Microsoft 365 MS-102 Administrator Exam Dumps and Practice Test Questions Set2 Q21-40

Question 21: 

You need to prevent users from accessing SharePoint Online if they are not on the corporate network. What should you configure?

A) Conditional Access policy with trusted network location

B) SharePoint Online access control settings

C) Network firewall rules

D) VPN requirement

Answer: A

Explanation:

Conditional Access policies with trusted network locations provide identity-based access control that restricts SharePoint Online access based on user location. You define trusted network locations in Azure AD by specifying your corporate network IP address ranges, and then create a Conditional Access policy that blocks access to SharePoint Online when users connect from outside these trusted locations. This approach provides centralized control that applies regardless of which device or application users employ to access SharePoint. The solution leverages Azure AD authentication, ensuring enforcement at the identity layer before users can reach SharePoint resources. You can configure the policy to apply to all users or specific groups, and you can include exceptions for certain scenarios. The trusted network requirement integrates with other Conditional Access controls such as device compliance and multi-factor authentication to provide layered security.

Option B) is incorrect because while SharePoint has access control settings for limiting external sharing and controlling anonymous access, these settings don’t provide the capability to restrict access based on network location for authenticated internal users.

Option C) is incorrect because network firewall rules can’t effectively control access to cloud services that users access directly via the internet; additionally, SharePoint Online uses distributed endpoints that bypass traditional network perimeters.

Option D) is incorrect because requiring VPN is a network-level approach that doesn’t integrate with identity-based access controls and may not be practical for all scenarios; Conditional Access provides more flexible and modern access control.

Question 22: 

You need to ensure that users cannot create Microsoft 365 groups unless they are members of a specific security group. What should you configure?

A) Azure AD group creation restrictions

B) Teams creation policy

C) SharePoint site creation settings

D) Exchange Online group creation policy

Answer: A

Explanation:

Azure AD group creation restrictions provide centralized control over who can create Microsoft 365 groups across all workloads and applications. By configuring these settings, you can limit group creation to members of a specific security group, ensuring that only authorized users can create new groups. This restriction applies universally across all group creation scenarios including Teams, Outlook, SharePoint, Planner, and any other service that creates Microsoft 365 groups.

To implement this control, you use PowerShell commands to configure the group settings template in Azure AD. You create a security group containing the users who should have group creation permissions, then apply the restriction policy that references this security group. Once configured, users who are not members of the designated security group will see error messages when attempting to create groups through any interface.

Option B) is incorrect because Teams creation policy only controls who can create teams within Microsoft Teams and doesn’t prevent underlying Microsoft 365 group creation through other workloads like Outlook or SharePoint.

Option C) is incorrect because SharePoint site creation settings only control the creation of SharePoint sites and don’t restrict the creation of Microsoft 365 groups from other services.

Option D) is incorrect because there is no separate Exchange Online group creation policy that controls Microsoft 365 groups. Group creation restrictions are managed centrally through Azure AD settings that apply across all services.
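The PowerShell step described for Question 22, written out as an added example (not part of the original question set). It assumes the Microsoft Graph PowerShell beta modules are installed and that a security group with the placeholder name `M365-Group-Creators` already exists; existing `Group.Unified` values are read first and sent back unchanged so the update only alters the two group-creation values.

```powershell
# Added example: limit Microsoft 365 group creation to members of one
# security group by editing the tenant's Group.Unified directory setting.
Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Beta.Groups

Connect-MgGraph -Scopes 'Directory.ReadWrite.All', 'Group.Read.All'

# Assumption: placeholder display name of the group allowed to create groups.
$AllowedGroupName = 'M365-Group-Creators'

# Resolve the group and refuse to continue on an ambiguous or missing match,
# so the restriction is never bound to the wrong object.
$allowedGroup = @(Get-MgBetaGroup -Filter "displayName eq '$AllowedGroupName'")
if ($allowedGroup.Count -ne 1) {
    throw "Expected exactly one group named '$AllowedGroupName', found $($allowedGroup.Count)."
}
if (-not $allowedGroup[0].SecurityEnabled) {
    throw "'$AllowedGroupName' is not a security group."
}

$template = Get-MgBetaDirectorySettingTemplate | Where-Object DisplayName -eq 'Group.Unified'
$setting  = Get-MgBetaDirectorySetting | Where-Object DisplayName -eq 'Group.Unified'

# Start from the current values (or the template defaults on first use) so
# unrelated Group.Unified values are carried over as they are.
$current = [ordered]@{}
if ($setting) {
    foreach ($v in $setting.Values)  { $current[$v.Name] = $v.Value }
} else {
    foreach ($v in $template.Values) { $current[$v.Name] = $v.DefaultValue }
}

# The two values that implement the restriction.
$current['EnableGroupCreation']         = 'false'
$current['GroupCreationAllowedGroupId'] = $allowedGroup[0].Id

$values = @(foreach ($name in $current.Keys) {
    @{ name = $name; value = [string]$current[$name] }
})

if ($setting) {
    Update-MgBetaDirectorySetting -DirectorySettingId $setting.Id -BodyParameter @{ values = $values }
} else {
    New-MgBetaDirectorySetting -BodyParameter @{ templateId = $template.Id; values = $values } | Out-Null
}

# Read the setting back to confirm what is now enforced.
(Get-MgBetaDirectorySetting | Where-Object DisplayName -eq 'Group.Unified').Values |
    Where-Object Name -in 'EnableGroupCreation', 'GroupCreationAllowedGroupId'
```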

Question 23: 

Your organization needs to archive all mailbox data that is older than 2 years to a separate archive mailbox. What should you implement?

A) Retention policy with archiving action

B) Archive policy

C) Litigation hold

D) In-Place Archive with retention tags

Answer: D

Explanation:

In-Place Archive combined with retention tags provides the functionality to automatically move mailbox items to a separate archive mailbox based on age. When you enable In-Place Archive for a user, they receive an additional archive mailbox that appears in Outlook and Outlook on the web. Retention tags, which are part of retention policies, define when items should be moved to the archive mailbox based on their age.

You create a retention tag that specifies a retention age of 2 years and sets the retention action to move items to the archive mailbox. This tag can be applied as a default policy tag that affects all items in the mailbox, or as specific tags for different folder types. Once configured and assigned to users, the Managed Folder Assistant processes mailboxes periodically and automatically moves items older than 2 years to the archive mailbox. Users can access their archive mailbox seamlessly through their email client.

Option A) is incorrect because retention policies with archiving action don’t automatically move items to a separate archive mailbox based on age. They primarily focus on retention and deletion actions.

Option B) is incorrect because archive policy is not a specific feature in Exchange Online. Archiving functionality is implemented through In-Place Archive combined with retention tags.

Option C) is incorrect because litigation hold preserves all mailbox content and prevents deletion but doesn’t move items to an archive mailbox based on age criteria.
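The configuration described for Question 23, as an added Exchange Online PowerShell example (not part of the original question set). The mailbox address, tag name and policy name are placeholders chosen for illustration; 730 days stands in for the 2-year age limit.

```powershell
# Added example: enable the archive mailbox and move items older than
# two years into it with a default policy tag.
Connect-ExchangeOnline

# Assumptions: placeholder mailbox and object names.
$Mailbox    = 'user@contoso.example'
$TagName    = 'Default - 2 years - move to archive'
$PolicyName = 'Archive after 2 years'

# Default policy tag (-Type All): applies to every item that has no more
# specific tag. The age limit is expressed in days.
if (-not (Get-RetentionPolicyTag -Identity $TagName -ErrorAction SilentlyContinue)) {
    New-RetentionPolicyTag -Name $TagName `
        -Type All `
        -AgeLimitForRetention 730 `
        -RetentionAction MoveToArchive `
        -RetentionEnabled $true
}

# Retention policy that carries the tag.
if (-not (Get-RetentionPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-RetentionPolicy -Name $PolicyName -RetentionPolicyTagLinks $TagName
}

# The move action has nowhere to put items until the archive exists.
if ((Get-Mailbox -Identity $Mailbox).ArchiveStatus -ne 'Active') {
    Enable-Mailbox -Identity $Mailbox -Archive
}

# Assigning the policy replaces whichever retention policy the mailbox had.
Set-Mailbox -Identity $Mailbox -RetentionPolicy $PolicyName

# Ask the Managed Folder Assistant to process the mailbox now instead of
# waiting for its next scheduled pass.
Start-ManagedFolderAssistant -Identity $Mailbox

# Confirm the result.
Get-Mailbox -Identity $Mailbox | Format-List ArchiveStatus, RetentionPolicy
```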

Question 24: 

You need to prevent users from downloading email attachments on their mobile devices. What should you configure?

A) Exchange ActiveSync device policy

B) Mobile Application Management policy

C) Conditional Access policy

D) Data Loss Prevention policy

Answer: B

Explanation:

Mobile Application Management policies in Microsoft Intune provide granular control over how users interact with corporate data on mobile devices, including the ability to prevent downloading of email attachments. MAM policies can be applied to mobile apps like Outlook without requiring full device enrollment in mobile device management. These policies allow administrators to control actions such as save as, copy, paste, and download while users access corporate email and documents.

When you configure a MAM policy for Outlook mobile, you can disable the save attachments option, preventing users from downloading email attachments to their device storage. The policy ensures that attachments can only be viewed within managed apps and cannot be extracted to unmanaged locations. This approach protects sensitive data while maintaining user productivity by allowing email access on personal devices.

Option A) is incorrect because Exchange ActiveSync device policies provide basic mobile device controls but don’t offer the granular attachment download restrictions available in MAM policies. They focus more on device-level settings.

Option C) is incorrect because Conditional Access policies control whether users can access services based on conditions like location and device state, but they don’t provide specific controls over attachment download behavior within applications.

Option D) is incorrect because DLP policies detect and prevent sharing of sensitive information but don’t directly control the download behavior of attachments on mobile devices at the application level.

Question 25: 

Your company needs to ensure that all Microsoft Teams meetings are recorded automatically. What should you configure?

A) Teams meeting policy with automatic recording enabled

B) Compliance recording policy

C) Teams recording policy

D) Stream retention policy

Answer: B

Explanation:

Compliance recording policy in Microsoft Teams provides the capability to automatically record all Teams calls and meetings for regulatory compliance purposes. This feature is specifically designed for organizations that need to record communications for legal, compliance, or regulatory requirements. When enabled, compliance recording operates transparently in the background and captures all audio, video, and screen sharing content from Teams meetings and calls.

The compliance recording policy requires configuration of a recording application that integrates with Teams to capture and store the recordings. Microsoft partners provide certified recording solutions that work with this feature. Once configured, the policy automatically applies to designated users or groups, ensuring that all their Teams communications are recorded without requiring manual intervention. Participants are notified that recording is in progress through visual indicators in the Teams interface.

Option A) is incorrect because standard Teams meeting policies allow meeting organizers to enable recording, but they don’t automatically record all meetings. Users must manually start recording for each meeting.

Option C) is incorrect because there is no separate Teams recording policy that automatically records all meetings. Recording functionality is controlled through meeting policies or compliance recording policies.

Option D) is incorrect because Stream retention policies manage how long recorded content is retained in Microsoft Stream but don’t control the automatic recording of meetings. They apply after recordings are created.

Question 26: 

You need to allow users to classify documents manually with sensitivity labels. What should you configure?

A) Publish sensitivity labels to users

B) Enable auto-labeling policies

C) Configure default labels

D) Create DLP policies

Answer: A

Explanation:

Publishing sensitivity labels to users makes the labels available for manual application in Microsoft Office applications and other supported platforms. When you publish sensitivity labels, users can see and apply them through the sensitivity button in applications like Word, Excel, PowerPoint, and Outlook. This enables users to classify their documents and emails based on the sensitivity of the content they are working with.

To publish labels, you create a label policy in the Microsoft Purview compliance portal that specifies which labels should be made available and to which users or groups. You can publish labels to all users in the organization or to specific groups based on departmental or role-based needs. Once published, the labels appear in the sensitivity menu within Office applications, allowing users to select the appropriate classification. You can also configure label policy settings such as requiring justification for label removal or requiring users to apply a label to documents.

Option B) is incorrect because auto-labeling policies automatically apply labels based on content detection rules without requiring user action. This doesn’t enable manual classification by users.

Option C) is incorrect because configuring default labels automatically applies a specific label to new documents but doesn’t provide users with the ability to manually select and apply different labels based on content sensitivity.

Option D) is incorrect because DLP policies detect and protect sensitive information but don’t provide users with the interface to manually classify documents with sensitivity labels. They operate independently of manual classification.

Question 27: 

Your organization needs to prevent users from copying data from managed apps to personal apps on mobile devices. What should you implement?

A) Mobile Device Management policy

B) Mobile Application Management policy with data transfer restrictions

C) Conditional Access policy

D) Information Rights Management

Answer: B

Explanation:

Mobile Application Management policies with data transfer restrictions provide precise control over how users can move data between managed and unmanaged applications on mobile devices. These policies are part of Microsoft Intune’s app protection capabilities and can be applied without requiring full device enrollment. When configured, MAM policies prevent users from copying, cutting, or sharing data from managed apps like Outlook or OneDrive to personal applications.

You can configure data transfer settings within the MAM policy to restrict sending org data to only policy-managed apps. This means that users can copy data between managed apps but cannot paste that data into personal apps like personal email or messaging applications. The policy uses app-level controls that the managed applications enforce, creating a secure container for corporate data. Additional settings allow you to control actions like screen capture, contact sync, and printing from managed apps.

Option A) is incorrect because Mobile Device Management policies control device-level settings and compliance but don’t provide the application-level data transfer restrictions needed to prevent copying between managed and personal apps on the same device.

Option C) is incorrect because Conditional Access policies control access to cloud services based on conditions but don’t manage data transfer restrictions between applications on a device.

Option D) is incorrect because Information Rights Management protects documents with encryption and usage rights but doesn’t prevent users from copying unencrypted data between applications at the operating system level.

Question 28: 

You need to ensure that all SharePoint Online sites comply with GDPR requirements by automatically applying retention labels. What should you configure?

A) Auto-apply retention label policy based on location

B) Published retention labels

C) Site collection retention policy

D) Information management policy

Answer: A

Explanation:

Auto-apply retention label policies based on location provide the mechanism to automatically apply retention labels to all content in specified SharePoint Online sites without requiring user action. This approach ensures consistent compliance with GDPR requirements by automatically classifying and applying appropriate retention settings to all documents. You can configure the policy to target specific site collections or all SharePoint locations within your organization.

When you create an auto-apply policy based on location, you select the retention label that contains the appropriate retention and deletion settings for GDPR compliance. The policy then applies this label to all existing content in the specified locations and automatically labels new content as it is created. This ensures that all documents are subject to the retention requirements without relying on users to manually apply labels. The location-based auto-apply policy is particularly useful for ensuring organization-wide compliance with regulatory requirements.

Option B) is incorrect because published retention labels require users to manually apply them to content, which doesn’t ensure automatic compliance across all SharePoint sites and relies on user awareness and action.

Option C) is incorrect because site collection retention policies are not a specific feature in modern SharePoint Online. Retention is managed through retention labels and policies in the Microsoft Purview compliance portal.

Option D) is incorrect because information management policies are legacy SharePoint features that have been superseded by the retention labels and policies available in the Microsoft Purview compliance portal.

Question 29: 

Your company wants to monitor all file activities in SharePoint Online for security purposes. What should you enable?

A) SharePoint audit logging

B) Advanced audit in Microsoft 365

C) Cloud App Security

D) Azure AD audit logs

Answer: B

Explanation:

Advanced audit in Microsoft 365 provides comprehensive logging capabilities for SharePoint Online file activities including access, modification, download, and sharing events. This feature extends beyond basic audit logging by capturing additional high-value events and providing longer retention periods for audit data. Advanced audit includes specific events for file and folder activities such as FileAccessed, FilePreviewed, FileModified, and FileDeleted that are crucial for security monitoring.

When you enable advanced audit, the system captures detailed information about user activities including timestamps, user identities, IP addresses, and specific actions performed on files. The audit data is searchable through the Microsoft Purview compliance portal and can be exported for analysis or integration with security information and event management systems. Advanced audit also provides intelligent insights that help identify unusual patterns and potential security threats. The extended retention period ensures that historical audit data remains available for long-term investigations and compliance requirements.

Option A) is incorrect because basic SharePoint audit logging captures some activities but doesn’t provide the comprehensive event coverage and extended retention periods available with advanced audit. It has limitations on event types and retention.

Option C) is incorrect because Cloud App Security focuses on cloud application discovery, threat detection, and governance across multiple cloud services but is not the primary tool for detailed file activity monitoring within SharePoint Online.

Option D) is incorrect because Azure AD audit logs capture identity and authentication events but don’t include detailed file activity events from SharePoint Online. They focus on directory operations and sign-in activities.
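An added example (not part of the original question set) of pulling the file events named in the Question 29 explanation from the unified audit log and summarising them for review. It assumes auditing is enabled for the tenant and that the caller holds an audit-log search role; the 24-hour window and the delete threshold are illustrative values.

```powershell
# Added example: retrieve SharePoint file events and summarise them per user.
Connect-ExchangeOnline

$end        = (Get-Date).ToUniversalTime()
$start      = $end.AddDays(-1)                 # assumption: last 24 hours
$operations = 'FileAccessed', 'FilePreviewed', 'FileModified', 'FileDeleted'

# ReturnLargeSet pages through results under one session id; keep calling
# until a page comes back empty.
$sessionId = [guid]::NewGuid().ToString()
$records   = @()
do {
    $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType SharePointFileOperation -Operations $operations `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000)
    $records += $page
} while ($page.Count -gt 0)

# Large-set paging can return the same record twice; de-duplicate on Identity.
$records = $records | Sort-Object Identity -Unique

# The per-event detail (user, client IP, file URL) is JSON in AuditData.
$events = $records | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId, ClientIP, Operation, ObjectId

# Overview: event counts per user and operation.
$events | Group-Object UserId, Operation |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name

# Review list: accounts with an unusually high number of deletions.
# Assumption: the threshold is illustrative and should follow your baseline.
$DeleteThreshold = 100
$events | Where-Object Operation -eq 'FileDeleted' |
    Group-Object UserId |
    Where-Object Count -ge $DeleteThreshold |
    Select-Object Name, Count,
        @{ Name = 'SourceIPs'; Expression = { ($_.Group.ClientIP | Sort-Object -Unique) -join ', ' } }
```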

Question 30: 

You need to delegate the ability to manage Exchange Online mailboxes without granting access to other Microsoft 365 services. Which role should you assign?

A) Exchange Administrator

B) Global Administrator

C) User Administrator

D) Helpdesk Administrator

Answer: A

Explanation:

The Exchange Administrator role provides comprehensive permissions to manage all aspects of Exchange Online mailboxes and settings without granting access to other Microsoft 365 services. Users assigned this role can create and manage mailboxes, configure mail flow rules, manage distribution groups, and configure Exchange Online protection settings. This role follows the principle of least privilege by limiting administrative access to only Exchange-related tasks.

Exchange Administrators can perform tasks such as managing mailbox permissions, configuring retention policies for mailboxes, managing mobile device access settings, and troubleshooting mail delivery issues. They have full access to the Exchange admin center but cannot manage other Microsoft 365 workloads like SharePoint, Teams, or Azure AD settings. This role is ideal for email administrators who need to manage messaging infrastructure without broader organizational permissions. The role can be assigned to multiple users to distribute email administration responsibilities.

Option B) is incorrect because Global Administrator has unlimited access to all Microsoft 365 services and settings, which exceeds the requirement of managing only Exchange Online mailboxes. This violates the principle of least privilege.

Option C) is incorrect because User Administrator can manage user accounts and some basic user properties but doesn’t have the comprehensive Exchange mailbox management permissions needed for tasks like configuring mail flow rules or managing Exchange-specific settings.

Option D) is incorrect because Helpdesk Administrator has limited permissions focused on password resets and basic user support tasks. This role doesn’t include the mailbox management capabilities required for full Exchange administration.

Question 31: 

Your organization needs to prevent users from sending emails to external recipients if the email contains credit card numbers. What should you configure?

A) Mail flow rule with pattern matching

B) Data Loss Prevention policy with sensitive information types

C) Sensitivity label with encryption

D) Exchange Online Protection policy

Answer: B

Explanation:

Data Loss Prevention policies with sensitive information types provide the specific capability to detect credit card numbers in email content and prevent transmission to external recipients. DLP policies in Microsoft 365 include pre-built sensitive information types for various credit card formats including Visa, MasterCard, American Express, and other major card issuers. These patterns use sophisticated matching algorithms that identify credit card numbers based on format, checksum validation, and contextual keywords.

When you create a DLP policy for Exchange Online, you configure rules that scan outbound emails for credit card numbers. If the policy detects credit card information in an email addressed to external recipients, it can automatically block the message, quarantine it for review, or notify administrators and users. You can configure the policy to apply to all users or specific groups, and you can set different actions based on the number of credit card numbers detected or other contextual factors. The DLP policy provides detailed incident reports that help track and investigate potential data leakage attempts.

Option A) is incorrect because while mail flow rules can use pattern matching, they don’t have the sophisticated sensitive information type detection capabilities built into DLP policies. Manual pattern creation is error-prone and less reliable than DLP’s validated patterns.

Option C) is incorrect because sensitivity labels with encryption protect email content after it’s sent but don’t prevent the email from being sent to external recipients. They focus on protecting authorized recipients’ access rather than blocking transmission.

Option D) is incorrect because Exchange Online Protection policies focus on anti-spam and anti-malware protection for inbound email. They don’t provide content inspection and data loss prevention capabilities for outbound emails.

Question 32: 

You need to ensure that specific users can bypass multi-factor authentication when connecting from trusted locations. What should you configure?

A) Conditional Access policy with location exclusion

B) Trusted IPs in MFA service settings

C) Named locations with MFA exemption

D) Per-user MFA settings

Answer: A

Explanation:

Conditional Access policies with location exclusions provide the flexible and modern approach to allowing specific users to bypass multi-factor authentication when connecting from trusted network locations. This solution allows you to create granular policies that require MFA for most scenarios but exclude trusted locations where additional authentication is unnecessary. You define named locations in Azure AD that represent your corporate network IP ranges, then create Conditional Access policies that apply to specific users or groups.

The policy configuration includes the MFA requirement as the grant control, and you add location conditions with exclusions for the trusted named locations. When users from the specified group connect from excluded locations, they authenticate with just their password and are not prompted for MFA. When the same users connect from other locations, they must complete multi-factor authentication. This approach provides better security than blanket MFA exemptions while maintaining user convenience on corporate networks.

Option B) is incorrect because trusted IPs in MFA service settings is a legacy configuration method that has been superseded by Conditional Access policies. It provides less granular control and doesn’t integrate as well with other access conditions.

Option C) is incorrect because named locations alone don’t provide MFA exemption. They are building blocks used within Conditional Access policies to make location-based access decisions.

Option D) is incorrect because per-user MFA settings enable or disable MFA for individual users globally but don’t provide location-based exemptions. This approach lacks the flexibility needed for trusted location scenarios.
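Questions 21 and 32 both build on a trusted named location, so the following added example (not part of the original question set) creates the location once and then the two policies that use it, with Microsoft Graph PowerShell. The CIDR range, group id and emergency-account id are placeholders; both policies are created in report-only state so their effect can be checked in the sign-in logs before enforcement.

```powershell
# Added example: one trusted named location, two Conditional Access policies.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Assumptions: placeholder values, replace before running.
$CorpCidr     = '203.0.113.0/24'                          # documentation range
$MfaGroupId   = '<object id of the group in scope for MFA>'
$BreakGlassId = '<object id of the emergency access account>'

# Trusted named location for the corporate egress range.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Corporate network'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $CorpCidr }
    )
}

# Question 21: block SharePoint Online from anywhere that is not trusted.
# 00000003-0000-0ff1-ce00-000000000000 is the Office 365 SharePoint Online app.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Block SharePoint Online outside trusted locations'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @('00000003-0000-0ff1-ce00-000000000000') }
        locations      = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Question 32: require MFA for one group, except from the named location.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Require MFA except from corporate network'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        users          = @{ includeGroups = @($MfaGroupId) }
        applications   = @{ includeApplications = @('All') }
        locations      = @{ includeLocations = @('All'); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# List the resulting policies with their state.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```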

Question 33: 

Your company needs to ensure that all devices accessing Microsoft 365 have endpoint protection enabled. What should you configure?

A) Device compliance policy requiring antivirus

B) Conditional Access policy

C) Windows Defender policy

D) Mobile threat defense integration

Answer: A

Explanation:

Device compliance policies requiring antivirus provide the mechanism to ensure that all devices accessing Microsoft 365 have endpoint protection enabled before they are granted access. In Microsoft Intune, you create compliance policies that define security requirements including antivirus software status, real-time protection enablement, and signature definition currency. These policies support multiple platforms including Windows, iOS, Android, and macOS.

When you configure a compliance policy with antivirus requirements, the policy evaluates device status and marks devices as compliant or non-compliant based on whether they meet the criteria. For Windows devices, the policy checks Windows Defender or third-party antivirus status and ensures real-time protection is active. The compliance status is reported to Azure AD and can be used by Conditional Access policies to make access decisions. Devices that don’t meet the antivirus requirements are marked non-compliant and can be blocked from accessing Microsoft 365 services until they install and enable appropriate endpoint protection.

Option B) is incorrect because Conditional Access policies enforce access requirements based on conditions but don’t define what makes a device compliant. They rely on compliance policies to determine device status.

Option C) is incorrect because Windows Defender policies configure specific antivirus settings but don’t evaluate overall device compliance or work across multiple platforms. They are platform-specific configuration policies.

Option D) is incorrect because mobile threat defense integration extends security capabilities to detect advanced threats but doesn’t specifically ensure that basic endpoint protection is enabled. It’s an advanced feature that complements basic compliance requirements.

Question 34:

You need to allow external users from specific partner organizations to access your Teams channels. What should you configure?

A) Guest access in Teams

B) External access in Teams

C) Azure AD B2B collaboration

D) Cross-tenant access settings

Answer: A

Explanation:

Guest access in Teams provides the capability to add external users from partner organizations as guests to your Teams channels, enabling full collaboration capabilities including channel conversations, file sharing, and meeting participation. When you enable guest access, external users receive guest accounts in your Azure AD tenant and can be added as members to specific teams. Guest users have access to the channels within teams they are added to and can participate in conversations, edit documents, and collaborate just like internal team members.

To configure guest access, you enable the feature in the Teams admin center and set permissions that control what guests can do within Teams. You can configure settings such as whether guests can create, update, or delete channels, whether they can use chat, and whether they can participate in meetings. Once enabled, team owners can invite external users by email address, and the invited users receive invitation emails to join the team. Guest access provides deep integration for external collaboration while maintaining security boundaries.

Option B) is incorrect because external access in Teams is federation that allows users from other organizations to find, call, and chat with your users, but it doesn’t provide access to team channels or shared content. It’s limited to person-to-person communication.

Option C) is incorrect because Azure AD B2B collaboration is the underlying technology that enables guest access, but configuring guest access in Teams is the specific setting needed to allow external users to access Teams channels.

Option D) is incorrect because cross-tenant access settings control trust relationships between organizations for B2B collaboration but don’t directly enable external users to access Teams channels. These settings work in conjunction with guest access configuration.

Question 35: 

Your organization needs to ensure that all OneDrive files are synchronized only to domain-joined devices. What should you configure?

A) OneDrive sync client restrictions by domain

B) Conditional Access policy requiring device join

C) OneDrive for Business policy settings

D) Intune device configuration policy

Answer: A

Explanation:

OneDrive sync client restrictions by domain provide direct control over which devices can synchronize OneDrive files based on whether they are joined to your organization’s Active Directory or Azure AD domain. This setting is configured in the OneDrive admin center and uses the device’s domain join status to determine whether synchronization is allowed. When you enable this restriction, the OneDrive sync client checks the device’s domain membership before allowing file synchronization.

You configure this restriction by specifying your organization’s domain GUID in the OneDrive admin center settings. Once configured, users attempting to sync OneDrive files on non-domain-joined devices will receive an error message indicating that synchronization is not allowed. Users on domain-joined devices can sync files normally without additional prompts or authentication requirements. This setting provides a straightforward way to ensure that corporate data synchronized to devices is only stored on managed, domain-joined computers that meet organizational security standards.

Option B) is incorrect because while Conditional Access policies can require device join for accessing OneDrive through web browsers, they don’t specifically control the OneDrive sync client’s ability to synchronize files to the local file system.

Option C) is incorrect because general OneDrive for Business policy settings include various sync and sharing configurations but the specific domain join restriction requires configuring the dedicated sync client restriction setting.

Option D) is incorrect because Intune device configuration policies manage device settings and configurations but don’t directly control OneDrive sync client restrictions based on domain join status. This is a OneDrive-specific setting.

Question 36: 

You need to enable users to recover deleted items from their mailboxes for up to 90 days. What should you configure?

A) Retention policy with 90-day hold

B) Deleted item retention period to 90 days

C) Litigation hold

D) Single item recovery

Answer: B

Explanation:

The deleted item retention period setting in Exchange Online controls how long deleted items remain recoverable from the Recoverable Items folder before being permanently purged. By default, this period is 14 days, but it can be extended up to 30 days through standard configuration. However, when single item recovery is enabled along with a retention policy or litigation hold, items can be retained for longer periods including 90 days as specified in organizational requirements.

When you configure the deleted item retention period, items that users delete from their mailbox remain in the Deleted Items folder initially. If users empty the Deleted Items folder or use Shift+Delete, the items move to the Recoverable Items folder where they remain for the specified retention period. During this time, users can recover the items using the Recover Deleted Items feature in Outlook or Outlook on the web. After the retention period expires, items are permanently deleted during the next Managed Folder Assistant processing cycle.

Option A) is incorrect because retention policies manage the lifecycle of content including when items should be deleted but don’t specifically control the recovery period for items users have already deleted. They work differently than deleted item retention.

Option C) is incorrect because litigation hold prevents all mailbox content from being permanently deleted but is designed for legal preservation scenarios rather than general user recovery capabilities. It’s typically used for specific users involved in litigation.

Option D) is incorrect because single item recovery is a feature that prevents items from being purged before the retention period expires, but it doesn’t set the retention period itself. It works in conjunction with retention period settings.

Question 37: 

Your company wants to prevent synchronization of specific file types to OneDrive. What should you configure?

A) File type exclusion in OneDrive admin center

B) Conditional Access app control

C) Data Loss Prevention policy

D) OneDrive sync client Group Policy

Answer: D

Explanation:

OneDrive sync client Group Policy settings provide the capability to block synchronization of specific file types from OneDrive to user devices. This is accomplished using the “Block syncing specific file types” policy setting that allows administrators to specify file extensions that should not be synchronized by the OneDrive sync client. When configured, the sync client prevents files with the specified extensions from being uploaded to OneDrive or downloaded to local devices.

You implement this setting through Group Policy Objects in Active Directory or through Intune configuration policies for cloud-managed devices. The policy requires you to specify file extensions you want to block, such as executable files, video files, or other file types that may pose security risks or consume excessive storage. When users attempt to sync blocked file types, they receive a notification that the files cannot be synchronized due to administrative policy. This approach helps organizations maintain security and control storage consumption while still allowing users to sync approved file types.

Option A) is incorrect because the OneDrive admin center doesn’t provide a built-in setting for blocking specific file types from synchronization. File type restrictions require Group Policy or Intune policy configuration.

Option B) is incorrect because Conditional Access app control manages session-level controls for cloud apps but doesn’t provide file type filtering for the OneDrive sync client’s upload and download operations.

Option C) is incorrect because DLP policies detect and protect sensitive content based on information patterns but don’t block synchronization based on file extensions. They focus on content inspection rather than file type restrictions.

Question 38: 

You need to ensure that emails containing specific keywords are automatically forwarded to a compliance mailbox. What should you configure?

A) Mail flow rule with forward action

B) Inbox rule for all users

C) Journal rule

D) DLP policy with notification

Answer: A

Explanation:

Mail flow rules with forward action provide centralized control for automatically forwarding emails that contain specific keywords to designated mailboxes such as a compliance mailbox. These rules operate at the Exchange Online transport layer, processing all email messages as they flow through the organization. When you create a mail flow rule, you specify conditions such as subject or body containing specific keywords, and configure the forward action to send copies of matching messages to the compliance mailbox.

The mail flow rule approach ensures that forwarding happens automatically and consistently for all users without requiring individual user configuration. You can configure the rule to forward messages while still delivering them to the original recipients, or to redirect them exclusively to the compliance mailbox. The rule can include exceptions to exclude certain senders or recipients from the forwarding action. Mail flow rules provide detailed logging and can be tested before full implementation to ensure they work as intended.

Option B) is incorrect because inbox rules are user-configured settings that would require individual setup for every user, making them impractical for organization-wide compliance requirements. Users could also disable or modify their inbox rules.

Option C) is incorrect because journal rules capture entire messages for compliance archival but don’t provide keyword-based filtering. Journaling captures all messages for specified users or global communications rather than content-specific forwarding.

Option D) is incorrect because DLP policies can detect sensitive content and send notifications but don’t provide the forwarding capability needed to route matching emails to a compliance mailbox. They focus on policy enforcement and alerts.

Question 39: 

Your organization needs to prevent users from installing third-party add-ins in Outlook. What should you configure?

A) Outlook add-in management policies

B) Exchange Online organization settings

C) Azure AD application control

D) Conditional Access policy

Answer: A

Explanation:

Outlook add-in management policies in the Microsoft 365 admin center provide granular control over which add-ins users can install and use in Outlook. These policies allow administrators to block all third-party add-ins, allow only specific add-ins, or require administrator approval before users can install add-ins. When you configure a policy to prevent third-party add-ins, users will not be able to install add-ins from the Office Store or from external sources.

You can create different add-in policies for different user groups, allowing flexibility based on departmental needs and security requirements. The policies control add-ins across all Outlook platforms including Outlook on the web, Outlook desktop clients, and Outlook mobile apps. Administrators can deploy approved add-ins centrally that users cannot remove, ensuring that required tools are available while blocking unapproved add-ins. The add-in management interface provides visibility into which add-ins are installed across the organization and allows administrators to remove add-ins that violate policy.

Option B) is incorrect because Exchange Online organization settings include various mailbox and transport configurations but don’t provide specific controls for managing Outlook add-ins. Add-in management requires dedicated policy configuration.

Option C) is incorrect because Azure AD application control manages consent for enterprise applications that integrate with Azure AD but doesn’t specifically control Outlook add-ins, which are Office add-ins managed through different mechanisms.

Option D) is incorrect because Conditional Access policies control access to cloud applications based on conditions but don’t manage the installation or usage of add-ins within Outlook. They operate at a different layer of access control.

Question 40: 

You need to configure Microsoft 365 to prevent guest users from seeing other users in the Global Address List. What should you configure?

A) Azure AD external collaboration settings for guest visibility

B) Exchange Online address list policies

C) Guest user access restrictions in Azure AD

D) SharePoint external sharing settings

Answer: C

Explanation:

Guest user access restrictions in Azure AD provide specific controls over what guest users can see and access within the directory, including visibility of other users in the Global Address List. These settings are configured in the External Identities section of the Azure AD admin center under External collaboration settings. The “Guest user access restrictions” setting has three levels that control what information guests can enumerate from the directory.

When you configure the most restrictive option, guest users cannot see any directory objects including users, groups, or other guests in the Global Address List or through directory browsing. This setting ensures that guests can only collaborate with users and resources they are explicitly granted access to, without being able to discover other users in the organization. The restriction applies across all Microsoft 365 services including Outlook, Teams, and SharePoint. This setting helps maintain privacy and security by limiting guest users’ visibility into organizational structure and membership.

Option A) is incorrect because Azure AD external collaboration settings include multiple configurations for B2B collaboration, but the specific control for Global Address List visibility is found in the guest user access restrictions setting.

Option B) is incorrect because while Exchange Online address list policies can create filtered address lists for different user groups, they don’t provide the specific functionality to hide all users from guest accounts at the directory level.

Option D) is incorrect because SharePoint external sharing settings control how content can be shared with external users but don’t manage guest users’ visibility of other users in the Global Address List.
