SC-900 Practice Test 7
Question 1 of 56
Which of the following Microsoft services offers XDR (Extended Detection and Response) capabilities for email messages?
Choose the best option.
Explanation:
Microsoft offers its XDR technologies under the Microsoft Defender brand, in two product families:
· Microsoft 365 Defender (for end-user environments)
· Azure Defender (for cloud and hybrid infrastructure)
Reference Link: https://www.microsoft.com/security/blog/2020/09/22/microsoft-unified-siem-xdr-modernize-security-operations/
Microsoft 365 Defender is a unified enterprise defense suite that comprises:
· Microsoft Defender for Endpoint
· Microsoft Defender for Office 365 (for documents and email messages)
· Microsoft Defender for Identity
· Microsoft Cloud App Security
So the correct answer to this question is Microsoft 365 Defender; the component that actually covers email is Microsoft Defender for Office 365, which would be the more specific answer.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-threat-protection-with-microsoft-365-defender/2-describe-services
Although Azure Defender offers XDR capabilities, it is an incorrect choice because it does not protect email messages.
Azure Sentinel is a cloud-native SIEM/SOAR solution, not an XDR product, so it is an incorrect choice.
Reference Link: https://docs.microsoft.com/en-us/azure/sentinel/overview
Microsoft Cloud App Security, a component of Microsoft 365 Defender, protects your cloud apps, not email messages.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-threat-protection-with-microsoft-365-defender/2-describe-services
Question 2 of 56
Which of the following phases will be the first step in your Azure adoption lifecycle?
Explanation:
The Cloud Adoption Framework lifecycle is composed of the following phases:
· Strategy
· Plan
· Ready
· Migrate
· Innovate
· Govern
· Manage
Strategy is the first phase of the Azure adoption lifecycle. In the Strategy phase, you:
· Define your motivations
· Document business outcomes
· Develop a business case
· Choose your first project
Strategy is the correct answer.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-resource-governance-capabilities-azure/5-describe-cloud-adoption-framework https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/strategy/
Question 3 of 56
Which of the following technologies verifies if the contents of a message are tampered with?
Explanation:
Signing (with a digital signature) lets the recipient verify whether the contents of a message have been tampered with, and also who produced it, because only the holder of the private key can create a signature that verifies. Signing is the correct choice.
Encryption transforms a message so that anyone without the key sees only ciphertext; it provides confidentiality, not tamper detection.
Hashing converts data to a fixed-length hash value (which looks encrypted but is not reversible). Hashing is used, for example, to store passwords so that the plaintext password is never kept. A bare hash does not prove integrity against a deliberate attacker, because whoever alters the message can simply recompute the hash; signing combines a hash with a private key precisely to close that gap.
Encoding converts data from one format to another (Base64 or URL encoding, audio/video codecs). It is reversible by anyone and is not a security control.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-security-concepts-methodologies/6-describe-ways-encryption-hashing-signing-secure-data
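The distinction between a bare hash, a signature and an encoding is easiest to see when an attacker actually sits on the channel. The following Python example is added here and is not part of the practice test or of any Microsoft documentation. It uses only the standard library, so an HMAC with a shared secret stands in for the digital signature (the tamper-evidence property is the same: the attacker cannot produce a valid tag without the key); the messages are constructed samples.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Tuple

# Constructed sample messages (not from the page): a payment instruction
# and the same instruction after an attacker changes the amount.
ORIGINAL = b"Transfer 100 EUR to account 12345"
TAMPERED = b"Transfer 900 EUR to account 12345"


def sha256_hex(data: bytes) -> str:
    """Unkeyed hash. Detects accidental corruption only: anyone who can
    change the message can also recompute a matching hash."""
    return hashlib.sha256(data).hexdigest()


def sign(key: bytes, message: bytes) -> bytes:
    """Keyed tag (HMAC-SHA256) standing in for a digital signature: only a
    holder of the key can produce a tag that verifies. A real signature
    uses a private key and asymmetric crypto; the tamper-evidence shown
    here is the same."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(sign(key, message), tag)


def relay_with_hash(message: bytes) -> Tuple[bytes, str]:
    """Model of an attacker on the channel: discards the original, sends
    TAMPERED instead and recomputes the unkeyed hash so that the pair
    still looks consistent to the receiver."""
    _ = message
    return TAMPERED, sha256_hex(TAMPERED)


def hash_check_catches_tampering() -> bool:
    """Receiver verifies the hash it was sent. Returns False: the forged
    pair passes, so a bare hash did not reveal the tampering."""
    msg, digest = relay_with_hash(ORIGINAL)
    return sha256_hex(msg) != digest


def signature_catches_tampering(key: bytes) -> bool:
    """Receiver verifies the tag against the received message. The attacker
    can change the message but cannot forge a tag without the key, so
    verification fails and the tampering is detected. Returns True."""
    tag = sign(key, ORIGINAL)  # produced by the legitimate sender
    return not verify(key, TAMPERED, tag)


def encoding_is_reversible(data: bytes) -> bool:
    """Encoding (Base64 here) changes representation only; anyone can
    decode it, so it gives neither confidentiality nor integrity."""
    return base64.b64decode(base64.b64encode(data)) == data


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("bare hash caught tampering:", hash_check_catches_tampering())
    print("signature caught tampering:", signature_catches_tampering(key))
    print("base64 round-trips:", encoding_is_reversible(ORIGINAL))
```

The hash check passing on the forged pair is the whole point: integrity against an adversary needs a key the adversary does not have, which is what signing adds on top of hashing.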
Question 4 of 56
Read the following two statements about Conditional Access policies and select whether they are TRUE/FALSE.
Explanation:
The first statement is FALSE. Because admin accounts have broad access to an organization's sensitive data, Microsoft recommends a Conditional Access policy that requires MFA for them.
Even Global Administrators should be covered by a Conditional Access policy that requires MFA.
To avoid locking every administrator out of the tenant through a misconfigured policy, set up emergency access (break-glass) accounts and exclude them from the policy.
Reference Link: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa
The second statement is TRUE. You can create a Conditional Access policy that requires additional authentication (MFA) when a user attempts to access the Azure portal.
To create such a policy, select the cloud app Microsoft Azure Management and assign the policy to your users.
Reference Link: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-azure-management
Note: the Microsoft Azure Management app covers several management surfaces, including the Azure portal, Azure CLI and Azure PowerShell, so such a policy applies to all of them, not only to the portal.
More Details: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#microsoft-azure-management
When a user included in the policy signs in, the policy prompts them to register and complete additional security verification.
So Conditional Access can trigger MFA when a user attempts to access the Azure portal.
Option (i) – FALSE, (ii) – TRUE is the correct answer.
Question 5 of 56
Which of the following steps precedes searching for content in the Core eDiscovery workflow in Microsoft 365?
Explanation:
The Core eDiscovery workflow in Microsoft 365 consists of the following steps, in order:
· Create eDiscovery holds (to preserve content relevant to a case so that it cannot be deleted)
· Search for content (related to an investigation)
· Export and download search results (so that people outside the investigation team can review them)
After you create and open a case in the Microsoft 365 compliance center, these three workflow steps appear as three separate menu items.
So, before searching for content, you create eDiscovery holds. Option Creating eDiscovery holds is the correct answer.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-ediscovery-capabilities-of-microsoft-365/4-describe-core-ediscovery-workflow
The other three options are incorrect because adding custodians to a case, searching custodial data sources, and adding data to a review set are steps in the Advanced eDiscovery workflow.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-ediscovery-capabilities-of-microsoft-365/5-describe-advanced-ediscovery-workflow
Question 6 of 56
This question requires you to select the correct answer from the dropdown.
For SharePoint Online, who is responsible for applying service packs as per the shared responsibility model?
Explanation:
SharePoint Online is a SaaS product hosted and managed by Microsoft (the cloud provider), so Microsoft is responsible for applying hotfixes, service packs and patches. Under the shared responsibility model the customer still remains responsible for its own data, identities and access configuration, whatever the service model.
Source: Microsoft documentation
Option Microsoft is the correct choice.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-security-concepts-methodologies/3-describe-shared-responsibility-model#software-as-a-service-saas
Question 7 of 56
Which of the following is NOT one of the steps in creating a custom trainable classifier?
Explanation:
The four steps in creating a custom trainable classifier are:
· Add seed content (samples from a single category, for example patent documents)
· Create the trainable classifier (prediction model) from the seed content
· Test the model with both positive examples (patent documents) and negative examples (résumés, vendor contracts)
· Manually review the predictions (verify whether each prediction is correct; this feedback improves the model's accuracy)
In a general machine learning project, selecting a learning algorithm is one of the steps. For this classification task, however, you do not choose or need to know the algorithm that runs behind the scenes.
Since it is not one of the steps in creating a custom trainable classifier, the option Choose a model is the correct answer.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-information-protection-governance-capabilities-microsoft-365/3-describe-data-classification-capabilities-compliance-center#trainable-classifiers
Question 8 of 56
Microsoft Information Protection (MIP) provides you the tools to
Explanation:
Microsoft Information Protection provides the tools to know your data, protect your data and prevent data loss; these tools help you classify and safeguard information and avert its loss across the organization.
Microsoft Information Governance, by contrast, provides the tools to govern your data for compliance or regulatory reasons.
Source: Microsoft documentation
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-information-protection-governance-capabilities-microsoft-365/2-know-your-data-protect-your-data-govern-your-data
Question 9 of 56
How is activity explorer helpful to a compliance administrator?
Explanation:
Activity explorer lets administrators review activity related to content that contains sensitive information or has labels applied, including which labels were applied or changed.
It helps administrators judge whether the current policies are effective. For example, an admin might discover that sensitivity labels have been downgraded on several documents.
In that case, the admin can:
1. Require that users justify removing or downgrading a label
2. Provide users with a link to a custom help page that explains the organization's security policies
Option To verify if the established policies/controls are effective is the correct answer.
The other options are not related to activity explorer.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-information-protection-governance-capabilities-microsoft-365/3-describe-data-classification-capabilities-compliance-center#what-is-the-activity-explorer
Question 10 of 56
You create a custom trainable classifier to classify pricing information in your organization. To test the model, you use seed content. Is it the correct approach?
Explanation:
Seeding means supplying carefully selected positive samples from a single category (here, pricing contracts).
Seed content trains the classifier to recognize items in that category (pricing).
Once you have built the prediction model (classifier) from the seed content, you test its accuracy with a mix of positive samples (pricing information) and negative samples (M&A deals, IP documents, patents, etc.). This test content must be different from the seed content: testing on the seed content only confirms that the model recognizes what it was trained on, and, having no negative samples, cannot reveal false positives at all.
So seed content is used to build the prediction model, not to test it. The correct answer choice is No.
Reference Link: https://docs.microsoft.com/en-us/microsoft-365/compliance/classifier-get-started-with?view=o365-worldwide#seed-content https://docs.microsoft.com/en-us/learn/modules/describe-information-protection-governance-capabilities-microsoft-365/3-describe-data-classification-capabilities-compliance-center#trainable-classifiers
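The seed/test separation that questions 7 and 10 turn on is a general property of any classifier, not something specific to Microsoft's service. The following Python example is added here to make that concrete; it is not part of the practice test and does not use Microsoft's classifier or its algorithm. It builds a deliberately simple one-class classifier (Jaccard similarity to the nearest seed document, with an assumed threshold of 0.2) over constructed sample documents, then evaluates it once on the seed content and once on a held-out set that contains both positives and negatives.

```python
import re
from typing import Dict, List, Set, Tuple

# Small stop-word list so that function words do not count as evidence.
STOPWORDS = {"a", "an", "and", "the", "for", "of", "with", "per", "on"}

# Constructed sample documents (not from the page). The seed set holds
# positive samples of one category only, as the trainable-classifier
# workflow requires.
SEED_PRICING: List[str] = [
    "price list for enterprise licence tiers and volume discount schedule",
    "quarterly pricing update unit price per seat discount for renewals",
    "rate card hourly price consulting discount for annual contracts",
    "pricing proposal unit cost margin and discount approval",
]

# Held-out test set: positives AND negatives, none of them in the seed set.
HELDOUT: List[Tuple[str, bool]] = [
    ("updated price per seat and discount tiers for the new licence bundle", True),
    ("pricing sheet with unit price and volume discount for partners", True),
    ("our fee schedule and discount policy for resellers", True),
    ("patent application for a battery management circuit", False),
    ("merger agreement term sheet and due diligence checklist", False),
    ("candidate resume with work history and references", False),
    ("vendor contract renewal notice and service level terms", False),
    ("annual report unit sales volume and cost of revenue", False),
]


def tokens(text: str) -> Set[str]:
    """Lower-case word set with stop-words removed."""
    return {w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOPWORDS}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Set overlap in [0, 1]; 1.0 means identical word sets."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


class SeedClassifier:
    """Toy one-class classifier: a document is 'pricing' if it is similar
    enough to any seed document. The model is deliberately simple; the
    point of the example is the evaluation, not the model."""

    def __init__(self, seed_docs: List[str], threshold: float = 0.2) -> None:
        self.seed = [tokens(d) for d in seed_docs]
        self.threshold = threshold  # assumed value, chosen for this example

    def score(self, text: str) -> float:
        return max(jaccard(tokens(text), s) for s in self.seed)

    def predict(self, text: str) -> bool:
        return self.score(text) >= self.threshold


def evaluate(clf: SeedClassifier, labelled: List[Tuple[str, bool]]) -> Dict[str, float]:
    """Accuracy, precision and recall over a labelled document set."""
    tp = fp = tn = fn = 0
    for text, is_pricing in labelled:
        pred = clf.predict(text)
        if pred and is_pricing:
            tp += 1
        elif pred:
            fp += 1
        elif is_pricing:
            fn += 1
        else:
            tn += 1
    total = tp + fp + tn + fn
    return {
        "accuracy": (tp + tn) / total,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "false_positives": fp,
        "false_negatives": fn,
    }


CLF = SeedClassifier(SEED_PRICING)


def accuracy_on_seed(clf: SeedClassifier = CLF) -> float:
    """The mistake from question 10: testing with the seed content. Every
    seed document matches itself exactly, so this always reports 1.0 and,
    having no negatives, cannot reveal false positives at all."""
    return evaluate(clf, [(d, True) for d in SEED_PRICING])["accuracy"]


def results_on_heldout(clf: SeedClassifier = CLF) -> Dict[str, float]:
    """The correct approach: separate positives and negatives. This exposes
    the false negative (the 'fee schedule' document) that the seed-only
    test hides."""
    return evaluate(clf, HELDOUT)


if __name__ == "__main__":
    print("accuracy on seed content:", accuracy_on_seed())
    print("held-out results:", results_on_heldout())
```

On the seed content the classifier scores a perfect 1.0, which says nothing about how it behaves on documents it has not seen; the held-out set shows a recall of two thirds, which is the number you would act on during the manual-review step.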
Question 11 of 56
This question requires that you evaluate the italic text to determine if it is correct.
Azure Bastion is an IaaS service offered by Microsoft Azure.
Please review the italic text. If it makes the statement correct, select ‘No change is needed.’ If the statement is incorrect, select the answer choice that makes the statement correct.
Explanation:
Whether a service is IaaS, PaaS or SaaS depends on how much responsibility you keep for the service. For example, see the comparison (image not reproduced here).
Azure Bastion is NOT IaaS because you do not manage the underlying OS or network configuration such as DNS. The given statement in the question is incorrect.
Azure Bastion is a fully managed PaaS service. Here is the explanation:
· Before Azure Bastion's release, customers typically connected over RDP or SSH to a jump server deployed in an Azure VNet and from there to their target Azure VMs, so that the target VMs did not need public IP addresses.
· You were expected to manage, monitor, patch, harden and secure that jump box yourself.
· Microsoft now offers that capability as a PaaS service called Azure Bastion. Microsoft hardens the Bastion service and keeps it up to date to protect your VMs from zero-day exploits.
Option PaaS is the correct answer.
Which of the following labels would you use to mark content as a record?
Correct
You can use retention labels to:
· Create a standard retention label (under the Information governance section)
· Create a label that marks content as a record or a regulatory record (under the Records management section).
Retention labels are therefore the labels used to mark content as records. Option Retention labels is the correct answer.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-information-protection-governance-capabilities-microsoft-365/7-describe-records-management
Option Record labels is incorrect: there is no such label type in the Microsoft 365 compliance center.
Option Sensitivity labels is incorrect because sensitivity labels protect sensitive content (encryption, content marking, access restrictions) as it moves within and outside the organization. They do not manage records.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-information-protection-governance-capabilities-microsoft-365/4-describe-sensitivity-labels-policies
Option AIP (Azure Information Protection) labels is incorrect. AIP labels are the classic equivalent of sensitivity labels (they protect data in Azure and in on-premises environments); since the unified labeling experience was announced, they are managed as sensitivity labels in the Office 365 Security & Compliance center, and they still have no records-management function.
Reference Link: https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection
Question 13 of 56
13. Question
Which of the following statements are TRUE concerning sensitivity labels and retention labels?
Correct
Sensitivity labels define protection settings and retention labels define retention settings. To put either into use, you publish them with a label policy (a sensitivity label policy or a retention label policy respectively).
The two kinds of policy are scoped differently. Sensitivity label policies are published to users and groups, who then see the labels in their Office apps.
Retention label policies are published to locations in Microsoft 365, such as Exchange mailboxes, SharePoint sites, OneDrive accounts and Microsoft 365 groups.
Note: You create and publish retention labels in the Information governance section.
Option "Retention labels are published to locations such as SharePoint & OneDrive, sensitivity labels are published to users/groups" is the correct answer.
Reference Link: https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide#what-label-policies-can-do
Question 14 of 56
14. Question
Can you create conditional access policies based on Android devices?
Correct
Yes. You can create conditional access policies based on device platform, such as Android, iOS, Windows and macOS.
Device platform is only one of the available conditions. Conditional access policies can also be based on:
· Device state,
· Locations (named locations, trusted IP ranges, countries),
· Client apps used to sign in,
· Risk profile of the user and of the sign-in (requires Azure AD Identity Protection)
Reference Link: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-conditions#device-platforms
Question 15 of 56
15. Question
Where can you enable Privileged access management?
Correct
You enable Privileged access management in the Microsoft 365 admin center (https://admin.microsoft.com/), under Settings > Org settings > Security & privacy > Privileged access.
Option Microsoft 365 admin center is the correct answer.
Reference Link: https://docs.microsoft.com/en-us/microsoft-365/compliance/privileged-access-management-configuration?view=o365-worldwide
Office 365 Security & Compliance (https://protection.office.com/) is, as the name indicates, the portal for dedicated security and compliance tasks; the feature is not enabled there. This option is incorrect.
Microsoft later split the Office 365 Security & Compliance center into two specialized portals:
· Microsoft 365 compliance center (https://compliance.microsoft.com/)
· Microsoft 365 security center (https://security.microsoft.com/)
Options Microsoft 365 Compliance center and Microsoft 365 security center are incorrect too.
Reference Link: https://techcommunity.microsoft.com/t5/security-compliance-identity/introducing-the-new-microsoft-365-security-center-and-microsoft/ba-p/326959
Question 16 of 56
16. Question
Can you use Azure AD conditional access policies with Intune to enforce your organization’s device compliance policies?
Correct
Yes. You can integrate Intune with Azure AD conditional access policies to enforce your organization's device compliance policies.
Intune evaluates each enrolled device against your compliance policies and reports the result (compliant or not compliant) to Azure AD. A conditional access policy that requires a compliant device then blocks a non-compliant device from your organization's resources (for example, email) until the device is remediated.
You turn on this integration in the Microsoft Endpoint Manager admin center (Endpoint security > Conditional access).
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-endpoint-security-with-microsoft-intune/3-intune#configure-conditional-access
Note: You can access the Microsoft Endpoint Manager admin center at endpoint.microsoft.com
Question 17 of 56
17. Question
A global investment bank wants to restrict collaboration (for example, sharing files from OneDrive) between their Asset management division and Corporate Advisory group.
Which of the following solutions in Microsoft 365 will help?
Correct
Information barriers restrict communication and collaboration between groups within an organization. Microsoft Teams, SharePoint Online and OneDrive for Business support information barriers.
Since the Asset Management division and the Corporate Advisory group are separate divisions within the same organization, option Information barriers is the correct choice.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-insider-risk-capabilities-microsoft-365/4-describe-information-barriers
Privileged access management gives users within an organization just-in-time, approval-based access to privileged admin tasks in Microsoft 365; it does not restrict collaboration between departments.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-insider-risk-capabilities-microsoft-365/5-describe-privileged-access-management
Customer Lockbox controls Microsoft's (the cloud provider's) access to your organization's content in Microsoft 365: a Microsoft engineer must request access and you must approve it. It concerns Microsoft and the organization, not two departments.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-insider-risk-capabilities-microsoft-365/6-describe-customer-lockbox
So:
· Privileged access management (for users within an organization)
· Customer Lockbox (between Microsoft and the organization)
· Information barriers (between an organization's departments)
Insider risk management detects and helps minimize internal risks (for example, data leaks by departing employees); it doesn't restrict collaboration between an organization's departments.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-insider-risk-capabilities-microsoft-365/2-management-solution
Question 18 of 56
18. Question
This question is part of a series of questions that present the same scenario. Each question in the series tests your knowledge about a unique scenario.
You use Azure Bastion service for seamless RDP connectivity to your Windows Server VMs on Azure.
Statement: You use RDP protocol (placeholder ?) to connect to Azure Bastion from the Azure portal.
Is the statement correct?
Correct
The given statement is incorrect. From the Azure portal you connect to Azure Bastion over TLS (HTTPS, port 443) in the browser; Bastion then opens the RDP session to the target VM over its private IP. RDP is used only on the Bastion-to-VM leg inside the virtual network.
This question is part of a series of questions that present the same scenario. Each question in the series tests your knowledge about a unique scenario.
You use Azure Bastion service for seamless RDP connectivity to your Windows Server VMs on Azure.
Do you still need to open the RDP port (3389) on the target VMs with Azure Bastion?
Correct
Azure Bastion uses the same RDP protocol as the traditional model to reach the target VMs, so yes: the target VM must still accept inbound RDP on port 3389, and its NSG must allow that port from the AzureBastionSubnet.
The value-add of Azure Bastion is that the RDP port of the target VMs is never exposed outside the virtual network: the VMs keep private IPs only, and the only public endpoint is Bastion's own HTTPS (443) listener.
This question is part of a series of questions that present the same scenario. Each question in the series tests your knowledge about a unique scenario.
You use Azure Bastion service for seamless RDP connectivity to your Windows Server VMs on Azure.
Review the additional information given in the question about the Bastion subnet's IP address range (AzureBastionSubnet, 192.168.0.0/27) and Bastion's public IP (20.85.129.165).
Requirement: Allow RDP access to the target VMs only from the Bastion host, not from anywhere on the Virtual Network.
Solution: You add two inbound security rules on the target VM/subnet's NSG, the first of which (priority 1000) allows RDP with Bastion's public IP address as the source.
Will the above two security rules satisfy the requirement?
Correct
Azure Bastion's public IP address is 20.85.129.165, but Bastion reaches the target VM over the VNet using a private IP from the AzureBastionSubnet, not its public IP. So using Bastion's public IP address as the source in the NSG security rule (priority 1000) is incorrect: that rule never matches Bastion's RDP traffic, which falls through to the remaining rules.
To satisfy the requirement, use the AzureBastionSubnet IP address range 192.168.0.0/27 as the source in the security rule (priority 1000).
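To make the NSG reasoning concrete, here is an added example (not code from the original page or from Microsoft) that models how an NSG evaluates inbound rules: from the lowest priority number upwards, first match wins, with the default AllowVnetInBound (65000) and DenyAllInBound (65500) rules at the end. The AzureBastionSubnet range and Bastion's public IP come from the question; the VNet address space, the Bastion and VM private IPs, and the second (Deny) rule are my assumptions, and the VirtualNetwork service tag is reduced to this VNet's own address space.

```python
"""Inbound NSG rule evaluation for the Bastion scenario (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# From the question: the AzureBastionSubnet range and Bastion's public IP.
BASTION_SUBNET = ipaddress.ip_network("192.168.0.0/27")
BASTION_PUBLIC_IP = "20.85.129.165"
# Constructed for the example (assumptions).
VNET_SPACE = ipaddress.ip_network("192.168.0.0/16")
BASTION_PRIVATE_IP = "192.168.0.5"   # a Bastion NIC inside AzureBastionSubnet
OTHER_VM_IP = "192.168.2.10"         # another workload on the same VNet


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    access: str               # "Allow" or "Deny"
    source: str               # CIDR / single IP, "VirtualNetwork" tag, or "*"
    dest_port: Optional[int]  # None means any port


def source_matches(rule_source: str, src_ip: str) -> bool:
    """Does the packet's source address fall inside the rule's source?"""
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        net = VNET_SPACE  # assumption: the tag == this VNet's address space
    else:
        net = ipaddress.ip_network(rule_source, strict=False)
    return ipaddress.ip_address(src_ip) in net


def evaluate(rules, src_ip: str, dest_port: int):
    """Return (access, rule_name) of the first matching rule, walking the
    custom rules and the NSG default rules together in priority order."""
    defaults = [
        Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", None),
        Rule("DenyAllInBound", 65500, "Deny", "*", None),
    ]
    for r in sorted(list(rules) + defaults, key=lambda r: r.priority):
        port_ok = r.dest_port is None or r.dest_port == dest_port
        if port_ok and source_matches(r.source, src_ip):
            return r.access, r.name
    raise AssertionError("DenyAllInBound matches everything")  # unreachable


# Rule set as proposed in the question: Bastion's PUBLIC IP as the source.
PROPOSED = [
    Rule("AllowRdpFromBastion", 1000, "Allow", BASTION_PUBLIC_IP + "/32", 3389),
    Rule("DenyRdpFromVnet", 1100, "Deny", "VirtualNetwork", 3389),  # assumed 2nd rule
]

# Corrected rule set: the AzureBastionSubnet range as the source.
CORRECTED = [
    Rule("AllowRdpFromBastion", 1000, "Allow", str(BASTION_SUBNET), 3389),
    Rule("DenyRdpFromVnet", 1100, "Deny", "VirtualNetwork", 3389),
]


def rdp_allowed(rules, src_ip: str) -> bool:
    """Convenience check: is RDP (3389) from src_ip allowed by this rule set?"""
    return evaluate(rules, src_ip, 3389)[0] == "Allow"


if __name__ == "__main__":
    for label, rules in (("proposed", PROPOSED), ("corrected", CORRECTED)):
        for who, ip in (("Bastion", BASTION_PRIVATE_IP), ("other VM", OTHER_VM_IP)):
            print(f"{label:9s} RDP from {who:8s} {ip:13s} -> {evaluate(rules, ip, 3389)}")
```

Run it and the proposed rule set denies Bastion's own session (its private source address never matches the public-IP rule and falls through to the Deny), while the corrected set allows Bastion and still denies RDP from any other VNet host. The proposed rule only ever matches traffic from 20.85.129.165, an address Bastion never uses on the VNet side.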
This question is part of a series of questions that present the same scenario. Each question in the series tests your knowledge about a unique scenario.
You use Azure Bastion service for seamless RDP connectivity to your Windows Server VMs on Azure.
To allow RDP connectivity via Azure Bastion, do you need to install an Azure Windows Agent?
Correct
No. You don't need to install any agent or client software in your browser or on the Azure VM. Azure Bastion is agentless: it uses the VM's native RDP (Windows) or SSH (Linux) service, so nothing beyond the existing listener is required on the target.
Your team has assigned the Azure Policy ‘Allowed virtual machine size SKUs’ at a subscription scope to allow only the use of B-series VMs. The subscription Owner tries to resize and upgrade them to a D-series family of VMs.
Does the Azure Policy allow his action?
Correct
No. Although the Owner has full access to all Azure resources under RBAC, Azure Policy still blocks the action. Azure Policy evaluates the requested resource state against the assigned definitions on every create or update and denies non-compliant requests regardless of who makes them; it also continuously reports the compliance state of existing resources.
In a test of this scenario, a policy allowing only B-series VM sizes was assigned at the subscription scope; when the subscription Owner tried to resize a VM to a D-series size, Azure Policy rejected the request with a policy violation error.
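To show why the caller's role does not matter, here is an added example (not code from the original page and not Microsoft's policy engine) that evaluates a definition shaped like the built-in 'Allowed virtual machine size SKUs' rule against a VM resize request. The rule shape (allOf / field / equals / in / not and the "[parameters('...')]" reference) follows the built-in definition; the alias mapping to properties.hardwareProfile.vmSize, the parameter values and the request bodies are my assumptions, and only the operators this definition uses are implemented.

```python
"""Simplified Azure Policy evaluator for 'Allowed virtual machine size SKUs'
(added example)."""
import re
from typing import Optional

ALLOWED_VM_SKUS = {
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                         "in": "[parameters('listOfAllowedSKUs')]"}},
            ]
        },
        "then": {"effect": "Deny"},
    }
}

# Alias -> JSON path in the request body (assumption for this example).
ALIASES = {
    "Microsoft.Compute/virtualMachines/sku.name": ("properties", "hardwareProfile", "vmSize"),
}


def _resolve(value, params):
    """Substitute "[parameters('name')]" with the assignment's parameter value."""
    if isinstance(value, str):
        m = re.fullmatch(r"\[parameters\('([^']+)'\)\]", value)
        if m:
            return params[m.group(1)]
    return value


def _field(resource, name):
    """Read a field or alias from the request body; None if it is absent."""
    if name == "type":
        return resource.get("type")
    node = resource
    for key in ALIASES[name]:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _matches(cond, resource, params) -> bool:
    """Recursive condition evaluation for the operators the rule uses."""
    if "allOf" in cond:
        return all(_matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not _matches(cond["not"], resource, params)
    value = _field(resource, cond["field"])
    # Azure Policy string comparisons are case-insensitive.
    if "equals" in cond:
        expected = _resolve(cond["equals"], params)
        return value is not None and value.lower() == expected.lower()
    if "in" in cond:
        allowed = {s.lower() for s in _resolve(cond["in"], params)}
        return value is not None and value.lower() in allowed
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(definition, params, request, caller_role: str = "Owner") -> Optional[str]:
    """Return the effect ("Deny") when the request matches the rule, or None
    when policy has nothing to say. caller_role is accepted but deliberately
    ignored: policy judges the resource state, not the identity or RBAC role."""
    rule = definition["policyRule"]
    if _matches(rule["if"], request, params):
        return rule["then"]["effect"]
    return None


# Assignment parameters: only B-series sizes are allowed (assumed list).
ASSIGNMENT_PARAMS = {"listOfAllowedSKUs": ["Standard_B1s", "Standard_B2s", "Standard_B2ms"]}


def vm_request(size: str) -> dict:
    """Constructed PUT body for a VM resize (only the fields policy reads)."""
    return {"type": "Microsoft.Compute/virtualMachines",
            "properties": {"hardwareProfile": {"vmSize": size}}}


if __name__ == "__main__":
    for size in ("Standard_B2s", "Standard_D2s_v3"):
        effect = evaluate(ALLOWED_VM_SKUS, ASSIGNMENT_PARAMS, vm_request(size), "Owner")
        print(f"{size}: {effect or 'no effect, request proceeds'}")
```

The resize to a D-series size is denied whether caller_role is "Owner" or anything else, a B-series size passes, and a resource of another type is not touched by the rule at all, which is the behaviour the answer above describes.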
As part of your work, you need to view a snapshot of your organization’s scanned classified documents in locations like SharePoint & OneDrive. Your admin added you only to the Content Explorer Content Viewer role group.
Can you access the sensitive information?
Correct
You can view your organization's sensitive information in the Content explorer tab under the Data classification section of the compliance center.
Because content explorer exposes the classified content itself, access is tightly restricted: even a Global administrator cannot view the sensitive content by default. To view it, you need to be a member of both of the following role groups:
· Content Explorer List Viewer (can only see that an item exists and where it is located, not its contents)
· Content Explorer Content Viewer (can view the sensitive information in plain text)
If you are a member of neither role group, or only of Content Explorer Content Viewer (the situation in this question), content explorer denies access and you cannot even navigate the document hierarchy. So the answer is No.
If you are a member of Content Explorer List Viewer but not Content Explorer Content Viewer, you can navigate the document hierarchy (thanks to List Viewer) but cannot open the content.
Only when you are in both role groups can you open the item and see, for example, a detected credit card number in plain text.
Additional info: You add users to the two role groups under Permissions in the Office 365 Security & Compliance portal.
Do Microsoft service engineers have standing access to your organization’s content on Exchange Online?
Correct
'Standing access' means having privileges by default, without requesting them for a specific task.
The correct answer is No. Microsoft service engineers do not have standing access to customer data in any location such as Exchange Online, SharePoint Online or OneDrive for Business.
Customer Lockbox ensures that Microsoft cannot access your content to perform a service operation without your explicit approval.
When troubleshooting requires it, a service engineer creates a data access request; with Customer Lockbox enabled, an approver in your organization must accept the request before access is granted, and the access is time-limited.
Data access requests from Microsoft appear on the Customer Lockbox requests page of the Microsoft 365 admin center.
Which of the following tools helps you know about your organization’s data?
Correct
The option Sensitivity labels is incorrect because sensitivity labels protect content and sites through encryption, content marking, etc.
Reference Link: https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide#what-sensitivity-labels-can-do
The option Retention label is incorrect because retention labels manage information by ensuring that content is kept only for the required duration. Retention labels govern the data.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-information-protection-governance-capabilities-microsoft-365/6-describe-retention-polices-retention-labels
The option Records management is also incorrect because records management manages content as records or regulatory records (it places additional restrictions on data to demonstrate compliance with regulations). It also governs the data.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-information-protection-governance-capabilities-microsoft-365/7-describe-records-management
Trainable classifiers use AI and machine learning to classify and label your organization’s data. Since they help you know your organization’s data, the option Trainable classifier is the correct answer.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-information-protection-governance-capabilities-microsoft-365/3-describe-data-classification-capabilities-compliance-center#trainable-classifiers
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-information-protection-governance-capabilities-microsoft-365/2-know-your-data-protect-your-data-govern-your-data
Question 26 of 56
26. Question
Which of the following is an example of a custom sensitive information type in Microsoft Compliance center?
Correct
Microsoft 365 includes many built-in sensitive information types based on patterns defined by regular expressions. These patterns are not specific to an organization or entity and are typically well known:
· Passport Number
· Driver’s License Number
· Bank’s SWIFT code
All three of these options are incorrect.
When the built-in sensitive information types do not meet your business requirements, you can create a custom sensitive information type (specific to your business), for example:
· Partner ID
· Vendor ID
· Organization’s cost center numbers
· Employee ID
The option Your organization’s Partner ID is the correct answer, as there is no universally accepted way of defining partners; every organization has its own pattern for identifying a partner.
You may argue that a driver’s license number is not universal either (it differs in each country). That is right, which is why Microsoft has defined a separate sensitive information type for the driver’s license number (or any other national ID) for each country.
In Microsoft 365 compliance, under the data classification tab, content explorer shows a current snapshot of documents in your organization. Which of the following classification of items is NOT one of them?
Correct
Content explorer shows a current snapshot of items that are either classified as a sensitive information type or have a sensitivity label or a retention label applied, across Exchange, SharePoint, and OneDrive locations.
Note: When I took the screenshot, I had not created a retention label yet; otherwise, retention labels would appear too.
Reference Link: https://docs.microsoft.com/en-us/microsoft-365/compliance/data-classification-content-explorer?view=o365-worldwide#content-explorer
The option Regulatory records is the correct answer, as regulatory records do not appear in content explorer. We use retention labels to mark content as a regulatory record.
Reference Link: https://docs.microsoft.com/en-us/microsoft-365/compliance/records-management?view=o365-worldwide#records
Question 28 of 56
28. Question
Your organization allows your employees to use their personal devices to access organizational apps. Which of the following options would you use to onboard the devices in Azure AD?
Correct
This is a typical BYOD (Bring Your Own Device) scenario.
Here, employees bring their personal devices, such as laptops (Windows 10) or smartphones (iOS), to the workplace. They sign in to the device with a personal Microsoft account, but they access organizational resources with an Azure AD account.
Such devices are registered with Azure AD, not joined to Azure AD. The option Azure AD registered devices is the correct choice.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/explore-basic-services-identity-types/4-describe-identity-types#device
Azure AD joined devices and hybrid Azure AD joined devices are owned by the organization, not by employees. Both of these options are incorrect.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/explore-basic-services-identity-types/4-describe-identity-types#device
Intune integrates closely with Azure AD. You can use Intune with Azure AD joined, Azure AD registered, or hybrid Azure AD joined devices to control access to your resources.
For example, you can require (with an Azure AD Conditional Access policy) that mobile devices be compliant with organizational standards (defined in Intune) before they are allowed access to resources like SharePoint.
Reference Link: https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-register#scenarios
Only Azure AD join, Azure AD registration, or hybrid Azure AD join can onboard a device in Azure AD. Once a device is in Azure AD, you use MDM tools like Intune to manage it.
The option Intune is incorrect.
Question 29 of 56
29. Question
In which of the following scopes does Microsoft Cloud App Security (MCAS) address security gaps in an organization’s use of cloud services?
a. SaaS
b. IaaS
c. PaaS
Correct
Microsoft Cloud App Security addresses security gaps in an organization’s use of cloud services across SaaS, PaaS, and IaaS. So, option All a, b, and c is the correct answer.
Just 10% of the users in your organization use personal iOS devices. Can you protect them with Microsoft Defender for Endpoint?
Correct
Yes. With Microsoft Defender for Endpoint you can protect not only iOS but also Android, Windows 10, Windows Server, Linux, and macOS devices.
Reference Link: Microsoft Defender for Endpoint on iOS | Microsoft Docs
Question 31 of 56
31. Question
Which of the following implements Azure Security Benchmark’s security recommendations on an individual Azure service?
Correct
A security control is a high-level description of a feature or activity; it is not specific to a technology or implementation. For example, the Network Security control covers protecting virtual networks and preventing external attacks.
The option Security control is incorrect.
Reference Link: https://docs.microsoft.com/en-us/security/benchmark/azure/overview
A security benchmark contains security recommendations grouped by security control. The recommendations target a specific technology.
For example, a recommendation could be that you implement security for Azure virtual network traffic with NSG rules and Azure Firewall.
The option Security benchmark is incorrect.
Reference Link: https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic (NS-1: Implement security for internal traffic is a security recommendation)
A security baseline is the implementation of the benchmark recommendations on an individual Azure service, so the option Security baseline is the correct answer.
For example, the Microsoft documentation contains security baselines for the different Azure services.
Can you use SSPR (self-service password reset) with Microsoft authenticator?
Correct
Yes. Although you don’t see an explicit option for enabling Microsoft Authenticator in SSPR, the mobile app code and mobile app notification methods refer to the Authenticator app.
First, your admin enables any of the mobile app authentication methods for SSPR.
Then, when you navigate to https://aka.ms/mfasetup to set up your account for SSPR/MFA, you see the option to use Microsoft Authenticator.
The option Yes is the correct answer.
Reference Link: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks#mobile-app-and-sspr
Note: For this scenario, I enabled the combined registration experience for both MFA and SSPR in Azure AD. This allows me to register authentication methods just once and get the benefits of both MFA and SSPR. More details at the link below.
Reference Link: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-registration-mfa-sspr-combined
Question 33 of 56
33. Question
In which of the following scenarios are Azure Active Directory security defaults recommended to use?
Correct
Security defaults are preconfigured security settings, managed by Microsoft, that keep your identities safe until you are ready to manage identity security yourself.
They are best suited to small and midsize organizations that aren’t ready to manage complex security requirements. So, the option Organizations that do not know how to approach security is the correct answer.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/explore-authentication-capabilities/2-describe-different-authentication-methods#security-defaults-and-multifactor-authentication
The option Organizations with Azure AD Premium licenses is incorrect, as security defaults come with the free Azure AD tier. Azure AD Premium customers should instead implement Conditional Access.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/explore-authentication-capabilities/2-describe-different-authentication-methods#security-defaults-and-multifactor-authentication
Security defaults and Conditional Access are similar in what they do; for example, both can require multi-factor authentication. But with Conditional Access, you can implement more granular and advanced controls around MFA. For example, with Conditional Access you can:
· Require MFA only when specific signals warrant it
· Exclude specific users
· Allow access only to compliant devices
Generally, enterprise organizations have these advanced security requirements and would do well with Conditional Access.
The option Organizations with complex security requirements is incorrect because such organizations would use Conditional Access, not security defaults.
Reference Link: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults#conditional-access
The option Organizations using Conditional Access policies is incorrect because security defaults are a precursor to Conditional Access.
Organizations should first take advantage of the out-of-the-box settings provided by security defaults. As their security requirements become more complex, they can manage their own identity security with Conditional Access.
Moreover, Conditional Access and security defaults are mutually exclusive: if you have security defaults enabled, you cannot create a Conditional Access policy, and vice versa.
This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
To maximize user productivity, you need to onboard and manage domain-joined, down-level devices like Windows 7 and 8.1 to Azure AD.
Solution: You use Azure AD registered devices
Does the solution meet the goal?
Correct
A down-level device is a device running an older Windows version.
The solution does NOT meet the goal, because you use hybrid Azure AD joined devices to onboard Active Directory domain-joined, down-level devices like Windows 7 and 8.1 to Azure AD.
If your organization already has an on-premises footprint, you can onboard such devices to Azure AD as hybrid Azure AD joined devices to get benefits like SSO to both cloud and on-premises apps.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/explore-basic-services-identity-types/4-describe-identity-types#device
Azure AD registered devices support the BYOD scenario, where users bring their own devices and sign in with a personal Microsoft account. This option typically supports devices that run Android, macOS, iOS, Windows 10, etc.
This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
To maximize user productivity, you need to onboard and manage domain-joined, down-level devices like Windows 7 and 8.1 to Azure AD.
Solution: You use Azure AD joined devices
Does the solution meet the goal?
Correct
A down-level device is a device using an older Windows version.
Azure AD join for Windows 7 or 8.1 machines is not supported.
Reference Link: Windows 7 Azure AD login
And, Azure AD joined devices exist only in the cloud. The scenario in the question alludes to a solution that joins devices to both on-premises Active Directory and Azure AD (hybrid Azure AD joined devices).
Quick Preview:
This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
To maximize user productivity, you need to onboard and manage domain-joined, down-level devices like Windows 7 and 8.1 to Azure AD.
Solution: You use hybrid Azure AD joined devices
Does the solution meet the goal?
Correct
The given statement meets the goal.
Use hybrid Azure AD joined devices to onboard Active Directory domain-joined, down-level devices like Windows 7 and 8.1 to Azure AD.
Since the devices are already domain-joined to on-premises Active Directory, to get the benefits like SSO to both cloud and on-premises apps, you can onboard them to Azure AD with hybrid Azure AD joined devices.
These devices are owned by the organization and signed in with an Active Directory Domain Service account.
Quick Preview:
Where can you manage your organization’s devices with Microsoft Intune?
Correct
Microsoft has combined the following two products into Microsoft Endpoint Manager:
· System Center Configuration Manager (SCCM) (for managing desktop devices)
· Intune (for managing mobile devices)
Reference Link: Microsoft combines Intune with ConfigMgr | Computerworld
So, in the Microsoft Endpoint Manager admin center, you can manage all devices with Intune. Microsoft Endpoint Manager admin center is the correct answer.
In the admin center, go to Endpoint security -> All devices. Here you’ll see all your devices registered in Azure AD.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-endpoint-security-with-microsoft-intune/3-intune#role-based-access-control-with-microsoft-intune
In Microsoft 365 admin center, you can manage users/licenses/passwords, etc. but not devices. Option Microsoft 365 admin center is incorrect.
In Microsoft 365 security center, you monitor and respond to security threats. It is incorrect too.
There is nothing like the Intune admin center. Option Intune admin center is incorrect.
Reference Link: https://docs.microsoft.com/en-us/microsoft-365/security/defender/portals?view=o365-worldwide
Question 38 of 56
38. Question
In Microsoft 365 Defender, you can proactively find threats across devices, emails, apps, and identities with hunting.
Is the statement correct?
Correct
This is a slightly tricky question.
Hunting and Advanced hunting are two features with similar capabilities in Azure Sentinel and Microsoft 365 Defender respectively.
In Azure Sentinel, Hunting proactively hunts for threats across your organization’s data sources.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-security-capabilities-of-azure-sentinel/3-describe-sentinel-provide-integrated-threat-protection#hunting
In Microsoft 365 Defender, Advanced hunting (not Hunting) proactively searches for malware and suspicious files across your devices, emails, and cloud apps.
So, the correct answer is No.
Reference Link: https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
Question 39 of 56
39. Question
Which of the following resources does Azure DDoS Protection Standard protect?
Correct
Azure DDoS Protection is offered in two flavors:
· Azure DDoS Protection Basic (Free)
· Azure DDoS Protection Standard (Pay-as-you-use)
Reference Link: https://docs.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview
Azure DDoS Protection Standard protects your virtual network resources. Just create a DDoS protection plan, and add your Virtual Network to the plan.
Option Virtual Network resources is the correct answer. All other options are incorrect.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-basic-security-capabilities-azure/3-describe-azure-ddos-protection#what-is-azure-ddos-protection
Once a Virtual Network is added to the DDoS plan, DDoS Protection Standard protects all resources deployed in the Virtual Network that have a public IP (since the attack originates from outside Azure, resources with only private IPs do not need DDoS Protection).
For example, I deployed an Azure Firewall in the VNet. The service detects the Firewall resource automatically (see the below image). In addition to the firewall, you can also protect other VNet resources like Application Gateway, VMs, Bastion, VMSS, etc. (seen as headings in the below image)
Question 40 of 56
40. Question
Where can you track the protection status of your organization’s identities, devices, and data in the Microsoft 365 Security Center?
Correct
The reports section in Microsoft 365 Security Center displays cards covering different areas like identities, data, and devices.
Option Reports is the correct answer.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-security-management-capabilities-of-microsoft-365/4-explore-security-reports-dashboards
In the Incidents section, you will find all the domains (users, mailboxes, and devices) that were affected by an alert. Option Incidents is an incorrect choice.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-security-management-capabilities-of-microsoft-365/5-describe-incidents-capabilities
In the Action center, you will approve or reject pending remediation actions. It is an incorrect choice.
Where can you enable Azure Defender in the Azure portal?
Correct
Microsoft offers a layered approach to security.
· A base layer – Only Azure Security Center (free, basic level of protection)
· An advanced layer – Azure Security Center with Azure Defender (paid, advanced protection with features like just-in-time access, adaptive application controls, vulnerability assessment, etc.)
Reference Link: https://techcommunity.microsoft.com/t5/itops-talk-blog/what-s-the-difference-between-azure-security-center-azure/ba-p/2155188
You access Azure Defender from Azure Security Center. You get the below screen only after upgrading.
Security Center is the correct choice.
Question 42 of 56
42. Question
Which of the following is an example of encryption at rest?
Correct
Encryption at rest encrypts data stored at a single location.
Data in an Azure Virtual Machine’s disk is stored in a single location. Encrypting a disk is an example of encryption at rest. Other examples include encrypting data on your hard drive/laptop/flash drive.
Option Encrypting an Azure VM’s disk is the correct choice.
Reference Link: https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest#encryption-at-rest-for-iaas-customers
Encryption in transit encrypts data that’s actively moving from one location to another.
For RDP sessions, data travels from a client to a remote machine. Option Sign into an Azure VM by using RDP is incorrect.
Reference Link: https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-overview#rdp-sessions
For VPN connections, your mobile workforce connects to your corporate resources from home. Option Using VPN to access your corporate resources is incorrect.
Reference Link: https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-overview#azure-vpn-encryption
For HTTPS access to cloud services, data travels between cloud customers and data centers.
Option Using HTTPS to access cloud services is incorrect.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-security-concepts-methodologies/6-describe-ways-encryption-hashing-signing-secure-data (general, for all scenarios)
Question 43 of 56
43. Question
Can you implement Conditional Access policies to grant access only to the hybrid Azure AD joined devices?
Correct
A hybrid Azure AD joined machine is joined to both on-premises Active Directory and Azure AD.
Yes. You can create Conditional Access policies to grant access only to the hybrid Azure AD joined devices.
Note: As I create this question, ‘Device state’ is in preview and should not be tested in the exam. But no harm in learning.
Reference Link: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-conditions#device-state-preview
Question 44 of 56
44. Question
Your organization has developed a Single-page application for your employees. When you register the app with the Microsoft identity platform, a managed identity is automatically created.
Is the last statement TRUE?
Correct
When you register your app under ‘App registrations’ in Azure AD, two objects are created:
· An application object (template/definition of your app); similar to a class in Java/C#
· A service principal object (instance of your app); similar to an object in Java/C#
Reference Link: https://docs.microsoft.com/en-us/answers/questions/270680/app-registration-vs-enterprise-applications.html
You can find the application object (with application ID) within the ‘App registrations’ section itself.
And the instance of the app (the service principal with an object ID) in the ‘Enterprise applications’ section.
So, the given statement is incorrect. When you register an app, a service principal is automatically created, not a managed identity.
The correct answer choice is No.
Reference Link: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#app-registration-app-objects-and-service-principals (Refer to the paragraph with the title ‘App registration, app objects, and service principals’)
Note: The purpose and the reason why two objects are created in two different places is beyond the scope of this question/exam.
But, if you are inquisitive, John Savill has an awesome video on this topic: https://www.youtube.com/watch?v=WVNvoiA_ktw
And this MS docs link: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added
Question 45 of 56
45. Question
Which of the following defense in depth layer implements the Availability concern of the CIA principle?
Correct
CIA stands for Confidentiality, Integrity, and Availability. They represent security trade-offs in keeping your systems secure.
Defense in depth is a layered approach to security. Each of the defense in depth layers implements one or more of the CIA concerns.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/azure-well-architected-security/2-defense-in-depth#defense-in-depth-a-layered-approach-to-security
The Perimeter layer implements the Availability concern of the CIA principle. By providing DDoS protection, it ensures that the services are available to users. Option Perimeter is the correct answer.
The Physical security layer implements the Confidentiality principle because it grants access only to authorized personnel. Option Physical security is incorrect.
The Identity & Access layer implements the Integrity principle because it grants access only after verifying that the user is who they claim to be. Option Identity & access is incorrect too.
The Data layer implements the Integrity principle because data encryption at rest/in transit prevents unauthorized changes to the information. Option Data is an incorrect choice.
Question 46 of 56
46. Question
Which of the following determines the level of access within an application?
Correct
All four options are the fundamental pillars of identity.
Authentication is the process of verifying that the user is who they say they are. The system requires legitimate credentials before providing access. Azure AD technologies that implement Authentication include MFA, Windows Hello, etc. Authentication does not control access to specific parts of an app.
Authentication is an incorrect choice.
Azure AD handles the authorization of access to secured resources through Role-based access control (RBAC). With RBAC, you assign permissions to a user or group. These permissions define what they can and cannot do, i.e. they determine the level of access.
In the below image, the Reader role has permissions only to read the Azure AD Metrics definition; it cannot create, update, or delete Metrics Definitions.
Authorization is the correct choice.
Although Administration and Auditing are also two of the four pillars of identity, they do not determine access. Both are incorrect choices.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-identity-principles-concepts/3-define-identity-primary-security-perimeter
Question 47 of 56
47. Question
This question is part of a series of questions that present the same scenario. Each question in the series tests your knowledge on how the Microsoft Cloud App Security (MCAS) features protect your environment across the four pillars of MCAS.
Microsoft Cloud App Security easily integrates with other Microsoft services to protect your organization’s sensitive data across pillars: Visibility, Data security, Compliance, and Threat protection.
Statement: Cloud Discovery protects your environment along the Visibility pillar.
Is the statement TRUE?
Correct
MCAS offers protection across these four pillars: Visibility, data security, threat protection, and compliance.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-threat-protection-with-microsoft-365-defender/6-describe-microsoft-cloud-app-security#what-is-a-cloud-access-security-broker
The given statement is TRUE. Cloud Discovery uses traffic logs to discover cloud apps your employees use, providing rich visibility into cloud use & Shadow IT (unapproved apps). Once you discover the apps, manage them to ensure security and compliance.
Question 48 of 56
48. Question
This question is part of a series of questions that present the same scenario. Each question in the series tests your knowledge on how the Microsoft Cloud App Security (MCAS) features protect your environment across the four pillars of MCAS.
Microsoft Cloud App Security easily integrates with other Microsoft services to protect your organization’s sensitive data across pillars: Visibility, Data security, Compliance, and Threat protection.
Statement: Per the threat protection pillar, Azure Information Protection integrates with MCAS to protect your data against threats.
Is the statement TRUE?
Correct
Azure Information Protection (AIP) enables you to classify and protect your documents by applying labels to content. AIP labels are similar to sensitivity labels created in the Microsoft 365 compliance center. Microsoft recommends you migrate your AIP labels to sensitivity labels.
Reference Link: https://docs.microsoft.com/en-us/azure/information-protection/faqs#whats-the-difference-between-labels-in-microsoft-365-and-labels-in-azure-information-protection
AIP integrates with MCAS to classify and protect (encrypt) your sensitive information at rest.
For example, you can create MCAS file policies to ensure that sensitive information is automatically labeled and protected:
1. Create a file policy in MCAS.
2. In this instance, the policy detects files containing sensitive information (for example, credit card numbers) in all locations within the cloud app Box. Once a file is detected, AIP labels are applied to classify and protect it.
However, using AIP labels with MCAS is an example of the Data security pillar, not the Threat protection pillar. AIP labels classify, encrypt, and protect data to ensure data security; they do not offer any threat protection.
Review the below image. Each of the bullet points in the Cloud App Security framework talks about a corresponding pillar.
As marked in the black box, using AIP labels is an example of the Data security pillar. The given statement is NOT TRUE.
Reference Link: https://docs.microsoft.com/en-us/cloud-app-security/what-is-cloud-app-security#why-do-i-need-a-casb
Question 49 of 56
49. Question
This question is part of a series of questions that present the same scenario. Each question in the series tests your knowledge on how the Microsoft Cloud App Security (MCAS) features protect your environment across the four pillars of MCAS.
Microsoft Cloud App Security easily integrates with other Microsoft services to protect your organization’s sensitive data across pillars: Visibility, Data security, Compliance, and Threat protection.
Statement: Per the data security pillar, DLP policies integrate with MCAS to protect data in non-Microsoft cloud apps.
Is the statement TRUE?
Correct
To use DLP policies to protect non-Microsoft cloud apps, go to the Microsoft 365 Compliance Center, turn on the Microsoft Cloud App Security location, and select the non-Microsoft cloud apps the DLP policy should apply to.
Reference Link: https://docs.microsoft.com/en-us/microsoft-365/compliance/dlp-use-policies-non-microsoft-cloud-apps
Before that, you need to connect these apps to MCAS. For example, this link describes how you would connect a Box app to MCAS.
The given statement is TRUE. Per the Data security pillar, you can use MCAS to create DLP policies to monitor and detect when sensitive items are shared via non-Microsoft cloud apps like Box, Dropbox, etc.
Creating DLP policies to secure your data corresponds to the Data security pillar (black box in the below image).
Question 50 of 56
50. Question
This question is part of a series of questions that present the same scenario. Each question in the series tests your knowledge on how the Microsoft Cloud App Security (MCAS) features protect your environment across the four pillars of MCAS.
Microsoft Cloud App Security easily integrates with other Microsoft services to protect your organization’s sensitive data across pillars: Visibility, Data security, Compliance, and Threat protection.
Statement: Per the threat protection pillar, Azure AD Identity Protection integrates with MCAS to provide UEBA capabilities.
Is the statement TRUE?
Correct
UEBA refers to User and Entity Behavior Analytics. It detects anomalous user behavior, i.e. deviations from normal patterns.
Reference Link: https://digitalguardian.com/blog/what-user-and-entity-behavior-analytics-definition-ueba-benefits-how-it-works-and-more
Anomalous behaviors (like atypical travel or impossible travel) are uncovered by both Azure AD Identity Protection and Microsoft Cloud App Security.
Reference Link: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#sign-in-risk
Further, you can connect Azure AD Identity Protection with MCAS for a unified view of alerts and risk detections and enhanced UEBA capabilities.
Reference Link: https://docs.microsoft.com/en-us/cloud-app-security/aadip-integration
Using UEBA capabilities to detect anomalies helps you prevent threats and cyberattacks (see the black boxes in the below image).
The statement in the question, 'Azure AD Identity Protection integrates with MCAS to provide UEBA capabilities', corresponds to the MCAS Threat protection pillar. The given statement is TRUE.
Reference Link: https://docs.microsoft.com/en-us/cloud-app-security/what-is-cloud-app-security#why-do-i-need-a-casb
Question 51 of 56
51. Question
Read the following two statements about authentication methods for hybrid identity and select whether they are TRUE/FALSE.
Correct
The first statement is FALSE.
Password validation for pass-through authentication (PTA) happens in the on-premises Active Directory, not in the cloud.
When a hybrid user signs in to a cloud app with Azure AD, the credentials are passed through for verification in the on-premises directory. In steps 7 & 8 (below image), password verification happens against Active Directory.
Source: Microsoft documentation – How Pass-through authentication works
Reference Link: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-how-it-works
The second statement is FALSE too.
As you can see from the above image, Pass-through authentication, not password hash synchronization, uses agents (steps 5, 6, 7 & 8) on on-premises servers to validate the passwords.
Option (i) – FALSE, (ii) – FALSE is the correct answer.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/explore-basic-services-identity-types/6-describe-concept-of-hybrid-identities
Question 52 of 56
52. Question
Which of the following are the features of SSPR (self-service password reset)?
a. Password change
b. Password reset
c. Account unlock
d. Password write-back
Correct
The features of SSPR are:
· Password change (when you know the password and need to update it)
· Password reset (when you forgot the password)
· Account unlock (when the account has been locked out)
· Password write-back to the on-premises directory (so you can access on-premises applications with the updated password)
All four choices are features of SSPR.
The option All four options is the correct choice.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/explore-authentication-capabilities/5-describe-self-service-password-reset
Question 53 of 56
53. Question
Can you use an external email address (for example Gmail) to reset your password with Azure AD SSPR?
Correct
Yes. You can use an external email address to reset your password with Azure AD SSPR (self-service password reset).
After the administrator enables SSPR for you in the Azure AD tenant, the next time you sign in to a cloud service you need to register for SSPR by providing an alternate email address (if the email method is enabled).
Below, I have entered an external email address (Gmail) as an authentication email for SSPR. Whenever I forget a password or when my account is locked out, I can use this email to reset my password. SSPR doesn’t complain that I entered an external email address.
Below is the screenshot of when I am trying to recover my password with SSPR (Note the registered external email address).
From the above explanations, it is clear that you can use an external email address to reset your password with Azure AD SSPR.
Option Yes is the correct answer.
This question is based on practical experience. There isn’t a reference link I could find to this scenario.
Question 54 of 56
54. Question
Does Microsoft 365 security center provide Secure Score recommendations for Cloud App Security?
Correct
Yes. Microsoft Secure Score provides recommendations for Microsoft Cloud App Security. In addition, it also provides recommendations for Azure AD, Defender for Endpoint, and Defender for Identity.
You can view these recommendations in Microsoft 365 security center.
Option Yes is the correct choice.
Reference Link: Describe how to use Microsoft Secure Score
Question 55 of 56
55. Question
Drag & match the appropriate Azure service in the left column to its corresponding use case on the right.
Correct
The correct answer is:
Azure Policy -> Continuously monitors resources to ensure compliance
Azure Blueprints -> Achieve shorter development times
ARM Templates -> Azure’s Infrastructure-as-code
Azure RBAC -> Manages user actions
Detailed Explanation:
Azure Policy -> Continuously monitors resources to ensure compliance
Azure Policy continuously monitors Azure resources, evaluating them at set intervals to ensure compliance across your organization. The standard evaluation cycle is every 24 hours.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-resource-governance-capabilities-azure/3-describe-use-azure-blueprints
Azure Blueprints -> Achieve shorter development times
In organizations adopting Azure, a centralized team ensures that teams consume Azure in a way that is compatible with organizational standards. They use Azure Blueprints to define their compliance standards and patterns and push the blueprints to the development teams' subscriptions.
Accordingly, individual teams rapidly provision new environments across subscriptions simultaneously, in line with the organizational compliance standards, achieving shorter development times.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-resource-governance-capabilities-azure/3-describe-use-azure-blueprints
ARM Templates -> Azure’s Infrastructure-as-code
ARM templates are a way of implementing infrastructure as code (IaC) in Azure.
In ARM templates, you define your infrastructure (VMs, databases) in code. Like the app code, you store the infrastructure code in source control and version it. This lets you deploy the same infrastructure repeatably across several environments.
Reference Link: https://docs.microsoft.com/en-us/dotnet/architecture/cloud-native/infrastructure-as-code
Azure RBAC -> Manages user actions
Azure RBAC is an authorization system that manages the who/what/where of user’s access to Azure resources. Who can access; What can they access; Where can they access;
Quick Preview:
This question requires you to select the correct answer from the dropdown.
For Azure VMs, who is responsible for applying patches as per the shared responsibility model?
Correct
An Azure VM is an IaaS service hosted in Microsoft Azure. Under the shared responsibility model Microsoft is responsible for the physical datacenter, hosts and network and for patching the hypervisor underneath the VM, while the customer is responsible for everything inside the VM: the guest operating system, the installed applications and keeping both patched. Azure can automate that work (for example automatic VM guest patching or Azure Update Manager), but enabling it and verifying that updates actually land remains the customer's job.
Option Customer is the correct choice.
Reference Link: https://docs.microsoft.com/en-us/learn/modules/describe-security-concepts-methodologies/3-describe-shared-responsibility-model#infrastructure-as-a-service-iaas
Patching Azure VM | (This security best practice talks about customers patching VMs)