Chapter 20: Mock Exam Answers

In this chapter, we will review the mock exam from the previous chapter and provide the answers to each question, as well as explanations for them.

Answers and explanations

  1. A

    Explanation: You need to set up a New Location and add the IP ranges for all of your organization's premises. This will ensure that Azure AD has your named/trusted locations established before you set up any policies that may reference them as inclusions or exclusions.

    You should not create a new policy that requires MFA for all users, applies to all locations, and excludes all trusted locations. Doing so would not be effective until you have completed the required first step, which is adding the IP addresses that represent your named/trusted locations.

    You should not create a new certificate under VPN Connectivity. This task is completely irrelevant to the defined requirement.

    You should not set Baseline Policy: End user Protection to Enabled. Baseline policies are inflexible and can only be turned on or off. No granular settings can be modified. At the time of writing this book, baseline policies are scheduled to be deprecated by Microsoft.

  2. D

    Explanation: You should set the delivery action to Dynamic Delivery. This will ensure that when the user clicks to access the attachment, it will detonate in Microsoft's sandbox and be checked for malware. If it's safe, it will be opened. This is the fastest way to safely open attachments.

    You should not set the delivery action to Monitor. This will immediately deliver the messages with the attachments and then monitor what happens with any detected malware. A malware scan must be completed before the user can open the attachment.

    You should not set the delivery action to Block. This will prevent any messages with detected malware from proceeding and send any such emails to quarantine.

    You should not set the delivery action to Replace. This will remove detected malware attachments and notify the users of this.

  3. D

    Explanation: You should configure Pass-through authentication. This fulfills the requirement to set authentication for Office 365 via the on-premises AD environment, and also minimizes the effort and need for additional infrastructure.

    You should not configure Cloud only. This is the native identity methodology for Office 365 and will not fulfill the desired requirement, which is to synchronize with AD and provide a hybrid identity configuration.

    You should not configure Password hash-synchronization. This method establishes a same sign-on experience, but authentication of Office 365 logins will be carried out by Office 365, not the on-premises AD environment.

    You should not configure Active Directory Federation Services. While this method will fulfill the requirement to authenticate Office 365 logins via the on-premises infrastructure, it does not meet the requirement to minimize effort and additional infrastructure, since AD FS requires significant planning and additional servers.

  4. B

    Explanation: The requirement states that labels need to be automatically applied when a match to a Sensitive Information type is detected. An Azure Information Protection (P2) license will be required to achieve this goal. Only Azure Information Protection (P1) licenses have been purchased.

  5. B

    Explanation: The settings in this screenshot do not meet requirements as they are set to retain content based on when it was last modified, not when it was created. In addition, the content needed to be deleted at the end of the retention period. The screenshot shows that the setting "Do you want us to delete it after this time?" is set to No.

  6. B

    Explanation: You need to create a device compliance policy and configure the Device Health settings. The Device Health settings contain the option to block jailbroken devices and mark them as non-compliant.

    You should not create a device compliance policy and configure the Device Properties settings as this setting does not allow you to block jailbroken devices and mark them as non-compliant. You would use this setting to set the minimum and maximum OS versions for iOS devices.

    You should not create a device configuration profile and configure the Device Restrictions settings as this setting does not allow you to block jailbroken devices and mark them as non-compliant. This will instead allow you to create multiple restriction settings for your iOS devices, including password settings and App store settings.

    You should not create a Device configuration profile and configure the Device Features settings as this setting does not allow you to block jailbroken devices and mark them as non-compliant. This will instead allow you to create multiple feature settings for your iOS devices, including AirPrint, App Notifications, and Wallpaper.

  7. C

    Explanation: You need to create a user risk policy in the Azure portal. This will allow you to force a user to change their password when the risk level condition is matched.

    You should not create a sign-in risk policy in the Azure portal. This will not allow you to enforce a password reset. Instead, this setting allows you to enforce MFA.

    You should not create an MFA registration policy in the Azure portal. This will not allow you to enforce a password reset. Instead, this setting allows you to require Azure MFA registration.

    You should not create a Conditional Access Policy in the Azure portal. While you can use risk-based conditional access to detect sign-in risk levels, you are unable to detect user risk, and also cannot force a password change.

  8. B

    Explanation: You should use the Exchange Admin Center to place the suspected user's mailbox on Litigation Hold. This will ensure that even if the user deletes any messages, they can be accessed and reviewed by administrators.

    You should not perform a Content search from the Security and Compliance Center. With a Content search, you can search for user activity using search queries, but you are unable to place content on hold.

    You should not perform an audit log search from the Security and Compliance Center. With an audit search, you can search for admin and user activity, but you are unable to place content on hold.

    You should not perform a Message Trace from the Mail Flow section of the Security and Compliance Center. This will allow you to search for messages that have been sent and received in Exchange Online, but it will not enable you to place content on hold.

  9. A

    Explanation: The Mass download by a single user policy template will fulfill all of the requirements.

  10. A, B

    Explanation: You could go to Investigate | Files in the Cloud App Security portal. This will show you all recent file activity, where you can filter by queries, apps, owner and access level settings, file types, and policy matches.

    You could also go to Investigate | Activity Log. This will show you a wide range of activities, but these can also be filtered by file and folder activities.

    You should not use Investigate | Users and Accounts. This will show you information about all of your users and accounts, such as account settings, alerts, and governance.

    You should not use Investigate | Security Configuration. This area will allow you to carry out a security configuration assessment of your Azure environment.

  11. (CASE STUDY ANSWER 1) B, D, E

    Explanation: You should add B, D, and E as these are external IP address ranges and will be needed to establish Named/Trusted locations.

    You should not add A or C as these are internal IP address ranges and irrelevant to Named/Trusted locations.

  12. (CASE STUDY ANSWER 2) B

    Explanation: This does not meet security requirements as the Permanently eligible selection is unchecked.

  13. (CASE STUDY ANSWER 3) B

    Explanation: This does not meet security requirements as the MFA Users group was supposed to contain users from only the Toronto office, and not the London or Mumbai offices.

  14. (CASE STUDY ANSWER 4) A

    Explanation: When configuring an Exchange Hybrid, it is a Microsoft recommended and supported practice to retain at least one Exchange Server at the end of your migration as a management server. Exchange 2016 is recommended as the Hybrid server in order to make the latest features available. Additionally, Microsoft have announced that Exchange 2010 support will cease in October 2020. Therefore, installing Exchange 2016 in the environment overrides the business requirement to minimize additional servers.

  15. (CASE STUDY ANSWER 5) A

    Explanation: This meets security requirements, which state that SSPR must require users to provide two authentication methods in order to reset their passwords.

  16. B

    Explanation: This does not meet requirements as Pass-through authentication has no bearing on joining devices to Azure AD.

  17. A

    Explanation: This meets requirements as configuring Hybrid Azure AD join will automatically join on-premises, domain-joined devices to Azure AD.

  18. B

    Explanation: This does not meet requirements as Device Writeback has no bearing on joining devices to Azure AD.

  19. B

    Explanation: This does not meet requirements as Directory extension attribute sync has no bearing on joining devices to Azure AD.

  20. B

    Explanation: This does not meet requirements as Password hash synchronization has no bearing on joining devices to Azure AD.

  21. C, E, and F

    Explanation: EM+S E5, Azure Information Protection P2, and Microsoft 365 E5 all support automatic labeling.

    Azure Information Protection P1, EM+S E3, Microsoft 365 Business, and Microsoft 365 E3 only support manual classification of content using sensitivity labels.

  22. A

    Explanation: Multi-Factor Authentication must be enabled in your tenant in order to use Attack Simulator.

    Safe Attachments and Safe Links policies, as well as Azure AD Identity protection, have no bearing on the ability to run Attack Simulator.

  23. C

    Explanation: The Set-Mailbox command must be used from the Exchange Online PowerShell, as per the following example:

    Set-Mailbox -Identity "Jane Bloggs" -AuditEnabled $true

    You would not use the Set-MailboxDatabase command as this would apply only to databases that are relevant to Exchange on-premises.

    You would not create a new mail flow transport rule from the Exchange Admin Center. Transport rules have no bearing on Exchange Online auditing.

    You would not create a new audit retention policy in the Security and Compliance Center. Audit retention policies are used to determine how long to retain audit logs in your organization.

  24. C

    Explanation: You need to create two separate retention policies in the Security and Compliance Center and set each one to choose specific locations. The first policy should be set to target Exchange email, SharePoint sites, OneDrive accounts, Office 365 groups, Skype for Business, and Exchange public folders. The second policy should be set to target only Teams channel messages and Teams chats. This is because Teams-related retention policies cannot be configured in the same policy as other Office 365 locations – they require a dedicated policy.

    You should not create a single retention policy in the Security and Compliance Center and apply it to the default Office 365 locations. This does not include Teams. The requirements are that all Office 365 locations must be targeted for retention.

    You should not create a single retention policy in the Security and Compliance Center and select the Let me choose specific locations option. You must target all Office 365 locations for retention. A single policy will not allow you to protect Teams and other Office 365 locations.

    You should not create a single retention policy in the Exchange Admin Center. The Exchange Admin center can only be used to create retention policies that apply to Exchange Online. The requirement was that retention must be applied to all Office 365 locations.

  25. B

    Explanation: The policy does not meet the required conditions as it is not set to Test mode with notifications, and is instead turned off completely.
