DECK 3

Question 1

Office file types that support sensitivity labels are .docx and .xlsx

Office versions requiring an add-in for sensitivity labels are Office 2016 and….

Sensitivity labels aren’t visible in apps to users in other orgs or guest

Documents and emails can have both a sensitivity label and a…

Answer 1

-Office 2019

-retention label

Question 2

Among others, sensitivity labels can encrypt an email, apply watermarks, and be used to….

Labels need scopes, such as what apps/services the label can be used for.

Labels need priorities. Lowest restrictive is at top, most restrictive is at bottom

Answer 2

-allow some to mod a document while others can only read.

Question 3

Sublabels are what the user chooses. If a label has a sublabel, the parent label…

Label policies need to be created after making label.

-……records prevent an item from being deleted, even by global admins

Answer 3

-can’t be chosen

-regulatory

Question 4

Content CANNOT be defined for Exchange in you DLP policy if you choose….

Answer 4

-retention labels

Question 5

SENSITIVITY LABELS

On the DLP chart, what is the only content that CANNOT be defined by a sensitivity label?

On the DLP chart, only sharepoint and one drive has content that can be defined by a… label

https://learn.microsoft.com/en-us/purview/dlp-policy-reference#location-support-for-how-content-can-be-defined

Answer 5

-Teams

Retention

Question 6

Mail enabled security, security, and 365 groups can all be used to assign the Endpoint Security Manager role

If you are a user admin SPECIFICALLY for a group/admin unit, you can only reset the passwords of that unit.

Question 7

Signing users out for inactivity is found in…settings.

Intergrating tools (support integration) is found in Org settings

Devices that match more than 1 group take on which group?

Answer 7

Privacy/security

Highest ranked

Question 8

Global AND Security admins can turn on RBAC

Question 9

Windows 10 and later and Server 2019 and later can do discovery

….discovery allows onboarded devices in Defender for Endpoint to PASSIVELY (NO NETWORK TRAFFIC) discover unmanaged devices

standard discovery uses a little net traffic to probe devices to ENRICH data found from basic discovery.

Discovery can be turned off

Question 10

Use local scripts to onboard MacOS devices in INTUNE

Licenses can be assigned to ANY security group, including…

When creating reports, you can choose the columns for different apps or services

Answer 10

-M365 groups that are security enabled

Question 11

Entra Connect Health needs to be installed on ALL on premises servers. It monitors health of servers. What license do you need?

Only fully setup domains can receive inbound emails. But, fully setup domains and domains with….
can have usernames added

-Teams files are stored in…

Answer 11

-P1
-incomplete services
-sharepoint

Question 12

To view stats on teams storage usage you must go to Sharepoint site usage report

Changing primary domain WONT change usernames of existing users

Verifying a root domain automatically verifies what?

Answer 12

-sub domains (but each subdomain needs enterpriseregristation DNS records)

Question 13

Can’t delete custom domains if ANY resource in ORG relies on it. Also, best to use a global admin account that uses either the default domain (onmicrosoft.com) OR…

Set-AzureADDomain= updates a domain

New-AzureADDomain=creates a domain

….-AzureADDomainName Reference= retrieves objects that are referenced by a given domain name

Answer 13

-different custom domain
-Get

Question 14

Azure monitor workbooks support KQL and retain reports for a year.

it is found in Azure portal > monitor> workbooks

Standard roles with access to the workbooks are Monitoring Reader and…

Answer 14

-Monitoring Contributor

Question 15

Endpoint Analytics is part of adoption score. They give…

Devices can enroll in Endpoint via Configuration Managment or…

Windows 10 1903 or later and July 2021 cumulative updated are needed for Endpoint

Answer 15

-insight on user experience

-Intune

Question 16

to join endpoint, devices must be Entra or Entra….

Global Admins, Intune Service Admins, and Reports Readers have access. Which is least priv?

Answer 16

-hybrid joined

-Reports Reader

Question 17

Least priv role for naming groups is….

-Group name policies are created in Entra ID and apply only to 365 groups

Security groups can be members of other security groups.

Answer 17

-Groups admin

Question 18

Licensing doesn’t support nested groups. Only first level users get licenses in terms of nested groups.

EX: Group 2 is part of group 1. User 2 is part of group 2. User 1 is part of Group 1. User 1 gets the license because of membership to group 1, 2 doesn’t because of membership to group 2

Question 19

Only roles that can invite guest users are Global admin, user admin, and….when “specific roles can invite guest” radio button is on.

Directory read permissions are applied TENANT wide, not to AUs

If external share settings are default, ALL users can invite guest.

Only Security admins and Global admins can change….

Answer 19

-Guest inviter

-password policy

Question 20

Only Global admins and…..can add, remove, modify domains.

Conditional access policies only apply after first factor auth is completed

GPS based conditional access ONLY works if you have first factor auth (like a password) and that auth completes and if you must have…

Answer 20

-Domain Name Admins

-Authenticator app

Question 21

CONDITIONAL ACCESS LOCATION POLICY

-You can set “Any location” which applies to all IPs but you can still add exception, like corporate network

Admins are always enabled to use SSPR but admins MUST use two methods to reset password (like security questions)

Question 22

Only non-admin role that can both CHANGE and VIEW settings in Entra Connect health. What role can only view?

Entra Hybrid Identity Admins receive what role by default in Entra Connect Health?

Entra Connect Health must be installed on every server and needs a P1 or P2 license

Answer 22

-Contributor. Reader

-Owner