Microsoft 365 MS-102 Administrator Exam Dumps and Practice Test Questions Set4 Q16-80

Question 61: 

Your company needs to ensure that deleted Teams conversations can be recovered for compliance purposes. What should you configure?

A) Retention policy for Teams channel messages

B) Teams conversation backup

C) Litigation hold for Teams users

D) Teams chat archive policy

Answer: A

Explanation:

Retention policies for Teams channel messages provide the mechanism to preserve Teams conversations even after users delete them, ensuring that content can be recovered for compliance and legal purposes. When you create a retention policy targeting Teams locations, you specify whether to retain channel messages, private chat messages, or both. The policy preserves deleted content in a secure hidden location that remains searchable through eDiscovery tools.

When users delete messages from Teams channels or chats, the retention policy ensures that copies are preserved for the specified retention period regardless of user deletion actions. The preserved content remains invisible to users but accessible to compliance administrators through content search and eDiscovery cases. You can configure different retention periods for different types of Teams communications or apply organization-wide policies. The retention policy integrates with the broader Microsoft Purview compliance framework and supports legal hold scenarios.

Option B) is incorrect because there is no specific Teams conversation backup feature. Content preservation in Teams is accomplished through retention policies that keep deleted content accessible for compliance purposes.

Option C) is incorrect because litigation hold applies to Exchange Online mailboxes and preserves mailbox content. While Teams chat messages are stored in user mailboxes, channel messages are stored in group mailboxes, and Teams-specific retention policies provide more appropriate control.

Option D) is incorrect because there is no separate Teams chat archive policy. Archival and preservation of Teams content is managed through retention policies configured in the Microsoft Purview compliance portal.

Question 62: 

You need to delegate the ability to reset MFA authentication methods for users without granting password reset permissions. Which role should you assign?

A) Authentication Administrator

B) Helpdesk Administrator

C) User Administrator

D) Password Administrator

Answer: A

Explanation:

The Authentication Administrator role provides specific permissions to manage authentication methods including multi-factor authentication settings for non-administrator users without granting password reset capabilities. This role allows administrators to view, configure, and reset MFA methods such as phone numbers, authenticator apps, and FIDO2 security keys for standard users. Authentication Administrators can require users to re-register for MFA and manage authentication method policies.

Users assigned the Authentication Administrator role can handle MFA-related support tickets and troubleshoot authentication issues without having broader user management permissions. They can update authentication phone numbers, reset MFA settings when users lose access to their authentication methods, and configure authentication policies. However, they cannot reset passwords for users or modify other user account properties beyond authentication settings. This role separation ensures appropriate delegation of authentication management duties while maintaining security boundaries.

Option B) is incorrect because Helpdesk Administrator has both password reset and limited MFA management permissions. The question specifically requires MFA management without password reset capabilities, making Authentication Administrator more appropriate.

Option C) is incorrect because User Administrator has extensive user management permissions including password resets, account modifications, and license management, which exceeds the requirement for managing only MFA authentication methods.

Option D) is incorrect because Password Administrator focuses on password reset capabilities and has limited authentication method management permissions. It’s designed primarily for password-related support rather than comprehensive MFA administration.

Question 63: 

Your organization wants to automatically delete all emails in the Deleted Items folder after 7 days. What should you configure?

A) Retention policy with deletion action for Deleted Items folder

B) Mailbox folder policy

C) Retention tag for Deleted Items

D) Deleted item retention period

Answer: C

Explanation:

Retention tags for the Deleted Items folder provide granular control over how long items remain in that specific folder before automatic deletion. You create a retention policy tag specifically for the Deleted Items folder that specifies a 7-day retention period with a delete action. This tag is included in a retention policy that you assign to user mailboxes, ensuring consistent handling of deleted items across the organization.

When you configure a Deleted Items retention tag, the Managed Folder Assistant processes mailboxes regularly and automatically deletes items that have been in the Deleted Items folder for longer than the specified period. This approach helps manage mailbox storage by preventing accumulation of deleted items while giving users a week to recover accidentally deleted messages. The retention tag applies only to the Deleted Items folder without affecting other mailbox folders. Users can still manually empty their Deleted Items folder at any time.

Option A) is incorrect because retention policies typically apply to entire locations or mailbox content broadly rather than providing the folder-specific control needed for the Deleted Items folder. Retention tags offer more granular folder-level management.

Option B) is incorrect because mailbox folder policy is not a specific feature in Exchange Online. Folder-level retention is managed through retention tags that are assigned as part of retention policies.

Option D) is incorrect because deleted item retention period controls how long items remain in the Recoverable Items folder after being purged from Deleted Items, not how long items stay in the Deleted Items folder itself before automatic deletion.

Question 64: 

You need to ensure that users receive warnings before sending emails to external recipients. What should you configure?

A) MailTips for external recipients

B) Mail flow rule with notification

C) External recipient policy

D) Outlook warning banner

Answer: A

Explanation:

MailTips for external recipients provide automatic warnings to users when they compose emails addressed to people outside the organization. This feature displays a notification in the Outlook compose window informing users that their message will be sent to external recipients, helping prevent accidental information disclosure. MailTips appear in real time as users add recipients to their emails, providing immediate awareness before messages are sent.

When you enable the external recipients MailTip in the Exchange admin center, Outlook displays a warning message whenever users include external email addresses in the To, CC, or BCC fields. The warning helps users consider whether they should be sharing information outside the organization and prompts them to verify recipient addresses. You can customize the MailTip message text to include organization-specific guidance or policies about external communications. MailTips work across Outlook desktop, Outlook on the web, and mobile clients that support the feature.

Option B) is incorrect because mail flow rules with notifications can send messages after emails are processed but don’t provide real-time warnings in the compose window before users send messages. They operate at the transport layer rather than the client interface.

Option C) is incorrect because there is no specific external recipient policy feature in Exchange Online. External recipient awareness is provided through MailTips configuration rather than a separate policy type.

Option D) is incorrect because Outlook warning banners typically refer to sensitivity labels or information barriers that display warnings based on content classification, not general warnings about external recipients. MailTips is the specific feature for external recipient notifications.

Question 65: 

Your company needs to ensure that all Microsoft 365 audit logs are retained for 5 years. What should you configure?

A) Audit log retention policy

B) Advanced audit retention

C) Compliance center retention settings

D) Azure AD audit log settings

Answer: A

Explanation:

Audit log retention policies in Microsoft 365 provide the capability to extend audit log retention beyond the default periods and meet long-term compliance requirements such as 5-year retention. These policies allow administrators to specify how long audit records should be preserved before deletion, with retention periods extending up to 10 years for organizations with appropriate licensing. You create audit retention policies in the Microsoft Purview compliance portal specifying the retention duration and which types of activities should be retained.

When you configure an audit log retention policy for 5 years, the system preserves all audit records matching the policy criteria for the specified duration. The policies can be scoped to retain all audit activities or specific record types such as Exchange, SharePoint, or Azure AD activities. You can create multiple policies with different retention periods for different activity types or user groups. The retained audit logs remain searchable through the audit log search interface throughout the retention period, enabling long-term investigations and compliance reporting.

Option B) is incorrect because while advanced audit provides additional logging capabilities and longer default retention, configuring specific retention periods like 5 years requires creating explicit audit log retention policies rather than relying on advanced audit features alone.

Option C) is incorrect because compliance center retention settings typically refer to retention policies for content like emails and documents rather than audit log retention. Audit logs have separate retention configuration mechanisms.

Option D) is incorrect because Azure AD audit log settings control directory-level audit logs but don’t provide comprehensive retention control for all Microsoft 365 audit activities including Exchange, SharePoint, and Teams. Organization-wide audit retention requires policies in the compliance portal.

Question 66: 

You need to prevent users from accessing Outlook on the web from untrusted networks. What should you configure?

A) Conditional Access policy blocking untrusted locations

B) Exchange Online authentication policy

C) Outlook on the web mailbox policy

D) Client access rules

Answer: A

Explanation:

Conditional Access policies blocking untrusted locations provide identity-based access control that prevents users from accessing Outlook on the web when connecting from networks outside your defined trusted locations. You configure named locations in Azure AD that represent your trusted network IP ranges, then create a Conditional Access policy targeting Outlook on the web that blocks access when users connect from locations not in the trusted list.

The policy evaluates the user’s IP address during authentication and determines whether they are connecting from a trusted or untrusted location. When users attempt to access Outlook on the web from untrusted networks, the policy blocks access and displays an error message. You can configure the policy to apply to all users or specific groups, and you can add exceptions for certain accounts that may need access from various locations. This approach provides strong security for webmail access while maintaining transparency about access restrictions.

Option B) is incorrect because Exchange Online authentication policies control authentication methods and protocols but don’t provide location-based access restrictions. They focus on authentication mechanisms rather than network location controls.

Option C) is incorrect because Outlook on the web mailbox policies control feature availability within Outlook on the web such as calendar access and instant messaging, but they don’t control network-based access restrictions.

Option D) is incorrect because client access rules in Exchange Online can control access based on IP addresses but provide less flexible and modern access control compared to Conditional Access policies. They also don’t integrate with other access conditions as effectively.

Question 67: 

Your organization wants to ensure that emails from specific domains are always delivered to the inbox and never marked as spam. What should you configure?

A) Connection filter policy with allowed senders

B) Anti-spam policy with allowed domains

C) Mail flow rule with bypass spam filtering

D) Safe senders list

Answer: B

Explanation:

Anti-spam policies with allowed domains provide the capability to ensure that emails from specific trusted domains always bypass spam filtering and are delivered to user inboxes. In the Exchange admin center, you configure the anti-spam policy by adding trusted sender domains to the allowed domains list. This setting ensures that emails from those domains are never marked as spam regardless of content characteristics that might otherwise trigger spam detection.

When you add domains to the allowed list in the anti-spam policy, Exchange Online Protection processes emails from those senders and bypasses content filtering rules. The emails proceed directly to recipient inboxes without spam scoring or junk mail classification. You should carefully manage the allowed domains list to include only legitimate business partners and trusted sources, as this setting overrides spam protection mechanisms. The policy applies organization-wide or can be scoped to specific users based on your security requirements.

Option A) is incorrect because connection filter policies manage IP allow lists for connecting mail servers rather than domain-based sender allowances. They operate at the connection level before sender domain evaluation.

Option C) is incorrect because while mail flow rules can bypass spam filtering, using the anti-spam policy’s allowed domains list is the more appropriate and manageable approach for permanent domain allowances rather than creating individual mail flow rules.

Option D) is incorrect because safe senders lists are user-managed settings in individual mailboxes that don’t provide centralized administrative control. Anti-spam policies offer organization-wide management of allowed domains.

Question 68: 

You need to ensure that specific users can create eDiscovery cases and search all mailboxes in the organization. Which role should you assign?

A) eDiscovery Administrator

B) eDiscovery Manager

C) Organization Management

D) Compliance Administrator

Answer: A

Explanation:

The eDiscovery Administrator role provides comprehensive permissions to create and manage all eDiscovery cases in the organization and search any mailbox regardless of case membership. Unlike eDiscovery Managers who can only access cases they create or are added to, eDiscovery Administrators have organization-wide eDiscovery capabilities. This role is appropriate for senior compliance or legal personnel who need oversight of all investigations and unrestricted search capabilities.

eDiscovery Administrators can create cases, add members to cases, place content on hold across any content locations, perform organization-wide searches, and export search results. They can access and manage cases created by other eDiscovery Managers and administrators, providing centralized oversight of all eDiscovery activities. The role includes permissions to configure eDiscovery settings and manage the eDiscovery framework while maintaining focus on investigation capabilities rather than broader compliance administration.

Option B) is incorrect because eDiscovery Manager can create cases and search mailboxes but only within cases they create or are members of. They cannot access other administrators’ cases or perform unrestricted organization-wide searches.

Option C) is incorrect because Organization Management is a high-privilege role group with extensive administrative permissions across Exchange Online and other services, which exceeds the requirement for eDiscovery-specific capabilities. It grants unnecessary permissions beyond investigation tasks.

Option D) is incorrect because Compliance Administrator has broad compliance and regulatory management permissions but focuses more on policy configuration and compliance features rather than providing the unrestricted eDiscovery case management and search capabilities that eDiscovery Administrator offers.

Question 69: 

Your company needs to prevent users from printing documents labeled as “Highly Confidential” from mobile devices. What should you configure?

A) Sensitivity label with print restriction in MAM policy

B) Information Rights Management template

C) Conditional Access policy

D) Mobile device management policy

Answer: A

Explanation:

Sensitivity labels with print restrictions in Mobile Application Management policies provide granular control over what users can do with labeled content on mobile devices. When you configure a sensitivity label for “Highly Confidential” content and combine it with MAM policies for mobile apps like Word, Excel, and PowerPoint, you can specifically prevent printing while allowing other operations like viewing and editing. This approach protects sensitive content on mobile devices without requiring full device management.

The MAM policy respects sensitivity label settings and enforces print restrictions when users access labeled documents through managed applications on iOS and Android devices. When users attempt to print a document labeled as “Highly Confidential,” the managed app blocks the print action and may display a message explaining the restriction. This control applies regardless of whether the device is personally owned or corporate-managed, as MAM policies operate at the application level. The combination of sensitivity labels and MAM policies provides comprehensive data protection for mobile scenarios.

Option B) is incorrect because Information Rights Management templates provide encryption and usage rights but require specific client support and don’t integrate as seamlessly with mobile application management policies for controlling actions like printing on mobile devices.

Option C) is incorrect because Conditional Access policies control access to cloud services based on conditions but don’t provide content-level restrictions like preventing printing of specific documents. They operate at the authentication and access layer.

Option D) is incorrect because mobile device management policies control device-level settings and configurations but don’t provide the document-level print restrictions needed for sensitivity-labeled content. MDM operates at a different scope than content protection policies.

Question 70: 

You need to configure automatic deletion of inactive mailboxes after 6 months. What should you configure?

A) Retention policy for inactive mailboxes

B) Inactive mailbox deletion policy

C) Mailbox retention hold

D) Litigation hold with time limit

Answer: A

Explanation:

Retention policies for inactive mailboxes provide the mechanism to manage the lifecycle of mailboxes that become inactive when users leave the organization or licenses are removed. When you create a retention policy that targets inactive mailboxes, you can configure automatic deletion after a specified period such as 6 months. Inactive mailboxes are created when a mailbox has a hold applied before the user account is deleted, preserving the mailbox content for compliance purposes.

The retention policy can be configured specifically for inactive mailbox locations in the Microsoft Purview compliance portal. You specify the retention period of 6 months and configure the action to permanently delete the mailbox after that period expires. This automated approach ensures that inactive mailboxes don’t consume storage indefinitely while meeting organizational retention requirements. Before the policy deletes mailboxes, you can still search and export their content through eDiscovery tools if needed for investigations or legal matters.

Option B) is incorrect because inactive mailbox deletion policy is not a specific standalone feature. Deletion of inactive mailboxes is managed through retention policies that target inactive mailbox locations.

Option C) is incorrect because mailbox retention hold preserves mailbox content and prevents deletion, which is the opposite of the requirement to automatically delete inactive mailboxes after 6 months. Holds prevent deletion rather than enabling it.

Option D) is incorrect because litigation hold preserves mailbox content indefinitely or until manually removed. It doesn’t provide automatic deletion capabilities after a specified period for inactive mailboxes. Retention policies are needed for time-based deletion.

Question 71: 

Your organization needs to ensure that all users must provide justification when removing sensitivity labels from documents. What should you configure?

A) Label policy setting requiring justification

B) Sensitivity label protection settings

C) Data Loss Prevention policy

D) Document audit policy

Answer: A

Explanation:

Label policy settings requiring justification provide the mechanism to enforce accountability when users remove or downgrade sensitivity labels from documents. When you publish sensitivity labels through a label policy, you can enable the setting that requires users to provide justification for label removal or downgrade to a less sensitive label. This setting appears in the label policy configuration in the Microsoft Purview compliance portal under policy settings.

When this setting is enabled, users who attempt to remove a sensitivity label or change to a less restrictive label must select a reason from predefined options or provide custom text explaining why they are making the change. The justification is captured in audit logs, providing visibility into label changes and supporting compliance investigations. This requirement helps prevent accidental or unauthorized label removal while maintaining a record of intentional changes. You can configure different label policies for different user groups with varying justification requirements.

Option B) is incorrect because sensitivity label protection settings define encryption and access restrictions that apply when labels are applied, but they don’t control the justification requirements for label removal. Those requirements are configured in label policies.

Option C) is incorrect because DLP policies detect and prevent data loss based on content sensitivity but don’t specifically enforce justification requirements when users modify sensitivity labels. They operate independently of label change workflows.

Option D) is incorrect because document audit policies track file activities and changes but don’t actively require users to provide justification before removing labels. Auditing is passive recording rather than active enforcement of justification requirements.

Question 72: 

You need to prevent guest users from downloading files from specific SharePoint sites. What should you configure?

A) Site-level sharing settings with download restrictions

B) Conditional Access policy for guest users

C) Guest user permissions in site settings

D) Azure AD B2B restrictions

Answer: A

Explanation:

Site-level sharing settings with download restrictions provide granular control over what guest users can do when accessing specific SharePoint sites. In SharePoint Online, you can configure site settings to allow guest users to view files without being able to download them to their local devices. This setting is available in the site sharing settings and applies specifically to guest users who access the site through sharing links or as site members.

When you enable the limited-access permission level for guests at the site level, guest users can view files through their web browsers using Office Online or browser-based viewers, but the download option is disabled. This approach balances collaboration needs with security requirements by allowing external partners to access content for review and collaboration without permitting them to extract files. The setting can be applied to individual sites that contain sensitive information while maintaining normal sharing capabilities on other sites.

Option B) is incorrect because while Conditional Access policies can enforce session controls that limit downloads, site-level sharing settings provide more direct and manageable control for specific SharePoint sites without requiring complex policy configuration across all guest access scenarios.

Option C) is incorrect because guest user permissions in site settings control membership and role assignments but don’t provide the specific download restriction capability. Limited-access configurations in sharing settings are needed for download prevention.

Option D) is incorrect because Azure AD B2B restrictions control guest invitation and authentication requirements but don’t manage download permissions for guests accessing SharePoint content. Download controls are configured at the SharePoint site level.

Question 73: 

Your company wants to automatically apply retention settings to all Teams channel messages containing financial data. What should you configure?

A) Auto-apply retention label using trainable classifiers

B) Teams retention policy

C) DLP policy with retention action

D) Channel-specific retention settings

Answer: A

Explanation:

Auto-apply retention labels using trainable classifiers provide advanced capability to automatically identify and label Teams channel messages based on content characteristics like financial data rather than simple keywords. Trainable classifiers use machine learning to recognize patterns in financial documents and communications, such as budget discussions, financial reports, or accounting data. When you configure an auto-apply policy with a trainable classifier for financial data, the system automatically applies appropriate retention labels to matching Teams messages.

The auto-apply policy continuously analyzes Teams channel messages and applies the designated retention label when financial content is detected. Once labeled, the messages are subject to the retention and deletion settings configured in the label, ensuring compliance with financial record retention requirements. This approach provides more accurate classification than keyword-based methods because trainable classifiers understand context and document types. You can use pre-built classifiers for financial documents or train custom classifiers specific to your organization’s financial communication patterns.

Option B) is incorrect because Teams retention policies apply broadly to all Teams content or specific teams but don’t provide content-based automatic application for messages containing specific types of data like financial information. They apply uniformly rather than based on content analysis.

Option C) is incorrect because DLP policies detect sensitive information and prevent data loss but don’t apply retention labels for lifecycle management. They focus on policy enforcement rather than classification and retention.

Option D) is incorrect because there are no channel-specific retention settings that automatically apply based on message content. Retention in Teams is managed through retention policies and labels rather than channel-level configurations.

Question 74: 

You need to ensure that administrative actions in Exchange Online are logged and cannot be deleted by administrators. What should you configure?

A) Audit logging with immutable storage

B) Admin audit logging

C) Mailbox audit logging

D) Advanced audit features

Answer: B

Explanation:

Admin audit logging in Exchange Online provides comprehensive logging of all administrative actions performed by administrators and users with administrative permissions. When enabled, this feature records cmdlet executions, parameter values, and the administrators who performed actions, creating a detailed audit trail of all Exchange configuration changes. Admin audit logs cannot be disabled or deleted by administrators, ensuring the integrity of the audit trail for compliance and security investigations.

Exchange Online admin audit logging is enabled by default and captures all administrative actions across the Exchange admin center, PowerShell commands, and API calls that modify Exchange configuration. The logs are stored securely and retained according to your organization’s audit retention policies. You can search admin audit logs through the Exchange admin center or PowerShell to investigate specific administrative actions, troubleshoot configuration issues, or respond to security incidents. The immutable nature of admin audit logs ensures accountability for all administrative activities.

Option A) is incorrect because while audit logging with immutable storage is a concept, the specific feature for logging Exchange administrative actions is admin audit logging, which is built into Exchange Online with protected storage.

Option C) is incorrect because mailbox audit logging tracks user and delegate actions within mailboxes rather than administrative actions that modify Exchange configuration. It focuses on mailbox access and content actions rather than administrative operations.

Option D) is incorrect because advanced audit features provide additional capabilities like longer retention and more event types, but the core functionality for logging Exchange administrative actions is provided by admin audit logging rather than requiring advanced audit features.

Question 75: 

Your organization needs to prevent users from creating Microsoft Forms that can be accessed by anyone. What should you configure?

A) Forms settings to restrict external sharing

B) Conditional Access policy for Forms

C) Data Loss Prevention policy

D) Forms creation policy

Answer: A

Explanation:

Forms settings to restrict external sharing provide administrative control over how users can share forms they create with Microsoft Forms. In the Microsoft 365 admin center under Forms settings, administrators can configure whether users can create forms that can be accessed by anyone with the link or restrict form sharing to only people within the organization. This setting helps prevent accidental data collection from external respondents or unauthorized form distribution.

When you configure Forms settings to restrict external sharing, users can only create forms that require respondents to sign in with organizational credentials. This prevents the creation of publicly accessible forms that anyone can complete anonymously. The setting applies organization-wide and ensures that all form responses come from authenticated users whose identities can be verified. You can also configure additional settings such as whether users can collaborate on forms with external users or whether external sharing requires recording names.

Option B) is incorrect because Conditional Access policies control access to Microsoft Forms as an application but don’t control the sharing settings of individual forms created by users. They operate at the application access level rather than form configuration level.

Option C) is incorrect because DLP policies detect sensitive information in content but don’t prevent creation of publicly accessible forms. They monitor for data leakage rather than controlling form sharing configurations.

Option D) is incorrect because there is no separate Forms creation policy. Form sharing restrictions are configured through the Forms settings in the Microsoft 365 admin center where you control sharing and collaboration options.

Question 76: 

You need to delegate the ability to manage all aspects of SharePoint Online without granting access to other Microsoft 365 services. Which role should you assign?

A) SharePoint Administrator

B) Global Administrator

C) Sites Administrator

D) Compliance Administrator

Answer: A

Explanation:

The SharePoint Administrator role provides comprehensive permissions to manage all aspects of SharePoint Online including site creation, storage management, sharing policies, and service settings without granting access to other Microsoft 365 services. Users assigned this role can perform tasks such as creating and deleting site collections, managing external sharing settings, configuring search settings, and managing SharePoint Online service health through the SharePoint admin center.

SharePoint Administrators have full control over SharePoint and OneDrive settings, can manage site collection administrators, configure information management policies, and handle user profile properties. They can access all sites and OneDrive accounts in the organization to manage content and settings. This role follows the principle of least privilege by limiting administrative access to SharePoint-specific tasks without granting permissions to manage Exchange, Teams, Azure AD, or other workloads. The role is ideal for SharePoint infrastructure administrators who focus exclusively on content management and collaboration platforms.

Option B) is incorrect because Global Administrator has unlimited access to all Microsoft 365 services and settings, which exceeds the requirement of managing only SharePoint Online. This violates least privilege principles for SharePoint-focused administration.

Option C) is incorrect because Sites Administrator is not a distinct built-in role in Microsoft 365. The appropriate role for comprehensive SharePoint management is SharePoint Administrator, which provides full service administration capabilities.

Option D) is incorrect because Compliance Administrator focuses on managing compliance features, data governance, and eDiscovery across Microsoft 365 rather than providing SharePoint infrastructure management capabilities like site creation and service configuration.

Question 77: 

Your company needs to ensure that emails sent to distribution lists with more than 100 members require manager approval. What should you configure?

A) Distribution group moderation based on sender criteria

B) Dynamic distribution group rules

C) Mail flow rule with message size condition

D) Group membership limits

Answer: A

Explanation:

Distribution group moderation based on sender criteria provides the capability to require approval for messages sent to specific distribution groups while considering group characteristics like membership size. You can configure moderation settings for each distribution group that has more than 100 members, designating managers or other approvers who must review and approve messages before distribution to all members. This control helps prevent accidental mass communications and ensures appropriate oversight of large-scale announcements.

When configuring moderation for large distribution groups, you enable the message approval feature in the group settings and specify which users can send messages without moderation and which managers should receive approval requests. You can exempt certain senders such as executives or communications team members from moderation requirements. When non-exempt users send messages to moderated groups, the messages are held for moderator review, and moderators receive notifications with options to approve or reject each message before it reaches all group members.

Option B) is incorrect because dynamic distribution groups use membership rules based on user attributes but don’t provide moderation capabilities based on group size. They focus on automatic membership determination rather than message approval workflows.

Option C) is incorrect because mail flow rules with message size conditions control messages based on size limits but don’t provide moderation based on distribution group membership counts. They operate on different criteria than group size thresholds.

Option D) is incorrect because group membership limits restrict how many members can be added to groups but don’t provide message moderation capabilities for groups that exceed certain sizes. They control membership rather than message approval requirements.

Question 78: 

You need to prevent users from forwarding meeting invitations that contain the word “Confidential” in the subject to external attendees. What should you configure?

A) Sensitivity label with forwarding restriction

B) Calendar sharing policy

C) Information Rights Management for calendar items

D) Mail flow rule for meeting requests

Answer: A

Explanation:

Sensitivity labels with forwarding restrictions provide content-based protection that can prevent forwarding of meeting invitations based on their classification. When you configure a sensitivity label that detects “Confidential” in meeting subjects through auto-labeling rules, you can apply protection settings that restrict forwarding to external recipients. This approach ensures that sensitive meetings remain within the intended audience without unauthorized external sharing.

The sensitivity label can be configured to automatically apply when calendar items contain specific keywords in the subject line, and the label’s protection settings can prevent forwarding and external sharing. When users attempt to forward a labeled meeting invitation to external email addresses, Outlook blocks the action and displays a message explaining the restriction. This protection follows the meeting invitation even if it’s forwarded internally, ensuring consistent enforcement. The label-based approach provides granular control based on content sensitivity rather than applying blanket restrictions to all calendar items.

Option B) is incorrect because calendar sharing policies control what calendar information can be shared externally at a broad level but don’t provide content-based restrictions for individual meeting invitations based on subject keywords.

Option C) is incorrect because while Information Rights Management can protect calendar items, calendar items have limited IRM support compared to emails and documents, and IRM doesn’t automatically apply based on subject line keywords without additional automation.

Option D) is incorrect because mail flow rules process emails rather than calendar meeting requests specifically, and they don’t prevent forwarding of calendar items through the calendar interface. They operate on mail transport rather than calendar sharing.

Question 79: 

Your organization needs to ensure that PowerBI reports can only be accessed by users with compliant devices. What should you configure?

A) Conditional Access policy requiring device compliance for PowerBI

B) PowerBI sharing settings

C) Azure AD device policy

D) Information protection policy

Answer: A

Explanation:

Conditional Access policies requiring device compliance for PowerBI provide identity-based access control that ensures only users on compliant devices can access PowerBI reports and dashboards. You create a Conditional Access policy that targets the PowerBI service as the cloud app and configures grant controls to require device compliance as determined by Intune device compliance policies. This ensures that devices meet security standards before users can access business intelligence data.

The policy evaluates device compliance status when users attempt to access PowerBI through web browsers or the PowerBI desktop application. Devices must be enrolled in Intune and meet compliance requirements such as having encryption enabled, antivirus software running, and passing jailbreak detection. Non-compliant devices are blocked from accessing PowerBI, and users receive messages directing them to remediate compliance issues. This approach protects sensitive business data visualized in PowerBI reports by ensuring access only from secure, managed devices.

Option B) is incorrect because PowerBI sharing settings control how reports and dashboards can be shared between users but don’t enforce device compliance requirements for accessing PowerBI. They focus on sharing permissions rather than device security requirements.

Option C) is incorrect because Azure AD device policies define what makes devices compliant but don’t enforce access restrictions. They must be combined with Conditional Access policies to block access from non-compliant devices.

Option D) is incorrect because information protection policies focus on data classification and protection through sensitivity labels but don’t control device compliance requirements for accessing cloud applications like PowerBI.

Question 80: 

You need to configure Microsoft 365 to automatically send notifications when users are added to privileged role groups. What should you configure?

A) Privileged Identity Management alert settings

B) Azure AD audit log alerts

C) Admin role assignment notifications

D) Security and Compliance Center alerts

Answer: A

Explanation:

Privileged Identity Management alert settings provide comprehensive notification capabilities when users are added to privileged roles or when suspicious privileged access patterns are detected. PIM includes built-in alerts such as “Administrators aren’t using their privileged roles” and “Roles are being assigned outside of PIM” that can notify security teams when role assignments occur. These alerts help organizations maintain oversight of privileged access and respond quickly to unauthorized role assignments.

When you configure PIM alert settings in the Azure AD Privileged Identity Management interface, you can customize notification recipients and alert thresholds for various role assignment scenarios. Alerts are sent via email to designated administrators when users are added to privileged roles, whether through permanent assignments or eligible assignments that users activate. The alerts include details about who was added, which role they received, who granted the assignment, and when it occurred. This visibility enables security teams to investigate unexpected role assignments and ensure appropriate privileged access governance.

Option B) is incorrect because while Azure AD audit logs capture role assignment events, setting up alerts requires configuring specific alert rules or using PIM’s built-in alert features rather than general audit log alerting mechanisms.

Option C) is incorrect because admin role assignment notifications is not a specific standalone feature. Role assignment alerting is provided through Privileged Identity Management’s alert capabilities or custom alert rules based on audit logs.

Option D) is incorrect because Security and Compliance Center alerts focus primarily on compliance and data governance events rather than Azure AD role assignments. PIM provides more specialized alerting for privileged role management.
