In the following pages, we will review all practice questions from each of the chapters in this book, and provide the correct answers (and explanations, where applicable).
Explanation: MFA is a secure authentication method as opposed to an identity method.
Explanation: IdFix is a tool that scans Active Directory (AD) and identifies any objects with attributes that are incompatible with Office 365 or that would result in a conflict or duplicate object.
Explanation: Password hash synchronization provides the same sign-on experience, where users are authenticated directly to Office 365/Azure AD.
Explanation: Azure AD Premium P1 is the minimum subscription requirement for Self-Service Password Reset (SSPR). It is also available with Azure AD Premium P2. Intune and Azure Information Protection P1 licenses bear no relevance to SSPR.
Explanation: The Start-ADSyncSyncCycle -PolicyType Initial command will run a full synchronization. The Start-ADSyncSyncCycle -PolicyType Delta command will run only a delta/incremental synchronization. The remaining options in this question are not valid commands.
Explanation: Conditional Access is as described in the statement in this question.
Explanation: 40 is the maximum number of agents permitted.
Explanation: Azure AD Connect will automatically perform a synchronization to Azure AD every 30 minutes. Manual synchronizations may also be performed on demand.
Explanation: Security questions and email addresses are not valid methods.
Explanation: Two Web Application Proxy servers is the minimum recommended requirement as per Microsoft best practice guidelines.
Explanation: N/A
Explanation: OAuth tokens can be used with MFA, not SSPR.
Explanation: The other roles do not have the required privileges.
Explanation: N/A
Explanation: Users may not create access reviews but may be configured as reviewers by administrators.
Explanation: New-AzureADGroup will create a new Azure AD group to which members must be statically added. New-UnifiedGroup will create a new Office 365 group. Set-UnifiedGroup will allow changes to be made to existing Office 365 groups.
Explanation: N/A
Explanation: N/A
Explanation: N/A
Explanation: N/A
Explanation: Require Azure Advanced Threat Protection is not a condition that exists or that can be applied to any Microsoft 365 location or service.
Explanation: N/A
Explanation: No such baseline policy exists.
Explanation: The other options do not relate to Conditional Access.
Explanation: N/A
Explanation: The other options do not provide the ability to monitor Conditional Access events.
Explanation: The three correct answers are available under the Assignments | Conditions section of a Conditional Access policy. Directory Roles is available under Assignments | Users and Groups, while MFA is available under Access Controls | Grant.
Explanation: N/A
Explanation: N/A
Explanation: N/A
Explanation: Security Reader is an actual role, not a role component.
Explanation: Azure AD Premium P2 is the requirement for Privileged Identity Management (PIM).
Explanation: N/A
Explanation: N/A
Explanation: N/A
Explanation: N/A
Explanation: N/A
Explanation: N/A
Explanation: N/A
Explanation: N/A
Explanation: N/A
Explanation: An MFA registration policy may be configured from the Azure AD Identity Protection portal under the Protect section.
Explanation: MFA in fact helps to mitigate sign-in risk.
Explanation: Identity Protection is not available with the other subscriptions.
Explanation: This can be achieved by using User risk and Sign in risk policies from Azure AD Identity Protection.
Explanation: N/A
Explanation: The other options are not relevant to the goal.
Explanation: With a user risk policy, you may enforce a password reset. To enforce MFA, you would use a sign-in risk policy.
Explanation: No such level exists.
Explanation: Administrators may apply these settings in Azure AD Identity Protection by navigating to Report | Risky Users, highlighting the user, and then selecting the option to Confirm user compromised.
Explanation: N/A
Explanation: N/A
Explanation: EM+S E5 or a standalone Azure ATP license is the minimum requirement.
Explanation: Neither Azure ATP Configuration Manager nor Azure ATP Cloud App Security exist.
Explanation: N/A
Explanation: N/A
Explanation: No such report exists.
Explanation: This can be achieved by accessing the Azure ATP portal, navigating to Configuration | Windows Defender ATP, and setting the option for Integration with Windows Defender ATP to On.
Explanation: N/A
Explanation: Azure Advanced Threat Protection (ATP) creates three Azure AD groups – Administrators, Viewers, and Users.
Explanation: The remaining answers will not enable the use of Microsoft Defender ATP.
Explanation: This can be achieved by configuring an Endpoint Protection Device configuration profile.
Explanation: The other URLs are not valid.
Explanation: The remaining choices would not enable the required configuration.
Explanation: The remaining choices would not enable the required configuration.
Explanation: Windows Defender Application Guard (WDAG) may be configured and deployed using either System Center Configuration Manager (SCCM) or Intune.
Explanation: The remaining choices would not enable the required configuration.
Explanation: N/A
Explanation: This can be done when configuring Microsoft Defender ATP for the first time during step 3 of the setup.
Explanation: The remaining choices are not available options.
Explanation: ATP is not included with Office 365 E3.
Explanation: You can use Get-SafeAttachmentPolicy, Get-SafeAttachmentPolicy, New-SafeAttachmentPolicy, or Remove-SafeAttachmentPolicy.
Explanation: New-SafeLinksRule will allow you to create a custom safe links rule. Get-SafeLinksRule allows you to view the safe links rule settings. Set-SafeLinksRule lets you edit existing safe links rule settings. Start-SafeLinksRule is not a valid command.
Explanation: N/A
Explanation: N/A
Explanation: N/A
Explanation: N/A
Explanation: N/A
Explanation: Edit and Scan are not valid actions.
Explanation: Sender Policy Framework (SPF) does not prevent users from sending external emails. It is used to ensure that external mails can be verified as originating from authorized sources to prevent spoofing.
Explanation: The Service Administrator may only open and manage service requests, and view and share message center posts.
Explanation: N/A
Explanation: N/A
Explanation: The quarantine is not accessible from the other sections.
Explanation: The maximum setting is 30 days.
Explanation: N/A
Explanation: N/A
Explanation: N/A
Explanation: N/A
Explanation: N/A
Explanation: Privileged Access Management (PAM) currently only supports Exchange Online, and no other Office 365 locations.
Explanation: N/A
Explanation: N/A
Explanation: A task group is not a policy type.
Explanation: N/A
Explanation: N/A
Explanation: N/A
Explanation: SharePoint Online external sharing settings are set from the SharePoint Admin Center.
Explanation: The customer lockbox is only available in E5 subscriptions.
Explanation: This can be set up by using a Conditional Access Policy.
Explanation: N/A
Explanation: This can be done with the Enable-AIPService command.
Explanation: N/A
Explanation: N/A
Explanation: Unified labeling enables sensitivity labels to be used on other platforms, such as macOS.
Explanation: The other commands listed are invalid.
Explanation: N/A
Explanation: The Azure Information Protection scanner requires a server.
Explanation: N/A
Explanation: N/A
Explanation: N/A
Explanation: N/A
Explanation: N/A
Explanation: There is no such setting.
Explanation: Conditions are set within Data loss prevention (DLP) policy rules, and the actions will be applied if the policy is triggered.
Explanation: The only other location you can configure DLP policies is from the Exchange Admin Center.
Explanation: When DLP policies are set to test with policy tips, users will receive policy tips and administrators will receive alerts relating to the DLP policy.
Explanation: Only Teams Chat and Channel Messages may be protected.
Explanation: Distribution Groups are used to target or exclude Exchange email content from DLP policies.
Explanation: Policy tips are not available within Office for Mac.
Explanation: Advanced Cloud App Security is not the name of a product.
Explanation: Cloud App Security may be used with Office 365 Enterprise E5, EM+S E5, and Microsoft 365 E5.
Explanation: There is no such report as Administrator overview.
Explanation: Session Based Conditional Access policies may be set up within the Azure portal and then integrated with Cloud App Security.
Explanation: N/A
Explanation: Microsoft Flow and RSS feeds are not available as alerts.
Explanation: Only the Security Administrator and Global Administrator roles have permission to configure Cloud App Security.
Explanation: This may be configured from the Discover | Create snapshot report option.
Explanation: The other options are not valid URLs.
Explanation: Investigate | Files will show you activity on files. You could also use Investigate | Activity log. The other option in this question would not provide you with information on files.
Explanation: Telemetry data may only be viewed by using the telemetry Excel workbook.
Explanation: Audit logging may be turned on from the Security and Compliance Center. However, PowerShell must be used if you want to turn it off.
Explanation: The other URLs link to other Microsoft 365 dashboards.
Explanation: The other commands are not valid.
Explanation: The telemetry agent collects telemetry data and sends it to the shared folder. The telemetry processor then collects the data from the shared folder and sends it to the telemetry database. Finally, the data placed in the database is presented in the telemetry dashboard.
Explanation: Alerts | Alert policies will allow you to set up a policy for audit alerts.
Explanation: EM+S E3 does not have rights to configure Desktop Analytics. You would need one of the other licenses listed in the options.
Explanation: 90 days is the maximum number of days that the audit log can provide information. However, it is possible to set up an audit log retention policy.
Explanation: The Office Deployment Tool will deploy Microsoft Office, not Windows diagnostics.
Explanation: Several default policies for alerts are available.
Explanation: Content searches may be applied to all Office 365 locations, or to specific locations by clicking on Modify within the search. This will enable you to select individual services such as Exchange email, Teams messages, SharePoint sites, and OneDrive accounts.
Explanation: Retention labels cannot be configured from the other options.
Explanation: The eDiscovery export tool may be used to export content search results and reports.
Explanation: Threat detection reports relate to security as opposed to compliance.
Explanation: As well as New search, you may conduct a Guided search, which will initiate a wizard to take you through the process of setting up a content search.
Explanation: File plan descriptors will automatically apply labels to content based on conditions that are set within file plan descriptors.
Explanation: If you have file plan descriptors enabled in your retention label, then it is not possible to choose settings to manually apply the retention labels.
Explanation: You would typically start the content search from Search | Content search. It is also possible to start a content search from within an eDiscovery case. Therefore, eDiscovery | Advanced eDiscovery, and eDiscovery | eDiscovery are both possible answers.
Explanation: From the Control | Templates option, you may highlight a template and choose the option to Create Policy. You may also create policies from the Control | Policies option; however, you may not base policies on a template from here.
Explanation: This can be done from the Outlook Web App (OWA) by right-clicking on a message and selecting Assign policy.
Explanation: The other options will not allow you to enable the online archives. It is, however, also possible to enable online archives for users in the Exchange admin center.
Explanation: Exchange Online Plan 2 is the minimum requirement to set Litigation Hold for a user mailbox.
Explanation: Retention policies are a compliance feature, not a security feature.
Explanation: Unless a hold duration is specified, the hold will have no end date and will continue indefinitely or until the hold is removed.
Explanation: One of the main reasons for an Online Archive is to minimize the space that Offline Outlook Data (OST) files take up on a user's computer. Therefore, Online Archives (as the name suggests) may only be accessed when connected to the internet.
Explanation: This may only be done from the Microsoft 365 compliance center.
Explanation: Teams Channel Messages and Teams Chats may not exist in the same retention policy as other Office 365 services.
Explanation: A retention policy is flexible and includes settings that will allow you to delete or retain content depending upon your requirements.
Explanation: Litigation Hold must be applied at the user level.
Explanation: The other roles will not allow PST import.
Explanation: eDiscovery is a compliance feature, not a security feature.
Explanation: None of the other licenses listed will allow Advanced eDiscovery.
Explanation: N/A
Explanation: This function may not be completed within a standard content search.
Explanation: A reviewer may view, but not create or edit.
Explanation: Internet Explorer and Edge are the only eDiscovery-compatible browsers when exporting eDiscovery reports and results.
Explanation: The Security Reader does not have these rights.
Explanation: N/A
Explanation: N/A
Explanation: The other selections would negate the settings already defined in the eDiscovery case.
Explanation: N/A
Explanation: The other options are not valid.
Explanation: Message Trace is a mail flow interrogation tool.
Explanation: The other options do not enable you to carry out the required function.
Explanation: A Data Subject Request (DSR) will trigger the content search as part of the process.
Explanation: This feature may only be accessed via the Microsoft 365 compliance center.
Explanation: N/A
Explanation: The ability to manage assessments directly is not yet available from the Microsoft Compliance Score dashboard. You can do so by accessing the Microsoft Compliance Manager tool.
Explanation: N/A
Explanation: You will find these recommendations in the Improvement actions section.