Microsoft 365 MS-102 Administrator Exam Dumps and Practice Test Questions Set6 Q101-120


Question 101: 

Your organization needs to ensure that deleted users’ OneDrive content is automatically transferred to their managers. What should you configure?

A) OneDrive retention policy with manager inheritance

B) Access delegation before user deletion

C) PowerShell script for OneDrive ownership transfer

D) Microsoft 365 group provisioning for user files

Answer: B

Explanation:

Access delegation is the SharePoint admin center setting that hands a departing user's OneDrive to their manager. It depends on the manager attribute of the user object in Azure AD (Microsoft Entra ID): when the account is deleted, the service reads that attribute, grants the manager site collection administrator access to the former employee's OneDrive, and emails the manager that the content will be kept for the configured retention period (30 days by default, up to 3,650). If no manager is recorded, the secondary owner named in the same setting receives the access instead. The "before user deletion" in the answer is the prerequisite: the manager or secondary owner has to be in place before the account is removed, because the hand-off is evaluated only at deletion time, and an account deleted with an empty manager attribute and no secondary owner produces an orphaned OneDrive that nobody but an administrator can reach.

The same grant can be made by hand while the user is still active. Find the OneDrive URL (https://<tenant>-my.sharepoint.com/personal/<UPN with "@" and "." replaced by "_">) and add the manager as a site collection administrator, either from the user's profile in the SharePoint admin center or with Set-SPOUser -IsSiteCollectionAdmin $true. Access granted this way survives deletion: the OneDrive is retained for the configured period and remains reachable by anyone who holds site collection administrator rights on it.

What Microsoft 365 does not do is move the files anywhere: nothing is copied into the manager's own OneDrive or a departmental site. The manager gets a time-limited window into the deleted user's OneDrive and must copy or migrate whatever should outlive the retention period. Most organizations therefore wire the step into offboarding: the HR leaver notification triggers a check that the manager attribute is populated (or that a successor has been granted access) before the account is deleted, and the manager is told to move anything they need before the OneDrive is purged.

For organizations with frequent turnover, the check and the grant are easy to script against HR data. The script pulls departing users from the HR feed, resolves each user's manager in the directory, and grants the manager access before the account is deleted, so no content is orphaned when the account goes and business continuity does not depend on someone remembering the step.

Option A is incorrect because OneDrive retention settings only decide how long a deleted user's OneDrive is kept; they do not transfer access rights to anyone. Option C is incorrect because PowerShell can grant a manager access (Set-SPOUser -IsSiteCollectionAdmin), but that is custom automation of the same grant, not a tenant-level setting that performs it automatically. Option D is incorrect because Microsoft 365 group provisioning creates groups and their team sites and has nothing to do with an individual's OneDrive during offboarding.
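The manual grant described above, as an added example that is not part of the original page: it resolves the departing user's manager from the directory, refuses to continue if the manager attribute is empty (the same condition that would defeat access delegation after deletion), grants the manager site collection administrator rights on the OneDrive, and sets the tenant-wide retention period. The tenant name "contoso", the user jdoe@contoso.com, and the module choices (Microsoft.Graph and Microsoft.Online.SharePoint.PowerShell) are assumptions.

```powershell
# Added example: grant a departing user's manager access to their OneDrive before
# the account is deleted. Tenant, user and modules are hypothetical.
Connect-MgGraph -Scopes "User.Read.All" -NoWelcome
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$departingUpn = "jdoe@contoso.com"   # hypothetical leaver from the HR feed

# 1. Resolve the manager recorded on the Azure AD user object. Access delegation
#    after deletion only works when this attribute is populated, so fail loudly here.
$user       = Get-MgUser -UserId $departingUpn -ExpandProperty manager
$managerUpn = $user.Manager.AdditionalProperties.userPrincipalName
if (-not $managerUpn) {
    throw "No manager set for $departingUpn; set one in the directory or name a successor by hand."
}

# 2. Derive the personal site URL ('@' and '.' in the UPN become '_') and make sure it exists.
$oneDriveUrl = "https://contoso-my.sharepoint.com/personal/" + ($departingUpn -replace '[@.]', '_')
Get-SPOSite -Identity $oneDriveUrl | Out-Null   # throws if the OneDrive was never provisioned

# 3. Grant the manager site collection administrator rights while the account is still active.
Set-SPOUser -Site $oneDriveUrl -LoginName $managerUpn -IsSiteCollectionAdmin $true

# 4. Check the result. Get-SPOUser on someone else's OneDrive requires the caller to be
#    a site collection admin of that OneDrive as well; grant yourself the same way if needed.
Get-SPOUser -Site $oneDriveUrl |
    Where-Object { $_.IsSiteAdmin } |
    Select-Object LoginName, IsSiteAdmin

# 5. Tenant-wide: how long deleted users' OneDrives are kept (30 to 3650 days). The
#    access delegation toggle and the secondary owner are set in the SharePoint admin
#    center UI; there is no Set-SPOTenant switch for them.
Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod 365
```

The script deliberately stops when no manager is set rather than picking a fallback on its own: that decision (who the secondary owner is) should be a documented tenant setting, not something a script invents per run.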

Question 102: 

You need to ensure that emails containing patient health information are automatically encrypted when sent to external healthcare partners. What should you configure?

A) Mail flow rule with domain-based encryption for healthcare domains

B) Sensitivity label for healthcare information

C) DLP policy with healthcare information types

D) Transport rule with recipient filtering

Answer: A

Explanation:

A mail flow rule (transport rule) keyed on the recipient's domain encrypts every message to the named partner organizations without asking users to classify anything. The condition is "the recipient's domain is" one of the partner domains; the action applies a Microsoft Purview Message Encryption (Office 365 Message Encryption) rights-management template, normally Encrypt or Do Not Forward. Because the trigger is the destination rather than the content, every message to those partners is protected, including the ones where patient information is phrased in a way content detection would miss.

When configuring the rule, you list the partner domains (for example partner-hospital.com or clinic-network.org) in the recipient-domain condition and choose the encryption template as the action; the rule runs in the transport pipeline before the message leaves the tenant. Recipients in another Microsoft 365 tenant open the message natively in Outlook; other recipients get a notification mail and read the message in the OME portal after signing in or entering a one-time passcode. The message is encrypted in transit and at rest in the recipient's mailbox, but this is not end-to-end encryption in the strict sense: the keys are managed by the service, which is also why the sending tenant's eDiscovery can still decrypt the content.

The domain-based approach protects all messages to healthcare partners, not only those identified as containing patient information. That closes the gap left by users who forget to label a message and by identifiers that appear in contexts automated detection does not recognize. Where the compliance requirement is "all communication with external healthcare entities is protected", a domain rule is simpler to reason about and audit than a content-based policy.

Domain-based encryption combines well with content-based rules: a higher-priority rule can apply the Do Not Forward template when a message to a partner also contains specific patient identifiers or diagnosis codes, while the baseline rule encrypts everything else to those domains. Rule matches appear in message trace and the Exchange mail flow rule reports, not in the unified audit log, so those are the records to keep for HIPAA documentation; changes to the rules themselves are audited.

Option B is incorrect because sensitivity labels encrypt only where they are applied, which means either manual labeling or auto-labeling based on content detection; neither covers every message to a partner domain the way a domain condition does. Option C is incorrect because a DLP policy detects and blocks or notifies on sensitive content; it can apply encryption as an action, but only to messages whose content matches, not to everything sent to a given partner. Option D is incorrect because a recipient-filter condition on its own does nothing; it needs the encryption action, which is exactly what option A adds.
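The two rules described above, as an added example written for this page rather than taken from it: a baseline rule that applies the Encrypt template to everything sent to two partner domains, and a higher-priority rule that applies Do Not Forward when such a message also carries patient identifiers. The partner domains and the identifier keywords are hypothetical; the rule creation uses Exchange Online PowerShell cmdlets (ExchangeOnlineManagement module), and the template check assumes Purview Message Encryption is already set up in the tenant.

```powershell
# Added example: domain-based OME via mail flow rules (Exchange Online PowerShell).
# Partner domains and keywords are hypothetical.
Connect-ExchangeOnline -ShowBanner:$false

$partnerDomains = @("partner-hospital.com", "clinic-network.org")

# Check first: the rules reference RMS templates by name, so they must exist.
$templates = (Get-RMSTemplate).Name
foreach ($t in @("Encrypt", "Do Not Forward")) {
    if ($templates -notcontains $t) {
        throw "RMS template '$t' not found; verify Microsoft Purview Message Encryption is configured."
    }
}

# Rule 1: baseline. Every message to a partner domain is encrypted, whatever it contains.
New-TransportRule -Name "Encrypt mail to healthcare partners" `
    -RecipientDomainIs $partnerDomains `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -SetAuditSeverity Medium `
    -Comments "Baseline OME for PHI exchanged with external healthcare partners" | Out-Null

# Rule 2: inserted at priority 0 so it is evaluated before rule 1. When the message to a
# partner also mentions patient identifiers, apply Do Not Forward (no forward/copy/print)
# and stop processing so the weaker Encrypt action is not applied on top.
New-TransportRule -Name "Do Not Forward PHI to healthcare partners" `
    -RecipientDomainIs $partnerDomains `
    -SubjectOrBodyContainsWords @("MRN", "Medical Record Number", "Diagnosis Code") `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -SetAuditSeverity High `
    -StopRuleProcessing $true `
    -Priority 0 | Out-Null

# Check: both rules enabled and in the expected order (lower Priority runs first).
Get-TransportRule |
    Where-Object { $_.Name -like "*healthcare partners" } |
    Sort-Object Priority |
    Select-Object Priority, Name, State, ApplyRightsProtectionTemplate, StopRuleProcessing
```

The ordering matters: without the StopRuleProcessing flag and the explicit priority, a message with identifiers would match both rules and the last template applied would win.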

Question 103:

Your company wants to ensure that all SharePoint site collections include specific custom site columns for metadata tracking. What should you configure?

A) Content type hub publishing for enterprise columns

B) Site script with field provisioning

C) SharePoint term store management

D) Site collection features activation

Answer: A

Explanation:

The content type hub is the tenant's central site collection for reusable content types and the site columns they carry. In SharePoint Online every tenant already has one at https://<tenant>.sharepoint.com/sites/contentTypeHub (also surfaced as the content type gallery in the SharePoint admin center), and every site collection is subscribed to it automatically. Columns defined there and attached to a published content type are pushed to all site collections, so the metadata schema is consistent without anyone recreating columns site by site.

To implement this, create the site columns in the hub with their field types, validation rules and choice values, add them to a content type, and publish the content type. Site columns are not published on their own: they travel with the content types that use them. Propagation runs in the background (the content type subscriber job); it usually completes within minutes but can take hours, and a subscribing site can only request a refresh on the next run, not trigger it immediately. Site owners then add the published content type, or its columns, to their libraries and lists without redefining anything.

The hub approach has several advantages for enterprise metadata management. Changes made to columns in the hub are distributed by republishing the content type, which updates the definition in every subscribing site collection as requirements evolve. Columns can be marked required on the content type so that governance or compliance metadata is captured everywhere the content type is used. Publishing whole content types, not just columns, gives each document type a complete metadata template.

Published content types arrive read-only (sealed) in subscribing sites; editing a copy locally means unsealing it, which also detaches it from future hub updates, so keep changes in the hub. Each subscribing site's Content type publishing page (under site settings) lists the hub, logs publishing errors, and offers "Refresh all published content types on next update"; republishing from the hub is the way to push a fix.

Option B is incorrect because while site scripts can provision fields during site creation, they only affect new sites created with those scripts and do not provide centralized management for updating columns across existing sites. Option C is incorrect because SharePoint term store manages managed metadata hierarchies and taxonomies rather than site column distribution across site collections. Option D is incorrect because site collection features enable functionality packages but do not provision custom site columns across multiple site collections.
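The procedure above carried out with PnP PowerShell, as an added example that is not from the original page: create a column and a content type in the hub, publish the content type, then check on a subscribing site whether it has arrived. The tenant name "contoso", the site names, the column and content type names and the content type ID are all hypothetical; the cmdlets are from the PnP.PowerShell module, and interactive sign-in assumes the tenant has a registered Entra application for PnP.

```powershell
# Added example: enterprise column distributed through the content type hub (PnP.PowerShell).
# Names, URLs and the content type ID are hypothetical.
$hubUrl  = "https://contoso.sharepoint.com/sites/contentTypeHub"
$siteUrl = "https://contoso.sharepoint.com/sites/finance"

Connect-PnPOnline -Url $hubUrl -Interactive

# 1. Site column, defined once in the hub.
Add-PnPField -DisplayName "Records Review Date" -InternalName "RecordsReviewDate" `
    -Type DateTime -Group "Enterprise Columns" | Out-Null

# 2. Content type that carries the column. Columns are only distributed as part of a
#    published content type. ID = 0x0101 (Document) + "00" + a unique 32-hex-digit suffix.
Add-PnPContentType -Name "Enterprise Document" -Group "Enterprise Content Types" `
    -ContentTypeId "0x010100A1B2C3D4E5F60718293A4B5C6D7E8F90" `
    -Description "Base document type with enterprise metadata" | Out-Null
Add-PnPFieldToContentType -Field "RecordsReviewDate" -ContentType "Enterprise Document" -Required

# 3. Publish. Subscribers pick it up in the background; allow minutes to hours.
Publish-PnPContentType -ContentType "Enterprise Document"

# 4. Check on a subscribing site collection.
Connect-PnPOnline -Url $siteUrl -Interactive
$ct = Get-PnPContentType -Identity "Enterprise Document" -ErrorAction SilentlyContinue
if ($ct) {
    $fields = Get-PnPProperty -ClientObject $ct -Property Fields
    $names  = ($fields | ForEach-Object { $_.InternalName }) -join ", "
    "Content type present; columns: $names"
} else {
    "Not synced yet: wait for the content type subscriber job, or republish from the hub."
}
```

Running step 4 in a loop with a delay is the practical way to confirm propagation before telling site owners the content type is available.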

Question 104: 

You need to prevent users from downloading files from Teams channels to iOS devices. What should you configure?

A) Mobile Application Management policy for Teams on iOS

B) Teams app permission policy

C) Conditional Access policy for iOS devices

D) Intune app configuration policy

Answer: A

Explanation:

Intune app protection policies (the MAM controls) govern how the Teams iOS app handles organization data without requiring the device to be enrolled in Intune MDM. Settings such as blocking "Save copies of org data" and restricting data transfer to other apps keep files viewable inside Teams and the Office mobile apps while preventing them from landing in local storage, the Files app or a personal cloud account. This is the usual answer for personal (BYOD) iOS devices that employees use for work.

You create the policy in the Intune admin center (Apps > App protection policies) for the iOS/iPadOS platform, target the Teams app, and set the data protection options: Save copies of org data: Block; Send org data to other apps: Policy managed apps; Restrict cut, copy and paste: Policy managed apps with paste in; Backup org data to iTunes and iCloud: Block. Users can still open channel files in the in-app viewer or in the Office mobile apps, which are policy-managed too, but the Save and Download actions are blocked and the app shows the corresponding policy message.

App protection policies take effect when the app signs in with the work account; pairing them with a Conditional Access policy that grants Teams access only to apps with an approved app protection policy closes the gap where a user could reach the same data from an unmanaged client. A policy can be targeted to unmanaged devices only (the device enrollment filter), so corporate-owned, enrolled iPhones keep downloads while personal devices are restricted. That split balances security with productivity according to device ownership and management state.

Once downloaded, the settings are cached in the app and keep being enforced offline; the policy's offline grace period controls how long access continues without a check-in before the app blocks access or wipes org data. The same policy also covers PIN or biometric access, a minimum iOS version, and blocking jailbroken devices.

Option B is incorrect because Teams app permission policies control which apps users can install and use inside Teams; they do not manage data transfer or downloads on mobile devices. Option C is incorrect because a Conditional Access policy decides whether Teams can be accessed under given conditions; it does not control what happens to a file once the app has it, although it is the usual companion that forces the app to carry a protection policy. Option D is incorrect because Intune app configuration policies deliver settings to managed applications; it is app protection policies that enforce data loss prevention restrictions such as download blocking.
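The policy described above created through Microsoft Graph, as an added example that is not from the original page: it creates an iOS app protection policy with the download-blocking settings, targets it at the Teams iOS app by bundle ID, and assigns it to a group. The Microsoft.Graph module, the beta endpoint, the group ID and the policy name are assumptions; the Teams bundle ID com.microsoft.skype.teams is the published one.

```powershell
# Added example: iOS app protection policy for Teams via Microsoft Graph (beta endpoint).
# Group ID and names are hypothetical.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All" -NoWelcome
$graph = "https://graph.microsoft.com/beta"

$policy = @{
    displayName                             = "Teams iOS - block downloads (example)"
    description                             = "View in-app only; saving and transfer to unmanaged locations blocked"
    saveAsBlocked                           = $true             # no Save As to device or personal clouds
    allowedDataStorageLocations             = @()               # no approved save targets at all
    allowedOutboundDataTransferDestinations = "managedApps"     # share only to other policy-managed apps
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
    dataBackupBlocked                       = $true             # keep org data out of iCloud backup
    pinRequired                             = $true
    minimumRequiredOsVersion                = "16.0"
    deviceComplianceRequired                = $true             # blocks jailbroken devices
    periodOfflineBeforeAccessCheck          = "PT12H"           # offline grace before re-check
    periodOfflineBeforeWipeIsEnforced       = "P90D"            # offline limit before org data is wiped
    appGroupType                            = "selectedPublicApps"
}
$created  = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections" -Body $policy
$policyId = $created.id

# Target the Teams iOS app explicitly.
$targetApps = @{
    apps = @(@{
        mobileAppIdentifier = @{
            "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"
            bundleId      = "com.microsoft.skype.teams"
        }
    })
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$policyId/targetApps" -Body $targetApps

# Assign to the BYOD users group (hypothetical group ID).
$assign = @{
    assignments = @(@{
        target = @{
            "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
            groupId       = "00000000-0000-0000-0000-000000000001"
        }
    })
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$policyId/assign" -Body $assign

# Check: read back the settings that actually produce the download block.
Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$policyId" -OutputType PSObject |
    Select-Object displayName, saveAsBlocked, allowedDataStorageLocations,
                  allowedOutboundDataTransferDestinations, deviceComplianceRequired
```

Two settings do the real work: saveAsBlocked with an empty allowedDataStorageLocations removes every save target, and allowedOutboundDataTransferDestinations = managedApps stops the share sheet from handing the file to an unmanaged app.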

Question 105: 

Your organization needs to ensure that administrative roles in Azure AD require approval before activation. What should you configure?

A) Privileged Identity Management approval workflow

B) Azure AD access reviews

C) Conditional Access policy for administrators

D) Administrative unit delegation

Answer: A

Explanation:

A Privileged Identity Management approval workflow requires a designated approver to act on an activation request before an eligible assignment becomes active. Approval is enabled per role in the role's activation settings in PIM for Azure AD (now Microsoft Entra ID) roles, next to the maximum activation duration, the MFA requirement, and the justification and ticket-number requirements. Eligible assignments plus approval give you zero standing privilege with a human gate in front of every activation.

To configure it, open PIM > Azure AD roles > Settings, select the role, enable "Require approval to activate", and choose the approvers (individual users or groups; if none are selected, Privileged Role Administrators and Global Administrators are the default approvers). An eligible user then activates from My roles, supplying a justification and, if required, completing MFA; the approvers are notified, see the request with its justification and requester, and approve or deny, recording their own justification.

This adds accountability for the roles that matter most, typically Global Administrator, Privileged Role Administrator, Security Administrator and Exchange Administrator, while lower-risk roles activate without approval. Approval is single-stage: any one of the listed approvers can approve, there is no m-of-n quorum, approvers cannot approve their own requests, and a request that nobody acts on expires after 24 hours.

Every step is recorded in the PIM audit history and the Azure AD audit log: who requested activation, who approved or denied it, the justifications on both sides, and when the activation started and ended. Those records support compliance reporting and investigation of unexpected activations. Because quorum is not available, organizations that want two-person control over Global Administrator pair approval with a small approver group, short activation windows, and PIM alerts and notifications on activation.

Option B is incorrect because Azure AD access reviews provide periodic certification of existing access rights rather than real-time approval workflows for role activation requests. Option C is incorrect because Conditional Access policies enforce authentication requirements and access conditions but do not provide approval workflows for administrative role activation. Option D is incorrect because administrative unit delegation manages scoped administrative permissions but does not implement approval workflows for role activation.
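The activation-approval setting above applied through Microsoft Graph, as an added example that is not from the original page: it locates the role management policy for Global Administrator at tenant scope, replaces its end-user approval rule so that members of an approver group must approve, and reads the rule back. The approver group name "PIM Approvers" and the Microsoft.Graph module are assumptions; the Global Administrator template ID 62e90394-69f5-4237-9190-012177145e10 is the well-known one.

```powershell
# Added example: require approval for Global Administrator activation in PIM (Graph v1.0).
# Approver group name is hypothetical; run as a Privileged Role Administrator.
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory", "Group.Read.All" -NoWelcome
$graph = "https://graph.microsoft.com/v1.0"

$roleTemplateId = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator
$approverGroup  = Get-MgGroup -Filter "displayName eq 'PIM Approvers'" | Select-Object -First 1
if (-not $approverGroup) { throw "Create the approver group first; an empty approver list falls back to PRAs/GAs." }

# 1. Find the policy that governs this role at tenant ('/') scope.
$filter     = "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$roleTemplateId'"
$uri        = "$graph/policies/roleManagementPolicyAssignments?`$filter=" + [uri]::EscapeDataString($filter)
$assignment = (Invoke-MgGraphRequest -Method GET -Uri $uri).value | Select-Object -First 1
$policyId   = $assignment.policyId

# 2. Replace the end-user activation approval rule. Single stage: any one approver in the
#    group suffices; an unanswered request expires after approvalStageTimeOutInDays.
$rule = @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
    id            = "Approval_EndUser_Assignment"
    target        = @{
        caller = "EndUser"; operations = @("All"); level = "Assignment"
        inheritableSettings = @(); enforcedSettings = @()
    }
    setting = @{
        "@odata.type"                    = "#microsoft.graph.approvalSettings"
        isApprovalRequired               = $true
        isApprovalRequiredForExtension   = $false
        isRequestorJustificationRequired = $true
        approvalMode                     = "SingleStage"
        approvalStages = @(@{
            approvalStageTimeOutInDays      = 1
            isApproverJustificationRequired = $true
            escalationTimeInMinutes         = 0
            isEscalationEnabled             = $false
            primaryApprovers    = @(@{ "@odata.type" = "#microsoft.graph.groupMembers"; groupId = $approverGroup.Id })
            escalationApprovers = @()
        })
    }
}
Invoke-MgGraphRequest -Method PATCH `
    -Uri "$graph/policies/roleManagementPolicies/$policyId/rules/Approval_EndUser_Assignment" -Body $rule

# 3. Check: read the rule back and confirm approval is now required with one approver entry.
$current = Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/policies/roleManagementPolicies/$policyId/rules/Approval_EndUser_Assignment"
"Approval required: $($current.setting.isApprovalRequired); approver entries: $($current.setting.approvalStages[0].primaryApprovers.Count)"
```

Reading the rule back matters because the rule ID is fixed per policy and a PATCH against the wrong policy ID (for example a custom-scoped one) succeeds silently without touching the tenant-wide setting.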

Question 106: 

You need to ensure that all Microsoft 365 alerts are sent to a security information and event management system for centralized monitoring. What should you configure?

A) Security and Compliance Center alert policy with webhook integration

B) Azure AD audit log streaming

C) Microsoft Defender for Cloud Apps SIEM agent

D) Office 365 Management Activity API

Answer: D

Explanation:

The Office 365 Management Activity API exposes the unified audit log as subscribable feeds: Audit.AzureActiveDirectory, Audit.Exchange, Audit.SharePoint, Audit.General (which carries the security and compliance alerts as well as Defender and Purview events) and DLP.All. A SIEM that consumes these feeds receives events from Exchange Online, SharePoint, OneDrive, Teams, Azure AD and the other workloads and can correlate them with events from outside Microsoft 365.

To wire it up, register an application in Azure AD, grant it the Office 365 Management APIs application permission ActivityFeed.Read (and ActivityFeed.ReadDlp if DLP content is wanted), and consent to it. The SIEM authenticates with client credentials against the manage.office.com resource, starts a subscription per content type, and then either polls the content endpoint or registers a webhook that the service calls when new content blobs are available. Each blob is a JSON array of audit records that the SIEM parses and normalizes into its own schema. Unified audit logging must be turned on in the tenant or the feeds stay empty.

Two limits matter when sizing the integration: a content listing request covers at most 24 hours, and blobs are retained for only 7 days, so a collector that falls behind loses data unless it records the last blob it fetched and backfills on recovery. Blob listings are paged (the NextPageUri response header), and delivery is at least once, so the SIEM should de-duplicate on the record Id. Filtering is by content type and time window; anything finer is done on the SIEM side.

Most SIEM vendors provide pre-built connectors for the Office 365 Management Activity API that handle authentication, subscription management, paging, retries and parsing. Those integrations are maintained as Microsoft changes the API, which is why they are preferred over custom code; a direct integration is still the right choice when the organization needs filtering or routing the vendor connector does not offer.

Option A is incorrect because while Security and Compliance Center alert policies can send email notifications, webhook integration for SIEM platforms requires using the Management Activity API rather than direct alert policy integration. Option B is incorrect because Azure AD audit log streaming focuses specifically on Azure AD events rather than comprehensive Microsoft 365 security alerts and audit data across all workloads. Option C is incorrect because while Defender for Cloud Apps includes SIEM integration capabilities, the comprehensive API for all Microsoft 365 activity data is the Office 365 Management Activity API rather than the Cloud App Security-specific agent.
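The collection loop a SIEM connector runs, as an added example that is not from the original page: authenticate with client credentials, start the subscriptions, list the content blobs for a time window while following paging, download each blob, and pick out the alert records. The tenant ID, client ID and secret are placeholders, the script assumes PowerShell 7, and the app is assumed to hold the ActivityFeed.Read application permission.

```powershell
# Added example: pull audit and alert records from the Office 365 Management Activity API.
# Tenant/app identifiers are placeholders; requires PowerShell 7.
$tenantId     = "00000000-0000-0000-0000-000000000000"
$clientId     = "11111111-1111-1111-1111-111111111111"
$clientSecret = Read-Host -AsSecureString "Client secret" | ConvertFrom-SecureString -AsPlainText
$base         = "https://manage.office.com/api/v1.0/$tenantId/activity/feed"

# 1. Token for the manage.office.com resource (this is not a Graph token).
$token = (Invoke-RestMethod -Method POST -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Body @{
    client_id = $clientId; client_secret = $clientSecret
    scope     = "https://manage.office.com/.default"; grant_type = "client_credentials"
}).access_token
$headers = @{ Authorization = "Bearer $token" }

# 2. One subscription per content type. Audit.General carries alert records. Re-starting is harmless.
$contentTypes = @("Audit.General", "Audit.AzureActiveDirectory", "Audit.Exchange", "Audit.SharePoint", "DLP.All")
foreach ($ct in $contentTypes) {
    Invoke-RestMethod -Method POST -Headers $headers -Uri "$base/subscriptions/start?contentType=$ct" | Out-Null
}

# 3. List blobs for the last hour (max 24 h per call; blobs live 7 days), follow paging,
#    download each blob. A real collector persists the last contentUri seen per type.
$end    = (Get-Date).ToUniversalTime()
$start  = $end.AddHours(-1)
$fmt    = "yyyy-MM-ddTHH:mm:ss"
$events = foreach ($ct in $contentTypes) {
    $uri = "$base/subscriptions/content?contentType=$ct&startTime=$($start.ToString($fmt))&endTime=$($end.ToString($fmt))"
    while ($uri) {
        $resp = Invoke-WebRequest -Headers $headers -Uri $uri
        foreach ($blob in ($resp.Content | ConvertFrom-Json)) {
            Invoke-RestMethod -Headers $headers -Uri $blob.contentUri   # JSON array of audit records
        }
        $uri = if ($resp.Headers.ContainsKey("NextPageUri")) { [string]$resp.Headers["NextPageUri"] } else { $null }
    }
}

# 4. De-duplicate on record Id (delivery is at-least-once) and surface the alerts.
$events | Sort-Object Id -Unique |
    Where-Object { $_.Operation -eq "AlertTriggered" } |
    Select-Object CreationTime, Workload, Operation, UserId, Data
```

The Data field of an alert record is itself a JSON string with the alert details; a SIEM normalizes that one level further, but the fields shown are enough to confirm the feed is live.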

Question 107: 

Your company wants to automatically apply retention labels to documents based on their creation date. What should you configure?

A) Auto-apply retention label policy using document properties

B) Document set retention settings

C) SharePoint information management policy

D) Power Automate flow with label application

Answer: A

Explanation:

An auto-apply retention label policy in Microsoft Purview labels content that matches a condition without any user action. The available conditions are sensitive information types, trainable classifiers, and a keyword or property query written in KQL; the query is what lets you target creation date, because SharePoint and OneDrive expose Created as a searchable managed property (for example Created<=2020-12-31).

The policy is scoped to SharePoint sites, OneDrive accounts, Microsoft 365 Groups and, for email, Exchange mailboxes. You write a query that selects documents by creation date and, optionally, by path, file type or other properties, and choose the label to apply. For example, you might apply a seven-year retention label to finance documents created in particular fiscal years, or an archival label to anything older than a cut-off while recent documents stay on shorter schedules. The label, not the policy, decides what happens next: its retention period can itself be counted from the creation date, so old documents that receive the label are already part-way through their retention period when it lands.

Auto-apply policies run in the background and evaluate both existing and newly created items; Microsoft's guidance is to allow up to seven days for labels to appear. Once applied, the label drives retention and deletion according to its settings, so retention is consistent with document age without relying on users to classify content or understand the schedule. Items that already carry a retention label are not relabeled by an auto-apply policy, which is one reason to get the query right before the first run.

The policy offers simulation mode, which reports which items would be labeled without labeling them; that is where an over-broad date query gets caught. After the policy is turned on, its details page and activity explorer show how many items received the label and where, which is how you track progress across large repositories.

Option B is incorrect because document set retention settings apply to document set content types in SharePoint but do not provide organization-wide auto-labeling based on creation dates across all document types. Option C is incorrect because SharePoint information management policies are legacy features replaced by modern retention labels and policies in Microsoft Purview. Option D is incorrect because while Power Automate flows can apply labels, auto-apply retention label policies provide native functionality specifically designed for condition-based labeling without requiring custom automation.
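The date-based auto-apply policy built with Security & Compliance PowerShell, as an added example that is not from the original page: create the label, create the policy, add a rule whose KQL condition matches by creation date and site path, and read the policy's distribution status back. The label and policy names, the cut-off date, the site path and the tenant name "contoso" are hypothetical; cmdlets are from the ExchangeOnlineManagement module (Connect-IPPSSession).

```powershell
# Added example: auto-apply a retention label by creation date (Security & Compliance PowerShell).
# Names, dates and paths are hypothetical.
Connect-IPPSSession

$label  = "Finance records - 7 years (example)"
$policy = "Auto-apply finance 7y (example)"

# 1. Label: keep for 7 years counted from the item's creation date, then delete.
New-ComplianceTag -Name $label `
    -RetentionAction KeepAndDelete -RetentionDuration 2555 -RetentionType CreationAgeInDays `
    -Comment "Auto-applied to finance documents created before 2021" | Out-Null

# 2. Auto-apply policy scoped to all SharePoint sites and OneDrive accounts.
New-RetentionCompliancePolicy -Name $policy -SharePointLocation All -OneDriveLocation All -Enabled $true | Out-Null

# 3. Rule: the Created managed property in KQL, narrowed by path so the label only lands
#    in the finance site. First-pass labeling can take up to 7 days.
New-RetentionComplianceRule -Name "Created before 2021 in Finance" -Policy $policy `
    -ApplyComplianceTag $label `
    -ContentMatchQuery 'Created<=2020-12-31 AND Path:"https://contoso.sharepoint.com/sites/finance"' | Out-Null

# 4. Checks: policy distribution state, and the exact query the rule will run.
Get-RetentionCompliancePolicy -Identity $policy -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus
Get-RetentionComplianceRule -Policy $policy |
    Select-Object Name, ApplyComplianceTag, ContentMatchQuery
```

Note that the rule uses ApplyComplianceTag, which is the auto-apply form; PublishComplianceTag on the same cmdlet would instead make the label available for users to apply manually.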

Question 108: 

You need to prevent guest users from downloading attachments from Teams messages. What should you configure?

A) Teams guest access settings with file download restrictions

B) Azure AD B2B collaboration policy

C) Conditional Access session control for Teams

D) SharePoint external sharing settings

Answer: A

Explanation:

Guest access for Teams is switched on and shaped in the Teams admin center (Users > Guest access): whether guests can join teams at all, and what they can do in calls, meetings and messaging (edit and delete their own messages, chat, Giphy, memes and stickers, immersive reader). Team owners can trim guest permissions further in each team's settings. Those settings contain no per-guest download switch; that part of the control rests on the storage Teams uses, since channel files live in the team's SharePoint site and chat attachments in the sender's OneDrive.

The download block for guests is therefore enforced at the SharePoint/OneDrive layer and surfaces in Teams. The SharePoint admin center's unmanaged-device access control, "Allow limited, web-only access", removes Download, Print and Sync from sessions that do not come from a managed device; guest accounts almost never sign in from a device the tenant manages, so they fall under it, and the file viewers Teams embeds are SharePoint web viewers that honor it. The same restriction can be applied to individual sites with Set-SPOSite -ConditionalAccessPolicy AllowLimitedAccess when only some teams hold sensitive content. The result is that guests can read and co-author in the browser but cannot pull files onto their own devices.

Guest access settings apply to every guest in the tenant, so they set the floor; per-team guest settings and site-level access controls tune it. Organizations typically let guests discuss, view and edit collaboratively online while blocking extraction, and they keep in mind that SharePoint external sharing (who can be invited, what links are allowed) and the download control are separate settings that have to agree with each other.

Implementation requires careful consideration of collaboration scenarios to ensure restrictions do not impede legitimate business needs. Some organizations enable download restrictions only for specific teams containing sensitive content while allowing normal guest access in teams focused on less sensitive collaboration. Regular communication with internal users and external partners helps manage expectations about guest capabilities.

Option B is incorrect because the Azure AD B2B collaboration settings control who can invite guests and how guests authenticate; they do not govern file downloads inside Teams. Option C is incorrect because Conditional Access session controls (Conditional Access App Control through Defender for Cloud Apps) proxy browser sessions to SharePoint and OneDrive and can block downloads there, but they do not reach into the Teams client interface. Option D is incorrect because SharePoint external sharing settings govern invitations and link types, not what an authenticated guest can do with a file once they have access; the download restriction is a separate access control.

Question 109: 

Your organization needs to ensure that emails deleted by users can be recovered by administrators for up to one year. What should you configure?

A) Single item recovery with extended retention period

B) Litigation hold for all mailboxes

C) Deleted item retention period extension

D) In-Place Hold policy

Answer: A

Explanation:

Single item recovery is a per-mailbox setting that stops users from purging items out of the Recoverable Items folder before the mailbox's deleted item retention period ends, so an administrator can still retrieve them with a content search or eDiscovery. It is the first half of the answer: on its own it protects items only for the RetainDeletedItemsFor window, which is 14 days by default and 30 days at most, so the one-year requirement needs the second half, a retention policy that keeps mailbox items for a year.

Without single item recovery, a user can open Recover Deleted Items and purge an item, after which it is gone at the next Managed Folder Assistant pass. With it enabled, the purged item moves to the hidden Purges subfolder of Recoverable Items and stays there until the deleted item retention period expires. When the mailbox is also covered by a Microsoft Purview retention policy (or a litigation hold), the Managed Folder Assistant keeps purged items until the retention period has elapsed rather than deleting them at the 30-day mark; the user sees nothing, but the items remain searchable by compliance administrators.

The implementation is therefore two steps: enable single item recovery on the mailboxes (Set-Mailbox -SingleItemRecoveryEnabled $true, usually raising RetainDeletedItemsFor to its 30-day maximum at the same time), then create a retention policy scoped to Exchange with a one-year retention period. Items users delete or purge are then retained for the full year, measured from the age the policy uses (creation or last modification), after which they expire normally.

This covers the recovery requirement without the open-ended preservation of a legal hold. Content stays invisible to users but searchable with Content search or eDiscovery, from which administrators export or restore it. Different retention periods can be aimed at different groups of users through the policy's scope or adaptive scopes, for example a longer period for regulated roles.

Option B is incorrect because litigation hold preserves all mailbox content (indefinitely unless LitigationHoldDuration is set) for legal matters; it is a preservation tool rather than a one-year recoverability window with normal expiry afterwards. Option C is incorrect because deleted item retention caps at 30 days and, without single item recovery, users can still purge items before it expires. Option D is incorrect because In-Place Holds have been retired in Exchange Online in favor of retention policies and litigation hold.
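The two-step configuration above, as an added example that is not from the original page: enable single item recovery and the 30-day deleted item retention on user mailboxes, create a one-year Exchange retention policy in Purview, and then run the checks that show a mailbox is actually covered. The policy name, the sample mailbox jdoe@contoso.com and the module (ExchangeOnlineManagement, for both Connect-ExchangeOnline and Connect-IPPSSession) are assumptions.

```powershell
# Added example: one-year admin recoverability of deleted mail. Names are hypothetical.
Connect-ExchangeOnline -ShowBanner:$false
Connect-IPPSSession

# 1. Per mailbox: single item recovery on, deleted item retention at the 30-day ceiling.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -SingleItemRecoveryEnabled $true -RetainDeletedItemsFor 30

# 2. Tenant-wide retention policy: keep every mailbox item for 365 days from last modification.
#    Deleted/purged items stay in Recoverable Items until this period ends, which is what
#    extends the window beyond the 30-day mailbox maximum.
$policy = "Mail - 1 year recoverability (example)"
New-RetentionCompliancePolicy -Name $policy -ExchangeLocation All | Out-Null
New-RetentionComplianceRule -Name "Keep 365 days" -Policy $policy `
    -RetentionComplianceAction Keep -RetentionDuration 365 -ExpirationDateOption ModificationAgeInDays | Out-Null

# 3. Checks. InPlaceHolds lists the retention policy GUID (mbx... entry) once the policy has
#    reached the mailbox, which can take a while after creation.
Get-Mailbox -Identity "jdoe@contoso.com" |
    Select-Object SingleItemRecoveryEnabled, RetainDeletedItemsFor, LitigationHoldEnabled, InPlaceHolds

# Recoverable Items sizing: the Purges and DiscoveryHolds subfolders grow when items are held,
# so watch the 100 GB Recoverable Items quota on busy mailboxes.
Get-MailboxFolderStatistics -Identity "jdoe@contoso.com" -FolderScope RecoverableItems |
    Select-Object Name, ItemsInFolder, FolderSize
```

Run the first check a few hours after creating the policy: an empty InPlaceHolds value means the hold has not yet propagated and deleted items are still subject only to the 30-day window.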

Question 110: 

You need to delegate the ability to create and manage eDiscovery searches without granting permissions to export results. Which role should you assign?

A) Compliance Search role

B) eDiscovery Manager with limited permissions

C) Security Reader

D) Records Management

Answer: A

Explanation:

The Compliance Search role (a Purview role, not a role group) lets a user create and run content searches across Exchange mailboxes, SharePoint sites, OneDrive accounts and Teams locations and view the resulting statistics, without the Export role that downloads results or the Case Management role that creates eDiscovery cases. You assign it through a custom role group that contains only that role, adding the separate Preview role if the investigator also needs to open individual hits.

This separation suits compliance staff who scope an inquiry or confirm whether relevant content exists without needing export, which is the step that actually moves data out of the tenant. Searching and exporting become distinct privileges with distinct authorization: first-level investigators get search (and perhaps preview), while export stays with senior compliance officers or legal counsel.

Users with the role use Content search in the Microsoft Purview compliance portal to build queries with keywords, dates, senders and other conditions and to choose the locations to search. They see search statistics (how many items matched, which locations held them) and can refine the query. Opening an individual item requires the Preview role as well; statistics and location counts do not.

Because export is the high-risk step, keeping it behind a different role group means an investigator can establish that a matter warrants escalation, and the decision to open a full eDiscovery case and produce content is made by someone holding eDiscovery Manager or eDiscovery Administrator membership.

Option B is incorrect because eDiscovery Manager is a role group that bundles Compliance Search with Export, Preview, Hold, Case Management and more; rather than trimming the built-in group, you create a custom role group with the roles you want, which is what option A describes. Option C is incorrect because Security Reader gives read-only access to security reports and configuration, not content search. Option D is incorrect because the Records Management role group is about retention labels, file plans and disposition reviews, not searching content.
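The custom role group described above, as an added example that is not from the original page: create a role group holding only Compliance Search and Preview, verify it carries neither Export nor Case Management, compare it with the built-in eDiscovery Manager group, and list which role groups in the tenant can export at all. The group name and the member UPN are hypothetical; cmdlets are from Security & Compliance PowerShell (Connect-IPPSSession in the ExchangeOnlineManagement module).

```powershell
# Added example: search-only Purview role group (Security & Compliance PowerShell). Names hypothetical.
Connect-IPPSSession

$groupName = "Content Search Investigators"

# Roles involved: "Compliance Search" = create/run searches and view statistics;
# "Preview" = open individual hits; "Export" = download results; "Case Management" = eDiscovery cases.
New-RoleGroup -Name $groupName `
    -Roles "Compliance Search", "Preview" `
    -Members "investigator1@contoso.com" `
    -Description "Scoping searches only; escalate to eDiscovery Manager for export" | Out-Null

# Check 1: the new group must not carry the roles we set out to withhold.
$roles = (Get-RoleGroup -Identity $groupName).Roles
foreach ($forbidden in @("Export", "Case Management")) {
    if ($roles -match $forbidden) { throw "Role group '$groupName' unexpectedly includes $forbidden" }
}
"Roles in '$groupName': " + ($roles -join ", ")

# Check 2: contrast with the built-in group, which does include Export.
"Roles in eDiscovery Manager: " + ((Get-RoleGroup -Identity "eDiscovery Manager").Roles -join ", ")

# Check 3: every role group that can export, with its members. This is the list to review
#          periodically, because export is the step that takes content out of the tenant.
Get-RoleGroup |
    Where-Object { $_.Roles -match "Export" } |
    Select-Object Name, @{n = "Members"; e = { $_.Members -join ", " }}
```

Check 3 is the one worth scheduling: a search-only group is only meaningful if the set of people who can export stays small and known.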

Question 111: 

Your company wants to ensure that all Power Platform environments require approval before creation. What should you configure?

A) Power Platform environment creation policy

B) Azure AD application consent policy

C) Microsoft 365 admin center environment settings

D) Power Platform admin center creation restrictions

Answer: D

Explanation:

Environment creation is governed in the Power Platform admin center under Settings > Tenant settings: "Who can create production and sandbox environments", "Who can create trial environments" and "Who can create developer environments" can each be set to Everyone or Only specific admins. The same switches are exposed to PowerShell as tenant settings such as disableEnvironmentCreationByNonAdminUsers. The admin center does not contain an approval workflow of its own: restricting creation to admins is what turns environment creation into a request, and the approval step is built around that, usually with a Power Automate flow that collects the request and routes it for approval.

Once creation is restricted to administrators, users who need an environment submit a request through the designated process. Many organizations provide a self-service form (a Power Automate flow or a Forms-based intake) where requesters justify the need; the flow routes the request to IT or the governance team, who confirm the business justification, check licensing and capacity, and verify that the environment will follow naming, security and data policy standards before an administrator creates it.

Environment creation restrictions keep the Power Platform estate governed by preventing uncontrolled proliferation of environments, which otherwise leads to data sprawl, licensing surprises and security gaps. Central approval ensures each environment serves a legitimate need, follows naming conventions, has appropriate security settings, designated administrators and data loss prevention policies.

Because the three switches are independent, organizations often leave trial or developer environment creation open for experimentation while production and sandbox environments require a request; trial environments expire on their own, which limits the sprawl they can cause, and business-critical solutions are confined to environments that went through approval.

Option A is incorrect because Power Platform environment creation policy is not a distinct standalone feature; creation restrictions are configured through admin center settings rather than a separate policy type. Option B is incorrect because Azure AD application consent policy controls user consent for applications requesting permissions rather than Power Platform environment creation. Option C is incorrect because Microsoft 365 admin center does not provide Power Platform environment creation controls; these settings are managed in the dedicated Power Platform admin center.
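The tenant settings above set from PowerShell, as an added example that is not from the original page: read the current settings, restrict production/sandbox, trial and developer environment creation to admins, read the settings back, and list existing environments with their creators as the baseline an approval process starts from. The cmdlets are from the Microsoft.PowerApps.Administration.PowerShell module; the developer-environment setting is the newer of the three and is assumed to be present on the tenant settings object.

```powershell
# Added example: restrict Power Platform environment creation to admins.
# Requires the Microsoft.PowerApps.Administration.PowerShell module and a Power Platform admin.
Install-Module Microsoft.PowerApps.Administration.PowerShell -Scope CurrentUser -Force
Add-PowerAppsAccount   # interactive sign-in

# 1. Read the current tenant settings and flip the creation switches.
$settings = Get-TenantSettings
$settings.disableEnvironmentCreationByNonAdminUsers          = $true   # production and sandbox
$settings.disableTrialEnvironmentCreationByNonAdminUsers     = $true   # trials
$settings.disableDeveloperEnvironmentCreationByNonAdminUsers = $true   # developer (newer setting)
Set-TenantSettings -RequestBody $settings | Out-Null

# 2. Check: read back the three switches.
Get-TenantSettings | Select-Object disableEnvironmentCreationByNonAdminUsers,
    disableTrialEnvironmentCreationByNonAdminUsers,
    disableDeveloperEnvironmentCreationByNonAdminUsers

# 3. Baseline: what already exists, who created it and when. Anything created by a
#    non-admin before today is the sprawl the request process is meant to stop growing.
Get-AdminPowerAppEnvironment |
    Select-Object DisplayName, EnvironmentType,
        @{n = "CreatedBy"; e = { $_.CreatedBy.displayName }}, CreatedTime |
    Sort-Object CreatedTime -Descending
```

The read-back in step 2 is not redundant: Set-TenantSettings replaces the whole settings object, so it is worth confirming that only the intended properties changed.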

Question 112: 

You need to ensure that all SharePoint Online pages include a disclaimer footer when shared externally. What should you configure?

A) SharePoint footer customization with external sharing detection

B) SharePoint site design with footer provisioning

C) Master page customization for external users

D) Site script with content injection

Answer: A

Explanation:

SharePoint footer customization with external sharing detection provides the capability to display organization-wide footer content on SharePoint pages that can include disclaimers for external users. While SharePoint Online does not have built-in conditional footer display based on user type, organizations can implement footer customization through SharePoint Framework extensions or modern footer configurations that apply to all site pages. The footer can include legal disclaimers, confidentiality notices, or usage terms relevant to external recipients.

To implement disclaimer footers, you can use SharePoint Framework application customizers that inject footer content on pages when external users access sites. The customizer detects whether the current user is a guest or member and displays appropriate disclaimer text accordingly. Alternatively, you can configure site footers through SharePoint communication site settings that apply to all pages viewed by any user including external guests who access shared content.

The footer content remains visible regardless of which pages external users navigate to within permitted sites, ensuring consistent presentation of legal or compliance notices. Organizations typically include information about data handling expectations, restrictions on redistribution, confidentiality requirements, or copyright notices in these footers. The footer persists across user sessions providing continuous reminder of usage terms.

Implementation requires balancing visibility of disclaimers with user experience considerations. Footers should be prominent enough to ensure external users notice them but not so intrusive that they impede content consumption. Many organizations use bold text or distinctive background colors for disclaimer footers while keeping them compact to preserve page real estate for actual content.

Option B is incorrect because site designs provision configurations during site creation but do not provide dynamic footer display based on whether content is being accessed by external users. Option C is incorrect because modern SharePoint Online does not use master pages as the customization mechanism; modern pages use different rendering approaches. Option D is incorrect because site scripts provision configurations but do not enable conditional content injection based on user authentication status or external access detection.

Question 113: 

Your organization needs to prevent users from creating Microsoft Lists that contain specific sensitive data types. What should you configure?

A) Data Loss Prevention policy for Microsoft Lists

B) SharePoint list template restrictions

C) Information barriers for Lists

D) List creation policy

Answer: A

Explanation:

Data Loss Prevention policies for Microsoft Lists provide content-based protection that detects when lists contain sensitive information types and enforces organizational policies to prevent unauthorized data storage. You create DLP policies in Microsoft Purview that target SharePoint locations including Microsoft Lists and configure rules that detect sensitive data types such as credit card numbers, social security numbers, or health information. When users create lists containing these sensitive data types, the DLP policy can block creation, generate alerts, or require justification.

The DLP policy continuously monitors list content including column values, list items, and attachments. When sensitive information is detected, the policy can take actions such as preventing external sharing of the list, restricting access to authorized users only, or generating policy tips that warn users about storing sensitive data in lists. Administrators receive incident reports when policy violations occur, enabling investigation and remediation.

DLP policies for Lists support custom sensitive information types allowing organizations to define patterns specific to their data protection needs beyond built-in types. You can create rules that detect proprietary information formats, internal codes, or business-specific identifiers that should not appear in broadly accessible lists. The policies apply across all lists in the organization providing consistent enforcement regardless of which users create lists or which sites contain them.

Policy configuration includes options for different enforcement modes allowing organizations to start with policy tips that educate users about sensitive data handling before progressing to blocking actions that prevent policy violations. This phased approach helps users understand requirements while gradually tightening enforcement. Exceptions can be configured for specific lists that have legitimate needs to contain certain data types with appropriate security controls.

Option B is incorrect because SharePoint list template restrictions control which list templates users can access but do not analyze content for sensitive information or prevent storage of specific data types. Option C is incorrect because information barriers segment communications between groups but do not prevent storage of sensitive data types in lists. Option D is incorrect because there is no standalone list creation policy; data protection for lists is implemented through DLP policies that analyze content.

Question 114: 

You need to ensure that all Microsoft Bookings calendars can only be accessed by authenticated users from your organization. What should you configure?

A) Bookings access control settings requiring authentication

B) Conditional Access policy for Bookings

C) Azure AD application restrictions

D) Bookings sharing policy

Answer: A

Explanation:

Bookings access control settings requiring authentication provide direct controls over who can access Bookings calendars and schedule appointments through the Bookings interface. In the Microsoft 365 admin center under Bookings settings, you can configure organization-wide policies that determine whether Bookings pages are publicly accessible or require authentication with organizational credentials. When you enable the setting that requires authentication, only users signed in with accounts from your organization can view available time slots and book appointments.

This configuration prevents public access to Bookings calendars ensuring that appointment scheduling is available only to internal users or specific external partners who have been granted guest accounts in your Azure AD tenant. The authentication requirement protects schedule information from being viewed by unauthorized individuals and ensures that all bookings are associated with identifiable users whose identities have been verified through your authentication systems.

Organizations often enable authentication requirements when Bookings is used for internal services like IT help desk appointments, HR meetings, or internal training sessions where public scheduling would be inappropriate. The setting applies organization-wide to all Bookings calendars unless individual booking pages have additional restrictions configured. Staff members managing Bookings calendars retain full access while scheduling remains restricted to authenticated users.

The authentication requirement integrates with Azure AD sign-in policies including multi-factor authentication requirements and Conditional Access policies. Users attempting to access Bookings must complete all authentication requirements before viewing available appointments. This ensures comprehensive identity verification for appointment scheduling while maintaining convenient self-service booking capabilities for authorized users.

Option B is incorrect because while Conditional Access policies can control access to the Bookings application, the specific setting for requiring authentication for calendar access is configured in Bookings settings rather than through Conditional Access. Option C is incorrect because Azure AD application restrictions control application consent and permissions rather than configuring access requirements for Bookings calendars. Option D is incorrect because Bookings sharing policy is not a distinct configuration feature; access controls are managed through Bookings settings in the admin center.

Question 115: 

Your company wants to automatically delete all Teams private chat messages older than 180 days. What should you configure?

A) Retention policy for Teams private chats with deletion action

B) Teams messaging policy

C) Chat retention settings in Teams admin center

D) User mailbox retention policy

Answer: A

Explanation:

Retention policies for Teams private chats with deletion action provide the mechanism to automatically delete chat messages based on age, ensuring that older communications are removed to manage storage and comply with data minimization principles. When you create a retention policy in Microsoft Purview targeting Teams locations, you can specifically include private chats and configure the policy to delete messages after 180 days. The policy operates in the background processing chats and removing messages that exceed the retention period.

The retention period calculation begins from when messages are created, so a message sent 181 days ago is eligible for deletion regardless of whether users have read or referenced it recently. The policy applies to all private chat messages including one-on-one chats and group chats that are not associated with teams. Deleted messages disappear from user chat histories and cannot be recovered through normal Teams interfaces, though copies may remain in mailboxes depending on how the policy is configured.

Organizations implementing chat deletion policies should carefully communicate the retention period to users so they understand that older conversations will automatically disappear. Users should be encouraged to save important information from chats to more permanent locations before messages age out. The deletion policy helps organizations manage storage costs and reduce data retention risks by ensuring that temporary communications do not persist indefinitely.

Retention policies for Teams chats support different retention periods for different user groups allowing organizations to apply longer retention for specific departments or roles with compliance requirements while implementing shorter retention for general users. The policies generate logs showing deletion activities for audit purposes. Before implementing deletion policies, organizations should verify that regulatory requirements do not mandate longer retention for certain types of communications.

Option B is incorrect because Teams messaging policies control messaging features like editing, deleting, and chat capabilities but do not implement automatic message deletion based on age. Option C is incorrect because there are no separate chat retention settings in Teams admin center; retention is configured through retention policies in the Microsoft Purview compliance portal. Option D is incorrect because while Teams chat data is stored in user mailboxes, Teams-specific retention policies provide the appropriate mechanism for managing chat retention rather than general mailbox retention policies.
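The Purview configuration described above, expressed in Security & Compliance PowerShell (ExchangeOnlineManagement module). This is an added example, not code from the exam material; the policy and rule names are constructed.

```powershell
# Added example: delete-only retention policy for Teams private chats, 180 days.
# Requires: Install-Module ExchangeOnlineManagement
Connect-IPPSSession   # sign in as a compliance administrator

$policyName = "Teams private chats - delete after 180 days"

# TeamsChatLocation scopes the policy to 1:1 and group chats, not channels.
# Note: a Teams retention policy cannot be combined with other workloads
# (Exchange, SharePoint) in the same policy.
New-RetentionCompliancePolicy -Name $policyName `
    -TeamsChatLocation All `
    -Enabled $true

# Delete-only: no retention floor, remove messages 180 days after creation.
# For Teams messages the clock always starts at message creation.
New-RetentionComplianceRule -Name "$policyName - rule" `
    -Policy $policyName `
    -RetentionDuration 180 `
    -RetentionComplianceAction Delete

# Review what the policy targets and how the rule is configured
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Select-Object Name, Enabled, TeamsChatLocation, DistributionStatus
Get-RetentionComplianceRule -Policy $policyName |
    Select-Object Name, RetentionDuration, RetentionComplianceAction
```

Check DistributionStatus until it reports success; until the policy has been distributed to the Teams service, no messages are removed.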

Question 116: 

You need to delegate the ability to reset passwords and manage licenses without granting other administrative permissions. Which role should you assign?

A) User Administrator

B) Helpdesk Administrator and License Administrator

C) Password Administrator and Groups Administrator

D) Authentication Administrator

Answer: B

Explanation:

Helpdesk Administrator and License Administrator roles combined provide the specific permissions needed to reset passwords and manage licenses without granting unnecessary administrative capabilities. The Helpdesk Administrator role allows resetting passwords for non-administrator users and invalidating refresh tokens, while the License Administrator role provides permissions to assign and remove licenses for users. Assigning both roles to a user enables them to handle common support tasks without broader administrative access.

The Helpdesk Administrator role is designed specifically for support personnel who assist users with password problems and account access issues. Users with this role can reset passwords for standard users and users with limited administrative roles but cannot reset passwords for highly privileged administrators. This prevents privilege escalation while enabling effective support operations. The role does not include permissions to modify user properties, create accounts, or configure organizational settings.

The License Administrator role allows managing license assignments across Microsoft 365 subscriptions without providing access to other user management functions. Users with this role can assign licenses from available pools, remove licenses from users, and modify license options like enabling or disabling specific service plans within subscriptions. They cannot view billing information or purchase additional licenses, maintaining separation between license assignment and financial management.

Combining these two roles follows the principle of least privilege by granting exactly the permissions needed for common help desk scenarios without excess capabilities that could be misused. Organizations with dedicated support teams typically assign these roles to help desk staff enabling them to resolve user issues efficiently. Role separation ensures that more sensitive administrative functions like security configuration or data access remain restricted to higher-privileged roles.

Option A is incorrect because User Administrator has extensive permissions including user creation, group management, and modification of user properties beyond password reset and license management. Option C is incorrect because this combination provides password management and group administration but not license assignment, and includes unnecessary group management capabilities. Option D is incorrect because Authentication Administrator focuses on authentication method management but does not include license assignment permissions.
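The two-role assignment above, done with Microsoft Graph PowerShell so that the resulting permissions can be verified. This is an added example, not code from the exam material; the support account UPN is a placeholder.

```powershell
# Added example: assign only Helpdesk Administrator and License Administrator
# to a support account, then list what the account actually holds.
# Requires: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$supportUpn = "helpdesk.analyst@contoso.com"   # placeholder account
$user = Get-MgUser -UserId $supportUpn

$roleNames = @("Helpdesk Administrator", "License Administrator")

foreach ($name in $roleNames) {
    # Look roles up by display name so no template GUIDs are hard-coded
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"
    if (-not $role) { throw "Role '$name' not found in this tenant" }

    # "/" is tenant-wide scope; an administrative unit id narrows it further
    New-MgRoleManagementDirectoryRoleAssignment `
        -PrincipalId $user.Id `
        -RoleDefinitionId $role.Id `
        -DirectoryScopeId "/" | Out-Null
    Write-Host "Assigned '$name' to $supportUpn"
}

# Verify: the account should hold exactly these two roles and nothing broader
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" |
    ForEach-Object {
        (Get-MgRoleManagementDirectoryRoleDefinition `
            -UnifiedRoleDefinitionId $_.RoleDefinitionId).DisplayName
    }
```

If the verification step lists anything beyond the two roles, the account has accumulated privileges outside the intended help desk scope and should be trimmed.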

Question 117: 

Your organization needs to ensure that all Power Automate flows are reviewed for compliance before deployment to production. What should you configure?

A) Power Platform environment approval process with DLP policies

B) Power Automate flow checker

C) Azure AD application governance

D) Power Platform admin center flow restrictions

Answer: A

Explanation:

Power Platform environment approval process with DLP policies provides governance controls to ensure flows are reviewed and comply with organizational policies before deployment to production environments. By configuring separate development and production environments with restrictions on who can deploy flows to production, you create a review checkpoint where administrators or compliance personnel examine flows before production deployment. Data Loss Prevention policies for Power Platform enforce allowed and blocked connectors ensuring flows cannot access prohibited data sources or external services.

Implementation involves creating organizational processes where developers create flows in dedicated development or test environments. When flows are ready for production use, developers request deployment through formal change management procedures. Reviewers examine flow logic, connector usage, and data handling to verify compliance with security policies, data protection requirements, and business process standards before approving deployment to production environments.

Power Platform DLP policies define which connectors can be used in different environments, preventing flows from accessing high-risk or non-approved services. You can configure policies that block certain connectors entirely or classify connectors into business data and non-business data groups with rules preventing data transfer between groups. These policies enforce technical guardrails ensuring that even approved flows cannot violate connector usage policies.

The governance approach combines technical controls through DLP policies with procedural controls through approval workflows. Organizations might use ServiceNow, SharePoint, or Power Automate itself to manage approval requests for flow deployments. Approvers verify that flows meet security standards, use approved connectors, implement proper error handling, and include necessary documentation before deployment.

Option B is incorrect because Power Automate flow checker provides technical validation of flow syntax and potential errors but does not implement compliance review or approval processes for production deployment. Option C is incorrect because Azure AD application governance manages application access and permissions but does not provide flow-specific compliance review mechanisms. Option D is incorrect because while admin center provides flow management capabilities, formal approval processes require organizational procedures beyond simple flow restrictions.

Question 118: 

Your company needs to ensure that all SharePoint document libraries automatically version documents and retain the last 50 versions. What should you configure?

A) Document library versioning settings with major versions

B) Information management policy for versioning

C) SharePoint site collection version limits

D) Content type versioning configuration

Answer: A

Explanation:

Document library versioning settings with major versions provide granular control over how SharePoint tracks changes to documents stored in libraries. When you configure versioning settings for a document library, you can specify whether to create versions when documents are modified, how many versions to retain, and whether to track both major and minor versions. To ensure the last 50 versions are retained, you access the library settings and enable versioning with a limit of 50 major versions.

Versioning in SharePoint creates a new version entry each time a user saves changes to a document, allowing organizations to track document evolution and restore previous versions when needed. The version history records who made changes, when modifications occurred, and optionally requires check-in comments explaining the changes. By setting the version limit to 50, older versions beyond this threshold are automatically deleted to manage storage consumption while maintaining sufficient history for most business scenarios.

When configuring versioning, you can choose between major versions only or major and minor versions. Major versions represent published states of documents visible to all users with read permissions, while minor versions represent draft states visible only to users with edit permissions. For scenarios requiring 50 versions, major version tracking alone provides straightforward version management without the complexity of draft versions.

The versioning configuration applies specifically to the document library where it is enabled, allowing different libraries within the same site to have different versioning policies based on content requirements. Critical document libraries might retain more versions while temporary collaboration spaces might limit versions to reduce storage usage. Library owners and site administrators can modify versioning settings to adjust retention limits as organizational needs evolve.

Option B is incorrect because information management policies are legacy features that have been largely replaced by retention policies and labels in modern SharePoint Online compliance frameworks. Option C is incorrect because site collection version limits set organization-wide defaults but individual library versioning settings provide the specific configuration needed to retain exactly 50 versions. Option D is incorrect because content type versioning configuration affects content type definitions rather than the actual version retention behavior in document libraries.
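Applying the library versioning setting above across every document library in a site, using PnP PowerShell. This is an added example, not code from the exam material; the site URL is a placeholder.

```powershell
# Added example: enable versioning and keep 50 major versions on each
# document library in one site.
# Requires: Install-Module PnP.PowerShell (newer versions also need -ClientId
# for a registered Entra app)
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/Finance" -Interactive

# BaseTemplate 101 = document library; hidden system lists are skipped
$libraries = Get-PnPList | Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }

foreach ($lib in $libraries) {
    Set-PnPList -Identity $lib `
        -EnableVersioning $true `
        -EnableMinorVersions $false `
        -MajorVersions 50
    Write-Host "$($lib.Title): versioning on, last 50 major versions retained"
}

# Verify the settings actually took effect
Get-PnPList | Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden } |
    Select-Object Title, EnableVersioning, EnableMinorVersions, MajorVersionLimit
```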

Question 119: 

You need to prevent users from accessing Microsoft 365 services when their devices are not compliant with security policies. What should you configure?

A) Conditional Access policy requiring device compliance

B) Device enrollment restrictions

C) Mobile Device Management policy

D) Azure AD device settings

Answer: A

Explanation:

Conditional Access policies requiring device compliance provide identity-based access control that evaluates device compliance status before granting access to Microsoft 365 services. When you create a Conditional Access policy targeting cloud applications like Exchange Online, SharePoint, and Teams, you can configure grant controls that require devices to be marked as compliant before allowing access. This ensures that only devices meeting organizational security standards can access corporate resources regardless of user location or network.

The policy works by evaluating the device compliance status reported by Microsoft Intune during user authentication. When users attempt to access Microsoft 365 services, Azure AD checks whether their device is enrolled in Intune and marked as compliant based on device compliance policies. If the device is not compliant, the Conditional Access policy blocks access and directs users to enroll their device or remediate compliance issues before access is granted.

Device compliance policies in Intune define the security requirements that devices must meet including encryption enablement, minimum operating system versions, antivirus software presence, jailbreak detection, and password complexity. Devices that fail to meet any configured requirement are marked as non-compliant. The combination of compliance policies and Conditional Access creates a comprehensive security framework ensuring corporate data is accessed only from secure devices.

This approach supports bring-your-own-device scenarios where personal devices can access corporate resources only when they meet security standards. The policy evaluates compliance continuously, so if a device falls out of compliance after initial access is granted, subsequent authentication attempts are blocked until compliance is restored. Organizations can configure different compliance requirements for different device platforms including Windows, iOS, Android, and macOS.

Option B is incorrect because device enrollment restrictions control which devices can enroll in MDM but do not enforce access requirements based on compliance status. Option C is incorrect because MDM policies define device configurations and compliance criteria but must be combined with Conditional Access policies to enforce access restrictions. Option D is incorrect because Azure AD device settings control device registration options but do not enforce compliance-based access control for Microsoft 365 services.
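The Conditional Access policy described above, created with Microsoft Graph PowerShell in report-only mode first so its impact can be checked in sign-in logs before enforcement. This is an added example, not code from the exam material; the break-glass group id is a placeholder.

```powershell
# Added example: require a compliant device for all Microsoft 365 apps.
# Requires: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: group holding emergency-access accounts, always excluded
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Require compliant device for Microsoft 365"
    # Report-only: evaluated and logged, but nothing is blocked yet
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            # "Office365" is the built-in app group covering Exchange Online,
            # SharePoint, Teams and the other Microsoft 365 services
            includeApplications = @("Office365")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        # Intune must report the device as compliant for access to be granted
        builtInControls = @("compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After reviewing report-only results in the sign-in logs, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled"
```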

Question 120: 

Your organization wants to ensure that all calendar events created by executives are automatically classified as confidential. What should you configure?

A) Sensitivity label auto-labeling policy for calendar items

B) Exchange transport rule for calendar events

C) Outlook default classification settings

D) Information Rights Management for calendars

Answer: A

Explanation:

Sensitivity label auto-labeling policies for calendar items provide automated classification that applies labels to calendar events based on sender identity without requiring manual user action. When you create an auto-labeling policy in Microsoft Purview, you can configure conditions that detect calendar events created by specific users or members of executive groups and automatically apply confidential sensitivity labels. This ensures consistent classification of executive communications without relying on executives remembering to label their calendar invitations.

The auto-labeling policy continuously monitors calendar event creation and evaluates whether events meet the configured conditions. When executives create calendar appointments or meeting invitations, the policy automatically applies the confidential label before the invitations are sent to attendees. The label can include protection settings such as encryption or access restrictions that prevent attendees from forwarding invitations to unauthorized recipients or modifying event details.

Auto-labeling for calendar items supports condition-based application using attributes like sender email address, group membership, or keywords in meeting subjects. For executive calendar events, you typically configure the policy to identify senders who are members of an executive distribution group or security group. The policy applies labels transparently without requiring executive action or awareness, ensuring comprehensive protection for sensitive meeting information.

Once applied, sensitivity labels persist with calendar events throughout their lifecycle. If events are forwarded or copied, the label travels with the event ensuring consistent protection. Attendees see visual indicators showing that events are classified as confidential, promoting awareness about handling requirements. The labels integrate with Data Loss Prevention policies that can enforce additional protections for confidential calendar content.

Option B is incorrect because Exchange transport rules process email messages rather than calendar events and do not provide calendar-specific classification capabilities. Option C is incorrect because Outlook default classification settings are client-side configurations that users control individually and cannot be centrally enforced for specific user groups like executives. Option D is incorrect because Information Rights Management provides encryption capabilities but does not automatically classify calendar events based on sender identity without additional automation.
