SC - 900 Exam Questions Flashcards

Question

Which feature provides the extended detection and response (XDR) capability of Azure Sentinel? A. integration with the Microsoft 365 compliance centre B. support for threat hunting C. integration with Microsoft 365 Defender D. support for Azure Monitor Workbooks

Answer 1

C. integration with Microsoft 365 Defender Azure Sentinel is a cloud-native security information and event management (SIEM) solution offered by Microsoft. It provides intelligent security analytics and threat intelligence across an organization's hybrid cloud and on-premises infrastructure. Integration with Microsoft 365 Defender allows Azure Sentinel to leverage the threat detection and response capabilities of Microsoft 365 Defender. Microsoft 365 Defender is a comprehensive security solution that provides protection for Microsoft 365 services, including Exchange Online, SharePoint Online, Teams, and more. By integrating with Microsoft 365 Defender, Azure Sentinel gains access to a wide range of security telemetry and threat intelligence from Microsoft 365 services. This integration enhances the XDR capabilities of Azure Sentinel by enabling correlation of security events and alerts from both on-premises and cloud environments, providing a more holistic view of the organization's security posture.

Answer 2

C. Microsoft Defender for Cloud Microsoft Defender for Cloud (formerly known as Azure Security Centre) is a cloud-native security solution that provides threat detection, prevention, and response capabilities for various Azure services, including Azure SQL Managed Instance. It helps protect cloud workloads by providing visibility into security risks and offering recommendations to enhance security posture. When enabled for Azure SQL Managed Instance, Microsoft Defender for Cloud continuously monitors and analyses network traffic, user activities, and other telemetry data to identify potential threats and security vulnerabilities. It uses advanced analytics and machine learning algorithms to detect anomalies, suspicious behaviour, and known attack patterns. By leveraging Microsoft Defender for Cloud, you can gain insights into potential threats targeting your Azure SQL Managed Instance, receive alerts for suspicious activities, and take necessary actions to mitigate risks. It helps in protecting your database environment and enhances your overall security posture.

Answer 3

C. conditional access policies Conditional access policies in Azure AD allow you to define and enforce access controls based on various conditions, such as user roles, device compliance status, network location, and more. With conditional access policies, you can create rules that determine whether a device managed by Microsoft Intune is allowed or denied access to specific corporate resources. By configuring a conditional access policy, you can require that only compliant devices managed by Microsoft Intune are allowed access to corporate resources such as applications, data, or services. If a device is not enrolled in Intune or does not meet the specified compliance requirements, access can be denied, helping to maintain a secure environment.

Answer 4

B. Reports The Reports section in the Microsoft 365 Defender portal provides a comprehensive view of security-related data, trends, and insights across various Microsoft 365 services. It offers a range of reports that allow you to analyze and track the protection status of identities, devices, applications, and data within your organization. Within the Reports section, you can find reports specifically focused on identity-related security information, such as user sign-ins, risky sign-ins, and compromised identities. These reports provide visibility into the activities and security events associated with identities and help you monitor and assess the overall protection status of your organization's identities.

Answer 5

C. 90 days The unified audit log in Microsoft 365 captures a comprehensive set of user and administrator activity across various Microsoft services such as Exchange Online, SharePoint Online, OneDrive for Business, and more. It helps in tracking and investigating security incidents, compliance violations, and user behavior. By default, the audit records in the unified audit log are retained for 90 days. This means you can access and review the activity logs for a period of up to 90 days. However, it's important to note that you can extend the retention period by configuring audit log retention policies in Microsoft 365 Security & Compliance Centre. With appropriate configurations, you can retain the audit records for a longer duration, such as 1 year or more.

Answer 6

C. Azure virtual machines Azure Bastion is a fully managed platform-as-a-service (PaaS) offering by Azure that allows secure and seamless remote access to Azure virtual machines (VMs) over the internet. It provides a secure web-based console within the Azure portal for accessing VMs without the need for exposing them directly to the public internet or managing public IP addresses. By using Azure Bastion, you can establish Remote Desktop Protocol (RDP) connections to Windows-based VMs or Secure Shell (SSH) connections to Linux-based VMs through a secure and encrypted channel. This helps protect against common attack vectors, such as port scanning, brute-force attacks, and other vulnerabilities associated with direct internet access to VMs.

Answer 7

A,C & E. A. to discover and control the use of shadow IT. Cloud App Security helps organizations discover and gain visibility into the cloud services being used within their environment, including unauthorized or unmanaged cloud applications. It enables IT administrators to gain control over the use of these services and implement policies to ensure compliance and security. C. to protect sensitive information hosted anywhere in the cloud. Cloud App Security provides data protection capabilities to safeguard sensitive information hosted in various cloud environments. It offers features such as data loss prevention (DLP), which helps prevent the accidental or intentional exposure of sensitive data, and encryption for data-at-rest and data-in-transit. E. to prevent data leaks to noncompliant apps and limit access to regulated data. Cloud App Security helps organizations prevent data leaks by identifying and restricting access to noncompliant applications. It provides granular controls to enforce policies that limit access to regulated data, ensuring that sensitive information is accessed and used only by authorized users and within compliant applications.

Answer 8

B: the Azure portal. Azure Bastion is a fully managed service by Azure that provides secure and seamless RDP (Remote Desktop Protocol) and SSH (Secure Shell) access to Azure virtual machines over the internet. It eliminates the need for exposing virtual machines to the public internet or managing public IP addresses for each virtual machine. By using Azure Bastion through the Azure portal, you can securely access your virtual machine without exposing it directly to the internet or relying on other remote access methods.

Answer 9

D. Microsoft Defender for Office 365 Attack simulation training in Microsoft Defender for Office 365 Plan 2 or Microsoft 365 E5 lets you run benign cyberattack simulations in your organization. These simulations test your security policies and practices, as well as train your employees to increase their awareness and decrease their susceptibility to attacks.

Answer 10

C. Microsoft Defender for Endpoint Microsoft Defender for Endpoint is a comprehensive endpoint security solution that provides protection, detection, investigation, and response capabilities for endpoints such as Windows, macOS, Linux, and mobile devices. It helps organizations defend against advanced threats, detect suspicious activities, and respond effectively to security incidents. From the Microsoft 365 Defender portal, you can manage and monitor alerts generated by Microsoft Defender for Endpoint. These alerts can include indicators of compromise, security vulnerabilities, suspicious behaviour, or known attack patterns detected on the endpoints within your organization. The portal allows you to view, investigate, and respond to these alerts to mitigate potential security risks.

Answer 11

A: alerts. An incident is created when multiple alerts are correlated and grouped together based on common attributes and contextual information. Alerts within the Microsoft 365 Defender portal represent individual security events or observations that indicate potential threats or suspicious activities. These alerts are generated by various security solutions and services across the Microsoft 365 ecosystem, such as Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Identity. By correlating and grouping related alerts, the Microsoft 365 Defender portal creates an incident to provide a holistic view of a potential security event or breach. Incidents help security analysts to better understand the scope and impact of an incident, investigate related alerts collectively, and coordinate their response to mitigate the threat.

Answer 12

YES TO ALL Microsoft Purview data loss prevention (DLP) is a way to protect sensitive information and prevent its inadvertent disclosure. DLP allows you to set policies to identify, monitor, and protect sensitive items across a multitude of resources including Microsoft 365 services such as Microsoft Teams, SharePoint, and OneDrive; Microsoft Office applications such as Word, Excel, and PowerPoint; Windows 10, Windows 11 and macOS endpoints; non-Microsoft cloud apps and on-premises file shares; and on-premises SharePoint. DLP policies protect content through the enforcement of rules that consist of: 1. Conditions that the content must match before the rule can be enforced. 2. Actions that the admin wants the rule to take automatically when content that matches the conditions has been matched. 3. Locations where the policy will be applied, such as Exchange, SharePoint, OneDrive, and more. DLP capabilities can be implemented in Microsoft Teams messages in private channels. DLP capabilities have been extended to Microsoft Teams chat and channel messages, including messages in private channels. With DLP, administrators can define policies that prevent users from sharing sensitive information in a Teams chat session or channel, whether it is in a message or a file.

Answer 13

Threat Trackers & Attack Simulator Threat Trackers and Attack Simulator require Microsoft Defender for Office 365 Plan 2. Threat Trackers provide the most recent information on cybersecurity issues, and Attack Simulator lets you identify vulnerabilities by running realistic attack scenarios. Office 365 Plan 2 also provides support for Threat Explorer and Automated investigation and response (AIR). Office 365 Plan 2 is included with an Office 365 E5 subscription. Support for Safe Attachments, Anti-phishing protection, and Safe Links is included with Microsoft Defender for Office 365 Plan 1. Office 365 Plan 1 also supports real-time detections and protection for SharePoint, OneDrive, and Microsoft Teams by identifying and blocking malicious files. Office 365 Plan 1 is included with Office 365 E3 subscriptions or it can be purchased separately as an add-on to other Office 365 subscriptions. All features supported by Defender for Office 365 Plan 1 are also supported by Defender for Office 365 Plan 2.

Answer 14

Certifications, Regulations and Standards The Certifications, Regulations and Standards feature in the Microsoft Service Trust Portal provides information about how Microsoft Cloud services align with various compliance frameworks, regulations, and standards, including the General Data Protection Regulation (GDPR). It offers detailed documentation and resources that can help organizations understand how Microsoft's services meet the requirements of GDPR and other relevant regulations. By accessing this feature, your company can retrieve specific information about how Microsoft Cloud services address GDPR requirements and ensure compliance with data protection regulations.

Answer 15

Azure Policy Azure Policy is the Azure solution that can enforce geo-compliance requirements for the Azure resources you deploy. Azure Policy is a service that allows you to create, assign, and enforce policies across your Azure environment. These policies help ensure compliance with specific rules and regulations, including geo-compliance requirements. With Azure Policy, you can define policies that specify the allowed geolocation or data residency requirements for your Azure resources. These policies can be applied at the subscription, resource group, or individual resource level. When a policy is enforced, Azure will automatically evaluate the deployed resources against the defined policy and take action to ensure compliance. By using Azure Policy, you can enforce geo-compliance requirements and have greater control over the geographical location where your Azure resources are deployed, helping you meet your specific data residency and compliance needs.

Answer 16

Hybrid Identity. Hybrid Identity provides a common user identity for authentication and authorization to all resources, irrespective of their location. Hybrid Identity is a concept and set of technologies that allow organizations to integrate on-premises Active Directory environments with cloud-based identity and access management solutions, such as Azure Active Directory (Azure AD). By implementing Hybrid Identity, organizations can establish a unified identity infrastructure that enables users to authenticate and access resources across both on-premises and cloud environments using a single set of credentials. This helps provide a seamless and consistent authentication and authorization experience, regardless of where the resources are located.

Answer 17

Voice call, OATH tokens & SMS Voice call: Users can receive a phone call where they will be prompted to approve or deny the authentication request. OATH tokens: This refers to the use of hardware or software tokens that follow the OATH (Initiative for Open Authentication) standards. These tokens generate one-time passcodes that users can enter to complete the authentication process. SMS: Users can receive a text message containing a verification code that they need to enter to complete the authentication. The following additional forms of verification can be used with Azure AD MFA: Microsoft Authenticator app Windows Hello for Business FIDO2 security key OATH tokens SMS Voice call

Answer 18

To sanction and unsanction apps in your cloud - [Defender for cloud apps] To detect threats in Windows 10 computers - [Defender for endpoint] To identify malicious insider actions directed at your organization - [Defender for Identity] You should use Microsoft Defender for Cloud Apps to sanction or unsanction apps in your organization by using the Cloud apps catalog. Defender for Cloud Apps is a cross-SaaS solution that brings deep visibility, strong data controls, and enhanced threat protection to your cloud apps. You should use Microsoft Defender for Endpoint, formerly Microsoft Defender Advanced Threat Protection, to protect devices including Windows 10 computers on your network. Microsoft Defender for Endpoint prevents, detects, investigates, and responds to advanced threats using technology built into Windows 10 and Azure cloud services. You should use Microsoft Defender for Identity, formerly Azure Advanced Threat Protection (Azure ATP) to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Answer 19

A guest user identity for each external user When using Azure AD business-to-business (B2B) collaboration, you should create a guest user identity for each external user. This allows you to provide access to Azure resources for users from a partner organization while maintaining control over their access and permissions. Guest user identities are created in your own Azure AD tenant and provide a secure and manageable way to grant access to external users without requiring them to have a separate account in their own organization.

Answer 20

Active Directory (AD) To achieve the goal of delegating administrative rights to on-premises network resources using a combination of domains, organizational units, and groups, you should use Active Directory (AD) as the identity provider. Active Directory is a directory service provided by Microsoft for Windows-based networks and allows for centralized management of users, groups, and resources in an on-premises environment. With Active Directory, you can create and manage domains, organizational units (OUs), and groups to define administrative roles and permissions, granting specific access rights to different resources based on your organizational needs. Azure AD, on the other hand, is a cloud-based identity and access management service provided by Microsoft, primarily designed for managing access to cloud-based resources and applications. While Azure AD can integrate with Active Directory, for the specific requirement of delegating administrative rights to on-premises network resources, Active Directory would be the appropriate choice.

Answer 21

1. [Extender detection and response (XDR)] 2. [Security orchestration automated response (SOAR)] 3. [Security incident and event management (SIEM)] Extender detection and response (XDR) is designed to deliver enhanced security detection and response capabilities across an organization's domain. Security orchestration automated response (SOAR) receives input from an organization's security monitoring systems to define and drive specific response activities. Security incident and event management (SIEM) consolidates data from an organization's IT environment, conducts real-time monitoring, establishes correlation between events, and generates security alerts and notifications.

Answer 22

[Conditional Access] Conditional Access is a feature of Azure AD that provides an extra layer of security before allowing authenticated users to access data by analysing signals. Conditional Access is a feature in Azure Active Directory (Azure AD) that allows organizations to apply additional security measures and control access to their resources based on specific conditions. It enables administrators to define policies that evaluate signals such as user location, device health, and risk levels before granting access to sensitive data or applications. By implementing Conditional Access policies, organizations can enforce multi-factor authentication, require device compliance checks, restrict access based on network location, and apply other security controls. This helps ensure that only authorized and trusted users can access valuable resources, reducing the risk of unauthorized access and data breaches. Overall, Conditional Access enhances the security posture of an organization by adding an extra layer of protection and allowing fine-grained control over access to critical assets.

Answer 23

Power Platform Intune Office 365 Dynamics 365 Azure Azure AD is available in four editions: Free, Office 365 Apps, Premium P1 and Premium P2. The Free edition is included with subscriptions to Office 365, Azure, Dynamics 365, Intune, and Power Platform. Microsoft Teams and Microsoft Xbox Game Pass Ultimate subscriptions do not include Azure AD Free edition.

Answer 24

A newly created network security group denies all inbound traffic from the internet. [Yes] A network security group can filter inbound traffic based on its IP address and port number. [Yes] Network security groups can only filter inbound traffic. [No] A newly created network security group (NSG) in Azure, by default, denies all inbound traffic from the internet. This means that no incoming traffic from the internet will be allowed unless specific rules are configured to permit it. A network security group can indeed filter inbound traffic based on its IP address and port number. NSGs allow you to define inbound security rules that specify the source IP addresses, source ports, destination IP addresses, destination ports, and protocols for incoming traffic. These rules determine which traffic is allowed or denied based on these criteria. However, network security groups are not limited to filtering inbound traffic only. They can also be used to control outbound traffic from virtual machines or subnets within Azure. By defining outbound security rules, you can control which traffic is allowed to leave the virtual network based on similar criteria such as source IP addresses, source ports, destination IP addresses, destination ports, and protocols.

Answer 25

Microsoft Defender for Identity protects on-premises Active Directory (AD) users. [Yes] Microsoft Defender for Identity protects cloud-only Azure AD users. [No] Microsoft Defender for Identity can detect on-premises attacks on AD Federation Services (AD FS). [Yes] Microsoft Defender for Identity (formerly Azure ATP) protects on-premises Active Directory (AD) users, so the statement "Microsoft Defender for Identity protects on-premises Active Directory (AD) users" is true (Yes). Microsoft Defender for Identity does not directly protect cloud-only Azure AD users. It focuses on detecting and responding to attacks targeting on-premises AD infrastructure. Therefore, the statement "Microsoft Defender for Identity protects cloud-only Azure AD users" is false (No). Microsoft Defender for Identity can indeed detect attacks on AD Federation Services (AD FS), which is commonly used for single sign-on (SSO) in hybrid environments. It monitors and analyses AD FS traffic to detect suspicious activities and potential attacks. Therefore, the statement "Microsoft Defender for Identity can detect on-premises attacks on AD Federation Services (AD FS)" is true (Yes).

Answer 26

Custom banned password lists in Password Protection are a feature of Azure AD Premium 1 or 2. [Yes] Brand names are excluded from the custom banned password list. [No] Admins can integrate Azure AD Password Protection within an on-premises Active Directory environment. [Yes] Custom banned password lists in Azure AD Password Protection are indeed a feature of Azure AD Premium 1 or 2, so the statement "Custom banned password lists in Password Protection are a feature of Azure AD Premium 1 or 2" is true (Yes). Brand names are not automatically excluded from the custom banned password list. The customization of the banned password list is up to the organization's administrators. Therefore, the statement "Brand names are excluded from the custom banned password list" is false (No). Admins can integrate Azure AD Password Protection within an on-premises Active Directory environment. By installing a component in the on-premises environment, the global banned password list and custom password protection policies can be received and utilized. Hence, the statement "Admins can integrate Azure AD Password Protection within an on-premises Active Directory environment" is true (Yes).

Answer 27

Microsoft cloud security benchmark (MCSB) The MCSB provides comprehensive guidance and recommendations for securing Azure resources and aligning with industry best practices. It covers various aspects of Azure security and can be a valuable resource for organizations looking to enhance their security posture on the Azure platform.

Answer 28

Sensitivity labels can be applied to content in third-party apps and services. [Yes] The Files and emails scope for sensitivity labels is disabled by default. [No] You can apply multiple sensitivity labels to an item. [No] Sensitivity labels can be applied to content in third-party apps and services. By using Microsoft Defender for Cloud Apps, you can label content in third-party apps and services, even if they do not read or support sensitivity labels by design. The Files and emails scope for sensitivity labels is not disabled by default. The Files & emails scope is enabled by default. Two other scope options, Groups & sites and Microsoft Purview assets (preview), are enabled by default only if you configure their settings explicitly on the tenant level. You cannot apply multiple sensitivity labels to an item. An item, such as an Office document, email, or SharePoint site can have only one sensitivity label applied to it.

Answer 29

Sign-in from a malware-linked IP address = [sign-in risk] Atypical travel = [sign-in risk] Sign-in from anonymous IP address = [sign-in risk] Leaked credentials = [user risk] Password spray = [sign-in risk] Identity Protection calculates and categorizes risks as sign-in risk, and user identity risk. Sign-in risk is the probability that the sign-in was not performed by the user. It can be calculated both in real time or calculated offline using Microsoft's threat intelligence sources. Identity Protection in Azure AD is able to identify following types of sign-in risks: Signing in from a malware-linked IP address indicates signing in from a potentially hazardous location and usually indicates a stolen identity Atypical travel is when a user signs in from an atypical location based on the user's recent activity Anonymous IP addresses indicate a sign-in from an anonymous IP address. This could be signing in from a Tor browser or anonymized VPNs A password spray attack is an attack against multiple user identities using common passwords and indicates that multiple user identities have been compromised A user risk represents the probability that a given identity or account is compromised. It is usually calculated offline using Microsoft's threat intelligence sources. Identity Protection in Azure AD is able to identify following types of user identity risks: Leaked credentials is based on an indication that the user credentials have been compromised Other signals used to calculate user risk are unfamiliar sign-in properties of Azure AD threat intelligence. Azure AD threat intelligence identifies known treat patterns based on Microsoft's internal and external threat intelligence sources. Identity Protection provides reports on risky users, risky sign-ins, and risk detections. Events should be investigated to identify any weak points in your security strategy and then take actions to remediate any risks.

Answer 30

Identity In a modern hybrid network environment, the primary security perimeter is focused on securing identities. With the increasing adoption of cloud services and the integration of on-premises and cloud resources, identity becomes a critical factor in establishing secure access and protecting resources. By implementing strong identity and access management practices, organizations can ensure that only authorized users have access to their network and resources, regardless of the location or type of infrastructure being used.

Answer 31

Enable the Defender for Servers plan in Microsoft Defender for Cloud. By enabling the Defender for Servers plan in Microsoft Defender for Cloud, you can extend the protection to servers operating in public clouds other than Azure, such as Amazon Web Services (AWS) EC2 instances. This plan allows you to centrally manage and monitor the security of your hybrid cloud workloads, providing unified security management across different cloud environments. It enables you to apply security policies, monitor security events, and respond to threats effectively.

Answer 32

Azure Bastion can provide Remote Desktop protocol (RDP) connectivity to an Azure virtual machine (VM). [Yes] Azure Bastion requires a public IP on an Azure VM. [No] You connect to Azure Bastion via an SSH connection to your Linux VMs directly through the Azure portal. [Yes] Azure Bastion can provide RDP connectivity to an Azure VM directly in the Azure portal. It can also provide Secure Shell (SSH) connectivity. Azure Bastion does not require a public IP on an Azure VM. Azure Bastion establishes RDP/SSH connection using the private IP of your Azure VMs. Therefore, you do not need to expose the VMs publicly to the internet. You connect to Azure Bastion via an SSH connection to your Linux VMs directly through the Azure portal. When you use Azure Bastion, your VMs do not require a client, agent, or additional software. When connecting to a Linux virtual machine using SSH, you can use both username/password and SSH keys for authentication.

Answer 33

Azure AD Premium P2 Azure AD Premium P2 is the minimum edition required to support multi-factor authentication (MFA), conditional access, and privileged identity management (PIM). MFA adds an extra layer of security, conditional access provides granular control over resource access, and PIM helps manage privileged access. Subscribing to Azure AD Premium P2 enables organizations to enhance security and control in their Azure AD environment.

Answer 34

Regulations that govern the physical locations where data can be stored and how and when it can be transferred, processed, or accessed internationally. Data residency refers to the regulations that govern the physical locations where data can be stored and how and when it can be transferred, processed, or accessed internationally. Trust no one, verify everything describes the Zero Trust model. Zero Trust is a security strategy. Data sovereignty is the concept that data, particularly personal data, is subject to the laws and regulations of the country/region in which it is physically collected, held, or processed. Data privacy refers to the fact that the collection, processing, usage and sharing of personal data should be a transparent process and are fundamental principles of privacy laws and regulations.

Answer 35

Authenticate on-premises accounts in the cloud even when on-premises AD is not available. = [Password hash synchronization] Validate users with AD by redirecting cloud authentication requests to on-premises software agent(s). = [Pass-through authentication] Delegate authentication from Azure AD to on-premises Active Directory Federation Services (ADFS). = [Federated authentication] You should use password hash synchronization to authenticate on-premises accounts in the cloud even when on-premises AD is not available. With password hash synchronization, the password hash is synchronized between AD and Azure AD allowing on-premises users to authenticate directly with Azure AD to access cloud applications even when on-premises AD infrastructure itself is not available. You should use pass-through authentication to validate users with AD by redirecting cloud authentication requests to on-premises software agent(s). With pass-through authentication, end user’s password validation always happens on-premises. This authentication method requires the deployment of additional software agents on the selected on-premises servers. You should use federated authentication to delegate authentication from Azure AD to on-premises Active Directory Federation Services (ADFS). With federated authentication, Azure AD redirects authentication requests to ADFS or similar trusted authentication systems. Federated authentication requires additional efforts and overhead with setup and management of ADFS farm. At the same time, it enables advanced features not supported by Azure AD, like the sign-in with smart cards.

Answer 36

Microsoft Sentinel Microsoft Sentinel provides action-driven automated responses to security threats across your organization. A security orchestration automated response (SOAR) system takes alerts from many sources, such as a security incident and event management (SIEM) system. The SOAR system then triggers action-driven automated workflows and processes to run security tasks that mitigate the issue. Microsoft Sentinel combines both SIEM and SOAR capabilities. Azure Bastion is a service that provides secure connection to Azure Virtual Machines (VMs) without requiring a public IP address. Azure Blueprints enable you to define a standardized set of Azure resources for a workload. Blueprints can then be used to deploy resources to meet your organization's requirements. Azure Policy helps enforce standards and assess compliance of Azure resources across your organization. Azure Policy is not used for responding to security threats.

Answer 37

Billing administrator & Global administrator Azure AD roles allow you to control permissions to manage Azure AD resources. Azure AD supports two types of roles: built-in and custom. Role-based access control (RBAC) refers to the process of managing access using roles in Azure. Azure AD built-in and custom roles are a form of RBAC as Azure AD roles control access to Azure AD resources. Within Azure AD RBAC, built-in roles come with a fixed set of permissions, which include: 1. Global administrator - users with this role have access to all administrative features in Azure AD. 2. User administrator - users with this role can create and manage all aspects of users and groups. 3. Billing administrator - users with this role can make purchases, manage subscriptions and support tickets, and monitor service health, etc. You can see the list of Azure AD roles on the Roles and administrators blade in the Azure portal. Contributor and User Access administrator are examples of Azure roles. There are four fundamental Azure roles, which include: Owner, Contributor, Reader, and User Access administrator. These are not Azure AD RBAC roles. It is important to note the difference between Azure roles and Azure AD RBAC. Azure roles are mainly targeted towards managing access to Azure resources; whereas, Azure AD RBAC is mainly targeted towards managing access to Azure AD resources. It is important to note that Azure roles are also sometimes referred to as Azure RBAC, which is different to Azure AD RBAC, as explained above.

Answer 38

Microsoft Defender for Cloud Microsoft Defender for Cloud provides a secure score by continually assessing your organization's Azure, hybrid, and multi-cloud resources. Microsoft Defender for Cloud is a tool which provides security posture management and threat protection for organizations. It provides threat protection for all organizational resources hosted in Azure, hybrid, and other cloud platforms. The central feature in Microsoft Defender for Cloud that enables you to achieve your organizational security goals is secure score. Microsoft Defender for Cloud includes a range of advanced intelligent protections for your workloads, which come in the form of plans, e.g., Microsoft Defender for servers, Microsoft Defender for App Service, Microsoft Defender for Storage, Microsoft Defender for SQL, Microsoft Defender for Kubernetes, Microsoft Defender for container registries, Microsoft Defender for Key Vault, etc. Microsoft cloud security benchmark (MCSB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure. This benchmark is part of a set of holistic security guidance that also includes Cloud Adoption Framework, Azure Well-Architected Framework, Microsoft Security Best Practices, and Microsoft Cybersecurity Reference Architectures (MCRA). Microsoft Sentinel provides security information event management (SIEM) and security orchestration automated response (SOAR) security insights and security automation that can enhance an organization's threat visibility and response. Microsoft Sentinel is a scalable, cloud native SIEM/SOAR solution that delivers intelligent security analytics and threat intelligence across the enterprise. Cloud security posture management (CSPM) is a set of tools that are focused on improving your organization's cloud security posture and improving its return on investment (ROI). CSPM uses a combination of tools and services, including Zero Trust-based access control, Real-time risk scoring, Threat and vulnerability management (TVM), and Threat modelling systems and architectures.

Answer 39

Authentication is the process through which you prove who you say you are. Authorisation is the process of granting an identity the permission to do something. Authentication is the process through which you prove who you say you are. Traditionally, the primary method for authentication was verification of a username and password. Other authentication methods have come into use, including requiring multiple authentication methods through multi-factor authentication (MFA) and the use of passwordless authentication methods such as the Microsoft Authenticator app and Windows Hello. Authorization is the process of granting an identity the permission to do something. An identity such as a user account is first authenticated to gain access and then authorized to set the level of access to identify which resources are accessible. Features such as Conditional Access and role-based access control (RBAC) let you manage and apply authorization.

Answer 40

User administrator You should add User22 to the User Administrator role. This role grants the permissions required by the scenario. The only additional ability that is granted but not listed in the scenario is the ability to change passwords for other User Administrators. With the exception of Helpdesk Administrator and User Administrator passwords, User Administrators cannot change administrator passwords. The Global Administrator role would grant the user more rights than required by the scenario. Members of this role can access all Azure AD management features, including user management features. Members of this role can also assign RBAC roles to other users and reset passwords for any users, including administrative users. The Password Administrator role are limited to changing passwords for users and Password Administrators. Members cannot change passwords for other administrators. The Security Administrator role are able to read security information and reports. They can also manage configurations in Azure AD and Office 365. The role does not meet the rights requirements in the scenario.

Answer 41

Authentication Authentication is a security process that verifies that you are who you say you are. The most common type of authentication is the use of a username and password combinations. Multi-factor authentication (MFA) may require the use of different authentication methods: something that you know (for example, by asking you for a password), something that you have (for example, by calling or sending a text message to your mobile phone) and something that you are (for example, by checking your biometrics). Authorization is a security process of granting somebody or something access to specific resources. Authorization permission may define the level of access, duration, etc. Security systems typically authenticate users or devices first before authorizing their access to resources. Encryption is a security process that encodes data to protect its confidentiality. Encryption may use the same symmetric key for both encryption and decryption operations or use a pair of a private and public keys to perform encryption/decryption operations asymmetrically. Hashing is a security operation that can use mathematical functions or algorithms to map source data to a fixed-size value. You can use it, for example, to generate a hash for your file. Recipients of that file can then use the same hashing algorithm to compare it with the original hash value as a proof that the file was not tampered with while in transit.

Answer 42

Azure Graph API Azure AD roles control access to Azure AD resources such as users, groups, and applications using Azure Graph API. Azure AD roles control access to Azure AD resources such as users, groups, and applications using the Graph API. When determining access, the user first acquires a token to the Microsoft Graph or Azure AD Graph endpoint. Using the token, the user makes an API call to Azure AD via Microsoft Graph or Azure AD Graph. Azure AD uses this to evaluate the user's role membership or retrieve their applicable role assignments. Azure roles control access to Azure resources such as virtual machines (VMs) or storage using Azure Resource Management and the Representational State Transfer (REST) API. Requests are managed through HTTP request message header fields. The Azure command line interface (Azure CLI) is not used by Azure AD roles to control access. Azure CLI is the Azure environment's command line interface through which you can run management commands.

Answer 43

Preventative mandatory actions have the greatest impact on your Compliance Manager compliance score. Preventative mandatory actions have the greatest impact on your Compliance Manager compliance score. The values assigned to actions in Compliance Manager are: Preventative mandatory - 27 points Preventative discretionary - 9 points Detective mandatory - 3 points Detective discretionary - 1 points Corrective mandatory - 3 points Corrective discretionary - 1 points Mandatory actions are actions that cannot be bypassed. Actions, such as setting a centrally managed password policy or requiring multi-factor authentication (MFA), are examples of mandatory actions. Discretionary actions depend on users understanding and choosing to adhere to a policy. Requiring users to place their computers in Sleep mode any time they leave their desk is an example of a discretionary action. Preventative actions are actions that directly address a specific risk. They can be actions implemented through technical controls, such as data encryption, or through policy, such as implementing separation of duties. Detective actions are actions that actively monitor systems to detect irregular conditions or risky behaviour, such as system access auditing. Corrective actions are designed to minimize the risk from a security incident. You would take a corrective action to minimize the immediate effect of an incident and attempt to reverse any damage or adverse conditions.

Answer 44

Insider risk management provides a triage capability. [Yes] With insider risk management, you can enable forensic evidence capturing for offline devices. [Yes] Insider risk management automatically generates cases for the medium and high severity alerts. [No] Insider risk management provides a triage capability. When new alerts with a Need review status are generated, reviewers are able to review them to dismiss, resolve by opening a new case or assign to one of the existing cases. With insider risk management, you can enable forensic evidence capturing for offline devices. As a prerequisite, target devices should be onboarded into the Microsoft Purview compliance portal and they must also have the Microsoft Purview client application installed. The organization can then enable forensic evidence capturing for both online and offline devices. Insider risk management does not automatically generate cases for the medium and high severity alerts. Reviewers create cases manually when they decide that the raised alerts require further action; for example, assignment for a deeper investigation. Each case is focused on a single user, although a case may have several alerts assigned.

Answer 45

Content Explorer provides a current snapshot of the items that have a sensitivity label, that have a retention label, or that have been classified as a sensitive information type. Content explorer provides a current snapshot of the items that have a sensitivity label, that have a retention label, or that have been classified as a sensitive information type. The content explorer is available as a tab in the Microsoft Purview compliance portal. You can use it for content that was tagged in your organization with a specific sensitivity or retention label, or that is considered to be sensitive because it contains credit card or bank account numbers. Activity explorer helps you to monitor and understand what is being done with your labelled sensitive content. Activity explorer can gather information from various audit logs to monitor sensitivity label activities, retention label activities, Azure Information Protection (AIP) scanner, AIP clients and data loss prevention (DLP) policy matches events. Azure Data Explorer is a managed data analytics service that can collect, store and process large volumes of data in near real time. You can use Azure Data Explorer to get insights, identify patterns and forecast trends on data streamed from applications, web sites, IoT (Internet of Things) devices and other sources.

Answer 46

Conditional Access policies can be applied to external users. [Yes] Conditional Access policies can be applied to user groups. [Yes] Conditional Access policies are enforced before first-factor authentication is completed. [No] Conditional Access policies can be applied to external users. In the Conditional Access policy settings, you can choose the All guests and external users option, which will enforce it to any B2B guest account or user with the value guest in their user type attribute. Conditional Access policies can be applied to user groups. In the Conditional Access policy settings, you can choose the Users and groups option and assign the policy to the relevant Azure AD dynamic, distribution, or security groups. Conditional Access policies are not enforced before first-factor authentication is completed. Conditional Access policies can help you to enforce multi-factor authentication (MFA); for example, when users try to access specific applications or sign in from certain locations. However, Conditional Access policies are enforced after first-factor authentication is completed, when the user identity is verified.

Answer 47

A security information and event management (SIEM) system is used to collect data from multiple sources and perform analysis to look for correlations or anomalies and to generate alerts and incidents. SIEM security solutions are designed to proactively recognize potential security threats and vulnerabilities. A security orchestration automated response (SOAR) system receives alerts from various sources, including SIEM systems and it uses the alerts to trigger automated processes and workflows to run security tasks designed to mitigate the security issue resulting in the alert. Microsoft Sentinel is Microsoft's cloud-native SIEM/SOAR security solution. An extended detection and response (XDR) system is designed to deliver integrated automated security across an organization's domain. XDR security systems help prevent, detect, and respond to threats. Microsoft Defender for Cloud and Microsoft 365 Defender both support XDR capabilities.

Answer 48

Entitlement management is a feature of identity governance. [Yes] Entitlement management is a part of Azure AD Premium 1 and Premium 2 editions. [No] Azure AD access reviews can be used to review and manage access for both users and guests. [Yes] Azure AD Entitlement management is an identity governance feature that enables organizations to manage the identity and access lifecycle to a set of resources. This set of resources could be group memberships, SharePoint online sites, or organizational and technical roles for users, both within and outside of your organization. With this specific feature, you can choose to automate approval workflows, access requests, and also manage the entire lifecycle for a specific user. Entitlement management is a feature of Azure AD Premium P2 only. Azure AD access reviews enable organizations to efficiently manage group memberships and access enterprise applications and role assignment. Access reviews can be used to review and manage access for both internal and guest user accounts.

Answer 49

Active Directory (AD) is a set of directory services that connect users with the on-premises network resources. [Yes] AD provides a special class of identity to manage external identities. [No] AD supports Software-as-a-Service (SaaS) apps natively. [No] Active Directory (AD) is a set of directory services that connect users with the on-premises network resources. AD consists of different directory services such as Active Directory Domain Services (AD DS), Active Directory Lightweight Directory Services (AD LDS), Active Directory Certificate Services (AD CS) and others. It was designed for on-premises domain-based networks and it contains information about users and devices, their credentials and defined access to the relevant network resources. AD does not provide a special class of identity to manage external identities. AD administrators create external users in AD as regular users, typically in a dedicated AD forest. To simplify the management of external identities, a special class of identity was enabled in Azure AD. AD does not support Software-as-a-Service (SaaS) apps natively. The integration of SaaS apps with AD requires the use of additional federation systems such as Active Directory Federation Services (ADFS). Azure AD, in contrast, provides better integration with SaaS apps supporting OAuth2, SAML and WS-Security authentication.

Answer 50

Mobile and PC devices Information and data Accounts and identities Under the shared responsibility model, the customer organization is always responsible for: *Accounts and identities *Information and data *Mobile and PC devices. The shared responsibility model defines responsibilities based on where the workload is hosted and includes: *Software as a Service (SaaS) *Platform as a Service (PaaS) *Infrastructure as a Service (IaaS) *On-premises. With SaaS, the service is hosted and managed by the cloud provider. The customer takes sole responsibility for accounts and identities, information and data, and mobile and PC devices. The customer and cloud provider share responsibility for identity and directory infrastructure. PaaS is designed to provide the customer organization with an environment for building, testing, and deploying software applications. Customer responsibilities include all those for SaaS plus shared responsibility for applications and network controls. In IaaS, the cloud provider maintains and manages the physical infrastructure, with all other responsibilities falling on the customer organization. In addition to the customer responsibilities under SaaS, the customer also takes full responsibility for identity and directory infrastructure, applications, network controls, and operating system. Cloud provider responsibilities include physical hosts, physical datacentres, and the physical network. Under the on-premises model, the customer is responsible for all hosting, management, and maintenance activities.

Answer 51

Specify what data you are allowed to access. [Authorisation] Prove that you are who you say you are. [Authentication] Track who does what, where and how. [Auditing] You should use authorization to specify what data an identity can access. Authorization determines the level of access to data and the functionality an authenticated identity has within the application or service. Authorization is sometimes shortened to AuthZ. You should use authentication for an identity to prove that they are who they say they are. Authentication is the process of proving that you are who you say you are by providing information to validate you and match you to a user account in the system. Authentication is sometimes shortened to AuthN. You should use auditing to track who does what, when, where, and how. Auditing captures access about users who perform actions and when they perform those actions. Auditing includes in-depth reporting, alerts, and governance of identities. You should not use federation. Federation enables the access of services across organizational boundaries by establishing trust relationships between the identify providers of the two organizations. Federation uses the authentication of the trusted party to access the resources of the other party.

Answer 52

Retention labels You should use retention labels to configure the retention period and delete status for items in a container such as an Exchange Online mailbox. Retention labels are applied to individual items and you should use them when you need to specify different retention periods for items in the same container. There are restrictions when using retention labels with Exchange Online. The mailbox must contain at least 10 MB of data before you can publish a label to the mailbox. It can take up to seven days before labels appear as available to use after they have been published. You should not use a retention policy. A retention policy is used to apply the same retention settings at the site or mailbox level. Items in the site or mailbox inherit the retention settings and the same settings are applied to all items. This does not meet the requirements. You should not use sensitivity labels or a sensitivity policy. Sensitivity labels are not used to set retention settings. You can use sensitivity labels to: Encrypt email only or email and documents Mark content with headers, footers, and (for documents only) watermarks Apply a label automatically or prompt users to apply a recommended label Mark the content by controlling access to the container Extend sensitivity labels to third-party apps and services Classify content without adding protection settings Sensitivity label policies are used to publish labels to make them available to users and group. You can also use label policy to automatically apply a default label or require users to apply a label.

Answer 53

A. Défense in depth This security model is a classic example of defense in depth. Defense in depth is based on a layered security model that discourages attacks and slows the advance of an attack. Security is modeled around overlapping security perimeters, each providing a specific implementation of security and controls. Each layer is designed to provide additional protections if the layer above is breached. This is not an example of role-based access control (RBAC), though RBAC would likely be used to meet some of the configuration requirements. RBAC is designed to help you manage who has access to resources and what level of access they are allowed. This is not an example of shared responsibility. Shared responsibility is a model describing the customer organization and cloud provider responsibilities based on where a workload is hosted. It defines responsibilities for: *Software as a Service (SaaS) *Platform as a Service (PaaS) *Infrastructure as a Service (IaaS) *On-premises. This is not an example of the principle of least privilege (POLP). The principle of least privilege defines granting only the level of access necessary to complete a task or for a user to do their job. You would probably want to follow the principle of least privilege when implementing your defence in depth changes.

Answer 54

Transparent Data Encryption You should use Transparent data encryption (TDE). TDE helps to protect Azure SQL Database and Azure Data Warehouse against the threat of malicious activity. TDE allows real-time encryption and decryption of the database, associated backups, and transaction log files at rest. TDE does not require any development changes to the application. TDE performs real-time I/O encryption and decryption of the data at the page level, where each page is decrypted when it is read into memory and then encrypted before being written to disk. Azure Storage Service Encryption helps to protect data at rest by automatically encrypting before persisting it to Azure-managed disks, Azure Blob Storage, Azure Files, or Azure Queue Storage, and it decrypts the data before retrieval. It does not cater to encryption of Azure SQL Database. Azure Disk Encryption helps you encrypt Windows and Linux IaaS virtual machine disks. It does not cater to encryption of Azure SQL Database. Azure Key Vault is not an Azure Encryption / Decryption strategy. Rather, Azure Key Vault is a centralized cloud service for storing your application secrets. But Azure Key Vault is useful for storing tokens, passwords, certificates, Application Programming Interface (API) keys, and other secrets.

Answer 55

Microsoft Purview compliance portal provides recommendations to reduce risks around data protection and regulatory standards. Microsoft Purview compliance portal provides recommendations to reduce risks around data protection and regulatory standards. This portal allows you to assess your organization's compliance posture using a risk-based score, get recommendations, and measure progress in achieving data protection and regulatory compliance. It also provides various solutions and tools (policies, alerts, reports) to meet your potential compliance needs. Microsoft 365 admin center does not provide recommendations to reduce risks around data protection and regulatory standards. It is a portal that allows you to manage your Microsoft 365 subscriptions. You can use it to set up and manage users and groups, keep track of the health and upcoming changes to Microsoft 365 services, set up billing, and raise support service requests. Microsoft Defender for Endpoint does not provide recommendations to reduce risks around data protection and regulatory standards. It is a portal that provides you with access to the Microsoft Defender for Endpoint functionality. You can use it to review alerts generated for your corporate devices and users, assess your organization’s security posture, and get recommendations on how to address software vulnerabilities and protect exposed devices.

Answer 56

Configure information barriers. You should configure information barriers. Microsoft Purview information barriers can help to restrict communication and collaboration among specific groups of users in order to safeguard customer information and avoid conflicts of interests. Information barrier policies can be applied to Microsoft Teams, SharePoint Online and OneDrive for Business communications. You should not deploy WAF. WAF can be deployed with Azure Front Door, Azure Application Gateway and Azure Content Delivery Network (CDN) services to protect your web applications from common exploits and vulnerabilities. You should not enforce organizational standards via Azure Policy. Azure policies can enforce defined rules for your Azure resources; for example, to use only specific tiers of selected resources and only in allowed geographical regions, or to ensure that organizational Azure resources have consistently applied taxonomic tags. You should not integrate Microsoft Teams with Microsoft Sentinel. Integration with Microsoft Sentinel enables threat hunting in Teams logs or real-time monitoring and detection of suspicious behavior. However, Microsoft Sentinel cannot restrict communication between certain groups of Teams users to meet regulatory requirements.

Answer 57

Encryption enables authorized users to access data and makes data unusable to unauthorized users. Encryption enables authorized users to access data and makes data unusable to unauthorized users. To use or read encrypted data, it must be decrypted, which requires the use of a secret key. Data can be encrypted both at rest and in transit. Hashing converts text to a unique value. Hashing means that the data cannot be decrypted and read. Hashing is commonly used to store and compare passwords. Hashing does not allow an authorized user to read data. Signing creates a digital signature to verify that a message has not been tampered with and the content altered. Signing does not allow an authorized user to read the message. Zero Trust assumes everything is on an open and untrusted network and that unauthorized users will not have access to data. The Zero Trust model operates on the principle of "trust no one, verify everything". Zero Trust alone does not allow an authorized user to read data.

Answer 58

With B2B direct connect, external users can log in with their social media accounts. [No] The B2C sign-in page can be customized with the company branding. [Yes] B2B collaboration users are typically created as guest users. [Yes] (B2B - Business to business) (B2C - Business to customer) With B2B direct connect, external users cannot log in with their social media accounts. B2B direct connect requires the setup of a mutual trust relationship between two organizations’ Azure AD tenants. External users then log in and collaborate using their Azure AD work or school accounts. The B2C sign-in page can be customized with the company branding. Azure AD B2C supports the branding and customization of the user interface, which allows you to change the banner logo, the background image and background color on Sign In and Sign Up pages. B2B collaboration users are typically created as guest users. After accepting host organization’s invitation, B2B collaboration users are typically represented in Azure AD as guest users. They can then be added to the same groups as internal users to access Microsoft or organization’s custom applications.

Answer 59

Your improvement actions Microsoft actions Microsoft actions and your improvement actions are the action types that can be tracked by the Microsoft Purview Compliance Manager. Microsoft actions are managed by Microsoft as a cloud service provider, while your improvement actions are managed by your organization. Completion of those actions is counted and reflected in your organization’s overall compliance score. Microsoft Purview Compliance Manager cannot track ApiConnection or Execute JavaScript Code action types. These action types are specific to Azure Logic Apps. The ExecuteJavaScript Code action can be used to run JavaScript code snippets, and the ApiConnection action can call different Microsoft-managed connectors and APIs.

Answer 60

Microsoft Defender can be used to protect on-premises solutions. [Yes] Microsoft Defender can be used to protect solutions in Amazon Web Services (AWS) and Google Cloud Platform (GCP) clouds. [Yes] You need a Qualys license to enable vulnerability scanning in Microsoft Defender. [No] Microsoft Defender can be used to protect on-premises solutions. Microsoft Defender can also be used to protect solutions in Amazon Web Services (AWS) and Google Cloud Platform (GCP) clouds. To extend the capabilities of Microsoft Defender to the hybrid environment, you need to deploy Azure Arc first. Azure Arc enabled servers become Azure resources and they can therefore be monitored and protected by the Microsoft Defender service. You do not need a Qualys license to enable vulnerability scanning in Microsoft Defender. Microsoft Defender for Servers includes a free vulnerability assessment solution powered by Qualys and you do not need to buy any additional licenses or set up a Qualys account to use it.

Answer 61

Privileged Identity Management (PIM) You should use Privileged Identity Management (PIM). Azure AD PIM can be used to provide JIT access to your resources. Identity Protection is used for securing identities in Azure AD. It does not provide access to resources. MFA is used to add an extra level of authentication during the entire authentication process in Azure AD. It does not provide access to resources. Azure AD access reviews check that the right users have the right access to resources.

Answer 62

Azure Virtual Network (VNet) is the fundamental building block for your organization's private network in Azure which enables organizations to segment their networks. Azure Virtual Network (VNet) is the fundamental building block for your organization's private network in Azure. VNet is similar to a traditional network that you would operate in your own data center but it brings with it additional benefits of Azure's infrastructure. Azure VNet is important since it allows organizations to leverage network segmentation in Azure. Network segmentation supports the Zero Trust model and implements a layered approach to security that is part of a defense-in-depth strategy. VNet allows further layers of network segmentation by permitting users to create multiple VNets per region per Azure subscription, and smaller layers called subnets could be created within each VNet. Azure Network Security groups (NSGs) let you filter network traffic to and from Azure resources in an Azure virtual network (VNet). An NSG consists of rules that define how the traffic should be filtered. You can associate only one NSG to each VNet subnet and network interface in a virtual machine (VM). The same network security group, however, can be associated to as many different subnets and network interfaces as you choose. Azure Bastion is a service that allows you to connect to a virtual machine (VM) using your browser and the Azure portal. The Azure Bastion service is a platform as a service (PaaS) that you provision inside your VNet. Azure Bastion provides secure and seamless RDP and SSH connectivity to your virtual machines directly from the Azure portal using Transport Layer Security (TLS).

Answer 63

Limiting user access with just in time (JIT) access Limiting user access with just-in-time (JIT) access represents a guiding principle of Zero Trust. Using least privileged access is one of the guiding principles of Zero Trust. Limiting user access with just-in-time (JIT) and just-enough-access (JEA) is part of implementing a Zero Trust policy. Using hashes to store passwords does not represent a guiding principle of Zero Trust. Hash is a unique fixed-lengths value generated from a source data, for example password, by the relevant hashing algorithm. Algorithm always generates the same hash for the same input text. This mechanism allows password verification without storing them in plain text. Being transparent about data collection does not represent a guiding principle of Zero Trust. Transparency is one of Microsoft's privacy principles and it is not part of the Zero Trust model. Using the shared responsibility model does not represent a guiding principle of Zero Trust. The shared responsibility model deals with which security tasks are handled by the cloud provider and which tasks are handled by you. It is not part of the Zero Trust model.

Answer 64

We will be transparent about data collection and use so you can make informed decisions. [Transparency] We protect your data with strong security and encryption. [Security] We will not use your email, chat, files, or other personal content to target ads at you. [No content-based targeting] According to the Transparency privacy principle, Microsoft will be transparent about data collection and use so that the customer can make informed decisions. Microsoft will clearly indicate what data will be collected and at what stage, so that customers have visibility and understanding of the process. Customers can also explicitly deny or allow data collection operations. According to the Security privacy principle, Microsoft protects its customers' data with strong security and encryption. Many Microsoft cloud resources, for example storage and databases, already have encryption enabled by default. Customers may use strong encryption keys generated by Microsoft or provide their own. According to the No content-based targeting privacy principle, Microsoft will not use customer email, chat, files, or other personal content to target ads at customers. The privacy of customers' personal data will be respected and the content itself will not be mined or monetized to push targeted ads.

Answer 65

Protocol attacks Volumetric attacks The Azure DDoS Protection service can help to defend your resources in Azure virtual networks (VNets) against DDoS attacks. It can mitigate three types of attacks: protocol attacks, volumetric attacks and resource (application) layer attacks. A Protocol attacks is when hackers attempt to disrupt services by exploiting weaknesses in the layer 3 (network) and layer 4 (transport) protocols. Azure DDoS Protection mitigates this attack by analysing and differentiating traffic in order to let legitimate traffic through and block malicious traffic. A Volumetric attack is the most common type of DDoS attack and this is when a target solution is overwhelmed by seemingly legitimate traffic; for example, with a high volume of DNS response traffic from compromised DNS servers. Azure DDoS mitigates volumetric attacks using auto-scalability to absorb and scrub multi-gigabyte traffic. The Azure DDoS Protection service cannot defend against XSS, phishing or SQL injection attacks. With XSS, hackers inject malicious scripts into legitimate web sites. Compromised web sites are then manipulated to send those scripts to visiting web site users. With phishing, hackers send fraudulent texts or emails to trick a victim into revealing their personal information, passwords or financial details relating to credit cards or bank accounts. To spot a phishing attack, it is recommended to check the sender details, look for vague or misspelled wording, and avoid opening any links and disclosing personal details. During a SQL injection attack, hackers insert malicious SQL commands into an input field of a target solution. To prevent SQL injection attacks, user-provided input should be pre-processed and validated, without direct processing by an internal SQL engine.

Answer 66

Activity explorer You should use activity explorer to see a historical view of what is being done with content labels. Activity explorer provides detailed information about sensitivity label activities, retention label activities, Azure Information Protection (AIP) protection activity, and data loss prevention (DLP) policy matches events, including endpoint data loss prevention. There is a limitation for Exchange Online: sensitivity label activity is included, but retention label activity is not. You should not use content explorer. Content explorer provides a snapshot view of items that have a sensitivity label, retention label, or those that are classified as sensitive information. Content explorer also lets you read the contents of scanned files. You should not use the compliance score. The compliance score is provided as a tool to help measure your progress as you complete improvement actions within controls. Compliance score does not provide detailed information about label usage. You should not use Azure secure score. Azure secure score helps you identify your security profile and track your progress in securing your environment. The total secure score is based on the current score for all controls divided by the total maximum score for all controls, expressed as a percentage.

Answer 67

Microsoft Defender for Endpoint is a unified endpoint for preventative protection, post breach detection, automated investigation, and response. Microsoft Defender for Office 365 is designed to protect against malicious threats posed by e-mail messages, URLs, and collaboration tools, including Microsoft Teams, SharePoint Online, OneDrive for Business, and other Office clients. Microsoft Defender for Cloud Apps is a cloud access security broker (CASB). This is a comprehensive cross-software as a service (SaaS) solution that operates as an intermediary between a cloud user and the cloud provider.

Answer 68

Privileged Identity Management can be configured to require approval to activate just-in-time, time-bound access to Azure AD, Azure, and Microsoft online resources. Privileged Identity Management (PIM) can be configured to require approval to activate just-in-time, time-bound access to Azure AD, Azure, and other Microsoft online resources. It gives you a way to monitor, manage, and control access to resources. You can configure access to resources by assigning Azure AD roles. User must request approval for roles that require activation. You can set start and end times for access. Conditional Access does not meet these requirements. Conditional Access is a feature of Azure AD that applies an extra layer of security before allowing authenticated users to access Azure AD assets such as data and applications. Conditional Access analyses signals such as user, device, and location to make policy decisions. Identity Protection does not meet these requirements. Identity Protection is designed to automate the detection and remediation of identity-based risks. It can also export risk detection data to third-party tools for additional analysis. Identity Protection can identify sign-in risk, the risk that the sign-in was not performed by the user, user risk, and the risk that a user's identity has been compromised.

Answer 69

B2B collaboration You should use B2B collaboration. Business-to-Business (B2B) collaboration allows you to share your apps and resources with external users. B2B collaboration allows external users to access your resources using their own credentials. You should not use B2C access management. Business-to-Customer (B2C) is an identity management solution for consumer and customer-facing apps. B2C allows external users to sign in with their preferred social, enterprise, or local account identities to get single sign-on to your applications. Conditional Access uses signals from the user and their device to control access to your organization's resources. Conditional Access is for all identities, not just external identities. Hybrid identities are identities managed on-premises in Active Directory that are synchronized to the cloud with Azure AD. Hybrid identities allow access to on-premises and cloud resources. Hybrid identities are not used for external identities. B2B collaboration can be added to a hybrid environment.

Answer 70

Microsoft Defender for Cloud You should use Microsoft Defender for Cloud. A network map is provided with Microsoft Defender for Cloud as a way to continuously monitor your network security status, including network topology, node connections, and node configuration. You should not use Microsoft cloud security benchmark (MCSB). MCSB provides recommendations for best practices and recommendations to help improve the security of data, services, and workloads. It provides security baselines based on best practices developed by Microsoft's cybersecurity group and the Center for Internet Security (CIS). MCSB provides recommendations and instructions but it does not include the tools to apply the controls. You should not use Azure Monitor. Azure Monitor is designed to collect, analyze, and act on telemetry from your cloud and on-premises environments. The information collected is used to help you determine how well your applications are performing and proactively identify potential issues.

Answer 71

Information Barriers can restrict communication and collaboration among specific groups of users to avoid a conflict of interest. You can define and apply information barrier policies to prevent unauthorized communication and collaboration between certain user groups via Microsoft Teams, SharePoint Online, and OneDrive for Business. Insider risk management cannot restrict communication and collaboration among specific groups of users to avoid a conflict of interest. It can be used to minimize internal risks through the detection, investigation, and mitigation of intentional and unintentional breaches of your organization’s insider policies. It can help you to minimize or avoid risks of sensitive data leaks, intellectual property theft, insider trading, and fraud. Privileged access management cannot restrict communication and collaboration among specific groups of users to avoid a conflict of interest. It enables granular access control over privileged administrative tasks in Office 365. It helps you to replace constant admin access privileges with just-in-time elevated access permissions.

Answer 72

There are two basic-level types of encryption: symmetric and asymmetric. [Yes] Symmetric encryption uses two different keys to encrypt and decrypt the data. [No] Asymmetric encryption uses a public key and private key pair. [Yes] There are two basic types of techniques for encrypting information: symmetric and asymmetric encryption. Symmetric encryption is also referred to as secret key encryption. Asymmetric encryption is also referred to as public key encryption. Symmetric encryption uses the same key to encrypt and decrypt data. As long as both the sender and recipient know the secret key, they can encrypt and decrypt all messages that use this key for symmetric encryption. Asymmetric encryption uses a public key and private key pair. Either key can encrypt data, but a single key cannot be used to decrypt encrypted data. To decrypt data, you need a paired key.

Answer 73

Conditional Access policies configured to apply to all users will apply to Azure AD B2B collaboration guest users. [Yes] Conditional Access lets you apply time-sensitive access permissions that can be configured to automatically expire. [No] Evaluating sign-in risk and user risk as part of a Conditional Access policy requires access to Azure Identity Protection. [Yes] You can configure Conditional Access policies to apply to no users, to all users, or to a select subset of users, such as a user or group list, or you can limit them to guests and external users only. Conditional Access policies that are configured to apply to all users will automatically apply to Azure AD B2B collaboration guest users. Conditional Access does not let you apply time-sensitive access permissions that can be configured to automatically expire. This is a feature of Azure Privileged Identity Management (PIM). Conditional Access is a feature of Azure AD and it applies an extra layer of security before allowing authenticated users access to Azure AD assets such as data and applications. Conditional Access analyzes signals such as the user, device, and location to make policy decisions. Sign-in risk and user risk are supported as signals for evaluating a Conditional Access policy. However, evaluating sign-in risk and user risk requires access to Azure Identity Protection. Identity Protection is designed to automate the detection and remediation of identity-based risks.

Answer 74

System-assigned managed identity A system-assigned managed identity meets these requirements. A system-assigned managed identity acts as the service principal for the linked resource. When you enable a system-assigned managed identity, it is linked to a single resource and tied to the resource lifecycle. Azure automatically deletes the managed identity when the resource identity is deleted. A user-assigned managed identity does not meet these requirements. A user-assigned managed identity is a managed identity that you can create and then assign to one or more resources. You create the managed identity as a stand-alone Azure resource. As the managed identity is a stand-alone resource, it is not linked to any other resource lifecycle and is not automatically deleted. A guest user does not meet these requirements. A guest user gives you a way to enable anyone to collaborate with your organization. After creating the guest user, you can send an invitation with a redemption link or send a direct link to an app that the user should have access to. A device identity does not meet these requirements. A device identity is used to identify hardware devices such as mobile devices, laptops, servers, or printer. It lets you use tools like Microsoft Intune to secure and manage the devices.

Answer 75

Azure Firewall Azure Firewall can utilize the MTI feed to alert and deny traffic from known malicious IP addresses. It is a managed service that protects resources that are deployed in your Azure Virtual Network (VNet). Integration with MTI enables filtering to alert and deny traffic that originates from or is addressed to known malicious IP addresses and web domains. Azure Bastion cannot utilize the MTI feed to alert and deny traffic from known malicious IP addresses. It is a service that provides secure Remote Desktop Control (RDP) or Secure Shell (SSH) access to your Azure virtual machines (VM). It enables these types of access in a browser via the Azure portal, eliminating the need to expose your VMs to the internet via public IPs. Azure NSG cannot utilize the MTI feed to alert and deny traffic from known malicious IP addresses. It can be used to filter traffic to or from Azure resources in your VNet, but it does not support integration with MTI. Therefore, it does not provide intelligence-based filtering of network traffic from known malicious IP addresses. eDiscovery cannot utilize the MTI feed to alert and deny traffic from known malicious IP addresses. It is the process of identifying, holding and exporting electronic content to support your organization’s internal or external investigations. It is one of the features of Microsoft 365 and it is intended for content search in Exchange Online mailboxes, SharePoint sites, Microsoft Teams, and other Microsoft productivity solutions. eDiscovery does not support integration with MTI for the analysis and denial of network traffic.

Answer 76

Encryption Encryption is the secure encoding of data used to protect the confidentiality of data. You may encrypt the data with symmetric keys and asymmetric keys. In the case of symmetric keys, you use the same key for both encoding and decoding operations; while with asymmetric keys there is a pair of the private and public keys, where one key is used for encoding and another for decoding processes. Logging is not the secure encoding of data used to protect the confidentiality of data. You use logging to generate, collect, and analyze logs to get insights into the health of your services and solutions, troubleshoot potential issues, and automate responses to specific events in order to improve the security and support of your applications. Hashing is a security operation that can use mathematical functions or algorithms to map source data to fixed size value. You can use it, for example, to generate a hash for your file. Recipients of that file can then use the same hashing algorithm to compare it with the original hash value as proof that the file was not tampered with while in transit.

Answer 77

Microsoft Defender for cloud provides unified security management and advanced threat protection across hybrid and on-premises workloads. Microsoft Defender for Cloud provides unified security management and advanced threat protection across hybrid cloud and on-premises workloads. It provides you with the necessary tools that you can leverage to harden your resources, assess and track your resource security posture and streamline existing security management. Three key security requirements are met with Microsoft Defender for Cloud: firstly, Continuous Assessment, wherein you receive a secure score informing you of the current security situation; secondly, Secure, wherein you harden all connected resources and services; thirdly, Defend, wherein you detect and resolve threats pro-actively for your resources. Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. Data Loss Prevention (DLP) protects sensitive data and minimizes the risk of inappropriate sharing with others. DLP is just one of the Microsoft Purview tools that you could use to help protect your sensitive items wherever they live or travel. You implement DLP through the definition and application of DLP policies. DLP policies allow you to identify, monitor, and protect sensitive data across your cloud and on-premises solutions. eDiscovery s the process of identifying, holding, and exporting electronic content to support your organization’s internal or external investigations. It is part of the Microsoft Purview offering and intended for content search in Exchange Online, OneDrive for Business, SharePoint Online, Microsoft Teams, Microsoft 365 Groups, and Yammer teams. eDiscovery is not intended to provide unified security management and advanced threat protection.

Answer 78

Conditional Access analyses signals to make decisions and enforce organizational policies. Conditional Access analyses signals to make decisions and enforce organizational policies. A list of the common signals include user or group membership, IP location information, device, application, real-time and calculated risk detection, and Microsoft Defender for Cloud Apps. As an example, a conditional access policy can analyse IP addresses to identify named location and enforce multi-factor authentication before granting access to a requested app. Azure Bastion does not analyse signals to make decisions and enforce organizational policies. Azure Bastion enables SSH or RDP connectivity to Azure virtual machines (VMs) via browser and Azure portal. Azure Bastion protects Azure VMs from direct exposure to the internet, as VMs do not need a public IP address. Retention Policy does not analyse signals to make decisions and enforce organizational policies. You use retention policies to apply retention configuration to your Microsoft 365 content. Retention labels assign retention settings at an item level, for example, a specific document or email; however, a retention policy would help to apply those settings on a more aggregated level, for example, to all documents in a SharePoint site or all emails in an Exchange mailbox.

Answer 79

Information barriers You should use information barriers. Information barriers are used to establish two-way restrictions to prevent individuals or groups from communicating. Information barriers support Microsoft Teams, OneDrive for Business, SharePoint Online, as well as other Microsoft products. Information barriers for Microsoft Teams let you restrict several types of activity related to meetings, chats, screen sharing, and file sharing. You should not use privileged access management (PAM). PAM is used to manage access control over privileged administrative tasks in Microsoft 365. It lets you configure requirements for users to request the just-in-time (JIT) access needed to complete privileged tasks. You should not use privileged identity management (PIM). PIM is also used to manage JIT access but it controls protections at the role level and it gives the user the ability to perform multiple tasks. PIM is typically used in combination with PAM to provide a more complete security profile. You should not use data loss prevention (DLP). You can use DLP policies to prevent inadvertent sharing or disclosure of sensitive information. DLP policies give you a way to identify, monitor, and protect data in OneDrive for Business, SharePoint Online, Microsoft Teams, and Exchange Online.

Answer 80

You can apply zero, one, or two sensitivity labels to an item. [No] You can specify that a default label is to be applied to all items in a container through a label policy. [Yes] You can include multiple sensitivity labels in the same label policy. [Yes] Sensitivity labels are part of the Microsoft Information Protection (MIP) solution and let you classify and protect your data. You can use sensitivity labels to: *Encrypt email only or email and documents *Mark content with headers, footers, and (for documents *only) watermarks *Apply a label automatically or prompt users to apply a recommended label *Mark the content by controlling access to the container *Extend sensitivity labels to third-party apps and services *Classify content without adding protection settings You cannot apply multiple sensitivity labels to an item. Items, such as emails, documents or containers, can only have one sensitivity label applied. You can specify that a default label is to be applied to all items in a container through a label policy. The default label is applied to new items and existing unlabeled items. The default label will not be used to replace the label on a item that is already labeled. You can include multiple sensitivity labels in the same label policy. The order in which the labels are included determines their priority. The label with the lowest priority is at the top of the list, and the label with the highest priority is at the bottom.

Answer 81

Managing users' identity lifecycle is at the heart of Identity Governance in Azure AD. Managing user's identity lifecycle is at the heart of identity governance in Azure AD. Azure AD identity governance provides organizations with the ability to perform the following three tasks: 1. Govern the identity lifecycle: the core in managing the lifecycle of an identity is about updating the access that users need, whether through interaction with a system, or through the user provisioning applications. 2. Govern the access lifecycle: this core lies in managing access throughout the users' organizational life. 3. Secure privileged access for admin: this fundamentally focuses on providing extra controls tailored to securing access rights. Azure AD Privileged Identity Management (PIM) provides this.

Answer 82

On-premises datacentre Infrastructure as a Service (IaaS) The shared responsibility model is a framework that defines responsibilities for the security tasks that are handled between the cloud provider and the customer. Those tasks include information and data, account and identity, operating system, physical datacenter and other areas of responsibilities. As per the shared responsibility model, Infrastructure as a Service (IaaS) and On-premises datacentre deployments require the customer to retain responsibility for the operating system management. With the on-premises datacentre, the customer maintains and owns the whole stack from the physical environment up to data and identities. The on-premises datacentre also includes the management of the relevant operating systems. With IaaS, the cloud provider is responsible for the security of the deployment’s physical components, which include the datacentre itself, the network, and hosting computers. The customer can choose which operating system to install and they retain responsibility for its management. Azure Virtual Machine (VM) is an example of an IaaS deployment. With Platform as a Service (PaaS) deployment, the cloud provider is responsible for the physical components of the underlying infrastructure and operating system. The customer’s responsibility covers applications, identities and data handling. Azure SQL Database is an example of PaaS deployment. With Infrastructure as a Service (SaaS) deployment, the cloud provider manages the hosting and handling of the cloud-based solution. It includes the handling of operating system management. The customer retains responsibility for accounts and identities, client devices, information and data. Dynamics CRM Online is an example of SaaS deployment.

Answer 83

To provision resources that are in line with compliance requirements - [Azure Blueprints] To monitor resources for compliance - [Azure Policy] You should use Azure Blueprints to provision resources that are in line with compliance requirements. Azure Blueprints enables you to define a repeatable set of Azure resources that should be deployed. You should use Azure Policy to monitor resources for compliance. Azure Policy is a solution that helps to ensure that resources stay compliant with business and regulatory requirements. Azure Policy cannot be used to provision resources. Resource locks are used to prevent resources from being accidentally deleted or changed. Azure Resource Manager (ARM) allows you to create, update, and delete Azure resources. It cannot verify whether those Azure resources stay compliant with specific business and regulatory requirements.

Answer 84

You can access, modify, or delete your data at any time. [Control] Authorized data collection is used to provide personalized improvements. [Benefits to you] Your data is protected using strong encryption. [Security] According to the Control privacy principle, you can access, modify, or delete your data at any time. Microsoft puts you in control of your data. Using provided intuitive tools and interfaces, you can access, change or remove your data when required. According to the Benefits to you privacy principle, authorized data collection is used to provide personalized improvements. When you authorize Microsoft to collect your data, it will be used to benefit you and improve your customer experience. For example, findings from the troubleshooting process can be used to develop new features to prevent re-occurrences of reported issues or customize the user interface to make it more adaptable to your needs and requirements. According to the Security privacy principle, your data is protected using strong encryption. Microsoft will utilize strong security and encryption mechanisms to protect your data against compromises at rest and while in transit. According to the Transparency privacy principle, Microsoft is transparent about the collection and use of customer data. This privacy principle ensures that Microsoft and its subcontractors only access your data with your agreement, and its use is regulated by the contractually agreed security and privacy requirements and procedures.

Answer 85

Cross-service role Azure AD roles can be classified into three broad categories: Security Administrator is an example of a cross-service role. There are some roles within Azure AD that span services. For example, Azure AD has security-related roles, like Security Administrator, that grant access across multiple security services within Microsoft 365. Similarly, with the Compliance Administrator role you can manage Compliance-related settings in Microsoft 365 Compliance Centre etc. The other two Azure AD role types are: 1. Azure AD-specific roles: these roles grant permissions to manage resources within Azure AD only. For example, such roles include Application Administrator and Groups Administrator, which grant permissions to manage resources that live in Azure AD. 2. Service-specific roles: for major Microsoft 365 services, Azure AD includes built-in, service-specific roles that grant permissions to manage features within the service. For example, Azure AD includes built-in roles for Intune Administrator, SharePoint Administrator, and Teams Administrator roles that can manage features with their respective services.

Answer 86

Administrator self -service password reset requires a strong two-gate password policy that cannot be overridden. [Yes] When you enable self-service password reset, you must also enable multi-factor authentication. [No] If passwords are managed on-premises, you must configure self-service password reset (SSPR) writeback to enable users to reset passwords. [Yes] Users' contact information must be registered before using self-service password reset (SSPR). [Yes] Self-service password reset (SSPR) is an Azure AD feature that can enable users to change or reset their password or unlock their user account without administrator intervention. You can configure the number of authentication methods users are required to register and the number of methods required to reset. The number of methods required can be set to one or two. With either number option, administrator SSPR requires a strong two-gate password policy. You cannot override this requirement. You are not required to enable multi-factor authentication (MFA) when you enable SSPR. You can use SSPR without MFA, but Microsoft recommends enabling MFA to provide greater security. If passwords are managed on-premises, you must configure SSPR writeback to enable users to reset passwords. This would be the situation in a hybrid network using password hash synchronization, pass-through, or federated authentication. If write-back is not enabled, users will not be able to reset their own passwords. Users' contact information must be registered before using self-service password reset (SSPR). An administrator can manually provide this contact information, or users can go to a registration portal to provide the information themselves.

Answer 87

Microsoft Defender for Identity Microsoft Defender for Identity uses on-premises Active Directory signals to reduce the attack surface by discovering identities that are used to move laterally inside an organization. Defender for Identity lets you identify and investigate advanced threats, such as lateral movement, compromised identities, and malicious insider actions. Microsoft Defender for Endpoint does not fulfill the requirements. Defender for Endpoint helps enterprise networks protect endpoints by preventing, detecting, investigating, and responding to advanced threats. Microsoft Defender for Office 365 does not fulfill the requirements. Defender for Office 365 is designed to protect against malicious threats such as those posed by malicious emails, unsafe links, phishing attacks, and attacks targeting collaboration tools. Microsoft Defender for Cloud Apps does not fulfill the requirements. Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that acts as an intermediary between a cloud user and the cloud provider.

Answer 88

Privileged Identity Management (PIM) Privileged Identity Management (PIM) mitigates the risks of excessive, unnecessary, or misused access permissions. This is a service in Azure AD that enables a user to manage, control, and monitor access to important resources within your organization. In this use-case scenario, you were required to provide time-bound access. PIM is the most appropriate solution, as you can use it to assign start and end dates for which a user can access specific resources. Besides time-bound, PIM can also provide just-in-time, approval-based, visible and auditable types of access. PIM is a feature of Azure AD Premium P2 edition. Azure AD Identity Protection is a tool that organizations can use to automate detection and mitigation of identity-related risks, conduct manual investigation and export risk detection data to other third-party security analysis tools. Identity Protection is a feature of the Azure AD Premium P2 edition. Azure AD multi-factor authentication (MFA) requires more than one form of verification, such as a trusted device or a fingerprint scan, to prove that an identity is legitimate. MFA improves the security of an identity while keeping it simple for the end user. The following additional forms of verification can be used with Azure AD MFA: Microsoft Authenticator app, Windows Hello for Business, FIDO2 security key, OATH tokens, SMS, and voice call. Azure AD roles allow you to control permissions to manage Azure AD resources. Azure AD supports two types of roles: built-in roles and custom. Role-based access control (RBAC) refers to the process of managing access using roles in Azure. Azure AD built-in and custom roles are a form of RBAC in the way that Azure AD roles control access to Azure AD resources.

Answer 89

Microsoft Sentinel You should use Microsoft Sentinel. Microsoft Sentinel is a security information event management (SIEM) and security orchestration automated response (SOAR) solution that aggregates data from your data sources on-premises and in the cloud and it uses its built-in AI capabilities to provide security analytics and threat intelligence across your entire enterprise. Azure Bastion is a service that provides secure Remote Desktop Control (RDP) or Secure Shell (SSH) access to your Azure virtual machines (VMs). It enables such access in a browser via the Azure portal, eliminating the need to expose your VMs to the internet via public IPs. Azure Firewall is a managed service that can protect Azure resources deployed in your VNet. Azure Firewall enables turnkey firewall capabilities to control and log access to your apps and resources. However, it is not intended to provide intelligent security analytics across your entire enterprise. Azure Network Watcher is a solution that monitors, diagnoses and gets insights into network performance and the health of your infrastructure-as-a-service (IaaS) resources in an Azure VNet. You can use it to capture data packets, understand network traffic patterns and diagnose common connectivity issues.

Answer 90

Microsoft Defender for Office 365 Microsoft Defender for Office 365 includes an attack simulator that lets you run realistic attack scenarios. Defender for Office 365 is designed to protect against malicious threats such as those posed by malicious emails, unsafe links, phishing attacks, and attacks targeting collaboration tools. Support for the attack simulator requires Defender for Office 365 Plan 2, which is included with Office 365 E5 licenses. Defender for Identity lets you identify and investigate advanced threats, such as lateral movement, compromised identities, and malicious insider actions. Defender for Endpoint helps enterprise networks protect endpoints by preventing, detecting, investigating, and responding to advanced threats. Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that acts as intermediary between a cloud user and the cloud provider.

Answer 91

Azure AD Azure AD is Microsoft's cloud-based identity and access management service. Azure AD is available in four editions: Free, Office 365 Apps, Premium P1, and Premium P2. On-premises Active Directory refers to Microsoft Active Directory (AD) that is hosted within an on-premises environment for an organization. It is not hosted on Microsoft's Public Cloud or Azure. Active Directory is a group of on-premises features included in Windows Server that has the following components: Active Directory Domain Services (AD DS), Active Directory Certificate Services (AD CS), Active Directory Federation Services (AD FS), Active Directory Rights Management Services (AD RMS) and Active Directory Lightweight Directory Services (AD LDS). Active Directory domain service (AD DS) is the on-premises directory service that is used to store identities, groups, computers, and other objects. AD DS stores passwords in the form of a hash value representation of the actual user password. Azure AD Connect simplifies the integration and management of organization's hybrid identity infrastructure. It takes care of all the operations that are related to synchronization of identity data between on-premises environment and Azure AD.

Answer 92

Microsoft Secure Score Microsoft 365 Defender manages, inhibits, probes, and reacts across endpoints, identities, email, and requests to provide integrated protection against advanced assaults. The portal brings this functionality together into a central place. Microsoft Secure Score, one of the tools in the Microsoft 365 Defender portal, is a representation of a company's security posture. The higher the score, the better your protection. From a centralized dashboard in the Microsoft 365 Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Advanced hunting is a query-based threat hunting tool. It is a part of the Microsoft 365 Defender portal that lets security professionals explore up to 30 days of raw data. Advanced hunting queries enable security professionals to proactively search for threats, malware, and malicious activity across your endpoints, Office 365 mailboxes. Threat analytics is a threat intelligence solution. It is a part of the Microsoft 365 Defender portal that is designed to assist security teams track and respond to emerging threats.

Answer 93

Microsoft Defender for Cloud provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure. The Microsoft cloud security benchmark provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure. The recommendations are categorized by the control to which they belong. The areas covered include network security, identity management, posture and vulnerability management, and endpoint security. Microsoft Defender for Cloud is a tool for security posture management and threat protection. It strengthens the security posture of your cloud resources and, with its integrated Microsoft Defender plans, Defender for Cloud protects workloads running in Azure, hybrid, and other cloud platforms. Cloud security posture management (CSPM) is a class of tools to improve your cloud security management. CSPM assesses your systems and automatically alerts security staff when a vulnerability is found.

Answer 94

Data loss prevention policies (DLP) are used to automatically prevent the inadvertent sharing or disclosure of sensitive information and to warn users when attempts are made. Data loss prevention (DLP) policies are used to automatically prevent the inadvertent sharing or disclosure of sensitive information and warn users when attempts are made. DLP policies give you a way to identify, monitor, and protect data in OneDrive for Business, SharePoint Online, Microsoft Teams, and Exchange Online. A single policy can contain multiple rules with different conditions to identify how to recognize the data, actions to be taken automatically when matching conditions are found, and locations (such as applications) where the policy is applied. You can create and manage DLP policies through the Microsoft Purview compliance centre. Endpoint data loss prevention policies extend these protections to Windows 10. eDiscovery policies are not used to prevent the inadvertent sharing or disclosure of sensitive information. eDiscovery is used to identify and deliver data that can be used in legal proceedings. The Content Search tool lets you search multiple different data sources using the eDiscovery policy. Retention labels are not used to prevent the inadvertent sharing or disclosure of sensitive information. Retention labels are used to assign retention settings at the item label. Retention labels are used to ensure that content is kept for a specified period of time and then deleted. When you want to apply retention settings at the site level or mailbox level you would use retention policies. Sensitivity label policies are not used to prevent the inadvertent sharing or disclosure of sensitive information. Sensitivity label policies are used to publish sensitivity labels to users and groups. Sensitivity labels can be used to encrypt emails and documents, mark the content, protect content in containers, and classify data without adding data protections.

Answer 95

Azure Policy You should use Azure Policy to enforce standards in your organization by evaluating if resource properties match business rules. Azure Policy evaluates resources for ongoing compliance assessment. Azure Policy ensures that resources remain compliant no matter who attempts to make changes to the resource. You should not use sensitivity label policies. Sensitivity label policies are used to publish sensitivity labels to users and groups. Sensitivity labels can be used to encrypt e-mails and documents, mark the content, protect content in containers, and classify data without adding data protections. You should not use Azure Resource Manager locks. Resource locks are used to prevent resources from being deleted or changed. Resource locks can be applied at the subscription level, to a resource group, or to a resource. The lock level can be set to CanNotDelete or ReadOnly. A CanNotDelete means the resource can be modified but cannot be deleted. A ReadOnly lock prevents the resource from being modified or deleted. You can apply more than one lock to a resource. You should not use Azure role-based access control (RBAC). RBAC is used to manage access to resources and what a user can do to the resources. If a user is granted the necessary permission to perform an action through RBAC, but the action would make the resource non-compliant, the action would be blocked.

Answer 96

Azure Blueprints orchestrates the deployment of various resources and preserves a relationship between what should be deployed and what was deployed, supporting the tracking and auditing of deployments. Azure Blueprints lets you define a repeated set of Azure resources that can be used for multiple deployments. A blueprint can include resource templates, role assignments, policy assignments, resource groups, and Azure Resource Manager (ARM) templates. Azure Bastion is not used for resource deployment. Azure Bastion provides Remote Desktop Protocol (RDP) and Secure Shell (SSH) connectivity with virtual machines (VMs) through the Azure portal. It also prevents VMs from exposing RDP/SSH ports to possible attacks and unauthorized access. Azure Policy is not used for resource deployment. Azure Policy is used to enforce standards and assess compliance. Azure Policy evaluates resource compliance at various times during the resource lifecycle, including once every 24 hours as part of the standard compliance evaluation cycle. ARM templates are used for resource deployment but they do not support all of the functionality provided with Azure Blueprints. For example, once resources are deployed, there is no active connection or relationship to the ARM template.

Answer 97

Retention label You can use a retention label to assign retention settings at an item level. This applies retention settings to the relevant folder, document, or email item. You cannot use an alert policy to assign retention settings at an item level. Alert policies can be used in the Microsoft Purview compliance portal or the Microsoft 365 Defender portal to specify conditions and threshold levels to monitor who the policy should apply to and who should be notified when the alerts are triggered. You cannot use a retention policy to assign retention settings at an item level. Retention policies are intended to apply retention settings to the content at a more aggregated level, such as a SharePoint site or an Exchange mailbox. You cannot use a sensitivity label to assign retention settings at an item level. Sensitivity labels allow you to classify your organization’s data and enforce relevant protection settings, such as encryption or watermarking.

Answer 98

Reports, Whitepapers and Artifacts You should check the Reports, Whitepapers and Artifacts section. This section provides the results of activities performed during penetration tests and security assessments of Intune, Azure, Dynamics 365, Office 365 and other Microsoft cloud solutions. You can run Pen Test and Security Assessments to get attestation of Penetration tests and security assessments conducted by third parties. Additionally, here you can find business continuity plans (BCP) and disaster recovery plans (DRP) developed and validated with representatives from Microsoft's business units, information on how Microsoft services comply with privacy and data protection requirements, as well as white papers and answers to frequently asked questions. You should not check the Certifications, Regulations and Standards section. This section contains security implementation and design information to meet compliance requirements with International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC), System and Organization Controls (SOC), General Data Protection Regulation (GDPR), Federal Risk and Authorization Management Program (FedRAMP), Payment Card Industry (PCI) Data Security Standards (DSS), Cloud Security Alliance (CSA) Security, Trust and Assurance Registry (STAR), Australia Information Security Registered Assessors Program (IRAP), Multi-Tier Cloud Security (MTCS) Singapore Standard and Spain's Esquema Nacional de Seguridad (ENS) regulations. You should not check the Industry and Regional Resources section. This section contains documents describing Microsoft's online services' compliance with the United States Government, various regional policies and regulations, as well as information relating to the regulatory compliance of industries including financial services, healthcare and life sciences, and media and entertainment. You should not check the Resources for your Organization section. This section contains documents specific to your organization’s subscription and permissions for Microsoft online services.

Answer 99

By default, Compliance Manager provides monitoring and recommended actions for Microsoft cloud services only. [Yes] Your action status on the Compliance Manager dashboard is updated immediately after implementing a control in response to an action. [No] Compliance Manager tracks only improvement actions that your company manages and ignores actions that Microsoft manages in calculating a compliance score. [No]

Answer 100

Mark items as a regulatory record. You should mark items as a regulatory record. Applying retention labels and marking the content as a regulatory record will enforce your records management policies. Even global administrators will not be able to remove the label. For this reason, this option is disabled by default and it needs to be explicitly enabled through a PowerShell cmdlet. You should not apply a standard retention label to content. A standard retention label helps to apply your organization’s retention settings and actions either manually or automatically. It allows for the deletion of files and the label itself can be removed by end users and administrators. You should not apply a sensitivity label to content. Sensitivity labels allow you to label and protect your organization’s sensitive content, such as enforcing its encryption, adding watermarks and extending protection settings to third-party applications and services. You should not mark items as a record and lock them. Content marked as a record enforces certain restrictions to block delete and other operations. However, administrators are still able to change or remove the label.

Answer 101

Microsoft Defender for Cloud Apps Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that lets you find uses of Shadow IT and control its use. This is the process of identifying cloud apps, and IaaS and PaaS services not authorized by an organization's IT department. This means that, without a tool like Microsoft Defender for Cloud Apps, the apps and services are not managed or controlled. Microsoft Defender for Endpoint does not find uses of Shadow IT and control its use. It helps enterprise networks protect endpoints by preventing, detecting, investigating, and responding to advanced threats. Azure WAF does not find uses of Shadow IT and control its use. WAF is designed to protect web applications from common exploits and vulnerabilities. It protects against attacks that exploit known vulnerabilities such as SQL injection and cross-site scripting. Azure Application Gateway does not find uses of Shadow IT and control its use. Application Gateway is a web traffic load balancer that works at the application layer and makes routing decisions based on HTTP request attributes.

Answer 102

Microsoft Defender for Office 365 protects your organization from malicious threats presented in email messages, web links and collaboration tools. With the Defender for Office 365 Plan 1, you can safeguard your organization with safe attachment, safe link, and anti-phishing capabilities, while Plan 2 provides additional features such as threat tracker, attack simulator, and automated investigation and response. Microsoft Defender for Endpoint does not protect your organization from malicious threats presented in email messages, web links and collaboration tools. It is an endpoint security solution that helps to detect, investigate, respond to, and prevent advanced threats against enterprise networks. It delivers preventative protection, detects security breaches from behavioural sensors, identifies attacker tools and techniques, and offers automatic investigation and remediation capabilities. Microsoft Defender for Identity does not protect your organization from malicious threats presented in email messages, web links and collaboration tools. It is an identity security solution that helps to protect enterprise hybrid environments from advanced identity threats, compromised credentials and malicious insider activities. It can monitor and profile user behaviour, it identifies attempts to compromise account credentials, and it provides timeline-based insights for the fast triaging of detected advanced threats.

Answer 103

Microsoft Purview Communication Compliance helps decrease communication dangers by enabling organizations to identify, secure, and take remedy actions for unacceptable messages. This highlight enables reviewers to examine scanned mails and messages across Microsoft Teams, Exchange Online, or third-party communications in an organization, taking appropriate remedy activities to make sure they are in compliance with the organization's communication guidelines. Insider risk management, a part of the Microsoft Purview compliance portal, is a resolution that helps minimize internal hazards by enabling an organization to detect, investigate, and act on risky and malevolent behaviors. Information barriers are policies that admins can configure to prevent individuals or groups from communicating with each other. Microsoft Purview Information Barriers is supported in Microsoft Teams, SharePoint Online, and OneDrive for Business.

Answer 104

Microsoft Sentinel Microsoft Sentinel is Microsoft's SIEM/SOAR security solution. Microsoft Sentinel: *Collects data from on-premises and multiple clouds for all users, devices, applications, and infrastructure *Detects previously uncovered threats and minimizes false positives *Investigates threats and hunts suspicious activities at scale *Responds to incidents with built-in orchestration and security task automation Microsoft Defender for Cloud is not an SIEM/SOAR security solution. Microsoft Defender for Cloud helps you identify and implement hardening tasks across your machines, data services, and applications through the continuous evaluation of security controls and resources. Microsoft 365 Defender is not an SIEM/SOAR security solution. Microsoft 365 Defender is a comprehensive extended detection and response (XDR) security solution. It represents a defense suite that coordinates detection, prevention, investigation, and response to determine the full scope and impact of threats. Microsoft Intune is not an SIEM/SOAR security solution. Microsoft Intune is a cloud-based service for mobile device management (MDM) and mobile application management (MAM). Microsoft Intune can be used to manage both corporate-owned and personal devices.

Answer 105

Network security groups (NSGs) filter traffic to and from Azure resources in an Azure virtual network (VNet). [Yes] You can associate zero, one, or more network security groups (NSGs) to each virtual subnet or virtual machine network interface. [No] You can associate one network security group (NSG) with multiple virtual subnets and virtual machine network interfaces. [Yes] Network security groups (NSGs) apply to intra-subnet traffic in a virtual network. [Yes] NSGs filter traffic to and from Azure resources in an Azure virtual network. Filtering is based on security rules contained in the NSG. Security rules are defined by source, destination, port, protocol, and direction. Each rule is also given a priority number between 100 and 4096, and the rules are processed in priority order within the NSG. You can associate zero or one NSGs to each virtual subnet or virtual machine network interface. However, you cannot associate more than one NSG with the same subnet or network interface. If you need to process multiple filtering rules, you would have to create the NSG with multiple security rules. You can associate one NSG with multiple virtual subnets and virtual machine network interfaces. The same NSG can be associated with any number of virtual subnets or virtual machine interfaces, including multiple interfaces on the same virtual machine. NSGs apply to intra-subnet traffic in a VNet. An NSG can block communication between subnets in the same VNet.

Answer 106

Microsoft Purview governance portal Microsoft Purview governance portal is designed to address the challenges associated with the rapid growth of data and help enterprises obtain the most value from their information assets. It provides a unified data governance service in your organization that will help you to manage and govern your on-premises, multi-cloud, and software-as-a-service (SaaS) data. It does so by creating a holistic map of the data landscape within the organization, including data discovery, sensitive data classification, and end-to-end data lineage. The Microsoft Purview governance portal includes the following five components: 1) Data Map, 2) Data Catalog, 3) Data Estate Insights, 4) Data Sharing and 5) Data Policy. At the time of writing, Data Sharing and Data Policy features are currently in Preview. Azure Policy is designed to help enforce standards and assess compliance across your organization. Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. Azure Blueprints provide a way to define a repeatable set of Azure resources. Azure Blueprints enable development teams to rapidly provision and run new environments with the knowledge that they are in line with the organization's compliance requirements.

Answer 107

Access review Access review is implemented as part of the Azure Identity Governance feature. Access review can help to manage resource access lifecycle, i.e., schedule reviews of who has access to specific resources, monitor for compliance, determine if users still should have access and automate its removal. Access review requires Azure AD Premium P2. You should not use Conditional Access. Conditional Access is a feature of Azure AD that applies an extra layer of security before allowing authenticated users to access Azure AD assets such as data and applications. Conditional Access analyses signals such as user, device and location to make policy decisions. You should not use Password Protection. Azure AD Password Protection is used to detect and block known weak passwords and their variants based on a default global banned password list and an optional custom list of banned passwords. These are stored in Azure AD but can also be applied to an on-premises Active Directory Domain Services (AD DS) domain. You should not use Identity Protection. Identity Protection automates the detection and remediation of identity-based risks. It can also export risk detection data to third party tools for additional analysis. Identity Protection can identify sign-in risk (the risk that the sign-in was not performed by the user), and user risk (the risk that a user's identity has been compromised).

Answer 108

Azure Bastion Azure Bastion provides secure RDP/SSH connectivity without exposing RDP/SSH ports to the internet. Azure Bastion lets users establish an RDP/SSH session through the Azure portal. The connection is secured over the internet using Transport Layer Security (TLS). It is not necessary to configure public IP addresses for the VMs. Remote VMs are also protected against port scanning attempts. Microsoft is responsible for keeping Azure Bastion hardened and up to date to prevent attacks such as the use of zero-day exploits against Azure Bastion. You should not use Azure Application Gateway. Azure Application Gateway is a web traffic load balancer for web applications. You can also implement Azure Web Application Firewall when you deploy Azure Application Gateway. Azure Application Gateway supports web application access only and it does not provide direct access to VMs. You should not use ExpressRoute. ExpressRoute provides a way to create and maintain secure connections between Microsoft datacenters and your on-premises infrastructure. ExpressRoute connections do not go over the public internet. You should not use Azure AD Connect. Azure AD Connect use is not related to resource access and connections. Azure AD Connect provides identity synchronization between on-premises Active Directory and Azure AD in a hybrid network environment.

Answer 109

Dynamic groups The company should use dynamic groups to automatically manage access assignments. Identity Governance lets you manage access throughout a user's digital identity lifecycle. You can assign role-based access control (RBAC) roles to dynamic groups. Group membership is automatically controlled through changes to user attributes specified in attribute-based rules. When a rule no longer applies, the user is removed from the group. The company should not use Azure AD Connect. Azure AD Connect is used in a hybrid network environment to provide synchronization between on-premises Active Directory and Azure AD. This ensures that on-premises users and group digital identities are synchronized to the cloud. The company should not use Azure Identity Protection. Identity Protection automates the detection and remediation of identity-based risks. It can also export risk detection data to third party tools for additional analysis. Identity Protection can identify sign-in risk (the risk that the sign-in was not performed by the user), and user risk (the risk that a user's identity has been compromised). The company should not use Azure access reviews. Access reviews are used to determine if users should continue to have access to resources. Access reviews can help manage risk by lowering the risk of data leakage and data spill. Access reviews make recommendations for user and group access to specific resources.

Answer 110

C. Password change D. Account unlock Account unlock and password change are two functionalities that are provided by self-service password reset (SSPR). SSPR reduces the involvement of the system administrators and help desk teams by allowing end users to reset or change their passwords, or unlock their accounts as a self-service. If users forget their passwords they can trigger a reset, or if they know it, they can change it themselves. Additionally, they can also unlock their accounts. Regulatory compliance dashboard and secure score are part of Cloud Security Posture Management (CSPM) delivered by the Microsoft Defender for Cloud. Regulatory compliance dashboard assesses whether your Azure, on-premises and multi-cloud resources are compliant with the relevant jurisdiction's laws, rules and regulations, what are the potential risk factors and what are best practices to apply. Secure score provides you with an overall Azure secure score along with per-subscription breakdown. Secure score provides recommendations for unhealthy resources and indicates how their implementation can contribute to potential score increase.

Answer 111

Microsoft's privacy principle of Strong legal protections mandates respecting local privacy laws and fighting for legal protection of privacy as a fundamental human right. [Yes] Microsoft's privacy principle of Benefits to you mandates that when Microsoft collects data, it is used to benefit the customer, and to make their experiences better. [Yes] Microsoft's privacy principle of Transparency mandates putting the customer in control of their data and privacy with easy-to-use tools and clear choices. [No] Microsoft’s products and services are based on trust. Microsoft's privacy principle of Strong legal protections mandates respecting local privacy laws and fighting for legal protection of privacy as a fundamental human right. Microsoft's privacy principle of Benefits to you mandates that when Microsoft collects data, it is used to benefit the customer, and to make their experiences better. Microsoft's privacy principle of Control mandates putting the client in control of their data and privacy with easy-to-use tools and clear choices. The principle of Transparency, in contrast, is about being transparent about data collection and use so that everyone can make informed decisions.

Answer 112

Salting Implementing an additional layer that adds a fixed-length random value to the input of hash functions to create unique hashes for the same input is an example of salting. When you use hashing to store passwords, a user enters their password, and a hashing algorithm then creates a hash of the entered password. Although hashing provides a secure way of storing passwords, hashing algorithms are also known to malicious hackers. The issue lies in the fact that, as hash functions are deterministic (the same input produces the same output), hackers often use brute-force dictionary attacks to recover the encrypted password. To prevent this brute-force breaking in, an additional layer of security is added using so-called salting. The way salting works is by adding a fixed-length random value to the input of hash functions to create unique hashes for the same input. In other words, a salt adds complexity to a single password and, for every password in a database, it is unique. Symmetric encryption and asymmetric encryption are not an example of this scenario. Symmetric encryption is also referred to as secret key encryption. Asymmetric encryption is also referred to as public key encryption. Symmetric encryption uses the same key to encrypt and decrypt the data. As long as both the sender and recipient know the secret key, they can encrypt and decrypt all messages that use this key for symmetric encryption. Asymmetric encryption uses a public and private key pair. Either key can encrypt data, but a single key cannot be used to decrypt encrypted data. To decrypt data, you need a paired key. Role-based access control (RBAC) gives you the ability to implement fine-grained access control to your resources hosted on Azure. The way you control access to resources using Azure RBAC is by assigning Azure roles. A role assignment consists of three elements: security principal, role definition, and scope. You should use RBAC in situations when you wish to allow access to a user to manage virtual machines in a subscription and another user to manage virtual networks or, alternatively, allow a DBA group to manage SQL databases in a subscription.

Answer 113

Password hash synchronization (PHS) Password hash synchronization (PHS) handles user authentication in the cloud completely. With this hybrid identity sign-in method, you synchronize a hash of the end user’s password to Azure AD. Users can then be authenticated directly in the cloud. The federation sign-in method does not handle user authentication in the cloud completely. It ensures that users are authenticated on-premises. Because of the trust established between on-premises AD and Azure AD, authenticated users can then be re-directed to the cloud to access relevant applications. On-premises Active Directory Domain Services (AD DS) does not handle user authentication in the cloud completely. It authenticates end users and authorizes their access to the internal networks. To enable cloud-based authentication, you can either utilize PHS to sync hashes to the cloud or set up user identities directly in Azure AD. Pass-through Authentication (PTA) does not handle user authentication in the cloud completely. It is another sign-in method that enables hybrid identity. However, it still requires the installation of a lightweight on-premises agent that reacts to the sign-in requests in the cloud and validates the username and password against on-premises AD.

Answer 114

The action would add 1.2 raw points to the Remediate vulnerabilities control points. he Remediate vulnerabilities control has a maximum of 6 points. Divide the maximum points by the total number of resources for that control to determine the increase per resource: 6 points/50 resources = 0.12 points/per resource To determine the change to the security store report, multiply the number of resources corrected by the points per resource: 0.12 points/per resource x 10 resources = 1.2 points This is added to the raw points for the control. The control originally had seven healthy resources for 0.84 points, plus the 1.2 points for the new healthy control for a total of 2.04 points for the control. The total security score is based on the current score for all controls divided by the total maximum score for all controls, expressed as a percentage. You are not given these values and you would have no way to calculate the percentage change, but it would be different than the raw points value.

Answer 115

As a communication compliance feature, intelligent customizable templates allow you to apply machine learning classifiers to detect communication violations in your organization. Intelligent customizable templates can utilize pre-built Microsoft Purview’s machine learning classifiers to recognize potentially inappropriate or sensitive content in images and text. The use of such templates helps reviewers to perform investigation and remediation processes more effectively. Actionable insights are the interactive dashboards that allow you to verify the status and actions assigned to pending and resolved alerts. Actionable insights can be used to analyse trends by users and policies, and export policy and review activity logs to meet audit requirements. Flexible remediation workflows allow you to identify and take quick actions on your organization’s policy matches. As a response to the policy match, the workflow may escalate messages to other reviewers, send pre-configured notifications to users with policy matches, and even translate messages in other languages to a reviewer’s display language.

Answer 116

Privileged Identity Management (PIM) is an Azure AD service that enables the management, control and monitoring of access to important organizational resources in the cloud. PIM provides time-based privileged access to resources in Azure AD, Azure, Microsoft Intune, Microsoft 365, and other Microsoft cloud services. Azure Bastion is not an Azure AD service. It is an Azure platform as a service solution that you deploy inside a virtual network (VNet) to enable secure RDP or SSH connectivity to your virtual machines (VMs) using the Azure portal. Privileged Access Management (PAM) is similar to PIM and helps to restrict privileged access. However, the scope of PAM is limited to an isolated on-premises AD environment and does not cover cloud resources.

Answer 117

Microsoft cloud security benchmark provides guidance on how to implement security controls in Azure. [Yes] A security baseline is not specific to a technology or implementation. [No] A control is a benchmark recommendation for the individual Azure service. [No] Microsoft cloud security benchmark (MCSB) provides guidance on how to implement security controls in Azure. Some of the controls used in MCSB include network security, identity and access control, data protection, data recovery, incident response, and more. Security baselines for Azure apply guidance from the MCSB to the specific service for which it is defined. Each organization decides which benchmark recommendation and corresponding configurations are needed in the Azure implementation scope. An example of a baseline would be Azure SQL security baseline, which helps us to ensure Azure SQL Database is protected. A control is not a benchmark recommendation for the individual Azure service. A control is a high-level description of a feature or activity that needs to be addressed and is not specific to a technology or implementation. An example of a control would be Data Protection, which helps us to ensure critical data is protected.

Answer 118

Identity Protection categorizes risks into two tiers. [No] With Identity Protection, you can automate the remediation of identity-based risks. [Yes] You can query Identity Protection data through Microsoft Graph APIs. [Yes] Identity Protection does not categorize risks into two tiers, it categorizes risks into three tiers. Those three tiers are low, medium and high. Higher risk tier means higher probability of the user account or sign-in being compromised. With Identity Protection, you can automate the remediation of identity-based risks. Automated remediation can be enabled through the setup of risk-based policies. Depending on the policy configuration, user accounts may be blocked or end users may be required to pass multi-factor authentication (MFA) or change their passwords. You can query Identity Protection data through Microsoft Graph APIs. As a unified API endpoint, the Microsoft Graph enables API access to various Microsoft solutions including Azure Active Directory (AD) Identity Protection. You should have Azure AD Premium P1 or P2 licenses to use Identity Protection’s risk detection APIs.

Answer 119

Create a template. You should first create a template. You can create assessment templates to help you create assessments and you can add your own controls and actions to the template. Templates serve as a framework containing the necessary controls and improvement actions for completing an assessment. You should not create an assessment. Each assessment is created from an assessment template. There are pre-built templates, but you would need to create a custom template for your internal business process. You should not upload actions. Improvement actions are uploaded after you create the assessment template. Improvement actions contain the details and guidance to help you meet the requirements of your process. Actions are assigned to users to perform when the assessment is created from the template. You should not create alert policies. Alert polices are used to create alerts in the the Microsoft Purview compliance portal or the Microsoft 365 Defender portal. Alerts are not used in compliance manager.

Answer 120

When implementing an Azure AD external identity solution, Azure AD B2C access management allows external users to sign in with their preferred social, enterprise, or local account identities. Azure AD External Identities is a set of capabilities that enables organizations to allow access to external users such as customers or partners. Your customers, partners, and other guest users can "bring their own identities" to sign in. There are three types of Azure AD External Identities: B2B collaboration, B2B direct connect and, B2C access management. 1. Azure AD B2B collaboration allows you to share your apps and resources with with business partners from external organizations. For example, you can allow external B2B users to sign into your Microsoft applications or other enterprise applications, such as software as a service (SaaS) apps, custom-developed apps, etc. 2. Azure AD B2B direct connect establishes a mutual, two-way trust with another Azure AD organization for seamless collaboration. For example, B2B direct connect currently supports Microsoft Teams shared channels. This enables external users to access your resources from their home instances of Teams. 3. Azure AD B2C access management is an identity management solution for both consumer and customer-facing apps. This is an example of a customer identity access management (CIAM) solution. Azure AD B2C allows external users to sign in with their own social, enterprise, or local account identities. For example, you can publish modern SaaS apps, or custom-developed apps with Azure AD B2C.

Answer 121

The default Microsoft 365 data protection baseline assessment Your initial Compliance Manager compliance score is based on the Microsoft 365 data protection baseline. This is a set of controls that include regulations and standards for data protection and data governance. You can view an overall compliance score based on these data protection standards. Your initial compliance score is not based on completed Microsoft actions only. Improvement actions include Microsoft actions (those that Microsoft manages) and your improvement actions (those that are managed by your company). Both are added to your compliance score as a part of continuous assessment. Your initial compliance score is not based on your current Microsoft Secure Score. Improvement actions that are monitored by both Compliance Manager and Secure Score are both used in compliance score calculations, but it can take up to seven days to collect and include Secure Score data. Your initial compliance score is not based on automated testing monitored improvement actions only. Automated testing is limited to only those improvement actions that are monitored by both Compliance Manager and Secure Score. Automated testing is enabled by default when you first start using Compliance Manager.

Answer 122

Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB). Defender for Cloud Apps is a software as a service (SaaS) solution that works across clouds and operates as an intermediary between a cloud user and a cloud provider. CASBs help organizations to protect their environment by providing a wide range of capabilities across four pillars: visibility, threat protection, data security, and compliance. Microsoft Defender for Identity is a cloud-based security solution. Microsoft Defender uses on-premises AD signals to identify, detect, and investigate threats and identities. Microsoft Defender for Endpoint is a solution that helps enterprise networks protect their own endpoints. Microsoft Defender for Endpoint prevents, detects, investigates, and responds to advanced threats by embedding technology built into Windows 10 and Microsoft cloud services.

Answer 123

Password hash synchronization You should use password hash synchronization. Password hash synchronization supports authentication of on-premises identities without passing the credentials of AD DS for authentication. Azure AD Connect synchronizes passwords by extracting password hashes from on-premises AD DS. You should not use pass-through authentication (PTA), with or without SSO. PTA uses a software service running on one or more on-premises servers. The servers validate users with the on-premises AD DS domain. SSO enables users to sign in and use different applications without having to go through multiple sign-ins. Enabling SSO does not change where the users are authenticated. You should not use federated authentication. With federated authentication, Azure AD hands off authentication to a trusted authentication system. In this scenario, you would need to configure AD Federation Services (AD FS) for your on-premises domain. Authentication does not occur with Azure AD. An advantage of federated authentication is that you can support advanced authentication methods such as smartcard-based authentication and third-party multi-factor authentication.

Answer 124

Microsoft Sentinel You should choose Microsoft Sentinel. Microsoft Sentinel is a scalable, cloud-native security information event management (SIEM) and security orchestration automated response (SOAR) solution from Microsoft. Sentinel provides a solution for alert detection, visibility of threats, and pro-active hunting of threats. Since you are looking for a tool that will allow you to analyze, look for correlations or anomalies, and be able to generate alerts and incidents, you should opt for Microsoft Sentinel as the solution. You should not choose Microsoft Defender for Cloud. Microsoft Defender for Cloud continuously assesses an organization's hybrid cloud environment to analyze the risk factors according to the controls and best practices in Azure Security Benchmark (ASB). ASB includes controls such as network security, identity and access control, data protection, data recovery and incident response. Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) tool. You should not choose Azure Bastion. Azure Bastion is a service that allows you to connect to a virtual machine (VM) using your browser and the Azure portal. The Azure Bastion service is a platform-managed platform as a service (PaaS) service that you provision inside your virtual network (VNet). Azure Bastion provides secure and seamless RDP and SSH connectivity to your virtual machines directly from the Azure portal using Transport Layer Security (TLS). You should not choose Microsoft cloud security benchmark. Microsoft cloud security benchmark (MCSB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure.

Answer 125

Records management tracks the usage of certain documents and emails and ensures that these documents and emails are not deleted until they are no longer required. Records management helps an organization look after their legal obligations. Records management adds restrictions that prevent documents and emails from being edited or deleted. Activities on documents and emails will be tracked. To declare documents and emails as records, you use retention labels that mark the content as a record or a regulatory record. Data loss prevention does not track the usage of certain documents and emails and ensures that these documents and emails are not deleted until they are no longer required. Data loss prevention protects access to sensitive information across Microsoft 365 and prevents inadvertent disclosure; for example, on sharing a document externally. Data loss prevention does not prevent a document from being edited or deleted. Sensitivity labels do not track the usage of certain documents and emails and ensure that these documents and emails are not deleted until they are no longer required. You should not use sensitivity labels. Sensitivity labels enable the labelling and protection of content without affecting productivity and collaboration. Sensitivity labels do not define how long documents should be kept.

Answer 126

In a Zero Trust security model, only devices inside the corporate network are considered to be trustworthy. [No] The Zero Trust security model always assumes breach. [Yes] The Zero Trust security model enforces the principle of always trust everyone. [No] In a Zero Trust security model, no devices are considered to be trustworthy. This model never trusts anything and always requires explicit verification of every access request, irrespective of the device's location. That is why each system, whether it is a user identity, device, network, or an application, always needs to be authenticated and authorized before it is granted an access. The Zero Trust security model always assumes breach. This is one of the core principles of the Zero Trust security model. That is why access is limited only to what is needed, only for a required time period, and there is a constant search for any potential anomalies and malicious activities. The Zero Trust security model enforces the Principle Of Least Privileged (POLP) access. POLP is based on the principle: never trust, always verify. Data and solutions are protected by limiting user access with just-in-time (JIT) and just-enough-access (JEA) security policies.

Answer 127

Azure Web Application Firewall Azure Web Application Firewall (WAF) provides centralized protection. You can deploy WAF with the Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) services. WAF automatically updates to include protection against new vulnerabilities. In addition, you can configure custom rules to work with WAF. WAF operates in two modes: In Detection mode, WAF monitors and logs threat alerts but it does not attempt to block incoming requests; in Prevention mode, it monitors and logs threat alerts but then it also blocks intrusions and attacks, returning a "403 unauthorized access" status code and closing the connection. Azure Bastion does not provide the desired protection. Azure Bastion provides Remote Desktop Protocol (RDP) and Secure Shell (SSH) connectivity with virtual machines (VMs) through the Azure portal. It also prevents VMs from exposing RDP/SSH ports to possible attack and unauthorized access. Azure DDoS protection does not provide the desired protection. Azure DDoS protection helps to protect your network and resources from Distributed Denial of Service (DDoS) attacks. Azure DDoS protection identifies when attackers are trying to overwhelm a network and it blocks traffic from the attack. Azure Firewall does not provide the desired protection. Azure Firewall is a cloud-based network security service that is designed to protect Azure virtual network (VNet) resources. You can deploy Azure Firewall on a centralized VNet to extend its protection across all your VNets, across multiple subscriptions, and in your on-premises network.

Answer 128

Insider risk management policy replaces data loss prevention policy (DLP) for detecting data leaks. [No] Insider risk management policies are created from pre-defined templates provided by Microsoft. [Yes] Insider risk management policy can use the Microsoft 365 HR connector to import resignation and termination date information. [Yes] Insider risk management policy does not replace data loss prevention policy (DLP) for detecting data leaks. Data leaks templates are used to generate insider risk alerts for intentional or accidental exposure of sensitive information. A policy created from a data leak template must have a DLP policy assigned to the data leak policy. Insider risk management policies are created from pre-defined templates provided by Microsoft. Pre-defined templates include templates for data theft by departing users and general data leaks. At any point, Microsoft may have several templates in preview. Insider risk management policy can use the Microsoft 365 HR connector to import resignation and termination date information. This is used with policies created with the Data theft by departing users template and other templates. You can also monitor user account deletion in Azure Active Directory (Azure AD).

Answer 129

Federation uses a trust relationship to allow access to resources. [Yes] With federation, a user needs to maintain a separate username(s) and corresponding password(s) when accessing resources in other domains. [No] With federation, trust is always bi-directional. [No] Federation uses a trust relationship to allow access to resources. The level of trust may vary, but it typically includes authentication and almost always includes authorization. Federation allows access of services across organizational or domain boundaries by virtue of establishing trust relationships between the respective domain's identity providers. With federation, there is absolutely no need for a user to maintain a different username and password when accessing resources in other domains. With federation, trust is not always bi-directional. A common example of federation is when a user logs into a third-party site with their social media account (e.g., LinkedIn). LinkedIn acts as an identity provider, and the third-party site might be using a different identity provider, such as Azure AD. There is a trust relationship between Azure AD and LinkedIn.

Answer 130

Enable security defaults. You should enable security defaults to quickly enforce Multi-Factor Authentication (MFA) registration for all your Azure Active Directory (AD) users. Enabling security defaults in Azure AD is a quick and easy way to enforce MFA registration. End users will be prompted and they will have 14 days to complete their MFA registration, as otherwise their sign-in will be blocked. You should not assign the Managed Identity Contributor role to the end users. The Managed Identity Contributor role provides end users with access to create, read, update or delete user assigned identities. This role cannot enforce MFA registration. You should not configure Azure Policy. Azure Policy can be used to enforce organizational standards in the setup and deployment of Azure resources, for example, what Azure virtual machine’s (VM) type to use and in what geographies. You should not grant the Owner role to all Resource Groups. Owner is one of the Azure built-in roles. It grants end users with full access to manage relevant Azure resources.

Answer 131

Transparent Data Encryption (TDE) is the encryption technology that protects Azure SQL Database and Azure Synapse Analytics against the threat of malicious activity through the real-time encryption and decryption of databases, associated backups, and transaction log files. TDE is enabled by default for all new Azure SQL Database instances. Data is encrypted at the page level. Pages are encrypted before being written to disk and they are decrypted before they are read into memory. Storage Service Encryption (SSE) is the encryption technology that is used to protect data at rest in Azure storage. Azure does this by automatically encrypting before writing the data to Azure-managed disks, Azure Blob Storage, Azure Files, or Azure Queue Storage. Data is decrypted before retrieval. Azure Disk Encryption is the encryption technology that encrypts Windows and Linux IaaS virtual machine disks using the BitLocker feature of Windows or the dm-crypt feature of Linux. Azure Disk Encryption supports both operating system and data disk encryption. Azure Key Vault is used to protect the encryption keys used. Azure Information Protection (AIP) is not an encryption technology. AIP is used to discover, classify, and protect documents and emails by applying labels to content. This includes support for multiple file types including data files, email messages, and PowerPoint content files. AIP includes an on-premises scanner that can scan for sensitive content. Transport Layer Security (TLS) is an encryption technology but it does not match any of the encryption descriptions. All of the given encryption examples encrypt data at rest. TLS is used to encrypt data in transit between cloud services and customers.

Answer 132

An identity provider creates, maintains, and manages identity information while providing authentication services to applications. It can be used to manage end users’ digital identities. It also provides authentication, authorization and auditing services. Microsoft Azure AD, Google federation, and Facebook federation are all examples of cloud-based identity providers. Identity Protection does not create, maintain, and manage identity information while providing authentication services to applications. You can use Azure AD Identity Protection to detect various types of identity risks such as the use of anonymous IP addresses, unfamiliar sign-in properties, leaked credentials and others. You can automate the mitigation of detected risks, their investigation and further export into third party security information and event management (SIEM) solutions. A retention policy does not create, maintain, and manage identity information while providing authentication services to applications. You use retention policies to apply retention configuration to your Microsoft 365 content. Retention labels assign retention settings at an item level; for example, to a specific document or email; however, a retention policy helps to apply those settings on a more aggregated level, for example, to all documents in a SharePoint site or all emails in an Exchange mailbox.

Answer 133

Monitor service health - [Free] Create custom role for specific resources - [Premium P1] Monitoring service health can be performed by users with the built-in roles in Azure AD such as the Service Support Administrator role. Using the built-in roles only requires the Azure AD Free license. Creating a custom role in Azure AD requires an Azure AD Premium license. The Premium P1 is lower cost that Premium P2 and can meet the requirement.

Answer 134

Configure just-in-time (JIT) in Defender for Cloud. You should configure just-in-time (JIT) in Defender for Cloud. Configuring JIT in Defender for Cloud will ensure that SSH traffic is blocked most of the time and enabled only for specific external IP addresses and only for the period of time needed. Access to a VM can be requested from the Azure portal or programmatically via code or script, and JIT logged for audit purposes. You should not setup NSG rules to allow or deny traffic to port 22 as this would keep the SSH port constantly open or closed. As per this scenario, you need to enable SSH access when needed. You should not use Azure Bastion. Azure Bastion enables SSH or RDP connectivity to Azure virtual machines (VMs) via a browser and Azure portal. Azure Bastion does not allow direct SSH access to the target VMs from external IP addresses.

Answer 135

Data Catalog With the Microsoft Purview Data Catalog, both business and technical users can instantly and effortlessly find important data using search capabilities with filters based on glossary terms, classifications, sensitivity labels and more. Microsoft Purview Data Map provides the foundation for data discovery and data governance. Data Map does not provide you with a search capability based on the filtering of glossary terms, etc. Microsoft Purview Data Estate Insights offers security officers a bird's eye viewpoint and the ability to understand at a glance what data is actively examined, where complex data is, and how it moves. Data Insights does not provide you with a search capability based on the filtering of glossary terms etc. Microsoft Purview Data Sharing allows organizations to securely share data both within your organization or across organizations with business partners and customers. At the time of writing the Data Sharing feature in the Microsoft Purview governance portal is currently in Preview. Microsoft Purview Data Policy allows organizations to manage access to different data systems across their organizational data estate. At the time of writing the Data Policy feature in the Microsoft Purview governance portal is currently in Preview.

Answer 136

Data Catalog With the Microsoft Purview Data Catalog, both business and technical users can instantly and effortlessly find important data using search capabilities with filters based on glossary terms, classifications, sensitivity labels and more. Microsoft Purview Data Map provides the foundation for data discovery and data governance. Data Map does not provide you with a search capability based on the filtering of glossary terms, etc. Microsoft Purview Data Estate Insights offers security officers a bird's eye viewpoint and the ability to understand at a glance what data is actively examined, where complex data is, and how it moves. Data Insights does not provide you with a search capability based on the filtering of glossary terms etc. Microsoft Purview Data Sharing allows organizations to securely share data both within your organization or across organizations with business partners and customers. At the time of writing the Data Sharing feature in the Microsoft Purview governance portal is currently in Preview. Microsoft Purview Data Policy allows organizations to manage access to different data systems across their organizational data estate. At the time of writing the Data Policy feature in the Microsoft Purview governance portal is currently in Preview.

Answer 137

The privacy principles of Microsoft are about making meaningful choices for how and why data is collected and used. They ensure that you have the information you need to make the right choices for your organization. Microsoft's privacy principles include information about where your data located and how Microsoft collects and protects data. Compliance Manager measures your progress in reducing risks around regulatory standards. The Compliance Manager tool defines the tasks you need to complete to reduce risks around data protection and other regulatory standards. The Shared responsibility model is concerned with which security tasks are handled by the cloud provider and which tasks are handled by you. The Shared responsibility model does not explain how Microsoft protects your data or how risks are managed. Zero Trust assumes everything is on an open and untrusted network. Zero Trust methodology operates on the principle of "trust no one, verify everything." Zero Trust does not explain how Microsoft protects your data or how risks are managed.

Answer 138

Azure AD registered devices can include Windows 10 or later, and mobile devices, are typically personal devices, and use a personal Microsoft account or another local account to sign in. Supported devices include Windows 10, iOS, Android, and macOS devices. This enables a company to use tools like Microsoft Intune to ensure standards for security and compliance on the devices. Azure AD joined devices are managed in Azure AD. Only Windows 10 or later devices except Home editions and Azure virtual machines (VMs) running Windows Server 2019 or later can be configured as Azure AD joined devices. The devices are owned by the organization. Users sign in with Azure AD or synced AD work or school accounts only. Hybrid Azure AD joined devices include those supported in a hybrid environment with synced Active Directory Domain Services (AD DS) and Azure AD identities. Supported devices are limited to devices owned by the organization and running Windows 10 or later, or Windows 2008 or later devices. Users sign in with an AD DS account owned by the organization.

Answer 139

You can use Azure Monitor Workbooks to monitor Microsoft Sentinel data using built-in workbook templates and custom workbooks. [Yes] You can create security playbooks based on Azure Logic Apps in Microsoft Sentinel to automate and orchestrate responses to incidents. [Yes] Microsoft Sentinel provides a continuously-updated, consolidated secure score that identifies recommended configurations for security features. [No] You can use Azure Monitor Workbooks to monitor Microsoft Sentinel data using built-in workbook templates and custom workbooks. This is possible because Microsoft Sentinel is integrated with Azure Monitor Workbooks. This includes the ability to create interactive reports through Azure Monitor Workbooks. This functionality enables you to gain insights across your data as soon as you connect a data source. You can create security playbooks based on Azure Logic Apps in Microsoft Sentinel to automate and orchestrate responses to incidents. This provides a highly-extensible development architecture that lets you scale automation as necessary to meet changing requirements. You can develop custom playbooks and choose from built-in playbooks. Microsoft Sentinel does not provide a continuously-updated, consolidated secure score that identifies recommended configurations for security features. This is a feature of Microsoft Defender for Cloud.

Answer 140

Data, particularly personal data, is subject to the laws and regulations of the country/region in which it is physically collected, held, or processed. Data sovereignty refers to that data, particularly personal data, is subject to the laws and regulations of the country/region in which it is physically collected, held, or processed. Data residency refers to the regulations that govern the physical locations where data can be stored and how and when it can be transferred, processed, or accessed internationally. Trust no one, verify everything describes the Zero Trust model. Zero Trust is a security strategy. Data privacy refers to the fact of being transparent about the collection, processing, use, and sharing of personal data are fundamental principles of privacy laws and regulations.

Answer 141

Compliance Manager Compliance Manager in the navigation pane of the Microsoft Purview compliance portal gives you access to a detailed breakdown of your compliance score. Reports in the navigation pane does not direct you to the information you want. Reports lets you view information about label usage and retention, Data Loss Prevention (DLP) policies, shared files, and third-party apps in use. Policies in the navigation pane does not direct you to the information you want. Policies lets you create and manage policies used to govern data, managed devices, and receive compliance alerts. It also links you to your DLP and retention policies. Home in the navigation pane takes you to the Microsoft Purview compliance portal main page. This gives you access to a summary compliance score but it does not give you access to a detailed breakdown.

Answer 142

Solution catalog card Within the Microsoft Purview compliance portal, the Solution catalog card provides links to collections of integrated solutions to help you manage end-to-end compliance scenarios. The following solution areas are included: Information protection & governance, Privacy, Insider risk management and Discovery & respond. Within the Microsoft Purview compliance portal, the Compliance Manager card links you to the Compliance Manager solution. Compliance Manager helps to simplify the way you manage compliance. Within the Microsoft Purview compliance portal, the Active alerts card includes a synopsis of the most effective alerts and a link where admins can view more detailed communication, such as alert difficulty, level, category, and more.

Answer 143

B. Data, particularly personal data, is subject to the laws and regulations of the country/region in which it's physically collected, held, or processed. Data sovereignty is the concept that data, particularly personal data, is subject to the laws and regulations of the country/region in which it's physically collected, held, or processed.

Answer 144

C. Encryption at rest. Encryption at rest could be part of a security strategy to protect stored employee data.

Answer 145

B. Multifactor authentication for all users. Multifactor authentication is an example of defence in-depth at the identity and access layer.

Answer 146

A. The organization. In the shared responsibility model, the customer organization always has responsibility for their data, including information and data relating to employees, devices, and accounts and identities.

Answer 147

A. Verifying that a user or device is who they say they are. Authentication is the process of verifying that a user or device is who they say they are.

Answer 148

C. Trust relationship. Federated services use a trust relationship to allow access to resources.

Answer 149

B. The user signs in once and can then access many applications or resources. With single sign-on, a user signs in once and can then access a number of applications or resources.

Answer 150

B. Managed identity Managed identities are a type of service principal that are automatically managed in Azure AD and eliminate the need for developers to manage credentials.

Answer 151

B. These devices are set up as Azure AD joined. An Azure AD joined device is a device joined to Azure AD through an organizational account, which is then used to sign in to the device. Azure AD joined devices are generally owned by the organization.

Answer 152

B. Azure AD B2C Azure AD B2C is an authentication solution for customers that you can customize with your brand identity.

Answer 153

A. Self-service password reset. Self-service password reset allows users to change or reset their own passwords, thereby reducing the cost of providing administrators and help desk personnel.

Answer 154

A. Microsoft Authenticator app, SMS, Voice call, FIDO2, and Windows Hello for Business These are all valid forms of verification with multi-factor authentication.

Answer 155

A. Multi-factor authentication. Multi-factor authentication dramatically improves the security of an identity.

Answer 156

A. Create policies that enforce organizational rules. Conditional Access is implemented using policies that enforce organizational rules.

Answer 157

B. The probability that the authentication request isn't authorized by the identity owner. Sign-in risk is the real-time calculation that a given authentication request isn't authorized by the identity owner.

Answer 158

C. Replace global admin roles with specific Azure AD roles. By following the least privilege security model and assigning specific admin roles, such as billing administrator or user administrator, to more users, instead of global admin roles, organizational security is improved.

Answer 159

B. Azure AD Terms of Use. Azure AD Terms of Use presents information to users before they access data and can be configured to require users to accept the terms of use.

Answer 160

C. Entitlement management. Entitlement management is well suited to handling project-based access needs. Entitlement management automates access requests, access assignments, reviews, and expiration for bundles of resources relevant to a project.

Answer 161

B. Privileged Identity Management. Privileged Identity Management mitigates the risks of excessive, unnecessary, or misused access permissions.

Answer 162

A. Identity Protection. Identity Protection is a tool that allows organizations to utilize security signals to identify potential threats.

Answer 163

B. Create a new network security rule that allows RDP traffic and that has a higher priority than the default rule. You can create a new rule to allow RDP that has a higher priority than the default rule

Answer 164

B. DDoS Network Protection. DDoS Network Protection provides the default DDoS infrastructure-level protection plus advanced capabilities, including logging, alerting, and telemetry.

Answer 165

A. Azure Bastion is deployed per virtual network, with support for virtual network peering. Azure Bastion deployment is per virtual network with support for virtual network peering, not per subscription/account or virtual machine.

Answer 166

C. Azure Key Vault. Azure Key Vault is a centralized cloud service that that can be used for secrets management, key management, and certificate management.

Answer 167

A. Cloud security posture management (CSPM). The CSPM pillar of Microsoft Defender for Cloud provides visibility and to help you understand your current security situation and provides hardening recommendations.

Answer 168

B. The enhanced functionality that is provided through the Microsoft Defender plans and is part of the CWP pillar of Microsoft Defender for Cloud. Microsoft Defender plans provide enhanced security features for your workloads, including vulnerability scanning.

Answer 169

A. Security baselines for Azure apply guidance from the Microsoft cloud security benchmark (or previous benchmarks) to the specific service for which it's defined and provide organizations a consistent experience when securing their environment. Security baselines for Azure apply guidance from the Microsoft cloud security benchmark (or previous benchmarks) to the specific service for which it's defined and provide organizations a consistent experience when securing their environment.

Answer 170

B. Collect, Detect, Investigate, and Respond. A SIEM/SOAR solution uses collect, detect, investigate, and respond to identify and protect your organization's network perimeter.

Answer 171

A. Azure Monitor Workbooks. Using the Microsoft Sentinel integration with Azure Monitor Workbooks allows you to monitor data and provides versatility in creating custom workbooks.

Answer 172

A. Microsoft Defender for Office 365. Microsoft Defender for Office 365 safeguards against malicious threats posed by email messages, links (URLs), and collaboration tools, including Microsoft Teams, SharePoint Online, OneDrive for Business, and other Office clients.

Answer 173

C. Data Security. Through the Data Security pillar, an admin can identify and control sensitive information and respond to classification labels on content.

Answer 174

B. Microsoft Defender for Identity Microsoft Defender for Identity is a cloud-based security solution that identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Answer 175

B. Secure Score. Secure Score, in the Microsoft 365 Defender portal, will give a snapshot of an organization’s security posture, and provide details on how to improve it.

Answer 176

A. Save the documents to your My Library. Saving the document to the My Library section of the Service Trust Portal, will ensure you have the latest updates.

Answer 177

A. Customer control, transparency, and security. The foundation of Microsoft's approach to privacy is built on the following six principles: *customer control *transparency *security *strong legal protections for privacy *no content-based targeting *benefits to customers from any data we collect.

Answer 178

A. Compliance Administrator role This is one of the multiple roles you can use to access the compliance portal

Answer 179

C. Controls that both your organization and Microsoft share responsibility for implementing. Both your organization and Microsoft work together to implement these controls.

Answer 180

A. Compliance Manager is an end-to-end solution, in the Microsoft Purview compliance portal, to enable admins to manage and track compliance activities. Compliance score is a calculation of the overall compliance posture across the organization. Compliance Manager provides admins with the capabilities to understand and improve their compliance score so that they can ultimately improve the organization’s compliance posture and help it to stay in line with its compliance requirements.

Answer 181

C. Govern your data Capabilities like retention policies, retention labels, and records management enable organizations to govern their data.

Answer 182

C. Use sensitive information types Microsoft provides built-in sensitive information types that you can use to identify data such as credit card numbers.

Answer 183

B. Use sensitivity labels Sensitivity labels help ensure that emails can only be decrypted only by users authorized by the label's encryption settings.

Answer 184

A. Use data loss prevention policies With data loss prevention policies, administrators can now define policies that can prevent users from sharing sensitive information in a Microsoft Teams chat session or Teams channel, whether this information is in a message, or in a file.

Answer 185

C. Use retention policies You can use retention policies to define data retention for all documents in a SharePoint site.

Answer 186

A. To identify and protect against risks like an employee sharing confidential information. Use risk management to help protect your organization against these risks.

Answer 187

B. Use Microsoft Purview Communication Compliance. Microsoft Purview Communication Compliance helps minimize communication risks by enabling you to detect, capture, and take remediation actions for inappropriate messages in the organization.

Answer 188

C. Use Microsoft Purview Information Barriers. With Microsoft Purview Information Barriers, you're able to restrict communications among specific groups of users when necessary.

Answer 189

A. Add them as a member of the eDiscovery Manager role group. Members of this role group can create and manage eDiscovery cases. They can also add and remove members, place an eDiscovery hold on users, create and edit searches, and export content from an eDiscovery case.

Answer 190

C. eDiscovery (Premium). The eDiscovery (Premium) solution allows you to collect and copy data into review sets, where you can filter, search, and tag content so you can identify and focus on content that's most relevant.

Answer 191

A. Audit (Premium). Audit (Premium) helps organizations to conduct forensic and compliance investigations by providing access to these crucial events.

Answer 192

C) Azure Blueprints Blueprint will enable your development teams to define a repeatable set of Azure resources, and achieve shorter development times and faster delivery.

Answer 193

B) Use Azure Policy. Azure Policy is used to ensure that your Azure resources comply with your organization's business rules.

Answer 194

B) Data Map. Microsoft Purview Data Map is able to capture metadata about enterprise data, to identify and classify sensitive data.

Answer 195

resource layer attacks, protocol attacks, and volumetric attacks Resource layer attacks, protocol attacks, and volumetric attacks are the most common DDoS attacks. Password sprays and MITM attacks are not DDoS attacks.

Answer 196

Azure Firewall Azure Firewall provides all these capabilities. DDoS protection does not provide filtering. Azure WAF does not provide network filtering, just application-level filtering. Bastion does not provide filtering.

Answer 197

Azure Web Application Firewall (WAF) Azure WAF provides all these capabilities. DDoS protection does not provide filtering. Azure Firewall does not provide SSL termination. Bastion does not provide filtering.

Answer 198

virtual networks Virtual networks are the core component for network segmentation. Firewalls can be used to control access between networks. Bastion hosts provide RDP and SSH access to virtual machines through a web portal. Security groups group users together to simplify assigning access to resources.

Answer 199

Provide network layer traffic filtering to limit traffic to resources within virtual networks in each subscription. NSGs provide distributed network layer traffic filtering to limit traffic to resources within virtual networks in each subscription.

Answer 200

Azure Bastion Bastion is a service that lets you connect to virtual machines by using a browser and the Azure portal. The Bastion service is a fully platform-managed platform as a service (PaaS) service that you provision on a virtual network.

Answer 201

The AllowVNetInBound rule is processed first. The AllowAzureLoadBalancerInBound rule is processed second. The last rule that will be processed in the NSG, is the DenyAllInBound rule. The lowest priority value always has the priority.

Answer 202

Microsoft Defender for Cloud Defender for Cloud gives you the ability to connect and secure resources hosted in AWS and GCP.

Answer 203

endpoint detection and response (EDR) vulnerability scanning for SQL resources EDR and vulnerability scanning for SQL is part of Defender for Cloud enhanced security. SIEM coloration is part of Microsoft Sentinel and Security Benchmark Recommendation is part of Azure Security Benchmark. Enhanced security features: Comprehensive endpoint detection and response - Microsoft Defender for servers includes Microsoft Defender for Endpoint for comprehensive endpoint detection and response (EDR). Vulnerability scanning for virtual machines, container registries, and SQL resources - Easily deploy a scanner to all of your virtual machines. View, investigate, and remediate the findings directly within Microsoft Defender for Cloud. Multicloud security - Connect your accounts from Amazon Web Services (AWS) and Google Cloud Platform (GCP) to protect resources and workloads on those platforms with a range of Microsoft Defender for Cloud security features. Hybrid security – Get a unified view of security across all of your on-premises and cloud workloads. Apply security policies and continuously assess the security of your hybrid cloud workloads to ensure compliance with security standards. Collect, search, and analyse security data from multiple sources, including firewalls and other partner solutions. Threat protection alerts - Monitor networks, machines, and cloud services for incoming attacks and post-breach activity. Streamline investigation with interactive tools and contextual threat intelligence. Track compliance with a range of standards - Microsoft Defender for Cloud continuously assesses your hybrid cloud environment to analyse the risk factors according to the controls and best practices in Azure Security Benchmark. When you enable the enhanced security features, you can apply a range of other industry standards, regulatory standards, and benchmarks according to your organization's needs. Add standards and track your compliance with them from the regulatory compliance dashboard. Access and application controls - Block malware and other unwanted applications by applying machine learning powered recommendations adapted to your specific workloads to create allow lists and blocklists. Reduce the network attack surface with just-in-time, controlled access to management ports on Azure VMs. Access and application controls drastically reduce exposure to brute force and other network attacks.

Answer 204

C. The Secure Score is a percentage based KPI that informs you of your environment's security posture. The higher your Secure Score is, the more secure your environment is. The Secure Score increases when you remediate recommendations and alerts. The closer your score is to 100 the more secure your environment is.

Answer 205

A. Defender for Cloud uses the Secure Score to inform you of the misconfigurations, threats, misuse and compliance violations across your multicloud infrastructure. Cloud Security Posture Management (CSPM) is a proactive system by which organizations can identify and remediate misconfigurations, threats, misuse and compliance violations across a multicloud infrastructure.

Answer 206

B. Defender for Cloud will use the Alerts page to inform the Casino about any known attacks. Alerts are generated through Defender for Cloud's enhanced security features on the Alerts page in Defender for Cloud. The Alerts page informs you via alerts, about possible cyberattacks or potential malicious actions taken against your resources.

Answer 207

A. Defender for Cloud has various plans that can protect databases. Defender for Cloud uses its various plans and functionality to protect the following types of databases: SQL DBs, SQL on machines, MariaDB, MySQL, PostGreSQL, Cosmos DB.

Answer 208

C. Defender for Cloud protects Azure, AWS, GCP and on-premises environments. Defender for Cloud uses both reactive and proactive measures that will protect Azure, AWS, GCP and on-premises environments.

Answer 209

security information and event management (SIEM) security orchestration automated response (SOAR) Microsoft Sentinel is a mix of SIEM and SOAR systems.

Answer 210

Microsoft Sentinel Aggregating security alerts into incidents and creating automated responses to security alerts can be completed by using Microsoft Sentinel. Microsoft for Cloud and Microsoft 365 Defender cannot help you manage cyber incidents unless it is connected to Microsoft Sentinel. Intune cannot help you manage cyber incidents.

Answer 211

alerts Microsoft Sentinel uses analytics to correlate alerts into incidents. Incidents are groups of related alerts that together create an actionable possible-threat that you can investigate and resolve.

Answer 212

App connectors Connectors retrieve data from apps and their activity logs. Policies detect risky behavior, violations, and suspicious data points. The Cloud apps catalog is used to sanction or unsanction apps. Cloud Discovery is used to identify cloud environments and apps used by an organization.

Answer 213

Azure AD & Microsoft Teams Microsoft Secure Score supports recommendations for Microsoft 365 (including Exchange Online), Azure AD, Microsoft Defender for Endpoint, Defender for Identity, Defender Cloud Apps, and Teams.

Answer 214

Microsoft Defender for Cloud Apps Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that supports various deployment modes including log collection, API connectors, and reverse proxy. It allows you to meet the compliance standards for GDPR and PCI.

Answer 215

security The security principle defines the use of encryption and key management. The control principle states that customers are in control of their data. The strong legal protection principle states that any request from legal authorities for access to customer data must go to the customer, not Microsoft. The transparency principle describes how Microsoft informs all parties of how data is used and accessed.

Answer 216

control, transparency, security, strong legal protections, no content-based targeting, and benefits to you Control, transparency, security, strong legal protections, no content-based targeting, and benefits to you are the Microsoft approach to privacy.

Answer 217

Global Administrator Compliance Administrator Compliance Data Administrator The compliance portal is available to customers with a Microsoft 365 SKU and one of the following roles: Global Administrator, Compliance Administrator, Compliance Data Administrator.

Answer 218

the Microsoft Purview compliance portal The Microsoft Purview compliance portal helps admins manage an organization’s compliance requirements with greater ease and convenience and can help reduce data risks. The Service Trust Portal only provides compliance practices via Compliance Manager. Defender for Cloud is a cloud workload protection solution. Intune helps organizations let their users use devices and applications.

Answer 219

Microsoft-managed controls Microsoft-managed controls are used to control Microsoft cloud services.

Answer 220

a sensitivity label and a sensitivity label policy A sensitivity label and a sensitivity label policy are needed to publish a label for users to use. The other options are for data loss prevention (DLP), not sensitivity labelling. DLP policies cannot encrypt data.

Answer 221

data loss prevention (DLP) policy A DLP policy is used to handle data loss. Sensitivity label policies are used to apply a label to a document. A retention policy is used to define how long a document is maintained. Azure Policy is used to determine how Azure services are configured.

Answer 222

classify, protect, and govern Information protection and data lifecycle management work together to classify, protect, and govern data. You cannot share data via Microsoft Purview.

Answer 223

Microsoft Purview Microsoft Purview is a unified data governance service that helps you manage and govern on-premises, multi-cloud, and software-as-a-service (SaaS) data. It can be used to set up a unified data governance service, enabling end-to-end data lineage.

Answer 224

information barrier policy DLP policies can prevent data loss, but only based on sensitivity labels, not based on which application (Teams) is used. Retention policies are used to specify how long files are kept. Azure policies are used to govern Azure resources, not files. Information barrier policies can be used to prevent users from sharing files and communicating in Teams.

Answer 225

Communication compliance Communication compliance allows you to detect and remediate inappropriate language. Information barriers can be used to disable certain interactions, but not based on language. Activity explorer can be used to view activities in Compliance Manager. Policy compliance lets you see which policies are in or out of compliance.

Answer 226

Audit (Premium) Audit (Premium) can be used to investigate possible security or compliance breaches and identify their scope based on records. Content search is used to search documents. eDiscovery (Standard) allows you to create cases and assign managers, not auditing. eDiscovery (Premium) allows you to assign custodians.

Answer 227

Azure Policy is designed to help enforce standards and assess compliance across an organization. Azure Policy is designed to help enforce standards and assess compliance across an organization. Azure Blueprints provide a way to define a repeatable set of Azure resources. Azure role-based access control (RBAC) manages who has access to Azure resources, what they can do with the resources, and which areas they can access. Microsoft Purview is designed to address the challenges associated with the rapid growth of data and help enterprises get the most value from their information assets.

Answer 228

operating system The customer must manage the operating system for virtual machines. The cloud provider manages the physical hosts, network, and data center.

Answer 229

verify explicitly The Zero Trust model has three guiding principles which are verify explicitly, least privilege access, and assume breach.

Answer 230

asymmetric encryption Asymmetric encryption uses a public key and private key pair. Either the public or private key can encrypt data, but either on their own cannot be used to decrypt encrypted data.

Answer 231

authorization Authorization is responsible for determining which level of access authenticated users have. Administration is responsible for managing user accounts. Authentication is responsible for identifying who a user is. Auditing is responsible for keeping track of how authentication, authorization, administration, and access to resources occurs.

Answer 232

Software as a service (SaaS) applications for business-critical workloads can be hosted outside of a corporate network. & Bring your own device (BYOD) can be used to complete corporate tasks. SaaS applications for business-critical workloads can be hosted outside of the corporate network and BYOD can be used to complete corporate tasks in the identity as the primary security perimeter model. The other options represent the traditional perimeter-based security model.

Answer 233

uses one credential to access multiple applications or resources SSO allows a user to sign in with a single credential and have access to multiple applications and resources. It does not ensure that a user will not have to sign in again. It leverages a centralized identity provider. It has nothing to do with password resets.

Answer 234

Federation enables access to services across organizations. Federation enables access to services across organizations. Identity providers can be on-premises, trust is not always bidirectional, and users do not need to maintain different usernames in other domains.

Answer 235

single sign on (SSO) for users Azure AD provides SSO. Azure AD provides federation. Azure AD is one perimeter of defense in depth. Azure AD does not provide file services. Azure AD does not provide the encryption of data in transit.

Answer 236

managed identity Managed identities are fully managed by Azure AD and can be used by Azure resources when accessing other Azure resources. Users need to manage passwords manually. Device is used for devices but cannot be used to access Azure resources. Service principal is used for apps, but not for Azure resources.

Answer 237

Azure AD Connect Azure AD Connect is designed to meet and accomplish hybrid identity goals. ADFS cannot be used for hybrid identity models. Microsoft Sentinel is not an identity product. PIM is used for managing and monitoring access to important resources.

Answer 238

OATH hardware tokens Initiative for Open Authentication (OATH) hardware tokens use time-based, one-time passwords. Password hash synchronization syncs hashes across Active Directory and Azure AD. Windows Hello uses a camera or passcode for authentication.

Answer 239

the Microsoft Authenticator app voice call The Microsoft Authenticator app and FIDO2 security key are available in Azure AD for MFA from any device. Face and fingerprint recognition are only available for Windows devices with Windows Hello.

Answer 240

Azure AD Password Protection Azure AD Password Protection provides protection from password spray.

Answer 241

using the Microsoft Authenticator app The Microsoft Authenticator app (phone sign in) is the strongest authentication method. Enforcing a password change or enforcing a complex password will not provide the greatest protection alone. Using soft tokens does not offer as strong a protection as Microsoft Authenticator.

Answer 242

Self-service password reset (SSPR) SSPR is a feature of Azure AD that allows users to change or reset their password without administrator or help desk involvement. Without enabling SSPR, Identity protection cannot provide the requested solution. Conditional Access brings signals together, to make decisions, and enforce organizational policies but not SSPR. Azure AD Password Protection reduces the risk when users set weak passwords.

Answer 243

user risk User risk can evaluate the likelihood that a user account was compromised. Sign-in risk can identify whether the sign-in attempt is considered risky, such as attempts to sign-in from compromised IP networks. Device state verifies the device platform. Locations are associated to specific IP networks.

Answer 244

roles Roles in Azure AD have permission to perform certain administrative tasks. You assign these roles to users.

Answer 245

group membership device platform Conditional Access signals include User or group membership, Named location information, Application, Real-time sign-in risk detection, Cloud apps or actions and User risk.

Answer 246

User Administrator User Administrator can manage both users and groups. Global Administrator can also manage users and groups, but the role has far too many privileges.

Answer 247

user risk User risk represents the probability that a given identity or account is compromised. User risk can be configured for high, medium, or low probability. Admins can set up this signal without interrupting user sign-ins.

Answer 248

Azure AD roles control access to resources such as users, groups, and applications. Azure roles control access to resources, such as virtual machines. Azure AD built-in and custom roles are a form of RBAC in that Azure AD roles control access to Azure AD resources. This is referred as Azure AD RBAC. In the same way that Azure AD roles can control access to Azure AD resources, so too can Azure roles control access to Azure resources. This is referred to as Azure RBAC. Although the concept of RBAC applies to both Azure AD RBAC and Azure RBAC, what they control is different.

Answer 249

password SMS-based authentication Passwords are the most common form of authentication and are supported in Azure AD. Text messaging can be used as a primary form of authentication. The Google Authenticator app can be used as a primary form of authentication to sign in to any Azure AD account. Calling the Microsoft Helpdesk is not a valid authentication method in Azure AD. Security questions are not used during sign in.

Answer 250

B. an identity provider Azure Active Directory (Azure AD) is an identity provider used for authentication and authorisation.

Answer 251

B. an identity provider

Answer 252

C. Azure Active Directory (Azure AD) Business 2 business Azure Active Directory (Azure AD) Business 2 business Enables collaborations with business partners from external organisations such as suppliers, partners and vendors , external users appear as guest users in the directory.

Answer 253

All Azure AD License editions include the same features [No] You can manager an Azure AD tenet by using the azure portal. [Yes] You must deploy azure virtual machines to host an Azure AD tenet. [No]

Answer 254

Azure ad connect can be used to implement hybrid identity. [Yes] Hybrid identities requires the implementation of two Microsoft 365 tenants. [No] Hybrid identities refers to the synchronisation of AD DS and Azure AD. [Yes]

Answer 255

You can create custom roles in Azure AD. [Yes] Global Administrator is a role in Azure AD. [Yes] An Azure AD user can be assigned only one role. [No]

Answer 256

Azure AD is deployed to an on-premises environment. [No] Azure AD is provided as part of a Microsoft 365 Subscription. [Yes] Azure AD is an identity and access management service. [Yes] Azure Identity is Cloud based.

Answer 257

Azure AD identity protection can add users to groups based on the users risk level. [No] Azure AD identity protection can detect whether user credentials were leaked to the public. [Yes] Azure AD identity protection can be used to invoke MFA based on a user's risk level. [Yes]

Answer 258

A. MFA Multi-factor authentication requires additional verification, such as a verification code sent to a mobile phone.

Answer 259

C. Which watermark to add to files After a sensitivity label is applied to an email, meeting invite, or document, any configured protection settings for that label are enforced on the content. You can configure a sensitivity label to: 1. Encrypt emails, meeting invites, and documents to prevent unauthorized people from accessing this data. You can additionally choose which users or group have permissions to perform which actions and for how long. For example, you can choose to allow all users in your organization to modify a document while a specific group in another organization can only view it. Alternatively, instead of administrator-defined permissions, you can allow your users to assign permissions to the content when they apply the label. 2. Mark the content when you use Office apps, by adding watermarks, headers, or footers to email, meeting invites, or documents that have the label applied. Watermarks can be applied to documents but not email or meeting invites. Example header and watermark:

Answer 260

A. Display policy tips to users who are about to violate your organisations polices C. Protect documents in Microsoft OneDrive that contains sensitive information. DLP policies are how you monitor the activities that users take on sensitive items at rest, sensitive items in transit, or sensitive items in use and take protective actions. For example, when a user attempts to take a prohibited action, like copying a sensitive item to an unapproved location or sharing medical information in an email or other conditions laid out in a policy, DLP can: show a pop-up policy tip to the user that warns them that they may be trying to share a sensitive item inappropriately block the sharing and, via a policy tip, allow the user to override the block and capture the users' justification block the sharing without the override option for data at rest, sensitive items can be locked and moved to a secure quarantine location for Teams chat, the sensitive information won't be displayed

Answer 261

B. Sensitivity Labels You can use sensitivity labels to: - Provide protection settings that include encryption and content markings. For example, apply a "Confidential" label to a document or email, and that label encrypts the content and applies a "Confidential" watermark. Content markings include headers and footers as well as watermarks, and encryption can also restrict what actions authorized people can take on the content.

Answer 262

B. to restrict Microsoft Teams chats between certain groups within an organization Information barriers are supported in Microsoft Teams, SharePoint Online, and OneDrive for Business. A compliance administrator or information barriers administrator can define policies to allow or prevent communications between groups of users in Microsoft Teams.

Answer 263

C. Content Search The Content Search tool in the Security & Compliance Centre can be used to quickly find email in Exchange mailboxes, documents in SharePoint sites and OneDrive locations, and instant messaging conversations in Skype for Business. The first step is to starting using the Content Search tool to choose content locations to search and configure a keyword query to search for specific items.

Answer 264

B. data loss prevention (DLP) policies Organizations have sensitive information under their control such as financial data, proprietary data, credit card numbers, health records, or social security numbers. To help protect this sensitive data and reduce risk, they need a way to prevent their users from inappropriately sharing it with people who shouldn't have it. This practice is called data loss prevention (DLP).

Answer 265

A. Microsoft Service Trust Portal The Microsoft Service Trust Portal provides a variety of content, tools, and other resources about how Microsoft cloud services protect your data, and how you can manage cloud data security and compliance for your organization.

Answer 266

D. sensitive data from being exposed to unauthorized users

Answer 267

B. The Microsoft 365 Compliance centre The Microsoft 365 Compliance centre provides a central location for managing information protection, information governance, and DLP polices.

Answer 268

B. Incidents You can use incidents in the Microsoft 365 Security centre to identity devices that are affected by an alert. An incidents is a collection of alerts.

Answer 269

D. Incidents You can use Incidents in the Microsoft 365 Security centre to view an aggregation of alerts that relate to the same attack.

Answer 270

With advanced audit in Microsoft 365, you can identify when email items were accessed. [Yes] Advanced audit in Microsoft 365 supports the same retention period of audits logs as core auditing. [No] Advanced audit in Microsoft 365 allocates customers-dedicated bandwidth for accessing audit data. [Yes]

Answer 271

Yes No Yes The MailItemsAccessed event is a mailbox auditing action and is triggered when mail data is accessed by mail protocols and mail clients. Basic Audit retains audit records for 90 days. Advanced Audit retains all Exchange, SharePoint, and Azure Active Directory audit records for one year. This is accomplished by a default audit log retention policy that retains any audit record that contains the value of Exchange, SharePoint, or AzureActiveDirectory for the Workload property (which indicates the service in which the activity occurred) for one year. Advanced Audit in Microsoft 365 provides high-bandwidth access to the Office 365 Management Activity API.

Answer 272

You can use advanced audit in Microsoft 365 to view billing details. [No] You can use advanced audit in Microsoft 365 to view the contents of an email message. [No] You can use advanced audit in Microsoft 365 to identify when a user uses the search bar in Outlook on the web to search for items in a mail box. [Yes]

Answer 273

C. Integration with Microsoft 365 defender Microsoft 365 Defender is an XDR solution that automatically collects, correlates, and analyses signal, threat, and alert data from across your Microsoft 365 environment.

Answer 274

C. Integration with Microsoft 365 defender Microsoft 365 Defender is an XDR solution that automatically collects, correlates, and analyses signal, threat, and alert data from across your Microsoft 365 environment.

Answer 275

C. Microsoft Defender for Identity Microsoft Defender for Identity is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Answer 276

C. On-premises active directory domain services Microsoft Defender for Identity is a cloud-based security solution that uses your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Answer 277

D. Microsoft Defender for cloud Microsoft defender for cloud can use conditional access policies to control sessions in real-time Conditional Access App Control enables user app access and sessions to be monitored and controlled in real time based on access and session policies. Access and session policies are used within the Defender for Cloud Apps portal to further refine filters and set actions to be taken on a user. With the access and session policies, you can:

Answer 278

YES TO ALL 1. Microsoft Defender for Cloud provides security alerts and advanced threat protection for virtual machines, SQL databases, containers, web applications, your network, your storage, and more 2. Cloud security posture management (CSPM) is available for free to all Azure users. 3. Azure Security Centre is a unified infrastructure security management system that strengthens the security posture of your data centres, and provides advanced threat protection across your hybrid workloads in the cloud - whether they're in Azure or not - as well as on premises.

Answer 279

Microsoft defender for endpoint can protect android devices. [Yes] Microsoft defender for endpoint can protect azure virtual machines that run windows 10. [Yes] Microsoft defender for endpoint can protect Microsoft SharePoint online sites and content from viruses. [No] No because - MS Defender for 365" is taking care of SharePoint Online

Answer 280

YES TO ALL Microsoft Secure Score in Microsoft 365 Security Centre, How it works: You're given points for the following actions: * Configuring recommended security features * Doing security-related tasks * Addressing the improvement action with a third-party application or software, or an alternate mitigation Key scenarios * Check your current score * Compare your score to organizations like yours * View improvement actions and decide an action plan * Initiate work flows to investigate or implement

Answer 281

B. Azure Blueprints Just as a blueprint allows an engineer or an architect to sketch a project's design parameters, Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements. Azure Blueprints makes it possible for development teams to rapidly build and start up new environments with trust they're building within organizational compliance with a set of built-in components, such as networking, to speed up development and delivery.

Answer 282

D. Azure Sentinel Azure Sentinel is a cloud native security information and event management and security orchestration automated response solution used to provide a single solution for alert detection, threat visibility. proactive hunting and threat response.

Answer 283

C. Playbooks. Playbooks are collections of procedures that can be run from Microsoft Sentinel in response to an alert or incident. A playbook can help automate and orchestrate your response, and can be set to run automatically when specific alerts or incidents are generated, by being attached to an analytics rule or an automation rule, respectively. It can also be run manually on-demand. playbooks -> automation using Logic App workbooks -> for visualization

Answer 284

B. Authenticated

Answer 285

B. Authorisation Authorisation is the process of identifying whether a signed-in user can access a specific resource.

Answer 286

D. Encrypting Encrypting a file makes the data in the file readable and usable to viewers that have the appropriate key.

Answer 287

C. MFA when you enable security defaults in Azure AD multi factor authentication will be enabled for all Azure AD users.

Answer 288

B. a trust relationship federation is used to establish a trust relationship between organisations.

Answer 289

B. is stored on a local device only With windows hello for business, a user's biometric data used for authentication is stored on a local device only.

Answer 290

Conditional access policies can use the device state as a signal. [Yes] Conditional access policies apply before first-factor authentication is complete. [No] Conditional access policies can trigger MFA if a user attempts to access a specific application. [Yes]

Answer 291

conditional access policies always enforce the use of multi-factor authentication (MFA). [No] conditional access policies can be used to block access to an application based on the location of the user. [Yes] conditional access policies only affect users who have Azure AD joined devices. [No] Conditional Access takes signals from various sources into account when making access decisions. These signals include: User or group membership Policies can be targeted to specific users and groups giving administrators fine-grained control over access. IP Location information Organizations can create trusted IP address ranges that can be used when making policy decisions. Administrators can specify entire countries/regions IP ranges to block or allow traffic from. Device Users with devices of specific platforms or marked with a specific state can be used when enforcing Conditional Access policies. Use filters for devices to target policies to specific devices like privileged access workstations. Application Users attempting to access specific applications can trigger different Conditional Access policies. Real-time and calculated risk detection Signals integration with Azure AD Identity Protection allows Conditional Access policies to identify and remediate risky users and sign-in behaviour. Microsoft Defender for Cloud Apps Enables user application access and sessions to be monitored and controlled in real time. This integration increases visibility and control over access to and activities done within your cloud environment.

Answer 292

Conditional access policies can be applied to Global administrators. [Yes] Conditional access policies are evaluated before a user is authenticated. [No] Conditional access policies can use a device platform, such as Android or iOS, as a signal. [Yes] Users with devices of specific platforms or marked with a specific state can be used when enforcing Conditional Access policies.

Answer 293

D. Azure AD PIM (Privilege identity management)

Answer 294

A. Microsoft Cloud Adoption Framework The Microsoft Cloud Adoption Framework for Azure is a full lifecycle framework that enables cloud architects, IT professionals, and business decision makers to achieve their cloud adoption goals.

Answer 295

B. Azure AD password protection

Answer 296

B. Govern D. Manage Phase order: Strategy Plan Ready Migrate Innovate Secure Manage Govern

Answer 297

C. the creation and management of user accounts

Answer 298

C. The Microsoft cloud adoption framework for Azure The Microsoft cloud adoption framework for Azure provide best practises for Microsoft employees, partners and customers, including tools and guidance to assists in an Azure deployment.

Answer 299

D. Microsoft Endpoint Manager admin centre Microsoft Intune is a cloud-based endpoint management solution. It manages user access and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints.

Answer 300

C. Service principle When you register an application with Azure Active Directory (Azure AD), it creates a service principal. A service principal represents the application's identity in Azure AD and allows the application to authenticate and access resources on behalf of itself or other users or services.

Answer 301

D. Virtual networks Azure DDoS protection helps to protect your network and resources from Distributed Denial of Service (DDoS) attacks. Azure DDoS protection identifies when attackers are trying to overwhelm a network and it blocks traffic from the attack.

Answer 302

YES TO ALL 1. A certificate is required that provides a private and a public key. 2. The public key is used to validate the private key that is associated with a digital signature. 3. The private key, or rather the password to the private key, validates the identity of the signer. Reference:

Answer 303

In software as a service (SaaS) applying application updates is the responsibility of the organisation. [No] In infrastructure as a service (IaaS), managing the physical network is the responsibility of the cloud provider [Yes] In all Azure cloud deployment types, managing the security of information and data is the responsibility of the organisation. [Yes] For all cloud deployment types, you own your data and identities. You are responsible for protecting the security of your data and identities, on-premises resources, and the cloud components you control (which varies by service type). Regardless of the type of deployment, the following responsibilities are always retained by you: - Data - Endpoints - Account - Access management

Answer 304

Microsoft Intune can be used to manage android devices. [Yes] Microsoft Intune can be used to provision Azure Subscriptions. [No] Microsoft Intune can be used to manage organisations-owned devices and personal devices. [Yes]

Answer 305

YES TO ALL Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal, or via the native SSH or RDP client already installed on your local computer. The Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS. When you connect via Azure Bastion, your virtual machines don't need a public IP address, agent, or special client software. Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network in which it is provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH.

Answer 306

Azure policies supports automatic remediation. [Yes] Azure policy can be used to ensure that new resources adhere to corporate standards. [Yes] Compliance evaluation in Azure policy occurs only when a target resource is created or modified. [No] Understand evaluation outcomes Resources are evaluated at specific times during the resource lifecycle, the policy assignment lifecycle, and for regular ongoing compliance evaluation. The following are the times or events that cause a resource to be evaluated: A resource is created, updated, or deleted in a scope with a policy assignment. A policy or initiative is newly assigned to a scope. A policy or initiative already assigned to a scope is updated. During the standard compliance evaluation cycle, which occurs once every 24 hours.

Answer 307

You can add a resource lock to an Azure subscription. [Yes] You can add only one resource lock to an Azure resource. [No] You can delete a resource group containing resources that have resource locks. [No] You can add more than one resource lock to an Azure resource. According to the Microsoft Learn article1, “You can set locks that prevent either deletions or modifications. In the portal, these locks are called Delete and Read-only. In the command line, these locks are called CanNotDelete and ReadOnly.” Therefore, you can apply both a Delete and a Read-only lock to a resource if you want to prevent any changes to it. You cannot delete a resource group containing resources that have resource locks. According to the Microsoft Learn article1, “If you have a Delete lock on a resource and attempt to delete its resource group, the feature blocks the whole delete operation. Even if the resource group or other resources in the resource group are unlocked, the deletion doesn’t happen. You never have a partial deletion.”

Answer 308

Control is a key privacy principle of Microsoft. [Yes] Transparency is a key privacy principle of Microsoft. [Yes] Shared responsibility is a key privacy principle of Microsoft. [No] The Six privacy principles are: Control: We will put you in control of your privacy with easy-to-use tools and clear choices. Transparency: We will be transparent about data collection and use so you can make informed decisions. Security: We will protect the data you entrust to us through strong security and encryption. Strong legal protections: We will respect your local privacy laws and fight for legal protection of your privacy as a fundamental human right. No content-based targeting: We will not use your email, chat, files or other personal content to target ads to you. Benefits to you: When we do collect data, we will use it to benefit you and to make your experiences better.

Answer 309

A. Verify explicitly B. Assume breach Zero Trust principles: Verify explicitly Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies. Use least-privilege access Limit user access with just-in-time and just-enough access (JIT/JEA), risk-based adaptive polices, and data protection to help secure both data and productivity. Assume breach Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defences.

Answer 310

1. an attack that tries many passwords against one or more accounts, sometimes using dictionaries of commonly used passwords - Brute force attacks 2. an attack which attempts to match a username against a list of weak passwords - Spray Attacks 3. an attack which is received in the form of an email that appears to come from a reputable source - Phishing 4. a highly targeted form of email attack which can be used to create highly credible emails - Spear phishing

Answer 311

1. These devices are owned by an organization and are signed in with an Active Directory Domain Service account belonging to that organization. They exist in the cloud and on-premises. - C. Hybrid Azure AD joined devices 2. These devices are typically personally owned, rather than by the organization. They are signed in with a personal Microsoft account or another local account. - A. Azure AD registered devices 3. These devices exist only in the cloud and are owned by an organization. They are signed in with an organization Azure AD account. - B. Azure AD joined devices Azure AD registered devices can be Windows 10, iOS, Android, or macOS devices. Devices that are Azure AD registered are typically owned personally, rather than by the organization. They are signed in with a personal Microsoft account or another local account. Azure AD joined devices exist only in the cloud. Azure AD joined devices are owned by an organization and signed in with an organization Azure AD account. Users sign into their devices with their Azure AD or synced Active Directory work or school accounts. You can configure Azure AD joined devices for all Windows 10 devices. (except Windows 10 Home). Hybrid Azure AD joined devices can be Windows 7, 8.1, or 10 or Windows Server 2008 or newer. Devices that are hybrid Azure AD joined are owned by an organization and are signed in with an Active Directory Domain Services account belonging to that organization. They exist in the cloud and on-premises.

Answer 312

B. Pass-through authentication Pass-through authentication (PTA). Provides a simple password validation for Azure AD authentication services by using a software agent that runs on one or more on-premises servers. The servers validate the users directly with an on-premises Active Directory, which ensures that the password validation does not happen in the cloud.

Answer 313

C. Windows Hello is a secure feature that uses PINs and bio-metric data to authenticate users. Windows Hello, an authentication feature built into Windows 10, replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a bio-metric or PIN.

Answer 314

B. The probability that the authentication request is not authorized by the identity owner. Sign-in risk is the real-time calculation that a given authentication request was made by the specific user’s identity. Real-time sign-in risk detection- Signals integration with Azure AD Identity Protection allows Conditional Access policies to identify risky sign-in behaviour. Policies can then force users to perform password changes or multifactor authentication to reduce their risk level or be blocked from access until an administrator takes manual action. Sign-in risk is independent of device, access rights and only works on signals like: Anonymous IP address, Atypical travel, Anomalous Token, Token Issuer Anomaly, Malware linked IP address, Suspicious browser, Unfamiliar sign-in properties, Admin confirmed user compromised, Malicious IP address, Suspicious inbox manipulation rules, Password spray, Impossible travel, New country, Activity from anonymous IP address, Suspicious inbox forwarding, Azure AD threat intelligence.

Answer 315

A. Terms of use B. Conditional Access Policy Conditional Access policies are used to require a terms of use statement being displayed and ensuring the user has agreed to those terms before accessing an application. Admins can then view who has agreed to terms of use, and who has declined. Azure AD terms of use allow information to be presented to users before they access data or an application. Terms of use ensure users read relevant disclaimers for legal or compliance requirements.

Answer 316

B. Azure AD privileged Identity Management (PIM) C. Azure AD privileged Access Management (PAM) Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about. Privileged Access Management (PAM) is a solution that helps organizations restrict privileged access within an existing and isolated Active Directory environment. PAM adds auditing, alerts, and reports of privileged access requests. You can review the history of privileged access and see who performed an activity. You can decide whether the activity is valid or not and easily identify unauthorized activity, such as an attempt to add a user directly to a privileged group in the original forest. This step is important not only to identify malicious software but also for tracking "inside" attackers.

Answer 317

C. Network Security Groups Network Security Group -Network security groups (NSGs) let you allow or deny network traffic to and from Azure resources that exist in your Azure virtual network, for example, a virtual machine. When you create an NSG, it can be associated with multiple subnets or network interfaces in your VNet. An NSG consists of rules that define how the traffic is filtered.

Answer 318

A. Azure Bastion Service Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal. This article shows you how to securely and seamlessly SSH to your Linux VMs in an Azure virtual network. You can connect to a VM directly from the Azure portal. When using Azure Bastion, VMs don’t require a client, agent, or additional software

Answer 319

B. Microsoft Defender for Cloud Microsoft Defender for Cloud is a tool for security posture management and threat protection. It strengthens the security posture of your cloud resources, and with its integrated Microsoft Defender plans, Defender for Cloud protects workloads running in Azure, hybrid, and other cloud platforms. Defender for Cloud provides the tools needed to harden your resources, track your security posture, protect against cyberattacks, and streamline security management. Because it's natively integrated, deployment of Defender for Cloud is easy, providing you with simple auto provisioning to secure your resources by default.

Answer 320

D. Sentinel Azure Sentinel – Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution.

Answer 321

A. Threat Trackers B. Automated Investigation and response E. Attack Simulator Microsoft Defender for Office 365 Plan 2 includes all the core features of Plan 1, and provides automation, investigation, remediation, and simulation tools to help protect your Office 365 suite: * Threat Trackers: Provide the latest intelligence on prevailing cybersecurity issues and allow an organization to take countermeasures before there's an actual threat. * Threat Explorer: A real-time report that allows you to identify and analyse recent threats. * Automated investigation and response (AIR): Includes a set of security playbooks that can be launched automatically, such as when an alert is triggered, or manually. A security playbook can start an automated investigation, provide detailed results, and recommend actions that the security team can approve or reject. * Attack Simulator: Allows you to run realistic attack scenarios in your organization to identify vulnerabilities

Answer 322

B. Secure Score Microsoft Secure Score, one of the tools in the Microsoft 365 Defender portal, is a representation of a company's security posture. The higher the score, the better your protection. Secure Score helps organizations: * Report on the current state of their security posture. * Improve their security posture by providing discoverability, visibility, guidance, and control. * Compare benchmarks and establish key performance indicators (KPIs).

Answer 323

C. Windows devices Security baseline settings are used only on devices running Windows 10 version 1809 or later.

Answer 324

A. Azure AD B2C Azure AD B2C authentication feature allows users to be able to sign in with their Facebook, Google, or Twitter credentials.

Answer 325

C. Defender for Identity Microsoft Defender for Identity security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.

Answer 326

B. Password hash synchronization Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity. Azure AD Connect synchronizes a hash, of the hash, of a user’s password from an on-premises Active Directory instance to a cloud-based Azure AD instance.

Answer 327

A. Self- Service password reset. With SSPR (Self-service password reset) users would have the ability to reset their account passwords without getting in touch with the IT team by using methods such as phone numbers, security questions,

Answer 328

B. Windows Hello Windows Hello for Business is more secure because it uses PINs and biometric data to authenticate

Answer 329

A. Save the documents to your My Library. Save the documents to My Library: Allows you to add documents and resources that are relevant to your organization, everything is in one place. You can also opt to have email notifications sent when a document is updated, as well as the frequency you receive notifications.

Answer 330

A. Use data loss prevention policies With data loss prevention policies, administrators can now define policies that can prevent users from sharing sensitive information in a Microsoft Teams chat session or Teams channel, whether this information is in a message, or in a file. Records Management or Retention policies/AIP will not let you do this.

Answer 331

D. privileged access management You can use privileged access management to require users to request just-in-time access to complete certain tasks. Privileged access management allows granular access control over privileged admin tasks in Microsoft 365. It can help protect organizations from breaches that use existing privileged admin accounts with standing access to sensitive data, or access to critical configuration settings.

Answer 332

B. Add custodians to a case, search custodial sources for relevant data, add data to a review set, review and analyse data, then finally export, and download the case data. eDiscovery Workflow 1. Add Custodians 2. search custodial sources for relevant data 3. add data to a review set 4. review and analyse data 5. export and download the case data.

Answer 333

1. manages who has access to Azure resources, what they can do with those resources, and what areas they can access. - D. Azure Role-based access control 2. enforces standards and assess compliance across your organization. - C. Azure Policy 3. rapidly provisions and runs new environments with the knowledge that they are in line with the organization’s compliance requirements. - B. Azure Blueprints 4. prevents resources from being accidentally deleted or changed - A. Azure Resource Locks Resource locks can be used to prevent resources from being accidentally deleted or changed. Even with role-based access control policies in place there is still a risk that people with the right level of access could delete a critical resource. Azure Resource Manager locks prevent users from accidentally deleting or modifying a critical resource, and can be applied to a subscription, a resource group, or a resource Azure Blueprints provide a way to define a repeatable set of Azure resources. Azure Blueprints enable development teams to rapidly provision and run new environments, with the knowledge that they're in line with the organization’s compliance requirements. Teams can also provide Azure resources across several subscriptions simultaneously, meaning they can achieve shorter development times and quicker delivery. Azure Policy is designed to help enforce standards and assess compliance across your organization. Through its compliance dashboard, you can access an aggregated view to help evaluate the overall state of the environment. You can drill down to a per resource, or per-policy level granularity. You can also use capabilities like bulk remediation for existing resources and automatic remediation for new resources, to resolve issues rapidly and effectively Azure RBAC manages who has access to Azure resources, what they can do with those resources, and what areas they can access. If actions need to be controlled, then you would use Azure RBAC.

Answer 334

B. Retention policies To assign your retention settings to content, use retention policies and retention labels with label policies. You can use just one of these methods or combine them. Use a retention policy to assign the same retention settings for content at a site or mailbox level and use a retention label to assign retention settings at an item level (folder, document, email).

Answer 335

B. Network map. The network map provides a map of the topology of your network workloads, which lets you block unwanted connections. The interactive network map provides a graphical view with security overlays giving you recommendations and insights for hardening your network resources.

Answer 336

B. Azure Key Vault Azure Key Vault is a cloud service that provides a secure store for secrets. You can securely store keys, passwords, certificates, and other secrets. Azure key vaults may be created and managed through the Azure portal.

Answer 337

D. Create policies that enforce organizational rules. Conditional access is implemented using policies that enforce organizational rules.

Answer 338

C. Phishing A phishing attack is when a hacker sends an email that appears to come from a reputable source. The email contains a credible story, such as a security breach, instructing the user to sign in and change their password. Instead of going to a legitimate website, the user is directed to the scammer’s website where they enter their username and password. The hacker has now captured the user’s identity and password.

Answer 339

A. Create an eDiscovery hold. Create an eDiscovery hold. The first step after creating a case is placing a hold (also called an eDiscovery hold) on the content locations of the people of interest in your investigation.

Answer 340

C. eDiscovery The eDiscovery (Premium) tool builds on the existing case management, preservation, search, and export capabilities in eDiscovery (Standard). eDiscovery (Premium) provides an end-to-end workflow to identify, preserve, collect, review, analyse, and export content that's responsive to your organization's internal and external investigations."

Answer 341

A. Customer Lockbox Customer Lockbox supports requests to access data in Exchange Online, SharePoint Online, and OneDrive when Microsoft engineers need to access customer content to determine root cause and fix an issue. Customer Lockbox requires the engineer to request access from the customer as a final step in the approval workflow.

Answer 342

A. Continually compliance manager assesses compliance data continually for an organization.

Answer 343

D. Security baseline for Azure Security baselines for Azure help you strengthen security through improved tooling, tracking, and security features. They also provide you a consistent experience when securing your environment.

Answer 344

Azure Firewall - Provides network address Translation (NAT) Services. Azure Bastion - Provides secure and seamless remote Desktop connectivity to Azure virtual machines. Network Security Groups - Provides traffic filtering that can be applied to specific network interfaces on a virtual machines. Azure Firewall provide Source Network Address Translation and Destination Network Address Translation. Azure Bastion provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS. You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network.

Answer 345

YES TO ALL You can configure a sensitivity label to: Encrypt emails, meeting invites, and documents to prevent unauthorized people from accessing this data. You can additionally choose which users or group have permissions to perform which actions and for how long. For example, you can choose to allow all users in your organization to modify a document while a specific group in another organization can only view it. Alternatively, instead of administrator-defined permissions, you can allow your users to assign permissions to the content when they apply the label. Mark the content when you use Office apps, by adding watermarks, headers, or footers to email, meeting invites, or documents that have the label applied. Watermarks can be applied to documents but not email or meeting invites. Example header and watermark:

Answer 346

Compliance Manager tracks only customer-managed controls. [No] Compliance Manager provides predefined templates for creating assessments. [Yes] Compliance Manager can help you access whether data adheres to specific data protection standards. [Yes]

Answer 347

Users can apply sensitivity labels manually. [Yes Multiple sensitivity labels can be applied to the same file. [No] A sensitivity label can apply a watermark to a Microsoft word document. [Yes]

Answer 348

YES TO ALL Network security groups (NSGs) can deny inbound traffic from the internet. [Yes] Network security groups (NSGs) can deny outbound traffic from the internet. [Yes] Network security groups (NSGs) can filter traffic based on IP address, protocol, and port. [Yes] A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

Answer 349

YES TO ALL Applying system updates increases an organisation's secure score in Azure security centre. [Yes] The secure score in Azure security centre can evaluate resource across multiple azure subscriptions. [Yes] Enabling MFA increases an organisation's secure score in Azure Security centre. [Yes]

Answer 350

Verify explicitly is one of the guiding principles of zero trust. [Yes] Assume breach is one of the guiding principles of zero trust. [Yes] The zero trust security model assumes that a firewall secures the internal network from external threats. [No]

Answer 351

Service Principle A service principal is, essentially, an identity for an application. For an application to delegate its identity and access functions to Azure AD, the application must first be registered with Azure AD to enable its integration. Once registered, a service principal is created in each Azure AD tenant where the application is used.

Answer 352

email & security questions Email and security questions are two authentication methods that are available for SSPR in Azure AD.

Answer 353

Enable SSPR for the user. Assign an Azure AD license. Register an authentication method. To use SSPR, users must be assigned an Azure AD license that is enabled for SSPR by an administrator and registered with the authentication methods they want to use. Two or more authentication methods are recommended in case one is unavailable.

Answer 354

dynamic groups Dynamic groups have their membership determined automatically based on use attributes, such as city. No roles in Azure AD have dynamic membership. PIM allows you to force authentication based on rights.

Answer 355

Provide network layer traffic filtering to limit traffic to resources within virtual networks in each subscription. NSGs provide distributed network layer traffic filtering to limit traffic to resources within virtual networks in each subscription.

Answer 356

issue mitigation action-driven workflows Action-driven workflows and issue mitigation are done by SOAR systems.

Answer 357

the Microsoft Service Trust Portal The Service Trust Portal is where you can find information, tools, and resources on security and privacy. The Azure portal is used to manage Azure resources. The Microsoft 365 Defender portal is where you manage Microsoft Defender.

Answer 358

an organization’s progress toward implementing controls The compliance score in Compliance Manager measures an organization’s progress toward implementing controls.

Answer 359

Azure AD Premium P2 Azure AD Premium P2 is the only edition that provides PIM support.

Answer 360

Azure App Service Azure Storage Defender for Cloud has the following Defender plans: Microsoft Defender for Servers Microsoft Defender for Storage Microsoft Defender for SQL Microsoft Defender for Containers Microsoft Defender for App Service Microsoft Defender for Key Vault Microsoft Defender for Resource Manager Microsoft Defender for DNS Microsoft Defender for open-source relational database Microsoft Defender for Azure Cosmos DB

Answer 361

National Institute of Standards and Technology (NIST) Centre for Internet Security (CIS) CIS is the main industry standard used. NIST is another standard used in ASB. FIPS 140 is a standard for hardware security modules. OWASP is a Web Application Firewall (WAF) standard.

Answer 362

the Microsoft Purview compliance portal The Microsoft Purview compliance portal helps admins manage an organization’s compliance requirements with greater ease and convenience and can help reduce data risks. The Service Trust Portal only provides compliance practices via Compliance Manager. Defender for Cloud is a cloud workload protection solution. Intune helps organizations let their users use devices and applications.

Answer 363

Microsoft Purview Microsoft Purview is a unified data governance service that helps you manage and govern on-premises, multi-cloud, and software-as-a-service (SaaS) data. It can be used to set up a unified data governance service, enabling end-to-end data lineage.

Answer 364

Azure AD Premium P1 Both Azure AD Premium P1 and P2 allow external users, but Azure AD Premium P1 is the minimum edition that allows this. Free and Office 365 apps do not provide external access.

Answer 365

collection of data from IT estate correlation of data The collection of data from IT estate and the correlation of data are part of a SIEM system.

Answer 366

issue mitigation action-driven workflows Action-driven workflows and issue mitigation are done by SOAR systems.

Answer 367

Azure AD Microsoft Teams Microsoft Secure Score supports recommendations for Microsoft 365 (including Exchange Online), Azure AD, Microsoft Defender for Endpoint, Defender for Identity, Defender Cloud Apps, and Teams.

Answer 368

information barrier policy Information barrier policies can be used to prevent users from sharing files and communicating in Teams. DLP policies can prevent data loss, but only based on sensitivity labels, not based on which application (Teams) is used. Retention policies are used to specify how long files are kept. Azure policies are used to govern Azure resources, not files.

Answer 369

Azure AD Privileged Identity Management (PIM) role-based access control (RBAC) Azure AD Identity Protection Azure AD Identity Protection is a tool that allows organizations to utilize security signals to identify potential threats. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. RBAC in Azure AD roles control access to Azure AD resources.

Answer 370

attack surface reduction (ASR) ASR handles access to malicious endpoints. AIR uses playbooks to analyze alerts and take action. Microsoft threat experts handle the SOCs of Microsoft. Threat and vulnerability management scans for vulnerabilities and misconfiguration.

Answer 371

visibility, compliance, data security, and threat protection Visibility, compliance, data security, and threat protection are the four pillars of a CASB.

Answer 372

the Microsoft Purview compliance portal Scanned source content that is stored in different locations, such as Exchange, SharePoint, and OneDrive can be accessed and reviewed by using the Compliance Manager.

Answer 373

Microsoft Purview eDiscovery eDiscovery is the process of identifying and delivering electronic information that can be used as evidence in legal cases. It can help you to identify documents that are needed for a compliance audit.

Answer 374

Microsoft-managed controls, shared controls, and customer-managed controls Compliance Manager uses Microsoft-managed controls, shared controls, as well as customer controls. It does not use third-party controls or government controls.

Answer 375

Azure AD Premium P2 Azure AD Premium P2 allows the use of entitlement management, which enables access packages.

Answer 376

something the claimant has something the claimant knows something the claimant is Azure AD MFA works by requiring something you know (such as a password), and something you have (such as a phone), or something you are (biometrics).

Answer 377

b) Identities c) Apps

Answer 378

A. automated investigation and remediation D. attack surface reduction Microsoft Defender for Endpoint is a comprehensive security solution that provides advanced threat protection and endpoint security capabilities. The two capabilities of Microsoft Defender for Endpoint are: A. Automated investigation and remediation: Microsoft Defender for Endpoint uses artificial intelligence and machine learning algorithms to automatically investigate and respond to security incidents. It can detect and analyse suspicious activities, perform threat hunting, and provide automated remediation actions to contain and mitigate threats. This capability helps reduce the response time and workload for security teams, allowing them to efficiently manage and address security incidents. D. Attack surface reduction: Microsoft Defender for Endpoint offers attack surface reduction features to minimize the potential vulnerabilities and attack vectors in an organization's environment. It includes various security controls and configurations that help protect endpoints from known attack techniques. This can include features like application control, exploit protection, network protection, and web content filtering. By reducing the attack surface, organizations can enhance their overall security posture and mitigate the risk of successful attacks.

Answer 379

You can use Azure Monitor Workbooks to monitor Microsoft Sentinel data using built-in workbook templates and custom workbooks. [Yes] You can create security playbooks based on Azure Logic Apps in Microsoft Sentinel to automate and orchestrate responses to incidents. [Yes] Microsoft Sentinel provides a continuously-updated, consolidated secure score that identifies recommended configurations for security features. [No] You can use Azure Monitor Workbooks to monitor Microsoft Sentinel data using built-in workbook templates and custom workbooks. This is possible because Microsoft Sentinel is integrated with Azure Monitor Workbooks. This includes the ability to create interactive reports through Azure Monitor Workbooks. This functionality enables you to gain insights across your data as soon as you connect a data source. You can create security playbooks based on Azure Logic Apps in Microsoft Sentinel to automate and orchestrate responses to incidents. This provides a highly-extensible development architecture that lets you scale automation as necessary to meet changing requirements. You can develop custom playbooks and choose from built-in playbooks. Microsoft Sentinel does not provide a continuously-updated, consolidated secure score that identifies recommended configurations for security features. This is a feature of Microsoft Defender for Cloud.

Answer 380

Password Hash Synchronisation (PHS) Password hash synchronization (PHS) handles user authentication in the cloud completely. With this hybrid identity sign-in method, you synchronize a hash of the end user’s password to Azure AD. Users can then be authenticated directly in the cloud. The federation sign-in method does not handle user authentication in the cloud completely. It ensures that users are authenticated on-premises. Because of the trust established between on-premises AD and Azure AD, authenticated users can then be re-directed to the cloud to access relevant applications. On-premises Active Directory Domain Services (AD DS) does not handle user authentication in the cloud completely. It authenticates end users and authorizes their access to the internal networks. To enable cloud-based authentication, you can either utilize PHS to sync hashes to the cloud or set up user identities directly in Azure AD. Pass-through Authentication (PTA) does not handle user authentication in the cloud completely. It is another sign-in method that enables hybrid identity. However, it still requires the installation of a lightweight on-premises agent that reacts to the sign-in requests in the cloud and validates the username and password against on-premises AD.

Answer 381

Identity Protection categorizes risks into two tiers. [No] With Identity Protection, you can automate the remediation of identity-based risks. [Yes] You can query Identity Protection data through Microsoft Graph APIs. [Yes] Identity Protection does not categorize risks into two tiers, it categorizes risks into three tiers. Those three tiers are low, medium and high. Higher risk tier means higher probability of the user account or sign-in being compromised. With Identity Protection, you can automate the remediation of identity-based risks. Automated remediation can be enabled through the setup of risk-based policies. Depending on the policy configuration, user accounts may be blocked or end users may be required to pass multi-factor authentication (MFA) or change their passwords. You can query Identity Protection data through Microsoft Graph APIs. As a unified API endpoint, the Microsoft Graph enables API access to various Microsoft solutions including Azure Active Directory (AD) Identity Protection. You should have Azure AD Premium P1 or P2 licenses to use Identity Protection’s risk detection APIs.

Answer 382

hashing Hashing is the best option for password encryption. Asymmetric and symmetric encryption permits decryption, which you do not want for passwords.