Microsoft 365 Identity and Services Exam
Question No : 1
A user receives the following message when attempting to sign in to https://myapps.microsoft.com:
"Your sign-in was blocked. We've detected something unusual about this sign-in. For example, you might be signing in from a new location, device, or app. Before you can continue, we need to verify your identity. Please contact your admin."
Which configuration prevents the users from signing in?
The user is being blocked due to a ‘risky sign-in’. This can be caused by the user logging in from a device that hasn’t been used to sign in before or from an unknown location.
Integration with Azure AD Identity Protection allows Conditional Access policies to identify risky sign-in behavior. Policies can then force users to perform password changes or multi-factor authentication to reduce their risk level or be blocked from access until an administrator takes manual action.
Question No : 2
You have a Microsoft Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.
Your company uses Windows Defender Advanced Threat Protection (ATP).
Windows Defender ATP contains the roles shown in the following table.
Windows Defender ATP contains the device groups shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Box 1: Yes.
User1 is in Group1 which is assigned to Role1. Device1 is in the device group named ATP1 which Group1 has access to. Role1 gives Group1 (and User1) View Data Permission. This is enough to view Device1 in Windows Security Center.
Box 2: Yes.
User2 is in Group2 which is assigned to Role2. Role2 gives Group2 (and User2) View Data Permission. This is enough to sign in to Windows Security Center.
Box 3: Yes.
User3 is in Group3 which is assigned the Windows ATP Administrator role. Someone with a Microsoft Defender ATP Global administrator role has unrestricted access to all machines, regardless of their machine group association and the Azure AD user groups assignments.
Question No : 3
Your company has a Microsoft 365 E5 subscription.
Users in the research department work with sensitive data.
You need to prevent the research department users from accessing potentially unsafe websites by using hyperlinks embedded in email messages and documents. Users in other departments must not be restricted.
What should you do from the Security & Compliance admin center?
ATP Safe Links, a feature of Office 365 Advanced Threat Protection (ATP), can help protect your organization from malicious links used in phishing and other attacks. If you have the necessary permissions for the Office 365 Security & Compliance Center, you can set up ATP Safe Links policies to help ensure that when people click web addresses (URLs), your organization is protected. Your ATP Safe Links policies can be configured to scan URLs in email and URLs in Office documents.
Question No : 4
You have a Microsoft 365 subscription.
You are configuring permissions for Security & Compliance.
You need to ensure that the users can perform the tasks shown in the following table.
The solution must use the principle of least privilege.
To which role should you assign each user? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Security Reader: Members can manage security alerts (view only), and also view reports and settings of security features.
Security Administrator, Compliance Administrator and Organization Management can manage alerts.
However, Security Administrator has the least privilege.
Question No : 5
You have a Microsoft 365 subscription that contains a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com.
In the tenant, you create a user named User1.
You need to ensure that User1 can publish retention labels from the Security & Compliance admin center.
The solution must use the principle of least privilege.
To which role group should you add User1?
Members of your compliance team who will create retention labels need permissions to the Security & Compliance Center. By default, your tenant admin has access to this location and can give compliance officers and other people access to the Security & Compliance Center, without giving them all of the permissions of a tenant admin. To do this, we recommend that you go to the Permissions page of the Security & Compliance Center, edit the Compliance Administrator role group, and add members to that role group.
Question No : 6
Your company has a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com.
You sign up for Microsoft Store for Business.
The tenant contains the users shown in the following table.
Microsoft Store for Business has the following Shopping behavior settings:
- Allow users to shop is set to On.
- Make everyone a Basic Purchaser is set to Off.
You need to identify which users can install apps from the Microsoft Store for Business private store.
Which users should you identify?
A. User1, User2, User3, User4, and User5
B. User1 only
C. User1 and User2 only
D. User3 and User4 only
E. User1, User2, User3, and User4 only
Allow users to shop controls the shopping experience in Microsoft Store for Education. When this setting is on, Purchasers and Basic Purchasers can purchase products and services from Microsoft Store for Education.
Question No : 7
You have a new Microsoft 365 subscription.
A user named User1 has a mailbox in Microsoft Exchange Online.
You need to log any changes to the mailbox folder permissions of User1.
Which command should you run? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
To enable auditing for a single mailbox use this PowerShell command: Set-Mailbox username -AuditEnabled $true
Question No : 8
You have a Microsoft 365 subscription. You have a user named User1.
You need to ensure that User1 can place a hold on all mailbox content.
What permission should you assign to User1?
To create a query-based In-Place Hold, a user requires both the Mailbox Search and Legal Hold roles to be assigned directly or via membership in a role group that has both roles assigned. To create an In-Place Hold without using a query, which places all mailbox items on hold, you must have the Legal Hold role assigned. The Discovery Management role group is assigned both roles.
Explanation: https://docs.microsoft.com/en-us/Exchange/permissions/feature-permissions/policy-and-compliance-permissions?view=exchserver-2019
Question No : 9
Your company has a Microsoft 365 subscription.
You need to identify which users performed the following privileged administration tasks:
- Deleted a folder from the second-stage Recycle Bin of Microsoft SharePoint
- Opened a mailbox of which the user was not the owner
- Reset a user password
What should you use?
You can view the required information in the audit logs. The Azure AD audit logs provide records of system activities for compliance. To access the audit report, select Audit logs in the Activity section of Azure Active Directory.
Question No : 10
You have a Microsoft 365 subscription.
You plan to enable Microsoft Azure Information Protection.
You need to ensure that only the members of a group named PilotUsers can protect content.
What should you do?
If you don’t want all users to be able to protect documents and emails immediately by using Azure Rights Management, you can configure user onboarding controls by using the Set-AadrmOnboardingControlPolicy
Question No : 11
Your network contains an on-premises Active Directory domain named contoso.com. The domain contains five domain controllers.
Your company purchases Microsoft 365 and creates a Microsoft Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.
You plan to establish federation authentication between on-premises Active Directory and the Azure AD tenant by using Active Directory Federation Services (AD FS).
You need to establish the federation.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
The on-premises Active Directory domain is named contoso.com. Before you can configure federation authentication between on-premises Active Directory and the Azure AD tenant, you need to add the domain contoso.com to Microsoft 365. You do this by adding a custom domain name.
The next step is to establish the federation. You can configure AD FS by using Azure AD Connect.
Question No : 12
Your company has a Microsoft Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains a user named User1.
You suspect that an imposter is signing in to Azure AD by using the credentials of User1.
You need to ensure that an administrator named Admin1 can view all the sign in details of User1 from the past 24 hours.
To which three roles should you add Admin1? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.
Users in the Security Administrator, Security Reader, Global Reader, and Report Reader roles can view the sign in details.
Question No : 13
Your company has a hybrid deployment of Microsoft 365.
An on-premises user named User1 is synced to Microsoft Azure Active Directory (Azure AD).
Azure AD Connect is configured as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.
User1 cannot change her password from any Microsoft portals because Password Writeback is disabled in the Azure AD Connect configuration.
If the password for User1 is changed in Active Directory, the password will be synchronized to Azure AD because Password Synchronization is enabled in the Azure AD Connect configuration.
Question No : 14
Your network contains a single Active Directory domain and two Microsoft Azure Active Directory (Azure AD) tenants.
You plan to implement directory synchronization for both Azure AD tenants. Each tenant will contain some of the Active Directory users.
You need to recommend a solution for the planned directory synchronization.
What should you include in the recommendation?
There's a 1:1 relationship between an Azure AD Connect sync server and an Azure AD tenant. For each Azure AD tenant, you need one Azure AD Connect sync server installation.
Therefore, we need to deploy two servers that run Azure AD Connect for the two Azure AD tenants.
Each user account can only be synchronized to one Azure AD tenant. Therefore, we need a way of splitting the users between the two Azure AD tenants. Azure AD Connect offers three ways to filter which users get synchronized to an Azure AD tenant. You can use domain-based filtering if you have multiple domains in a forest, attribute-based filtering or OU-based filtering.
Other incorrect answers for this question include:
Question No : 15
You are evaluating the required processes for Project1.
You need to recommend which DNS record must be created before adding a domain name for the project.
Which DNS record should you recommend?
When you add a custom domain to Office 365, you need to verify that you own the domain. You can do this by adding either an MX record or a TXT record to the DNS for that domain.
There are several versions of this question in the exam.
The question has two possible correct answers: