Question 1:
You are the Microsoft 365 administrator for your organization. You need to ensure that all users in the marketing department can share files externally with specific people only. What should you configure?
A) OneDrive sharing settings to allow sharing with anyone
B) SharePoint sharing settings to allow sharing with specific people
C) Azure AD external collaboration settings
D) Conditional Access policies
Answer: B
Explanation:
SharePoint sharing settings provide granular control over how users can share content with people outside the organization. When you need to enable external sharing while maintaining security, configuring sharing to allow only specific people is the recommended approach. SharePoint sharing settings offer multiple levels of external sharing control. The “Specific people” option requires that external users authenticate before accessing shared content. This setting ensures that only individuals who receive direct sharing invitations can access the files. When configured at the site collection or organizational level, this setting applies to all libraries and lists within that scope. For the marketing department specifically, you can configure these settings at the site level to ensure departmental compliance while maintaining organizational security standards.
Option A is incorrect because allowing sharing with anyone removes security controls and permits anonymous access, which doesn’t meet the requirement for specific people only. Option C is incorrect because Azure AD external collaboration settings control broader B2B collaboration features but don’t specifically manage file sharing permissions at the SharePoint level. Option D is incorrect because Conditional Access policies control access conditions like location and device compliance but don’t directly configure sharing permissions for files. The correct approach is to use SharePoint sharing settings to enable the specific people sharing option, which provides the exact level of control required for the marketing department’s needs.
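As an added example (not from the original page), the site-level configuration described above can be set with SharePoint Online PowerShell. The tenant and site URL are constructed placeholders; it assumes the SharePoint Online Management Shell is installed and the account holds the SharePoint Administrator role.

```powershell
# Added example, not part of the original page. Site URL below is constructed.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

$siteUrl = 'https://contoso.sharepoint.com/sites/marketing'

# A site can never be more permissive than the tenant, so check the tenant first.
$tenant = Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType
if ($tenant.SharingCapability -eq 'Disabled') {
    throw 'External sharing is disabled at the tenant level; raise it before scoping the site.'
}

# ExternalUserSharingOnly = authenticated external users only (no anonymous links).
# DefaultSharingLinkType Direct = the "Specific people" link is the default choice in the UI.
Set-SPOSite -Identity $siteUrl `
    -SharingCapability ExternalUserSharingOnly `
    -DefaultSharingLinkType Direct

# Verify the effective setting on the marketing site.
Get-SPOSite -Identity $siteUrl |
    Select-Object Url, SharingCapability, DefaultSharingLinkType
```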
Question 2:
Your organization needs to implement multi-factor authentication for all administrators. Which Azure AD feature should you configure?
A) Security defaults
B) Conditional Access policies
C) Azure AD Identity Protection
D) Password protection policies
Answer: B
Explanation:
Conditional Access policies provide the most flexible and comprehensive approach to implementing multi-factor authentication for specific user groups like administrators. These policies allow you to create targeted rules that enforce MFA based on user roles, group membership, applications being accessed, and other conditions. For administrator accounts, you can create a Conditional Access policy that specifically targets users with administrative roles and requires MFA for all cloud apps or specific administrative portals. This approach ensures that high-privileged accounts have an additional layer of security while allowing you to customize the MFA experience based on risk levels and access scenarios. Conditional Access policies are part of Azure AD Premium P1 licensing and offer granular control over authentication requirements. You can configure multiple policies to address different scenarios, such as requiring MFA when administrators access the Azure portal or Microsoft 365 admin center. The policies can also be configured to exclude certain trusted locations or require compliant devices in addition to MFA.
Option A is incorrect because while security defaults do enable MFA, they apply to all users in the organization and provide less flexibility than Conditional Access policies for targeting specific groups. Option C is incorrect because Azure AD Identity Protection focuses on risk-based policies and automated risk remediation rather than directly enforcing MFA for specific user groups. Option D is incorrect because password protection policies deal with password complexity and banned password lists, not multi-factor authentication requirements.
Question 3:
You need to prevent users from downloading files from SharePoint Online to unmanaged devices. What should you implement?
A) Data Loss Prevention policies
B) Conditional Access app control
C) Information Rights Management
D) Azure AD device compliance policies
Answer: B
Explanation:
Conditional Access app control, also known as Conditional Access App Control in Microsoft Cloud App Security (now Microsoft Defender for Cloud Apps), provides the ability to monitor and control user sessions in real time. This feature allows administrators to enforce session-level controls that can prevent downloads, printing, and copy-paste operations on unmanaged devices while still allowing users to access SharePoint Online content through their browsers. When implementing this solution, you create a Conditional Access policy that applies session controls to SharePoint Online and OneDrive for Business. The policy can be configured to allow access from unmanaged devices but with restrictions on what users can do with the content. This approach balances security with productivity by enabling users to view and collaborate on documents without being able to extract them to potentially insecure devices. The session controls are enforced through a reverse proxy architecture that monitors all user activities in real time.
Option A is incorrect because Data Loss Prevention policies focus on preventing sensitive information from leaving the organization through various channels but don’t specifically control downloads based on device management status. Option C is incorrect because Information Rights Management protects documents with encryption and usage rights but requires additional client-side support and doesn’t prevent initial downloads based on device management. Option D is incorrect because device compliance policies define requirements that devices must meet to be considered compliant but don’t directly enforce download restrictions for non-compliant devices accessing SharePoint.
Question 4:
Your company wants to automatically classify emails containing credit card numbers. Which Microsoft 365 feature should you use?
A) Retention labels
B) Sensitivity labels
C) Data Loss Prevention policies
D) eDiscovery
Answer: B
Explanation:
Sensitivity labels are the appropriate feature for automatically classifying emails and documents based on their content, including credit card numbers. These labels can be configured with auto-labeling policies that scan content for sensitive information types using built-in or custom classifiers. When an email contains credit card numbers, the sensitivity label can be automatically applied based on predefined conditions. Sensitivity labels not only classify content but can also apply protection settings such as encryption, content marking, and access restrictions. The auto-labeling functionality works across Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams. Administrators can configure trainable classifiers or use pre-built sensitive information types to detect credit card numbers and other financial data. Once applied, sensitivity labels travel with the content, ensuring consistent protection regardless of where the email is forwarded or stored. The labels can trigger additional security controls and compliance workflows based on organizational policies.
Option A is incorrect because retention labels are designed for managing the lifecycle of content and determining how long items should be retained or deleted, not for classifying based on sensitive content. Option C is incorrect because while DLP policies can detect and prevent sharing of credit card numbers, they focus on policy enforcement rather than classification of content. Option D is incorrect because eDiscovery is used for searching, holding, and exporting content for legal and compliance investigations, not for automatic classification of content.
Question 5:
You need to ensure that all Microsoft 365 group owners can manage their group membership. What should you configure?
A) Azure AD self-service group management
B) Dynamic group membership rules
C) Access reviews
D) Privileged Identity Management
Answer: A
Explanation:
Azure AD self-service group management enables group owners to manage their groups without requiring administrator intervention. When this feature is enabled, group owners can add or remove members, update group properties, and manage group settings through the Azure AD portal or Microsoft 365 interfaces. This capability empowers business users to maintain their team structures while reducing the administrative burden on IT departments. The self-service group management feature includes settings that control who can create groups, whether owners can manage membership, and what types of groups can be managed. Administrators can configure these settings at the tenant level to balance autonomy with governance requirements. Group owners receive the necessary permissions automatically when they create a group or are designated as owners by administrators. The feature supports both Microsoft 365 groups and security groups in Azure AD. Self-service capabilities extend to group lifecycle management, allowing owners to renew groups and manage guest user access.
Option B is incorrect because dynamic group membership rules automatically populate groups based on user attributes and don’t provide manual management capabilities for group owners. Option C is incorrect because access reviews are periodic audits of group membership and resource access, not a mechanism for ongoing membership management by owners. Option D is incorrect because Privileged Identity Management is designed for managing and monitoring access to administrative roles, not for empowering group owners to manage standard group membership.
Question 6:
Your organization needs to retain all Teams chat messages for 7 years. What should you create?
A) Litigation hold policy
B) Retention policy
C) eDiscovery case
D) Compliance search
Answer: B
Explanation:
Retention policies in Microsoft 365 provide the mechanism to retain or delete content across various workloads including Teams chat messages. When you create a retention policy specifically for Teams, you can configure it to retain all chat messages for a specified period, such as 7 years. The policy applies to private chats, channel messages, and messages in private channels. Retention policies work in the background to preserve content in a secure location even if users delete messages from their Teams interface. The retained content remains searchable through eDiscovery tools and can be recovered if needed for compliance or legal purposes. You can configure retention policies at different scopes, including organization-wide, specific users, or specific Teams. The policies support flexible retention periods and can be configured to take action after the retention period expires, such as permanently deleting content or triggering a disposition review. Teams retention policies integrate with the broader Microsoft 365 compliance framework and can be managed through the Microsoft Purview compliance portal.
Option A is incorrect because litigation hold is designed for preserving content for specific users involved in legal matters and is typically used in eDiscovery scenarios rather than organization-wide retention requirements. Option C is incorrect because eDiscovery cases are used for searching, preserving, and exporting content for investigations, not for implementing retention requirements across all Teams communications. Option D is incorrect because compliance search is a tool for finding and exporting content that matches specific criteria, not for enforcing retention periods.
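As an added example (not from the original page), the Teams retention policy described above can be created in Security & Compliance PowerShell. The policy and rule names are constructed; it assumes the Exchange Online Management module is installed and the account holds a compliance administrator role.

```powershell
# Added example, not part of the original page. Names below are constructed.
Connect-IPPSSession

$policyName = 'Teams Chat 7 Year Retention'

# Teams retention policies are created separately from other workloads.
# Both chat (1:1/group) and channel message locations are covered, org-wide.
New-RetentionCompliancePolicy -Name $policyName `
    -TeamsChatLocation All `
    -TeamsChannelLocation All `
    -Enabled $true

# 7 years expressed in days (7 * 365 = 2555). Action 'Keep' retains content for the
# period without deleting it afterwards; use 'KeepAndDelete' if disposal is required.
New-RetentionComplianceRule -Name "$policyName Rule" `
    -Policy $policyName `
    -RetentionDuration 2555 `
    -RetentionComplianceAction Keep

# Verify that the policy has been distributed to the Teams locations.
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus, TeamsChatLocation, TeamsChannelLocation
```

Distribution can take some time to complete; a DistributionStatus of Pending is normal immediately after creation.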
Question 7:
You need to allow external users to access specific SharePoint sites without requiring them to sign in. What sharing level should you configure?
A) Anyone with the link
B) People in your organization
C) Specific people
D) Existing guests
Answer: A
Explanation:
The “Anyone with the link” sharing level allows external users to access SharePoint content without authentication requirements. When this option is enabled, users who receive the sharing link can access the content anonymously without signing in with a Microsoft account or organizational credentials. This sharing level generates anonymous access links that can be shared broadly and don’t require recipient verification. The links can be configured with expiration dates and permissions levels such as view-only or edit access. This approach is useful for scenarios where you need to share content with a large audience or when requiring authentication would create barriers to access. However, it’s important to note that this is the least secure sharing option because anyone who obtains the link can access the content. Organizations should carefully consider the sensitivity of content before enabling this sharing level and may want to implement additional controls such as link expiration or password protection for anonymous links.
Option B is incorrect because “People in your organization” restricts sharing to internal users only and requires authentication with organizational credentials. Option C is incorrect because “Specific people” requires external users to authenticate before accessing content, which doesn’t meet the requirement of no sign-in. Option D is incorrect because “Existing guests” requires that external users already have guest accounts in your Azure AD tenant and must sign in with those credentials.
Question 8:
Your organization wants to prevent users from forwarding emails containing financial data outside the company. What should you configure?
A) Transport rules in Exchange Online
B) Mail flow rules with DLP policies
C) Sensitivity labels with forwarding restrictions
D) Conditional Access policies
Answer: B
Explanation:
Mail flow rules combined with Data Loss Prevention policies provide comprehensive protection against forwarding sensitive emails outside the organization. DLP policies can detect financial data using built-in or custom sensitive information types such as credit card numbers, bank account numbers, or financial report patterns. When integrated with mail flow rules, these policies can automatically block, quarantine, or modify emails that match the DLP criteria before they leave the organization. The solution monitors all outbound email traffic and applies actions based on the sensitivity of detected content. You can configure the policies to generate policy tips that warn users before they forward sensitive content, or automatically prevent forwarding entirely. DLP policies also provide detailed reporting and incident management capabilities that help administrators track and investigate potential data leakage attempts. The combination of mail flow rules and DLP policies offers granular control over email forwarding behavior while maintaining visibility into user actions.
Option A is incorrect because transport rules alone don’t have the built-in capability to detect and classify financial data; they require manual configuration of conditions that may not effectively identify sensitive content. Option C is incorrect because while sensitivity labels can restrict forwarding, they require user action to apply the label or rely on auto-labeling, which may not catch all instances of financial data in real-time email flow. Option D is incorrect because Conditional Access policies control authentication and access conditions but don’t monitor or restrict email forwarding based on content.
Question 9:
You need to delegate the ability to reset passwords for non-administrative users. Which Azure AD role should you assign?
A) Password Administrator
B) User Administrator
C) Helpdesk Administrator
D) Authentication Administrator
Answer: C
Explanation:
The Helpdesk Administrator role is specifically designed for delegating password reset capabilities to support personnel without granting excessive privileges. Users assigned this role can reset passwords and invalidate refresh tokens for non-administrators and users with limited administrative roles. This role provides the minimum necessary permissions for help desk staff to assist users with password issues while maintaining security boundaries. Helpdesk Administrators cannot reset passwords for other administrators with higher privileges, which prevents privilege escalation scenarios. The role also allows managing support tickets and monitoring service health, making it ideal for first-line support personnel. When assigning this role, you ensure that help desk staff can perform their duties efficiently without accessing sensitive configuration settings or user data beyond what’s necessary for password management. The role follows the principle of least privilege by limiting capabilities to password resets and basic user management tasks.
Option A is incorrect because the Password Administrator role, while it can reset passwords, has broader capabilities including managing authentication methods and may grant more permissions than needed for standard help desk operations. Option B is incorrect because the User Administrator role has extensive user management capabilities including creating users, managing licenses, and modifying user properties, which exceeds the requirement of password reset delegation. Option D is incorrect because the Authentication Administrator role focuses on managing authentication methods and MFA settings for non-administrators but is more specialized than needed for general password reset scenarios.
Question 10:
Your company needs to ensure that deleted mailboxes can be recovered for 60 days. What should you configure?
A) Litigation hold
B) Retention policy
C) Deleted mailbox retention period
D) Recoverable Items folder quota
Answer: C
Explanation:
The deleted mailbox retention period setting in Exchange Online determines how long soft-deleted mailboxes remain available for recovery before being permanently purged. By default, this period is 30 days, and the standard setting cannot be extended beyond that 30-day maximum. For scenarios requiring 60 days of recovery capability, you would therefore need to combine it with retention policies or litigation hold applied before deletion. The deleted mailbox retention period applies when user accounts are deleted from Azure AD, which triggers the soft-deletion of their associated mailbox. During this retention period, administrators can reconnect the mailbox to a new or existing user account, or permanently delete it if needed. The soft-deleted mailbox retains all email content, calendar items, contacts, and other mailbox data. This setting is crucial for organizations that need flexibility in recovering accidentally deleted user accounts or managing employee departures. The configuration is managed at the organizational level in Exchange Online and applies uniformly to all mailboxes unless specific mailboxes have additional holds or retention policies applied.
Option A is incorrect because litigation hold preserves mailbox content from deletion and modification while the mailbox is active, but it doesn’t extend the recovery period for already-deleted mailboxes. Option B is incorrect because retention policies manage the lifecycle of content within mailboxes but don’t control the recovery window for deleted mailbox objects themselves. Option D is incorrect because the Recoverable Items folder quota determines storage limits for items in the retention process within an active mailbox, not the recovery period for deleted mailboxes.
Question 11:
You need to prevent guest users from inviting other guests to your Azure AD tenant. What should you configure?
A) Azure AD external collaboration settings
B) Conditional Access policies
C) Guest user access restrictions
D) Cross-tenant access settings
Answer: A
Explanation:
Azure AD external collaboration settings provide granular control over guest user permissions and invitation capabilities within your tenant. Within these settings, you can specifically configure whether guest users can invite other guests to the organization. This setting is found in the External Identities section of the Azure AD portal under External collaboration settings. By default, guest users may have the ability to invite others depending on your organization’s configuration, but this can be restricted to ensure that only members or specific administrators can send invitations. Limiting guest invitation privileges helps maintain control over who can access your organization’s resources and prevents unauthorized expansion of external access. The external collaboration settings also allow you to configure other restrictions such as which domains can be invited, whether guests can see other users in the directory, and what information guests can access. These settings work in conjunction with Conditional Access policies to provide comprehensive security for external collaboration scenarios while maintaining appropriate access controls.
Option B is incorrect because Conditional Access policies control access conditions and requirements but don’t directly manage invitation capabilities or permissions for guest users. Option C is incorrect because while guest user access restrictions limit what guests can see and do within the directory, they don’t specifically prevent guests from inviting other guests. Option D is incorrect because cross-tenant access settings manage B2B collaboration between specific organizations and mutual access configurations, not the ability of individual guests to send invitations.
Question 12:
Your organization wants to automatically apply encryption to emails containing the word “Confidential” in the subject line. What should you configure?
A) Mail flow rule with Office 365 Message Encryption
B) Sensitivity label with auto-labeling policy
C) DLP policy with encryption action
D) Information Rights Management template
Answer: A
Explanation:
Mail flow rules in Exchange Online combined with Office 365 Message Encryption provide the capability to automatically encrypt emails based on specific conditions such as subject line keywords. When you create a mail flow rule that detects the word “Confidential” in the subject line, you can apply the “Apply Office 365 Message Encryption and rights protection” action to automatically encrypt these messages before delivery. This approach ensures immediate and consistent protection without requiring user action or awareness. The encryption applies to emails sent both internally and externally, with external recipients receiving instructions on how to access the encrypted content through the Office 365 Message Encryption portal. Mail flow rules operate at the transport layer, processing emails in real time as they flow through Exchange Online. You can configure additional conditions and exceptions to fine-tune when encryption should be applied, such as combining subject line detection with sender criteria or recipient domains. The solution provides centralized control over email encryption policies and generates audit logs for compliance tracking.
Option B is incorrect because sensitivity labels with auto-labeling policies can classify and protect content, but they typically work based on content inspection patterns and sensitive information types rather than simple subject line keyword matching, and may not encrypt emails in real time during transport. Option C is incorrect because DLP policies primarily focus on detecting and preventing data loss rather than applying encryption; although they can block or quarantine emails, they are not the primary tool for automatic encryption. Option D is incorrect because Information Rights Management templates define protection settings but require application through other mechanisms and don’t automatically apply encryption based on email properties.
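As an added example (not from the original page), the mail flow rule described above can be created with Exchange Online PowerShell. The rule name is constructed; it assumes the Exchange Online Management module is installed, the account holds an Exchange administrator role, and the built-in “Encrypt” rights protection template is available in the tenant.

```powershell
# Added example, not part of the original page. Rule name below is constructed.
Connect-ExchangeOnline

$ruleName = 'Encrypt when subject contains Confidential'

# SubjectContainsWords matches the keyword in the subject line (case-insensitive).
# ApplyRightsProtectionTemplate 'Encrypt' is the "Apply Office 365 Message Encryption
# and rights protection" action; 'Do Not Forward' would also block forwarding.
# Mode Audit first lets you review matches in message trace before enforcing.
New-TransportRule -Name $ruleName `
    -SubjectContainsWords 'Confidential' `
    -ApplyRightsProtectionTemplate 'Encrypt' `
    -Mode Audit `
    -Comments 'Auto-encrypt messages flagged Confidential in the subject'

# After validating matches, switch the rule to enforcement.
Set-TransportRule -Identity $ruleName -Mode Enforce

# Verify the rule state and action.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, SubjectContainsWords, ApplyRightsProtectionTemplate
```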
Question 13:
You need to monitor and receive alerts when users sign in from anonymous IP addresses. Which solution should you implement?
A) Azure AD Identity Protection
B) Microsoft Defender for Cloud Apps
C) Conditional Access policies
D) Azure AD sign-in logs
Answer: A
Explanation:
Azure AD Identity Protection provides comprehensive risk detection and alerting capabilities for suspicious sign-in activities, including sign-ins from anonymous IP addresses. This feature continuously monitors authentication events and applies machine learning algorithms to detect unusual patterns and potential threats. When a sign-in occurs from an anonymous IP address, such as one belonging to a VPN service or anonymization network, Identity Protection generates a risk detection event and can trigger automated responses. Administrators can configure risk-based policies that respond to these detections by requiring additional authentication factors, blocking access, or alerting security teams. The solution provides a centralized dashboard showing all risk detections, their severity levels, and recommended actions. Identity Protection integrates with Conditional Access to enable automated risk remediation and can send notifications to administrators when high-risk sign-ins are detected. The risk detection for anonymous IP addresses specifically identifies connections from IP addresses known to be associated with anonymization services.
Option B is incorrect because while Microsoft Defender for Cloud Apps monitors cloud application usage and can detect some anomalous activities, it’s primarily focused on cloud app security posture and shadow IT discovery rather than identity-specific risk detection like anonymous IP sign-ins. Option C is incorrect because Conditional Access policies enforce access controls based on conditions but don’t inherently monitor or alert on anonymous IP usage unless combined with other detection mechanisms. Option D is incorrect because sign-in logs provide historical records and can be queried for analysis but don’t automatically generate alerts or detect anonymous IP usage without additional configuration.
Question 14:
Your company needs to ensure that all SharePoint sites created by users include specific metadata columns. What should you configure?
A) Site scripts and site designs
B) Content type hub
C) Site templates
D) Information management policies
Answer: A
Explanation:
Site scripts and site designs provide the mechanism to standardize SharePoint site creation by automatically applying configurations including metadata columns, lists, themes, and other site elements. Site scripts are JSON-based definitions that specify what should be created or configured on a site, while site designs are the containers that execute one or more site scripts and can be made available to users during site creation. When users create new SharePoint sites through the self-service process, they can select from available site designs that automatically provision the required metadata columns to all libraries or lists. This approach ensures consistency across all new sites without requiring manual configuration after creation. Site designs can be scoped to specific site types such as team sites or communication sites, and can be set as default designs to ensure all sites include the necessary metadata structure. The solution supports complex provisioning scenarios including creating columns with specific data types, adding them to default views, and configuring column settings.
Option B is incorrect because the content type hub is used to publish and synchronize content types across site collections, which is useful for metadata management but doesn’t automatically provision columns during site creation. Option C is incorrect because while site templates can save site configurations, they require manual application and don’t provide the same level of automated provisioning and governance as site designs. Option D is incorrect because information management policies define retention and auditing rules for content but don’t create or enforce the presence of specific metadata columns during site creation.
Question 15:
You need to ensure that users can only access Microsoft 365 services from corporate-managed devices. What should you implement?
A) Device compliance policies with Conditional Access
B) Azure AD joined devices
C) Mobile Device Management enrollment
D) Windows Autopilot
Answer: A
Explanation:
Device compliance policies combined with Conditional Access provide comprehensive control over which devices can access Microsoft 365 services. Device compliance policies define the requirements that devices must meet to be considered compliant, such as having up-to-date antivirus software, encryption enabled, minimum operating system versions, and no detected jailbreak or root. These policies are created in Microsoft Intune and apply to devices enrolled in mobile device management. Conditional Access policies then leverage the compliance status to make real-time access decisions, allowing only compliant devices to access specified cloud applications including all Microsoft 365 services. This two-component approach ensures that access is granted only to devices that meet your organization’s security standards, regardless of where users are connecting from. The solution works across multiple platforms including Windows, iOS, Android, and macOS, providing consistent security controls across your entire device ecosystem. When a device falls out of compliance, access is automatically revoked until the device returns to a compliant state.
Option B is incorrect because Azure AD joined devices provide identity integration and single sign-on capabilities but don’t inherently restrict access to only managed devices without additional Conditional Access policies. Option C is incorrect because MDM enrollment alone makes devices manageable but doesn’t enforce access restrictions; it must be combined with compliance and Conditional Access policies to control access. Option D is incorrect because Windows Autopilot is a deployment solution for provisioning and configuring new Windows devices, not an access control mechanism for restricting service access to managed devices.
Question 16:
Your organization needs to investigate potential insider threats by searching all user communications. Which tool should you use?
A) Advanced eDiscovery
B) Content Search
C) Audit log search
D) Insider risk management
Answer: D
Explanation:
Insider risk management in Microsoft Purview is specifically designed to detect, investigate, and respond to potential insider threats within an organization. This solution uses machine learning and intelligent analytics to identify risky user behaviors across Microsoft 365 services including email, Teams, SharePoint, and OneDrive. The tool can detect patterns such as data exfiltration, policy violations, security violations, and data leaks by departing employees. Insider risk management provides a comprehensive dashboard that shows risk signals, allows investigators to review user activities in context, and enables escalation to Advanced eDiscovery cases when warranted. The solution respects privacy by using pseudonymization initially and revealing identities only when investigators need to take action. It includes pre-built policies for common insider risk scenarios and allows customization based on organizational needs. The tool correlates signals from multiple sources to provide holistic risk assessment and helps security teams prioritize investigations based on risk scores.
Option A is incorrect because Advanced eDiscovery is designed for legal and compliance investigations with known scope and subjects, not for proactive detection of unknown insider threats across the organization. Option B is incorrect because Content Search allows searching for specific content across Microsoft 365 but doesn’t provide behavioral analytics or risk scoring needed for insider threat detection. Option C is incorrect because audit log search provides historical records of user and admin activities but doesn’t analyze patterns or identify risky behaviors associated with insider threats.
Question 17:
You need to ensure that all new Microsoft 365 groups are created with a specific naming policy. What should you configure?
A) Azure AD group naming policy
B) Office 365 Groups creation policy
C) SharePoint site creation settings
D) Teams creation policy
Answer: A
Explanation:
Azure AD group naming policy provides centralized control over the naming conventions for Microsoft 365 groups across all group creation scenarios. This policy allows you to define prefixes, suffixes, and blocked words that apply whenever users create new groups through any interface including Outlook, Teams, SharePoint, or the Azure portal. The naming policy can include static text elements and dynamic attributes such as department, location, or user properties that are automatically inserted into group names. This ensures consistency in group naming across the organization and helps with group discovery and management. When users attempt to create a group with a name that violates the policy, they receive immediate feedback and must adjust the name to comply. The policy also prevents the use of specific words that might be inappropriate or conflict with organizational standards. Naming policies apply at the Azure AD level, ensuring enforcement regardless of which workload or application is being used to create the group.
Option B is incorrect because while you can control who can create Office 365 Groups, there isn’t a separate creation policy specifically for naming conventions; naming is controlled through the Azure AD naming policy. Option C is incorrect because SharePoint site creation settings control site creation permissions and available site designs but don’t enforce naming policies for the underlying Microsoft 365 groups. Option D is incorrect because Teams creation policy controls who can create teams and related settings but doesn’t enforce naming conventions; Teams respects the Azure AD group naming policy for the underlying Microsoft 365 group.
Question 18:
Your company wants to block access to Microsoft 365 from specific countries. What should you configure?
A) Named locations in Conditional Access
B) Azure AD Identity Protection
C) Firewall rules
D) IP address restrictions in SharePoint
Answer: A
Explanation:
Named locations in Azure AD Conditional Access allow you to define geographic locations based on countries or regions that can then be used in Conditional Access policies to control access to Microsoft 365 services. You can create named locations representing countries from which you want to block access, and then configure a Conditional Access policy that denies access when sign-ins originate from those locations. This approach provides centralized, identity-based access control that applies across all Microsoft 365 services and doesn’t depend on network-level controls. Named locations use IP geolocation data to determine the country of origin for sign-in attempts. The solution works regardless of which application users are trying to access, providing consistent enforcement across Exchange Online, SharePoint, Teams, and all other Microsoft 365 services. You can also create exceptions for specific users or groups who may need to access services while traveling to blocked countries.
Option B is incorrect because Azure AD Identity Protection focuses on detecting risky sign-ins based on unusual patterns and known threats, but it doesn’t provide direct controls for blocking access based on geographic location. Option C is incorrect because traditional firewall rules operate at the network perimeter and can’t effectively control access to cloud services that users access from any location; additionally, Microsoft 365 uses distributed endpoints that change frequently. Option D is incorrect because IP address restrictions in SharePoint only apply to SharePoint Online and OneDrive and don’t provide comprehensive blocking across all Microsoft 365 services; they also use IP ranges rather than country-based identification.
Question 19:
You need to provide temporary administrative access to a user for 8 hours. What should you use?
A) Privileged Identity Management eligible assignment
B) Permanent role assignment
C) Just-in-time access
D) Emergency access account
Answer: A
Explanation:
Privileged Identity Management eligible assignments allow administrators to grant time-bound access to Azure AD roles and Azure resource roles. With PIM, you can configure eligible assignments that users must activate when they need to perform administrative tasks. The activation process can require multi-factor authentication, justification, and approval before the role becomes active. Once activated, the role remains active for a specified duration such as 8 hours and then automatically expires. This approach implements the principle of least privilege by ensuring administrative permissions are only active when needed. PIM provides detailed audit logs of all activation requests and activities performed with elevated privileges. Eligible assignments are superior to permanent assignments for scenarios requiring temporary access because they reduce the window of exposure for privileged accounts and provide better accountability through the activation workflow. The solution integrates with Conditional Access to enforce additional security requirements during role activation.
Option B is incorrect because permanent role assignments grant continuous access without time limitations, which violates the principle of least privilege for temporary access needs. Option C is incorrect because while just-in-time access is a concept related to PIM, it’s not the specific mechanism for configuring time-bound administrative access; eligible assignments in PIM implement just-in-time access. Option D is incorrect because emergency access accounts are break-glass accounts intended for emergency scenarios when normal administrative access is unavailable, not for routine temporary administrative tasks.
Question 20:
Your organization needs to ensure that all documents in a specific SharePoint library are automatically deleted after 5 years. What should you create?
A) Retention label
B) Retention policy
C) Information management policy
D) Document deletion workflow
Answer: A
Explanation:
Retention labels provide the mechanism to apply retention and deletion settings to individual items or documents in SharePoint libraries. When you create a retention label with a 5-year retention period followed by automatic deletion, you can publish this label to specific SharePoint locations including individual libraries. Users can manually apply the label to documents, or you can configure automatic application based on conditions. Once applied, the retention label enforces the retention period and deletion action regardless of where the document is moved within SharePoint. Retention labels can also be set as default labels for a library, ensuring all new documents automatically receive the retention settings. The label-based approach provides granular control at the document level and allows different retention periods for different types of content within the same library. When the retention period expires, the documents are automatically moved to the Preservation Hold library before final deletion, providing a safety net for recovery if needed.
Option B is incorrect because retention policies apply broadly to locations like entire sites or all SharePoint sites, and while they can delete content after a specified period, they don’t provide the granular control needed for a specific library without affecting other content. Option C is incorrect because information management policies are legacy features in SharePoint that have largely been replaced by retention labels and policies in the Microsoft Purview compliance center. Option D is incorrect because while SharePoint workflows can perform actions including deletion, they require manual triggering or complex scheduling and don’t provide the compliance-focused retention management capabilities that retention labels offer.