Carlos N-MS-500: Microsoft 365 Security Administration

How long does the designated approver at the customer organization have to respond to a Customer Lockbox request after it is issued? -12 hours -24 hours -48 hours

12 hours Customer Lockbox requests have a default duration of 12 hours. If the customer designated approver does not respond to a request within 12 hours, the request expires.

Which is the recommended mode to start with when deploying Azure AD Password Protection? -Audit mode -None -Enforced mode

Audit mode Audit mode is the default initial setting, where passwords can continue to be set. Passwords that would be blocked are recorded in the event log.

Which of the following is not an Attack Simulator scenario? -Spear phishing -Password spray -Bitcoin mining

Bitcoin mining Bitcoin mining is not an Attack Simulator scenario.

In which section of the Azure AD Sign-in logs workbook can an administrator find information that users are required to perform multifactor authentication (MFA) to validate their identity. -Sign-in Location -Conditional Access status -Sign-ins by Device.

Conditional Access status The Conditional Access status table shows which users are required to perform MFA to validate their identity.

Which component of sensitive information types uses more evidence to reduce false positives? -Character proximity -Primary pattern -Confidence level

Confidence level

Which of the following cmdlets lets you view your current role groups? -Get-RoleGroup -View-RoleGroup -Display-RoleGroup

Get-RoleGroup Yes, this cmdlet displays the role groups.

Which of the following options is a valid Microsoft 365 Defender for Endpoint onboarding option for Windows 10 devices? -Group policy -Microsoft Store -General install package

Group policy Group policy is a valid deployment option.

Holly Spencer is the Enterprise Administrator for Fabrikam. Fabrikam uses Intune as its mobile device management solution. Holly configured multiple compliance policies and an Intune configuration policy. She later discovered that a couple of the settings from the compliance policies overlapped. How will Intune resolve these policy conflicts? -Intune uses the most secure of these policies -The settings in the compliance policy will take precedence over the settings in the Intune configuration policy -The settings in the Intune configuration policy will apply if it's more secure than the compliance policy

Intune uses the most secure of these policies If policy settings overlap and the organization deployed multiple compliance policies, Intune uses the most secure of these policies.

The workflow for identifying and resolving compliance issues with Microsoft Purview Communication Compliance can be broken down into four phases. In which phase do you review user activity history? -Remediate -Configure -Investigate

Investigate In this step, you look deeper into the issues detected as matching your communication compliance policies.

Which Default Role Assignment policy lets a user edit their address information in the global address list (GAL)? -MyContactInformation -MyMobileInformation -MyPersonalInformation

MyContactInformation Yes, the MyContactInformation Role Assignment policy lets a user edit their address information.

If you want to define past and future review periods that are triggered after policy matches based on events and activities for the insider risk management policy templates, which policy setting do you select? -Indicators -Policy timeframes -Intelligent detections

Policy timeframes Depending on the template, you select the timeframes available are activation window and past activity detection.

Contoso has chosen to implement Conditional Access policies. Conditional Acccess will enable it to protect the company's regulated content by requiring certain criteria be met before granting access to the content. What prerequisite must Contoso complete to implement Conditional Access policies? -Install Microsoft Intune -Purchase an Azure AD Premium license -Implement Azure AD Identity Governance

Purchase an Azure AD Premium license Conditional Access is an Azure Active Directory capability that's included with an Azure Active Directory Premium license.

With communication compliance policies, you can choose to scan messages in one or more platforms. Which of the following supported communication types includes LinkedIn? -Third-party sources -Microsoft Teams -Skype for Business online

Third-party sources Even though LinkedIn is owned by Microsoft, it is considered a third-party source when scanning. Connectors support LinkedIn and other third-party sources.

What are retention tags used for? -To group retention policies. -To take action on an item. -To apply retention settings to messages and folders.

To apply retention settings to messages and folders. Yes, retention tags apply retention settings. You group multiple tags into a retention policy.

Which one of the following elements cannot be part of the workbook? -Charts -Tables -Videos

Videos A workbook cannot contain videos.

Azure AD group-based licensing makes large-scale management easier. Typically, how soon are license modifications effective after group membership changes are made? -Within the timeframe of local domain controllers being refreshed. -Within minutes of a membership change. -Within 24 hours of a membership change.

Within minutes of a membership change. License modifications that result from group membership changes are typically effective within minutes of a membership change.

How can all messages of a single Exchange mailbox be retained? -Activating litigation hold on the mailbox. -Using single item recovery. -Using a preservation hold library.

Activating litigation hold on the mailbox. Litigation hold is the right answer.

Which of the following items enables you to prevent unintended sharing of documents created from official company templates? -Keyword Dictionary -Document Fingerprinting -Proximity indicators

Document Fingerprinting

What are dynamic groups? -Dynamic groups are Microsoft 365 groups whose memberships consist of Dynamics 365 users, who require special attribute configurations. -Dynamic groups are security groups whose memberships are based on user attributes (such as userType, department, or country/region). -Dynamic groups are groups whose membership numbers fluctuate significantly within a given timeframe

Dynamic groups are security groups whose memberships are based on user attributes (such as userType, department, or country/region). Dynamic groups are security groups whose memberships are based on user attributes.

Which security permission allows the configuration of storage settings? -Manage security settings in Security Center -Manage portal system settings -Advanced commands

Manage portal system settings This permission allows the configuration of storage settings.

Which action do you have to add to a DLP policy when you want to display a tip to your users? -Notify only -Notify the sender with a Policy Tip -Show the sender a Policy Tip -Show all Policy Tips

Notify the sender with a Policy Tip Yes, you need to add the Notify the sender with a Policy Tip action.

Which authentication method requires the least effort regarding deployment, maintenance, and infrastructure? -Password hash synchronization (PHS). -Pass-through authentication (PTA). -Federated authentication.

Password hash synchronization (PHS). PHS requires the least effort regarding deployment, maintenance, and infrastructure. Useful to organizations that only need their users to sign in to Microsoft 365, SaaS apps, and other Azure AD-based resources.

As the Enterprise Administrator for Tailspin Toys, you're investigating the default password policy settings for Microsoft 365 users. Which of the following statements accurately reflects the Microsoft 365 password policy settings? -Passwords expire after 60 days, and users receive an expiration notification 10 days before it occurs -Passwords expire after 45 days, and users receive an expiration notification 7 days before it occurs -Passwords expire after 90 days, and users receive an expiration notification 14 days before it occurs

Passwords expire after 90 days, and users receive an expiration notification 14 days before it occurs Passwords expire after 90 days, and users receive an expiration notification 14 days before it occurs.

A conditional access policy can be created that includes many settings. Which of the following items is an Access Control setting that can be included in a conditional access policy? -Persistent browser session -Users and groups -Device state

Persistent browser session This access control setting allows users to remain signed in after closing and reopening their browser window.

Which of the following threat protection features require a subscription? -Anti-malware protection -Protection from malicious URLs -Zero-hour auto purge

Protection from malicious URLs This feature requires a subscription.

An administrator wants to open a previously saved query. After opening the Logs page in Microsoft Sentinel, which one of the following options must the administrator select? -Queries -Query explorer -Tables pane

Query explorer The Query Explorer link in the page header helps you access your previously saved queries.

What is journaling? -Recording the activities of your day. -Keeping track of how many messages each user in your environment sends. -Recording all communications in your environment..

Recording all communications in your environment.. Yes, Exchange uses journaling and journal rules to record all of the communications you need for your retention and archival strategy.

There are two risk policies that can be enabled in the directory. One is user risk policy. Which is the other risk policy? -Mobile device access risk policy -Sign-in risk policy -Hybrid identity sign-in risk policy

Sign-in risk policy Sign-in risk policy: The sign-in risk policy detects suspicious actions that come along with the sign-in. It's focused on the sign-in activity directly. Sign-in risk policy analyzes the probability that the sign-in wasn't performed by the user.

The default data retention period in Microsoft 365 Defender for Endpoint is? -One month -Six months -Three months

Six months The default is six months.

It can be difficult for organizations to review all the collected documents in a review set when a large number of documents are involved. eDiscovery (Premium) provides a set of tools to make the review process more manageable, efficient, and effective. In the "Near duplicate detection" tool, once all documents have been compared and grouped, what is a document from each group marked as? -The pivot -The theme -The primary

The pivot Once all documents have been compared and grouped, a document from each group is marked as the pivot. When reviewing your documents, you can review a pivot first and review the other documents in the same near duplicate set. This process enables you to focus on the difference between the pivot and the document that's in review.

Who can view a quarantined message? -Only the recipient -Only an admin -The recipient or an admin

The recipient or an admin a quarantined message can be viewed by the recipient or an admin.

You opted to retain content using the basic path under Settings. You selected when it was last modified in Teams conversations. What will happen? -The retention period begins when messages were created. -The retention period begins based on when the messages were last modified. -The retention period is based on when messages were sent or received.

The retention period is based on when messages were sent or received. Regardless of what you choose, the retention period on content in Teams conversations will be based on when messages or conversations were sent or received.

In Microsoft Graph, which three APIs expose information about risky users and sign-ins? -riskDetection, riskyUsers, signIn -riskDetection, itemActivity, signIn -riskyUsers, signIn, IdentitySet

There are three APIs that expose information about risky users and sign-ins. RiskDetection, allows you to query Microsoft Graph for a list of user and sign-in linked risk detections. You'll also get associated information about the detection. The second API, riskyUsers, allows you to query Microsoft Graph for information about users that Identity Protection detected as being risky. The API, signIn, allows you to query Microsoft Graph for information on Azure AD sign-ins. The information contains specific properties related to risk state, detail, and level.

Azure AD B2B can be configured to federate with identity providers that use either of two protocols. One protocol is Security Assertion Markup Language (SAML); what is the other protocol? -WS-Federation (WS-Fed) -Layer 2 Tunneling Protocol (L2TP) -Resource Location Protocol (RLP)

WS-Fed WS-Fed is one of two protocols that Azure AD B2B can make use of to federate with identity providers.

What is the name of the eDiscovery-related role group name in the Microsoft 365 Defender portal? -eDiscoveryManagement -eDiscoveryManager -eDiscoveryAdministrator

eDiscoveryManager This is the correct role.

True or false? Microsoft Defender for Office 365 requires an agent to be deployed to all Windows 10 devices in your organization for the best protection. -True -False

False Microsoft Defender for Office 365 is a cloud-based email filtering service that helps protect your organization. No agents are deployed.

True or false: If you select to choose manual approval for high risk tasks like setting a journal rule, you cannot choose a different approval group beyond the default approval group. -True -False

False You can keep the default group identified and you can choose a different approval group if you want to.

There are several communication remediation actions available to organizations. Which of the following remediation actions cannot be re-opened? -Escalate - Tag As -False positive

False positive You can always resolve a message as a false positive at any point during the message review workflow. The message cannot be reopened, and all false positive messages are displayed in the Resolved tab.

Maintaining patient privacy is a top priority in the Health Care industry. As a senior care facility, what best practice should you employ using the ready-to-use U.S personal information policy template? -Create a custom policy to identify HIPAA-protected information. -Turn on the policy right away. -Test the policy before releasing it.

Test the policy before releasing it. In most cases, you will want to test the DLP policy to make sure it is functioning as expected and meets your specific organization's needs.

After a Subject Rights Request is completed, where do the results show up in the compliance portal? -The Data collected tab. -Request results page. -The Request Audit log.

The Data collected tab.

Some situations might require the removal of a server from being monitored by the Azure AD Connect Health service. What needs to be done to start monitoring the same server again? -The Azure AD Connect Health service needs to be stopped and restarted on any other targeted server in the network. -The Health Agent needs to be uninstalled and reinstalled on this server -The data already collected from this server needs to be deleted and then the Health Agent needs to be reactivated on the server.

The Health Agent needs to be uninstalled and reinstalled on this server To start monitoring a server again, the Health Agent needs to be uninstalled and reinstalled

A user sends an email to several recipients containing 16 unique credit card numbers that match a single DLP Policy rule with this sensitive information type. How many lines will display on the DLP Policy matches report? -1 -3 -16

1 The DLP policy matches report shows matches at a rule level. If an email matched three different rules, the DLP policy matches report would show three different line items. By contrast, the DLP incidents report shows matches at an item level. If an email matched three different rules, the incidents report shows a single line-item for that item.

How long are deleted users retained by Azure AD by default? -14 days -30 days -60 days

30 days By default with Azure AD, a deleted user is in a deleted state for 30 days. During which time they can be restored by an administrator if necessary.

When a Customer Lockbox request is approved by the organization, what is the maximum period for access permissions granted to the Microsoft engineer? -4 hours -8 hours -24 hours

4 hours Currently, the maximum period for the access permissions granted to the Microsoft engineer is 4 hours. The Microsoft engineer can also request a shorter period.

Which is the best sensitive information type for a large list of custom keywords? -A built-in sensitive information type. -A Keyword List in a custom sensitive information type. -A Keyword Dictionary.

A Keyword Dictionary. A large number of keywords can be used best in a Keyword Dictionary.

The primary use case of information barriers is represented in which of the following statements? -An individual wants to keep their work private from the public. -A department is handling information that should not be shared with other groups or departments. -An organization wants to break down silos and allow searching across all business units.

A department is handling information that should not be shared with other groups or departments. Information barriers in Office 365 are policies that a compliance administrator or information barriers administrator can configure to prevent individuals or groups from communicating with each other.

As the Enterprise Administrator for Lucerne Publishing, Patti Fernandez has deployed eDiscovery (Premium). Lucerne is responding to a legal case, so Patti created a case for it in the Microsoft Purview compliance portal. Custodians were added to the case, and Patti conducted a search of custodial data sources for relevant data. What's the next step that Patti should complete in the eDiscovery (Premium) workflow? -Reindex custodian data -Add data to a review set -Send a legal hold notification to custodians

Add data to a review set Once you've configured and verified that a search returns the expected data, the next step is to add the search results to a review set. When you add data to a review set, items are copied from their original location to a secure Azure Storage location. The data is reindexed again to optimize it for thorough and fast searches when reviewing and analyzing items in the review set.

Contoso is implementing eDiscovery (Premium) in Microsoft Purview. As the Enterprise Administrator for Contoso, Holly Dickson has created an eDiscovery case in the Microsoft Purview compliance portal. The purpose of the case is to address a legal issue facing the company. Several Contoso employees have since been identified as potential persons of interest in the investigation. What should Holly do next? -Place a legal hold on the data sources associated with the case -Add the employees as custodians to the case -Send legal hold notifications to the employees and track their acknowledgments

Add the employees as custodians to the case After an organization identifies potential persons of interest in an investigation, it can add them as custodians to an eDiscovery (Premium) case. After users are added as custodians, it's easy to preserve, collect, and review custodian documents.

Users assigned limited administrator directory roles can use the Azure portal to invite B2B collaboration users. You can invite B2B collaboration users to a directory or to a group. What other activities can B2B collaboration users be invited? -Limited self-service functionality for modifying their profiles. -Network resources such as printers. -An application.

An application. -B2B collaboration users can also be invited to an application.

Before you can get started with privileged access management you need to do which of the following? -Create an approver's group -Enable privileged access -Create an access policy

Create an approver's group Before you start using privilege access, determine who needs approval authority for incoming requests for access to elevated and privileged tasks. Any user who is part of the Approvers' group is able to approve access requests.

When would you use Mobile Application Management (MAM) without enrollment to protect sensitive data in a work or school-related app? -Bring-your-own-device (BYOD) scenarios -Smart lockout policies -Session management controls

Bring-your-own-device (BYOD) scenarios MAM app protection policies allow you to manage and protect your organization's data within an application. With MAM without enrollment (MAM-WE), a work or school-related app that contains sensitive data can be managed on almost any device, including personal devices in BYOD scenarios.

Which of the following is not a component of Microsoft Defender for Endpoint? -Next generation protection -Endpoint detection and response -Cloud device management

Cloud device management Cloud device management is not a component of security administration of Microsoft Defender for Endpoint.

If a customer has stringent encryption requirements for key management that mandate keys are rolled every year, which of the following Microsoft 365 features should the customer use? -Microsoft Managed Keys -Availability key -Customer Key

Customer Key Customer Key provides customers the ability to manage encryption keys, which includes key rolling and key revocation.

Which of the following items is a True statement regarding conditional access policies? -Conditional Access policies are enforced after second-factor authentication is completed -Conditional Access is intended to be an organization's first line of defense for scenarios like denial-of-service (DoS) attacks -Conditional Access can take into account common signals from first line of defense scenarios to determine access

Conditional Access can take into account common signals from first line of defense scenarios to determine access Conditional Access policies are enforced after first-factor authentication is completed. Conditional Access isn't intended to be an organization's first line of defense for scenarios like denial-of-service (DoS) attacks. However, it can use signals from these events to determine access.

Which task can a user with the Security Operator role perform? -Configure alerts -Confirm safe sign-in -Reset a password for a user

Confirm safe sign-in Security Operators can view all Identity Protection reports and the Overview screen, dismiss user risk, confirm safe sign-in, and confirm compromise.

What is the default action for a message with an SCL of 5? -Deliver the message to the recipient's inbox -Deliver the message to the recipient's Junk Email folder -Delete the message

Deliver the message to the recipient's Junk Email folder Yes, messages with an SCL of 5 or higher are delivered to the recipient's Junk Email folder

A security operations analyst wants to fine-tune their DLP policies based on user input. Which report should they use to gather information? -DLP false positives and overrides -DLP incidents -DLP policy matches

DLP false positives and overrides You can allow users to report false positives and override protective actions. You can use the information of these actions to reduce the number of false positives or interruptions of legitimate business processes.

A security operations analyst wants to identify items in their organization that might contain a high volume of sensitive information based on your DLP policies. Which report should they use to gather information? -DLP false reports and overrides -DLP incidents -DLP policy matches

DLP incidents This report is used to identify items with a high volume of matches which can indicate a high volume of sensitive information.

A security operations analyst wants to fine-tune their DLP policies before activating policy tips. Which report should they use to gather information? -DLP incidents -DLP policy matches -DLP false positives and overrides

DLP policy matches This report shows you all rule matches and allows you to review the accuracy of matches for fine-tuning.

As Contoso's enterprise administrator, you're creating an access package within Azure AD entitlement management. This package will manage access to SharePoint Online sites for your internal users. As part of the access package, you're creating an internal user policy. Which of the following items must you define as part of the internal user policy? -The sites that Contoso's internal users need access to -The roles that Contoso's internal users must be assigned to access the sites -Contoso's internal users who are eligible to request access

Contoso's internal users who are eligible to request access Within each access package policy, an administrator or access package manager must define the users who are eligible to request access, the approval process, the users who can approve or deny access, and the duration of a user's access assignment, once it's approved.

What are the different types of risk management policy templates? -Data loss prevention, Data in transit, and Data breach. -Data overexposure, Data transfers, and Data minimization. -Data encryption, Data labeling, and Data anonymization.

Data overexposure, Data transfers, and Data minimization. Data overexposure, Data transfers, and Data minimization are the three policy types for Microsoft Priva risk management.

One of the first steps in investigating a possible violation is understanding the intent of the communication. Which of the following flexible remediation workflows will provide insight into the context of the communication during investigation? -Keyword highlighting -Conversation threading -Exact and near duplicated detection

Conversation threading Messages are now visually grouped by original message and all associated reply messages, giving you better context during investigation and remediation actions.

What are app configuration policies versus app protection policies? -App configuration policies and app protection policies are essentially the same thing. -App configuration policies help secure access on devices by restricting actions users can take with organizational data. -App protection policies provide a method to configure how apps are set up. -App configuration policies provide app configuration settings for both iOS/iPadOS and Android apps. App protection policies help secure your devices.

App configuration policies provide app configuration settings for both iOS/iPadOS and Android apps. App protection policies help secure your devices.

Typically, Azure AD defines users in three ways. Cloud identities and guest users are two of the ways. What is the third way Azure AD defines users? -As non-connected users. -As transitional users. -As directory-synchronized identities.

As directory-synchronized identities. Azure AD defines users as cloud identities, guest users, and as directory-synchronized identities.

Which one of the following tools can an administrator use to query data in Microsoft Sentinel? -Structured Query Language (SQL) -PowerShell -Azure Data Explorer

Azure Data Explorer, which is also known as Kusto, is a log analytics cloud platform optimized for ad-hoc big data queries.

Configuring a Microsoft Human Resources (HR) data connector is a dependency for which insider risk management template? -Departing employee's data theft template -Data leaks -Offensive language in email

Departing employee's data theft template If you configure a policy using the Departing employee data theft template, you'll need to configure a Microsoft 365 HR data connector so that you can import user and log data from 3rd-party risk management and human resources platforms. HR connectors allow you to pull in human resources data from CSV files, including user termination and last employment dates.

How can Discovery and insights for privileged identity management help an organization? -Discovery and insights can find privileged role assignments across Azure AD, and then provide recommendations on how to secure them using Azure AD governance features like Privileged Identity Management (PIM). -Discovery and insights can find when guest's access resources across Azure AD. -Discovery and insights can find security group assignments across Azure AD, and then provide recommendations on how to secure them using Azure AD governance features like Privileged Identity Management (PIM).

Discovery and insights can find privileged role assignments across Azure AD, and then provide recommendations on how to secure them using Azure AD governance features like Privileged Identity Management (PIM). Discovery and insights can find privileged role assignments across Azure AD, and then provide recommendations on how to secure them using Azure AD governance features like Privileged Identity Management (PIM).

Which one of the following apply to Microsoft Insider Risk Management policies and templates? -Insider risk settings for Privacy and Policy Indicators can be configured to apply for a specific policy. -Microsoft Insider Risk Management policies and templates are for malicious intent violations. -Each policy must have a template assigned in the policy creation wizard before the policy is created.

Each policy must have a template assigned in the policy creation wizard before the policy is created. -Insider risk management templates are pre-defined policy conditions that define the types of risk indicators monitored by a policy. Each policy must have a template assigned before creation.

Instead of blocking communications between two segments, you decide you want to allow communications to occur between certain segments. What should you do? -Edit a policy -Edit a segment -Edit user account attributes

Edit a policy -Edit an information barrier policy when you want to change how a policy works.

Which roles can only be assigned using Privileged Identity Management? -Permanently active roles. -Eligible roles. -Transient roles.

Eligible roles. Permanently active roles are the normal roles assigned through Azure Active Directory and Azure resources while eligible roles can only be assigned in Privileged Identity Management.

If you want to restrict access to a file, you need to configure a sensitivity label with which of the following? -Marking content -Encryption -Guest access

Encryption Only a label with encryption can have access rules to prevent other user to edit or open the file.

Which of the case actions opens a new eDiscovery (Premium) case in your Microsoft O365 investigation? -Escalate for investigation -Send a notice -Resolve the case

Escalate for investigation Escalate the case for employee investigation in situations where additional legal review is needed for the employee's risk activity. This escalation opens a new eDiscovery (Premium) case in your Microsoft 365 organization. eDiscovery (Premium) provides an end-to-end workflow to preserve, collect, review, analyze, and export content that's responsive to your organization's internal and external legal investigations.

In the Remediate phase, which option allows for inputting multiple reviewers within the organization to help resolve the incident? -Escalate to another reviewer -Tag a message -Notify the user

Escalate to another reviewer Sometimes, the initial reviewer of an issue needs input from other reviewers to help resolve the incident. You can easily escalate message issues to reviewers in other areas of your organization as part of the resolution process.

When should access packages be used? -To allow one organization access when collaborating on a project. -An employee requires permanent permissions to perform their job role. -For access that requires the approval of an employee's manager or other designated individuals

For access that requires the approval of an employee's manager or other designated individuals Two or more organizations are collaborating on a project, and as a result, multiple users from one organization will need to be brought in via Azure AD B2B to access another organization's resources.

You want to search for insider risk alerts that occurred in the past 30 days and are high severity risks. The easiest way to accomplish this is to do which of the following? -From the Alerts dashboard search for "last 30 days." -Click "Export" to download a CSV file with all alerts. Import this into Excel and use the filter function. -From the Alerts dashboard, select the Filter control.

From the Alerts dashboard, select the Filter control. You can filter alerts by one of more attributes including Status, Severity, Time detected, and Policy.

Which Microsoft 365 administrator role can change the password of a user who's assigned to the Microsoft 365 Global administrator role? -User Management administrator -Global administrator -Password administrator

Global administrator When your account is a global admin account, you must get another global admin to reset it for you.

An administrator creates a custom workbook and wants to display the data in table. Which visualization steps should the administrator use in the workbook? -Text visualization -Links/Tabs -Grid visualization

Grid visualization You can use grids visualization to present the data in tables.

Which Microsoft 365 provisioning option do companies prefer when they want more administrative versatility and another disaster recovery backup option? -On-premises -Cloud -Hybrid

Hybrid Companies prefer the hybrid option when they want more administrative versatility and another disaster recovery backup option.

When Microsoft Edge Application Guard identifies an untrusted site or application, it opens Microsoft Edge in an isolated container to protect the host operating system from damage or exploitation. Which of the following containers does Microsoft Edge use? -Hard disk drive image -Isolation chamber -Hyper-V Krypton container

Hyper-V Krypton container Microsoft Edge isolates untrusted sites in Hyper-V Krypton containers to prevent harm to the host operating system, or to prevent access to corporate resources.

What setting should you configure to skip spam filtering for all incoming messages, when they come from source email servers you've identified? -IP Allow list -IP Block list -Safe list

IP Allow list IP Allow list skips spam filtering for all incoming messages from the specific source email servers you identify by other IP address or IP address range.

Microsoft has had built-in intelligence to detect profanities for a while. Which of the following represents a new enhancement in this area? -Identify threats for the individual to potentially harm themselves -Identify insider trading -Identify possible legal exposure

Identify threats for the individual to potentially harm themselves Microsoft has expanded the offensive language classifiers to identify threats to others or even for the individual to harm themselves or even targeted harassment.

After a device is enrolled to Intune, a built-in device MDM agent automatically begins to sync the device details to Intune. Where can organizations view this device information? -In the Azure AD admin center -In the Microsoft 365 admin center -In the Microsoft Endpoint Manager admin center

In the Microsoft Endpoint Manager admin center Organizations can view device information in the Microsoft Endpoint Manager admin center.

Email threading parses each email and deconstructs it down to the individual messages. It then analyzes all emails in the working set to determine whether an email has unique content or if the chain is wholly contained in a different email. At the end of the process, emails are divided into four categories. In which category does the last message in the email have unique content, but the email doesn't contain some of the attachments that were included in other emails of which the content is wholly contained in this email? -Inclusive -Inclusive minus -Inclusive copy

Inclusive minus In this category, the last message in the email has unique content, but the email doesn't contain some of the attachments that were included in other emails of which the content is wholly contained in this email.

What is the connection between risk policies, alerts and issues? -An issue is a specific type of policy alert that is described in the policy template. -Issues and alerts are both specified in risk policies as different types of notifications when the policy is matched. -Issues are created by admins while assessing alerts about policy matches to further investigate a case.

Issues are created by admins while assessing alerts about policy matches to further investigate a case.

What does Conditional Access do? -It's the component that enforces multifactor authentication policies for access. -It analyzes signals such as user, device, and location to enforce organizational access policies. -It monitors and logs all access attempts.

It analyzes signals such as user, device, and location to enforce organizational access policies. Conditional Access is the tool used by Azure Active Directory to bring signals together, make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity-driven control plane.

When do retention labels take effect? -Once the label policy is synced from the admin center to the locations in the policy. -As soon as you publish or auto-apply retention labels. -It depends on the type of retention label.

It depends on the type of retention label. -It depends on the target location to which the retention label is published or auto-applied.

Which of the following is a benefit of encryption? -It is always legally required. -It helps mitigate the impact of data theft. -It renders data permanently unreadable. -It meets all access control requirements.

It helps mitigate the impact of data theft. When data is encrypted with strong encryption, it cannot reasonably be deciphered without the correct encryption key.

If you approve access via the Customer Lockbox system, the Microsoft engineer has the following access: -Standing access -Limited standing group access -Just-in-time

Just-in-time In the rare instance when a Microsoft engineer needs access to your data, you grant access only to data required to resolve the issue and for a limited amount of time, which is considered just-in-time access.

In The answer list, which is a security group used by Hybrid Windows Hello for Business when no Windows Server 2016 or later domain controllers are deployed? -KeyCredential Admins -Enterprise Key Admins -Windows Authorization Access Group

KeyCredential Admins To use Windows Hello for Business, you must create the KeyCredential Admins security group and the Windows Hello for Business Users security groups.

Which of the following describes the most comprehensive approach to Data Lifecycle Management and its benefits? -Securing sensitive data and access. -Ensuring your data is defensible and retained. -Managing the end-to-end lifecycle of all content across your digital estate.

Managing the end-to-end lifecycle of all content across your digital estate. A comprehensive approach across all content in your digital estate helps protect confidential information and prevent incidents that could disrupt your business.

Whether to assign a role to a group instead of to individual users is a strategic decision. When planning, consider assigning a role to a group to manage role assignments when the desired outcome is to delegate assigning the role and what else? -You want to use conditional access policies. -Many Azure resources need to be managed. -Many users are assigned to a role.

Many users are assigned to a role. Management of one group is much easier than management many individual users.

Which formatting does Microsoft Sentinel use to format the text in the workbook with text visualization? -Microsoft Word -HTML text formatting -Markdown

Markdown The text is edited through a Markdown formatting, which provides different heading and font styles, hyperlinks, tables.

What describes Safe Attachments from Microsoft Defender for Office 365? -Messages and attachments are routed to a special environment where Microsoft Defender for Office 365 uses a variety of machine learning and analysis techniques to detect malicious intent. -Protects your users from malicious URLs in a message or in an Office document. -A powerful report that enables your Security Operations team to investigate and respond to threats effectively and efficiently.

Messages and attachments are routed to a special environment where Microsoft Defender for Office 365 uses a variety of machine learning and analysis techniques to detect malicious intent. Microsoft Defender for Office 365 Safe Attachments protect against unknown malware and viruses, and provide zero-day protection to safeguard your messaging system by rerouting messages and using machine learning to detect malicious intent.

Azure AD Connect includes an optional group writeback feature. Group writeback writes groups from Azure AD to on-premises Active Directory. Which type of groups can be written back from Azure AD to your on-premises Active Directory? -Distribution groups -Mail-enabled security groups -Microsoft 365 groups

Microsoft 365 groups The group writeback feature in Azure AD Connect allows all Microsoft 365 groups to be synchronized from Azure AD to your on-premises Active Directory.

Azure AD allows for the definition of two different types of groups; one type is Security groups, which are used to manage member and computer access to shared resources. What is the other type of group? -Distribution groups, which are used for communications purposes via applications such as Teams and Exchange. -Licensing groups, which are used to make it easier to administer software licenses. -Microsoft 365 groups, which provide access to shared mailboxes, calendars, SharePoint sites, and so on.

Microsoft 365 groups, which provide access to shared mailboxes, calendars, SharePoint sites, and so on. Azure AD allows for the definition of Security groups and Microsoft 365 groups.

Which of the following statements is accurate? -Files sent between users in Microsoft Purview are encrypted using BitLocker. -Microsoft 365 uses service encryption to encrypt customer data at the application layer. -Microsoft utilizes a third party's certificate authority to manage all certificates used for TLS encryption.

Microsoft 365 uses service encryption to encrypt customer data at the application layer. Additionally, Microsoft 365 encrypts data-at-rest using BitLocker.

Which of these authentication methods offers the highest level of security? -SMS verification -Microsoft Authenticator App -Voice call verification

Microsoft Authenticator App Microsoft recommends using the Microsoft Authenticator app, which provides the best user experience and multiple authentication methods.

Which tool should you use to create fake phishing messages and send them to internal users as an education aid? -Exchange Online Protection -Microsoft Defender for Office 365 -Microsoft 365

Microsoft Defender for Office 365 Yes, you can use the Attack simulator in Microsoft Defender for Office 365 to create and send fake phishing mails.

The administrator wants to create an analytics rule from the created query. Which option from the queries pane should the administrator select? -Azure Monitor Alert -Microsoft Sentinel Alert -Copy link

Microsoft Sentinel Alert A new Microsoft Sentinel alert creates an analytics rule.

Too many DLP policy false positives can have a negative effect on business production. Additionally, too many false positives can result in security teams ignoring the warnings. Microsoft sensitive information types are thoroughly tested. There is still a chance your organization may have specific needs not met by built-in sensitive information types. What do you do if your DLP incident report returns too many false positives? -Modify the DLP policy. -Create a new retention policy and attach it to the DLP policy. -Design a new DLP policy.

Modify the DLP policy. When identifying information to protect, you need to configure the conditions that will result in a policy being triggered via rules. Data loss prevention includes policy templates that include rules for detecting many common sensitive information types. You can modify these rules using the rule editor if they are resulting in too many false positives.

Can you use address book policies and information barrier policies at the same time? -Yes -No -Only when address book policies were in place first

No Information barriers are based on address book policies, but the two kinds of policies aren't compatible. If you do have such policies, make sure to remove your address book policies first. Once information barrier policies are enabled and you have hierarchical address book enabled, all users who aren't included in an information barrier segment will see the hierarchical address book in Exchange Online.

Lucerne Publishing uses both Conditional Access policies and device compliance policies. As the company's Enterprise Administrator, Patti Fernandez wants to create a compliance policy that determines how Intune treats devices that haven't been assigned a device compliance policy. What should Patti set the "Mark devices with no compliance policy assigned as" setting to ensure that only devices that are confirmed as compliant can access the company's resources? -Compliant -Not compliant -Disabled

Not compliant If an organization uses Conditional Access with its device compliance policies, it's recommended that it change the "Mark devices with no compliance policy assigned as" setting to Not compliant. Doing so ensures that only devices that are confirmed as compliant can access the company's resources.

As the Enterprise Administrator for Lucerne Publishing, Patti Fernandez wants to deploy eDiscovery (Premium) in the company's Microsoft 365 tenant. Patti has set it up by configuring licenses, permissions, and an optional global setting. What must Patti do next to deploy eDiscovery (Premium)? -Identify the users who will be assigned as eDiscovery (Premium) custodians -Align Lucerne's eDiscovery (Premium) deployment with EDRM -Nothing else needs to be done

Nothing else needs to be done Nothing is needed to deploy eDiscovery (Premium). Organizations just need to configure licenses, permissions, and an optional global setting to set it up. Once eDiscovery (Premium) is set up, you're ready to create and manage cases.

Northwind Traders wants to block access to company resources from non-compliant devices. As the Enterprise Administrator for Northwind Traders, Allan Deyoung wants to configure a compliance policy that provides this restriction. If the compliance policy identifies a previously compliant device as being noncompliant, which of the following items is a noncompliant action that can be performed by the policy? -Leave the device marked as compliant for three more days, then mark the device as noncompliant if it still hasn't achieved compliance -Leave the device marked as compliant for an organization-defined grace period, then mark the device as noncompliant if it still hasn't achieved compliance -Notify end users through email

Notify end users through email Organizations can customize an email notification before sending it to the end user. Intune includes details about the noncompliant device in the email notification.

Privileged access management provides just-in-time access at different scopes. What does just-in-time access protect against? -Reduces the attack surface of standing privileged accounts -Reduces the risk of privileged access abuse -Reduces access to customer content in Exchange Online, -SharePoint Online, and OneDrive for Business.

Reduces the risk of privileged access abuse -The use of the just-in-time access model ensures that service teams only ever have the necessary access required to support the operation of Office 365, and are restricted by elevation level, resource access, and time.

You have already deployed data loss prevention and are using it to protect data in Microsoft Teams, Exchange, SharePoint, and OneDrive. You also want to protect data stored on your Windows devices, so you have modified an existing policy and added Devices to the list of locations you will protect. What else must you do to begin protecting content on your Windows devices? -Make sure each device is Azure AD registered. Onboard each device. -Once created, you can't add locations to a DLP policy, so this isn't a valid scenario.

Onboard each device. Device onboarding enables collecting data from devices to incorporate into Endpoint DLP. Only devices that have been onboarded can be included in DLP policies that target Windows devices.

Which of the following statements is accurate regarding retention labels? -Only one retention label can be assigned to content (such as an email or document) at a time. -If content has an auto-apply label assigned, users can remove or change the retention label that is assigned. -If there are multiple rules that assign an auto-apply label and content meets the conditions of multiple rules, the retention label for the most recent (newest) rule is assigned.

Only one retention label can be assigned to content (such as an email or document) at a time. Content like an email or document can have only a single retention label assigned to it at a time.

As the Enterprise Administrator for Tailspin Toys, you're interested in making self-service password reset functionality available to Tailspin's users. To implement self-service password reset, which of the following conditions must be in place? -Password reset is only available for Microsoft 365 users with cloud identities that have passwords that aren't linked to the on-premises AD DS -Password reset enables users to reset their own password after the Password administrator starts the transaction To reset a password, either a Global administrator or a -Password administrator must first authenticate the user's identity

Password reset is only available for Microsoft 365 users with cloud identities that have passwords that aren't linked to the on-premises AD DS This condition is required because a password from Microsoft 365 can't be synchronized back to on-premises AD DS without using other synchronization services.

Azure AD Connect provides which of the following features? -Migrates Exchange public folders from your on-premises organization to Exchange Online -Password writeback that enables your users to change and reset their passwords in the cloud and have your on-premises password policy applied -Determines the on-premises domain suffixes, identifies whether any domains are already verified with Microsoft 365, and validates the appropriate DNS records

Password writeback that enables your users to change and reset their passwords in the cloud and have your on-premises password policy applied Azure AD Connect provides password writeback functionality that allows your users to change and reset their passwords in the cloud and have your on-premises password policy applied.

Microsoft Defender SmartScreen acts as an early warning system for users and administrators, helping to prevent exploits and attacks before they do serious damage. SmartScreen can help defend against which of the following? -Phishing, malware, and potentially unwanted applications (PUAs) -Viruses, Session Hijacking, and Denial of Service (DoS) -Physical exploits, brute force password attacks, and SQL injection attacks

Phishing, malware, and potentially unwanted applications (PUAs) These are the most common threats that SmartScreen can help defend against.

Which one of the following characters can an administrator use to separate the commands in the query. -Pipe (|) -Hyphen (-) -Underscore (_)

Pipe (|) You can use the pipe (|) character to separate commands.

As the Enterprise Administrator for Contoso, Holly Dickson has created an eDiscovery case in the Microsoft Purview compliance portal to address a legal issue facing the company. What should Holly do to preserve any content that's relevant to the case? -Place the custodian data on hold -Index custodian data by using the process known as Advanced indexing -Create searches to search the in-place custodial and non-custodial data sources in Microsoft 365 for content relevant to the case

Place the custodian data on hold Custodian data can be placed on hold. Doing so preserves data that may be relevant to the case during the investigation.

Which of the following tools can be used to visualize how Microsoft Edge isolates processes to maintain a secure browsing environment, preventing malicious code from accessing data and resources on the host operating system? -Event Viewer -Process Explorer -Task Manager

Process Explorer Process Explorer can be used to look at the individual processes created by Microsoft Edge, but also their priorities and integrity levels.

What are protected apps? -Protected apps are all apps that end users may be using on their device that are managed by a mobile device management (MDM) service. -Protected apps incorporate special mobile app management capabilities using the Intune App Software Development Kit (SDK) or the App Wrapping Tool for either iOS or Android. -Protected apps are the apps that can be run on an end user's device that are managed by a mobile device management (MDM) service.

Protected apps incorporate special mobile app management capabilities using the Intune App Software Development Kit (SDK) or the App Wrapping Tool for either iOS or Android.

A healthcare employee left work with an unencrypted work laptop, which was stolen days later in a burglary. Data containing sensitive information for 100 patients is on the laptop. This is an example of which type of internal risk? -Regulatory compliance violation -Sabotage -Data leak

Regulatory compliance violation If your business handles the personal, medical, sensitive, or classified data of individuals or government organizations, the law requires you to follow strict compliance regulations.

What do catalogs contain? -Device registrations -Resources and access packages -User lists

Resources and access packages Catalogs are used to group related resources and access packages.

Which feature should be used to support users in archiving their mailbox messages? -Preservation Hold Libraries -Litigation Hold -Retention Tags

Retention Tags Retention tags are used for archiving messages to the users archive mailbox or to empty default folders, such as Junk or Deleted items.

Many organizations have different types of content that require different actions taken on them in order to comply with industry regulations and internal policies. Which feature of Microsoft Purview Records Management can help you take the right actions on the right content type? -File plan descriptors -Retention labels -Activity explorer

Retention labels -With retention labels, you can classify data across your organization for governance, and enforce retention rules based on that classification.

Which default role can you assign if you want to grant someone read-only permissions on DLP reports without allowing them to make changes? -Security Reader -Security Administrator -Compliance Administrator

Security Reader The role only grants read-only permission to Compliance reports.

You create a new policy by stepping through the policy wizard and policy settings. Which of the following is optional when creating a new policy? -The users or groups the policy will apply to -Alert indicators -Specify content to prioritize

Specify content to prioritize -This is optional, you can assign the sources to prioritize for risky user activity such as SharePoint sites.

What is required to deploy Microsoft Defender for Endpoint to Windows devices in your organization? -Subscription to the Microsoft Defender for Endpoint online service. -No action is required. Microsoft Defender for Endpoint is included in the Windows 10 operating system. -License for Microsoft Intune.

Subscription to the Microsoft Defender for Endpoint online service. To deploy Microsoft Defender for Endpoint you require a subscription to the Microsoft Defender for Endpoint online service.

Declaring content as a record means which of the following? -The item becomes immutable for a minimum amount of time. -The item becomes immutable until after the designated time period. -The item becomes immutable for a maximum amount of time.

The item becomes immutable until after the designated time period. Declaring content as a record means that the item becomes immutable and cannot be modified or deleted until after their defined retention period has passed. The item becomes immutable for a minimum amount of time.

With Safe Links, what happens when a user selects a blocked URL? -They are taken to a warning page -They are taken to the page, and an admin is notified. -They are taken to the page, but all scripting on the page is blocked.

They are taken to a warning page Yes, when Safe Links is enabled, when a user tries to visit a blocked URL, they'll see a warning page.

What is the defining feature of hybrid identity solutions? -They create common user identities for authenticating and authorizing users who operate workstations that run on various operating systems. -They create common user identities that are trusted for authentication and authorization between organizations. -They create common user identities for authentication and authorization to both on-premises and cloud-based resources.

They create common user identities for authentication and authorization to both on-premises and cloud-based resources. Authentication and authorization are essential for hybrid identity solutions.

What is user sign-in frequency? -User sign-in frequency defines the time period before a user is asked to sign in again when attempting to access a resource. -User sign-in frequency defines the number of times a user signs in from a single device in a 24-hour period -User sign-in frequency defines the number of devices a single user is signed in to.

User sign-in frequency defines the time period before a user is asked to sign in again when attempting to access a resource. User sign-in frequency defines the time period before a user is asked to sign in again when attempting to access a resource.

How can users restore previous versions of their documents? -eDiscovery cases -Versioning in SharePoint Online -Exchange hidden mailbox folders.

Versioning in SharePoint Online -SharePoint Online provides versioning.

When do you use event-driven retention configuration? -When a specific event was created -When a specific event was labeled -When a specific type of event occurs

When a specific type of event occurs -Use event-based retention when you want the retention period to be based on when a specific type of event occurs, rather than when the content was created, last modified, or labeled.

Can app protection policies be deployed on devices that are not enrolled in any MDM service? -Yes. Your organization can use app protection policies as part of application management with and without using a mobile device management (MDM) service. -No. Your organization can only use app protection policies with the Intune mobile device management (MDM) service.

Yes. Your organization can use app protection policies as part of application management with and without using a mobile device management (MDM) service.

Which of the following choices describes threat hunting using Microsoft Defender for Endpoint? -You can proactively inspect events in your network using a powerful search and query tool. -Detecting and blocking apps that are considered unsafe but may not be detected as malware. -Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware.

You can proactively inspect events in your network using a powerful search and query tool. Microsoft Defender for Endpoint advanced threat hunting is a powerful search and query tool built on top of a query language that gives you flexibility.

When passwords are changed in Microsoft 365, they can be written back to the on-premises Active Directory. Which of the following requirements must be met to enable this feature? -You need an Azure Active Directory Premium license -Your domain controllers must be at least Windows Server 2003 -You need a Microsoft 365 E5 license

You need an Azure Active Directory Premium license You must have an Azure AD Premium license to have password changes in Microsoft 365 written back to your on-premises AD.

The Unified Labeling Scanner requires which other system to conduct scans? -a SQL Server Standard or SQL Server Enterprise -Microsoft 365 alerts enabled. -A Linux server.

a SQL Server Standard or SQL Server Enterprise The SQL Server Express version is only for testing.