MS-101: Microsoft 365 Mobility and Security


How many segments can a user be in? -1 -3 -5

1 -A user can only be in one segment. As such, organizations should plan their segments carefully. Also, each segment can have only one information barrier policy applied.

Which Compliance Score component is an evaluation of a template that starts the scoring process for an organization? -A Microsoft-managed control -An assessment -A Customer-managed control

An assessment -An assessment is an evaluation of a template that starts the scoring process for an organization. Assessments group the actions necessary to meet the requirements of a standard, regulation, or law. For example, you may have an assessment that, when you complete all actions within it, brings your Microsoft 365 settings in line with ISO 27001 requirements.

As the Enterprise Administrator for Lucerne Publishing, Patti Fernandez wants to give one of Lucerne's users, Allan Deyoung, the minimum level of privileges that will enable Allan to search the Microsoft 365 audit log. What should Patti do? -Assign Allan the Microsoft 365 Global Administrator role -Assign Allan the Search-UnifiedAuditLog role -Assign Allan the View-Only Audit Logs role

Assign Allan the View-Only Audit Logs role -To search the audit log, administrators and members of investigation teams must be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online.

As Fabrikam's Enterprise Administrator, Holly Spencer wants to implement Privileged Identity Management. Holly has discovered and selected the Fabrikam resources to protect with Privileged Identity Management. What is the next step that Holly should complete in the PIM setup process? -Elevate access for a Global Administrator -Assign other users to the Privileged Role Administrator role -Respond to user requests for a role

Assign other users to the Privileged Role Administrator role -To delegate access to PIM, a Global Administrator can assign other users to the Privileged Role Administrator role. By default, Security administrators and Security readers have read-only access to Privileged Identity Management. To grant access to Privileged Identity Management, the first user can assign others to the Privileged Role Administrator role.

Fabrikam created a custom sensitivity label for highly confidential data. It tested the label during the pilot phase of its data protection project by assigning the label to a label policy. In turn, the policy was assigned to a select group of users on the project team. Now that its testing phase is complete, Fabrikam is ready to roll out the label across the entire organization. What should it do? -Create a new label and then assign it to a new label policy that specifies all users -Assign the existing label to a new label policy that specifies all users -Delete the existing label, create a new label, and assign it to a new label policy that specifies all users

Assign the existing label to a new label policy that specifies all users - A single label is reusable—you define it once, and then you can include it in several label policies assigned to different users. For example, you could pilot your sensitivity labels by assigning a label policy to just a few users. Then when you're ready to roll out the labels across your organization, you can create a new label policy for your labels and this time, specify all users.

Which of the following items is an underlying principle that's part of the foundation of the Zero Trust model? -Implicit trust -Use most privileged access -Assume breach

Assume breach -Minimize blast radius for breaches and prevent lateral movement by segmenting access by network, user, devices, and app awareness. Verify all sessions are encrypted from start to finish. Use analytics to get visibility and drive threat detection and improve defenses.

Which Microsoft Defender for Endpoint capability provides the first line of defense in the stack? -Threat and vulnerability management -Attack surface reduction -Automated investigation and remediation

Attack surface reduction -The attack surface reduction set of capabilities provides the first line of defense in the stack. To support this feature, organizations should ensure configuration settings are properly set and exploit mitigation techniques are applied. By doing so, the attack surface reduction capabilities can resist attacks and exploitation. The capabilities also include network protection and web protection.

As the Enterprise Administrator for Fabrikam, Holly Spencer has several older devices running Windows 8.1 that the company wants to refurbish and redeploy to its warehouse staff. Because the previous users of these devices had downloaded unapproved and unlicensed software, Holly plans to wipe the hard disks clean and redeploy the devices without preserving any existing data. Which deployment method should Holly use to deploy the latest version of Windows 11 on these devices? -In-place upgrade -Bare metal deployment -Dynamic deployment

Bare metal deployment -Organizations can use this deployment method when they have to deploy a new device that doesn't have a previous operating system (bare metal). It can also be used when they want to wipe and redeploy a device without preserving any existing data.

Which Intune feature enables organizations to create security policies using recommendations by Microsoft security teams? -Administrative templates -Settings catalog -Baselines

Baselines -On Windows 10 and later devices, baselines include preconfigured security settings. Organizations can use baselines to create security policies using recommendations by Microsoft security teams.

As the Enterprise Administrator for Northwind Traders, Allan Deyoung wants to run compliance security filter cmdlets in Windows PowerShell. Which of the following is a step that Allan must complete to run these cmdlets? -Enable search permission filtering in the Microsoft Purview compliance portal -Connect Windows PowerShell to both the Microsoft Purview compliance portal and to Microsoft Teams -Be a member of the Organization Management role group in the Microsoft Purview compliance portal

Be a member of the Organization Management role group in the Microsoft Purview compliance portal -Allan must be a member of the Organization Management role group in the Microsoft Purview compliance portal to have the permissions necessary to run the compliance security filter cmdlets in Windows PowerShell.

Contoso received an alert in which: the alert is accurate, the activity is legitimate but not a security issue. How should Contoso categorize the alert? -True positive -False positive -Benign positive

Benign positive -A benign positive alert is one in which the alert is accurate, the activity is legitimate, but it isn't a security issue.

How does document fingerprinting work? -An organization's security department dusts documents for prints -A document's word patterns are converted into a document fingerprint -The document fingerprint tool can be trained to recognize various types of content

A document's word patterns are converted into a document fingerprint -The "document fingerprinting" name helps explain the feature. In the same way that a person's fingerprints have unique patterns, documents have unique word patterns. When an organization uploads a file, Microsoft Purview DLP identifies the unique word pattern in the document and creates a document fingerprint based on that pattern.

Items that are available for preview must meet which of the following criteria? -A maximum of 1,000 randomly selected items are available to preview -For mailbox items, calendar items and contacts can be previewed -For site items, folders, lists, and list attachments can be previewed

A maximum of 1,000 randomly selected items are available to preview - A maximum of 1,000 randomly selected items are available to preview. A maximum of 100 items from a single content location (a mailbox or a site) can be previewed.

After an audit log search has finished running, the search results are loaded. After a few moments, the results are displayed. How are the search results displayed? -All the results will be displayed in increments of 150 events -A maximum of 1500 events will be displayed in increments of 150 events (10 pages worth of events) -A maximum of 50,000 events will be displayed in increments of 150 events

A maximum of 50,000 events will be displayed in increments of 150 events - A maximum of 50,000 events will be displayed in increments of 150 events. If more than 5000 events meet the search criteria, only the most recent 5000 events are displayed.

As the Enterprise Admin for Tailspin Toys, Allan Deyoung disabled a user's archive mailbox. Three months later, Allan re-enabled the archive mailbox. What was the result of this action? -The contents of the archive mailbox were soft-deleted and could be recovered -The original archive mailbox was able to be reconnected to the user's primary mailbox -A new archive mailbox was created

A new archive mailbox was created -After you disable an archive mailbox, you can reconnect it to the user's primary mailbox within 30 days of disabling it. In this case, the original contents of the archive mailbox are restored. After 30 days, the contents of the original archive mailbox are permanently deleted and can't be recovered. So if you re-enable the archive more than 30 days after disabling it, a new archive mailbox is created.

As the Enterprise Administrator for Fabrikam, Holly Spencer wants to implement Microsoft Purview Message Encryption to apply the protection features in Azure Rights Management Services (Azure RMS). As part of the company's Exchange Online deployment, Holly wants to protect emails and documents through encryption and access controls. Fabrikam plans to use the default settings in Azure Information Protection related to its root key. What must Holly do to implement Microsoft Purview Message Encryption? -Migrate to Azure Information Protection -Activate Azure RMS in Fabrikam's tenant -Generate and manage its own root key

Activate Azure RMS in Fabrikam's tenant -The only prerequisite for an organization to use Microsoft Purview Message Encryption is that Azure RMS must be activated in its tenant. If Azure RMS is activated, Microsoft 365 activates message encryption automatically and you don't need to do anything.

Fabrikam recently purchased a dozen new devices from its hardware vendor. As the Enterprise Administrator for Fabrikam, Holly Spencer wants to use the Windows Autopilot pre-provisioned deployment model to provision the devices. Which of the following items is a prerequisite to using the pre-provisioned deployment model? -Wi-fi connectivity -An Intune subscription -Access to an end user's on-premises domain infrastructure

An Intune subscription - Before starting the pre-provisioning process in the provisioning service facility, you must configure an Autopilot profile setting by using your Intune account.

As the Enterprise Administrator for Contoso, Holly Dickson must add a DNS record that ensures email sent to Contoso's domain will arrive in mailboxes hosted in Exchange Online through the EOP service. Which type of DNS record does Holly need to create? -An A record -An MX record -A Sender Protection Framework (SPF) record

An MX record -An MX record ensures that email sent to the tenant's domain will arrive in mailboxes hosted in Exchange Online through the EOP service.

As hackers around the globe launch increasingly sophisticated attacks, organizations need tools that provide extra protection. A typical outbreak consists of two parts. The first part is a zero-day attack that consists of malware with unknown signatures. What is the second part of the attack? -A lateral move inside the network to gain further control of sensitive users -An elongated period of attack -Compromising user credentials using brute force attacks, user group membership changes, and other methods

An elongated period of attack - Once the zero-day attack occurs, the next step is an elongated period of attack.

Contoso wants to implement Microsoft 365 Defender's automated investigation and response capability. When it does so, which of the following items will trigger the start of an automated investigation? -An incident -An alert -A verdict

An incident - An alert creates an incident. An incident, in turn, can start an automated investigation. The automated investigation results in a verdict for each piece of evidence.

As the Enterprise Administrator for Contoso, Holly Dickson wants to use MAM app protection policies to protect Contoso's data within applications. Which of the following items is another benefit of using app protection policies? -App protection policies require device management, which provides greater control over app management -App protection policies can protect company data on both managed and unmanaged devices -App protection policies apply when using an app in both work and personal context

App protection policies can protect company data on both managed and unmanaged devices -Mobile app management doesn't require device management. As a result, app protection policies can protect company data on both managed and unmanaged devices. Management is centered on the user identity, which removes the requirement for device management.

Tailspin Toys has just deployed Microsoft 365. It's now analyzing its compliance needs. As such, it's trying to determine its current state of compliance. Which of the following actions should it complete to help it understand its compliance posture? -Deploy Microsoft's built-in alert policies -Classify and protect sensitive data with sensitivity labels -Check its compliance score in Compliance Manager

Check its compliance score in Compliance Manager - It's difficult to know where to go if you don't know where you are. To meet its compliance needs, an organization must understand its current level of risk. It can do so by checking its compliance score in Compliance Manager. Once it knows its compliance posture given its compliance score, it can then complete actions to help reduce risks around data protection and regulatory standards, such as deploying Microsoft's built-in alert policies and creating sensitivity labels.

Contoso is implementing sensitivity labels in a controlled test environment. However, it isn't seeing the label or label policy setting behavior that was expected for its test groups. Which of the following actions is recommended to troubleshoot this type of issue? -Make sure users don't have more than five main labels -Check the order of the sensitivity label policies -Change label policies to a different set of users and groups

Check the order of the sensitivity label policies - If you're not seeing the label or label policy setting behavior that you expect for a user or group, check the order of the sensitivity label policies. You may need to move a policy down.

As the Enterprise Administrator for Tailspin Toys, Patti Fernandez created a DLP policy. Which of the following actions can Patti take next with the policy? -Activate the policy and run it in test mode -Choose not to activate the policy and instead run it in test mode -Activate the policy and configure it to display policy tips for user training

Choose not to activate the policy and instead run it in test mode -After Patti creates a DLP policy, she can choose to run it in test mode rather than activate it. Test mode enables an organization to review the DLP reports for any possible activity without interfering with the company's production environment.

Designing a DLP policy typically involves which of the following actions? -Identify your stakeholders -Identify the categories of sensitive information to protect -Clearly define your business needs

Clearly define your business needs - Designing a DLP policy typically involves clearly defining your business needs. Once its business needs are defined, an organization should then document them in a policy intent statement, and then map those needs to its policy configuration.

As Enterprise Administrator for Lucerne Publishing, Inc., Holly Dickson is concerned about the recent data deletion attacks that have affected the company. To address these attacks, Holly wants to focus Lucerne's initial data protection mechanisms on preventing account breaches and elevation of privilege. If a data deletion attack is still successful, which of the following strategies can Holly use to minimize the impact of the attack? -Back up critical data to online stores -Build redundancies into data management processes -Implement role-based delegation

Build redundancies into data management processes - Organizations typically focus their initial data protection mechanisms on preventing account breaches and elevation of privilege. They should then enhance their core prevention strategy by ensuring they have sufficient redundancies built into their data management processes to minimize the impact of data deletion.

Contoso wants to manually apply retention settings. How can it accomplish this task? -By implementing a retention policy -By implementing a retention label -Contoso can't manually apply retention settings; they must be automatically applied through retention policies or labels

By implementing a retention label - Retention policies and retention labels can both be automatically applied. However, only retention labels can be manually applied.

As the Enterprise Administrator for Lucerne Publishing, Patti Fernandez wants to create templates that will be used to encrypt emails that originate from within the company. Patti plans to create a custom branding template and an encryption template. Once Patti creates the templates, how can she apply them? -By running the Set-OMEConfiguration PowerShell cmdlet -By setting the priority of the branding rule higher than the encryption rule -By using Exchange mail flow rules

By using Exchange mail flow rules -Once you've created the templates, you can apply them to encrypted emails by using Exchange mail flow rules. If you have Microsoft Purview Advanced Message Encryption, you can revoke any email that you've branded by using these templates.

Which Microsoft 365 feature provides an organization an at-a-glance view of its current compliance posture, and helps it to manage its compliance requirements with greater ease and convenience by providing pre-built assessments, workflows, and step-by-step guidance on suggested improvement actions? -Compliance score -Microsoft Purview compliance portal -Compliance Manager

Compliance Manager -Compliance Manager is a feature in the Microsoft Purview compliance portal. Its purpose is to help organizations manage their compliance requirements with greater ease and convenience. It also simplifies compliance and reduces risk by providing pre-built assessments, workflows, step-by-step guidance on suggested improvement actions, and a risk-based compliance score.

Which of the following items is a True statement regarding conditional access policies? -Conditional Access policies are enforced after second-factor authentication is completed -Conditional Access is intended to be an organization's first line of defense for scenarios like denial-of-service (DoS) attacks -Conditional Access can take into account common signals from first line of defense scenarios to determine access

Conditional Access can take into account common signals from first line of defense scenarios to determine access - Conditional Access policies are enforced after first-factor authentication is completed. Conditional Access isn't intended to be an organization's first line of defense for scenarios like denial-of-service (DoS) attacks. However, it can use signals from these events to determine access.

Which type of policy should Contoso create to control the devices and apps that can connect to its email and company resources? -Device compliance policy -Security policy -Conditional Access policy

Conditional Access policy -Organizations use Conditional Access policies with Microsoft Intune to control the devices and apps that can connect to an organization's email and company resources. When integrated, you can control access to keep your corporate data secure, while giving users an experience that enables them to do their best work from any device, and from any location.

As the Enterprise Administrator for Contoso, Holly Dickson has identified many Windows 10 and later devices throughout the organization that don't have the Configuration Manager client installed. Holly had Contoso's developers create an app to deploy the Configuration Manager client on these devices. After the app was run, which service is managing all the workloads on these devices that now have co-management enabled? -Intune -Azure AD -Configuration Manager

Configuration Manager -After co-management is enabled, Configuration Manager continues to manage all workloads. When you decide that you're ready, Intune can start managing available workloads.

Which Microsoft Endpoint Manager solution is an on-premises management solution that manages desktops, servers, and laptops that are internet-based or on an organization's network? -Microsoft Intune -Configuration Manager -Windows Autopilot

Configuration Manager -Configuration Manager is an on-premises management solution that manages desktops, servers, and laptops that are internet-based or on an organization's network. Configuration Manager can deploy apps, software updates, and operating systems. It can also monitor compliance, query and act on clients in real time, and much more.

What component of insider risk management enables organizations to deeply investigate and take action on issues generated by risk indicators defined in their policies? -Alerts -Insider risk policy templates -Cases

Cases - Cases are the heart of insider risk management. They enable organizations to deeply investigate and take action on issues generated by risk indicators defined in their policies. Cases are manually created from alerts when further action is needed to address an employee's compliance-related issue.

As the Enterprise Administrator for Contoso, Holly Dickson has finished setting up the company's Microsoft 365 subscription. Holly has also completed all the Microsoft 365 Learn modules on data compliance, data governance, and information protection. What's the next step that Holly should complete when planning for security and compliance in Microsoft 365? -Plan access protection for identity and devices -Check Contoso's Secure Score -Plan data protection based on data sensitivity

Check Contoso's Secure Score -After setting up Contoso's Microsoft 365 subscription, Holly should take note of the company's starting Secure Score using the Microsoft Secure Score tool. Secure Score provides Microsoft 365 configuration suggestions that Contoso can implement to increase its score.

As the Enterprise Administrator for Contoso, Holly Dickson is implementing Co-management for the company's Windows 10 and later devices. Holly has defined which devices will be part of Contoso's Pilot collection. Holly is considering whether to set the Workloads setting for Compliance policies to both Configuration Manager and Intune. Based on this setting, which service will manage Compliance policies on the devices that aren't in the Pilot collection? -Intune -Configuration Manager -The two services will co-manage the devices that aren't in the Pilot collection for the Compliance policies workload

Configuration Manager -Each of the four workloads can be managed by Configuration Manager, Intune, or both. If a workload is managed by both Configuration Manager and Intune, then Intune manages it for devices in the pilot collection, and Configuration Manager manages it for all other devices.

As the Enterprise Administrator for Contoso, Holly Dickson wants to implement sensitivity labels to help protect Contoso's data. Holly has created and named Contoso's sensitivity labels according to the company's Data Classification framework. What's the next step that Holly must complete? -Publish the sensitivity labels -Configure the protection settings associated with each label -Assign the sensitivity labels to a label policy

Configure the protection settings associated with each label - After Holly created Contoso's sensitivity labels, she should define what each sensitivity label can do. This action involves configuring the protection settings that Contoso associates with each label.

Contoso recently purchased a dozen new Windows 11 devices. Contoso's Enterprise Administrator, Holly Dickson, wants to use Windows Autopilot user-driven mode to transform the devices from their initial state directly from the factory into a ready-to-use state without requiring Contoso's IT personnel to ever touch them. Which of the following steps must Holly complete in preparation for deploying Windows Autopilot in user-driven mode? -Ensure the users who will be performing user-driven mode deployments can join devices to on-premises Active Directory -Create an Autopilot profile for user-driven mode with the required settings -Add the devices to Microsoft Intune

Create an Autopilot profile for user-driven mode with the required settings - Holly must create an Autopilot profile for user-driven mode with the required settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile.

As the Enterprise Administrator for Lucerne Publishing, Allan Deyoung wants to implement Safe Links in Microsoft Defender for Office 365. Allan plans to use the Microsoft 365 Defender portal to implement Safe Links. What must Allan do to implement Safe Links scanning of URLs at Lucerne Publishing? -Create a Safe Links rule -Enable the ATP Safe Links option in the org-wide settings page of the SCC -Create at least one Safe Links policy

Create at least one Safe Links policy -To implement Safe Links scanning of URLs, you must create one or more Safe Links policies.

Which of the following actions is considered the heart of the insider risk management workflow? -Automatic generation of alerts by risk indicators that match policy conditions -Creating a case -Sending notices to users for violating policy conditions

Creating a case - Selecting a case on the Case dashboard opens the case for investigation and review. This step is the heart of the insider risk management workflow. This area is where risk activities, policy conditions, alerts details, and user details are synthesized into an integrated view for reviewers.

In Attack simulation training, which social engineering (simulation) technique provides a phishing attack that sends the recipient a message containing a URL, directs the user to a login site when the recipient selects the link, then displays what appears to be a well-known website so that the user believes they've accessed a real site? -Link to malware -Credential harvest -Drive-by-url

Credential harvest - In a Credential harvest simulation, an attacker sends the recipient a message that contains a URL. When the recipient selects the URL, they're taken to a website that typically shows a dialog box that asks the user for their username and password. The destination page is themed to represent a well-known website. By displaying what appears to be a well-known website, the goal of the phishing attack is to have the user actually believe they've accessed a real site.

Which eDiscovery capability helps organizations manage the people they've identified as people of interest in a case? -Custodian management -Case management -Tagging

Custodian management - Custodian management is managing the people that you've identified as people of interest in a case (called custodians) and other data sources that may not be associated with a custodian. When you add custodians and non-custodial data sources to a case, you can place a legal hold on these data sources, communicate with custodians by using the legal hold notification process, and search custodian and non-custodial data sources to collect content relevant to the case.

The compliance solution provided by Microsoft 365 is built upon three core pillars. Which pillar ensures that users have the tools available to import, store, preserve, retire, and expire data as it leaves an organization's data retention windows? -eDiscovery -Auditing -Data governance

Data governance - Data governance ensures that users have the tools available to import, store, preserve, retire, and expire data as it leaves an organization's data retention windows.

Preventing data exfiltration is most effective when a data classification scheme is used in combination with which of the following? -Access Control Lists -Data loss prevention policies -External sharing policies

Data loss prevention policies -The data classification scheme that's based on risk tiers such as high, medium, and low business impact is most effective when used in combination with the Data Loss Prevention feature in Microsoft 365. This technology enables you to configure rules about how to handle data moving in and out of your tenant. It can prevent sensitive document content from being emailed to external parties. It can also prevent your users from sending social security numbers in email.

As Fabrikam's Enterprise Administrator, Holly Spencer is in the process of implementing Azure Identity Protection. One of Holly's biggest concerns is that their IT department is often unaware of all the cloud applications being used by Fabrikam's users to do their work. Fabrikam's administrative staff has concerns that this situation leads to unauthorized access to corporate data, possible data leakage, and other security risks. What action should Holly recommend to address this situation? -Deploy Cloud App Discovery -Use PIM to manage identity access to user apps -Require Azure AD Multi-Factor Authentication for user sign-in attempts to user apps

Deploy Cloud App Discovery - It's recommended that you deploy Cloud App Discovery to discover unmanaged cloud applications.

Which Microsoft Endpoint Manager feature is a cloud-based service that provides insight and intelligence for an organization to make more informed decisions about the update readiness of its Windows clients? -Desktop Analytics -Microsoft Intune -Configuration Manager

Desktop Analytics -Desktop Analytics is a cloud-based service that integrates with Configuration Manager. It provides insight and intelligence for an organization to make more informed decisions about the update readiness of its Windows clients. The service combines data from an organization with data aggregated from millions of devices connected to the Microsoft cloud. It provides information on security updates, apps, and devices in an organization. It also identifies compatibility issues with apps and drivers.

Which type of Intune policies enable an organization to create profiles for different device platforms that establish device requirements? -Device configuration policies -Device compliance policies -Conditional access policies

Device compliance policies - These policies enable an organization to create profiles for different device platforms that establish device requirements. Requirements can include Operating system versions, disk encryption, and being at or under specific threat levels as defined by threat management software.

Which of the following is a True statement regarding Co-management? -By itself, Co-management is a solution to manage remotely connected Windows systems -Devices are managed with Configuration Manager and enrolled to a third-party MDM service. -Devices are concurrently managed with both Configuration Manager and Microsoft Intune

Devices are concurrently managed with both Configuration Manager and Microsoft Intune -Co-management is one of the primary ways for an organization to attach its existing Configuration Manager deployment to the Microsoft 365 cloud. Co-management enables an organization to concurrently manage Windows 10 or later devices by using both Configuration Manager and Microsoft Intune.

As the Enterprise Administrator for Northwind Traders, Allan Deyoung wants to implement Microsoft Intune as Northwind's MDM authority. Allan likes the fact that MDM can allow access to e-mail and documents only from devices that are managed by MDM and follow company policy. Which of the following items is an MDM policy used in Microsoft 365? -Devices that aren't enrolled to MDM can't be prevented from accessing mailboxes, documents, and cloud apps -Devices that aren't enrolled to MDM can't have their compliance evaluated -If a user tries to access their mailbox from a device that's not enrolled to MDM, the user won't have access

Devices that aren't enrolled to MDM can't have their compliance evaluated - Devices that aren't enrolled to MDM can't have their compliance evaluated.

As the Enterprise Administrator for Fabrikam, Holly Spencer wants to protect users from opening unsafe attachments. Holly doesn't want to create policies that block or replace attachments. Instead, Holly wants to avoid message delivery delays so that Fabrikam's users remain productive. When Holly creates a Safe Attachments policy, what action should she select to implement this business requirement? -Dynamic delivery -Block -Replace

Dynamic delivery -While ensuring the user is protected, dynamic delivery enables the user to remain productive. It does so by allowing the user to read and respond to the email while the attachment is being scanned.

As the Enterprise Administrator for Lucerne Publishing, Patti Fernandez wants to reduce or eliminate standing admin access to privileged roles. What feature of Azure AD Privileged Identity Management should Patti employ to meet this requirement? -Azure roles -Elevate access to the User Access Administrator role in Azure -Eligible admins

Eligible admins - Eligible admins are users that need privileged access periodically, but not all day, every day. The role is inactive until the user needs access. At that point, the user must complete an activation process and become an active admin for a predetermined amount of time. More organizations are choosing to use this approach to reduce or eliminate "standing admin access" to privileged roles.

Fabrikam is ready to start governing its data by retaining the content that it must keep and deleting the content that it doesn't. As part of this project, it's following guidance from Microsoft Purview Data Lifecycle Management. Fabrikam has determined that it must support archive mailboxes. What should it do for mailboxes that need more than 100 GB of storage? -Use retention labels with records management rather than data lifecycle management -Create and configure retention policies -Enable auto-expanding archiving

Enable auto-expanding archiving -When organizations must support archive mailboxes for mailboxes that need more than 100 GB of storage, they should enable auto-expanding archiving.

As the Enterprise Administrator for Tailspin Toys, Allan Deyoung is worried about several recent attempts by hackers to obtain a user's account credentials by using a password cracking tool. Which of the following strategies can Allan implement to protect against future password cracking attempts? -Enable directory controls against multiple failed sign-in attempts -Determine a set of risk tiers and then require sites and documents to tag data in your systems with the appropriate classification. -Create external sharing policies in Microsoft 365

Enable directory controls against multiple failed sign-in attempts - You can protect against password cracking attempts by enabling directory controls against multiple failed sign-in attempts. For example, you can have an account automatically disabled after three failed attempts.

As the Enterprise Admin for Lucerne Publishing, Patti Fernandez wants to enable information barriers for SharePoint Online and OneDrive. What should Patti do? -Enable information barriers in separate actions; first for SharePoint, and then OneDrive -Enable information barriers in separate actions; first for OneDrive, and then SharePoint -Enable information barriers for SharePoint and OneDrive in a single action

Enable information barriers for SharePoint and OneDrive in a single action - Information barriers for SharePoint and OneDrive are enabled in a single action. Information barriers for the services can't be enabled separately.

As the Enterprise Administrator for Contoso, Holly Dickson wants to implement Microsoft Secure Score. Holly wants to begin by implementing actions that will affect user productivity the least while providing immediate gains. Which of the following actions should Holly complete that will meet this requirement? -Implement Data Loss Prevention policies -Enable multifactor authentication on all admin accounts -Enable Information Rights Management

Enable multifactor authentication on all admin accounts - This action will have the lowest effect on user productivity while providing immediate gains.

There are two prerequisites to using Microsoft Intune in a Co-management deployment. The first is setting it up. What's the second prerequisite? -Joining the Windows 10 devices to Azure AD -Enabling automatic enrollment for Windows 10 and later devices -Connecting Configuration Manager to Intune

Enabling automatic enrollment for Windows 10 and later devices -There are two prerequisites to using Intune - setting it up and enabling Windows 10 and later devices for automatic enrollment.

Which Configuration Manager feature can configure, update, and protect clients against malware? -Endpoint Protection -Content Management -Asset Intelligence

Endpoint Protection -The functionality in Endpoint Protection can configure, update, and protect clients against malware.

As Enterprise Administrator for Contoso, Holly Dickson wants to implement Microsoft Defender for Endpoint. Holly likes the fact that Defender for Endpoint combines Microsoft's robust cloud service and Windows 10 technology. Which Windows 10 technology does Defender for Endpoint use that will enable it to collect and process behavioral signals from the operating system and send this sensor data to Contoso's private, isolated, cloud instance of Microsoft Defender for Endpoint? -Threat intelligence -Cloud security analytics -Endpoint behavioral sensors

Endpoint behavioral sensors -These sensors are embedded in Windows 10. They collect and process behavioral signals from the operating system. They then send this sensor data to your private, isolated, cloud instance of Microsoft Defender for Endpoint.

As the Enterprise Administrator for Northwind Traders, Allan Deyoung is implementing sensitivity labels. Which of the following items is a recommended practice that Allan should implement when publishing labels? -Publish a sensitivity label policy for each group in the company -Delete labels from a policy because it's less risky than removing labels from a policy -Have as few label policies as possible

Have as few label policies as possible - Multiple label policies are needed only if users need different labels or different policy settings. Organizations should plan to have as few label policies as possible. It's not uncommon to have just one label policy for an entire organization.

What technique is used to identify mail as suspicious based on an analysis of delivery patterns? -Sender reputation -Reputation block -Heuristic clustering

Heuristic clustering -This technique is used to identify mail as suspicious based on an analysis of delivery patterns. When this process occurs, a sample from a cluster is sent to a hypervisor sandbox environment where the file is opened for further analysis.

As the Enterprise Administrator for Contoso, Holly Dickson created a Safe Links policy using Exchange Online PowerShell. After Holly navigated to the Safe Links page in the Microsoft 365 Defender portal, she couldn't find the Safe Links policy. What prevented the Safe Links policy that Holly created in PowerShell from appearing in the Microsoft 365 Defender portal? -Holly didn't create a safe links rule in the Microsoft 365 Defender portal -Holly didn't assign the policy to a safe links rule in PowerShell -Holly should have created a Safe Links rule before creating the Safe Links policy in PowerShell

Holly didn't assign the policy to a safe links rule in PowerShell - A new safe links policy that you create in PowerShell isn't visible in the Microsoft 365 Defender portal until you assign the policy to a safe links rule in PowerShell.

As the Enterprise Administrator for Fabrikam, Holly Spencer wants to apply an outbound spam policy that applies to all senders in the organization. What must Holly do to complete this requirement? -Create an outbound spam policy in the Microsoft 365 Defender portal -Create an outbound spam policy in PowerShell -Holly doesn't have to do anything

Holly doesn't have to do anything -Every organization has a built-in outbound spam policy named Default. The policy is applied to all senders in the organization. This process occurs even though there's no outbound spam filter rule (sender filters) associated with the policy. Creating custom policies with stricter settings than the Default policy enables organizations to increase the effectiveness of their outbound spam filtering. However, creating custom policies isn't required if organizations are comfortable with the Default policy settings.

As the Enterprise Administrator at Fabrikam, Holly Spencer wants to specify retention settings that enforce actions at the item level. Specifically, Holly wants to retain press materials for a specific period and then permanently delete them. She also wants to retain project plans for a minimum period of time. How should Holly assign these retention settings? -Holly must use retention policies -Holly must use retention labels -Holly must use multiple auto-apply retention policies

Holly must use retention labels -When you need to specify retention settings at the item level, retention labels must be used. Unlike retention policies, retention settings from retention labels travel with the content if it's moved to a different location within a company's Microsoft 365 tenant.

After a device is enrolled to Intune, a built-in device MDM agent automatically begins to sync the device details to Intune. Where can organizations view this device information? -In the Azure AD admin center -In the Microsoft 365 admin center -In the Microsoft Endpoint Manager admin center

In the Microsoft Endpoint Manager admin center - Organizations can view device information in the Microsoft Endpoint Manager admin center.

As the Enterprise Administrator for Fabrikam, Inc., Holly Spencer wants to enable Microsoft Purview Privileged Access Management (PAM). After Holly enables PAM at Fabrikam, its users must request just-in-time access to complete elevated and privileged tasks through an approval workflow that is highly scoped and time-bound. This process gives Fabrikam's users just-enough-access to complete the task at hand, without risking exposure of sensitive data or critical configuration settings. How will this feature benefit Fabrikam? -It can reduce legacy authentication workflows -It can operate with zero standing privileges -It reduces or eliminates standing admin access to privileged roles

It can operate with zero standing privileges - By enabling PAM in Microsoft 365, organizations can operate with zero standing privileges. This design provides a layer of defense against vulnerabilities arising because of such standing administrative access.

Organizations can tie sensitivity labels with other actions on a document. For example, an organization can configure a label, such as a "Highly Confidential" label, so that it encrypts the data in whatever document or email that it's applied to. When a document is encrypted, what other effect can encryption have on the document? -It causes a watermark to be automatically displayed on the content -It can restrict what actions authorized people can take on the content -It automatically prohibits the document from being sent in emails

It can restrict what actions authorized people can take on the content -Encryption can also restrict what actions authorized people can take on the content.

Lucerne Publishing uses both Conditional Access policies and device compliance policies. As the company's Enterprise Administrator, Patti Fernandez wants to create a compliance policy that determines how Intune treats devices that haven't been assigned a device compliance policy. To what value should Patti set the "Mark devices with no compliance policy assigned as" setting to ensure that only devices that are confirmed as compliant can access the company's resources? -Compliant -Not compliant -Disabled

Not compliant - If an organization uses Conditional Access with its device compliance policies, it's recommended that it change the "Mark devices with no compliance policy assigned as" setting to Not compliant. Doing so ensures that only devices that are confirmed as compliant can access the company's resources.

Holly Dickson is the Enterprise Administrator for Contoso. Holly wants Contoso's security operations team to have visibility into the large and small threats and risks that Microsoft thinks an organization should be aware of. Which Threat Tracker feature will provide this information for Contoso? -Trending trackers -Tracked queries -Noteworthy trackers

Noteworthy trackers -Noteworthy trackers display large and small threats and risks that Microsoft thinks an organization should be aware of. Noteworthy trackers help organizations find whether these issues exist in their Microsoft 365 environments.

As the Enterprise Administrator for Lucerne Publishing, Patti Fernandez wants to deploy eDiscovery (Premium) in the company's Microsoft 365 tenant. Patti has set it up by configuring licenses, permissions, and an optional global setting. What must Patti do next to deploy eDiscovery (Premium)? -Identify the users who will be assigned as eDiscovery (Premium) custodians -Align Lucerne's eDiscovery (Premium) deployment with EDRM -Nothing else needs to be done

Nothing else needs to be done - Nothing is needed to deploy eDiscovery (Premium). Organizations just need to configure licenses, permissions, and an optional global setting to set it up. Once eDiscovery (Premium) is set up, you're ready to create and manage cases.

Northwind Traders wants to block access to company resources from non-compliant devices. As the Enterprise Administrator for Northwind Traders, Allan Deyoung wants to configure a compliance policy that provides this restriction. If the compliance policy identifies a previously compliant device as being noncompliant, which of the following items is a noncompliant action that can be performed by the policy? -Leave the device marked as compliant for three more days, then mark the device as noncompliant if it still hasn't achieved compliance -Leave the device marked as compliant for an organization-defined grace period, then mark the device as noncompliant if it still hasn't achieved compliance -Notify end users through email

Notify end users through email - Organizations can customize an email notification before sending it to the end user. Intune includes details about the noncompliant device in the email notification.

As the Enterprise Administrator for Lucerne Publishing, Allan Deyoung wants to deploy Microsoft Defender for Cloud Apps. Which of the following actions is a prerequisite that Allan must complete before deploying Microsoft Defender for Cloud Apps? -Obtain a license for every user protected by Microsoft Defender for Cloud Apps -Set instant visibility, protection, and governance actions for the company's apps -Protect sensitive information with DLP policies

Obtain a license for every user protected by Microsoft Defender for Cloud Apps - An organization must be in compliance for licensing Microsoft Defender for Cloud Apps. To do so, it must obtain a license for every user protected by Microsoft Defender for Cloud Apps.

Contoso has implemented Microsoft Purview Audit (Premium). How long does Contoso's default audit log retention policy retain Exchange Online audit records? -90 days -One year -Ten years

One year -Microsoft Purview Audit (Premium) provides a default audit log retention policy for all organizations. This policy retains all Exchange Online, SharePoint Online, OneDrive for Business, and Azure Active Directory audit records for one year.

Information barriers apply to which of the following services? -Exchange Server -OneDrive -Outlook

OneDrive - Information barriers apply to Microsoft Teams (chats and channels), SharePoint Online, and OneDrive services.

Contoso has implemented Microsoft's Basic Mobility and Security service as its MDM solution. As Contoso's Enterprise Administrator, Holly Dickson wants to configure a mobile device setting or policy that specifies whether Contoso allows or blocks access to Exchange mail for devices that aren't supported by Basic Mobility and Security. Which type of mobile device setting or policy must Holly configure to support this requirement? -Organization-wide device access settings -Device security policies -Device compliance policies

Organization-wide device access settings - Organization-wide device access settings enable an organization to specify whether it wants to allow or block access to Exchange mail for devices that aren't supported by Basic Mobility and Security and which security groups should be excluded from access control.

As the Enterprise Administrator for Contoso, Holly Dickson has created an eDiscovery case in the Microsoft Purview compliance portal to address a legal issue facing the company. What should Holly do to preserve any content that's relevant to the case? -Place the custodian data on hold -Index custodian data by using the process known as Advanced indexing -Create searches to search the in-place custodial and non-custodial data sources in Microsoft 365 for content relevant to the case

Place the custodian data on hold -Custodian data can be placed on hold. Doing so preserves data that may be relevant to the case during the investigation.

Which layer of the Microsoft Defender for Office 365 protection stack includes the following features: Safe Links, Zero-hour auto purge, and the Report Message and Report phishing add-ins? -Post-delivery protection layer -Content filtering layer -Edge protection layer

Post-delivery protection layer - The last layer in the protection stack is Post-delivery protection. This persistent layer manages how users interact with files and links not just in their mailboxes, but across other collaborative tools like Microsoft Teams. It includes features such as Safe Links, Zero-hour auto-purge, and the Report Message and Report Phishing add-ins.

Which servicing channel is designed only for specialized devices that don't need feature updates as frequently as other devices in an organization? -General Availability Channel -Long-term Servicing Channel -Windows Insider Program

Long-term Servicing Channel - The Long-term Servicing Channel (LTSC) is designed only for specialized devices, which typically don't run Office. Specialized systems—such as devices that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task. As such, they don't need feature updates as frequently as other devices in the organization.

As the Enterprise Administrator for Fabrikam, Holly Spencer has been researching a Microsoft product that will provide Fabrikam's security analysts with reports and graphical views of the threat landscape in Fabrikam's tenant. This product provides actionable insights and recommendations on policy and enforcement. What is the product that will provide these features for Fabrikam? -Microsoft Cloud App Security -Microsoft Defender for Endpoint -Microsoft 365 Threat explorer

Microsoft 365 Threat explorer -Threat explorer provides security analysts with reports and graphical views of the threat landscape in their tenant. It provides actionable insights and recommendations on policy and enforcement. Threat explorer also provides details about threat families, global threats, top targeted users, and links to security analyst reports on malware families that summarize the threat.

When a company uses Compliance Manager for the first time, what's its initial compliance score based upon? -The completion of Microsoft-managed actions and customer-managed actions -The sum of the company's control scores -Microsoft 365 data protection baseline

Microsoft 365 data protection baseline -Compliance Manager gives an organization an initial score based on the Microsoft 365 data protection baseline. This baseline is a set of controls that includes key regulations and standards for data protection and general data governance.

When an organization comes to Compliance Manager for the first time, what is its initial score based on? -Microsoft 365 data protection baseline -Assessments -Categories

Microsoft 365 data protection baseline -When an organization comes to Compliance Manager for the first time, its initial score is based on the Microsoft 365 data protection baseline. This baseline assessment, which is available to all organizations, is a set of controls that includes common industry regulations and standards.

Lucerne Publishing recently purchased a dozen new devices from its hardware vendor. As the Enterprise Administrator for Lucerne Publishing, Patti Fernandez wants to use Windows Autopilot to initially deploy these devices. What does Autopilot use when initially deploying new Windows devices? -A custom Windows 11 image that Patti created -A provisioning package that Patti created using Windows Configuration Designer -The OEM-optimized version of Windows 11 that's preinstalled on the devices

The OEM-optimized version of Windows 11 that's preinstalled on the devices - When Windows devices are initially deployed, Windows Autopilot uses the OEM-optimized version of Windows 10 or 11 that's preinstalled on the device. Doing so saves organizations the effort of having to maintain custom images and drivers for every model of device that's used.

As the Enterprise Administrator for Contoso, Holly Dickson created an eDiscovery (Standard) case involving members of the Sales group. This group is a Microsoft 365 group. When Holly configured the search, she set the Exchange mailboxes toggle switch to On and selected the Sales group. Which of the following items will be searched? -The Sales group mailbox -The mailboxes of the Sales group members -The mailbox of the Sales group manager

The Sales group mailbox - If you add Microsoft Teams, Yammer Groups, or Microsoft 365 Groups, the group or team mailbox is searched; the mailboxes of the group members aren't searched.

What does it mean when the information barrier mode for a SharePoint site is set to Open? -The SharePoint site is used for collaboration between incompatible segments moderated by the site owner -The SharePoint site doesn't have segments -The SharePoint site is provisioned by Microsoft Teams

The SharePoint site doesn't have segments - When a SharePoint site doesn't have segments, the site's IB mode is automatically set as Open. An example of this mode is a Team site that's created for the company's annual picnic.

How is an email attachment tested when Safe Attachments is enabled? -The attachment is executed on the company's mail server and analyzed by the company's security team to determine if it's malicious -The attachment is executed in a virtual environment and analyzed by the company's security team to determine if it's malicious -The attachment is executed in a virtual environment and undergoes behavioral analysis to determine if it's malicious

The attachment is executed in a virtual environment and undergoes behavioral analysis to determine if it's malicious -Attachments are tested in virtual environments that run different versions of the Windows operating system and applications. The attachments are executed, or "detonated". They then undergo behavioral analysis to determine if the file executes malicious behavior.

Contoso has some devices that haven't been active for the past two months. What effect will this situation have on Contoso's threat and vulnerability management functionality? -The devices will be ignored during the periodic scans conducted by the Threat and Vulnerability Management module -The devices won't be factored in on the data that's reflected in Contoso's exposure score -The devices won't be included as part of the high-value assets that are protected by the Threat and Vulnerability Management module

The devices won't be factored in on the data that's reflected in Contoso's exposure score - Devices must be active in the last 30 days to be factored in on the data that reflects an organization's threat and vulnerability management exposure score and Microsoft Secure Score for Devices.

An email message for Holly Dickson at Contoso is subject to two retention policies. The first retention policy is unscoped and deletes items after five years. The second retention policy is scoped to specific mailboxes, including Holly's mailbox. It deletes items after three years. What happens to the email message? -The email message is permanently deleted after five years -The email message is permanently deleted after three years -It can't be determined at this level when the document will be permanently deleted

The email message is permanently deleted after three years -The email message is permanently deleted after three years. Why? Because the deletion action from the scoped retention policy takes precedence over the org-wide retention policy.

As the Enterprise Administrator for Fabrikam, Holly Spencer deleted a sensitivity label that applied encryption for Highly Confidential documents. Holly later used the desktop version of Word to open a highly confidential document the label had been applied to. What happened when Holly opened the document? -The label information in the metadata was removed -The encryption was removed -Holly was still able to see the applied label name displayed

The encryption was removed -When you open a document using an Office for the web app, if the deleted label applied encryption and the app can process the encrypted content, the encryption is removed. In this case, Word was able to open the document, so the encryption was removed.

As the Enterprise Administrator for Fabrikam, Holly Spencer just completed running a search using the Microsoft Purview Audit (Standard) solution. When Holly reviewed the search results, she noticed that several records displayed a null value in the IP address field. Why wouldn't an IP address be displayed in these records? -The records were for administrator activities for Azure AD-related events -The records were for activities performed by external users -The records were for activities performed by a trusted application calling into the service on behalf of a user

The records were for administrator activities for Azure AD-related events - For administrator activity (or activity performed by a system account) for Azure Active Directory-related events, the IP address isn't logged. As a result, the value displayed in this field is null.

Contoso plans to implement Microsoft Purview Data Loss Prevention. Contoso's DLP project team has identified its stakeholders and the sensitive information that needs protection. Which of the following actions should Contoso complete next? -The stakeholders can set their protection goals -Complete all implementation prerequisites -Create a DLP policy

The stakeholders can set their protection goals -Once an organization has identified its stakeholders and it knows which sensitive information needs protection and where it's used, the stakeholders can set their protection goals, and IT can develop an implementation plan.

Microsoft 365 follows an insider risk management workflow that helps to identify and resolve internal risk activities and compliance issues. The workflow begins by defining Policies. It then defines the Alerts that are generated by those policies. After Alerts are defined, the next three steps in the workflow address and resolve an insider risk case. What is the first of the three steps in an insider risk case workflow? -Take Action to address the compliance-related issue -Investigate the details of the case -Triage alerts generated by insider risk policies

Triage alerts generated by insider risk policies - In an insider risk case, the first step in the workflow is to triage the alerts that are generated by insider risk policies.

The default archive policy that's part of the retention policy assigned to Exchange Online mailboxes moves items to the archive mailbox how many years after the date the item was delivered to the mailbox or created by the user? -One year -Two years -Three years

Two years -The default archive policy that's part of the retention policy assigned to Exchange Online mailboxes moves items to the archive mailbox two years after the date the item was delivered to the mailbox or created by the user.

How long does an eDiscovery hold preserve data? -Until the end date of the retention period is reached -Until the end date of the retention period is reached, but no more than 180 days after the start date -Until an administrator manually releases the hold

Until an administrator manually releases the hold - If content is subject to both retention settings and an eDiscovery hold, preserving content for the eDiscovery hold always takes precedence. In this way, the principles of retention expand to eDiscovery holds because they preserve data until an administrator manually releases the hold. However, despite this precedence, organizations shouldn't use eDiscovery holds for long-term data lifecycle management.

Contoso is planning to implement Microsoft Purview Data Loss Prevention. It just finished planning its business processes for DLP. It created its policies and deployed them in test mode. What's the next step that it should complete? -Apply the policies in more restrictive modes -Use policy tips to raise awareness with its users before changing the policy enforcement from test mode to more restrictive modes -Use Activity Explorer to evaluate the effect of the policies

Use Activity Explorer to evaluate the effect of the policies - In business process planning for DLP, you should plan your policies and deploy them in test mode. You should then evaluate their effect through Activity Explorer first, before applying them in more restrictive modes.

As the Enterprise Administrator for Lucerne Publishing, Allan Deyoung wants to use Exchange Online PowerShell to create a Safe Attachments policy. What's the first thing Allan should do? -Use the New-SafeAttachmentRule cmdlet to create a Safe Attachments rule -Use the New-SafeAttachmentPolicy cmdlet to create a Safe Attachments policy -Use the Set-SafeAttachmentPolicy cmdlet to update the Safe Attachments policy settings

Use the New-SafeAttachmentPolicy cmdlet to create a Safe Attachments policy -When using PowerShell to create a policy, you must create the policy before the rule. The policy must be created first so that you can later assign it to the rule. If you create the rule first, you won't have a policy to assign to it.

As the Enterprise Administrator for Lucerne Publishing, Allan Deyoung wants to use Exchange Online PowerShell to create a Safe Links policy. What's the first thing Allan should do? -Use the New-SafeLinksRule cmdlet to create a Safe Links rule -Use the New-SafeLinksPolicy cmdlet to create a Safe Links policy -Use the Set-SafeLinksPolicy cmdlet to update the Safe Links policy settings

Use the New-SafeLinksPolicy cmdlet to create a Safe Links policy - When using PowerShell to create a policy, you must create the policy before the rule. The policy must be created first so that you can later assign it to the rule. If you create the rule first, you won't have a policy to assign to it.

Audit (Premium) helps organizations conduct forensic and compliance investigations by providing access to important events. Which of the following prerequisites must be completed so that audit logs will be generated when users perform these events? -An extra add-on license must be purchased per user -Users must be assigned an Audit (Premium) license -The MailItemsAccessed action must be enabled

Users must be assigned an Audit (Premium) license - Users must be assigned an Audit (Premium) license so that audit logs will be generated when users perform these important, audited events.

Where can sensitivity labels be published to? -Exchange mailboxes -Outlook folders -Users or groups

Users or groups - Sensitivity labels are published to users or groups. Apps that support sensitivity labels can then display them to those users and groups as applied labels, or as labels that they can apply.

Fabrikam wants to let its legal teams manage custodians and the legal hold notification workflow. Which of the three eDiscovery solutions provided by Microsoft Purview must Fabrikam implement to provide this functionality? -Content search -eDiscovery (Standard) -eDiscovery (Premium)

eDiscovery (Premium) - The eDiscovery (Premium) tool builds on the existing case management, preservation, search, and export capabilities in eDiscovery (Standard). eDiscovery (Premium) lets legal teams manage custodians and the legal hold notification workflow to communicate with custodians involved in a case.

Which eDiscovery solution lets legal teams manage custodians and the legal hold notification workflow to communicate with custodians involved in a case? -Content search -eDiscovery (Standard) -eDiscovery (Premium)

eDiscovery (Premium) - eDiscovery (Premium) provides an end-to-end workflow to identify, preserve, collect, review, analyze, and export content that's responsive to an organization's internal and external investigations. It lets legal teams manage custodians and the legal hold notification workflow to communicate with custodians involved in a case.

As the Enterprise Administrator for Lucerne Publishing, Patti Fernandez wants to add Holly Dickson as a member of an eDiscovery (Standard) case involving a copyright infringement issue. What role group must Holly be a member of before Patti can assign her as a member of this case? -Organization Management -eDiscovery Manager -Compliance Administrator

eDiscovery Manager -A user must be assigned the appropriate permissions to either access eDiscovery (Standard) or be added as a member of an eDiscovery (Standard) case. Specifically, a user must be added as a member of the eDiscovery Manager role group in the Microsoft Purview compliance portal.

As the Enterprise Administrator for Lucerne Publishing, Patti Fernandez wants to have access to the Content search page to conduct searches and preview and export search results. What role group must Patti be a member of in the Microsoft Purview compliance portal to complete these tasks? -Organization Management role group -Compliance Manager role group -eDiscovery Manager role group

eDiscovery Manager role group - This role group provides the permissions necessary to access the Content search page to conduct searches and preview and export search results.

World Wide Importers has finished running a search on its audit log. Allan Deyoung, the company's Enterprise Admin, downloaded the search results in a CSV file and opened it in Excel. Allan noticed that the AuditData column displayed multiple properties that were combined together for each row of data. What feature in Excel's Power Query Editor can Allan use to sort and filter on a specific property in this column? -the JSON transform feature -the Text/CSV transform feature -the AuditData transform feature

the JSON transform feature -The AuditData column is a JSON object that contains multiple properties. Allan must use the JSON transform feature in the Power Query Editor in Excel to split each property in the JSON object in the AuditData column into its own column. Allan can then filter columns to view records based on the values of specific properties.

You're the Enterprise Administrator for Contoso. You want to upload a Windows virtual machine (VM) from Contoso's on-premises environment to Microsoft Azure. Before you can upload the VM, what's the first thing you must do? -Change the VM's generation -Prepare the virtual hard disk -Create custom Remote Desktop Protocol (RDP) settings for Azure

Prepare the virtual hard disk -Before an organization uploads a Windows virtual machine (VM) from on-premises to Azure, it must prepare the virtual hard disk (VHD or VHDX).

As the Enterprise Admin for Tailspin Toys, Allan Deyoung wants to shorten the time to mitigate or remediate vulnerabilities and drive compliance. What should Allan do to achieve this goal? -Communicate with peers and management about the effect of security efforts -Prioritize security recommendations -Create exceptions for security recommendations

Prioritize security recommendations - Cybersecurity weaknesses identified in an organization are mapped to actionable security recommendations and prioritized by their effect. Prioritized recommendations help shorten the time to mitigate or remediate vulnerabilities and drive compliance. Remediating issues based on prioritized security recommendations also enables organizations to lower their threat and vulnerability exposure.

What does URL detonation do? -If the URL is malicious, it redirects the user to a secure server where the site can be safely viewed -If the URL is malicious, it quarantines the URL so that any future links to that URL blow up and return an error -Protects users in the event a URL points to a malicious file on a web site

Protects users in the event a URL points to a malicious file on a web site - URL detonation combines elements of Safe Links and Safe Attachments into a single feature. This feature is designed to protect users in the event a URL points to a malicious file on a web site.

What does URL detonation do? -Protects users in the event a URL points to a malicious file on a web site -If the URL is malicious, it redirects the user to a secure server where the site can be safely viewed -If the URL is malicious, it quarantines the URL so that any future links to that URL blow up and return an error

Protects users in the event a URL points to a malicious file on a web site -URL detonation combines elements of Safe Links and Safe Attachments into a single feature. This feature is designed to protect users in the event a URL points to a malicious file on a web site.

Contoso wants to use Conditional Access with Microsoft Intune to keep its corporate data secure, while giving users an experience that enables them to do their best work from any device, and from any location. What must Contoso do to enable Conditional Access? -Purchase an Azure AD Premium license -Enable it through the Company Portal app -Enable it in Microsoft Defender for Endpoint

Purchase an Azure AD Premium license -Conditional Access is an Azure Active Directory capability that's included with an Azure AD Premium license.

As the Enterprise Administrator for Lucerne Publishing, Allan Deyoung wants to modify Lucerne's Safe Attachments policy. Which option should Allan select that removes an infected attachment and quarantines the message so that only an admin can review, release, or delete it? -Block -Dynamic delivery -Replace

Replace -This option removes an infected attachment. It also quarantines the message so that only an admin can review, release, or delete it.

Once mail enters the Microsoft 365 network, EOP compares file attachments with the results of scans that were previously completed throughout Microsoft 365. It then checks to see if there are specific files - or pieces of files - that were previously identified as malicious that appear to match something in an incoming message. What is the name of this technique? -Machine Learning model -Reputation block -Zero-hour auto purge

Reputation block -Once mail enters the Microsoft 365 network, EOP scans individual files using a technique called reputation block. With reputation block, EOP compares file attachments with the results of scans that were previously completed throughout Microsoft 365. It then checks to see if there are specific files - or pieces of files - that were previously identified as malicious that appear to match something in an incoming message.

As the Enterprise Administrator for Tailspin Toys, Patti Fernandez plans to configure a label policy. Which of the following items can Patti configure in the policy? -Require a justification for changing a label -Apply a default label to a site container -Publish labels to any email-enabled and non-email-enabled security group, distribution group, or Microsoft 365 group

Require a justification for changing a label - If a user tries to remove a label or replace it with a label that has a lower-order number, you can require that the user provide a justification to complete this action.

As the Enterprise Administrator for Contoso, Holly Dickson is reviewing the remote actions the company's Security team can apply to its Windows 10 and later devices from the Microsoft Endpoint Manager admin center. Which action concerns Holly, since it may result in the device owner losing work? -Synchronize device -BitLocker key rotation -Restart

Restart -This remote action forces a Windows 10 and later device to restart, within five minutes. The device owner won't automatically be notified of the restart and may lose work.

What happens when Azure Identity Protection's threat intelligence or advanced machine-learning algorithms indicate that a user's credentials are compromised? -Risk-based conditional access policies can be triggered -Azure AD Multi-Factor Authentication is enabled for the user -Azure Identity Protection notifies the Security Admin of the compromised credentials

Risk-based conditional access policies can be triggered - When Azure Identity Protection's threat intelligence or advanced machine-learning algorithms indicate that a user's credentials are compromised, the risk-based conditional access policies can be triggered. These policies can offer either automatic remediation in the form of blocking the account or, with multifactor authentication, require a user-initiated password change.

As the Enterprise Administrator for Contoso, Holly Dickson is interested in purchasing Windows 11 Enterprise E3 through a CSP partner. By doing so, which of the following benefits would Contoso receive? -Deploy Windows 11 Enterprise edition on up to three devices per licensed user -Roll back to Windows 11 Pro at any time -Annual, per-user pricing model

Roll back to Windows 11 Pro at any time - When a user's subscription expires or Windows 11 Enterprise E3 license is transferred to another user, the Windows 11 Enterprise device reverts seamlessly to Windows 11 Pro edition, after a grace period of up to 90 days.

A DLP policy contains one or more of which item? -Conditions -Actions -Rules

Rules - Rules are what enforce an organization's business requirements on the information that it stores. A policy can contain one or more rules, and each rule consists of conditions and actions.

As the Enterprise Admin for Fabrikam, Holly Spencer is running a pilot project to implement Microsoft Defender for Endpoint. As part of the pilot, Holly has onboarded several devices. What should Holly do next to verify the devices are properly onboarded to the service? -Run a detection test -Use the appropriate management tool for the devices -Correlate EDR insights with endpoint vulnerabilities and process them

Run a detection test -After onboarding devices to the Microsoft Defender for Endpoint service, you can optionally run a detection test to verify the devices are properly onboarded and reporting to the service.

What's the maximum number of compatible segments that can be associated with a site? -100 -200 -250

100 -Up to 100 compatible segments can be associated with a site. The segments are associated at the site level (previously called site collection level).

As the Enterprise Administrator for Fabrikam, Holly Spencer created and ran a Content search. Holly now wants to preview the search results. What's the maximum number of randomly selected items that will be available for Holly to preview? -500 -1000 -2500

1000 - A maximum of 1,000 randomly selected items will be available to preview.

By default, how long does Exchange Online keep deleted items? -10 days -14 days -21 days

14 days - An Exchange Online mailbox keeps deleted items for 14 days by default. However, Exchange Online administrators can change this setting to increase the period up to a maximum of 30 days. Users can recover, or purge, deleted items before the retention time for a deleted item expires.

Contoso uses Microsoft Intune as its mobile device management provider. Contoso's Enterprise Administrator, Holly Dickson, recently learned that Intune deleted several devices. Upon further investigation, Holly discovered the devices' MDM certificates were never renewed and had expired. How many days must a device remain idle after its MDM certificate expires before Intune deletes the devices from its service? -60 days -90 days -180 days

180 days - The MDM certificate renews automatically as long as enrolled devices communicate with the Microsoft Intune service. The MDM certificate doesn't renew for devices that have been wiped, or that fail to sync with Microsoft Intune for an extended period of time. Microsoft Intune deletes idle devices from record 180 days after the MDM certificate expires.

After an organization creates an eDiscovery hold, how long does it usually take for the hold to take effect? -The hold takes effect immediately after being created -12 hours -24 hours

24 hours - After an organization creates an eDiscovery hold, it may take up to 24 hours for the hold to take effect.

How many days of raw data can you explore up to in an advanced threat hunting query? -30 days -60 days -90 days

30 days - Advanced hunting in Microsoft 365 Defender is a query-based threat-hunting tool that lets you explore up to 30 days of raw data.

After a hold is turned off, a grace period (called a delay hold) is applied to content locations that were on hold. How long is this delay hold? -30 days -60 days -90 days

30 days -After the hold is turned off, a 30-day grace period (called a delay hold) is applied to content locations that were on hold. This delay helps prevent content from being immediately deleted. It also provides administrators the opportunity to search for and restore content before it may be permanently deleted after the delay hold period expires.

As the Enterprise Admin for Tailspin Toys, Allan Deyoung disabled a user's archive mailbox. If Allan wants to reconnect the archive mailbox to the user's primary mailbox, how many days does Allan have to reconnect it from the date on which it was disabled? -30 days -45 days -60 days

30 days -After you disable an archive mailbox, you can reconnect it to the user's primary mailbox within 30 days of disabling it. In this case, the original contents of the archive mailbox are restored.

The spoof intelligence insight shows how many days' worth of data? -10 days in the Microsoft 365 Defender portal -30 days when using PowerShell -20 days in the Exchange admin center

30 days when using PowerShell - The Get-SpoofIntelligenceInsight PowerShell cmdlet shows 30 days' worth of data.

Tailspin Toys deleted a sensitivity label that applied to one of its SharePoint sites. What's the typical length of time that it takes for the label to be removed and the label settings to no longer be enforced on the site? -24 to 48 hours -48 to 72 hours -The changes are immediately enforced on the SharePoint site

48 to 72 hours -When you delete a sensitivity label that applies to containers such as a SharePoint site, the label is removed and any settings that were configured with that label are no longer enforced. This action typically takes between 48 and 72 hours for SharePoint sites.

How many policies does insider risk management support for each policy template? -3 -5 -10

5 -Insider risk management supports up to five policies for each policy template. When you create a new insider risk policy with the policy wizard, you must choose from one of the policy templates.

In Microsoft Purview Audit (Standard), how long are records retained for in the audit log? -60 days -90 days -120 days

90 days - When an audited activity is performed by a user or admin, an audit record is generated and stored in the audit log for the organization. In Microsoft Purview Audit (Standard), records are retained for 90 days. As such, organizations can search for activities that occurred within the past three months.

Cloud Discovery uses the event data in an organization's traffic logs to generate a Cloud Discovery report. What's the maximum age a traffic log event can be to appear on a Cloud Discovery report? -30 days old -60 days old -90 days old

90 days old - For a traffic log event to appear on a Cloud Discovery report, it can't be more than 90 days old.

As the Enterprise Administrator for Fabrikam, Holly Spencer just created an eDiscovery case regarding a potential legal issue the company is facing. Holly is especially concerned about preserving content associated with Allan Deyoung, one of the company's Vice Presidents. Allan is the main focus of the legal investigation facing Fabrikam. As such, Holly created an eDiscovery hold to preserve Allan's emails. What must Holly do as part of creating this eDiscovery hold? -Add Allan's mailbox to the hold -Create a search associated with Allan's mailbox -Add Allan as a member of the case

Add Allan's mailbox to the hold -If Holly doesn't add Allan's mailbox to the hold, Allan's email may not be preserved for the case.

As the Enterprise Administrator for Lucerne Publishing, Patti Fernandez has deployed eDiscovery (Premium). Lucerne is responding to a legal case, so Patti created a case for it in the Microsoft Purview compliance portal. Custodians were added to the case, and Patti conducted a search of custodial data sources for relevant data. What's the next step that Patti should complete in the eDiscovery (Premium) workflow? -Reindex custodian data -Add data to a review set -Send a legal hold notification to custodians

Add data to a review set -Once you've configured and verified that a search returns the expected data, the next step is to add the search results to a review set. When you add data to a review set, items are copied from their original location to a secure Azure Storage location. The data is reindexed again to optimize it for thorough and fast searches when reviewing and analyzing items in the review set.

As the Enterprise Administrator for Contoso, Holly Dickson wants to use Windows Autopilot to set up and pre-configure Contoso's new devices to get them ready for productive use. Before Windows Autopilot can be used, which of the following tasks must Holly complete to support the common Autopilot scenarios? -Configure AD DS automatic enrollment -Enable Intune subscription activation -Add devices to Windows Autopilot

Add devices to Windows Autopilot -Devices must be added to Windows Autopilot to support most Windows Autopilot scenarios.

As the Enterprise Administrator for Contoso, Holly Dickson wants to use Intune's Mobile Application Management to manage the lifecycles of Contoso's apps. Holly created a pilot team to test MAM at Contoso. The team identified an app they want to use in the pilot project. What's the first step the team must complete in the lifecycle of this app? -Add the app to Intune -Deploy the app to users and devices -Protect the app data by using app protection policies

Add the app to Intune - The app lifecycle begins when you add an app to Intune.

Contoso is implementing eDiscovery (Premium) in Microsoft Purview. As the Enterprise Administrator for Contoso, Holly Dickson has created an eDiscovery case in the Microsoft Purview compliance portal. The purpose of the case is to address a legal issue facing the company. Several Contoso employees have since been identified as potential persons of interest in the investigation. What should Holly do next? -Place a legal hold on the data sources associated with the case -Add the employees as custodians to the case -Send legal hold notifications to the employees and track their acknowledgments

Add the employees as custodians to the case - After an organization identifies potential persons of interest in an investigation, it can add them as custodians to an eDiscovery (Premium) case. After users are added as custodians, it's easy to preserve, collect, and review custodian documents.

What does insider risk management use to help protect and optimize an organization's risk investigation and review experience? -Alert throttling -User activity reports -Activity explorer

Alert throttling - Insider risk management uses built-in alert throttling to help protect and optimize an organization's risk investigation and review experience. Throttling guards against issues that may result in an overload of policy alerts, for example, misconfigured data connectors or DLP policies. As a result, there might be a delay in displaying new alerts for a user.

Which feature of Microsoft Purview Insider Risk Management is automatically generated by risk indicators that match policy conditions? -Alerts -Security policy violations -Insider risk management workflow

Alerts -Alerts are automatically generated by risk indicators that match policy conditions. Alerts are displayed in the Alerts dashboard.

What's the basis of all incidents and indicates the occurrence of malicious or suspicious events in your environment? -Alerts -Automated investigations -Alert story

Alerts -Alerts are the basis of all incidents and indicate the occurrence of malicious or suspicious events in your environment. Alerts are typically part of a broader attack and provide clues about an incident. In Microsoft 365 Defender, related alerts are aggregated together to form incidents. Incidents will always provide the broader context of an attack. However, analyzing alerts can be valuable when deeper analysis is required.

As the Enterprise Administrator for Northwind Traders, Allan Deyoung is creating a content search. On the Locations page, Allan sets the "Exchange mailboxes" toggle switch to On. What does this enable? -All public folders in Northwind's Exchange Online organization can be placed on hold -Allan can specify the mailboxes to place on hold -All Exchange mailboxes in Northwind's organization can be searched for Teams chat data for on-premises users

Allan can specify the mailboxes to place on hold -Setting this switch to On enables Allan to specify the mailboxes to be placed on hold.

Microsoft Purview Advanced Message Encryption enables administrators to control sensitive emails shared outside the organization. An administrator can do so with the use of which of the following items? -Automatic policies that detect sensitive information types -Third-party applications that scan and modify mail -Active Directory RMS

Automatic policies that detect sensitive information types - Administrators can control sensitive emails shared outside the organization. They can do so by using automatic policies that detect sensitive information types, such as financial or health information.

As the Enterprise Administrator for Lucerne Publishing, Patti Fernandez plans to implement endpoint security using the tools that are available through Microsoft Intune. Patti is planning which methods Lucerne will use to deploy configurations to different devices. In doing so, Patti doesn't want to create policy conflicts when designing Endpoint security policies. Which of the following items should Patti implement to avoid policy conflicts on devices? -Avoid using instances of the same baseline -Use different baselines -Use different policy types to manage the same settings on a device

Avoid using instances of the same baseline -One way to avoid conflicts is to NOT use different baselines, instances of the same baseline, or different policy types and instances to manage the same settings on a device.

As the Enterprise Administrator for Adventure Works Cycles, Patti Fernandez wants to adopt a Zero Trust approach to security protection throughout the organization. Which of the following features is the policy engine at the heart of Microsoft's Zero Trust solution? -Threat Analytics -Microsoft Purview Insider Risk Management -Azure AD Conditional Access

Azure AD Conditional Access - This feature is the policy engine at the heart of Microsoft's Zero Trust solution. It uses authentication context to enforce even more granular policies based on user actions within the app they're using or sensitivity of data they're trying to access. This design helps organizations protect important information without unduly restricting access to less sensitive content.

As Enterprise Administrator for Lucerne Publishing, Inc., Holly Dickson is concerned about several users who recently fell for elevation of privilege attacks. Which of the following strategies can Holly implement to help prevent future elevation of privilege attacks? -Account isolation -Variable password mitigation -Azure AD Multi-Factor Authentication

Azure AD Multi-Factor Authentication -To counter elevation of privilege attacks, it's recommended that you implement multi-factor authentication, especially with admin accounts or accounts with access to sensitive content.

Lucerne Publishing wants to simplify Windows enrollment into Intune for its users. Lucerne has set up Microsoft Intune. It's now ready to enroll Windows devices into Intune. Lucerne wants to enable bulk enrollment. Which of the following features is required to implement bulk enrollment? -Azure AD Premium -Device Enrollment Manager -Conditional Access

Azure AD Premium -To enable bulk enrollment, Azure AD Premium and Windows Configuration Designer are required.

Which of the following is a feature of Azure AD joined devices? -Azure AD join can be configured for all Windows 10 and 11 devices -Azure AD join can use an on-premises domain join -Azure AD join is suitable for both cloud-only and hybrid organizations

Azure AD join is suitable for both cloud-only and hybrid organizations - Any organization can deploy Azure AD joined devices no matter the size or industry. Azure AD join works even in hybrid environments, enabling access to both cloud and on-premises apps and resources.

Which enrollment method requires Azure AD Premium? -Azure AD joined with Autopilot -Azure AD joined -Bring your own device

Azure AD joined with Autopilot - The following enrollment methods require Azure AD Premium: Azure AD joined with Autopilot (including both user-driven mode and self-deploying mode), bulk enrollment, Group policy object, and Co-management.

What does Cloud App Security use to map and identify your cloud environment and the cloud apps your organization is using? -Cloud Discovery -Conditional Access App Control -App Connectors

Cloud Discovery -Cloud App Security integrates visibility with your cloud by using Cloud Discovery to map and identify your cloud environment and the cloud apps your organization is using.

Which of the following Microsoft Defender for Cloud Apps tools uses traffic logs to dynamically discover and analyze the cloud apps that a company's employees use? -Cloud Discovery -App connectors -Conditional Access App Control

Cloud Discovery -Cloud Discovery uses your traffic logs to dynamically discover and analyze the cloud apps that your organization uses. To create a snapshot report of your organization's cloud use, you can manually upload log files from your firewalls or proxies for analysis. To set up continuous reports, use Cloud App Security log collectors to periodically forward your logs.

Which of the following policies looks at the logs you use for discovering cloud apps and searches for unusual occurrences, such as when the number of transactions on a particular app is higher than usual? -Anomaly detection policy -App discovery policy -Cloud Discovery anomaly detection policy

Cloud Discovery anomaly detection policy -Cloud Discovery anomaly detection policies look at the logs you use for discovering cloud apps and search for unusual occurrences, such as when the number of transactions on a particular app is higher than usual.

A user who never used Dropbox before suddenly uploads 600 GB to Dropbox. Which cloud app policy type would detect this type of activity? -Cloud Discovery anomaly detection policy -App discovery policy -Anomaly detection policy

Cloud Discovery anomaly detection policy -Cloud Discovery anomaly detection policies look at the logs you use for discovering cloud apps and search for unusual occurrences, such as when the number of transactions on a particular app is higher than usual. For example, a user who never used Dropbox before suddenly uploads 600 GB to Dropbox.

Which of the following features is the act of moving workloads from Configuration Manager to Intune and telling the Windows client who the management authority is for that particular workload? -Device provisioning -Co-management -Co-existence

Co-management -Co-management is the act of moving workloads from Configuration Manager to Intune and telling the Windows client who the management authority is for that particular workload. For example, you may move Compliance Policies and Device Configuration workloads to Intune while leaving all other workloads set to Configuration Manager.

For Android devices, which app is required to receive app protection policies? -Company Portal -WSATools - APK installer -App Installer

Company Portal - For Android devices, the Company Portal app is required to receive app protection policies.

Which of the following capabilities is provided in both Microsoft Intune and Basic Mobility and Security? -Managed browser -Zero touch enrollment programs -Remote actions

Remote actions - Remote actions are available in both Microsoft Intune and Basic Mobility and Security, although limited functionality is provided in Basic Mobility and Security.

Which layer in the Microsoft Defender for Office 365 protection stack looks for suspicious message structure and word frequency, hyperlinks, and attachments? -Edge protection layer -Content filtering layer -Post-delivery protection layer

Content filtering layer -The primary focus of the Content filtering layer is to check the content of the mail. In doing so, it looks for suspicious message structure and word frequency, hyperlinks, and attachments. Each email is subject to several checks, from mail flow rules to heuristics and machine learning models.

Which element of Compliance Manager defines how an organization assesses and manages system configuration, organizational process, and the people responsible for meeting a specific requirement of a regulation, standard, or policy? -Control -Assessment -Improvement actions

Control -A control is a requirement of a regulation, standard, or policy. It defines how an organization assesses and manages system configuration, organizational process, and the people responsible for meeting a specific requirement of a regulation, standard, or policy.

Fabrikam wants to configure the Autodiscover service to aid its users when they enroll their Windows 10 devices to its MDM authority. What does Fabrikam need to do to configure the Autodiscover service for device enrollment to its MDM authority? -Purchase an Azure AD Premium license -Add an EnterpriseRegistration CNAME DNS record that points to EnterpriseRegistration.windows.net -Create a CNAME record in the external (public) DNS zone that automatically redirects enrollment requests to Intune servers

Create a CNAME record in the external (public) DNS zone that automatically redirects enrollment requests to Intune servers -The Autodiscover service is configured when you create an alias (CNAME resource record type) in the domain DNS zone that automatically redirects enrollment requests to Intune servers.

As the Enterprise Administrator for Tailspin Toys, Allan Deyoung wants to rename a DLP policy whose purpose has changed since he originally created the company's overall DLP strategy. What should Allan do? -Rename the policy -Create a new one with the desired name and then retire the old one -Create a new one with the desired name and leave the old one in place

Create a new one with the desired name and then retire the old one - Policies can't be renamed once they're created. If you must rename a policy, you'll have to create a new one with the desired name and then retire the old one. So decide on the naming structure that all your policies will use now.

As the Enterprise administrator for Fabrikam, Holly Spencer wants to give some of the company's executive personnel read-only access to Microsoft 365 records management features. What should Holly do to assign this permission? -Create a new role group and add the View-Only Record Management role to this group -Add the users to the Records Management admin role group -Create a new role group and add the Records Management role to this group

Create a new role group and add the View-Only Record Management role to this group - For a read-only role, you can create a new role group and add the View-Only Record Management role to this group.

Contoso has decided that when the mail its users receive is from a trusted source, any attachments are assumed to be safe. As the Enterprise Administrator for Contoso, Holly Dickson has been instructed to allow mail with attachments to flow without delay from internal senders. What should Holly do to implement this business requirement? -Create a transport rule and set the "Select the action for unknown malware in attachments" option to Monitor -Create a transport rule and don't select the "Redirect attachment on detection" option -Create a transport rule that bypasses Safe Attachments scanning

Create a transport rule that bypasses Safe Attachments scanning -If an organization wants to implement a policy to allow mail with attachments to flow without delay from internal senders, it can create a mail flow rule in the Exchange admin center. The purpose of this rule would be to bypass Safe Attachments scanning.

As the Enterprise Admin for Lucerne Publishing, Patti Fernandez is in the process of downloading search results. Patti wants to optimize the download experience so that it doesn't adversely affect network traffic. Which of the following guidelines should Patti follow to achieve this goal? -Disable anti-virus scanning for the folder that you download the search result to -Download search results to the same folder for concurrent download jobs -Download search results to a mapped network drive

Disable anti-virus scanning for the folder that you download the search result to - Disabling anti-virus scanning on the folder to which you're downloading search results will help to optimize the download process.

Organizations can classify content using various methods in Microsoft 365. Which method recognizes an item because it's a variation on a template? -Trainable classifiers -Manual classification -Document fingerprinting

Document fingerprinting - Document fingerprinting is a form of automated pattern-matching. It recognizes an item because it's a variation on a template.

As the enterprise administrator for Fabrikam, Holly Spencer is considering whether to create both a device configuration policy and an endpoint detection and response policy to manage the same device setting - in this case, onboarding devices to Microsoft Defender for Endpoint. What could happen if Holly creates these policies? -Fabrikam's devices will report their risk levels to Microsoft Defender for Endpoint -Fabrikam could end up with policy conflicts for devices -Device threat levels will be assessed, and devices that don't meet an acceptable level will either be blocked or selectively wiped.

Fabrikam could end up with policy conflicts for devices - Some organizations use multiple policies or policy types to manage the same device settings (such as onboarding to Microsoft Defender for Endpoint). For example, they may use both a device configuration policy and an endpoint detection and response policy. This practice can result in policy conflicts for devices.

As the Enterprise Administrator for Northwind Traders, Allan Deyoung wants to implement Microsoft Intune as Northwind's MDM authority. Which of the following rules must Allan consider when planning this implementation? -Only Group Policy can manage Windows 10 and 11 devices that are domain members -Only MDM can manage Windows 10 and 11 devices that are domain members -Group Policy and MDM can simultaneously manage Windows 10 and 11 devices that are domain members

Group Policy and MDM can simultaneously manage Windows 10 and 11 devices that are domain members - If a Windows 10 or 11 device is a domain member, it can be managed by Group Policy and MDM at the same time.

Email threading parses each email and deconstructs it down to the individual messages. It then analyzes all emails in the working set to determine whether an email has unique content or if the chain is wholly contained in a different email. At the end of the process, emails are divided into four categories. In which category does the last message in the email have unique content, but the email doesn't contain some of the attachments that were included in other emails of which the content is wholly contained in this email? -Inclusive -Inclusive minus -Inclusive copy

Inclusive minus -In this category, the last message in the email has unique content, but the email doesn't contain some of the attachments that were included in other emails of which the content is wholly contained in this email.

Insider risk settings apply to all insider risk management policies. Which setting includes insider risk policy templates that define the type of risk activities that a company wants to detect and investigate? -Intelligent detections -Indicators -Privacy

Indicators -Insider risk policy templates define the type of risk activities that you want to detect and investigate. Each policy template is based on specific indicators that correspond to particular risk activities. Alerts are triggered by policies when users complete activities related to these indicators.

When the Information Barriers policy administrator makes changes to a policy, what service automatically searches the members to ensure their membership in the team doesn't violate any policies? -Microsoft Purview information compliance service -Microsoft Teams Information Barriers service -Information Barrier Policy Evaluation service

Information Barrier Policy Evaluation service -When the IB policy administrator makes changes to a policy, or when a policy change is activated because of a change to a user's profile (such as for a job change), the Information Barrier Policy Evaluation Service automatically searches the members to ensure their membership in the team doesn't violate any policies.

A Windows 10 or later device can be Co-managed if it's managed by Configuration Manager and enrolled to Intune. What must you do to manage a device by Configuration Manager? -Purchase an Azure AD license -Add the device to the Pilot collection -Install the Configuration Manager client on the device

Install the Configuration Manager client on the device - To be managed by Configuration Manager, you must install the Configuration Manager client on a device.

Holly Spencer is the Enterprise Administrator for Fabrikam. Fabrikam uses Intune as its mobile device management solution. Holly configured multiple compliance policies and an Intune configuration policy. She later discovered that a couple of the settings from the compliance policies overlapped. How will Intune resolve these policy conflicts? -Intune uses the most secure of these policies -The settings in the compliance policy will take precedence over the settings in the Intune configuration policy -The settings in the Intune configuration policy will apply if it's more secure than the compliance policy

Intune uses the most secure of these policies -If policy settings overlap and the organization deployed multiple compliance policies, Intune uses the most secure of these policies.

Microsoft Purview Message Encryption is an online service that's built on Microsoft Azure Rights Management (Azure RMS). Together, Microsoft Purview Message Encryption and Azure RMS provide encryption, identity, and authorization policies to help secure an organization's email. Microsoft Purview Message Encryption enables organizations to encrypt messages by using rights management templates, the Do Not Forward option, and the encrypt-only option. What does Azure RMS do? -It encrypts inbound mail from senders outside of your organization -It updates an organization's existing mail flow rules so that it can use Microsoft Purview Message Encryption with Azure Information Protection -It enables administrators to define transport rules that determine the conditions for encryption

It enables administrators to define transport rules that determine the conditions for encryption - With Azure RMS set up for an organization, administrators can enable message encryption by defining transport rules that determine the conditions for encryption.

How does Azure Identity Protection investigate risk events? -It uses Conditional Access autoremediation to intercept the risk event with an adaptive two-factor challenge -It uses advanced machine learning to detect suspicious activities based on signals -It triggers Risk-Based Conditional Access policies

It uses advanced machine learning to detect suspicious activities based on signals - It uses advanced machine learning to detect suspicious activities based on signals. These activities include brute force attacks, leaked credentials, sign-in from unfamiliar locations, and infected devices.

As the Enterprise Administrator for Contoso, Holly Dickson is considering using Windows Autopilot to set up and pre-configure new Windows 11 devices that will be shared throughout the company. Holly wants to use Windows Autopilot self-deployment mode to deploy Windows 11 to these devices. Which of the following steps must Holly complete to use self-deployment mode? -Join each device to Azure Active Directory -Join each device to on-premises Active Directory -Join each device to Hybrid Azure Active Directory

Join each device to Azure Active Directory - Self-deployment mode requires the devices to be joined to Azure Active Directory.

What's advanced threat hunting based upon? -Event or activity data -Kusto query language -Threat Analytics dashboard

Kusto query language - Advanced hunting is based on the Kusto query language. A Kusto query is a read-only request to process data and return results. The request is stated in plain text, using a data-flow model designed to make the syntax easy to read, author, and automate. The query uses schema entities that are organized in a hierarchy similar to SQL Server's schema design: databases, tables, and columns.

As Enterprise Administrator for Lucerne Publishing, Inc., Holly Dickson is concerned about the recent rash of malware infections that have plagued the company's computers. Holly knows that attackers use JavaScript to exploit users' computers to plant payloads. What else do attackers typically use to plant payloads on users' computers? -Macros -Bulk email -Spam

Macros - Malware uses code to exploit a user's computer. It uses macros and JavaScript to plant payloads such as a virus or Trojan horse.

To help organizations investigate compromised email accounts, Microsoft 365 audits access to mail data by mail protocols and clients. What mailbox-auditing action does Microsoft 365 use in Audit (Premium) to provide this functionality? -MailItemsAccessed -AuditExchangeMail -ExchangeMailActivity

MailItemsAccessed -To help organizations investigate compromised email accounts, Microsoft 365 audits access to mail data by mail protocols and clients. It does so by using the MailItemsAccessed mailbox-auditing action. This audited action can help investigators better understand email data breaches and identify the scope of compromises to specific mail items that may have been compromised.

Intune represents different app configuration policy channels. The channel that an organization selects for a specific app policy is defined in the Device Enrollment Type setting. When an organization configures an app policy, which Device Enrollment Type setting specifically refers to apps deployed by Intune on enrolled devices? -Managed Apps -Managed Devices -Intune App SDK

Managed Devices -This setting refers to apps deployed by Intune on enrolled devices. As such, they're managed by Intune as the enrollment provider.

When a risk event is created, which risk level identifies events that are potentially risky, and any affected user accounts should be remediated? -High -Medium -Low

Medium -A medium risk level event is a potentially risky event. Any affected user accounts should be remediated.

Microsoft Purview Advanced Message Encryption offers extra capabilities on top of the standard Microsoft Purview Message Encryption capabilities. Which of the following items is one of these advanced capabilities? -Using rights management templates to encrypt messages -Message revocation -Do Not Forward option

Message revocation -The advanced capabilities found in Microsoft Purview Advanced Message Encryption include message revocation, message expiration, and multiple branding templates.

As the Enterprise Administrator for Contoso, Holly Dickson has been researching a Microsoft product that will monitor and analyze user activities and information across Contoso's network. This product will then create a behavioral baseline for each Contoso user, which the product will use to identify user anomalies with adaptive built-in intelligence. What is the product that will provide these features for Contoso? -Microsoft Defender for Identity -Microsoft Defender for Endpoint -Microsoft Defender for Office 365

Microsoft Defender for Identity -Microsoft Defender for Identity monitors and analyzes user activities and information across your network. This analysis creates a behavioral baseline for each user. Defender for Identity then uses these behavioral baselines to help identify user anomalies with adaptive built-in intelligence. This reporting provides organizations with insights into suspicious activities and events, revealing the advanced threats, compromised users, and insider threats that they face.

Apps that have been sourced from other Microsoft services can be sourced from either Azure AD or Office Online. Azure AD Enterprise applications are registered and assigned through which of the following portals? -Microsoft 365 admin center -Azure Active Directory admin center -Microsoft Endpoint Manager admin center

Microsoft Endpoint Manager admin center -Apps from other Microsoft services have been sourced from either Azure AD or Office Online. Azure AD Enterprise applications are registered and assigned through the Microsoft Endpoint Manager admin center. Office Online applications are assigned using the licensing controls available in the Microsoft 365 admin center.

Which of the following Microsoft products powers Threat Intelligence in Microsoft 365? -Microsoft AI -Microsoft Threat Management -Microsoft Intelligent Security Graph

Microsoft Intelligent Security Graph - Threat intelligence in Microsoft 365 is powered by the Microsoft Intelligent Security Graph. It consumes billions of packets of information traffic across the Microsoft 365 network, uses artificial intelligence and machine learning capabilities, and integrates this data across different security products to address different attack scenarios.

Which of the following features does Microsoft Threat Protection use to generate meaningful alerts that identify threat components and activities that automated investigation and response (AIR) capabilities can remediate? -Microsoft AI -Microsoft Intelligent Security Graph -Microsoft Threat Management

Microsoft Intelligent Security Graph -The Intelligent Security Graph generates meaningful alerts. These alerts identify threat components and activities that automated investigation and response (AIR) capabilities can remediate.

As the Enterprise Administrator for Fabrikam, Holly Spencer was a bit confused as to how a notice appeared on the Microsoft Purview compliance portal's Home page that indicated someone had sent an email containing a credit card number. Fabrikam's DLP project team, which Holly was leading, had yet to create its first DLP policy. Without a custom DLP policy in place, how could this DLP violation have been caught? -Microsoft Purview DLP includes multiple templates that are constantly checking for specific violations -Microsoft Purview DLP has a default policy that's in-place and running -Exchange Online has a built-in DLP policy that checks for emails containing sensitive data

Microsoft Purview DLP has a default policy that's in-place and running -Before an organization even creates its first Microsoft Purview Data Loss Prevention (DLP) policy, DLP is helping to protect its sensitive information with a default policy. The default policy helps keep an organization's sensitive content secure by notifying it when email or documents containing a credit card number are shared with someone outside the organization. This recommendation is displayed in a tile on the Home page of the Microsoft Purview compliance portal.

The third step in the Microsoft Purview Information Protection framework is Prevent data loss. Which capability of this step helps prevent unintentional sharing of sensitive items? -Endpoint Data Loss Prevention -Microsoft Purview Data Loss Prevention -Sensitivity labels

Microsoft Purview Data Loss Prevention - Microsoft Purview Data Loss Prevention helps prevent unintentional sharing of sensitive items.

As the Enterprise Administrator for Fabrikam, Holly Spencer is searching for a product that will provide a powerful report that enables Fabrikam's Security Operations team to effectively and efficiently investigate and respond to threats. This report should allow the Security Operations team to drill down and understand details related to threats targeting Fabrikam's Microsoft 365 tenant. Which of the following Microsoft products will provide Fabrikam with this functionality? -Microsoft Threat Explorer -Microsoft Threat Dashboard -Microsoft Threat Protection

Microsoft Threat Explorer - Threat Explorer provides a powerful report that enables an organization's Security Operations team to effectively and efficiently investigate and respond to threats. Where the Threat Dashboard provides C-level executives a broad view of the threat landscape, Threat Explorer enables security analysts and admins to drill down and understand details related to threats targeting their tenant.

Which deployment method is image-based and can always be used, regardless of the current device state? -Traditional deployment -Modern deployment -Dynamic deployment

Traditional deployment - These methods are image-based and can always be used, regardless of the current device state. Traditional deployment methods include bare metal deployment and refresh and replace.

As the Enterprise Administrator for Contoso, Holly Dickson has created and published several sensitivity labels. Holly later used the Edit Sensitivity Label wizard to edit the settings in a label that was previously published by using a label policy. What must Holly do next to the edited label for the changes to become available to the same users? -Republish the label policy -Add the label to a new label policy -No extra steps are needed once the wizard is finished

No extra steps are needed once the wizard is finished -If you edit a label that's already published by using a label policy, no extra steps are needed when you finish the wizard. For example, you don't need to add it to a new label policy for the changes to become available to the same users.

As the Enterprise Administrator for Contoso, Holly Dickson wants to implement Co-management. Holly recently purchased an Enterprise Mobility + Security subscription for Contoso. What other license does Holly need to purchase to implement Co-management? -Azure AD Premium -Microsoft Intune -No other license

No other license -Co-management requires an Azure AD Premium license and a Microsoft Intune license. An Enterprise Mobility + Security subscription includes both Azure AD Premium and Microsoft Intune. Since Contoso already purchased an EMS subscription, Holly doesn't need to purchase any other licenses.

A conditional access policy can be created that includes many settings. Which of the following items is an Access Control setting that can be included in a conditional access policy? -Persistent browser session -Users and groups -Device state

Persistent browser session - This access control setting allows users to remain signed in after closing and reopening their browser window.

As the Enterprise Administrator for Fabrikam, Inc., Patti Fernandez is focused on educating Fabrikam's users about the effect of spoofing campaigns on the company. Besides whaling and malware delivery, what's another common intention of a spoofing campaign that Patti must educate Fabrikam's users about? -Phishing -Message deletion -Account isolation

Phishing - Phishing is a technique a hacker uses to retrieve sensitive information such as a user's account credentials. Once an attacker has obtained a user's credentials, the attacker can forge an email header so the message appears to recipients as having been sent from a trusted source.

Fabrikam ran the Co-management Configuration Wizard. Which "Automatic enrollment in Intune" option enabled Fabrikam to automatically enroll selected devices? -Targeted devices -Pilot -Limited

Pilot -The Pilot option should be selected to enroll selected devices.

As the Enterprise Administrator for Fabrikam, Holly Spencer just created an eDiscovery case regarding a potential legal issue the company is facing. Holly is especially concerned about preserving content associated with Allan Deyoung, one of the company's Vice Presidents who's also the main focus of the investigation. What's the next step that Holly should perform? -View search statistics related to content created by Allan Deyoung -Search the content locations associated with the case -Place a hold on the content locations associated with Allan Deyoung

Place a hold on the content locations associated with Allan Deyoung -In the eDiscovery (Standard) workflow, the first step after creating a case is placing a hold (also called an eDiscovery hold) on the content locations of the people of interest in the investigation. Content locations include Exchange mailboxes, SharePoint sites, OneDrive accounts, and the mailboxes and sites associated with Microsoft Teams and Microsoft 365 Groups.

Fabrikam has implemented Microsoft Purview Audit (Premium). It now wants to create appropriate 10-year audit log retention policies for the managers of its security and compliance teams. What must Fabrikam do to enable this functionality? -Configure the 10 year audit log setting in the Microsoft Purview compliance portal -Purchase per-user add-on licenses for each manager -Nothing extra is needed since audit logs are retained by default for 10 years when Audit (Premium) is licensed

Purchase per-user add-on licenses for each manager -In addition to the one-year retention capabilities of Audit (Premium), Microsoft 365 can optionally retain audit logs for 10 years. The 10-year retention of audit logs helps support long running investigations and respond to regulatory, legal, and internal obligations. Retaining audit logs for 10 years requires an extra per-user add-on license. After this license is assigned to a user and an appropriate 10-year audit log retention policy is set for that user, audit logs covered by that policy will start to be retained for the 10-year period.

Office 365 Advanced Message Encryption offers extra capabilities on top of the standard Office 365 Message Encryption capabilities. Which of the following items is a feature of Office 365 Advanced Message Encryption? -Recipients must view and reply to secure mail through the encrypted message portal -Message revocation and expiration only work for emails that users send to recipients inside their Microsoft 365 organization -Organizations can revoke messages and apply expiration dates to any messages that users receive

Recipients must view and reply to secure mail through the encrypted message portal -To use the capabilities of Office 365 Advanced Message Encryption, recipients must view and reply to secure mail through the encrypted message portal.

As Tailspin Toys' Enterprise Administrator, Allan Deyoung wants to implement Microsoft Identity Manager to help protect Tailspin's privileged accounts. Allan wants to begin by implementing passwordless authentication. Allan has enforced multifactor authentication and removed passwords. What's the next task that Allan should complete to set up passwordless authentication at Tailspin Toys? -Reduce legacy authentication workflows -Run Azure AD Connect to make the users and permissions available in Azure AD for Microsoft 365 and cloud-hosted apps -Run the Discovery and Insights tool

Reduce legacy authentication workflows -Allan should place apps that require passwords into a separate user access portal and migrate users to modern authentication flows.

Organizations should follow five steps to secure their identity infrastructure. Four of these steps include strengthening your credentials, automating threat response, increasing your awareness, and enabling user self-help. What is the fifth step to secure their identity infrastructure? -Implement multi-factor authentication -Reducing the time criminals have to embed themselves into your environment -Reduce your attack surface area

Reduce your attack surface area -To make life harder for hackers, reduce your attack surface area by eliminating the use of older, less secure protocols, limiting access entry points, and exercising more significant control of administrative access to resources.

Fabrikam has created an MDM policy in Intune that enables its manufacturing design engineers to remotely access the company's proprietary fabrication system. This system contains all the company's top secret design specs for its automotive parts division. What must Fabrikam do to enforce the Intune policy so that its design engineers can access the fabrication system remotely? -Require biometric device sign-in -Register each engineer's remote device with Azure AD -Enable phone sign-in with the Microsoft Authenticator app

Register each engineer's remote device with Azure AD - Once an engineer's remote device is registered with Azure AD, Fabrikam's required Intune policy will be enforced, and the engineer will have access to the company's fabrication system.

Contoso wants to evaluate how attack surface reduction rules would affect its line-of-business applications if the rules are enabled. What should Contoso do so that it can understand how the rules would affect its line-of-business applications? -Run all attack surface reduction rules in warn mode -Run all attack surface reduction rules in audit mode first -When testing rules, run obfuscated or suspicious scripts

Run all attack surface reduction rules in audit mode first -Organizations should use audit mode to evaluate how attack surface reduction rules would affect them if enabled. They should also run all rules in audit mode first so they can understand how the rules affect their line-of-business applications. Many line-of-business applications are written with limited security concerns. As such, they may perform tasks in ways that seem similar to malware. By monitoring audit data and adding exclusions for necessary applications, organizations can deploy attack surface reduction rules without reducing productivity.

As the Enterprise Administrator for Lucerne Publishing, Inc., Allan Deyoung is interested in implementing Microsoft Defender for Office 365. Allan is especially interested in providing time-of-click protection, which prevents users from going to malicious web sites. Which Microsoft Defender for Office 365 feature provides this functionality? -Safe Links -Spoof intelligence -Anti-phishing

Safe Links - Safe Links provides time-of-click protection. This feature prevents users from going to malicious web sites and phishing scams when they select links in email and documents.

Tailspin Toys has implemented Microsoft Purview Audit (Premium). It set up Audit (Premium) for its users. It's now enabling Audit (Premium) events to be logged. Which of the following items is an Audit (Premium) event that Tailspin Toys must enable? -ExchangeQueryInitiated -SearchQueryInitiatedSharePoint -InitiateOneDriveQuery

SearchQueryInitiatedSharePoint -You must enable the following Audit (Premium) events to be logged so that users can perform searches in Exchange Online and SharePoint Online: SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint.

Which of the following statements accurately reflects Secure Score functionality? -Secure Score displays the possible improvements you can make depending on the product licenses your organization owns -Secure Score isn't an absolute measurement of how likely your system or data will be breached -Secure Score syncs weekly to receive system data about your achieved points for each action

Secure Score isn't an absolute measurement of how likely your system or data will be breached - Microsoft Secure Score is a numerical summary of your security posture based on system configurations, user behavior, and other security-related measurements. It's not an absolute measurement of how likely your system or data will be breached. Rather, it represents the extent to which you have adopted security controls in your Microsoft 365 environment that can help offset the risk of being breached.

Which of the following statements accurately reflects Secure Score functionality? -All improvement actions only give points when fully completed -The highest ranked improvement actions have a large number of points remaining with high difficulty, user impact, and complexity -Secure Score shouldn't be interpreted as a guarantee against security breach in any manner

Secure Score shouldn't be interpreted as a guarantee against security breach in any manner - Secure Score isn't an absolute measurement of how likely your system or data will be breached. Rather, it represents the extent to which you have adopted security controls in your Microsoft 365 environment that can help offset the risk of being breached. No online service is immune from security breaches. Secure Score shouldn't be interpreted as a guarantee against security breach in any manner.

Tailspin Toys is a well-managed, security-conscious organization in which standard end users don't have administrative rights. Tailspin is new to Intune, which it wants to use to help protect its users and devices. Allan Deyoung, Tailspin Toys' Enterprise Administrator, isn't sure where to start. Which of the following items should Allan use that will give him an advantage by enabling him to quickly create and deploy a secure profile, knowing that it will help protect Tailspin's resources and data? -Device-compliant conditional access policies -App-based conditional access policies -Security baselines

Security baselines - If you're new to Intune, and not sure where to start, then security baselines give you an advantage. You can quickly create and deploy a secure profile, knowing that you're helping protect your organization's resources and data. Baselines are designed for well-managed, security-conscious organizations in which standard end users don't have administrative rights.

As the Enterprise administrator for Lucerne Publishing, Patti Fernandez wants to implement mobile application management (MAM) in Intune. By doing so, which of the following tasks can Patti do? -See reports on which apps are used and track their usage -Do a selective wipe by removing only personally owned data from apps -Protect organization data on store apps only

See reports on which apps are used and track their usage -When apps are managed in Intune, administrators can add and assign mobile apps to user groups and devices, configure apps to start or run with specific settings enabled, see reports on which apps are used and track their usage, and do a selective wipe by removing only organization data from apps.

Northwind Traders recently purchased a dozen new devices from its hardware vendor. As the Enterprise Administrator for Lucerne Publishing, Allan Deyoung used the Windows Autopilot self-deployment mode to deploy Windows on each new device. An IT administrator who later used one of the devices told Allan that some Azure AD and Intune capabilities weren't available on the device, including BitLocker recovery and Conditional Access. Why were these features missing when the user signed into the device? -Self-deploying mode doesn't associate a user with the device -The device doesn't support TPM 2.0 -The device doesn't support TPM device attestation

Self-deploying mode doesn't associate a user with the device - Self-deploying mode doesn't associate a user with the device, since no user ID or password is specified as part of the process. As a result, some Azure AD and Intune capabilities such as BitLocker recovery, installation of apps from the Company Portal, and Conditional Access may not be available to a user that signs into the device.

As the Enterprise Administrator for World Wide Importers, Allan Deyoung wants to create a DLP policy to identify, monitor, and protect sensitive information across the company's Microsoft 365 tenant. As part of the DLP policy, Allan wants to configure it to send both user notifications and policy tips. Which of the following items is an action that Allan can configure when sending an email notification or a policy tip? -Send email notifications to groups -Send policy tips when editing existing content -Send email notifications to external senders

Send policy tips when editing existing content -Only new content will trigger an email notification. Editing existing content will trigger policy tips, but not email notifications.

Because EOP sometimes can't determine the validity of the spoofing attempt, it supports three email authentication techniques to aid in detecting legitimate cases of spoofing while preventing unwanted spoofing and phishing. Two of these techniques are Domain Keys Identified Mail (DKIM) and Domain-based Message and Reporting Compliance (DMARC). What is the third technique that EOP uses to help prevent unwanted spoofing and phishing? -Zero-Hour Auto Purge -Reputation block -Sender Policy Framework (SPF)

Sender Policy Framework (SPF) -A Sender Policy Framework TXT record is a DNS record that helps to prevent spoofing and phishing. It does so by verifying the domain name from which email messages are sent. SPF validates the origin of email messages by verifying the IP address of the sender against the supposed owner of the sending domain. This process enables SPF to determine if a sender is permitted to send on behalf of a domain.

When using a policy tip to override a rule, the option to override is per rule. As such, it overrides all the actions in the rule, with one exception. Which of the following actions is the one exception? -Sending a notification -Block access to the content -Restrict copying a sensitive item to a removable USB device

Sending a notification - The option to override is per rule. It overrides all the actions in the rule, with one exception. The Sending a notification action can't be overridden.

Which of the following features gets embedded in a document so that it follows the document everywhere it goes? -Sensitivity label -Retention label -Data classification label

Sensitivity label -A sensitivity label is simply a tag that indicates the value of the item to an organization. It can be applied manually or automatically. Once applied, the label gets embedded in the document. By doing so, it follows the document everywhere it goes.

Microsoft released an update to one of the security baselines used by Fabrikam. As the Enterprise Administrator for Fabrikam, Holly Spencer was notified that a new version of the baseline was released. However, since she was satisfied with the existing profile that used the older baseline, Holly decided not to upgrade to the new version. Instead, Fabrikam continued using the older version. 6 months later, Holly attempted to edit the settings for the profile. However, the system didn't allow her to update the profile settings. Why couldn't Holly update the profile settings? -Baseline profiles that don't use the latest version are automatically placed on hold -Settings in baseline profiles that don't use the latest version become read-only -Baseline profiles that don't use the latest version are disabled

Settings in baseline profiles that don't use the latest version become read-only -When a new version for a baseline is released, existing profiles don't upgrade to the new baseline version automatically. As such, settings in baseline profiles that don't use the latest version become read-only. Organizations can continue using those older profiles, including editing their name, description and assignments. However, they won't be able to edit settings for them or create new profiles based on the older versions.

Fabrikam has submitted a retention policy for workloads. How long can it take for the policy to take effect? -Five days -Seven days -10 days

Seven days -When you create and submit a retention policy, it can take up to seven days for the retention policy to take effect.

Which mechanism in the anti-malware pipeline is effective in catching up to 80% of commodity malware coming into the Microsoft 365 network? -Signature-based anti-virus scanners -Sender reputation -DomainKeys Identified Mail (DKIM)

Signature-based anti-virus scanners - Once mail passes through the first entry point in Microsoft 365, it's scanned by multiple signature-based anti-virus scanners. This process alone is effective in catching up to 80% of commodity malware coming into the network.

Which of the following payloads can be delivered through malware? -Spam -Spyware -Data exfiltration

Spyware -Spyware is often used to gather information about internet activity, keystrokes, passwords, and other sensitive data. Spyware can also be used as adware, where the software delivers pop-up ads and tracks user behavior.

As the Enterprise Admin for Lucerne Publishing, Patti Fernandez wants to implement a device discovery mode that enables endpoints to actively find devices in the company's network. Patti wants to implement a mode that enriches the collected data for devices and finds more devices than any other mode. Which device discovery mode should Patti implement to achieve these goals? -Basic discovery -Enhanced discovery -Standard discovery

Standard discovery -This mode enables endpoints to actively find devices in a network to enrich collected data and discover more devices. This process helps organizations build a reliable and coherent device inventory. This process finds even more devices than Basic mode. Standard mode uses smart, active probing to discover more information about observed devices to enrich existing device information.

As the Enterprise Administrator for Tailspin Toys, Allan Deyoung is interested in purchasing Windows 10 Enterprise E3 through a CSP partner. By doing so, which of the following benefits would Tailspin Toys receive? -Windows 10 can use the Long-Term-Servicing Channel (LTSC) -Roll back to Windows 10 Pro at any time after a grace period of up to 30 days -Support from one user to hundreds of users

Support from one user to hundreds of users -Although the Windows 10 Enterprise E3 in CSP program doesn't have a limitation on the number of licenses that a company can use, the offering is designed for small- and medium-sized companies.

As the Enterprise Administrator for Lucerne Publishing, Patti Fernandez wants to start deploying Windows 10 Enterprise E3 licenses to Lucerne's users. Before doing so, what must Patti do first? -Sync the identities in Lucerne's on-premises AD DS domain with Azure AD -Use Windows PowerShell to verify whether a firmware-embedded activation key is present on each user's device -Ensure Lucerne's Windows Client Software Assurance (SA) agreement provides Lucerne's users with virtual desktop access rights

Sync the identities in Lucerne's on-premises AD DS domain with Azure AD - Before an organization can start deploying Windows 10 Enterprise E3 or E5 licenses to users, it must sync the identities in the on-premises AD DS domain with Azure AD. This process is required because it ensures that users have a single identity they can use to access their on-premises apps and cloud services that use Azure AD, such as Windows 10 Enterprise E3 or E5.

As the Enterprise Administrator for Lucerne Publishing, Inc., Holly Spencer wants to implement a Zero Trust network approach. Which of the following items will help Holly control access to resources at Lucerne Publishing? -External sharing policies -Terms of use -Data loss prevention policies

Terms of use - Access can be controlled with extra authentication challenges (for example, multifactor authentication), Terms of Use, or access restrictions.

As the Enterprise Administrator for Fabrikam, Holly Spencer created a Safe Attachments policy and set the action to "Dynamic delivery". What will happen when an email message is received that has an infected attachment? -The message is updated with an attachment that tells the recipient the original attachment was infected with malware -The attachment will be included with the original message in the user's inbox along with a warning message indicating the attachment is infected -The message is sent to the user's inbox with no attachment

The message is updated with an attachment that tells the recipient the original attachment was infected with malware - Dynamic delivery allows the user to read and respond to the email while the attachment is being scanned. The user receives the email, but in place of the attachment that was originally sent, the user receives a placeholder attachment, which notifies the user the original attachment is currently being scanned. If the scanned attachment is considered infected, the message is updated with an attachment that tells the recipient the original attachment was infected with malware.

Contoso had been running Windows 10 Pro edition on all its devices. It recently purchased a Windows 10 Enterprise E3 online service subscription. Contoso is using Azure AD, and it has assigned a Windows 10 license to all of its users. All of Contoso's users will be signing in to their devices using the Azure AD credentials associated with their Windows 10 Enterprise E3 license. What will happen to their device when they sign in? -Each device will run Contoso's Windows 10 provisioning package to install Windows 10 Enterprise -The operating system turns from Windows 10 Pro to Windows 10 Enterprise with no keys and no reboots -The operating system turns from Windows 10 Pro to Windows 10 Enterprise and each user will have to reboot their device to unlock the Windows 10 Enterprise features

The operating system turns from Windows 10 Pro to Windows 10 Enterprise with no keys and no reboots - When a licensed user signs in to a device by using the Azure AD credentials associated with a Windows 10 Enterprise E3 or E5 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise with no keys and no reboots, and all the Windows 10 Enterprise features are unlocked.

It can be difficult for organizations to review all the collected documents in a review set when a large number of documents are involved. eDiscovery (Premium) provides a set of tools to make the review process more manageable, efficient, and effective. In the "Near duplicate detection" tool, once all documents have been compared and grouped, what is a document from each group marked as? -The pivot -The theme -The primary

The pivot -Once all documents have been compared and grouped, a document from each group is marked as the pivot. When reviewing your documents, you can review a pivot first and review the other documents in the same near duplicate set. This process enables you to focus on the difference between the pivot and the document that's in review.

Because Contoso is a financial securities broker, it must comply with the Securities and Exchange Commission rule 17a-4. This rule outlines requirements for data retention, indexing, and accessibility for companies such as Contoso that deal in the trade or brokering of financial securities. This type of retention functionality is called a preservation lock, which is a lock that can be applied to a retention policy. Which of the following restrictions is associated with a retention policy that has a preservation lock applied to it? -The content that's subject to the locked retention policy can only be modified or deleted during the retention period -Only a Global administrator can make a locked retention policy less restrictive -The preservation lock can never be removed from a retention policy once it's been applied

The preservation lock can never be removed from a retention policy once it's been applied -Preservation Lock locks a retention policy or retention label policy so that no one—not even an administrator—can turn off the policy, delete the policy, or make it less restrictive.

Lucerne Publishing recently purchased a dozen new Windows 11 laptops from its local hardware vendor. When the users turn on these new computers, the Out of Box Experience (OOBE) setup phase occurs. In this phase, Windows performs several tasks, such as asking for the keyboard layout and EULA acceptance. Of all the OOBE setup phase tasks, which one is unacceptable for many companies because it can cause serious problems? -Windows asks if the computer should be joined to AD DS or Azure AD -The user is automatically assigned to the local Administrators group -Windows asks about the privacy settings to be used

The user is automatically assigned to the local Administrators group -The OOBE setup phase automatically assigns the user to the local Administrators group. This assignment is unacceptable for many companies because it can cause serious problems. For example, users with local admin rights can install/uninstall any software or modify the configuration of the system in such a way that could damage the system.

When Safe Links is enabled, what does it do when it encounters a malicious link? -All links are removed from the message -The user is blocked from continuing to the site, and the browser displays a warning page -An email notification is sent to the user indicating the URL in the original message was blocked

The user is blocked from continuing to the site, and the browser displays a warning page - An MX record ensures that email sent to the tenant's domain will arrive in mailboxes hosted in Exchange Online through the EOP service.

What happens if the segments associated with a user's OneDrive don't match the segment applied to the user? -The user won't be able to access their OneDrive -Any changes you make will be overwritten -The IB mode of the OneDrive is automatically updated to Open

The user won't be able to access their OneDrive - If the segments associated with a user's OneDrive don't match the segment applied to the user, the user won't be able to access their OneDrive. Be careful not to associate any segments with the OneDrive of a non-segment user.

As the Enterprise Administrator for Contoso, Holly Dickson is managing Contoso's pilot project that's testing in-place archiving. As part of the pilot, Holly configured Outlook in cached mode on a laptop belonging to a pilot project teammate. The result of this action was twofold. First, Holly saw that the amount of space required for caching on the laptop was reduced. Second, the user was only able to access their archive mailbox content when the laptop was connected to Exchange. What was the cause of these two issues after Holly configured Outlook in cached mode on the laptop? -The user's archive mailbox wasn't cached on the laptop -By configuring Outlook in cached mode, the user's mail content was stored in a .pst file on the laptop -When you use cached mode for your primary mailbox, a local index is created on your computer

The user's archive mailbox wasn't cached on the laptop - Even if Outlook is configured in cached mode, the archive mailbox isn't cached on the client computer. This process reduces the amount of space required for caching on the client. It also means the user can access the archive mailbox content only when connected to Exchange.

Contoso plans to use Endpoint data loss prevention to extend the activity monitoring and protection capabilities of DLP policies to sensitive items that are physically stored on its Windows 10 and Windows 11 devices. What's the time lag that Contoso must plan for when DLP policies and policy updates are distributed to individual devices? -One hour -24 hours -There's no time lag

There's no time lag - In Microsoft Purview, DLP policy evaluation of sensitive items occurs centrally. As such, there's no time lag for policies and policy updates to be distributed to individual devices. When a policy is updated in the Microsoft Purview compliance portal, it generally takes about an hour for those updates to be synchronized across the service. Once policy updates are synchronized, items on targeted devices are automatically reevaluated the next time they're accessed or modified.

Patti Fernandez was recently hired as the new Enterprise Admin for Lucerne Publishing. Upon reviewing the company's Microsoft 365 deployment, Patti discovered that several users appeared on the Restricted users page in the Microsoft 365 Defender portal. What was the likely cause of these users being blocked from sending email? -They were using the company's Exchange Online service to send out personal emails -They exceeded one of the company's outbound sending limits -They sent out emails containing personal photographs

They exceeded one of the company's outbound sending limits -Blocked users are potentially compromised users. They may have exceeded one of their company's outbound sending limits. Or, they may have exceeded the sending limits in their company's outbound spam policies. Sending limits apply to the number of recipients, number of messages, and number of recipients per message that a user can send from their Exchange Online account.

When organizations create policies or profiles, how can they deploy them? -They must be assigned directly to individual users -They must be assigned directly to individual devices -They must be assigned to groups of users

They must be assigned to groups of users -When organizations create policies or profiles, they can only deploy them by assigning them to groups of users. They can't assign them directly to individual devices or users.

Which of the following items is a feature of hybrid Azure AD joined devices? -They can be Windows 10/11 devices, iOS/Android devices, and macOS devices -They can be used in both hybrid and cloud-only organizations -They must be connected to an organization's on-premises domain controllers

They must be connected to an organization's on-premises domain controllers -Hybrid Azure AD joined devices require periodic network line of sight to an organization's on-premises domain controllers. Without this connection, devices become unusable. If this requirement is a concern, organizations should consider Azure AD joining their devices.

Northwind Traders uses Basic Mobility and Security as its MDM authority. Northwind had several devices whose MDM certificates expired over a year ago. The certificates were never renewed. What was the effect on the devices? -They were automatically removed from Basic Mobility and Security 90 days after certificate expiration -They were automatically removed from Intune 180 days after certificate expiration -The users could still access Microsoft 365 email and documents, but the devices were no longer managed by MDM

They were automatically removed from Intune 180 days after certificate expiration - This certificate is used to communicate with Intune, even if you're using Basic Mobility and Security (remember, Basic Mobility and Security is hosted by the Intune service and includes a subset of Intune services). The certificate is renewed automatically when the device communicates with Intune. If the certificate expires, the device is no longer managed by MDM. If the certificate isn't renewed, the device is automatically removed from Intune after 180 days.

As the Enterprise Administrator for Lucerne Publishing, Patti Fernandez recently got Windows 10 Enterprise E3 licenses for free because of Lucerne's existing Enterprise Agreement (EA) with Microsoft. Patti then assigned the licenses to Lucerne's Azure AD users. What will happen to Lucerne's Windows 10 devices that have Windows 10 Pro installed? -Patti must use PowerShell to activate the firmware-embedded activation key, which will trigger the upgrade to Windows 10 Enterprise -If a firmware-embedded activation key is present on the machines, Patti can deploy a provisioning package to deploy Windows 10 Enterprise -They'll be automatically upgraded to Windows 10 Enterprise and activated when users sign in

They'll be automatically upgraded to Windows 10 Enterprise and activated when users sign in - If you're an existing EA customer, you can get Windows 10 Enterprise E3 or E5 licenses for free, depending on your EA. You can then assign the licenses to Azure AD users or groups. By doing so, Windows 10 Pro devices will be automatically upgraded and activated when users sign in.

Northwind Traders has several users who use iOS devices. Allan Deyoung, Northwind's Enterprise Administrator, obtained an APNS certificate so that the iOS devices can be enrolled and managed by Northwind's MDM. Allan added the APNS certificate to Intune. It's now up to Northwind's users to enroll their iOS devices for MDM. How can they enroll their iOS devices to Northwind's MDM? -Through the Company Portal app -Through the Configuration Manager portal -Through the Microsoft 365 Device Enrollment Program

Through the Company Portal app -Northwind's users can enroll their Apple devices to MDM through the Company Portal app.

As the Enterprise Administrator for Northwind Traders, Allan Deyoung wants to change Northwind's MDM authority from Configuration Manager MDM Authority to Intune MDM Authority. How should Allan make this change? -Allan should contact Microsoft Support to make this change for Northwind Traders -Unenroll the existing managed devices, make the change through the Intune portal, then reenroll the devices -Through the Configuration Manager console

Through the Configuration Manager console -If an organization wants to change its MDM authority setting, it can do so by using the Configuration Manager console.

When a user selects a link in an email and the target web site is later identified as malicious, what does the Safe Links process automatically do? -Warns the user the URL is malicious -Removes all links in the message -Navigates to the target web site

Warns the user the URL is malicious -When a user selects a link in an email and the target web site is later identified as malicious, the Safe Links process automatically warns the user.

As the Enterprise Administrator for Fabrikam, Holly Spencer is interested in implementing Microsoft Secure Score. Holly has researched this product and discovered that the Secure Score framework is based on a score relative to three factors. The first two factors are the features that have been enabled by the organization, and the features that are available in the service. What is the third factor upon which the Secure Score framework is built? -What the risks might look like -The roadmap of recommended actions -The security recommendations that address possible attack surfaces

What the risks might look like - The Secure Score framework is based in part on a score relative to what the risks might look like.

When a trainable classifier initially builds its model, what's the model based on? -Microsoft's pre-defined classification items -What you seed it with -Industry-standard classification items

What you seed it with - To create a trainable classifier, an organization must first present it with many samples of the type of content that are in the category. This feeding of samples to the trainable classifier is known as seeding. An organization must select the seed content that it wants to use to represent the category of content.

As the Enterprise Admin for Lucerne Publishing, Patti Fernandez noticed that mailbox audit events for some users weren't found in audit log searches. This situation occurred when Lucerne's compliance team used either the Microsoft Purview compliance portal or the Office 365 Management Activity API to run the search. What was the probable cause of this situation? -The missing events were administrator activity for Azure AD-related events -The compliance team should have used the Search-UnifiedAuditLog cmdlet to run the search -When either of these search methods is used, mailbox audit events are returned only for users with E5 licenses

When either of these search methods is used, mailbox audit events are returned only for users with E5 licenses - Even when mailbox auditing is turned on by default for an organization, mailbox audit events for some users won't be found in audit log searches when the organization uses any of the following methods: the Microsoft Purview compliance portal, the Search-UnifiedAuditLog cmdlet, or the Office 365 Management Activity API. Why? Because mailbox audit events are returned only for users with E5 licenses when you use one of these methods to search the unified audit log.

As the Enterprise Administrator for Contoso, Holly Dickson is creating a sensitivity label. When Holly defined the scope for the label, she configured the label settings. What else can Holly define as part of the label's scope? -Where the label will be visible to users -A help link to a custom help page -Choose which users and groups see the label

Where the label will be visible to users -A label's scope determines two things - the label settings for that label and where the label will be visible to users.

As the Enterprise Administrator for Northwind Traders, Allan Deyoung wants to update all the company's Windows 11 devices, which already have Windows 11 preinstalled. Allan wants to customize them to adhere to company policy without reinstallation. Which of the following deployment options should Allan use given the current state of Northwind's devices? -In-place upgrade -Migration -Windows Autopilot

Windows Autopilot - When devices already have Windows 10 or later preinstalled and an organization wants to customize them to adhere to company policy without reinstallation, use provisioning or Windows Autopilot. Windows Autopilot is considered the modern way of deploying Windows 10 and later.

As the Enterprise Administrator for Fabrikam, Inc., Allan Deyoung wants to implement a Zero Trust security model across the organization. What tool can Allan use to help determine where Fabrikam is in its journey across its identities, devices, apps, infrastructure, network, and data? -Azure AD Conditional Access wizard -Zero Trust Assessment -Microsoft Defender for Office 365

Zero Trust Assessment -The Zero Trust Assessment tool will help you determine where you are in your journey across your identities, devices, apps, infrastructure, network, and data.

Data classification in Microsoft 365 scans an organization's sensitive content and labeled content before the organization creates any policies. What is this process known as? -Trainable classifiers -Data protection baseline assessment -Zero change management

Zero change management - Data classification in Microsoft 365 scans an organization's sensitive content and labeled content before the organization creates any policies. This process is called zero change management. It enables an organization to see the effect that all the retention and sensitivity labels are having in its environment. It also empowers the organization to start assessing its protection and governance policy needs.

Which of the following items is an email protection feature in the Exchange Online Protection service that detects messages with spam or malware that previously went undetected and were delivered to users' Inboxes? -DomainKeys Identified Mail (DKIM) -Zero-hour Auto Purge (ZAP) -Domain-based Message Authentication, Reporting, and Conformance (DMARC)

Zero-hour Auto Purge (ZAP) -Zero-hour Auto Purge (ZAP) is an email protection feature in EOP. ZAP detects messages with spam or malware that previously went undetected and were delivered to users' inboxes. ZAP's ability to detect infected messages is usually because of evolving heuristic and delivery patterns, and content that's weaponized after being delivered to users.

As the Enterprise Administrator for Contoso, Holly Dickson has found that Contoso's IT staff is constantly asking questions about co-managing devices and hybrid Azure AD-joined devices. They keep confusing these two services. To help clarify this situation, Holly has told them to remember one fact - Co-management and Azure AD are different types of options. Co-management is a device management option. What type of option is Azure AD? -a Mobile Desktop Management option -an identity option -an autoprovisioning option

an identity option -Azure AD is an identity option, whereas co-management is a device management option.

