You have a Microsoft 365 E5 subscription that contains the labels shown in the following table.
 
You have the items shown in the following table.
 
Which items can you view in Content explorer?

A. File1 only

B. File1 and File2 only

C. File1 and Mail1 only

D. File2 and Mail2 only

E. File1, File2, Mail1, and Mail2

HOTSPOT
-
You have a Microsoft 365 E5 subscription.
You need to configure Privileged Identity Management (PIM) for the User Administrator role in Microsoft Entra. Eligible users must meet the following requirements:
• Always be able to request the User Administrator role
• Must provide a reason when requesting the User Administrator role
• Must require multi-factor authentication (MFA) when activating the User Administrator role
The solution must minimize administrative effort.
How should you configure the Role settings for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
 

HOTSPOT -
You have a Microsoft 365 E5 subscription.
All company-owned Windows 11 devices are onboarded to Microsoft Defender for Endpoint.
You need to configure Defender for Endpoint to meet the following requirements:
Block a vulnerable app until the app is updated.
Block an application executable based on a file hash.
The solution must minimize administrative effort.
What should you configure for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
 

HOTSPOT
-
Your network contains an on-premises Active Directory domain named contoso.com.
Your company purchases Microsoft 365 subscription and establishes a hybrid deployment of Azure AD by using password hash synchronization. Password writeback is disabled in Azure AD Connect.
You create a new user named User10 on-premises and a new user named User20 in Azure AD.
You need to identify where an administrator can reset the password of each new user.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
 

You have a Microsoft 365 E5 subscription.
Conditional Access is configured to block high-risk sign-ins for all users.
All users are in France and are registered for multi-factor authentication (MFA).
Users in the media department will travel to various countries during the next month.
You need to ensure that if the media department users are blocked from signing in while traveling, the users can remediate the issue without administrator intervention.
What should you configure?

A. an exclusion group

B. the MFA registration policy

C. named locations

D. self-service password reset (SSPR)

HOTSPOT
-
You have a Microsoft 365 E5 subscription.
You plan to use a mailbox named Mailbox1 to analyze malicious email messages.
You need to configure Microsoft Defender for Office 365 to meet the following requirements:
• Ensure that incoming email is NOT filtered for Mailbox1.
• Detect impersonation and spoofing attacks on all other mailboxes in the subscription.
Which two settings should you configure? To answer, select the appropriate settings in the answer area.
NOTE: Each correct selection is worth one point.
 

You have a Microsoft 365 subscription that contains more than 2,000 guest users.
You need to ensure that when guest users are added to Microsoft 365 groups in the subscription, their membership is validated by the group owner every 30 days.
What should you configure?

A. group expiration policies

B. retention policies

C. access reviews

D. Conditional Access policies

HOTSPOT
-
You have a Microsoft 365 E5 subscription that contains the users shown in the following table.
 
The subscription has the following two anti-spam policies:
• Name: AntiSpam1
• Priority: 0
• Include these users, groups and domains
• Users: User3
• Groups: Group1
• Exclude these users, groups and domains
• Groups: Group2
• Message limits
• Set a daily message limit: 100
• Name: AntiSpam2
• Priority: 1
• Include these users, groups and domains
• Users: User1
• Groups: Group2
• Exclude these users, groups and domains
• Users: User3
• Message limits
• Set a daily message limit: 50
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
 

Your company has 10,000 users who access all applications from an on-premises data center.
You plan to create a Microsoft 365 subscription and to migrate data to the cloud.
You plan to implement directory synchronization.
User accounts and group accounts must sync to Azure AD successfully.
You discover that several user accounts fail to sync to Azure AD.
You need to resolve the issue as quickly as possible.
What should you do?

A. From Active Directory Administrative Center, search for all the users, and then modify the properties of the user accounts.

B. Run idfix.exe, and then click Edit.

C. From Windows PowerShell, run the start-AdSyncSyncCycle -PolicyType Delta command.

D. Run idfix.exe, and then click Complete.

HOTSPOT
-
You have a Microsoft 365 E5 subscription.
You need to configure a group naming policy.
Which portal should you use, and to which types of groups will the policy apply? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
 

HOTSPOT
-
You have a Microsoft 365 E5 subscription.
You need to configure Microsoft Defender for Office 365 to meet the following requirements:
• A user's email sending patterns must be used to minimize false positives for spoof protection.
• Documents uploaded to Microsoft Teams, SharePoint Online, and OneDrive must be protected by using Defender for Office 365.
What should you configure for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
 

You have a Microsoft 365 subscription.
You need to create a data loss prevention (DLP) policy that is configured to use the Set headers action.
To which location can the policy be applied?

A. Exchange email

B. OneDrive accounts

C. SharePoint sites

D. Teams chat and channel messages

HOTSPOT -
You have a Microsoft 365 E5 tenant.
You have the alerts shown in the following exhibit.
 
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
 

HOTSPOT
-
You have a Microsoft 365 E5 subscription that contains a SharePoint site named Site1. Site1 contains the files shown in the following table.
 
You have the users shown in the following table.
 
You create a data loss prevention (DLP) policy with an advanced DLP rule and apply the policy to Site1. The DLP rule is configured as shown in the following exhibit.
 

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain.
You deploy an Azure AD tenant.
Another administrator configures the domain to synchronize to Azure AD.
You discover that 10 user accounts in an organizational unit (OU) are NOT synchronized to Azure AD. All the other user accounts synchronized successfully.
You review Azure AD Connect Health and discover that all the user account synchronizations completed successfully.
You need to ensure that the 10 user accounts are synchronized to Azure AD.
Solution: From Azure AD Connect, you modify the Azure AD credentials.
Does this meet the goal?

A. Yes

B. No

HOTSPOT -
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Office 365.
The subscription has the default inbound anti-spam policy and a custom Safe Attachments policy.
You need to identify the following information:
The number of email messages quarantined by zero-hour auto purge (ZAP)
The number of times users clicked a malicious link in an email message
Which Email & collaboration report should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
 

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Office 365 and contains a user named User1.
User emails a product catalog in the PDF format to 300 vendors. Only 200 vendors receive the email message, and User1 is blocked from sending email until the next day.
You need to prevent this issue from reoccurring.
What should you configure?

A. anti-spam policies

B. Safe Attachments policies

C. anti-phishing policies

D. anti-malware policies

HOTSPOT
-
You have a Microsoft 365 subscription that contains the users shown in the following table.
 
The Global Administrator role has the Privileged Identity Management (PIM) settings shown in the following table.
 
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
 

HOTSPOT
-
You have a Microsoft 365 subscription.
From the Microsoft 365 admin center, you open the Microsoft 365 Apps usage report as shown in the following exhibit.
 
You need ensure that the report meets the following requirements:
• The Username column must display the actual name of each user.
• Usage of the Microsoft Teams mobile app must be displayed.
What should you modify for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
 

HOTSPOT -
You have a Microsoft 365 E5 subscription that contains a user named User1.
Azure AD Password Protection is configured as shown in the following exhibit.
 
User1 attempts to update their password to the following passwords:
F@lcon -
Project22 -
T4il$pin45dg4 -
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
 

HOTSPOT -
Your network contains an on-premises Active Directory domain. The domain contains the servers shown in the following table.
 
You purchase a Microsoft 365 E5 subscription.
You need to implement Azure AD Connect cloud sync.
What should you install first and on which server? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
 

DRAG DROP -
You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365.
You need to configure policies to meet the following requirements:
Customize the common attachments filter.
Enable impersonation protection for sender domains.
Which type of policy should you configure for each requirement? To answer, drag the appropriate policy types to the correct requirements. Each policy type may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
 

You have a Microsoft 365 E5 subscription.
You onboard all devices to Microsoft Defender for Endpoint.
You need to use Defender for Endpoint to block access to a malicious website at www.contoso.com.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct answer is worth one point.

A. Create a web content filtering policy.

B. Enable Custom network indicators.

C. Enable automated investigation.

D. Create an indicator.

E. Configure an enforcement scope.

You have a Microsoft 365 E5 tenant.
You create an auto-labeling policy to encrypt emails that contain a sensitive info type. You specify the locations where the policy will be applied.
You need to deploy the policy.
What should you do first?

A. Run the policy in simulation mode.

B. Turn on co-authoring for files with sensitivity labels.

C. Review the sensitive information in Activity explorer.

D. Turn on the policy.

Your network contains an Active Directory domain and an Azure AD tenant.
The network uses a firewall that contains a list of allowed outbound domains.
You begin to implement directory synchronization.
You discover that the firewall configuration contains only the following domain names in the list of allowed domains:
• *.microsoft.com
• *.office.com
Directory synchronization fails.
You need to ensure that directory synchronization completes successfully.
What is the best approach to achieve the goal? More than one answer choice may achieve the goal. Select the BEST answer.

A. From the firewall, modify the list of allowed outbound domains.

B. From Azure AD Connect, modify the Customize synchronization options task.

C. From the firewall, create a list of allowed inbound domains.

D. Deploy an Azure AD Connect sync server in staging mode.

E. From the firewall, allow the IP address range of the Azure data center for outbound communication.

Your network contains an on-premises Active Directory domain named contoso.com. The domain contains 1,000 Windows 10 devices.
You perform a proof of concept (PoC) deployment of Microsoft Defender for Endpoint for 10 test devices. During the onboarding process, you configure Microsoft Defender for Endpoint-related data to be stored in the United States.
You plan to onboard all the devices to Microsoft Defender for Endpoint.
You need to store the Microsoft Defender for Endpoint data in Europe.
What should you do first?

A. Delete the workspace.

B. Create a workspace.

C. Onboard a new device.

D. Offboard the test devices.

You have a new Microsoft 365 E5 tenant.
You need to enable an alert policy that will be triggered when an elevation of Microsoft Exchange Online administrative privileges is detected.
What should you do first?

A. Enable auditing.

B. Enable Microsoft 365 usage analytics.

C. Create an Insider risk management policy.

D. Create a communication compliance policy.

You have a Microsoft 365 E5 subscription.
You plan to create a data loss prevention (DLP) policy that will be applied to all available locations.
Which conditions can you use in the DLP rules of the policy?

A. sensitive info types

B. content search queries

C. keywords

D. sensitivity labels

Overview -
Fabrikam, Inc. is an electronics company that produces consumer products. Fabrikam has 10,000 employees worldwide.
Fabrikam has a main office in London and branch offices in major cities in Europe, Asia, and the United States.
Existing Environment -
Active Directory Environment -
The network contains an Active Directory forest named fabrikam.com. The forest contains all the identities used for user and computer authentication. Each department is represented by a top-level organizational unit (OU) that contains several child OUs for user accounts and computer accounts.
All users authenticate to on-premises applications by signing in to their device by using a UPN format of
username@fabrikam.com
.
Fabrikam does NOT plan to implement identity federation.
Network Infrastructure -
Each office has a high-speed connection to the Internet.
Each office contains two domain controllers. All domain controllers are configured as DNS servers.
The public zone for fabrikam.com is managed by an external DNS server.
All users connect to an on-premises Microsoft Exchange Server 2016 organization. The users access their email by using Outlook Anywhere, Outlook on the web, or the Microsoft Outlook app for iOS. All the Exchange servers have the latest cumulative updates installed.
All shared company documents are stored on a Microsoft SharePoint Server farm.
Requirements -
Planned Changes -
Fabrikam plans to implement a Microsoft 365 Enterprise subscription and move all email and shared documents to the subscription.
Fabrikam plans to implement two pilot projects:
Project1: During Project1, the mailboxes of 100 users in the sales department will be moved to Microsoft 365.
Project2: After the successful completion of Project1, Microsoft Teams will be enabled in Microsoft 365 for the sales department users.
Fabrikam plans to create a group named UserLicenses that will manage the allocation of all Microsoft 365 bulk licenses.
Technical Requirements -
Fabrikam identifies the following technical requirements:
All users must be able to exchange email messages successfully during Project1 by using their current email address.
Users must be able to authenticate to cloud services if Active Directory becomes unavailable.
A user named User1 must be able to view all DLP reports from the Microsoft Purview compliance portal.
Microsoft 365 Apps for enterprise applications must be installed from a network share only.
Disruptions to email access must be minimized.
Application Requirements -
Fabrikam identifies the following application requirements:
An on-premises web application named App1 must allow users to complete their expense reports online. App1 must be available to users from the My Apps portal.
The installation of feature updates for Microsoft 365 Apps for enterprise must be minimized.
Security Requirements -
Fabrikam identifies the following security requirements:
After the planned migration to Microsoft 365, all users must continue to authenticate to their mailbox and to SharePoint sites by using their UPN.
The membership of the UserLicenses group must be validated monthly. Unused user accounts must be removed from the group automatically.
After the planned migration to Microsoft 365, all users must be signed in to on-premises and cloud-based applications automatically.
The principle of least privilege must be used.
You need to ensure that all the sales department users can authenticate successfully during Project1 and Project2.
Which authentication strategy should you implement for the pilot projects?

A. pass-through authentication

B. pass-through authentication and seamless SSO

C. password hash synchronization and seamless SSO

D. password hash synchronization

HOTSPOT
-
You have a Microsoft 365 E5 subscription and an Azure AD tenant named contoso.com.
All users have computers that run Windows 11, are joined to contoso.com, and are protected by using BitLocker Drive Encryption (BitLocker).
You plan to create a user named Admin1 that will perform following tasks:
• View BitLocker recovery keys.
• Configure the usage location for the users in contoso.com.
You need to assign roles to Admin to meet the requirements. The solution must use the principle of least privilege.
Which two roles should you assign? To answer, select the appropriate options in the answer area.
 

You have a Microsoft 365 E5 subscription that contains a user named User1.
You create a retention label named Retention1 that is published to all locations.
You need to ensure that User1 can label email messages by using Retention1 as soon as possible.
Which cmdlet should you run in Microsoft Exchange Online PowerShell?

A. Start-ManagedFolderAssistant

B. Start-MpScan

C. Start-AppBackgroundTask

D. Start-Process

You have a Microsoft 365 E5 tenant.
You create an auto-labeling policy to encrypt emails that contain a sensitive info type. You specify the locations where the policy will be applied.
You need to deploy the policy.
What should you do first?

A. Run the policy in simulation mode.

B. Configure Azure Information Protection analytics.

C. Review the sensitive information in Activity explorer.

D. Turn on the policy.

HOTSPOT -
Your company has a Microsoft 365 E5 subscription.
You need to perform the following tasks:
View the Adoption Score of the company.
Create a new service request to Microsoft.
Which two options should you use in the Microsoft 365 admin center? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
 

You have a Microsoft 365 subscription.
You register two applications named App1 and App2 to Azure AD.
You need to ensure that users who connect to App1 require multi-factor authentication (MFA). MFA is required only for App1. What should you do?

A. From the Microsoft Entra admin center, create a conditional access policy.

B. From the Microsoft 365 admin center, configure the Modem authentication settings.

C. From the Enterprise applications blade of the Microsoft Entra admin center, configure the Users settings.

D. From Multi-Factor Authentication, configure the service settings.

You have a Microsoft 365 subscription that uses retention policies.
You implement a preservation lock on a retention policy that is assigned to all executive users.
Which two actions can you perform on the retention policy after you implemented the preservation lock? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. Add locations to the policy.

B. Reduce the duration of policy.

C. Remove locations from the policy.

D. Extend the duration of the policy.

E. Disable the policy.

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 E5 subscription.
You create an account for a new security administrator named SecAdmin1.
You need to ensure that SecAdmin1 can manage Microsoft Defender for Office 365 settings and policies for Microsoft Teams, SharePoint, and OneDrive.
Solution: From the Microsoft Entra admin center, you assign SecAdmin1 the Security Administrator role.
Does this meet the goal?

A. Yes

B. No

You have a Microsoft 365 subscription that contains an Azure AD tenant named contoso.com. The tenant includes a user named User1.
You enable Azure AD Identity Protection.
You need to ensure that User1 can review the list in Azure AD Identity Protection of users flagged for risk. The solution must use the principle of least privilege.
To which role should you add User1?

A. Compliance Administrator

B. Security Administrator

C. Service Administrator

D. User Administrator

You have a Microsoft 365 E5 tenant.
You create a retention label named Retention1 as shown in the following exhibit.
 
When users attempt to apply Retention1, the label is unavailable.
You need to ensure that Retention1 is available to all the users.
What should you do?

A. Create a new label policy.

B. Modify the Authority type setting for Retention1.

C. Modify the Business function/department setting for Retention1.

D. Use a file plan CSV template to import Retention1.

HOTSPOT
-
Your company has a Microsoft 365 subscription that uses an Azure AD tenant named contoso.com. The tenant contains the users shown in the following table.
 
You create a retention label named Label1 that has the following configurations:
• Retains content for five years
• Automatically deletes all content that is older than five years
You turn on Auto labeling for Label1 by using a policy named Policy1. Policy1 has the following configurations:
• Applies to content that contains the word Merger
• Specifies the OneDrive accounts and SharePoint sites locations
You run the following command.
Set-RetentionCompliancePolicy Policyl -RestrictiveRetention $true -Force
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
 

You have a Microsoft 365 E5 subscription that is linked to an Azure AD tenant named contoso.com.
You purchase 100 Microsoft 365 Business Voice add-on licenses.
You need to ensure that the members of a group named Voice are assigned a Microsoft 365 Business Voice add-on license automatically.
What should you do?

A. From the Licenses page of the Microsoft 365 admin center, assign the licenses.

B. From the Microsoft Entra admin center, modify the settings of the Voice group.

C. From the Microsoft 365 admin center, modify the settings of the Voice group.

You have a Microsoft 365 subscription that contains the alerts shown in the following table.
 
Which properties of the alerts can you modify?

A. Status only

B. Status and Comment only

C. Status and Severity only

D. Status, Severity, and Comment only

E. Status, Severity, Comment and Category

HOTSPOT
-
You have a Microsoft 365 E5 subscription.
You plan to create the data loss prevention (DLP) policies shown in the following table.
 
You need to create DLP rules for each policy.
Which policies support the sender is condition and the file extension is condition? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
 

HOTSPOT
-
You configure an anti-phishing policy as shown in the following exhibit.
 
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
 

You have a Microsoft 365 E5 subscription.
You need to create a mail-enabled contact.
Which portal should you use?

A. the Microsoft Teams admin center

B. the Intune admin center

C. the Microsoft 365 Defender portal

D. the Exchange admin center

Your network contains an Active Directory forest named contoso.local.
You have a Microsoft 365 subscription.
You plan to implement a directory synchronization solution that will use password hash synchronization.
From the Microsoft 365 admin center, you successfully verify the contoso.com domain name.
You need to prepare the environment for the planned directory synchronization solution.
What should you do first?

A. From the Microsoft 365 admin center, verify the contoso.local domain name.

B. From the public DNS zone of contoso.com, add a new mail exchanger (MX) record.

C. From Active Directory Domains and Trusts, add contoso.com as a UPN suffix.

D. From Active Directory Users and Computers, modify the UPN suffix for all users.

HOTSPOT
-
You have a Microsoft 365 subscription.
You need to identify all users that have an Enterprise Mobility + Security plan, and then provide a list of the users in the CSV format.
Which settings should you use in the Microsoft 365 admin center, and which option should you select? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
 

You have a Microsoft 365 E5 subscription.
Users access Microsoft 365 from both their laptop and a corporate Virtual Desktop Infrastructure (VDI) solution.
From Azure AD Identity Protection, you enable a sign-in risk policy.
Users report that when they use the VDI solution, they are regularly blocked when they attempt to access Microsoft 365.
What should you configure?

A. the Tenant restrictions settings in Azure AD

B. a trusted location

C. a Conditional Access policy exclusion

D. the Microsoft 365 network connectivity settings

You have a Microsoft 365 E5 subscription.
From the Microsoft 365 Defender portal, you review your company’s Microsoft Secure Score.
You discover a large number of recommended actions.
You need to ensure that the actions can be filtered based on specific department names.
What should you create first?

A. a dynamic security group

B. a tag

C. an administrative unit

D. a custom detection rule

Your company has a Microsoft 365 E5 subscription.
You onboard a device on the company's network to Microsoft Defender for Endpoint.
In the Microsoft 365 Defender portal, you notice that the device inventory displays many devices that have an Onboarding status of Can be onboarded.
You need to ensure that onboarded devices are prevented from polling the network for device discovery but can still discover devices with which they communicate directly.
What should you configure in the Microsoft 365 Defender portal?

A. standard discovery

B. device discovery exclusions

C. basic discovery

D. a network assessment job

You have a Microsoft 365 E5 subscription that contains the following user:
Name: User1 -
UPN:
user1@contoso.com
-
Email address:
user1@marketmg.contoso.com
MFA enrollment status: Disabled -
When User1 attempts to sign in to Outlook on the web by using the
user1@marketing.contoso.com
email address, the user cannot sign in.
You need to ensure that User1 can sign in to Outlook on the web by using
user1@marketing.contoso.com
.
What should you do?

A. Assign an MFA registration policy to User1.

B. Reset the password of User1.

C. Add an alternate email address for User1.

D. Modify the UPN of User1.