Microsoft 365 MS-102 Administrator Exam Dumps and Practice Test Questions Set 3 Q41-60

Question 41: 

Your company needs to ensure that Teams meetings automatically expire shared content after 30 days. What should you configure?

A) Teams meeting policy with content expiration

B) SharePoint retention policy for Teams sites

C) Teams content lifecycle policy

D) Files retention label in Teams

Answer: B

Explanation:

SharePoint retention policies for Teams sites provide the mechanism to automatically expire and delete shared content from Teams meetings after a specified period. Teams meetings store shared content including uploaded files and shared documents in the associated SharePoint site for each team. When you create a retention policy that targets SharePoint locations and specifically includes Teams sites, you can configure the policy to delete content after 30 days.

The retention policy can be scoped to apply to all Teams sites or specific teams based on organizational requirements. Once configured, the policy automatically processes content based on its creation or modification date and deletes items that exceed the 30-day threshold. This approach ensures consistent content lifecycle management across all Teams meeting content without requiring manual intervention. The policy integrates with the broader Microsoft Purview compliance framework and provides audit trails of content deletion activities.

Option A) is incorrect because Teams meeting policies control meeting settings and participant capabilities but don’t include content expiration settings for shared files and documents. They focus on meeting behavior rather than content lifecycle.

Option C) is incorrect because there is no specific Teams content lifecycle policy feature. Content lifecycle management for Teams is accomplished through SharePoint retention policies that target the underlying SharePoint sites where Teams content is stored.

Option D) is incorrect because while retention labels can be applied to files in Teams, they require publishing and application rather than providing automatic 30-day expiration for all meeting content. A retention policy provides better automation.

Question 42: 

You need to grant users the ability to search and export mailbox content without giving them full eDiscovery permissions. Which role should you assign?

A) eDiscovery Manager

B) Compliance Search

C) Organization Management

D) Records Management

Answer: A

Explanation:

The eDiscovery Manager role provides users with permissions to search mailbox content and export search results while maintaining appropriate security boundaries. This role includes two sub-roles: eDiscovery Manager and eDiscovery Administrator. The eDiscovery Manager role allows users to create and manage eDiscovery cases, perform content searches across Exchange Online mailboxes, and export search results for analysis or legal review.

Users assigned the eDiscovery Manager role can only access cases they create or are members of, preventing unauthorized access to other investigations. They can search mailboxes, place content holds, and export data but cannot perform organization-wide administrative tasks or access all eDiscovery cases in the organization. This role is appropriate for legal teams, compliance officers, or investigators who need to conduct searches without broader administrative permissions. The role follows the principle of least privilege by granting sufficient permissions for eDiscovery tasks without unnecessary access to organizational configuration.

Option B) is incorrect because while there are compliance search-related permissions, the specific role for searching and exporting mailbox content in the context of investigations is eDiscovery Manager, which provides the necessary case management and export capabilities.

Option C) is incorrect because Organization Management is a high-privilege role group that grants extensive administrative permissions across Microsoft 365, which far exceeds the requirements for mailbox search and export capabilities.

Option D) is incorrect because the Records Management role focuses on managing retention labels, file plans, and disposition reviews rather than searching and exporting mailbox content for investigations.

Question 43: 

Your organization needs to ensure that users can only share files with external users who have verified email addresses. What should you configure?

A) SharePoint sharing settings requiring authentication

B) Azure AD B2B email verification

C) External sharing with authentication code

D) One-time passcode authentication for guests

Answer: D

Explanation:

One-time passcode authentication for guests in Azure AD provides email verification for external users who don’t have organizational accounts or Microsoft accounts. When you enable this feature, external users who receive sharing invitations must verify their email address by entering a one-time passcode that is sent to their email. This ensures that only users with verified email addresses can access shared content.

The one-time passcode feature is configured in Azure AD External Identities settings and works automatically when external users attempt to access shared resources. When an external user clicks a sharing link, Azure AD sends a time-limited passcode to their email address. The user must enter this passcode to authenticate and access the shared content. This verification process confirms that the user has access to the email address they claim and prevents unauthorized access through guessed or shared links. The one-time passcode authentication integrates seamlessly with SharePoint, OneDrive, and Teams sharing workflows.

Option A) is incorrect because SharePoint sharing settings requiring authentication ensure users must sign in but don’t specifically verify email addresses through a passcode mechanism. Users with existing Microsoft accounts can authenticate without email verification.

Option B) is incorrect because Azure AD B2B email verification is not a standalone configuration option. Email verification for guests is accomplished through the one-time passcode authentication feature.

Option C) is incorrect because while external sharing can use authentication codes, this terminology doesn’t accurately describe the one-time passcode authentication feature that provides email verification for guest access.

Question 44: 

You need to prevent users from creating Teams that don’t follow the company naming convention. What should you implement?

A) Azure AD group naming policy with required prefix

B) Teams creation policy

C) PowerShell script for validation

D) Teams naming template

Answer: A

Explanation:

Azure AD group naming policy with required prefix provides automated enforcement of naming conventions for all Teams created by users throughout the organization. Since Microsoft Teams is built on Microsoft 365 groups, the naming policy applies to the underlying group and ensures compliance with organizational standards. When you configure a naming policy with required prefixes or suffixes, the system automatically adds these elements to team names or blocks creation if the name doesn’t comply with specified patterns.

The naming policy can include static text elements like department codes or dynamic attributes from Azure AD such as user department, location, or other properties. When users attempt to create a team with a name that doesn’t meet the policy requirements, they receive an error message explaining the naming convention. The policy ensures consistent naming across all teams regardless of which interface users employ for creation, including the Teams client, SharePoint, or Outlook. You can also define blocked words that cannot appear in team names.

Option B) is incorrect because Teams creation policy controls who can create teams but doesn’t enforce naming conventions. It focuses on creation permissions rather than name format requirements.

Option C) is incorrect because PowerShell scripts can validate team names but require manual execution and don’t provide real-time enforcement during the team creation process. They are reactive rather than preventive.

Option D) is incorrect because there is no specific Teams naming template feature. Naming convention enforcement is accomplished through the Azure AD group naming policy that applies to the Microsoft 365 groups underlying Teams.

Question 45: 

Your company needs to ensure that all PowerPoint presentations contain a watermark when shared externally. What should you configure?

A) Sensitivity label with content marking

B) Information Rights Management template

C) Data Loss Prevention policy

D) SharePoint document library settings

Answer: A

Explanation:

Sensitivity labels with content marking provide the capability to automatically apply watermarks to PowerPoint presentations and other Office documents when they are classified with specific labels. Content markings can include headers, footers, and watermarks that display text such as classification level, confidentiality notices, or other organizational information. When you configure a sensitivity label for external sharing scenarios, you can enable content marking that automatically applies when the label is applied to presentations.

The sensitivity label can be configured with auto-labeling policies that detect when presentations are shared externally or contain specific content types. Once applied, the label adds the configured watermark to all slides in the presentation, ensuring that external recipients see the classification and handling instructions. The watermark persists with the document and appears when viewed in PowerPoint or exported to PDF. You can customize the watermark text, font, size, color, and position to meet organizational branding and security requirements.

Option B) is incorrect because Information Rights Management templates provide encryption and usage rights but don’t automatically add visual content markings like watermarks to documents. They focus on access control rather than document marking.

Option C) is incorrect because Data Loss Prevention policies detect and prevent sharing of sensitive content but don’t add watermarks to documents. They operate by blocking or modifying transmission rather than marking content.

Option D) is incorrect because SharePoint document library settings control library behavior and metadata but don’t provide functionality to automatically add watermarks to PowerPoint presentations when they are shared externally.

Question 46: 

You need to ensure that all emails sent to a specific distribution group are moderated before delivery. What should you configure?

A) Distribution group moderation settings

B) Mail flow rule with approval

C) Transport rule with redirect

D) Exchange Online Protection policy

Answer: A

Explanation:

Distribution group moderation settings in Exchange Online provide built-in functionality to require approval of messages before they are delivered to group members. When you enable moderation for a distribution group, you designate one or more moderators who must approve messages before they are distributed to the group membership. This feature is particularly useful for groups that communicate important announcements or sensitive information where message control is necessary.

You configure moderation by editing the distribution group properties in the Exchange admin center and enabling the message approval option. You then specify which users should act as moderators and configure settings such as whether senders are notified when their messages require moderation. When users send email to the moderated group, the message is held in a queue and moderators receive a notification with options to approve or reject the message. Approved messages are delivered to all group members, while rejected messages are returned to the sender with an explanation.

Option B) is incorrect because while mail flow rules can include approval actions, using distribution group moderation settings is the native and more appropriate method for requiring approval of messages sent to specific groups. It’s designed specifically for this purpose.

Option C) is incorrect because transport rules with redirect change message routing but don’t provide moderation and approval workflow for distribution group messages. They focus on message redirection rather than approval processes.

Option D) is incorrect because Exchange Online Protection policies focus on anti-spam and anti-malware protection rather than providing moderation capabilities for internal distribution group communications.

Question 47: 

Your organization wants to automatically classify emails based on machine learning patterns. What should you implement?

A) Trainable classifiers with sensitivity labels

B) Manual sensitivity labels

C) DLP policies with keywords

D) Mail flow rules with patterns

Answer: A

Explanation:

Trainable classifiers with sensitivity labels provide advanced machine learning capabilities to automatically classify emails and documents based on patterns learned from sample content rather than simple keyword or pattern matching. Microsoft 365 includes pre-trained classifiers for common content types like resumes, source code, harassment, profanity, and financial documents. Organizations can also create custom trainable classifiers by providing positive and negative sample documents that train the machine learning model.

When you configure auto-labeling policies using trainable classifiers, the system analyzes email content and applies appropriate sensitivity labels based on the learned patterns. This approach provides more accurate classification than keyword-based methods because it understands context, document structure, and content characteristics beyond simple text matching. The trainable classifier continuously improves as it processes more content and receives feedback. Once labels are applied, they can trigger protection settings like encryption, access restrictions, or content markings.

Option B) is incorrect because manual sensitivity labels require users to apply classifications themselves, which doesn’t provide automatic classification based on machine learning patterns. It relies on user judgment and action.

Option C) is incorrect because DLP policies with keywords use pattern matching and regular expressions but don’t employ machine learning to understand content context and characteristics. They provide less sophisticated classification capabilities.

Option D) is incorrect because mail flow rules with patterns operate on explicit matching conditions and don’t use machine learning to classify content. They require administrators to define specific patterns rather than learning from examples.

Question 48: 

You need to prevent users from forwarding calendar meeting invitations to external recipients. What should you configure?

A) Calendar sharing policies in Exchange Online

B) Outlook calendar permissions

C) Information Rights Management for calendar

D) Conditional Access policy

Answer: A

Explanation:

Calendar sharing policies in Exchange Online provide control over how users can share their calendar information with people outside the organization, including preventing forwarding of meeting invitations to external recipients. These policies define what level of calendar information can be shared externally and through which mechanisms. When you configure calendar sharing policies to restrict external sharing, users cannot forward meeting invitations or share detailed calendar information with external recipients.

You can configure calendar sharing policies at the organizational level to apply default restrictions to all users, or create specific policies for different user groups with varying requirements. The policies control whether users can share free/busy information only, limited details, or full details with external recipients. By setting restrictive policies, you prevent users from forwarding meeting invitations that might contain sensitive information to people outside the organization. The policies apply across all Outlook clients including desktop, web, and mobile applications.

Option B) is incorrect because Outlook calendar permissions control sharing within the organization and delegate access but don’t specifically prevent forwarding of meeting invitations to external recipients. They focus on internal calendar sharing scenarios.

Option C) is incorrect because Information Rights Management can protect calendar items with encryption and usage rights, but calendar items don’t support IRM protection in the same way as emails and documents. IRM isn’t the primary mechanism for controlling calendar sharing.

Option D) is incorrect because Conditional Access policies control access to cloud applications based on conditions but don’t specifically prevent forwarding of calendar meeting invitations. They operate at the authentication and access layer rather than content sharing control.

Question 49: 

Your company needs to ensure that deleted SharePoint sites can be recovered for 60 days. What should you configure?

A) SharePoint site collection retention period

B) Deleted site retention policy

C) SharePoint recycle bin settings

D) Site closure and deletion policy

Answer: B

Explanation:

Deleted site retention policy in SharePoint Online controls how long deleted site collections remain available for recovery in the deleted sites collection before permanent deletion. By default, deleted SharePoint sites are retained for 93 days, but this can be adjusted through PowerShell commands to meet specific organizational requirements such as 60 days. During the retention period, deleted sites appear in the SharePoint admin center under the deleted sites section where administrators can restore them if needed.

When a site is deleted, all its content, including documents, lists, pages, and settings, is preserved in the deleted sites collection. Site collection administrators and global administrators can restore deleted sites through the SharePoint admin center interface, recovering all content and configurations to their state at deletion time. The retention period countdown begins when the site is deleted, and after the period expires, sites are permanently removed and cannot be recovered. This setting provides a safety net for accidental deletions while managing storage consumption.

Option A) is incorrect because SharePoint site collection retention period isn’t a standard configuration option. Site retention after deletion is controlled through the deleted site retention policy setting.

Option C) is incorrect because SharePoint recycle bin settings control how long deleted items within sites remain in the recycle bin, not how long deleted site collections themselves can be recovered. They operate at different scopes.

Option D) is incorrect because site closure and deletion policy relates to automatic site lifecycle management and expiration policies rather than the retention period for already-deleted sites in the deleted sites collection.

Question 50: 

You need to delegate permissions to manage Microsoft 365 groups without granting access to other Azure AD settings. Which role should you assign?

A) Groups Administrator

B) User Administrator

C) Global Administrator

D) Exchange Administrator

Answer: A

Explanation:

The Groups Administrator role provides specific permissions to manage all aspects of Microsoft 365 groups and security groups in Azure AD without granting broader administrative access to other directory settings or services. Users assigned this role can create, delete, and manage groups, configure group settings, manage group membership, and handle group lifecycle policies. This role follows the principle of least privilege by limiting access to group management tasks only.

Groups Administrators can manage group properties including name, description, membership type, and privacy settings. They can configure group expiration policies, naming policies, and handle group restoration from deleted items. The role also provides permissions to manage group-based licensing assignments and view group reports. However, Groups Administrators cannot manage other Azure AD objects like users, domains, or applications unless they have additional role assignments. This makes the role ideal for delegating group management responsibilities to department managers or team leads.

Option B) is incorrect because User Administrator has broader permissions including user account management, password resets, and license assignments beyond group management. It grants more permissions than necessary for managing only groups.

Option C) is incorrect because Global Administrator has unlimited access to all Azure AD and Microsoft 365 settings, which far exceeds the requirement for managing groups. This violates the principle of least privilege for group management tasks.

Option D) is incorrect because Exchange Administrator focuses on Exchange Online management including mailboxes and distribution groups but doesn’t provide comprehensive permissions for managing all Microsoft 365 groups and security groups in Azure AD.

Question 51: 

Your organization needs to prevent users from downloading files from Teams to unmanaged mobile devices. What should you configure?

A) Teams app protection policy

B) Conditional Access session control

C) Mobile Application Management policy

D) Teams device restriction policy

Answer: C

Explanation:

Mobile Application Management policies provide granular control over how users interact with Teams content on mobile devices, including the ability to prevent downloading files to device storage on unmanaged devices. These policies can be applied to the Teams mobile app without requiring full device enrollment in Intune MDM. MAM policies allow administrators to control actions such as save as, copy, paste, and download while users access Teams on iOS and Android devices.

When you configure a MAM policy for Teams with download restrictions, users can view files within the Teams app but cannot save them to their device’s local storage or personal cloud storage accounts. The policy creates a secure container around the Teams app that prevents data leakage to unmanaged applications while maintaining user productivity. You can configure different MAM policies for corporate-owned versus personal devices, allowing downloads on managed devices while restricting them on unmanaged devices. The policy enforcement happens at the application level regardless of device management status.

Option A) is incorrect because while Teams has app policies for managing features and capabilities, app protection policies specifically refer to the MAM policies in Intune that control data handling within mobile apps.

Option B) is incorrect because Conditional Access session controls work primarily with web-based access to SharePoint and OneDrive through Cloud App Security integration, not specifically with the Teams mobile app download behavior on unmanaged devices.

Option D) is incorrect because there is no specific Teams device restriction policy for controlling file downloads. Download restrictions on mobile devices are implemented through Mobile Application Management policies in Intune.

Question 52: 

You need to ensure that all users must wait 24 hours before they can delete a Microsoft 365 group they created. What should you configure?

A) Group deletion protection policy

B) Group expiration policy with notification

C) Azure AD administrative unit

D) Group lifecycle policy

Answer: D

Explanation:

Group lifecycle policy in Azure AD provides controls over Microsoft 365 group retention and deletion, including the ability to configure settings that affect when groups can be deleted. While the primary purpose of lifecycle policies is to manage group expiration and renewal, you can implement protection mechanisms through PowerShell that require confirmation periods before deletion. However, the native lifecycle policy focuses more on automatic expiration rather than mandatory waiting periods for user-initiated deletions.

For implementing a 24-hour waiting period before group deletion, you would typically combine lifecycle policies with custom workflows or use the soft-delete feature that retains deleted groups for 30 days before permanent deletion. During soft-delete, groups can be restored by administrators or group owners. The lifecycle policy can be configured to send notifications to group owners before groups expire, giving them time to renew or take action. This provides a safeguard against accidental or hasty deletion decisions.

Option A) is incorrect because group deletion protection policy is not a standard feature in Microsoft 365. Group protection is handled through lifecycle policies and soft-delete mechanisms that provide recovery options.

Option B) is incorrect because group expiration policy with notification manages automatic group expiration based on inactivity rather than controlling user-initiated deletion timing. It sends renewal reminders but doesn’t impose waiting periods on manual deletions.

Option C) is incorrect because Azure AD administrative units are organizational containers for delegating administrative permissions to specific resources. They don’t control group deletion timing or impose waiting periods.

Question 53: 

Your company wants to automatically tag emails containing invoice numbers with a retention label. What should you configure?

A) Auto-apply retention label policy using sensitive information types

B) Published retention labels

C) DLP policy with labeling action

D) Mail flow rule with classification

Answer: A

Explanation:

Auto-apply retention label policies using sensitive information types provide the capability to automatically apply retention labels to emails and documents that contain specific patterns like invoice numbers. You configure the policy by selecting a retention label and specifying conditions that trigger automatic application, including sensitive information types such as invoice numbers, purchase order numbers, or custom patterns you define using regular expressions.

When you create an auto-apply policy for Exchange Online, the system continuously scans email content as it’s processed and applies the designated retention label when invoice numbers are detected. The sensitive information type for invoice numbers can use pattern matching to identify various invoice number formats across different vendors and systems. Once applied, the retention label enforces retention and deletion settings according to the configured timeline. The auto-labeling process works in the background without requiring user action or awareness.

Option B) is incorrect because published retention labels require users to manually apply them to content. This doesn’t provide automatic tagging based on content analysis and relies on user awareness and action.

Option C) is incorrect because DLP policies primarily focus on detecting and preventing data loss rather than applying retention labels for lifecycle management. While they detect sensitive information, they don’t automatically tag content with retention labels.

Option D) is incorrect because mail flow rules can add message classifications or headers but don’t apply retention labels. Message classification is different from retention labeling and doesn’t provide the same compliance and lifecycle management capabilities.

Question 54: 

You need to ensure that users can only access their Exchange Online mailbox from specific approved applications. What should you configure?

A) Conditional Access policy with approved client app requirement

B) Exchange ActiveSync policy

C) Mobile device access rule

D) Application control policy

Answer: A

Explanation:

Conditional Access policies with approved client app requirements provide the mechanism to control which applications users can use to access Exchange Online mailboxes. This control ensures that users can only access email through approved applications that support modern authentication and compliance features. You create a Conditional Access policy targeting Exchange Online and configure the grant controls to require approved client apps or app protection policies.

When you enable this requirement, users attempting to access Exchange Online through unapproved applications are blocked and receive messages directing them to use approved apps. The approved client apps list includes Microsoft first-party applications like Outlook, Teams, and other apps that meet security standards. This approach prevents users from accessing corporate email through potentially insecure third-party applications or legacy protocols that don’t support modern authentication features like multi-factor authentication and device compliance checks.

Option B) is incorrect because Exchange ActiveSync policies control mobile device synchronization settings but don’t provide comprehensive application control across all client types. They focus on mobile device protocols rather than application-level access control.

Option C) is incorrect because mobile device access rules in Exchange Online control which devices can synchronize email but don’t specifically restrict which applications can access mailboxes. They operate at the device level rather than application level.

Option D) is incorrect because there is no generic application control policy for Exchange Online access. Application-based access control is implemented through Conditional Access policies that specify approved client app requirements.

Question 55: 

Your organization needs to monitor and alert when users share files containing personally identifiable information externally. What should you implement?

A) DLP policy with alert configuration for external sharing

B) Azure Information Protection scanner

C) Cloud App Security file policy

D) SharePoint audit alerts

Answer: A

Explanation:

DLP policies with alert configuration provide comprehensive monitoring and alerting capabilities when users attempt to share files containing personally identifiable information with external recipients. You create a DLP policy that uses sensitive information types to detect PII such as social security numbers, passport numbers, driver license numbers, or other personal data. The policy is configured to apply to SharePoint Online, OneDrive, and Teams, and you enable alerts when sharing violations occur.

When users attempt to share files containing PII externally, the DLP policy detects the sensitive information and can block the sharing action, warn users, or allow sharing while generating an alert. Alerts are sent to designated administrators through the Microsoft Purview compliance portal and can be configured with severity levels and email notifications. The policy provides detailed incident reports showing who attempted to share content, what sensitive information was detected, and whether the action was blocked or allowed. This enables security teams to investigate potential data leakage and take appropriate remedial actions.

Option B) is incorrect because Azure Information Protection scanner is designed for discovering and classifying sensitive information in on-premises file repositories and SharePoint Server, not for monitoring real-time external sharing activities in SharePoint Online.

Option C) is incorrect because while Cloud App Security can monitor file activities across cloud applications, DLP policies provide more specific capabilities for detecting PII patterns and generating alerts based on sensitive information types.

Option D) is incorrect because SharePoint audit alerts provide notifications about general file activities like deletion or access but don’t include built-in sensitive information detection for PII. They don’t analyze file content for data loss prevention.

Question 56: 

You need to delegate the ability to create and manage eDiscovery cases without providing access to view audit logs. Which role should you assign?

A) eDiscovery Manager

B) Compliance Administrator

C) Security Administrator

D) Audit Reader

Answer: A

Explanation:

The eDiscovery Manager role provides specific permissions to create and manage eDiscovery cases, perform content searches, and export search results without granting access to view audit logs or perform broader compliance administrative tasks. This role is designed specifically for legal and compliance personnel who need to conduct investigations and preserve content for legal matters. eDiscovery Managers can only access cases they create or are explicitly added to as members.

Users with the eDiscovery Manager role can create cases, place content locations on hold, run content searches across mailboxes and SharePoint sites, and export search results for analysis. They can manage case membership and perform all eDiscovery-related tasks within their assigned cases. However, they cannot access organizational audit logs, configure compliance policies, or view other administrators’ cases unless specifically granted access. This separation of duties ensures that investigation activities remain confidential while preventing unnecessary access to audit information.

Option B) is incorrect because Compliance Administrator has extensive permissions including access to compliance features, audit logs, and organizational compliance settings beyond eDiscovery case management. It grants more permissions than necessary.

Option C) is incorrect because Security Administrator focuses on security-related configurations and monitoring, including security policies and threat management, but doesn’t primarily focus on eDiscovery case management. It’s a broader security role.

Option D) is incorrect because Audit Reader specifically provides permissions to view audit logs and run audit reports, which is the opposite of the requirement. This role doesn’t include eDiscovery case management permissions.

Question 57: 

Your company wants to ensure that all SharePoint sites automatically expire after 12 months of inactivity. What should you configure?

A) Site lifecycle policy with expiration

B) SharePoint site expiration notifications

C) Inactive site policy

D) Azure AD group expiration policy

Answer: C

Explanation:

Inactive site policy in SharePoint Online provides automated lifecycle management for sites based on activity patterns. While Microsoft 365 uses group expiration policies for the underlying groups, SharePoint-specific inactive site policies can be configured to identify and handle sites that haven’t been accessed for specified periods. These policies help organizations manage SharePoint storage and maintain an organized site structure by automatically handling abandoned or unused sites.

When you configure an inactive site policy, the system monitors site activity including page views, file access, and modifications. Sites that show no activity for the specified period, such as 12 months, are flagged as inactive. You can configure the policy to send notifications to site owners before expiration, requiring them to confirm whether the site is still needed. If owners don’t respond within the notification period, the sites can be automatically deleted or archived. This approach combines automated monitoring with owner accountability.

Option A) is incorrect because while site lifecycle policy is conceptually correct, the specific implementation for managing inactive SharePoint sites involves inactive site policies or Microsoft 365 group expiration policies that affect the underlying groups.

Option B) is incorrect because SharePoint site expiration notifications are part of the expiration policy configuration but don’t represent the complete policy setup needed for automatic expiration based on inactivity periods.

Option D) is incorrect because Azure AD group expiration policy manages Microsoft 365 groups based on activity and affects associated sites, but it’s not specific to SharePoint site inactivity. It focuses on group-level expiration rather than site-specific inactivity detection.

Question 58: 

You need to prevent users from creating Teams using specific keywords in the team name. What should you configure?

A) Azure AD group naming policy with blocked words

B) Teams naming convention

C) PowerShell validation script

D) Teams creation template

Answer: A

Explanation:

Azure AD group naming policy with blocked words provides the mechanism to prevent users from creating Teams with specific keywords in the team name. Since Teams are built on Microsoft 365 groups, the group naming policy applies to all team creation scenarios regardless of which interface users employ. When you configure blocked words in the naming policy, users receive error messages if they attempt to create teams with names containing those words.

You can specify a list of blocked words that cannot appear anywhere in team names, including words that might be inappropriate, conflict with organizational terminology, or represent protected brand names. The policy checks team names in real time during creation and prevents creation if blocked words are detected. You can configure different blocked word lists or make exceptions for specific users who may need to use certain terms. The policy ensures consistent naming standards across all teams in the organization.

Option B) is incorrect because while Teams naming convention is a general concept, the specific enforcement mechanism for blocking keywords is the Azure AD group naming policy. There isn’t a separate Teams-specific naming convention feature.

Option C) is incorrect because PowerShell validation scripts can check team names but require manual execution and don’t provide real-time prevention during the team creation process through the Teams client or other interfaces.

Option D) is incorrect because Teams creation templates define the channels, apps, and settings for new teams but don’t enforce naming restrictions or block specific keywords. They focus on team structure rather than name validation.

Question 59: 

Your organization needs to ensure that all newly created OneDrive accounts have a storage quota of 2TB. What should you configure?

A) OneDrive storage settings in admin center

B) SharePoint storage quota

C) User storage policy

D) OneDrive for Business default quota

Answer: A

Explanation:

OneDrive storage settings in the admin center provide centralized control over storage quotas for all OneDrive accounts in the organization. Administrators can configure the default storage quota that applies to all newly created OneDrive accounts, ensuring consistent storage allocation across the organization. The setting allows you to specify storage limits that align with licensing entitlements and organizational policies.

When you configure the OneDrive storage quota to 2TB in the SharePoint admin center, this setting automatically applies to all new OneDrive accounts as they are provisioned. Users who already have OneDrive accounts retain their current quotas unless manually adjusted. You can set the organization-wide default quota and also adjust individual user quotas if specific users require more or less storage. The quota setting helps manage overall SharePoint Online storage consumption while providing adequate space for user file storage needs.

Option B) is incorrect because SharePoint storage quota controls site collection storage limits for team sites and other SharePoint sites, not individual OneDrive account quotas. OneDrive quotas are managed separately in OneDrive-specific settings.

Option C) is incorrect because there is no generic user storage policy feature. OneDrive storage quotas are configured through the OneDrive settings in the SharePoint admin center.

Option D) is incorrect because while the concept is correct, the specific configuration location is the OneDrive storage settings in the admin center where you set the default storage quota for new OneDrive accounts.

Question 60: 

You need to ensure that emails containing the word “Confidential” are automatically encrypted when sent outside the organization. What should you configure?

A) Mail flow rule with Office 365 Message Encryption for external recipients

B) Sensitivity label with automatic encryption

C) Transport rule with RMS template

D) DLP policy with encryption action

Answer: A

Explanation:

Mail flow rules with Office 365 Message Encryption provide the capability to automatically encrypt emails based on specific conditions such as subject line or body content containing particular keywords like “Confidential” when sent to external recipients. This approach ensures immediate and consistent protection at the transport layer without requiring user action or label application. You create a mail flow rule in the Exchange admin center that detects the keyword and applies encryption only when recipients are outside the organization.

The rule combines two conditions: detecting “Confidential” in the email and identifying that the recipient is external to the organization. When both conditions are met, the rule applies the Office 365 Message Encryption action, which encrypts the message before delivery. External recipients receive instructions for accessing the encrypted content through the OME portal, where they can authenticate and read the message. This solution provides granular control by applying encryption only to external communications containing sensitive keywords while allowing internal emails to flow normally.

Option B) is incorrect because sensitivity labels with automatic encryption require either manual label application or auto-labeling policies that work based on content inspection patterns. They don’t provide real-time keyword-based encryption specifically for external recipients during mail transport.

Option C) is incorrect because while transport rules can apply RMS templates, the modern approach uses Office 365 Message Encryption integration rather than legacy RMS templates. The terminology and implementation have evolved.

Option D) is incorrect because DLP policies primarily focus on detecting and preventing data loss through blocking or quarantining emails. While they can apply encryption, mail flow rules provide more direct and appropriate control for keyword-based automatic encryption.
