Security theory

Question 1

What is MIG?

Answer 1

Microsoft Information Governance (MIG) is a collection of features to govern your data for compliance or regulations.

Question 2

What is the difference between Retention Policies and RM?

Answer 2

While Records Management (RM) leverages Retention Policies, they perform differently.

Retention labels keep a copy of the content hidden from the user (but they can still delete/modify content from the UI), but RM blocks actions in the UI.

Question 3

6 Pillars of Zero Trust

Answer 3

• Identities must be verified
• Devices create a large attack surface needing monitoring
• Applications (inc Shadow IT) must be mapped & protected
• Data must be classified, encrypted & labelled
• Infrastructure must be monitored
• Networks need segmenting, encryption & monitoring

Question 4

What are the THREE features you can configure to provide automated Data classification?

Answer 4

Trainable classifiers
Sensitive Information Types
Exact Data Matches

Question 5

Sensitivity labels are an example of Data classification. List THREE other areas.

Answer 5

• (Sensitivity labels)
• Retention policies
• Communication compliance
• Insider risk management

Question 6

What FOUR actions can you view with the activity explorer?

Answer 6

• Read
• Deletion
• Printed
• Copied to network share/USB

Question 7

True/False: Azure Active Directory (Azure AD) Identity Protection can be used to invoke Multi-Factor Authentication based on a user’s risk level

Answer 7

True. CA is a feature provided by Identity Protection

Question 8

Hot Area:

Answer Area
______ can use conditional access policies to control sessions in real time.

• Azure Active Directory (Azure AD) Privileged - Identity Management (PIM)
• Azure Defender
• Azure Sentinel
• Microsoft Cloud App Security

Answer 8

Cloud App Security /
MS Defender for Cloud

Question 9

How many trainable classifiers and specific file extensions can be applied to a single Insider Risk Policy?

Answer 9

5 classifiers / 50 file extensions

Question 10

What is a Sequence, in regards to Insider Risk Management?

Answer 10

A sequence is a group of two or more potentially risky activities performed one after the other that might suggest an elevated risk.

Question 11

What FOUR categories of activity could trigger alerts for the Data leaks by the priority users sequence?

Answer 11

• Collection eg. downloading files from SharePoint sites or moving files into a compressed folder.
• Obfuscation eg. renaming files on a device.
• Exfiltration eg. sending emails with attachments outside of your organisation.
• Clean-up eg. deleting files from a device.

Question 12

What’s required for an organisation to use Peer groups for cumulative exfiltration detection?

Answer 12

Your organisation agrees to share Azure AD data with the compliance portal, including organisation hierarchy and job titles.

Question 13

What data is typically contained in a security token (claim)?

Answer 13

Issuer
Audience
Expiry/Issued at/Not valid before
Subject
OID/TID
Name
Signature

Question 14

What tech is the MS ID platform built on?

Answer 14

OpenID Connect

Question 15

How does Peer groups for cumulative exfiltration detection work?

Answer 15

It looks for peers outside the organisation, based on the following criteria:

• SharePoint sites: Insider risk management identifies peer groups based on users who access similar SharePoint sites.
• Similar organization: Users with reports and team members based on organization hierarchy.
• Similar job title: Users with a combination of organizational distance and similar job titles.

Question 16

What TWO secondary authentication TYPES are supported in AAD?

Answer 16

OAuth software/hardware, voice-call verification

Question 17

What SIX authentication methods are available for SSPR?

Answer 17

• Mobile app notification
• Mobile app code
• Mobile phone
• Office phone
• Email
• Security questions

Question 18

What licence is required to allow banned password lists?

Answer 18

Banned password lists are a feature of Azure AD Premium P1

Question 19

What licence is required to allow PIM?

Answer 19

Azure AD Premium P2

Question 20

True/False: NSGs can deny inbound traffic from the Internet

Answer 20

TRUE, NSGs deny all in-bound Internet Traffic by default.

Question 21

What’s an Access Package?

Answer 21

A group of access entitlements needed to fulfil a specific role

Question 22

What licence is needed to allow Entitlement Management?

Answer 22

Azure AD Premium P2

Question 23

What licence is needed to allow Access Reviews?

Answer 23

Azure Ad Premium P2

Question 24

What THREE secondary authentication TECHNOLOGIES are supported in AAD?

Answer 24

Authenticator
Hello for Business
FIDO 2 keys

Question 25

What THREE services does Azure Identity Protection (AIP) provide?

Answer 25

• Automate the detection and remediation of identity-based risks.
• Investigate risks using data in the portal.
• Export risk detection data to third-party utilities for further analysis

Question 26

What is Sign-in risk in AIP?

Answer 26

The probability that a given authentication request isn’t authorized by the identity owner

Question 27

What SIX sign-in risks can AIP detect?

Answer 27

Anonymous IP address.
Malware linked IP address.
Atypical travel.
Unfamiliar sign-in properties.
Password spray.
Azure AD threat intelligence.

Question 28

What is User risk in AIP?

Answer 28

The probability that a given identity or account is compromised

Question 29

What are TWO user risks that AIP can detect?

Answer 29

Leaked credentials.
Azure Ad Threat Intelligence

Question 30

What THREE reports are produced by AIP?

Answer 30

Risky users
Risky sign-ins
Risk detections

Question 31

What licence is needed to allow Azure Identity Protection?

Answer 31

Azure AD Premium P2

Question 32

Your organization has implemented important changes in their customer facing web-based applications. You want to ensure that any user who wishes to access these applications agrees to the legal disclaimers. Which Azure AD feature should you implement?

Answer 32

Azure AD Terms of Use

Question 33

An organization is project-oriented with employees often working on more than one project at a time. Which solution is best suited to managing user access to this organization’s resources?

Answer 33

Entitlement management

Question 34

An organization has recently conducted a security audit and found that four people who have left were still active and assigned global admin roles. The users have now been deleted but the IT organization has been asked to recommend a solution to prevent a similar security lapse happening in future. Which solution should they recommend?

Answer 34

PIM

Question 35

What TWO licences allow use of Dynamic groups in AAD?

Answer 35

Azure AD Premium P1
Intune for Education

Question 36

What are three types of DDOS attack?

Answer 36

Volumetric attacks: that flood the network with seemingly legitimate traffic, overwhelming the available bandwidth.

Protocol attacks: Protocol attacks render a target inaccessible by exhausting server resources with false protocol requests that exploit weaknesses in layer 3 (network) and layer 4 (transport) protocols.

Resource (application) layer attacks: These attacks target web application packets, to disrupt the transmission of data between hosts.

Question 37

What three TIERS of Azure DDoS protection are available?

Answer 37

Basic (now renamed Default)
DDoS Network Protection (SKU)
DDoS IP Protection (preview)

Question 38

True/False: By default, NSGs allow outbound traffic to access the Internet

Answer 38

True, unless specifically over-ridden by a higher-priority rule.

Question 39

Describe use of Threat Intelligence with respect to Azure Firewall

Answer 39

Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains

Question 40

Describe FOUR advantages of Azure Firewall

Answer 40

Built-in high availability and availability zones

Outbound SNAT and inbound DNAT to communicate with internet resources

Threat intelligence

Integration with Azure Monitor

Question 41

Describe WAF

Answer 41

Web Application Firewall provides centralised protection of your web applications from common exploits and vulnerabilities

Question 42

True/False: NSGs block incoming Internet Traffic by default?

Answer 42

Communication needs to be explicitly provisioned enables more control over how Azure resources in a VNet communicate with other Azure resources, the internet, and on-premises networks

Question 43

True/False: You can associate multiple NSGs to VNet subnets or NICs?

Answer 43

False -You can associate only one network security group to each virtual network subnet and network interface in a virtual machine

Question 44

True/False: You can associate an NSG with multiple subnets & NICs

Answer 44

True -The same network security group can be associated to as many different subnets and network interfaces as you choose

Question 45

Intune is managed via:
- AAD Admin Centre
- M365 Compliance Centre
- M365 Security Centre
- Endpoint Admin Centre

Answer 45

Microsoft Endpoint Admin Centre

Question 46

What THREE Inbound security rules are provided in NSGs by default?

Answer 46

AllowVNetInBound. This rule allows traffic from any Virtual Network (as defined by the service tag) on any port to any Virtual Network on any port, using any protocol.

AllowAzureLoadBalancerInBound. This rule allows traffic from any Azure Load Balancer on any port to any IP address on any port, using any protocol.

DenyAllInBound rule.
This rule denies all traffic from any source IP address on any port to any other IP address on any port, using any protocol.

Question 47

What is the difference between Network Security Groups (NSGs) and Azure Firewall?

Answer 47

NSGs provide traffic filtering to limit traffic WITHIN VNets in each subscription.

Azure Firewall provides protection ACROSS different subscriptions and VNets.

Question 48

True/False: Intune can be used to provision Azure subscriptions?

Answer 48

False

Question 49

How widely does Bastion protect your VMs, VNets and subscriptions?

Answer 49

Bastion provides secure RDP and SSH connectivity to all VMs in the VNet, and peered VNets, in which it’s provisioned.

Bastion deployment is per VNet, not per subscription/account or virtual machine.

Question 50

True/False: VMs accessed via Bastion need Public IPs

Answer 50

False. Bastion opens the RDP/SSH connection to your Azure virtual machine using private IP on your VM. You don’t need a public IP.

Question 51

True/False: The Bastion service eliminates the need for NSGs

Answer 51

True -The service is hardened internally to provide secure RDP/SSH connectivity. You don’t need to apply any NSGs on an Azure Bastion subnet.

Question 52

True/False: The Bastion service does NOT eliminate the need to harden VMs

Answer 52

False -Because it sits at the perimeter of your virtual network, you don’t need to worry about hardening each virtual machine in the virtual network

Question 53

How does JIT protect VMs?

Answer 53

JIT allows you to select VM ports to which inbound traffic is blocked.

Defender for Cloud places “deny all inbound traffic” rules for these ports in the NSG/Firewall rules.

Defender applies RBAC to allow blocking to be lifted for a specified time & restores it afterwards.

Question 54

True/False: JIT for VMs requires a Defender for Cloud subscription

Answer 54

True -JIT requires Microsoft Defender for servers to be enabled on the subscription

Question 55

True/False: When JIT VM access expires, the connection is dropped

Answer 55

False -Defender for Cloud restores the NSGs to their previous states. Connections that are already established are not interrupted.

Question 56

List THREE types of data encryption provided by Azure

Answer 56

Storage encryption (managed disks, blob storage, files & queues)
Disk encryption Win/Linux VM disks (bitlocker/dm-crypt)
Transparent Data Encryption (TDE) in SQL Db & Data Warehouse

Question 57

List FOUR functions of Azure Key Vault

Answer 57

Secrets Mgmt (control access)
Key Mgmt
Cert Mgmt
Hardware Security Module (HSM) (store secrets in FIPS 140-2 HSMs)

Question 58

The security admin wants to protect Azure resources from DDoS attacks and needs logging, alerting, and telemetry capabilities. which Azure service can provide these capabilities?

• Default DDoS infrastructure protection.
• Both DDoS IP Protection and DDoS Network Protection.
• Azure Bastion.

Answer 58

DDoS IP Protection and DDoS Network Protection provide advanced capabilities, including logging, alerting, and telemetry

Question 59

Expand CSPM

Answer 59

Cloud Security Posture Management assesses systems and alerts security staff when a vulnerability is found.

Question 60

Expand TVM

Answer 60

Threat & Vulnerability Management provides a holistic view of the organization’s attack surface and risk and integrates it into operations and engineering decision-making

Question 61

Expand CWP

Answer 61

Cloud Workload Protection

Through CWP, Defender for Cloud is able to detect and resolve threats to resources, workloads, and services

Question 62

An organization wants to add vulnerability scanning for its Azure resources to view, investigate, and remediate the findings directly within Microsoft Defender for Cloud. What functionality would they need to consider?

• Secure score and recommendations functionality that is part of the CSPM pillar of Defender.
• The enhanced functionality that is provided through the Microsoft Defender plans and is part of the CWP pillar of Defender.
• Security Benchmarks.

Answer 62

2 Microsoft Defender plans provide enhanced security features for your workloads, including vulnerability scanning.

The Microsoft cloud security benchmark (MCSB) provides prescriptive best practices and recommendations, NOT vulnerability scanning.

Question 63

List THREE deliverables
provided by the Purview Governance Portal

Answer 63

• Create a holistic, up-to-date map of your data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage.
• Enable data curators to manage and secure your data estate.
• Empower data consumers to find valuable, trustworthy data.

Question 64

What functionality is provided by the Purview Data Map?

Answer 64

By scanning registered data sources, Azure Purview Data Map is able to capture metadata about enterprise data, to identify and classify sensitive data.

Question 65

What services are provided by the Purview Data Catalogue?

Answer 65

Users can quickly and easily find relevant data using a search with filters based on various lenses like glossary terms, classifications, sensitivity labels etc.

Question 66

What THREE insights are provided by Purview Data Estate Insights?

Answer 66

Data and security officers can get a bird’s eye view and at a glance understand:
- What data is actively scanned
- Where sensitive data is
- How it moves.

Question 67

What functionality is provided by the Purview Data Sharing & Data Policy (Preview)?

Answer 67

Access policies in Purview enable you to manage access to different data systems across your entire data estate.
Eg. if a user needs read access to an Azure Storage account that has been registered in Purview, you can grant this access directly from Purview.

Question 68

Which application in the Purview governance portal is used to capture metadata about enterprise data, to identify and classify sensitive data?

• Data Catalog
• Data Map
• Data Estate Insights.

Answer 68

2 Purview Data Map captures metadata about enterprise data, to identify and classify sensitive data.

Question 69

What are the FOUR stages of Data Lifecycle Management?

Answer 69

• Know your data (ID important data)
• Protect your data (encrypt, restrict)
• Prevent data loss (oversharing)
• Govern your data (retention/mgmt policies)

Question 70

What THREE data classification methods are used by Purview?

Answer 70

• Manual
• Auto pattern recognition
• Machine learning

Question 71

What are Sensitive Information Types?

Answer 71

Sensitive information types (SIT) are pattern-based classifiers. They have set patterns that can be used to identify them.
Eg. credit card/bank account/passport numbers.

Question 72

What is Exact Data Match (EDM) classification?

Answer 72

EDM-based classification enables you to create custom sensitive information types that refer to exact values in a database of sensitive information.

Question 73

What are Trainable Classifiers?

Answer 73

Trainable classifiers use AI to intelligently classify data. They’re most useful classifying data unique to an organization like specific kinds of contracts, invoices, or customer records.

Question 74

What TWO types of Trainable Classifier are available in Purview?

Answer 74

• Pre-trained (source code/resumes/threats/profanity)
• Custom (specific contracts/invoices/records)

Question 75

Define “Seeding”

Answer 75

Training a custom trainable classifier by presenting many samples of example content.

Question 76

What does the Content Explorer do?

Answer 76

Enable admins to view content that has been summarised in the overview pane.

Question 77

What TWO roles have access to Purview’s Content Explorer?

Answer 77

• Content explorer list viewer.
• Content explorer content viewer.

_{(List view shows matching objects, content enables viewing them).}

Question 78

List FOUR activities associated with a labelled document that can be analysed by Purview’s Activity Explorer

Answer 78

• File copied to removable media
• File copied to network share
• Label applied
• Label changed

Question 79

List THREE properties of Labels

Answer 79

• Customizable. Admins can create different categories specific to the organization.
• Clear text. Each label is stored in clear text in the content’s metadata, third-party apps and services can read it and then apply their own protective actions, if necessary.
• Persistent. After you apply a sensitivity label to content, the label is stored in the metadata of that email or document & moves with the content.

Question 80

True/False: Labels cab be used to protect content in containers such as sites and groups.

Answer 80

True This doesn’t result in documents being automatically labeled. Instead, the label settings protect content by controlling access to the container where documents are stored.

Question 81

True/False: Multiple labels may be applied to one document or email

Answer 81

False Only one label can apply in each case.

Question 82

True/False: Labels may mark content, encrypt it or do nothing

Answer 82

True Labels can:
- Display watermarks
- Encrypt emails and/or documents
- Do nothing other than act as a classification

Question 83

Why would labels be used without protective restrictions?

Answer 83

The label classification can be used to generate usage reports and view activity data for sensitive content.

Question 84

True/False: Labels may be used to link users to custom help pages.

Answer 84

True It helps users to understand what the different labels mean and how they should be used.

Question 85

What is endpoint data loss prevention?

Answer 85

Endpoint data loss prevention (Endpoint DLP) extends the activity monitoring and protection capabilities of DLP to sensitive items that are physically stored on Windows 10, Windows 11, and macOS (Catalina 10.15 and higher) devices

Question 86

How do retention labels and assigning retention policies help organizations?

(List THREE factors)

Answer 86

• Comply proactively with industry regulations and internal policies that require content to be kept for a minimum time.
• Reduce risk when there’s litigation or a security breach by permanently deleting old content that the organisation is no longer required to keep.
• Ensure users work only with content that’s current and relevant to them. When content has retention settings assigned to it, that content remains in its original location.

Question 87

True/False: A user CANNOT delete or modify a document managed by a retention policy

Answer 87

False People can continue to work with their documents or mail as if nothing’s changed. If they edit or delete retained content, a copy is made in a secure location.

_{In most cases, people don’t even need to know that their content is subject to retention settings.}

Question 88

What FIVE MS products support data retention?

Answer 88

SharePoint
OneDrive
Microsoft Teams
Yammer
Exchange

Question 89

What THREE things happen to content when it’s labeled as a record?

Answer 89

• Restrictions are put in place to block certain activities.
• Activities are logged.
• Proof of disposal is kept at the end of the retention period.

Question 90

What TWO additional restrictions are placed on Regulatory Records?

Answer 90

• A regulatory label can’t be removed when an item has been marked as a regulatory record.
• The retention periods can’t be made shorter after the label has been applied.

Question 91

What are four FEATURES/SELLING POINTS of Azure Insider Risk Management?

Answer 91

• Transparency: Balance user privacy versus organisation risk with privacy-by-design architecture.
• Integrated: Integrated workflow across Microsoft Purview solutions.
• Configurable: Configurable policies based on industry, geographical, and business groups.
• Actionable: Provides insights to enable user notifications, data investigations, and user investigations.

Question 92

What FIVE steps comprise the Insider Risk workflow?

Answer 92

• Policies
• Alerts
• Triage
• Investigation
• Action

Question 93

What THREE eDiscovery solutions are provided with Purview?

Answer 93

• Content search
• eDiscovery (Standard)
• eDiscovery (Premium)

Question 94

What additional FIVE services are provided by eDiscovery (Premium)?

Answer 94

• Workflow (identify, preserve, collect review, analyse & export)
• Manage Custodians
• Use Review Sets to focus on content
• Tag relevant content
• Use AI to further narrow search scopes

Question 95

What additional FOUR services are provided by Purview Audit (Premium)?

Answer 95

• Retention beyond 90 days
• Customise retention periods
• Provides records for crucial events
• Higher bandwidth access to API

Question 95

How long does it take for Purview Audit to log an event?

Answer 95

It can take anywhere from 30 minutes to 24 hours for the corresponding audit log record to be returned in the results of a search.

Question 96

What roles are required to access Audit services?

Answer 96

View-Only Audit Logs or Audit Logs role in Exchange Online to search the audit log.

By default, these roles are assigned to the Compliance Management & Organisation Management role groups on the Permissions page in the Exchange admin centre.

Question 97

How does a digital signature work?

Answer 97

A signed document is hashed, and the hash encrypted with the user’s private key.
The recipient decrypts the hash & checks it against the document’s contents.

Question 98

What is Credential stuffing?

Answer 98

Re-using a password in multiple sites/instances

Question 99

What is pretexting?

Answer 99

Gaining a victim’s trust to extract secure info, such as generating a fantasy pop star name from the name of a first pet and the place they were born.

Question 100

What feature in Microsoft Defender for Endpoint provides the first line of defense against cyberthreats by reducing the attack surface?

Answer 100

Network protection

Question 101

Which feature provides the extended detection and response (XDR) capability of Azure Sentinel?

Answer 101

Integration with Microsoft 365 Defender

Question 102

True/False: Conditional access policies apply BEFORE first-factor authentication is complete?

Answer 102

False

Conditional Access policies apply AFTER first-factor authentication is complete.

Question 103

Conditional access policies can use WHAT SERVICE as a signal that provides the ability to control sessions in real time?

Answer 103

Azure Cloud App Security

AKA Defender for cloud

Question 104

Which layer can secure access to VMs either on-prem or in the cloud by closing certain ports?

Answer 104

The Compute layer

Question 105

Which authentication method uses a software agent on an on-prem server to provide simple password validation?

Answer 105

Pass-through Authentication (PTA)

Question 106

What are Microsoft’s SIX privacy principles?

Answer 106

• Control over privacy
• Transparency
• Security
• Strong Legal protections
• No content-based targeting
• Benefits to you

Question 107

What Security Centre tool would you use to continuously monitor the status of your network?

Answer 107

Network map

This provides a topology map of your network workloads, allowing you to block unwanted connections.

Question 108

What is the purpose of Perimeter security in the defence in depth approach?

Answer 108

DDOS protection

Question 109

Can Azure firewall encrypt traffic?

Answer 109

No

Question 110

What’s the max retention period for M365 Audit Logs?

Answer 110

10 years

Question 111

Which THREE features are NOT included in the pricing plan for Office 365 apps?

• Cloud App Discovery
• Password protection
• Group Access Management
• Risk-based Conditional Access
• MFA

Answer 111

• Cloud Discovery
• Group Access Management
• Conditional Access

Question 112

What FOUR AAD editions are available?

Answer 112

• Free
• Office 365 Apps
• Premium P1
• Premium P2

Question 113

List the FOUR AAD Identity types

Answer 113

• User
• Service Principal (ID for an App)
• Managed ID (Managed Service Principals)
• Device

Question 114

What’s the function of Managed Identities?

Answer 114

Managed IDs are auto managed in AAD, eliminating the need for Devs to manage credentials. Managed IDs provide identity for apps to connect to Azure Resources at no extra cost.

Question 115

What is a Service Principal used for?

Answer 115

A Service principal is an identity for an app.

It’s required to register the app with AAD to integrate its ID and access functions.

Question 116

True/False: Application developers need to manage and protect Service Principal credentials used by their products

Answer 116

True.

Managed Identities negate this requirement for supported Azure resources.

Question 117

What licence is needed to use AAD External Identities?

Answer 117

AAD Premium P1

Question 118

True/False: AD FS services will be lost if the on-prem DC service fails

Answer 118

False -AD FS can be configured to use password hash sync should the on-prem service fail.

Question 119

An organization has completed a full migration to the cloud and has purchased devices for all its employees. All employees sign in to the device through an organizational account configured in Azure AD. Select the option that best describes how these devices are set up in Azure AD.

• These devices are set up as Azure AD registered.
• These devices are set up as Azure AD joined.
• These devices are set up as Hybrid Azure AD joined.

Answer 119

AAD Joined. An AAD joined device is joined to AAD through an organizational account, which is then used to sign in to the device. Azure AD joined devices are generally owned by the organization.

Question 120

A developer wants an application to connect to Azure resources that support Azure AD authentication, without having to manage any credentials and without incurring any extra cost. Which option best describes the identity type of the application?

• Service principal
• Managed identity
• Hybrid Identity

Answer 120

Managed identities are a type of service principal that are automatically managed in Azure AD and eliminate the need for developers to manage credentials.

Question 121

What’s the max of the NSG priority range?
- 2096
- 3500
- 4000
- 4096
- 4128

Answer 121

NSG priorities are in the range 100 to 4096

Question 122

What mode can WAF operate in to avoid affecting live services during testing?

Answer 122

Detection mode. Later, it should be switched to Prevention Mode

Question 123

What are FOUR uses of Cloud App Security (Defender for Cloud Apps)?
- Prevent data leaks & limit access to regulated data
- Provide pass-through authentication to on-prem apps
- Provide secure connection to Azure VMs
- Discover & control shadow IT
- Protect sensitive info hosted anywhere in the cloud

Answer 123

Everything BUT Provide secure connection to Azure VMs

Question 124

An audit team needs access to crucial events, such as when mail items were accessed, replied to and forwarded. What capability is required?
- Advanced Auditing
- Core Auditing
- Alert policies to generate & view alerts when actions are performed on mail

Answer 124

Advanced Auditing is needed to access crucial events.

Question 125

When considering Cloud App Security/Defender for Cloud Apps, what is a key consideration?
- Data security of your entire estate
- Architecture of your entire estate
- Use of Shadow IT across your entire estate

Answer 125

Architecture of the estate

Question 126

Settings may have been changed by a user in Teams. What capability is needed to investigate this?
- Turn on MS Teams settings search & ensure you have the right role
- Verify that auditing is enabled & that you have the right role
- Block Teams & ensure you have the appropriate role

Answer 126

Verify that auditing is enabled & you have the appropriate role to perform the search.

Question 127

Retention labels can be applied to _______?
- Exchange (all mailboxes), SharePoint, OneDrive
- Exchange & MS 365 Groups
- Exchange, SharePoint, OneDrive & MS 365 Groups

Answer 127

Exchange, SharePoint, OneDrive & MS 365 Groups

Question 128

Where does retention policy store copies for SharePoint/OneDrive?

Answer 128

Preservation Hold library

Question 129

Where does retention policy store copies for Exchange mailboxes?

Answer 129

Recoverable items folder

Question 130

Where does retention policy store copies for Teams & Yammer?

Answer 130

SubstrateHolds

Question 131

Insider Risk Management exports alerting data for SIEM via what service?

Answer 131

Office 365 Management API integration

Question 132

Where are all data files & emails associated with alert activities captures & displayed?
- Case overview
- User activity
- Content explorer
- Alerts

Answer 132

Content Explorer receives copies of alerts

Question 133

What licence is required for Cloud App Discovery to identify Shadow IT?

Answer 133

AAD Premium P1

Question 134

How long do content holds need to take effect?

Answer 134

Up to 24 hours

Question 135

What service does Sentinel use to store security analytics data?

Answer 135

Azure Log Analytics Workspace

Question 136

What EIGHT services are enabled through Azure AD Premium P1

Answer 136

• (Banned) Password Protection
• External Identities (B2B/B2C)
• Dynamic Azure AD Groups
• Cloud App Discovery (Shadow IT)
• Conditional access
• Self-service password Reset
• Microsoft Identity Manager (HR Connect)
• Azure Terms of Use

Question 137

The Zero-Trust “Limit Blast Radius” principle involves what TWO elements?

Answer 137

Use Identity-based segmentation and Least privilege access

ID Segmentation works by restricting access to apps or workloads, based on job role.

Question 138

Which THREE roles can access the Compliance Centre?

Answer 138

Global Admin
Compliance Admin
Compliance Data Admin

Question 139

What are the THREE features of Compliance Manager?

Answer 139

• Pre-built/custom assessments for common industry and regional standards
• Compliance score
• Step-by-step guidance to help achieve compliance

Question 140

True/False: Conditional access policies can be applied only to users with AAD-joined devices?

Answer 140

False. Conditional access can ALSO be applied to AD DS-joined devices (Win 7 onwards).

Question 141

True/False: With AAD Identity Protection, you can force use of MFA during a user sign-in?

Answer 141

True. Identity Protection can configure a Conditional Access policy for you that requires MFA, regardless of which modern authentication app you use.

Question 142

Which of the following is NOT an Identity Governance feature in AAD?
- PIM
- Access reviews
- Conditional access
- Entitlement Management

Answer 142

Access reviews

Question 143

Which of the following cards is NOT available within the M365 Security Centre?
- Identities
- Devices
- Groups
- Apps

Answer 143

Groups

Question 144

Which of the four MCAS pillars is responsible for identifying and controlling sensitive information?
- Visibility
- Threat protection
- Compliance
- Data security

Answer 144

Data security

Question 145

True/False: A system-assigned managed identity is created as a standalone Azure resource?

Answer 145

False

USER-assigned is stand-alone, system assigned is created as part of a VM or App Service.

Question 146

True/False: Responsibility for Network controls & Host infrastructure is SHARED between MS and users for IaaS solutions?

Answer 146

True

Question 147

What is a message digest?

Answer 147

An alternative term for a Hash value

Question 148

What are the most common hash lengths in use?
- 256-288
- 128-160
- 512-1024
- 96-1016

Answer 148

128-160

Question 149

What feature allows use of the same security key across multiple services?
- Hmac-secret
- Resident key
- Multiple accounts per RP
- Client PIN

Answer 149

Multiple accounts per RP (RelyingParty)

Question 150

Which of the following is NOT an identity?
- Services
- Users
- Networks
- Devices

Answer 150

Networks

Question 151

True/False: You can only add one resource lock to an Azure resource?

Answer 151

False.

You can have ReadOnly & CanNotDelete locks on one resource and resources can inherit locks from parent objects. The most restrictive lock takes precedence.

Question 152

Which of the following is a feature of Defender for Endpoint’s behavioral sensors technology?
- Behavioral signals are translated into insights, detections, and recommended responses to advanced threats.
- It collects and processes behavioral signals from the operating system and send this sensor data to your private, isolated, cloud instance of Microsoft Defender for Endpoint.
- It generate alerts when they are observed in collected sensor data.
- It ensures configuration settings are properly set and exploit mitigation techniques are applied

Answer 152

2 It collects and processes behavioral signals from the operating system.