Which Microsoft 365 feature can you use to restrict users from sending email messages that contain lists of customers and their associated credit card numbers?
Answer : B
In Microsoft 365, Data Loss Prevention (DLP) policies are designed to ''help you identify, monitor, and automatically protect sensitive information'' across services such as Exchange Online, SharePoint Online, OneDrive, and Microsoft Teams. Microsoft's guidance explains that DLP uses sensitive information types---including built-in classifiers like Credit Card Number---to detect when content matches a defined pattern and then enforce protective actions. With DLP, you can create rules that trigger when email messages contain customer lists with credit card numbers, and choose actions to block the message, restrict access, or notify and educate users via policy tips and incident reports. Microsoft further notes that DLP ''prevents the accidental sharing of sensitive information,'' can require user justification to override, and supports granular conditions (e.g., number of matches, recipients internal vs. external) to ensure that only risky transmissions are stopped. By applying a DLP policy to Exchange with the Credit Card Number sensitive info type, an organization can block or quarantine outbound mail that includes those numbers, thereby reducing regulatory and data-exposure risk. Other options listed---retention policies, conditional access, and information barriers---serve different purposes (data lifecycle, access/authentication conditions, and restricting communication between groups) and do not inspect message contents for sensitive data. Hence, DLP policies are the correct control to restrict sending emails that contain customer lists and associated credit card numbers.
What is the purpose of Azure Active Directory (Azure AD) Password Protection?
Answer : D
Explanation
Azure AD Password Protection detects and blocks known weak passwords and their variants, and can also block additional weak terms that are specific to your organization.
With Azure AD Password Protection, default global banned password lists are automatically applied to all users in an Azure AD tenant. To support your own business and security needs, you can define entries in a custom banned password list.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises
Which three tasks can be performed by using Azure Active Directory (Azure AD) Identity Protection? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
Answer : B, C, D
Microsoft Entra ID Identity Protection is a risk-based conditional access capability that ''automates the detection and remediation of identity-based risks'' and enables admins to investigate risky users and sign-ins. SCI guidance explains that Identity Protection evaluates signals such as user risk and sign-in risk, raises risk detections, and can automatically remediate by enforcing actions like password reset or blocking access via risk-based policies. The portal provides rich investigation experiences for risky users, risky sign-ins, and risk detections, allowing security teams to review evidence and confirm/dismiss risks. In addition, identity risk data can be exported through Azure Monitor/diagnostic settings and integrated with SIEM/SOAR tools, enabling ''export of risk detections and security alerts to third-party solutions'' for correlation and response. Tasks such as configuring external access for partner organizations are handled by B2B collaboration features, and creating/assigning sensitivity labels belongs to Microsoft Purview Information Protection---not Identity Protection. Therefore, the tasks Identity Protection supports are: export risk detection (B), automate detection and remediation of identity-based risks (C), and investigate risks related to user authentication (D).
Which statement represents a Microsoft privacy principle?
Answer : D
Microsoft's privacy commitments are framed as principles that include Control, Transparency, Security, Strong legal protections, No content-based targeting, and Benefits to you. Under these commitments, Microsoft emphasizes compliance with regional and sectoral laws: it provides ''strong legal protections'' for data and commits to handling data ''in accordance with applicable laws,'' including respecting local privacy and data-protection requirements and supporting cross-border transfers only as permitted by law. The principles also state Microsoft does not use customer content for advertising, and it enables customers to manage their own privacy settings and choices. Therefore:
A is false (Microsoft does collect data but minimizes and protects it).
B is false (Microsoft states no content-based targeting for customer email/chat).
C is false (Microsoft provides settings; customers control them).
D aligns with Microsoft's principle to respect and comply with applicable local privacy laws.
You have an Azure subscription that contains a virtual network named Vnet1. VNet1 contains a virtual machine named VM1 that runs Windows Server and is publicly accessible.
You suspect that VM1 has been the target of a malicious network attack.
You need to monitor network traffic to VM1, collect attack metrics, such as the SYN packet count, and automatically generate alerts if another attack begins. The solution must minimize administrative effort.
What should you use?
Answer : C
You plan to implement a security strategy and place multiple layers of defense throughout a network infrastructure.
Which security methodology does this represent?
Answer : C
Microsoft defines defense in depth as a security strategy that uses multiple, reinforcing layers of protection to reduce the chance that a single failure leads to compromise. In Microsoft's security guidance, defense in depth is described as employing ''a series of mechanisms across multiple layers'' to protect identities, endpoints, applications, data, and the network. The model spans layers such as identity, perimeter, network, compute, application, and data, with controls at each layer designed to detect, prevent, and contain attacks. Typical Azure/Microsoft 365 implementations include identity protections (MFA, Conditional Access), network controls (Azure Firewall, NSGs), perimeter filtering (WAF, DDoS Protection), endpoint safeguards (Defender for Endpoint), application security (code and runtime controls), and data protection (encryption, DLP, Purview Information Protection). By ''placing multiple layers of defense throughout a network infrastructure,'' an organization limits blast radius and increases resilience if one layer is bypassed. This contrasts with threat modeling (a design-time analysis technique), identity as the security perimeter (a principle of Zero Trust), and the shared responsibility model (a cloud governance concept). The scenario in the question precisely matches Microsoft's defense in depth methodology.
Which three statements accurately describe the guiding principles of Zero Trust? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
Answer : B, C, D
Microsoft's Zero Trust guidance in the Security, Compliance, and Identity (SCI) materials frames three core principles: ''Verify explicitly,'' ''Use least-privilege access,'' and ''Assume breach.'' The guidance explains that identity is the new control plane in cloud-based environments: identity becomes the primary security boundary, with access decisions evaluated continuously using signals such as user identity, device health, location, and risk. In Zero Trust, organizations must ''verify explicitly''---that is, require strong authentication and explicit authorization for every access request, not just initial logon, and base decisions on the permissions and context presented. The model also directs organizations to ''assume breach'', operating with the expectation that an attacker may already be inside the environment and therefore applying containment practices such as micro-segmentation, telemetry, and rapid detection and response. Conversely, the traditional notion of defining the perimeter by physical locations or network boundaries is explicitly rejected; the documentation emphasizes that network location is no longer a reliable trust signal and should not be treated as the primary boundary. Therefore, the statements that align with Microsoft's Zero Trust principles are: Use identity as the primary security boundary (B), Always verify user permissions explicitly (C), and Always assume the user/system can be breached (D).