Microsoft 365 MS-102 Administrator Exam Dumps and Practice Test Questions Set8 Q141-160


Question 141: 

You need to ensure that administrative role assignments in Azure AD are reviewed quarterly. What should you configure?

A) Azure AD access reviews for directory roles

B) Privileged Identity Management role review

C) Administrative unit access certification

D) Role assignment audit policy

Answer: A

Explanation:

Azure AD access reviews for directory roles provide automated periodic certification of administrative role assignments ensuring that role members are regularly reviewed and revalidated. When you create access reviews targeting Azure AD directory roles like Global Administrator, User Administrator, or other privileged roles, you configure quarterly review schedules requiring designated reviewers to confirm whether each role member still requires their administrative permissions.

Access reviews send notifications to configured reviewers on the scheduled cadence prompting them to review role membership and certify whether each administrator should retain their privileges. Reviewers evaluate whether administrators still need roles based on current job responsibilities and organizational requirements. The review interface shows each role member with options to approve continued access, remove access, or defer decision to another reviewer.

The access review system tracks reviewer decisions and can automatically remove users from roles when access is denied during reviews. This automation ensures prompt privilege revocation when administrators no longer need elevated permissions. Organizations can configure reviews to require justification for approval decisions creating audit trails explaining why administrators retained privileges.

Access reviews for directory roles support various reviewer configurations including having managers review their reports, having role members self-attest to continued need, or designating security teams as reviewers. Multiple reviewers can be required with all approving before access continues providing additional oversight for highly privileged roles. Review results are logged for compliance auditing demonstrating regular certification of administrative access.

Option B is incorrect because while Privileged Identity Management includes review capabilities for eligible role assignments, Azure AD access reviews provide the comprehensive periodic review functionality for all directory role assignments including permanent assignments. Option C is incorrect because administrative units are organizational containers for delegating management permissions rather than a review mechanism for role assignments. Option D is incorrect because role assignment audit policy tracks assignment events but does not implement periodic review and certification processes.

Question 142: 

Your company wants to prevent users from using unapproved browser extensions when accessing Microsoft 365. What should you configure?

A) Conditional Access policy with app-enforced restrictions

B) Microsoft Edge browser policy

C) Azure AD application control

D) Device compliance policy for browsers

Answer: B

Explanation:

Microsoft Edge browser policy deployed through Microsoft Intune or Group Policy provides comprehensive control over the browser extensions that users can install and use when accessing Microsoft 365 services. Organizations can configure policies that allow-list approved extensions while blocking all others, preventing users from installing potentially malicious or data-leaking browser extensions. These policies apply to Microsoft Edge browsers on managed devices, ensuring consistent extension restrictions.

Browser policies for extension management include settings that specify allowed extension IDs from the Edge Add-ons store, block specific extension IDs, prevent users from overriding blocked extensions, and require extensions to be installed from the managed store only. When users attempt to install unapproved extensions, they receive policy enforcement messages preventing installation. Pre-approved extensions can be automatically installed organization-wide ensuring users have necessary tools.

Extension policies protect against risks associated with browser extensions including data exfiltration where malicious extensions capture form data or session tokens, keylogging that records passwords and sensitive input, unauthorized network requests to attacker-controlled servers, and modification of page content. By restricting extensions to approved lists, organizations reduce attack surface when users access Microsoft 365.

Implementation requires deploying browser management policies through device management tools like Intune or traditional Group Policy for domain-joined Windows devices. The policies synchronize to managed browsers and enforce extension restrictions continuously. Organizations should regularly review approved extension lists ensuring extensions remain necessary and maintained by trusted publishers.

Option A is incorrect because Conditional Access policies with app-enforced restrictions control session-level protections like preventing downloads but do not manage browser extension restrictions. Option C is incorrect because Azure AD application control manages enterprise application consent rather than browser extension management. Option D is incorrect because device compliance policies evaluate device health and security configurations but do not specifically control browser extension installations.

Question 143: 

You need to delegate the ability to manage eDiscovery holds without granting permissions to export content. Which role should you assign?

A) eDiscovery Manager

B) Compliance Administrator

C) Organization Management

D) Custodian role in eDiscovery

Answer: A

Explanation:

The eDiscovery Manager role provides permissions to create eDiscovery cases, place content locations on hold, and manage case membership without requiring export permissions, which are controlled separately. Users assigned the eDiscovery Manager role can create cases, add custodians, place mailboxes and sites on hold, run searches, and manage holds across content locations. However, exporting search results requires additional permissions through the Export role, which can be granted independently.

The separation between eDiscovery management and export capabilities allows organizations to delegate hold management responsibilities to legal or compliance personnel who need to preserve content without necessarily having authority to extract and export content for external review. This role separation supports security and compliance requirements where content preservation and content extraction require different authorization levels.

eDiscovery Managers access the Microsoft Purview compliance portal where they create cases representing legal matters or investigations. Within cases, they identify relevant custodians, place custodian mailboxes and OneDrive accounts on hold, and configure query-based holds that preserve content matching specific criteria. Holds ensure content cannot be permanently deleted while legal matters are pending.

Hold management includes monitoring hold status, modifying hold scopes as investigation requirements evolve, and releasing holds when matters conclude. eDiscovery Managers receive notifications about hold failures or compliance issues requiring attention. They can generate hold reports showing what content is preserved and which users are affected by holds.

Option B is incorrect because Compliance Administrator has broad compliance management permissions including policy configuration and compliance feature management beyond specific eDiscovery hold management. Option C is incorrect because Organization Management is a high-privilege role group with extensive Exchange administrative permissions exceeding eDiscovery hold management requirements. Option D is incorrect because custodian role in eDiscovery relates to users whose content is being preserved rather than an administrative role for managing holds.

Question 144: 

Your organization needs to ensure that all Microsoft Forms submissions are automatically saved to a SharePoint list with approval workflow. What should you configure?

A) Power Automate flow with Forms trigger and SharePoint actions

B) Forms integration settings

C) SharePoint list Forms connection

D) Microsoft Lists automation

Answer: A

Explanation:

Power Automate flow with Forms trigger and SharePoint actions provides comprehensive automation to capture form submissions, create SharePoint list items, and initiate approval workflows without requiring manual data transfer. You create a cloud flow triggered when new Forms responses are submitted. The flow extracts response values for each question and uses SharePoint connector actions to create list items mapping form fields to list columns.

The flow can include approval actions that route new list items to designated approvers before marking them as approved in SharePoint. When forms are submitted, the flow creates pending list items and sends approval requests to managers or review teams. Approvers receive notifications with response details and options to approve or reject. Based on approval decisions, the flow updates list items with approval status and timestamps.

This automation ensures every form submission flows into SharePoint for centralized tracking and reporting. Organizations use this pattern for scenarios like IT service requests where form submissions require approval before fulfillment, employee feedback that requires manager acknowledgment, or vendor applications requiring procurement team review. The flow maintains complete audit trails showing submission times, approval decisions, and approver identities.

Power Automate flows support complex logic including conditional routing where different approvers receive requests based on form responses, parallel approval requiring multiple approvers, and escalation when approvals are not completed within timeframes. The flow can send notifications to submitters when their requests are approved or rejected explaining approval outcomes.

Option B is incorrect because Forms integration settings do not provide direct automation for saving responses to SharePoint lists with approval workflows; Power Automate provides this capability. Option C is incorrect because SharePoint list Forms connection allows viewing lists in Forms but does not automatically capture form submissions into lists. Option D is incorrect because Microsoft Lists automation refers to list-level rules that do not connect to external form submissions requiring Power Automate for cross-service integration.

Question 145: 

You need to prevent users from synchronizing Microsoft 365 email to third-party mail applications. What should you configure?

A) Conditional Access policy blocking ActiveSync for unapproved apps

B) Exchange ActiveSync device policy

C) Mobile Application Management policy

D) Mail flow rule

Answer: A

Explanation:

Conditional Access policy blocking ActiveSync for unapproved apps provides application-level access control that prevents third-party mail applications from synchronizing Microsoft 365 email using Exchange ActiveSync protocol. When you create a Conditional Access policy targeting Exchange Online, you can configure client app conditions that specifically identify legacy authentication and ActiveSync clients. The policy blocks these connections while allowing approved mail clients like Outlook that support modern authentication.

Third-party mail applications typically use Exchange ActiveSync or IMAP protocols to access Exchange Online mailboxes. By configuring Conditional Access to block legacy authentication protocols and require approved client applications, you prevent unauthorized mail clients from connecting. Users attempting to configure third-party mail apps receive authentication failures directing them to use approved applications.

The policy supports approved client app requirements where you specify which applications are authorized for email access. Microsoft Outlook for iOS, Android, Windows, and Mac can be designated as approved apps. When users connect from approved apps using modern authentication, access is granted. Connections from unapproved third-party apps using ActiveSync or basic authentication are blocked.

Implementation should include communication to users about approved mail applications and migration assistance for users currently using third-party clients. Organizations benefit from improved security by ensuring email access occurs through applications that support multi-factor authentication, device compliance checks, and application-level data protection policies. Approved apps provide better security logging and threat detection integration.

Option B is incorrect because Exchange ActiveSync device policies control mobile device access settings but do not distinguish between approved and unapproved mail applications at the application level. Option C is incorrect because Mobile Application Management policies control data handling within managed apps but do not block unapproved apps from connecting to Exchange Online. Option D is incorrect because mail flow rules process messages in transit rather than controlling which client applications can connect to mailboxes.
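The two Conditional Access policies described above (block ActiveSync and legacy-authentication clients; require an approved client app on mobile), written out as Microsoft Graph conditionalAccessPolicy objects. This is an added example, not configuration from the original page. It assumes 00000002-0000-0ff1-ce00-000000000000 is the Office 365 Exchange Online application ID in the tenant, and the break-glass exclusion group ID is a placeholder to replace; both policies start in report-only state.

```json
[
  {
    "displayName": "Block Exchange ActiveSync and legacy auth clients for Exchange Online",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
      "users": {
        "includeUsers": ["All"],
        "excludeGroups": ["<break-glass-group-object-id>"]
      },
      "applications": {
        "includeApplications": ["00000002-0000-0ff1-ce00-000000000000"]
      },
      "clientAppTypes": ["exchangeActiveSync", "other"]
    },
    "grantControls": {
      "operator": "OR",
      "builtInControls": ["block"]
    }
  },
  {
    "displayName": "Require approved client app for mobile access to Exchange Online",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
      "users": {
        "includeUsers": ["All"],
        "excludeGroups": ["<break-glass-group-object-id>"]
      },
      "applications": {
        "includeApplications": ["00000002-0000-0ff1-ce00-000000000000"]
      },
      "platforms": {
        "includePlatforms": ["iOS", "android"]
      },
      "clientAppTypes": ["mobileAppsAndDesktopClients"]
    },
    "grantControls": {
      "operator": "OR",
      "builtInControls": ["approvedApplication"]
    }
  }
]
```

Each object is the request body of a POST to /identity/conditionalAccess/policies; in the first policy the "other" client app type is what catches legacy authentication clients such as IMAP and basic-auth mail apps. Review the report-only sign-in results for blocked-but-legitimate clients before changing "state" to "enabled".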

Question 146: 

Your company wants to automatically notify compliance officers when users access confidential SharePoint sites. What should you configure?

A) SharePoint site access audit alert policy

B) Data Loss Prevention policy with alert notifications

C) SharePoint site permissions reporting

D) Microsoft Defender for Cloud Apps activity policy

Answer: A

Explanation:

SharePoint site access audit alert policies provide automated notifications when specific activities occur on designated SharePoint sites including user access events. In the Microsoft Purview compliance portal, you create alert policies that monitor audit logs for SharePoint site access activities and send notifications to compliance officers when users access confidential sites. The alert policy can detect file access, site access, permission changes, and other activities warranting compliance oversight.

Alert policies for site access configure conditions specifying which sites to monitor, which activities trigger alerts, and which users or groups are monitored. For confidential sites, you might configure alerts for any user access, or specifically monitor access by users outside designated authorized groups. The policy generates alerts when activities match configured conditions sending email notifications to compliance officers with activity details.

The alert system aggregates multiple activities into single notifications preventing alert fatigue when many users access sites simultaneously. Compliance officers receive alerts containing user identities, access timestamps, specific files or pages accessed, and IP addresses. This information supports compliance investigations and helps identify unauthorized access attempts or unusual access patterns requiring follow-up.

Alert policies support various activity types beyond simple site access including file downloads, external sharing, permission elevation, and sensitive content access. Organizations create comprehensive monitoring by configuring multiple alert policies covering different activity categories and sensitivity levels. High-priority alerts can trigger immediate notifications while lower-priority events generate daily summary reports.

Option B is incorrect because Data Loss Prevention policies detect sensitive content and prevent data loss but are not primarily designed for generating access alerts for site visits. Option C is incorrect because SharePoint site permissions reporting provides periodic reports on permission structures but does not generate real-time alerts when users access sites. Option D is incorrect because while Microsoft Defender for Cloud Apps can monitor SharePoint activities, native SharePoint audit alert policies provide direct integration with Microsoft 365 auditing for site access monitoring.

Question 147: 

You need to ensure that all Microsoft Teams channels related to specific projects have consistent retention policies. What should you configure?

A) Retention policy for Teams with adaptive scope based on project groups

B) Teams channel retention settings

C) Microsoft 365 group retention policy

D) Teams admin center channel policies

Answer: A

Explanation:

Retention policies for Teams with adaptive scopes based on project groups provide dynamic policy application that automatically includes Teams associated with specific projects ensuring consistent retention across project-related communications. Adaptive scopes use query-based logic to identify target locations based on attributes like group membership, naming patterns, or applied labels. When you create a retention policy with adaptive scope targeting project-related groups, the policy automatically applies to all Teams meeting the criteria.

The adaptive scope evaluates Teams membership and properties continuously updating policy application as new project Teams are created or existing Teams change status. This dynamic application eliminates manual policy assignment for each project Team ensuring retention compliance without ongoing administrative overhead. Project Teams receive appropriate retention settings automatically based on their classification or association with project groups.

Retention policy configuration specifies retention duration and whether content should be deleted after retention expires or preserved indefinitely. For project-related channels, organizations might configure retention matching project lifecycle requirements such as retaining communications for seven years after project completion. The policy preserves channel messages, files, and meeting recordings according to configured settings.

Adaptive scopes support complex query logic combining multiple criteria like group naming conventions, sensitivity labels, or custom attributes identifying project Teams. Organizations can create separate policies with different retention periods for different project types or sensitivity levels. The scope automatically includes relevant Teams without requiring manual updates when new projects begin.

Option B is incorrect because Teams does not have channel-specific retention settings; retention policies apply at the Teams location level rather than individual channels. Option C is incorrect because Microsoft 365 group retention policies can target groups but adaptive scopes provide more dynamic and query-based policy application specifically for project-related scenarios. Option D is incorrect because Teams admin center channel policies control channel features and permissions rather than retention and lifecycle management.

Question 148: 

Your organization needs to prevent sensitive documents from being printed when accessed from Windows devices. What should you configure?

A) Sensitivity label with platform-specific print restrictions

B) Windows Information Protection policy

C) Conditional Access device-based policy

D) Microsoft Purview device restrictions

Answer: A

Explanation:

Sensitivity labels with platform-specific print restrictions provide document-level protection that enforces print blocking specifically on Windows devices while potentially allowing printing on other platforms based on organizational requirements. When you configure sensitivity label protection settings, you can enable encryption with usage rights that deny print permissions. The label enforcement through Azure Information Protection client or built-in Office protection ensures print restrictions apply when labeled documents are opened on Windows devices.

Label protection settings support granular permission configuration where you specify which operations are allowed or denied for labeled content. For sensitive documents requiring print restrictions on Windows devices, you configure labels that encrypt content and explicitly deny print rights while allowing view and edit operations. When users open protected documents in Office applications on Windows, the print option becomes unavailable and attempts to print generate error messages.

Platform-specific policies allow organizations to implement stricter controls on corporate Windows devices while potentially relaxing restrictions for mobile devices where print functionality may be less risky or practically unavailable. The label protection travels with documents ensuring restrictions persist regardless of where documents are stored or how they are shared. Recipients of labeled documents face the same print restrictions unless their accounts have explicit permissions overriding label protections.

Implementation requires deploying sensitivity labels through label policies that publish labels to users. Organizations should communicate label meanings and handling requirements ensuring users understand why certain documents cannot be printed and what alternative workflows exist for scenarios legitimately requiring physical copies with appropriate security controls.

Option B is incorrect because Windows Information Protection policies provide application-level data protection for Windows devices but are deprecated in favor of modern endpoint data loss prevention and sensitivity labels. Option C is incorrect because Conditional Access device-based policies control access to cloud applications based on device conditions but do not enforce document-level print restrictions. Option D is incorrect because Microsoft Purview device restrictions is not a specific feature; document print restrictions are implemented through sensitivity label protection settings.

Question 149: 

You need to delegate the ability to review audit logs without granting permissions to modify retention or security settings. Which role should you assign?

A) Audit Reader

B) Security Reader

C) Compliance Administrator

D) Global Reader

Answer: A

Explanation:

The Audit Reader role provides specific permissions to view and search Microsoft 365 audit logs without granting capabilities to modify audit settings, retention policies, or security configurations. Users assigned this role can access the audit log search interface in the Microsoft Purview compliance portal, where they execute searches across audit records from various Microsoft 365 services including Exchange, SharePoint, OneDrive, Azure AD, and Teams. The role enables audit review without administrative privileges.

Audit Readers can create detailed audit searches using filters for date ranges, users, activities, and services. They can export search results for analysis in external tools or reporting systems. The role provides read-only access to audit data supporting compliance monitoring, security investigations, and operational troubleshooting without risk of users modifying evidence or tampering with audit configurations.

Organizations assign the Audit Reader role to security analysts, compliance officers, or operational personnel who need to investigate user activities, troubleshoot issues, or generate compliance reports based on audit data. The role separation ensures audit investigation capabilities do not include permissions to disable auditing, modify retention, or change security policies that could compromise audit integrity.

The role provides access to audit records across the organization enabling investigations into user behaviors, administrative actions, and system events. Audit Readers can identify security incidents, track configuration changes, investigate data access patterns, and generate reports demonstrating compliance with regulatory requirements. The read-only nature ensures audit data remains trustworthy for compliance and legal purposes.

Option B is incorrect because Security Reader provides read-only access to security configurations and reports but does not specifically grant audit log search capabilities which require the Audit Reader role. Option C is incorrect because Compliance Administrator has extensive permissions including policy modification and compliance feature management beyond read-only audit access. Option D is incorrect because Global Reader provides read-only access to administrative interfaces but does not specifically include audit log search permissions which require dedicated Audit Reader role assignment.

Question 150: 

Your company wants to ensure that all Microsoft Bookings appointments require manager approval before confirmation. What should you configure?

A) Bookings business approval workflow with custom settings

B) Power Automate flow for Bookings approvals

C) Bookings staff approval requirements

D) Microsoft 365 group moderation for Bookings

Answer: B

Explanation:

A Power Automate flow for Bookings approvals provides customizable workflow automation that intercepts new booking requests and routes them to managers for approval before appointments are confirmed on staff calendars. You create a cloud flow triggered when new Bookings appointments are created. The flow extracts appointment details and sends approval requests to designated managers using approval actions. Based on manager decisions, the flow either confirms bookings or cancels appointments, notifying requesters of the approval outcome.

Microsoft Bookings itself does not include built-in approval workflows requiring manager authorization before appointment confirmation. Power Automate bridges this gap by providing workflow capabilities that extend Bookings functionality. The flow can implement business logic determining which managers receive approval requests based on factors like appointment type, requested staff member, or appointment duration.

The approval workflow sends notifications to managers including appointment details like requested time, service type, customer information, and staff member assignment. Managers review requests and approve or reject with comments. The flow processes approval decisions updating Bookings accordingly and sending confirmation or cancellation notifications to customers. This ensures appointments appear on staff calendars only after manager authorization.

Organizations use approval workflows for scenarios like executive schedule management where assistants screen meeting requests, specialized services requiring qualification verification before scheduling, or resource-constrained services where capacity must be carefully managed. The workflow provides governance over schedule commitments while maintaining customer self-service booking convenience pending approval.

Option A is incorrect because Bookings business approval workflow with custom settings is not a built-in Bookings feature; approval workflows require Power Automate implementation. Option C is incorrect because Bookings staff approval requirements relate to staff accepting or declining individual appointment assignments rather than implementing manager approval before appointments are confirmed. Option D is incorrect because Microsoft 365 group moderation applies to group communications rather than implementing approval workflows for Bookings appointments.

Question 151:

Your organization needs to prevent users from creating Microsoft Teams meetings that can be joined anonymously. What should you configure?

A) Teams meeting policy with anonymous join disabled

B) External access settings in Teams admin center

C) Azure AD Conditional Access policy

D) Teams guest access restrictions

Answer: A

Explanation:

Teams meeting policy with anonymous join disabled provides direct control over whether users can create meetings that allow anonymous participants to join without authentication. When you configure meeting policies in the Teams admin center, you can disable the setting that allows anonymous users to join meetings, ensuring that all meeting participants must authenticate with either organizational accounts or guest accounts before accessing meetings.

When this setting is disabled, meeting organizers cannot enable anonymous join for their meetings, and any attempts by unauthenticated users to join meetings are blocked. Users clicking meeting links without signing in receive prompts to authenticate before joining. This ensures all meeting participants are identifiable and prevents unauthorized individuals from accessing potentially sensitive discussions through shared meeting links.

The policy applies to all meetings created by users assigned the policy, providing consistent security across organizational communications. Organizations can create different meeting policies for different user groups, allowing executives or security-sensitive departments to have stricter anonymous join restrictions while other users have more flexible settings for external collaboration scenarios.

Option B is incorrect because external access settings control federation with other organizations rather than anonymous join capabilities. Option C is incorrect because Conditional Access policies control authenticated access conditions but do not prevent anonymous meeting join at the application level. Option D is incorrect because guest access restrictions control authenticated guest users rather than anonymous participants.

Question 152:

You need to ensure that all Microsoft 365 alerts for suspicious sign-in activities are automatically forwarded to your security team’s email distribution list. What should you configure?

A) Azure AD Identity Protection alert notification settings

B) Security and Compliance Center alert policy with email notification

C) Microsoft Defender for Cloud Apps activity policy

D) Azure AD sign-in log export

Answer: A

Explanation:

Azure AD Identity Protection alert notification settings provide automated email notifications to designated recipients when suspicious sign-in activities or identity risks are detected across the organization. When you configure notification settings in Azure AD Identity Protection, you specify email addresses or distribution lists that should receive alerts for risky sign-ins, users at risk, and risk detections. This ensures your security team receives immediate notifications when suspicious activities occur.

The notification settings allow configuring separate recipients for different alert types including weekly digest emails summarizing all detected risks and real-time alerts for high-priority risk events. When Azure AD Identity Protection detects anomalous sign-in patterns such as impossible travel, anonymous IP addresses, unfamiliar locations, or malware-linked IP addresses, it generates risk detections and sends notifications to configured recipients.

Security teams receiving these alerts can quickly investigate suspicious activities, take protective actions like requiring password resets or blocking affected accounts, and monitor trends in identity-based threats across the organization. The automated notification ensures no delays between risk detection and security team awareness, enabling rapid incident response that minimizes potential damage from compromised accounts.

Option B is incorrect because Security and Compliance Center alert policies focus on compliance and data governance events rather than identity-specific suspicious sign-in detection. Option C is incorrect because Microsoft Defender for Cloud Apps monitors cloud application usage but Azure AD Identity Protection provides more specialized identity risk detection and alerting. Option D is incorrect because sign-in log export provides historical data access but does not send automated real-time alerts to security teams.

Question 153:

Your company wants to automatically expire guest user accounts that have not signed in for 90 days. What should you configure?

A) Azure AD access reviews with inactive guest detection

B) Guest user lifecycle policy

C) Azure AD Identity Protection inactive user policy

D) Conditional Access policy for guest users

Answer: A

Explanation:

Azure AD access reviews with inactive guest detection provide automated processes to identify and remove guest accounts that have not been used within specified timeframes such as 90 days. When you create access reviews targeting guest users, you can configure the review to automatically detect inactive guests based on last sign-in date and either remove them automatically or flag them for reviewer decision.

Access reviews for guest users can be scheduled to run quarterly or at other intervals, evaluating each guest account’s activity status. The review process checks the last interactive sign-in date for each guest and identifies accounts exceeding the 90-day inactivity threshold. You can configure the review to automatically remove inactive guests without requiring manual reviewer action, or send the list to designated reviewers who confirm removal decisions.

Automated guest account cleanup helps organizations maintain security by ensuring external access privileges do not persist indefinitely for individuals who no longer need access. Inactive guest accounts represent potential security risks as former partners or contractors might retain access credentials that could be compromised. Regular removal of inactive accounts reduces the attack surface and ensures guest access reflects current business relationships.

The access review system generates reports showing which guest accounts were removed and tracks the history of guest lifecycle management. Organizations can configure grace periods where guests receive notifications before removal allowing them to sign in if they still need access. This prevents premature removal of guests who have legitimate ongoing access needs but temporarily haven’t used their accounts.

Option B is incorrect because guest user lifecycle policy is not a specific standalone feature; guest lifecycle management is implemented through access reviews. Option C is incorrect because Azure AD Identity Protection focuses on risk detection rather than lifecycle management based on inactivity periods. Option D is incorrect because Conditional Access policies control access conditions but do not automate account expiration based on inactivity.

Question 154:

You need to prevent users from sharing OneDrive files with specific external domains that are competitors. What should you configure?

A) OneDrive sharing settings with domain restrictions

B) Azure AD B2B collaboration domain allowlist

C) Data Loss Prevention policy with domain blocking

D) Conditional Access policy for external sharing

Answer: A

Explanation:

OneDrive sharing settings with domain restrictions provide administrative controls to block or allow file sharing with specific external domains ensuring users cannot share content with competitor organizations. In the SharePoint admin center under sharing settings, you can configure domain restrictions that apply to both SharePoint and OneDrive. When you add competitor domains to the blocked list, users attempting to share files with email addresses from those domains receive error messages preventing the sharing action.

Domain restriction settings support both allowlists and blocklists. For preventing sharing with competitors, you create a blocklist containing competitor domain names. The system evaluates sharing attempts in real-time and blocks any operations targeting blocked domains regardless of sharing method including direct sharing, anonymous links shared with blocked domain users, or adding blocked domain users as site members.

This configuration provides comprehensive protection against intentional or accidental information disclosure to competitors. Users cannot circumvent the restrictions through different sharing mechanisms since the domain check occurs at the platform level before any sharing operation completes. The restrictions apply organization-wide ensuring consistent enforcement across all OneDrive accounts and SharePoint sites.

Organizations should carefully maintain the blocked domain list ensuring it includes all known competitor domains and their variations. Regular review ensures newly identified competitors are added promptly. The restriction prevents business-sensitive information from reaching competitors while still allowing collaboration with legitimate partners and customers from non-blocked domains.
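The blocklist described above can be set and maintained from the SharePoint Online Management Shell. This is an added example, not code from the original page; the admin URL and the competitor domains are placeholders, and the helper function that merges new domains into the existing list is a hypothetical name introduced here.

```powershell
# Added example (not from the original page). Requires the
# Microsoft.Online.SharePoint.PowerShell module and a SharePoint admin role.
# "contoso-admin" and the *.example domains are constructed placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Tenant-wide blocklist: sharing with these domains is refused for both
# SharePoint and OneDrive. The list is a single space-separated string.
$blockedDomains = @("competitor1.example", "competitor2.example")
Set-SPOTenant -SharingDomainRestrictionMode BlockList `
              -SharingBlockedDomainList ($blockedDomains -join " ")

# Hypothetical helper: add newly identified domains without clobbering the
# existing list (the setting is replaced, not appended, on each call).
function Add-BlockedSharingDomain {
    param([Parameter(Mandatory)][string[]]$Domain)

    $tenant   = Get-SPOTenant
    $existing = @()
    if ($tenant.SharingBlockedDomainList) {
        $existing = $tenant.SharingBlockedDomainList -split '\s+'
    }
    # Normalise to lower case and de-duplicate before writing back.
    $merged = ($existing + $Domain) | ForEach-Object { $_.ToLowerInvariant() } |
              Sort-Object -Unique
    Set-SPOTenant -SharingDomainRestrictionMode BlockList `
                  -SharingBlockedDomainList ($merged -join " ")
    return $merged
}

Add-BlockedSharingDomain -Domain "competitor3.example"

# Verify the tenant setting; a per-site override with the same parameters is
# available on Set-SPOSite if one site needs a stricter list.
Get-SPOTenant | Select-Object SharingDomainRestrictionMode, SharingBlockedDomainList
```

Review the list periodically with `Get-SPOTenant`, since every `Set-SPOTenant` call overwrites the whole domain string rather than appending to it.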

Option B is incorrect because Azure AD B2B collaboration domain allowlist controls guest account creation broadly but OneDrive sharing restrictions provide more specific file-sharing control. Option C is incorrect because DLP policies detect content patterns but domain-based sharing restrictions are configured in sharing settings. Option D is incorrect because Conditional Access policies control application access conditions rather than domain-specific sharing permissions.

Question 155:

Your organization needs to ensure that all Power Automate flows accessing financial data undergo security review before activation. What should you configure?

A) Power Platform DLP policy with connector restrictions and approval workflows

B) Power Automate flow checker requirements

C) Azure AD Conditional Access for Power Automate

D) Power Platform environment approval gates

Answer: A

Explanation:

Power Platform DLP policy with connector restrictions and approval workflows provides governance controls ensuring flows accessing financial data cannot be activated without security review. When you configure DLP policies for Power Platform, you classify data connectors into categories and define which connectors can be used together in flows. For financial data connectors like SQL databases containing financial information or enterprise financial systems, you can apply restrictions requiring administrative approval before flows using those connectors can be activated.

The implementation combines DLP policies that identify high-risk connector usage with organizational approval processes where flow creators must submit flows for security review before production deployment. DLP policies prevent flows from running when they attempt to use restricted financial data connectors until proper approvals are obtained. This ensures security teams can examine flow logic, data handling practices, and access permissions before flows access sensitive financial information.

Organizations typically establish formal review processes where developers create flows in development environments and submit them through change management systems for security assessment. Reviewers evaluate whether flows implement appropriate error handling, logging, data protection, and access controls before approving deployment to production environments where they can access live financial data.

Power Platform environment strategies support this governance by separating development and production environments with different DLP policies. Development environments might allow broader connector access for testing while production environments enforce strict DLP policies requiring approval for financial data access. This staged approach balances development flexibility with production security.

Option B is incorrect because Power Automate flow checker validates technical correctness but does not implement security approval workflows for data access. Option C is incorrect because Conditional Access controls authentication to Power Automate but does not review flow logic before activation. Option D is incorrect because environment approval gates are not a built-in feature; approval processes are implemented through DLP policies and organizational workflows.

Question 156:

You need to delegate the ability to manage SharePoint term store taxonomy without granting site collection administration permissions. Which role should you assign?

A) Term Store Administrator

B) SharePoint Administrator

C) Taxonomy Manager

D) Site Collection Administrator

Answer: A

Explanation:

The Term Store Administrator role provides specific permissions to manage the SharePoint term store, including creating term groups, term sets, and terms, without granting broader SharePoint administrative capabilities like site collection management. Users assigned this role can access the term store management interface where they organize enterprise metadata taxonomies, configure term hierarchies, set term properties, and manage term store permissions.

The role enables comprehensive taxonomy management supporting organizational metadata strategies and content classification systems. Term Store Administrators create managed metadata structures that users across the organization employ to tag and categorize content consistently. They can configure term sets for departments, document types, project classifications, or any other organizational categorization needs.

Term store management includes setting term deprecation, configuring term synonyms, enabling term translation for multilingual environments, and defining term stakeholders who can propose changes to specific term sets. The role provides sufficient permissions for enterprise information architects or content managers to maintain metadata taxonomies without requiring full SharePoint administrative access that would grant unnecessary privileges over sites, users, and configurations.

Organizations benefit from delegating term store management to business users who understand organizational taxonomy requirements and content classification needs. These users can evolve metadata structures as business needs change without depending on IT administrators. The role separation ensures taxonomy management remains agile while preventing unauthorized changes to SharePoint infrastructure or site configurations.

Option B is incorrect because SharePoint Administrator has comprehensive permissions across all SharePoint settings including site management which exceeds term store management requirements. Option C is incorrect because Taxonomy Manager is not a distinct built-in role; term store permissions are granted through Term Store Administrator role. Option D is incorrect because Site Collection Administrator manages individual site collections rather than the organization-wide term store.

Question 157:

Your company wants to automatically apply watermarks to all documents downloaded from specific SharePoint sites containing intellectual property. What should you configure?

A) Sensitivity label with dynamic watermark for site-based auto-labeling

B) Information Rights Management template for SharePoint

C) SharePoint site download policy with watermarking

D) Data Loss Prevention policy with watermark action

Answer: A

Explanation:

Sensitivity label with dynamic watermark for site-based auto-labeling provides automated document protection that applies watermarks containing user information when documents are downloaded from intellectual property sites. You create sensitivity labels configured with watermark content markings showing dynamic properties like user email and download date. Then configure auto-labeling policies that automatically apply these labels to documents stored in specified SharePoint sites containing intellectual property.

When users download documents from these protected sites, the sensitivity label ensures watermarks are applied to the files showing who downloaded them and when. The watermark becomes part of the document visible on every page deterring unauthorized sharing since recipients can identify the source. Dynamic watermarks use variables that populate with actual user information at the time documents are accessed making each downloaded copy uniquely identifiable to its recipient.

Site-based auto-labeling policies target entire SharePoint sites or document libraries ensuring all content in intellectual property repositories receives watermark protection automatically without requiring manual label application. As new documents are uploaded to protected sites, the auto-labeling policy applies labels with watermark settings ensuring comprehensive protection for all intellectual property content.

The watermarks appear in Office applications when documents are viewed and persist when documents are printed or converted to PDF format. This comprehensive marking ensures intellectual property attribution remains visible regardless of how documents are used or distributed. Organizations can investigate unauthorized sharing by identifying watermarked documents and tracing them back to the user who downloaded them.

Option B is incorrect because Information Rights Management templates provide encryption but lack the site-based auto-labeling and dynamic watermark capabilities of sensitivity labels. Option C is incorrect because SharePoint site download policy with watermarking is not a built-in feature; watermarking is implemented through sensitivity labels. Option D is incorrect because DLP policies detect and prevent data loss but do not apply watermarks to documents.

Question 158:

You need to ensure that all Microsoft Teams channels created for executive leadership have message retention of 10 years. What should you configure?

A) Retention policy for Teams with adaptive scope targeting executive teams

B) Teams messaging policy with retention settings

C) Microsoft 365 group retention for executive groups

D) Teams admin center channel retention configuration

Answer: A

Explanation:

Retention policy for Teams with adaptive scope targeting executive teams provides automated application of 10-year retention to all channels within teams associated with executive leadership without requiring manual policy assignment for each team. Adaptive scopes use query-based logic to dynamically identify teams based on properties like membership, naming patterns, or applied labels. When you create a retention policy with adaptive scope targeting executive teams, the policy automatically applies to all matching teams and their channels.

The adaptive scope evaluates team properties continuously updating policy application as new executive teams are created or team classifications change. This ensures executive communications receive appropriate long-term retention matching governance requirements for leadership communications without ongoing administrative overhead. The policy preserves all channel messages for 10 years even when users delete messages ensuring compliance with records retention requirements.

Retention policy configuration specifies the 10-year retention period and whether messages should be permanently deleted after retention expires or retained indefinitely. For executive communications, organizations typically configure indefinite retention or very long periods reflecting the historical significance of leadership decisions and communications. The preserved messages remain searchable through eDiscovery tools supporting investigations, audits, or historical research.

Organizations can define adaptive scopes using various criteria such as teams where specific executives are members, teams with particular naming conventions like Executive or Leadership, or teams with sensitivity labels indicating executive content. The flexible scope definition ensures all relevant teams receive appropriate retention regardless of how they are organized or named.

Option B is incorrect because Teams messaging policies control messaging features but do not implement retention periods for content preservation. Option C is incorrect because Microsoft 365 group retention can preserve group content but adaptive policy scopes provide more dynamic targeting for executive teams. Option D is incorrect because Teams admin center does not have channel-specific retention configuration; retention is managed through retention policies.

Question 159:

Your organization needs to prevent users from forwarding emails outside the organization that contain attachments larger than 10MB. What should you configure?

A) Mail flow rule with attachment size condition and external recipient restriction

B) Data Loss Prevention policy with attachment size detection

C) Exchange Online Protection policy

D) Outlook attachment blocking policy

Answer: A

Explanation:

Mail flow rule with attachment size condition and external recipient restriction provides transport-level enforcement that evaluates email attachment sizes and blocks forwarding to external recipients when attachments exceed specified thresholds like 10MB. When you create a mail flow rule in Exchange Online, you configure conditions that detect when messages contain attachments larger than 10MB and when recipients are outside the organization. The rule action blocks message delivery or redirects messages for approval preventing large file transfers to external addresses.

The mail flow rule processes all outbound email evaluating attachment sizes before delivery. When messages match both the size condition and external recipient condition, the rule takes configured actions such as blocking with notification to sender, quarantining for administrator review, or allowing with warning. This prevents intentional or accidental transfer of large files that might contain sensitive information or consume excessive bandwidth.

Organizations implement attachment size restrictions to manage email infrastructure costs, prevent data exfiltration through email, and encourage use of proper file sharing mechanisms like OneDrive or SharePoint for large file collaboration. The rule can include exceptions for approved external partners or business processes legitimately requiring large file transfers while restricting general users.

The mail flow rule provides audit logging showing blocked messages including sender information, intended recipients, attachment sizes, and enforcement actions. This visibility helps organizations monitor large file transfer attempts and identify users who may need training on appropriate file sharing methods. The rule can be configured with policy tips that warn users before sending about attachment size restrictions.
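The rule described in this explanation can be created with Exchange Online PowerShell. This is an added example, not code from the original page; the rule name, the administrator UPN and the partner domain used for the exception are placeholders.

```powershell
# Added example (not from the original page). Requires the
# ExchangeOnlineManagement module and an Exchange administrator role.
# admin@contoso.example and approved-partner.example are constructed placeholders.
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.example"

# Conditions: any attachment larger than 10 MB AND at least one recipient
# outside the organization. Exception: an approved external partner domain.
# Start in Audit mode so matches are logged without blocking mail.
New-TransportRule -Name "Block external attachments over 10MB" `
    -SentToScope NotInOrganization `
    -AttachmentSizeOver 10MB `
    -ExceptIfRecipientDomainIs "approved-partner.example" `
    -RejectMessageReasonText "Attachments over 10 MB cannot be sent outside the organization. Share a OneDrive or SharePoint link instead." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Mode Audit `
    -Comments "Outbound large-attachment control; switch to Enforce after reviewing audit matches."

# Confirm the rule shape before enforcing it.
Get-TransportRule -Identity "Block external attachments over 10MB" |
    Format-List Name, State, Mode, Priority, SentToScope, AttachmentSizeOver,
                ExceptIfRecipientDomainIs, RejectMessageReasonText

# Once audit results look correct, enforce the rule.
Set-TransportRule -Identity "Block external attachments over 10MB" -Mode Enforce
```

Rejected messages return the NDR text above to the sender, and matches are visible in message trace and the transport rule reports for the audit the explanation mentions.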

Option B is incorrect because DLP policies focus on sensitive content detection rather than attachment size-based blocking for external recipients. Option C is incorrect because Exchange Online Protection focuses on anti-malware and anti-spam rather than attachment size restrictions. Option D is incorrect because Outlook attachment blocking policy is not a centralized enforcement mechanism; mail flow rules provide server-side attachment restriction.

Question 160:

You need to delegate the ability to create and manage Microsoft 365 service requests without granting other administrative permissions. Which role should you assign?

A) Service Support Administrator

B) Global Administrator

C) Helpdesk Administrator

D) User Administrator

Answer: A

Explanation:

The Service Support Administrator role provides specific permissions to create and manage service requests with Microsoft support without granting broader administrative capabilities across the tenant. Users assigned this role can open support tickets through the Microsoft 365 admin center, track existing service requests, provide additional information to support engineers, and view service health information. This role is designed for IT support personnel who handle escalations to Microsoft without requiring full administrative access.

The role enables effective support case management ensuring organizational issues receive appropriate attention from Microsoft support teams. Service Support Administrators can describe technical problems, upload diagnostic information, and communicate with support engineers throughout case resolution. They have permissions to view case history and track progress without accessing configuration settings or user data that could be misused.

Service Support Administrators cannot modify organizational settings, manage users, configure security policies, or access sensitive administrative functions. This role separation ensures support case management responsibilities do not grant excessive privileges that could introduce security risks. Organizations benefit from enabling multiple staff members to manage support cases without elevating them to Global Administrator or other high-privilege roles.

The role includes permissions to view service health dashboard and message center communications helping support staff understand service incidents and planned maintenance that might affect users. This visibility enables informed communication with organizational users about service issues and expected resolution timelines. Support administrators can provide context from Microsoft communications when responding to user reports about service problems.

Option B is incorrect because Global Administrator has unlimited permissions across all services which far exceeds support request management requirements and violates least privilege principles. Option C is incorrect because Helpdesk Administrator focuses on user support tasks like password resets rather than service request management with Microsoft. Option D is incorrect because User Administrator manages user accounts and properties but does not have permissions to create and manage service requests with Microsoft support.
