Questions 61-90 Flashcards
Your company has devices that run either Windows 10, Windows 11, or Windows Server.
You are in the process of improving the security posture of the devices.
You plan to use security baselines from the Microsoft Security Compliance Toolkit.
What should you recommend using to compare the baselines to the current device configurations?
A. Microsoft Intune B. Local Group Policy Object (LGPO) C. Windows Autopilot D. Policy Analyzer
D. Policy Analyzer
You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled.
The Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019.
You need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator authorizes the application.
Which security control should you recommend?
A. Azure Active Directory (Azure AD) Conditional Access App Control policies B. OAuth app policies in Microsoft Defender for Cloud Apps C. app protection policies in Microsoft Endpoint Manager D. application control policies in Microsoft Defender for Endpoint
D. application control policies in Microsoft Defender for Endpoint
Your company has a hybrid cloud infrastructure.
The company plans to hire several temporary employees within a brief period. The temporary employees will need to access applications and data on the company’s on-premises network.
The company’s security policy prevents the use of personal devices for accessing company data and applications.
You need to recommend a solution to provide the temporary employee with access to company resources. The solution must be able to scale on demand.
What should you include in the recommendation?
A. Deploy Azure Virtual Desktop, Azure Active Directory (Azure AD) Conditional Access, and Microsoft Defender for Cloud Apps. B. Redesign the VPN infrastructure by adopting a split tunnel configuration. C. Deploy Microsoft Endpoint Manager and Azure Active Directory (Azure AD) Conditional Access. D. Migrate the on-premises applications to cloud-based applications.
A. Deploy Azure Virtual Desktop, Azure Active Directory (Azure AD) Conditional Access, and Microsoft Defender for Cloud Apps.
Your company has a Microsoft 365 E5 subscription.
The Chief Compliance Officer plans to enhance privacy management in the working environment.
You need to recommend a solution to enhance the privacy management. The solution must meet the following requirements:
✑ Identify unused personal data and empower users to make smart data handling decisions.
✑ Provide users with notifications and guidance when a user sends personal data in Microsoft Teams.
✑ Provide users with recommendations to mitigate privacy risks.
What should you include in the recommendation?
A. communication compliance in insider risk management B. Microsoft Viva Insights C. Privacy Risk Management in Microsoft Priva D. Advanced eDiscovery
C. Privacy Risk Management in Microsoft Priva
HOTSPOT -
You have a Microsoft 365 E5 subscription and an Azure subscription.
You need to evaluate the existing environment to increase the overall security posture for the following components:
✑ Windows 11 devices managed by Microsoft Intune
✑ Azure Storage accounts
✑ Azure virtual machines
What should you use to evaluate the components? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer Area:
Windows 11 devices:
* Microsoft 365 compliance center
* Microsoft 365 Defender
* Microsoft Defender for Cloud
* Microsoft Sentinel
Azure virtual machines:
* Microsoft 365 compliance center
* Microsoft 365 Defender
* Microsoft Defender for Cloud
* Microsoft Sentinel
Azure Storage accounts:
* Microsoft 365 compliance center
* Microsoft 365 Defender
* Microsoft Defender for Cloud
* Microsoft Sentinel
Windows 11 devices: Microsoft 365 Defender
Azure virtual machines: Microsoft Defender for Cloud
Azure Storage accounts: Microsoft Defender for Cloud
DRAG DROP -
You have a Microsoft 365 subscription.
You need to recommend a security solution to monitor the following activities:
✑ User accounts that were potentially compromised
✑ Users performing bulk file downloads from Microsoft SharePoint Online
What should you include in the recommendation for each activity? To answer, drag the appropriate components to the correct activities. Each component may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Components:
* A data loss prevention (DLP) policy
* Azure Active Directory (Azure AD) Conditional Access
* Azure Active Directory (Azure AD) Identity protection
* Microsoft Defender for Cloud
* Microsoft Defender for Cloud Apps
Answer Area:
User accounts that were potentially compromised: ??????????
Users performing bulk file downloads from SharePoint Online: ??????????
User accounts that were potentially compromised: Azure Active Directory (Azure AD) Identity protection
Users performing bulk file downloads from SharePoint Online: Microsoft Defender for Cloud Apps
You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled.
The Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019.
You need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator authorizes the application.
Which security control should you recommend?
A. adaptive application controls in Defender for Cloud B. app protection policies in Microsoft Endpoint Manager C. app discovery anomaly detection policies in Microsoft Defender for Cloud Apps D. Azure Security Benchmark compliance controls in Defender for Cloud
A. adaptive application controls in Defender for Cloud
A customer is deploying Docker images to 10 Azure Kubernetes Service (AKS) resources across four Azure subscriptions.
You are evaluating the security posture of the customer.
You discover that the AKS resources are excluded from the secure score recommendations.
You need to produce accurate recommendations and update the secure score.
Which two actions should you recommend in Microsoft Defender for Cloud? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Enable Defender plans. B. Configure auto provisioning. C. Add a workflow automation. D. Assign regulatory compliance policies. E. Review the inventory.
A. Enable Defender plans.
B. Configure auto provisioning.
Your company is exploring migrating data into Azure. They would like to have a central authentication solution when accessing the data. They have chosen Azure Active Directory.
Which two storage types natively support Active Directory authentication?
A. Azure Data Box B. Azure Data Lake Storage Gen2 C. Azure File Share D. Azure Storage blob containers
B. Azure Data Lake Storage Gen2
D. Azure Storage blob containers
Your company has Microsoft 365 E5 licenses and Azure subscriptions.
The company plans to automatically label sensitive data stored in the following locations:
✑ Microsoft SharePoint Online
✑ Microsoft Exchange Online
✑ Microsoft Teams
You need to recommend a strategy to identify and protect sensitive data.
Which scope should you recommend for the sensitivity label policies? To answer, drag the appropriate scopes to the correct locations. Each scope may only be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Scopes:
* Files and emails
* Groups and sites
* Schematized data assets
Answer Area:
SharePoint Online: ??????????
Microsoft Teams: ??????????
Exchange Online: ??????????
SharePoint Online: Groups and sites
Microsoft Teams: Groups and sites
Exchange Online: Files and emails
Your company has a Microsoft 365 E5 subscription.
The company plans to deploy 45 mobile self-service kiosks that will run Windows 10.
You need to provide recommendations to secure the kiosks. The solution must meet the following requirements:
✑ Ensure that only authorized applications can run on the kiosks.
✑ Regularly harden the kiosks against new threats.
Which two actions should you include in the recommendations? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Implement Automated investigation and Remediation (AIR) in Microsoft Defender for Endpoint. B. Onboard the kiosks to Microsoft Intune and Microsoft Defender for Endpoint. C. Implement threat and vulnerability management in Microsoft Defender for Endpoint. D. Onboard the kiosks to Azure Monitor. E. Implement Privileged Access Workstation (PAW) for the kiosks.
B. Onboard the kiosks to Microsoft Intune and Microsoft Defender for Endpoint.
E. Implement Privileged Access Workstation (PAW) for the kiosks.
You have a Microsoft 365 E5 subscription.
You are designing a solution to protect confidential data in Microsoft SharePoint Online sites that contain more than one million documents.
You need to recommend a solution to prevent Personally Identifiable Information (PII) from being shared.
Which two components should you include in the recommendation? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. data loss prevention (DLP) policies B. retention label policies C. eDiscovery cases D. sensitivity label policies
A. data loss prevention (DLP) policies
D. sensitivity label policies
Your company has a Microsoft 365 E5 subscription.
Users use Microsoft Teams, Exchange Online, SharePoint Online, and OneDrive for sharing and collaborating.
The company identifies protected health information (PHI) within stored documents and communications.
What should you recommend using to prevent the PHI from being shared outside the company?
A. sensitivity label policies B. data loss prevention (DLP) policies C. insider risk management policies D. retention policies
B. data loss prevention (DLP) policies
Your company is developing an invoicing application that will use Azure Active Directory (Azure AD) B2C. The application will be deployed as an App Service web app.
You need to recommend a solution to the application development team to secure the application from identity-related attacks.
Which two configurations should you recommend? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Azure AD workbooks to monitor risk detections B. Azure AD Conditional Access integration with user flows and custom policies C. smart account lockout in Azure AD B2C D. access packages in Identity Governance E. custom resource owner password credentials (ROPC) flows in Azure AD B2C
B. Azure AD Conditional Access integration with user flows and custom policies
C. smart account lockout in Azure AD B2C
Your company develops several applications that are accessed as custom enterprise applications in Azure Active Directory (Azure AD).
You need to recommend a solution to prevent users on a specific list of countries from connecting to the applications.
What should you include in the recommendation?
A. activity policies in Microsoft Defender for Cloud Apps B. sign-in risk policies in Azure AD Identity Protection C. Azure AD Conditional Access policies D. device compliance policies in Microsoft Endpoint Manager E. user risk policies in Azure AD Identity Protection
C. Azure AD Conditional Access policies
You have a customer that has a Microsoft 365 subscription and an Azure subscription.
The customer has devices that run either Windows, iOS, Android, or macOS. The Windows devices are deployed on-premises and in Azure.
You need to design a security solution to assess whether all the devices meet the customer’s compliance rules.
What should you include in the solution?
A. Microsoft Defender for Endpoint B. Microsoft Endpoint Manager C. Microsoft Information Protection D. Microsoft Sentinel
B. Microsoft Endpoint Manager
Your company has an Azure subscription that has enhanced security enabled for Microsoft Defender for Cloud.
The company signs a contract with the United States government.
You need to review the current subscription for NIST 800-53 compliance.
What should you do first?
A. From Defender for Cloud, review the secure score recommendations. B. From Microsoft Sentinel, configure the Microsoft Defender for Cloud data connector. C. From Defender for Cloud, review the Azure security baseline for audit report. D. From Defender for Cloud, add a regulatory compliance standard.
D. From Defender for Cloud, add a regulatory compliance standard.
You have Windows 11 devices and Microsoft 365 E5 licenses.
You need to recommend a solution to prevent users from accessing websites that contain adult content such as gambling sites.
What should you include in the recommendation?
A. Compliance Manager B. Microsoft Defender for Cloud Apps C. Microsoft Endpoint Manager D. Microsoft Defender for Endpoint
D. Microsoft Defender for Endpoint
You have a Microsoft 365 E5 subscription.
You need to recommend a solution to add a watermark to email attachments that contain sensitive data.
What should you include in the recommendation?
A. Microsoft Defender for Cloud Apps B. Microsoft Purview Information Protection C. insider risk management D. Azure Purview
B. Microsoft Purview Information Protection
You have an on-premises network that has several legacy applications. The applications perform LDAP queries against an existing directory service.
You are migrating the on-premises infrastructure to a cloud-only infrastructure.
You need to recommend an identity solution for the infrastructure that supports the legacy applications. The solution must minimize the administrative effort to maintain the infrastructure.
Which identity service should you include in the recommendation?
A. Azure Active Directory (Azure AD) B2C B. Azure Active Directory Domain Services (Azure AD DS) C. Azure Active Directory (Azure AD) D. Active Directory Domain Services (AD DS)
B. Azure Active Directory Domain Services (Azure AD DS)
HOTSPOT -
Your company is migrating data to Azure. The data contains Personally Identifiable Information (PII).
The company plans to use Microsoft Information Protection for the PII data store in Azure.
You need to recommend a solution to discover PII data at risk in the Azure resources.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer Area
To connect the Azure data sources to Microsoft Information Protection:
* Azure Purview
* Endpoint data loss prevention
* Microsoft Defender for Cloud Apps
* Microsoft Information Protection
To triage security alerts related to resources that contain PII data:
* Azure Monitor
* Endpoint data loss prevention
* Microsoft Defender for Cloud
* Microsoft Defender for Cloud Apps
To connect the Azure data sources to Microsoft Information Protection: - Azure Purview
To triage security alerts related to resources that contain PII data: - Microsoft Defender for Cloud
Your company is developing a serverless application in Azure that will have the architecture shown in the following exhibit.
–>Key ^Vault<–
Other services and clients–>Patient API in API Management–>Patient API–>Audit API
–>Mongo API on Azure Cosmos DB<–
You need to recommend a solution to isolate the compute components on an Azure virtual network.
What should you include in the recommendation?
A. Azure Active Directory (Azure AD) enterprise applications B. an Azure App Service Environment (ASE) C. Azure service endpoints D. an Azure Active Directory (Azure AD) application proxy
B. an Azure App Service Environment (ASE)
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You are evaluating the Azure Security Benchmark V3 report as shown in the following exhibit.
Microsoft Defender for Cloud
Azure Security Benchmark V3
You need to verify whether Microsoft Defender for servers is installed on all the virtual machines that run Windows.
Which compliance control should you evaluate?
A. Asset Management B. Posture and Vulnerability Management C. Data Protection D. Endpoint Security E. Incident Response
D. Endpoint Security
HOTSPOT -
Your company has a multi-cloud environment that contains a Microsoft 365 subscription, an Azure subscription, and Amazon Web Services (AWS) implementation.
You need to recommend a security posture management solution for the following components:
✑ Azure IoT Edge devices
✑ AWS EC2 instances
Which services should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer Area
For the IoT Edge devices:
* Azure Arc
* Microsoft Defender for Cloud
* Microsoft Defender for Cloud Apps
* Microsoft Defender for Endpoint
* Microsoft Defender for IoT
For the AWS EC2 instances:
* Azure Arc only
* Microsoft Defender for Cloud and Azure Arc
* Microsoft Defender for Cloud Apps only
* Microsoft Defender for Cloud only
* Microsoft Defender for Endpoint and Azure Arc
* Microsoft Defender for Endpoint only
For the IoT Edge devices: - Microsoft Defender for IoT
For the AWS EC2 instances: - Microsoft Defender for Cloud and Azure Arc
