Question 81:
Your company wants to ensure that all external sharing links expire after 30 days. What should you configure?
A) SharePoint and OneDrive sharing link expiration
B) Azure AD B2B invitation expiration
C) External user account expiration
D) Guest access policy
Answer: A
Explanation:
SharePoint and OneDrive sharing link expiration settings provide control over how long external sharing links remain valid before automatically expiring. In the SharePoint admin center, you can configure organization-wide policies that set default expiration periods for anonymous sharing links and authenticated sharing links. When you configure link expiration for 30 days, all new sharing links created by users automatically expire after that period, requiring users to create new links if continued sharing is needed.
This setting helps maintain security by ensuring that external access doesn’t persist indefinitely, reducing the risk of unauthorized access through old sharing links. Users can set expiration dates when creating sharing links, but the organization policy can enforce maximum expiration periods. The expiration applies to both view-only and edit links, and expired links display error messages when accessed. You can configure different expiration periods for different types of links, such as shorter expiration for anonymous links and longer expiration for authenticated links.
Option B) is incorrect because Azure AD B2B invitation expiration relates to the validity period of guest invitation emails rather than the expiration of sharing links for accessing specific documents or sites in SharePoint and OneDrive.
Option C) is incorrect because external user account expiration manages the lifecycle of guest accounts in Azure AD but doesn’t control the expiration of specific sharing links that grant access to SharePoint content.
Option D) is incorrect because guest access policy is a general term that could encompass various settings, but the specific configuration for sharing link expiration is found in SharePoint and OneDrive admin settings rather than a separate policy type.
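An added example, not part of the original question set: because the expiration setting described above applies to newly created links, an administrator may also want to check links that already exist. The record shape follows the Microsoft Graph `permission` resource (`link.scope`, `expirationDateTime`); the sample records, function names and reference time are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=30)  # the 30-day policy from the question

# Constructed reference time so the example gives the same result on every run.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample data: sharing permissions for one file, trimmed to the
# fields used here (shape follows the Microsoft Graph "permission" resource).
SAMPLE_PERMISSIONS = [
    {"id": "p1", "link": {"scope": "anonymous", "type": "view"},
     "expirationDateTime": "2024-06-20T00:00:00Z"},
    {"id": "p2", "link": {"scope": "anonymous", "type": "edit"}},
    {"id": "p3", "link": {"scope": "anonymous", "type": "view"},
     "expirationDateTime": "2024-12-31T00:00:00Z"},
    {"id": "p4", "link": {"scope": "organization", "type": "view"}},
    {"id": "p5", "grantedTo": {"user": {"displayName": "Constructed User"}}},
    {"id": "p6", "link": {"scope": "anonymous", "type": "view"},
     "expirationDateTime": "2024-05-01T00:00:00Z"},
]


def parse_graph_time(value):
    """Parse an ISO 8601 UTC timestamp such as 2024-06-20T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_links(permissions, now, max_lifetime=MAX_LIFETIME,
                scopes=("anonymous",)):
    """Return (permission id, reason) for links that outlive the policy.

    Only sharing links whose scope is in `scopes` are checked; direct grants
    (no "link" facet) and links that have already expired are skipped.
    """
    findings = []
    for perm in permissions:
        link = perm.get("link")
        if not link or link.get("scope") not in scopes:
            continue
        raw = perm.get("expirationDateTime")
        if raw is None:
            findings.append((perm["id"], "no-expiration"))
            continue
        expires = parse_graph_time(raw)
        if expires <= now:
            continue  # already expired, nothing left to revoke
        if expires - now > max_lifetime:
            findings.append((perm["id"], "expires-beyond-policy"))
    return findings


if __name__ == "__main__":
    for perm_id, reason in audit_links(SAMPLE_PERMISSIONS, SAMPLE_NOW):
        print(f"{perm_id}: {reason}")
```

Passing `scopes=("anonymous", "organization")` extends the same check to organization-wide links.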
Question 82:
You need to prevent users from installing the Power BI Desktop application on their computers. What should you configure?
A) Application control policy in Intune
B) Conditional Access for Power BI
C) Azure AD application restrictions
D) Power BI admin settings
Answer: A
Explanation:
Application control policies in Intune provide the capability to prevent installation of specific applications on managed Windows devices. You can use Windows Defender Application Control policies or AppLocker policies deployed through Intune to block installation of Power BI Desktop based on file hashes, publisher certificates, or file paths. This approach ensures that users on managed devices cannot install Power BI Desktop even if they have local administrative privileges on their computers.
When you configure application control policies, you create rules that identify Power BI Desktop installation files and block their execution. The policy can be deployed to specific device groups or all Windows computers in your organization. Blocked installation attempts generate alerts that help security teams monitor compliance with software installation policies. This control helps organizations manage software licensing, prevent shadow IT, and ensure users access Power BI only through approved methods such as the Power BI service in web browsers.
Option B) is incorrect because Conditional Access for Power BI controls access to the Power BI service in the cloud but doesn’t prevent installation of the Power BI Desktop application on local computers. It operates at the service access level rather than application installation.
Option C) is incorrect because Azure AD application restrictions control user consent for cloud applications that integrate with Azure AD but don’t prevent installation of desktop applications like Power BI Desktop on local computers.
Option D) is incorrect because Power BI admin settings control service-level configurations such as sharing, export, and feature availability but don’t provide mechanisms to prevent installation of the desktop application on user computers.
Question 83:
Your organization needs to ensure that all newly created SharePoint sites include a specific document library template. What should you configure?
A) Site design with library provisioning
B) Content type publishing
C) Site template customization
D) SharePoint hub site association
Answer: A
Explanation:
Site designs with library provisioning provide automated capability to create specific document libraries with predefined configurations when new SharePoint sites are created. Site designs use JSON-based site scripts that define actions to execute during site creation, including creating lists and libraries with specific templates, columns, views, and settings. When you configure a site design that includes library provisioning actions, every site created using that design automatically includes the specified document library.
You create site scripts that define the document library structure including content types, metadata columns, default views, and library settings. These scripts are packaged into site designs that can be made available to users during site creation or set as default designs for site types. When users create new sites through self-service, the site design executes automatically and provisions the required document library with all configured settings. This approach ensures consistency across sites without requiring manual library creation and configuration after site provisioning.
Option B) is incorrect because content type publishing from the content type hub distributes content types to site collections but doesn’t automatically create document libraries in new sites. It provides content type availability rather than library provisioning.
Option C) is incorrect because site template customization could refer to various approaches, but the modern SharePoint Online method for automatically provisioning libraries in new sites is through site designs rather than legacy site templates.
Option D) is incorrect because SharePoint hub site association connects sites for navigation and shared branding but doesn’t provision specific document libraries in newly created sites. Hub sites focus on site relationships rather than library provisioning.
Question 84:
You need to ensure that users receive training materials before they can classify documents with sensitivity labels. What should you configure?
A) Label policy with mandatory training link
B) Sensitivity label tooltip customization
C) Label publishing with help link
D) Information protection awareness training
Answer: C
Explanation:
Label publishing with help links provides the capability to include training materials and guidance when users interact with sensitivity labels in Office applications. When you publish sensitivity labels through a label policy, you can configure policy settings that include help links appearing alongside labels in the sensitivity menu. These help links can point to internal training materials, classification guides, or policy documentation that users should review before applying labels.
The help link appears as a clickable link in the sensitivity label interface within Office apps like Word, Excel, PowerPoint, and Outlook. When users open the sensitivity menu to classify documents, they see the help link and can access training materials before making classification decisions. You can also customize label tooltips to include brief guidance about when each label should be applied. This approach provides just-in-time training resources without requiring separate training completion tracking or blocking document classification.
Option A) is incorrect because there is no mandatory training link feature that prevents users from classifying documents until they complete training. Label policies provide help links as guidance rather than enforced training prerequisites.
Option B) is incorrect because while sensitivity label tooltip customization allows you to provide brief descriptions, the comprehensive approach for providing training materials is through help links in label policies rather than just tooltip text.
Option D) is incorrect because information protection awareness training refers to general training programs that organizations conduct, but the specific mechanism for providing training materials within the labeling interface is through help links configured in label policies.
Question 85:
Your organization needs to ensure that all emails containing social security numbers are quarantined for review before delivery to recipients. What should you configure?
A) Mail flow rule with quarantine action
B) Data Loss Prevention policy with quarantine action
C) Exchange Online Protection policy
D) Anti-spam policy with content filtering
Answer: B
Explanation:
Data Loss Prevention policies with quarantine action provide comprehensive protection for detecting and quarantining emails that contain sensitive information such as social security numbers before they reach recipients. DLP policies in Microsoft 365 include pre-built sensitive information types that can accurately identify social security number patterns using sophisticated algorithms that validate format and checksums. When you create a DLP policy for Exchange Online with quarantine action, the system scans all email messages in transit and automatically quarantines those containing social security numbers.
The quarantine action holds detected emails in a secure location where designated reviewers can examine them and decide whether to release or permanently delete them. This review process provides human oversight for sensitive communications and prevents accidental disclosure of personal information. You can configure the DLP policy to send notifications to email administrators or compliance officers when messages are quarantined, enabling timely review. The policy also generates incident reports that provide details about detected violations including sender information, recipients, and the number of social security numbers found.
DLP policies offer granular control over policy enforcement with options to apply different actions based on confidence levels and the number of detected instances. You can configure exceptions for specific users or scenarios where social security numbers might legitimately appear in communications. The quarantine approach balances security with business needs by preventing automatic delivery while allowing authorized personnel to release legitimate messages after review.
Option A is incorrect because mail flow rules can quarantine messages based on conditions but lack the sophisticated sensitive information type detection capabilities built into DLP policies for accurately identifying social security numbers.
Option C is incorrect because Exchange Online Protection focuses on anti-malware and anti-spam filtering rather than content inspection for data loss prevention.
Option D is incorrect because anti-spam policies detect unwanted commercial messages based on spam characteristics rather than scanning for specific sensitive information patterns like social security numbers.
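An added, simplified illustration (not Microsoft's implementation and not from the original page) of the detection model described above: candidate numbers are validated structurally, confidence rises when a supporting keyword is nearby, and the action depends on confidence and instance count. The keyword list, proximity window, confidence values, thresholds and sample messages are assumptions constructed for this example.

```python
import re

# Nine digits in 3-2-4 grouping, with optional dash or space separators.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

KEYWORDS = ("ssn", "social security", "ss#")  # assumed supporting evidence
WINDOW = 60        # assumed proximity window, in characters
HIGH, LOW = 85, 65  # assumed confidence values


def structurally_valid(area, group, serial):
    """Reject numbers the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000."""
    if area in ("000", "666") or area[0] == "9":
        return False
    return group != "00" and serial != "0000"


def find_ssns(text):
    """Return one record per plausible SSN, masked, with a confidence."""
    lowered = text.lower()
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if not structurally_valid(area, group, serial):
            continue
        context = lowered[max(0, m.start() - WINDOW): m.end() + WINDOW]
        confidence = HIGH if any(k in context for k in KEYWORDS) else LOW
        # Mask the value so incident records do not re-expose the number.
        hits.append({"match": "***-**-" + serial, "confidence": confidence})
    return hits


def decide(text, quarantine_at=1):
    """Quarantine when enough high-confidence instances are present,
    audit when only low-confidence matches exist, otherwise deliver."""
    hits = find_ssns(text)
    high = [h for h in hits if h["confidence"] >= HIGH]
    if len(high) >= quarantine_at:
        return "quarantine"
    if hits:
        return "audit"
    return "deliver"


# Constructed sample messages.
MSG_KEYWORD = "Hi, my SSN is 123-45-6789, please update payroll."
MSG_INVALID = "Tracking number 987-65-4321 shipped today."
MSG_BARE = "Invoice ref 412 07 1385 attached."

if __name__ == "__main__":
    for msg in (MSG_KEYWORD, MSG_INVALID, MSG_BARE):
        print(decide(msg), find_ssns(msg))
```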
Question 86:
You need to delegate the ability to manage Microsoft Teams policies without granting access to other Microsoft 365 services. Which role should you assign?
A) Teams Administrator
B) Teams Communications Administrator
C) Global Administrator
D) User Administrator
Answer: A
Explanation:
The Teams Administrator role provides comprehensive permissions to manage all aspects of Microsoft Teams including Teams policies, meeting policies, messaging policies, calling features, and Teams service settings without granting access to other Microsoft 365 workloads. Users assigned this role can configure organization-wide Teams settings, manage team creation policies, configure guest access settings, and handle Teams service health issues through the Teams admin center.
Teams Administrators have full control over Teams infrastructure and can manage policies that affect how users interact with Teams including meeting settings, messaging capabilities, calling features, and application permissions. They can configure live events policies, manage Teams apps and app policies, handle Teams device management, and oversee Teams analytics and reporting. This role follows the principle of least privilege by limiting administrative access to Teams-specific configurations without granting permissions to manage Exchange Online, SharePoint, Azure AD users, or other Microsoft 365 services.
The Teams Administrator role is ideal for communications administrators or collaboration platform managers who focus exclusively on Teams deployment, configuration, and ongoing management. They can troubleshoot Teams-related issues, manage the Teams client rollout, and ensure Teams policies align with organizational communication requirements. The role includes permissions to manage both the technical infrastructure and user-facing policies that govern Teams behavior.
Option B is incorrect because Teams Communications Administrator focuses specifically on calling and meeting features within Teams rather than comprehensive Teams policy management across all areas.
Option C is incorrect because Global Administrator has unlimited access to all Microsoft 365 services which far exceeds the requirement for managing only Teams policies and violates least privilege principles.
Option D is incorrect because User Administrator manages user accounts and basic user properties but lacks the Teams-specific policy management permissions needed for comprehensive Teams administration.
Question 87:
Your company wants to ensure that users can only download files from OneDrive on devices running Windows 10 or later. What should you configure?
A) Conditional Access policy requiring compliant devices with OS version
B) OneDrive sync client restrictions
C) Device compliance policy with OS requirements
D) OneDrive admin center device settings
Answer: A
Explanation:
Conditional Access policies requiring compliant devices with operating system version requirements provide comprehensive control over which devices can access and download files from OneDrive based on their OS version. You create a Conditional Access policy that targets OneDrive for Business as the cloud application and configures conditions that check the device platform and operating system version. The policy can be set to allow access only from devices running Windows 10 or later versions while blocking older Windows versions.
When users attempt to access OneDrive from devices running Windows 8.1 or earlier versions, the Conditional Access policy evaluates the device information during authentication and blocks access. Users receive error messages explaining that their device does not meet organizational requirements and directing them to upgrade their operating system. The policy works in conjunction with device compliance policies in Intune that evaluate detailed device state including OS version, security updates, and configuration status.
This approach provides flexible enforcement that can differentiate between various access scenarios. You can configure the policy to allow browser-based viewing of files while preventing sync client access from non-compliant devices, or you can block all forms of access until devices meet requirements. The policy integrates with Azure AD device registration to track device information and make real-time access decisions based on current device state.
Conditional Access policies for OS version requirements help organizations maintain security by ensuring that only devices with supported operating systems that receive security updates can access corporate data. Windows 10 and later versions include security features like BitLocker, Windows Defender, and secure boot that protect data on devices.
Option B is incorrect because OneDrive sync client restrictions control which devices can synchronize files based on domain join status but do not provide granular OS version checking capabilities.
Option C is incorrect because device compliance policies define what makes devices compliant but must be combined with Conditional Access policies to enforce access restrictions.
Option D is incorrect because OneDrive admin center device settings do not provide OS version-based access controls for file downloads.
Question 88:
You need to ensure that all users must acknowledge a privacy notice before accessing Microsoft 365 services for the first time. What should you configure?
A) Terms of use policy in Azure AD
B) Conditional Access policy with compliance requirement
C) User consent settings
D) Azure AD sign-in policy
Answer: A
Explanation:
Terms of use policy in Azure AD provides the mechanism to require users to read and accept organizational policies, privacy notices, or compliance statements before accessing Microsoft 365 services. This feature allows administrators to upload PDF documents containing terms of use, privacy notices, or acceptable use policies that users must acknowledge. The terms of use can be configured to require acceptance before initial access or at regular intervals for ongoing compliance.
When you create a terms of use policy in Azure AD, you upload a PDF document and configure settings such as whether users must expand the document before accepting, how frequently users must re-accept the terms, and whether acceptance is required per device or per user. You then link the terms of use to a Conditional Access policy that enforces the requirement when users attempt to access Microsoft 365 cloud applications. Users are presented with the terms of use document during their first sign-in attempt and must scroll through and accept the terms before proceeding to access services.
The terms of use feature maintains audit records of all user acceptances including timestamps and user identities, providing compliance documentation that demonstrates user acknowledgment of organizational policies. Administrators can view acceptance reports to verify that all users have acknowledged the privacy notice. If users decline the terms of use, they are blocked from accessing Microsoft 365 services until they accept.
This capability is particularly valuable for organizations with regulatory compliance requirements that mandate documented user acknowledgment of privacy practices, data handling policies, or acceptable use terms. The terms of use can be updated as policies evolve, and you can configure whether existing users must re-accept updated terms.
Option B is incorrect because Conditional Access policies enforce access requirements but the terms of use feature is the specific mechanism for presenting and requiring acceptance of policy documents.
Option C is incorrect because user consent settings control application permission requests rather than organizational policy acceptance.
Option D is incorrect because there is no separate Azure AD sign-in policy for requiring policy acknowledgment; this functionality is provided through terms of use.
Question 89:
Your organization needs to prevent users from accessing SharePoint Online using legacy authentication protocols. What should you configure?
A) Conditional Access policy blocking legacy authentication
B) SharePoint authentication settings
C) Azure AD security defaults
D) Exchange Online authentication policy
Answer: A
Explanation:
Conditional Access policies blocking legacy authentication provide targeted control to prevent users from accessing SharePoint Online using older authentication protocols that do not support modern security features like multi-factor authentication. Legacy authentication protocols include basic authentication, POP, IMAP, SMTP, and older Office clients that use authentication methods incompatible with Conditional Access policy enforcement. By creating a Conditional Access policy that blocks legacy authentication attempts to SharePoint Online, you ensure that all access uses modern authentication protocols.
When you configure the policy, you select SharePoint Online as the target cloud application and configure the conditions to specifically identify legacy authentication client apps. The policy then blocks these authentication attempts while allowing modern authentication to proceed normally. Users attempting to access SharePoint through legacy protocols receive authentication failures and must switch to modern authentication methods supported by current Office applications and web browsers.
Blocking legacy authentication is a critical security measure because legacy protocols do not support multi-factor authentication, device compliance checks, or other Conditional Access controls. Attackers often target legacy authentication as a weakness to bypass modern security protections. Organizations implementing zero trust security models prioritize eliminating legacy authentication to ensure all access requests can be properly evaluated for risk and compliance.
The policy can be phased in gradually by first configuring it in report-only mode to identify which users and applications are still using legacy authentication. This allows organizations to communicate with affected users and migrate applications before enforcing the block. You can also configure exceptions for specific service accounts that may require legacy authentication temporarily while modernization efforts progress.
Option B is incorrect because SharePoint authentication settings do not provide granular control over authentication protocols at the connection level; protocol restrictions are enforced through Conditional Access policies.
Option C is incorrect because while Azure AD security defaults block legacy authentication broadly, Conditional Access policies provide more targeted control specific to SharePoint Online.
Option D is incorrect because Exchange Online authentication policies control Exchange-specific authentication rather than SharePoint Online access.
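An added example (not from the original page) of the report-only phase described above: it reads exported Azure AD sign-in records and lists which users and client apps the policy would block once enforced, plus legacy sign-ins the policy did not evaluate. Field names and result values follow the Microsoft Graph `signIn` resource; the policy name, accounts, sample records and function names are constructed.

```python
from collections import defaultdict

POLICY_NAME = "Block legacy auth - SharePoint (report-only)"  # hypothetical

# clientAppUsed values that indicate modern authentication; anything else
# in the sign-in log is treated as a legacy client.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}


def _signin(user, client, result):
    """Build one constructed sign-in record, trimmed to the fields used."""
    return {
        "userPrincipalName": user,
        "appDisplayName": "Office 365 SharePoint Online",
        "clientAppUsed": client,
        "appliedConditionalAccessPolicies": [
            {"displayName": POLICY_NAME, "result": result}
        ],
    }


# Constructed sample export.
SAMPLE_SIGNINS = [
    _signin("svc-scanner@example.com", "Other clients", "reportOnlyFailure"),
    _signin("svc-scanner@example.com", "Other clients", "reportOnlyFailure"),
    _signin("alice@example.com", "Browser", "reportOnlyNotApplied"),
    _signin("bob@example.com", "Other clients", "reportOnlyFailure"),
    _signin("carol@example.com", "Other clients", "reportOnlyNotApplied"),
]


def policy_result(signin, policy_name):
    """Return the named policy's result for this sign-in, or None."""
    for policy in signin.get("appliedConditionalAccessPolicies", []):
        if policy.get("displayName") == policy_name:
            return policy.get("result")
    return None


def would_be_blocked(signins, policy_name):
    """Count sign-ins per user and client that enforcement would block.

    For a block policy in report-only mode, "reportOnlyFailure" marks a
    sign-in that matched the conditions and would have been denied.
    """
    impact = defaultdict(lambda: defaultdict(int))
    for s in signins:
        if policy_result(s, policy_name) == "reportOnlyFailure":
            client = s.get("clientAppUsed", "unknown")
            impact[s["userPrincipalName"]][client] += 1
    return {user: dict(clients) for user, clients in sorted(impact.items())}


def uncovered_legacy(signins, policy_name):
    """Users signing in with a legacy client that the policy did not
    evaluate as a block, for example because of an exclusion."""
    users = set()
    for s in signins:
        if s.get("clientAppUsed") in MODERN_CLIENTS:
            continue
        if policy_result(s, policy_name) != "reportOnlyFailure":
            users.add(s["userPrincipalName"])
    return sorted(users)


if __name__ == "__main__":
    print(would_be_blocked(SAMPLE_SIGNINS, POLICY_NAME))
    print(uncovered_legacy(SAMPLE_SIGNINS, POLICY_NAME))
```

The first result is the migration worklist before enforcement; the second shows where exceptions leave legacy authentication reachable.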
Question 90:
You need to ensure that all documents in SharePoint Online are automatically watermarked with the user’s email address when downloaded. What should you configure?
A) Sensitivity label with dynamic content marking
B) Information Rights Management template
C) SharePoint document library policy
D) Data Loss Prevention policy
Answer: A
Explanation:
Sensitivity labels with dynamic content marking provide the capability to automatically add watermarks containing user-specific information such as email addresses to documents when they are classified. Dynamic content markings use variables that are replaced with actual user information at the time the label is applied or when documents are opened. When you configure a sensitivity label with watermark settings, you can specify that the watermark should display the user’s email address using the ${User.Email} variable.
To implement automatic watermarking for downloads, you create a sensitivity label with content marking configured to include a watermark with the user email variable. You then publish this label and configure auto-labeling policies or set it as a default label for SharePoint libraries. When users download documents, the label ensures that the watermark appears on all pages showing who downloaded the file. This provides accountability and helps trace document leakage if files are shared inappropriately.
The watermark becomes part of the document and persists when the file is saved, printed, or shared, providing ongoing identification of the user who downloaded it. This approach deters unauthorized sharing because recipients can see who provided the document. Dynamic watermarks are particularly effective for protecting sensitive documents where attribution is important for security and compliance.
Sensitivity labels with dynamic content marking work across Office applications including Word, Excel, and PowerPoint. The watermarks appear both on screen and in printed documents, ensuring consistent identification regardless of how documents are used. Organizations can customize watermark appearance including font size, color, and position to balance security visibility with document readability.
Option B is incorrect because Information Rights Management templates provide encryption and usage restrictions but do not support dynamic watermarking based on user information in the same flexible way as sensitivity labels.
Option C is incorrect because SharePoint document library policies do not provide automatic watermarking capabilities with user-specific information.
Option D is incorrect because DLP policies detect and prevent data loss but do not add watermarks to documents during download operations.
Question 91:
Your company wants to automatically delete all OneNote notebooks that have not been accessed for 3 years. What should you configure?
A) Retention policy for SharePoint sites with deletion action
B) OneNote retention settings
C) Inactive content deletion policy
D) Site lifecycle policy
Answer: A
Explanation:
Retention policies for SharePoint sites with deletion action provide the mechanism to automatically delete OneNote notebooks based on age because OneNote notebooks in Microsoft 365 are stored in SharePoint Online. When you create a retention policy targeting SharePoint locations, you can configure it to delete content that has not been modified for a specified period such as three years. The policy applies to all content stored in SharePoint including OneNote notebooks that are technically stored as folder structures within SharePoint document libraries.
The retention policy evaluates the last modified date of OneNote content and automatically deletes notebooks that exceed the three-year threshold without any recent access or modifications. Before permanent deletion, the content moves through the SharePoint recycle bins providing recovery opportunities if the deletion was premature. You can configure the policy to apply organization-wide to all SharePoint sites or target specific sites where OneNote notebooks are stored.
When configuring retention for OneNote, it is important to understand that OneNote notebooks consist of multiple files and folders in SharePoint. The retention policy treats the entire notebook structure as content subject to the retention period. Organizations should carefully communicate retention policies to users so they understand that inactive notebooks will be automatically deleted to manage storage consumption.
The policy runs periodically through automated processes that scan SharePoint content and identify items meeting deletion criteria. Administrators receive logs and reports showing what content was deleted, enabling audit trails for compliance purposes. Organizations can adjust retention periods based on business requirements and regulatory obligations, with some industries requiring longer retention for certain types of notes and documentation.
Option B is incorrect because there are no separate OneNote retention settings independent of SharePoint retention policies since OneNote notebooks are stored in SharePoint Online.
Option C is incorrect because inactive content deletion policy is not a specific feature type; content deletion based on inactivity is implemented through retention policies.
Option D is incorrect because site lifecycle policies manage entire site collections rather than specific content types like OneNote notebooks within sites.
Question 92:
You need to prevent users from sharing files with external users unless those files have sensitivity labels applied. What should you configure?
A) SharePoint sharing settings with label requirement
B) Data Loss Prevention policy requiring labels
C) Conditional Access policy for external sharing
D) Azure AD external collaboration settings
Answer: B
Explanation:
Data Loss Prevention policies requiring labels provide enforcement mechanisms to prevent users from sharing files with external recipients unless those files have been classified with sensitivity labels. You create a DLP policy in Microsoft Purview that targets SharePoint Online, OneDrive, and Teams with conditions that detect when users attempt to share content externally. The policy includes rules that check whether files have sensitivity labels applied and blocks sharing if no label is present.
When you configure this DLP policy, you specify that the policy should monitor sharing activities with people outside the organization and evaluate whether content has been labeled. If users attempt to share unlabeled files externally, the DLP policy blocks the sharing action and can display policy tips explaining that files must be classified before external sharing. This enforcement ensures that all content leaving the organization has been reviewed and appropriately classified according to its sensitivity level.
The policy can be configured with different enforcement modes including blocking sharing immediately, warning users and allowing them to override with justification, or simply monitoring and reporting violations. Organizations typically start with monitoring mode to understand sharing patterns and user behavior before enforcing blocking. The policy generates detailed incident reports showing who attempted to share unlabeled content, what files were involved, and whether sharing was allowed or blocked.
This approach supports information governance by ensuring that content classification is mandatory before external distribution. Users must apply appropriate sensitivity labels that can include protection settings like encryption or access restrictions before sharing with external partners. The combination of labeling requirements and DLP enforcement creates a comprehensive data protection framework.
Option A is incorrect because SharePoint sharing settings control external sharing capabilities broadly but do not provide conditional enforcement based on whether files have sensitivity labels applied.
Option C is incorrect because Conditional Access policies control access to applications based on user and device conditions but do not evaluate document classification status.
Option D is incorrect because Azure AD external collaboration settings control guest invitation and authentication but do not enforce content labeling requirements.
Question 93:
Your organization needs to ensure that all Teams meetings are automatically transcribed and the transcripts are retained for 7 years. What should you configure?
A) Teams meeting policy with transcription enabled and retention policy for transcripts
B) Teams transcription settings with SharePoint retention
C) Compliance recording with retention hold
D) Meeting recording policy with extended retention
Answer: A
Explanation:
Teams meeting policy with transcription enabled combined with retention policies for transcripts provides comprehensive configuration for automatically transcribing meetings and retaining the transcripts for compliance purposes. In the Teams admin center, you configure meeting policies that enable automatic transcription for all meetings, ensuring that spoken content is converted to searchable text. You then create retention policies in Microsoft Purview that target Teams meeting recordings and transcripts with a seven-year retention period.
When you enable transcription in Teams meeting policies, the system automatically generates transcripts during meetings that include timestamps and speaker attribution. These transcripts are stored in SharePoint and OneDrive locations associated with the meetings. The retention policy you configure applies to these storage locations and ensures that transcripts are preserved for the full seven-year period even if users delete them or if meetings are removed from Teams.
The transcription feature uses advanced speech recognition to convert audio to text in multiple languages, making meeting content searchable and accessible for compliance reviews and eDiscovery. Transcripts are linked to meeting recordings and can be reviewed through the Teams interface or accessed directly from SharePoint. Organizations with regulatory requirements to maintain records of meeting discussions benefit from this combination of automatic transcription and long-term retention.
You can configure different meeting policies for different groups of users based on their roles or departments. Some organizations enable transcription only for executive meetings or regulatory discussions while excluding routine team meetings from automatic transcription. The retention policy can similarly be scoped to specific sites or user groups where compliance requirements necessitate extended transcript retention.
Option B is incorrect because while the concept is similar, the precise configuration requires Teams meeting policies specifically enabling transcription rather than general transcription settings, combined with retention policies.
Option C is incorrect because compliance recording is for regulated industries requiring certified third-party recording solutions rather than built-in Teams transcription.
Option D is incorrect because meeting recording policy enables recording but transcription requires separate enablement in meeting policies, and retention is managed through dedicated retention policies rather than recording policy settings.
Question 94:
You need to delegate the ability to review and release quarantined emails without granting access to other Exchange settings. Which role should you assign?
A) Hygiene Management role
B) Security Administrator
C) Quarantine Administrator
D) Organization Management
Answer: A
Explanation:
The Hygiene Management role provides specific permissions to manage quarantined messages in Exchange Online Protection without granting broader administrative access to other Exchange settings or organizational configuration. Users assigned this role can view quarantined emails, release messages to recipients, delete quarantined items, and report false positives to Microsoft for analysis. This role is designed specifically for security personnel or help desk staff who handle quarantine management as part of their email security responsibilities.
When users have the Hygiene Management role, they can access the quarantine interface in the Microsoft 365 Defender portal and review messages that have been quarantined due to anti-spam or anti-malware detection. They can examine message headers, preview content when safe to do so, and make decisions about releasing legitimate messages that were incorrectly quarantined. The role allows managing quarantine without permissions to modify anti-spam policies, mail flow rules, or other Exchange Online configuration settings that could affect organization-wide email security.
The Hygiene Management role is often assigned to first-line security operations staff or help desk personnel who field user complaints about missing emails. These staff members can quickly review quarantine, release legitimate messages, and escalate sophisticated threats to senior security administrators. The role separation ensures that quarantine management does not require elevated privileges that could be misused to modify security policies.
Organizations typically combine this role with appropriate training on identifying phishing attempts, malware indicators, and legitimate business communications. Role holders should understand when to release quarantined messages versus when to permanently delete obvious threats. The quarantine management interface provides risk indicators and spam confidence levels to help decision making.
Option B is incorrect because Security Administrator has extensive permissions across Microsoft 365 security features including policy configuration and threat management, which exceeds the requirement for quarantine management only.
Option C is incorrect because while conceptually correct, the actual role name in Exchange Online for quarantine management is Hygiene Management rather than Quarantine Administrator.
Option D is incorrect because Organization Management is a high-privilege role group with comprehensive Exchange administrative permissions far beyond quarantine management requirements.
Question 95:
Your company wants to ensure that all SharePoint modern pages are reviewed and approved before publishing. What should you configure?
A) Page approval workflow with SharePoint approvals
B) SharePoint content approval settings
C) Version control with check-in requirements
D) SharePoint governance policy
Answer: B
Explanation:
SharePoint content approval settings provide built-in functionality to require review and approval of modern pages before they become visible to site visitors. When you enable content approval for the Site Pages library in a SharePoint site, all new pages and changes to existing pages must be approved by designated approvers before the content is published. This feature ensures editorial control over site content and maintains quality standards for published information.
To configure content approval for modern pages, you access the Site Pages library settings and enable the content approval feature. You then specify which users or groups have approval permissions, typically site owners or designated content reviewers. When authors create or modify pages, those pages remain in draft status visible only to the author and approvers until someone with approval permissions reviews and approves them. Once approved, pages become visible to all site visitors according to the site’s permissions.
The approval workflow provides notifications to approvers when pages are submitted for review. Approvers can view pending pages, read the content, and either approve or reject with comments explaining needed changes. If pages are rejected, authors receive notifications with feedback and can make revisions before resubmitting for approval. This iterative process ensures published content meets organizational standards.
Content approval for Site Pages integrates with SharePoint’s version history, maintaining records of all drafts, approvals, and rejections. Organizations can audit the approval history to understand who published content and when approval decisions were made. This provides accountability for published information and supports compliance requirements for content governance.
Option A is incorrect because while SharePoint supports approval workflows through Power Automate, the built-in content approval feature for libraries provides native functionality specifically designed for page approval without requiring custom workflow development.
Option C is incorrect because version control with check-in requirements prevents simultaneous editing but does not provide approval workflows that require designated reviewers to approve content before publication.
Option D is incorrect because SharePoint governance policy is a general term for organizational rules rather than a specific technical feature that implements page approval.
Question 96:
You need to ensure that emails sent by executives are automatically marked with high importance. What should you configure?
A) Mail flow rule with header modification for executive senders
B) Outlook default importance settings
C) Exchange message classification
D) Transport rule with X-header insertion
Answer: A
Explanation:
Mail flow rules with header modification for executive senders provide centralized control to automatically mark emails sent by designated executives with high importance without requiring executives to manually set importance on each message. You create a mail flow rule in Exchange Online that applies to messages sent by specific users or members of an executive group, and configure the rule to set the importance header to high. This ensures all communications from executives are visually distinguished in recipient inboxes.
When you configure the mail flow rule, you specify conditions that identify executive senders using either individual email addresses or membership in a specific distribution group or security group containing executives. The rule action modifies the message importance property to high before delivering the message. Recipients see the high importance indicator in their email clients, typically displayed as a red exclamation mark or high priority flag that draws attention to executive communications.
This automation ensures consistency in how executive communications are presented without relying on executives remembering to set importance manually. It helps recipients prioritize reading and responding to leadership communications. The mail flow rule operates transparently at the transport layer, requiring no action from senders or recipients. Organizations can create similar rules for other scenarios such as marking messages from specific departments or regarding particular projects.
The rule can include exceptions to prevent importance marking for certain types of executive communications such as automated notifications or out-of-office replies that should not receive high importance treatment. You can also combine importance marking with other actions like prepending subject lines with tags or copying messages to specific mailboxes for tracking purposes.
Option B is incorrect because Outlook default importance settings are client-side configurations that individual users control, and there is no way to centrally enforce default importance for specific users through Outlook settings.
Option C is incorrect because Exchange message classification applies metadata labels for categorization but does not directly set message importance that affects how recipients see messages in their inboxes.
Option D is incorrect because inserting X-headers adds custom headers for routing or processing but does not set the standard importance property that email clients recognize and display to users.
Question 97:
Your organization needs to prevent users from using personal Microsoft accounts to sign in to Microsoft 365 services. What should you configure?
A) Azure AD tenant restrictions
B) Conditional Access policy blocking personal accounts
C) Azure AD external identities settings
D) Authentication methods policy
Answer: A
Explanation:
Azure AD tenant restrictions provide the capability to control which Azure AD tenants users can access from your organization’s network, preventing users from signing in to Microsoft 365 services with personal Microsoft accounts or accounts from unauthorized organizations. This feature works by inserting special HTTP headers into outbound traffic at your network proxy or firewall that instruct Azure AD to restrict authentication to only approved tenant IDs. When users attempt to sign in with personal accounts or accounts from other organizations, Azure AD blocks the authentication based on the tenant restriction headers.
To implement tenant restrictions, you configure your network proxy to add specific headers to HTTPS traffic destined for Microsoft authentication endpoints. These headers specify which Azure AD tenant IDs are allowed for authentication from your network. When users on your corporate network try to sign in to Microsoft 365 services, Azure AD evaluates the tenant restriction headers and permits authentication only for accounts from approved tenants. Personal Microsoft accounts and business accounts from unapproved organizations are blocked with error messages explaining the restriction.
Tenant restrictions provide network-level control that prevents users from accessing Microsoft cloud services with unauthorized accounts even if they have valid credentials. This protects against data exfiltration scenarios where users might upload corporate data to personal OneDrive accounts or share information through personal Microsoft Teams. The restrictions apply regardless of which device users employ, making them effective for both corporate and personal devices connected to the corporate network.
Implementation requires network infrastructure capable of modifying HTTP headers, typically through proxy servers or next-generation firewalls. Organizations must carefully plan tenant restriction deployment to ensure all approved partner tenants for legitimate B2B collaboration are included in the allowed list. The feature works in conjunction with other security controls like Conditional Access to provide comprehensive authentication security.
Option B is incorrect because Conditional Access policies cannot directly distinguish between personal Microsoft accounts and Azure AD organizational accounts during authentication in a way that blocks personal accounts.
Option C is incorrect because Azure AD external identities settings control guest user capabilities and B2B collaboration but do not prevent users from authenticating with personal Microsoft accounts to access services.
Option D is incorrect because authentication methods policy controls which authentication methods users can register and use but does not restrict which account types can authenticate to services.
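The header insertion described in this explanation can be modelled as follows; this is an added example, not part of the original question set, and it is a model of the proxy's decision rather than a real proxy configuration. The header names are the ones Microsoft documents for tenant restrictions v1 and for consumer sign-in; the tenant list, the directory ID and the function name `apply_tenant_restrictions` are placeholders and assumptions.

```python
"""Model of proxy-side header insertion for Azure AD tenant restrictions."""

# Sign-in hosts that receive the tenant restrictions (v1) headers.
AAD_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.windows.net",
}
# Sign-in host for personal (consumer) Microsoft accounts.
MSA_LOGIN_HOST = "login.live.com"

# Headers owned by the proxy; copies sent by the client are discarded.
MANAGED_HEADERS = {
    "restrict-access-to-tenants",
    "restrict-access-context",
    "sec-restrict-tenant-access-policy",
}

# Placeholder values (assumptions): substitute your own tenant data.
PERMITTED_TENANTS = ["contoso.example", "00000000-0000-0000-0000-000000000001"]
POLICY_TENANT_ID = "00000000-0000-0000-0000-000000000000"


def apply_tenant_restrictions(host, headers, tls_inspected=True):
    """Return the header dict the proxy should forward upstream.

    host          -- destination host of the HTTPS request (port allowed)
    headers       -- dict of request headers received from the client
    tls_inspected -- False when the proxy only tunnels the connection;
                     headers cannot be inserted then, so fail closed
    """
    host = host.lower().split(":")[0].rstrip(".")

    # Drop client-supplied copies so a user cannot widen the permitted list.
    out = {k: v for k, v in headers.items() if k.lower() not in MANAGED_HEADERS}

    if host not in AAD_LOGIN_HOSTS and host != MSA_LOGIN_HOST:
        return out  # not a sign-in endpoint: no restriction headers needed

    if not tls_inspected:
        raise PermissionError(
            f"cannot enforce tenant restrictions on {host} without TLS inspection"
        )

    if host == MSA_LOGIN_HOST:
        # Blocks sign-in with personal Microsoft accounts to consumer apps.
        out["sec-Restrict-Tenant-Access-Policy"] = "restrict-msa"
    else:
        out["Restrict-Access-To-Tenants"] = ",".join(PERMITTED_TENANTS)
        out["Restrict-Access-Context"] = POLICY_TENANT_ID
    return out


if __name__ == "__main__":
    # Constructed requests, including one that tries to supply its own list.
    samples = [
        ("login.microsoftonline.com", {"restrict-access-to-tenants": "other.example"}),
        ("login.live.com:443", {}),
        ("www.example.org", {"Accept": "*/*"}),
    ]
    for sample_host, sample_headers in samples:
        print(sample_host, apply_tenant_restrictions(sample_host, sample_headers))
```

Stripping client-supplied copies and refusing to forward un-inspected sign-in traffic are the two checks worth verifying on a real proxy, because either gap lets a sign-in reach Azure AD without the restriction applied.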
Question 98:
You need to ensure that all Microsoft Forms responses are automatically saved to a specific SharePoint list. What should you configure?
A) Power Automate flow triggered by form submission
B) Forms integration with SharePoint
C) Forms response export to SharePoint
D) Microsoft Lists connection to Forms
Answer: A
Explanation:
Power Automate flow triggered by form submission provides flexible automation to capture Microsoft Forms responses and save them to SharePoint lists with customizable field mapping and data transformation. You create a cloud flow that uses the Microsoft Forms connector with a trigger that activates when a new response is submitted to a specific form. The flow then uses SharePoint actions to create list items in the designated SharePoint list, mapping form responses to corresponding list columns.
When you configure the flow, you select the specific Microsoft Form as the trigger source and configure the flow to extract response values for each form question. You then add a SharePoint action to create items in the target list, mapping each form field to the appropriate list column. The flow can include data transformation steps such as formatting dates, parsing choice selections, or calculating values based on responses before saving to SharePoint.
This automation ensures every form submission is immediately captured in SharePoint without requiring manual export or data entry. The SharePoint list serves as a centralized repository for form responses where additional workflows, approvals, or reporting can process the data. Multiple users can review and act on form submissions through familiar SharePoint list views, and Power BI can connect to the list for analytics and visualization.
Power Automate flows for form responses support error handling and notifications, ensuring administrators are alerted if submission processing fails. You can configure the flow to send confirmation emails to respondents, notify relevant stakeholders about new submissions, or trigger additional business processes based on response content. The flow maintains an execution history showing all processed submissions and any errors that occurred.
Option B is incorrect because while Forms can integrate with SharePoint through sharing and embedding, there is no direct built-in integration that automatically saves responses to SharePoint lists without Power Automate or custom development.
Option C is incorrect because Forms response export is a manual process where users export responses to Excel rather than an automatic process that continuously saves responses to SharePoint lists.
Option D is incorrect because Microsoft Lists does not have a native connection feature that automatically receives Forms responses; automation through Power Automate is required.
Question 99:
Your company wants to ensure that all Microsoft 365 group mailboxes have a maximum size of 50GB. What should you configure?
A) Group mailbox quota settings in Exchange Online
B) Microsoft 365 Groups policy
C) Mailbox plan for groups
D) Azure AD group settings
Answer: A
Explanation:
Group mailbox quota settings in Exchange Online provide administrative control over the maximum size for Microsoft 365 group mailboxes, preventing unlimited growth that could impact storage and performance. In Exchange Online PowerShell, you can configure mailbox quota settings specifically for group mailboxes using cmdlets that set prohibition quotas. These quotas determine the maximum mailbox size and whether users can send messages when the mailbox approaches or exceeds size limits.
When you configure group mailbox quotas, you typically set three threshold values: warning quota that alerts group owners when the mailbox is approaching the limit, prohibition send quota that prevents sending new messages when reached, and prohibition send/receive quota that blocks all message flow. For a 50GB maximum, you might set the prohibition send/receive quota to 50GB, prohibition send quota to 48GB, and warning quota to 45GB. These progressive thresholds give group owners notice to archive or delete content before hitting the absolute limit.
The quota configuration applies to all existing group mailboxes and can be set as the default for new groups created in the future. Group mailbox quotas work similarly to user mailbox quotas but may have different default values based on organizational licensing. Some Microsoft 365 subscriptions provide larger default quotas for group mailboxes to accommodate shared collaboration content.
Monitoring group mailbox sizes helps organizations manage Exchange Online storage consumption and prevent performance issues associated with extremely large mailboxes. Administrators can generate reports showing mailbox sizes and quota status to identify groups approaching limits. Group owners should receive notifications when their mailbox approaches quota thresholds so they can take action before message flow is impacted.
Option B is incorrect because Microsoft 365 Groups policy typically refers to group creation and management policies rather than storage quotas for group mailboxes.
Option C is incorrect because mailbox plans in Exchange Online apply primarily to user mailboxes rather than group mailboxes, and group quotas are configured separately through PowerShell commands.
Option D is incorrect because Azure AD group settings control group properties and lifecycle policies but do not configure Exchange mailbox quotas for the associated group mailboxes.
Question 100:
You need to prevent users from forwarding meeting recordings to external recipients. What should you configure?
A) Teams meeting policy with external participant restrictions
B) Sensitivity label with forwarding restriction for recordings
C) Information Rights Management for Teams recordings
D) Stream video sharing settings
Answer: B
Explanation:
Sensitivity labels with forwarding restrictions for recordings provide content-level protection that prevents users from forwarding meeting recordings stored in SharePoint and OneDrive to external recipients. When you configure a sensitivity label with protection settings that restrict forwarding and apply this label to recordings automatically or through policy, the recordings inherit these restrictions. Users can view recordings but cannot forward them through email or share them with people outside the organization.
To implement this protection, you create a sensitivity label that includes encryption and usage rights restricting forwarding and external sharing. You can configure auto-labeling policies that automatically apply this label to Teams meeting recordings based on file location or file type. When recordings are stored in SharePoint or OneDrive with this label applied, SharePoint respects the label’s protection settings and prevents external sharing through the sharing interface.
The sensitivity label protection travels with the recording file, meaning restrictions persist even if users download the recording or move it to different locations within Microsoft 365. When users attempt to forward labeled recordings or share them with external email addresses, they receive error messages explaining that the label prevents external distribution. This ensures meeting content remains within organizational boundaries regardless of how users interact with the recordings.
Organizations typically apply forwarding restrictions to recordings of sensitive meetings such as executive discussions, strategic planning sessions, or confidential project reviews. The labels can be configured with different restriction levels for different types of meetings, with some recordings allowed for broader sharing while others remain strictly internal.
Option A is incorrect because Teams meeting policies control participant capabilities during live meetings but do not provide content protection for recordings after meetings conclude.
Option C is incorrect because while Information Rights Management can protect content, the modern approach for protecting Teams recordings uses sensitivity labels rather than legacy IRM templates.
Option D is incorrect because Stream video sharing settings were relevant for the classic Stream service, but modern Teams recordings are stored in SharePoint and OneDrive where sensitivity labels provide protection rather than Stream-specific settings.