MS-500: Microsoft 365 Security Administration
Page 8 out of 31 pages Questions 71-80 out of 303 questions
Question#71

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 tenant. You create a label named CompanyConfidential in Microsoft Azure Information Protection.
You add CompanyConfidential to a global policy.
A user protects an email message by using CompanyConfidential and sends the label to several external recipients. The external recipients report that they cannot open the email message.
You need to ensure that the external recipients can open protected email messages sent to them.
You create a new label in the global policy and instruct the user to resend the email message.
Does that meet the goal?

  • A. Yes
  • B. No

Answer: A

Question#72

HOTSPOT -
Your network contains an on-premises Active Directory domain named contoso.com. The domain contains the groups shown in the following table.

The domain is synced to a Microsoft Azure Active Directory (Azure AD) tenant that contains the groups shown in the following table.

You create a sensitivity label named Label1.
You need to publish Label1.
To which groups can you publish Label1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:


Answer:
The groups must be mail-enabled.
Labels can be published to any specific user or email-enabled security group, distribution group, or Microsoft 365 group (which can have dynamic membership) in Azure AD.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide

Question#73

HOTSPOT -
You have a Microsoft 365 subscription.
You identify the following data loss prevention (DLP) requirements:
✑ Send notifications to users if they attempt to send attachments that contain an EU Social Security Number (SSN) or Equivalent ID.
✑ Prevent any email messages that contain credit card numbers from being sent outside your organization.
✑ Block the external sharing of Microsoft OneDrive content that contains EU passport numbers.
✑ Send administrators email alerts if any rule matches occur.
What is the minimum number of DLP policies and rules you must create to meet the requirements? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:


Answer:

Question#74

You have a Microsoft 365 subscription.
Some users access Microsoft SharePoint Online from unmanaged devices.
You create a conditional access policy in Azure Active Directory.
You need to prevent the users from downloading, printing, and syncing files.
What should you do?

  • A. From the Microsoft Azure portal, create an Azure Active Directory (Azure AD) Identity Protection user risk policy.
  • B. From the Microsoft Azure portal, create an Azure Active Directory (Azure AD) conditional access policy.
  • C. From the SharePoint admin center, configure the Access control settings.
  • D. From the Microsoft Azure portal, create an Azure Active Directory (Azure AD) Identity Protection sign-in risk policy.

Answer: C
As a SharePoint or global admin in Microsoft 365, you can use the Access control page of the SharePoint admin center or the Set-SPOTenant -ConditionalAccessPolicy cmdlet to block or limit access to SharePoint and OneDrive content from unmanaged devices.
Note:
There are several versions of this question in the exam. The question has two possible correct answers:
1. Run the Set-SPOTenant cmdlet and specify the -ConditionalAccessPolicy parameter.
2. From the SharePoint admin center, configure the Access control settings.
Other incorrect answer options you may see on the exam include the following:
1. From the SharePoint admin center, configure the secure store settings.
2. From the Microsoft Azure portal, create an Azure AD Identity Protection user risk policy.
3. From the Microsoft 365 Compliance center, create a data loss prevention (DLP) policy.
Reference:
https://docs.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps
https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices

Question#75

You have a Microsoft 365 tenant.
You have a database that stores customer details. Each customer has a unique 13-digit identifier that consists of a fixed pattern of numbers and letters.
You need to implement a data loss prevention (DLP) solution that meets the following requirements:
✑ Email messages that contain a single customer identifier can be sent outside your company.
✑ Email messages that contain two or more customer identifiers must be approved by the company's data privacy team.
Which two components should you include in the solution? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. a sensitive information type
  • B. a sensitivity label
  • C. a retention label
  • D. a DLP policy
  • E. a mail flow rule

Answer: AD
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitive-information-type-entity-definitions?view=o365-worldwide

Question#76

You create a data loss prevention (DLP) policy as shown in the following exhibit:

What is the effect of the policy when a user attempts to send an email message that contains sensitive information?

  • A. The user receives a notification and can send the email message
  • B. The user receives a notification and cannot send the email message
  • C. The email message is sent without a notification
  • D. The email message is blocked silently

Answer: A
Reference:
https://docs.microsoft.com/en-us/office365/securitycompliance/data-loss-prevention-policies

Question#77

You have a Microsoft 365 subscription.
You need to create data loss prevention (DLP) queries in Microsoft SharePoint Online to find sensitive data stored in sites.
Which type of site collection should you create first?

  • A. Records Center
  • B. eDiscovery Center
  • C. Enterprise Search Center
  • D. Document Center

Answer: B
Reference:
https://support.office.com/en-us/article/overview-of-data-loss-prevention-in-sharepoint-server-2016-80f907bb-b944-448d-b83d-8fec4abcc24c

Question#78

HOTSPOT -
You have a Microsoft 365 subscription that contains a Microsoft SharePoint Online site named Site1. Site1 contains the folders shown in the following table.

At 09:00, you create a Microsoft Cloud App Security policy named Policy1 as shown in the following exhibit.

After you create Policy1, you upload files to Site1 as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:


Answer:
Reference:
https://docs.microsoft.com/en-us/cloud-app-security/data-protection-policies

Question#79

You have a Microsoft 365 subscription that includes a user named User1.
You have a conditional access policy that applies to Microsoft Exchange Online. The conditional access policy is configured to use Conditional Access App Control.
You need to create a Microsoft Cloud App Security policy that blocks User1 from printing from Exchange Online.
Which type of Cloud App Security policy should you create?

  • A. an app permission policy
  • B. an activity policy
  • C. a Cloud Discovery anomaly detection policy
  • D. a session policy

Answer: D
References:
https://docs.microsoft.com/en-us/cloud-app-security/session-policy-aad

Question#80

HOTSPOT -
You have a Microsoft 365 E5 subscription.
From Microsoft Azure Active Directory (Azure AD), you create a security group named Group1. You add 10 users to Group1.
You need to apply app enforced restrictions to the members of Group1 when they connect to Microsoft Exchange Online from non-compliant devices, regardless of their location.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:


Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-conditional-access
