Monitor and investigate data and activities

Question 1

What are the functionalities of Content Search? (2)

Answer 1

Search and export

Question 2

What are the functionalities of eDiscovery Standard? (3)

Answer 2

All of Content Search + case management and legal holds

Question 3

What are the functionalities of eDiscovery Premium? (8)

Answer 3

All of eDiscovery Standard +
1) Assign case to people outside of your organization
2) legal hold notification
3) advanced indexing
4) tagging
5) analytics e.g., ML-based predictive coding
6) end-to-end workflow
7) OCR
8) review sets

Question 4

What is the functionality that helps reducing the number of content match to the most useful one?

Answer 4

ML based predictive coding

Question 5

What are the limitations of Content Search in a hybrid Exchange set-up?

Answer 5

You cannot search on-premise

Question 6

What is the maximum number of conditions in a Content Search query?

Answer 6

100

Question 7

What is a Review Set?

Answer 7

A secure Microsoft-provided Azure storage location where the the result of a search can be added. It is possible to export to customer owner location. This is a eDiscovery Premium feature.

Question 8

What are the two things you need to open exported search results?

Answer 8

1) Export Key 2) eDiscovery Export Tool

Question 9

What are the search preview limitations? (3)

Answer 9

1000 files or max 100/location (whichever is smaller), Other elements than Emails in Outlook (calendar items, tasks, contacts, folders, lists)

Question 10

On which standards is the M365 Baseline Score based on? (3)

Answer 10

NIST CSF, ISO and FedRAMP

Question 11

What can you add in addition to users when adding people that will be able to manage an ediscovery case?

Answer 11

Role groups

Question 12

How long does it take for a eDiscovery hold to take effect?

Answer 12

Up to 24 hours

Question 13

When creating a eDiscovery hold, for which location do you need to select the specific locations where it will apply?

Answer 13

Exchange (specific mailboxes) and SharePoint (specific sites)

Question 14

What are the two options to download a eDiscovery case?

Answer 14

1) Using a Microsoft provided Azure space to export outside of the organization 2) Using eDiscovery Export Tool to download locally

Question 15

How is the compliance score determined?

Answer 15

It is the sum of the improvement actions scores, which depend on whether the action is mandatory/discretionary and if it is preventive/detective/corrective.

Question 16

What is the difference between technical and non-technical remediation actions in how they affect the compliance score?

Answer 16

Non-technical are counted only once per Group, while technical are counted once

Question 17

To which format is data from a Content Search exported?

Answer 17

Email: PST
SharePoint/OneDrive: Native document format

Question 18

What are the 3 technical requirements to be able to export Content Search?

Answer 18

1) Latest Windows or .NET Framework
2) Edge
3) being connected to the temporary Azure space where the files will be stored temporarily

Question 19

How long are results of a Content Search stored for?

Answer 19

2 weeks

Question 20

Why should you protect the Export Key?

Answer 20

Because it can be used by anyone to download search results

Question 21

What other information does an export from Content Search contains? (4)

Answer 21

1) Summary
2) Errors
3) Skipped items reports
4) trace log about the export process
Note that it is also possible to only download these reports

Question 22

What are three tips to speed the download of the Content Search exports?

Answer 22

1) Disabled anti-virus scanning
2) Download only to internal drive (no network/external drive or OneDrive)
3) Download to different folders for concurrent download jobs

Question 23

What is Search Permission Filers?

Answer 23

It limits what an eDiscovery manager is able to search for (content/location)

Question 24

What is the PowerShell command to limit what an eDiscovery Manager is able to search for?

Answer 24

New-ComplianceSecurityFilter

Question 25

What does the New-ComplianceSecurityFilter do?

Answer 25

It limits what an eDiscovery manager is able to search for (content/location)

Question 26

What role group must you be part of in order to use New-ComplianceSecurityFilter?

Answer 26

Organization Management

Question 27

What are the limitations when deleting content identified via a Content Search? (4)

Answer 27

1) Other locations than Exchange Online mailboxes and public folders.
2) Max 10 items per mailbox at a time
3) Max 50’000 mailboxes
4) Content in a review set (i.e., only content from live system can be deleted)

Question 28

What should you do if you want to delete content from more than 50k mailboxes?

Answer 28

Use Search Permission Filters to reduce the scope of the search to e.g., one department

Question 29

What are the steps to search and delete content? What is the PowerShell command to delete?

Answer 29

1) Connect to the Securit&Compliance module in PowerShell
2) Run the search (in PowerShell or in Purview)
3) Delete using New-ComplianceSearch Action -Purge

Question 30

What does the Assessment tab of the Compliance Manager area contains?

Answer 30

List of compliance/security/privacy standard and underlying controls

Question 31

How can you update the improvement actions from the Compliance Manager?

Answer 31

By downloading them into a ExportActions.xlsx file and updating them in Excel

Question 32

Is 10-year audit retention included in E5 license?

Answer 32

No, this has to be purchased as an add-on license for each user

Question 33

When creating an alert based on unusual activity, how long does it take for the baseline to be created?

Answer 33

7 days

Question 34

When implementing an improvement action, how long does it take for the Compliance Manager portal to be updated?

Answer 34

Up to 24 hours

Question 35

What can a eDiscovery Manager do? (5)

Answer 35

1) Create/manage eDiscovery cases
2) Add/remove members/custodians to a case
3) Place hold
4) Create/edit searche
5) Export content

Question 36

What can a eDiscovery Administrator do that a eDiscovery Manager can’t? (2)

Answer 36

1) View and manage any case
2) Remove members of any eDiscovery cases

Question 37

Which role groups can create cases?

Answer 37

eDiscovery Manager/Admin and Organization Management

Question 38

What is the maximum number of keywords in a combined hold + search query?

Answer 38

500

Question 39

What happens if the maximum number of keywords in a combined hold + search query is reached?

Answer 39

The entire mailbox is searched

Question 40

How long does it take for a hold removal to take effect and how is this called?

Answer 40

30 days - Delay hold

Question 41

What is the difference between closed and deleted cases?

Answer 41

A closed case only means that the holds are turned off, but it is still possible to create/export searches and to re-open it, while a deleted case removes all data associated to it (no re-open possible)

Question 42

How long does it take for the closing or re-opening process of an ediscovery case to complete?

Answer 42

60 min

Question 43

What should you pay attention to when re-opening a case?

Answer 43

It does not automatically re-activate the holds

Question 44

What should you pay attention to when deleting a case?

Answer 44

You must first delete all the holds, else you will get an error

Question 45

If you add a Group to a search settings, what will be searched?

Answer 45

The Group mailbox only, NOT the mailboxes of the group members

Question 46

What additional functionalities does Audit Premium offers compared to Audit Standard? (5)

Answer 46

1) Audit log retention policies up to 10 years
2) Intelligent insights
3) More capabilities for searches e.g., more events to search
4) Higher bandwidth for searches through the O365 Management APO
5) 1 year default retention policy instead of 180 days for OneDrive, Exchange, SharePoint and Entra

Question 47

What is the baseline bandwidth for searches?

Answer 47

2000 researches/minute

Question 48

Which role group is able to turn on and off automated remediation action for all actions globally?

Answer 48

Global Admin, and it is the only one

Question 49

What actions are you able to perform on history of users working on remediation actions? (3)

Answer 49

Export, re-assign and delete

Question 50

Which model does the built-in workflow for eDiscovery alignes with?

Answer 50

Electronic Discovery Reference Model

Question 51

What are Data Custodians?

Answer 51

Users of interest that can be added to a case

Question 52

Which of these require a M365 E5 licence: data custodians, users added as manager/lawyers of an eDiscovery case?

Answer 52

Only the data custodians

Question 53

What is advanced re-indexing?

Answer 53

It re-indexes the content associated to a custodian, to allow the content to be easily searchable

Question 54

What should you pay attention to when associating other data sources to a data custodian?

Answer 54

For Teams and Viva, you need to add both the mailbox and the site (adding one does not automatically add the other)

Question 55

What is the maximum number of documents that can be added to a case?

Answer 55

40 millions

Question 56

What is the maximum volume of data that can be collected in a single collection?

Answer 56

1TB

Question 57

What is the maximum volume of data that can be put in a review set (pre-expansion)?

Answer 57

1TB

Question 58

In which format are the Teams/Viva conversations stored?

Answer 58

HTML

Question 59

What is the maximum capacity supported by the export job?

Answer 59

Min (500GB : 5 million documents)

Question 60

What are 3 data analysis tools proposed in eDiscovery Premium?

Answer 60

1) Near duplicate detection
2) Email threading
3) Theme (i.e, assigning a dominent theme to a conversation)h

Question 61

What is a pivot?

Answer 61

When performing near duplicate detection, Microsoft groups textually similar documents and defines a pivot, which is the document that all other documents within the near duplicate group are compared to.

Question 62

What are the 4 categories in which email messages are divided into?

Answer 62

1) Inclusive
2) Inclusive minus
3) Inclusive copy
4) None

Question 63

What does the “Inclusive” email message type entails?

Answer 63

The final email message in an email threat, which contains all the previous content of that email thread

Question 64

What does the “Inclusive minus” email message type entails?

Answer 64

An email message that has one or more attachments associated with it

Question 65

What does the “Inclusive copy” email message type entails?

Answer 65

An email message that is an exact copy of an Inclusive or Inclusive minus message

Question 65

What does the “None” email message type entails?

Answer 65

An email message whose content is wholly contained in at least one other email message marked as Inclusive or Inclusive minus

Question 66

What is the PoweShell command to search audit events?

Answer 66

Search-UnifiedAuditLog

Question 67

What is the role required to search audit log?

Answer 67

View-Only Audit Log

Question 68

How can you search multiple audit events in PowerShell?

Answer 68

As the Search-UnifiedAuditLog supports only one event per query, you need to append the second query to the the first CSV search results

Question 69

How many user and admin activities are being logged?

Answer 69

Over 100

Question 70

How many events can be returned in one audit search?

Answer 70

Max 50k

Question 71

The IP field of my search result is blank, why? (2)

Answer 71

Because the activity that was logged was performed by
1) an admin
2) a system account of Microsoft Entra related event

Question 72

The IP field of my search result is not that of the user who performed the action, why?

Answer 72

When a trust application is calling a service on behalf of a user, its IP address is logged instead of the one from the user

Question 73

What does the AuditData column of the audit export data CSV contains?

Answer 73

Additional information about the event in JSON format (field are event-specific)ow

Question 74

How can you extract the AuditData JSON into columns in Excel, and what you should pay attention to when performing this?

Answer 74

Using PoweQuery Editor, but it will only look at the properties of the first 1000 rows

Question 75

What is one limitation of mailbox auditing?

Answer 75

It does not record activities performed by delegate users

Question 76

What are the two possible commands to search mailbox audit for specific users?

Answer 76

Search-MailboxAuditLog
New Mailbox Audit Log Search

Question 77

To use Audit Premium functionalities, is it sufficient that the person performing the audit has an E5 license?

Answer 77

No, the user whose data you want to retain or use E5 functionalities for such as special types of events needs an E5 license

Question 78

What are the new events that can be recorded in Audit Premium? And which of these first require to be enabled in PoweShell before they are logged?

Answer 78

MailItemAccessed
Send
SearchQueryInitiatedExchange => need to be enabled in PowerShell
SearchQueryInitatedSharePoint => need to be enabled in PowerShell

Question 79

What is the event name corresponding to “MailItemAccessed” cmdlet?

Answer 79

Accessed mailbox items

Question 80

What is the event name corresponding to “Send” cmdlet?

Answer 80

Sent message (incl. reply, forward, send email)

Question 81

What is the event name corresponding to “SearchQueryInitiatedExchange” cmdlet?

Answer 81

Performed email search

Question 82

How does bandwidth of the API using Audit Premium differs from Audit Standard?

Answer 82

Standard: Publisher-level limit
Premium: Tenant-level limit
Baseline is 2000 requests/minute in both cases, that can automatically increase based on the org seat count and license (for Premium it can increase more, as the limit is at tenant level)

Question 83

How many audit log retention policies can you define?

Answer 83

Max 50

Question 84

Is it possible to edit the default audit log retention policy?

Answer 84

No, and it is not display. Custom retention policies take precedence over the default one.

Question 85

What is the PowerShell command to set an audit log retention policy?

Answer 85

New-UnifiedAuditLogRetentionPolicy

Question 86

What is the PowerShell command to 1) view 2) Edit 3) Delete an audit log retention policy?

Answer 86

1) Get 2) Set 3) Remove

Question 87

What is the difference between sync and bind MailItemAccessed?

Answer 87

Bind: Individual access to email message (one event per mail item)
Sync: Desktop version of Outlook accessing the mailbox (only one event per sync, not per mail item)

Question 88

What is the limitation of bind audit log generation?

Answer 88

It stops generating bind audit log if there are more than 1000 records created in less than 24 hours