which two settings should you configure? To answer, select the appropriate settings in the answer
area.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #318 Topic 1

You have a Microsoft 365 E5 subscription that includes Microsoft Intune.

You manage all iOS devices by using Intune.

You plan to protect corporate-owned iOS devices by using Microsoft Defender for Endpoint. You
configure a connection between Intune and Defender for Endpoint.

You need to onboard the devices to Defender for Endpoint.

What should you do?

• A. Download an onboarding package.


• B. Create an app protection policy.

• C. Enable Microsoft Defender for Cloud.

• D. Add an app to Intune.

Correct Answer: D

Community vote distribution

D (100%)

Question #319 Topic 1

You have a Microsoft 365 E5 subscription and use Microsoft Defender for Cloud Apps.

You register a cloud app named App1 in Microsoft Entra ID.

You need to create an access policy for App1.

What should you do first?

• A. Deploy Conditional Access App Control to App1.

• B. Create an app tag for App1.

• C. Add a security information and event management (SIEM) agent to Defender for Cloud
Apps.

• D. Configure an app connector to Defender for Cloud Apps. Most Voted

Correct Answer: D

Community vote distribution

D (67%)

A (33%)

Question #320 Topic 1

You have a Microsoft 365 E5 subscription and use Microsoft Defender for Cloud Apps.

From Policy management, you open Information protection as shown in the following exhibit.
Which type of policy can you create?

• A. session policy

• B. activity policy

• C. OAuth app policy

• D. access policy

• E. file policy Most Voted

Correct Answer: E

Community vote distribution

Question #321 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription that contains three users named User1, User2, and User3.

You use Microsoft Entra ID Protection.

You configure the Users at risk detected alerts setting to send an alert when a user risk level of low or
above is detected.

Users are assigned the risk levels shown in the following table.
By the end of the day, how many alerts were generated for User1, and how many alerts were
generated for User2 and User3? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #322 Topic 1

You have a Microsoft 365 E5 subscription.

You plan to implement a data loss prevention (DLP) strategy by using Microsoft Purview.

You need to recommend a classification method for a DLP condition. The classification method must
automatically recognize document types based on existing documents in Microsoft SharePoint Online.

What should you recommend?

• A. sensitive information types (SITs)

• B. sensitivity labels

• C. trainable classifiers Most Voted

• D. exact data match (EDM) classifiers

Correct Answer: C

Community vote distribution

C (100%)

Question #323 Topic 1

You have a Microsoft 365 E5 subscription and use Microsoft Defender for Endpoint.

You integrate Microsoft Defender for Endpoint with Microsoft Intune.


From Microsoft Defender Vulnerability Management, you review the top security recommendations
and discover a recommendation to update Microsoft Edge (Chromium) to a later version.

You need to ensure that a security task is added to Intune to address the recommendation.

What should you do?

• A. From the Microsoft Intune admin center, configure Windows Autopatch.

• B. From the Microsoft Intune admin center, configure a security baseline.

• C. From the Microsoft Defender portal, select Request remediation. Most Voted

• D. From the Microsoft Defender portal, add an incident notification rule.

Correct Answer: C

Community vote distribution

C (100%)

Question #324 Topic 1

HOTSPOT
-

You have an Azure subscription.

You have a Microsoft 365 E5 subscription.

You are licensed to use Microsoft Defender XDR.

You need to monitor activities from suspicious IP addresses and unusual administrative activities in
Azure.

What should you use to monitor the activities, and what should you use to integrate Azure with
Microsoft Defender XDR? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #325 Topic 1

You have a Microsoft 365 E5 subscription and use Microsoft Defender for Cloud Apps.

The subscription contains users that have Windows 11 devices.

You need to use the Cloud Discovery snapshot report to analyze cloud app usage on the devices.

What should you do before generating a report?

• A. Create an activity policy.

• B. Deploy the Azure Monitor Agent on the devices.

• C. Export traffic logs from firewalls and proxies.

• D. Create an app discovery policy.

Correct Answer: C

Community vote distribution

C (100%)

Question #326 Topic 1

DRAG DROP
-

You have a Microsoft 365 E5 subscription and use Microsoft Defender for Cloud Apps.
You need to configure Cloud Discovery to generate a report that identifies top potential risks and
provides a workflow to mitigate and manage the risks.

Which three actions should you perform in sequence? To answer, move the appropriate actions from
the list of actions to the answer area and arrange them in the correct order.

Correct Answer:

Question #327 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription and use Microsoft Defender for Cloud Apps.

You need to create a file policy named Policy1 that meets the following requirements:

• Inspects files in connected software as a service (SaaS) apps


• Inspects protected files

Which two settings should you configure? To answer, select the appropriate settings in the answer
area.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #328 Topic 1

You have a Microsoft 365 E5 subscription.

You plan to create an anti-malware policy named Policy1.

You need to ensure that Policy1 can detect malicious email messages that were already delivered to
a user's mailbox.

What should you do in the Microsoft Defender portal?

• A. Enable zero-hour auto purge (ZAP).

• B. Enable enhanced filtering.

• C. Configure a quarantine policy.

• D. Modify the common attachments filter.

Correct Answer: A

Community vote distribution

A (67%)

B (33%)

Question #329 Topic 1

You have a Microsoft 365 E5 subscription.

You need to use Microsoft Defender for Cloud Apps to monitor user mailbox activities.

What should you do?

• A. Create an activity policy.

• B. Create an access policy.

• C. Enable mailbox audit logging.

• D. Create an app connector for Microsoft 365.

Correct Answer: C

Community vote distribution

A (60%)

C (40%)

Question #330 Topic 1

HOTSPOT
-
You have a Microsoft 365 E5 subscription that contains a user named User1. User1 has a Windows
11 device named Device1 that is onboarded to Microsoft Defender for Endpoint.

User1 reports that various files were deleted from Device1.

You need to create a filter to identify which service deleted the files.

Which settings should you configure, and which type of filter should you create in the Microsoft
Defender portal? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #331 Topic 1

You have a Microsoft 365 subscription that includes Microsoft Intune and Microsoft Defender XDR.

All users have devices that run Windows 11.

From the Microsoft Defender portal, you review the Microsoft Secure Score recommendations. One of
the top recommendations is to block all Microsoft Office applications from creating child processes.

You need to increase the secure score by addressing the recommendation.

What should you do?

• A. Select Safe Documents for Office clients.

• B. Create a policy for Office applications.

• C. Configure an endpoint detection and response (EDR) policy.

• D. Create an attack surface reduction (ASR) policy.

Correct Answer: D

Question #332 Topic 1

You have a Microsoft 365 E5 subscription and use Microsoft Defender for Office 365.

You need to implement a social engineering awareness solution that meets the following
requirements:

• To reset a user's password, emulate an email message that contains a link.


• Track any user that selects the email message link.
• Suggest further social engineering training.

What should you use in the Microsoft Defender portal?

• A. Exposure insights

• B. Learning hub

• C. Attack simulation training

• D. Threat tracker

Correct Answer: C

Question #333 Topic 1

You have a Microsoft 365 E5 subscription and use Microsoft Defender for Office 365.

You are configuring Attack simulation training that will target all users and use the Credential Harvest
social engineering technique.

You need to ensure that the simulation sends an email message that contains a custom phishing link
and company-based terminology and branding.

How should you configure the simulation?

• A. Create a Tenant payload. Most Voted

• B. Select a Global payload.

• C. Select custom end-user notifications.


• D. Create a tenant landing page.

Correct Answer: A

Community vote distribution

A (55%)

C (45%)

Question #334 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

You use Microsoft Entra ID Protection.

For the Users at risk detected alerts setting, you configure the following:

• Recipient: Admin1
• Alert on user risk level at or above: Medium

User1 signs in to Microsoft 365 services and is assigned the detected risk levels shown in the
following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #335 Topic 1

You have a Microsoft 365 E5 subscription that contains Windows 11 devices.

All the devices are onboarded to Microsoft Defender for Endpoint.

You need to compare the configuration of the devices against industry standard benchmarks.

What should you use?

• A. Initiatives

• B. Events

• C. Security baselines assessment

• D. Attack surface map

Correct Answer: C

Question #336 Topic 1

You have a Microsoft 365 E5 subscription and use Microsoft Defender for Endpoint.
Defender for Endpoint has tamper protection enabled.

You have a device named Device1 that is onboarded to Defender for Endpoint.

You need to configure antivirus and real-time protection for Device1.

What should you do in the Microsoft Defender portal?

• A. Initiate a live response session.

• B. Create a device group. Most Voted

• C. Enable troubleshooting mode.

• D. Isolate Device1.

Correct Answer: B

Community vote distribution

C (50%)

B (50%)

Question #337 Topic 1

You have a Microsoft 365 E5 subscription.

You plan to configure Privileged Identity Management (PIM) for the User Administrator role in
Microsoft Entra.

You need to ensure that a user can make a role assignment request for the User Administrator role
only during the next six months.

How should you configure the assignment?

• A. Set Assignment type to Eligible.

• B. Set Assignment type to Active.

• C. Set Allow permanent active assignment to Yes.

• D. Set Allow permanent eligible assignment to Yes.

Correct Answer: A

Question #338 Topic 1

DRAG DROP
-

You have a Microsoft 365 E5 subscription that contains two security groups named Group1 and
Group2.

You need to recommend an authentication solution that meets the following requirements:
• Members of Group1 must be able to authenticate by using a hardware token.
• Members of Group2 must be able to authenticate by using a public key infrastructure (PKI).

Which authentication method should you recommend for each group? To answer, drag the
appropriate methods to the correct groups. Each method may be used once, more than once, or not
at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #339 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

Which users can create user objects, and which users can create Microsoft 365 groups? To answer,
select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #340 Topic 1

HOTSPOT
-

You have a hybrid deployment of Microsoft Entra that contains the users shown in the following table.

You need to identify which users can perform the following tasks:

• View sync errors in Microsoft Entra Connect Health.


• Configure Microsoft Entra Connect Health settings.

Which user should you identify for each task? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #341 Topic 1

You have a Microsoft 365 subscription that contains a Microsoft Entra tenant named contoso.com.
The tenant includes a user named User1.

You enable Microsoft Entra ID Protection.

You need to ensure that User1 can review the list in Microsoft Entra ID Protection of users flagged for
risk. The solution must use the principle of least privilege.

To which role should you add User1?

• A. Security Reader

• B. Reports Reader

• C. Compliance Administrator

• D. Owner

Correct Answer: A

Question #342 Topic 1

Note: This section contains one or more sets of questions with the same scenario and problem. Each
question presents a unique solution to the problem. You must determine whether the solution meets
the stated goals. More than one solution in the set might solve the problem. It is also possible that
none of the solutions in the set solve the problem.

After you answer a question in this section, you will NOT be able to return. As a result, these questions
do not appear on the Review Screen.

You have a Microsoft 365 E5 subscription and use Microsoft Defender for Office 365.
You need to implement a threat policy that will apply a balanced baseline protection profile to protect
against spam, phishing, and malware.

Solution: You create a Strict preset security policy.

Does this meet the goal?

• A. Yes

• B. No

Correct Answer: B

Question #343 Topic 1

Note: This section contains one or more sets of questions with the same scenario and problem. Each
question presents a unique solution to the problem. You must determine whether the solution meets
the stated goals. More than one solution in the set might solve the problem. It is also possible that
none of the solutions in the set solve the problem.

After you answer a question in this section, you will NOT be able to return. As a result, these questions
do not appear on the Review Screen.

You have a Microsoft 365 E5 subscription and use Microsoft Defender for Office 365.

You need to implement a threat policy that will apply a balanced baseline protection profile to protect
against spam, phishing, and malware.

Solution: You create an anti-malware policy.

Does this meet the goal?

• A. Yes

• B. No

Correct Answer: B

Question #344 Topic 1

Note: This section contains one or more sets of questions with the same scenario and problem. Each
question presents a unique solution to the problem. You must determine whether the solution meets
the stated goals. More than one solution in the set might solve the problem. It is also possible that
none of the solutions in the set solve the problem.

After you answer a question in this section, you will NOT be able to return. As a result, these questions
do not appear on the Review Screen.

You have a Microsoft 365 E5 subscription and use Microsoft Defender for Office 365.

You need to implement a threat policy that will apply a balanced baseline protection profile to protect
against spam, phishing, and malware.
Solution: You create a Standard preset security policy.

Does this meet the goal?

• A. Yes

• B. No

Correct Answer: A

Question #345 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription.

You need to create a Conditional Access policy named Policy1 that meets the following requirements:

• Applies to high-risk users


• Requires multifactor authentication (MFA)

Which two settings should you configure? To answer, select the appropriate settings in the answer
area.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #346 Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription.

You plan to create a Conditional Access policy named Policy1.

You need to ensure that only Passwordless MFA authentication methods are used when
administrators attempt to access the Azure portal, Azure PowerShell, or Azure Command-Line
Interface (CLI).

How should you configure Policy1? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #347Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription and use Microsoft Defender for Endpoint. The subscription
contains the devices shown in the following table.

You need to create the Endpoint security policies shown in the following table.

To which device can you apply each policy? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #348Topic 1

You have a Microsoft 365 E5 subscription.

You need to create a mail-enabled contact.

Which portal should you use?

• A. the Microsoft Entra admin center

• B. the Intune admin center

• C. the Microsoft Purview compliance portal

• D. the Exchange admin center Most Voted

Correct Answer: D

Community vote distribution

D (100%)

Question #349Topic 1

Note: This section contains one or more sets of questions with the same scenario and problem. Each
question presents a unique solution to the problem. You must determine whether the solution meets
the stated goals. More than one solution in the set might solve the problem. It is also possible that
none of the solutions in the set solve the problem.

After you answer a question in this section, you will NOT be able to return. As a result these questions
do not appear on the Review Screen.

You have a Microsoft 365 E5 subscription.


You integrate Microsoft Defender for Endpoint with Microsoft Intune.

You need to ensure that devices automatically onboard to Defender for Endpoint when they are
enrolled in Intune.

Solution: You create an endpoint detection and response (EDR) policy.

Does this meet the goal?

• A. Yes

• B. No

Correct Answer: A

Question #350Topic 1

Note: This section contains one or more sets of questions with the same scenario and problem. Each
question presents a unique solution to the problem. You must determine whether the solution meets
the stated goals. More than one solution in the set might solve the problem. It is also possible that
none of the solutions in the set solve the problem.

After you answer a question in this section, you will NOT be able to return. As a result these questions
do not appear on the Review Screen.

You have a Microsoft 365 E5 subscription.

You integrate Microsoft Defender for Endpoint with Microsoft Intune.

You need to ensure that devices automatically onboard to Defender for Endpoint when they are
enrolled in Intune.

Solution: You enable co-management.

Does this meet the goal?

• A. Yes

• B. No

Correct Answer: B

Question #351Topic 1

Note: This section contains one or more sets of questions with the same scenario and problem. Each
question presents a unique solution to the problem. You must determine whether the solution meets
the stated goals. More than one solution in the set might solve the problem. It is also possible that
none of the solutions in the set solve the problem.

After you answer a question in this section, you will NOT be able to return. As a result these questions
do not appear on the Review Screen.

You have a Microsoft 365 E5 subscription.


You integrate Microsoft Defender for Endpoint with Microsoft Intune.

You need to ensure that devices automatically onboard to Defender for Endpoint when they are
enrolled in Intune.

Solution: You configure a device configuration profile.

Does this meet the goal?

• A. Yes

• B. No

Correct Answer: B

Question #352Topic 1

You have a Microsoft 365 E5 subscription that contains a user named User1.

You have a Conditional Access policy applied to a cloud-based app named App1. App1 has
Conditional Access App Control deployed.

You need to create a Microsoft Defender for Cloud Apps policy to block User1 from printing from
App1.

Which type of policy should you create?

• A. activity policy

• B. session policy Most Voted

• C. OAuth app policy

• D. Cloud Discovery anomaly detection policy

Correct Answer: B

Community vote distribution

B (100%)

Question #353Topic 1

You have a Microsoft 365 E5 subscription and use Microsoft Defender for Cloud Apps.

You plan to perform a security audit of all the apps detected by Cloud Discovery.

You need to track which apps were audited. The solution must ensure that the list of audited apps can
be displayed in the cloud app catalog.

What should you do?

• A. Define each app as a critical asset.

• B. Deploy Conditional Access App Control.


• C. Enable app governance.

• D. Generate a Cloud Discovery snapshot report.

• E. Apply a custom app tag to each app. Most Voted

Correct Answer: E

Community vote distribution

E (100%)

Question #354Topic 1

You use Microsoft Defender for Office 365.

You plan to automate an attack simulation campaign.

Any users that fail the simulation must take additional training based on the simulation results.

What is the maximum number of days the training will be available to the users after the simulation?

• A. 7

• B. 15

• C. 30 Most Voted

• D. 45

Correct Answer: C

Community vote distribution

C (100%)

Question #355Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription.

The subscription contains users that have devices onboarded to Microsoft Defender for Endpoint.
Defender for Endpoint is configured to forward signals to Microsoft Defender for Cloud Apps.

Cloud Discovery identifies a risky web app named App1.

You need to block users from connecting to App1 from Microsoft Edge. Users must be able to bypass
the restriction.

Which type of app tag should you use, and what should you configure to integrate Defender for
Endpoint with Defender for Cloud Apps? To answer, select the appropriate options in the answer
area.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #356Topic 1

You have a Microsoft 365 E5 subscription.

You need to assign a Microsoft Defender for Endpoint baseline.

Which portal should you use?

• A. the Microsoft Intune admin center Most Voted

• B. the Microsoft Purview compliance portal

• C. the Microsoft Defender portal

• D. the Microsoft 365 admin center

Correct Answer: A

Community vote distribution

A (86%)

14%

Question #357Topic 1

You have a Microsoft 365 E5 subscription.

You need to create a mail-enabled contact.

Which portal should you use?

• A. the Microsoft Entra admin center

• B. the Exchange admin center

• C. the Intune admin center

• D. the SharePoint admin center

Correct Answer: B

Question #358Topic 1

You have a Microsoft 365 E5 subscription.

You need to be alerted when Microsoft Defender XDR detects high-severity incidents.

What should you use?

• A. a custom detection rule

• B. a threat policy

• C. a notification rule

Correct Answer: C

Community vote distribution

C (100%)

Question #359Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription that contains the identities shown in the following table.

From the Microsoft Defender portal, you create an anti-spam inbound policy named Policy1 that has
the following settings:

• Include these users, groups and domains
o Users: User3
o Groups: Group 1
• Exclude these users, groups and domains
o Users: User1

Policy1 has the following Bulk email threshold & spam properties settings:

• Mark as spam
o Empty messages: On
o Object tags in HTML: On
o Sensitive words: Off
o Backscatter: On

Policy1 has the following Actions settings:

• Message actions
o Spam: Move message to Junk Email folder
o High confidence spam: Move message to Junk Email folder

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #360Topic 1

Note: This section contains one or more sets of questions with the same scenario and problem. Each
question presents a unique solution to the problem. You must determine whether the solution meets
the stated goals. More than one solution in the set might solve the problem. It is also possible that
none of the solutions in the set solve the problem.

After you answer a question in this section, you will NOT be able to return. As a result these questions
do not appear on the Review Screen.

You have a Microsoft 365 E5 subscription.

You integrate Microsoft Defender for Endpoint with Microsoft Intune.

You need to ensure that devices automatically onboard to Defender for Endpoint when they are
enrolled in Intune.

Solution: You configure a compliance policy.

Does this meet the goal?

• A. Yes

• B. No

Question #361Topic 1

You have a Microsoft 365 subscription and use Microsoft Defender for Office 365.

You need to create a policy to ensure that any email message containing an attachment that has the
.extl extension is quarantined for inspection.

Which type of policy should you create?

• A. anti-phishing

• B. quarantine

• C. anti-spam

• D. anti-malware

Correct Answer: D

Community vote distribution

D (100%)

Question #362Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription that contains the groups shown in the following table.

You plan to create 10 new users and configure group-based licensing to assign each user a Microsoft
365 E5 license.

To which group should you add the users, and which portal should you use to assign the license? To
answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #363Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription that contains a Windows 11 device named Device1.
Device1 is onboarded to Microsoft Defender for Endpoint.

You need to ensure that Device1 is blocked from connecting to IP address 131.107.10.15.

What should you configure in the Microsoft Defender Endpoint settings? To answer, select the
appropriate settings in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Question #364Topic 1

HOTSPOT
-

You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

You configure a Multifactor authentication registration policy that has the following settings:

• Assignments:
o Include: Group1
o Exclude: Group2
• Controls: Require Microsoft Entra ID multifactor authentication registration
• Policy enforcement: Enabled

You create a conditional access policy that has the following settings:

• Name: Policy1
• Assignments:
o Include: Group2
o Exclude: Group1
• Grant: Require multifactor authentication
• Enable policy: On

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.


Correct Answer:

Question #365Topic 1

HOTSPOT
-

Your company has offices in Montreal, Seattle, and New York City.

You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

The offices have the IP addresses shown in the following table.

From Microsoft Defender for Cloud Apps, you create the activity policy shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.


Correct Answer: