SC-900 Security Fundamentals
This practice exam is designed to assess your readiness for the SC-900 Security, Compliance, and Identity Fundamentals exam. This quiz is NOT intended to simulate the actual exam. It is intended to test your knowledge of the concepts covered on the exam.
1 / 84
Microsoft’s six core privacy principles are:
See “Zero-trust guiding principles” on MS Learn https://docs.microsoft.com/en-us/learn/modules/describe-security-concepts-methodologies/2-describe-zero-trust-methodology?ns-enrollment-type=LearningPath&ns-enrollment-id=learn.wwl.describe-concepts-of-security-compliance-identity
2 / 84
Which of the following encryption types uses a public and private key pair for encrypting and decrypting data?
Asymmetric encryption uses a public key and private key pair. Symmetric encryption uses a single shared key for bulk data encryption. Hashing is a one-way function that does not require a key.
3 / 84
______________ is/are used to implement encryption in transit, such as with HTTPS protocol for secure browsing, or certificate-based authentication on secure wi-fi networks.
TLS, which facilitates HTTPS, uses asymmetric encryption to first establish the identity of one or both parties. Then, it uses asymmetric encryption to exchange a key to a symmetric cipher. However, asymmetric is only used during the initial setup of communication.
4 / 84
Which of the following cyber-attacks aims to exhaust an application's resources, making the application unavailable to legitimate users?
A distributed denial of service (DDoS) attack is a disruptive attack that attempts to exhaust an application's resources, making the application unavailable to legitimate users. DDoS attacks can target any endpoint or service reachable on the Internet.
5 / 84
To implement a defense-in-depth security methodology, which of the given measures will an organization implement?
Distributing the physical location of servers provides added security at the physical layer by mitigating the risk that may come from outages caused by fire, hurricanes, and other disasters. Splitting a network up into multiple sub-networks provides better layered security and is an example of defense in depth at the network layer.
6 / 84
According to the shared responsibility model, which of the following computing models places the most responsibility on the cloud service provider (CSP)?
In the SaaS model, implemented by services such as Office 365, the cloud service provider takes on service management responsibilities beyond configuring the customer's desired user data and device configuration settings.
7 / 84
Which principle of Zero Trust is demonstrated by these services or features?
Just-In-Time and Just-Enough Access (JIT/JEA), Azure AD RBAC and conditional access implement least privilege access. See https://www.microsoft.com/en-us/security/business/zero-trust.
8 / 84
The probability that a given authentication request is not a request by the identity owner is referred to as "user risk".
The two types of risk defined in the Identity Protection feature are user risk and sign-in risk. User risk represents the probability that a given identity or account is compromised. Sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner.
9 / 84
With Privileged Identity Management, users can not only activate their own eligible roles, but if desired, can also self-review their eligible roles during scheduled access reviews.
Privileged Identity Management (PIM) allows users to activate eligible roles themselves, while offering notification of role activation to other admins, as well as optional manager approval. If desired, PIM access reviews can be configured to allow users to self-review, and then automatically apply changes based on user response.
10 / 84
Contoso IT needs to streamline resource provisioning for new employees and new project team members. Which of the following features should they use?
Azure Active Directory (Azure AD) entitlement management is an identity governance feature that enables organizations to manage identity and access lifecycle by streamlining and automating access request workflows to a single request, grouping resources in a single access package. Entitlement management also enables access reviews, request approval, and expiration. See “What is entitlement management?” https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview
11 / 84
Which of the following is not a question answered by Azure AD Identity Governance?
The questions addressed by identity governance are: 1) Which users have access to which resources? 2) What are users doing with access? 3) Are there effective organizational controls for managing that access? and 4) Can auditors verify those controls are working?
12 / 84
Which of the following is not a benefit of Azure AD roles?
While Azure AD roles ease role assignments in delegation scenarios and implementation of least privilege, it is Azure AD Identity Protection that supports detection of user risk and sign-in risk.
13 / 84
Which of the following is not a benefit of Azure AD Conditional Access policies?
While the first three items are benefits of conditional access policies, device compliance policies are implemented through Microsoft Intune.
14 / 84
You need to implement multi-factor authentication for your Azure Active Directory users. However, you only want to prompt for an additional authentication factor when users are not in a trusted location on an unmanaged device. Which feature should you implement? (choose the best answer)
Conditional access policies bring several benefits to authentication and authorization, including enabling selectively prompting users for a secondary authentication factor based on user location, app selection, device compliance or management state, and sign-in risk.
15 / 84
Which of the following statements accurately depicts a difference between Windows Hello and Windows Hello for Business?
Windows Hello is for personal devices, while Windows Hello for Business is for managed devices. Windows Hello for Business can use a key-based or certificate-based authentication factor, where Windows Hello uses a PIN or biometric authentication.
16 / 84
Which of the following is discouraged as a secondary authentication factor due to known vulnerabilities?
Due to vulnerabilities such as SIM swap attacks, SMS (text) message is considered relatively weak as a second factor and is therefore discouraged. Voice call is the one secondary method that cannot be disabled.
17 / 84
Which of the following Azure AD features protects users from password spray attacks, and bans them from using weak passwords in a global list of banned passwords when setting or resetting their password?
Azure AD Password Protection reduces the risk of users setting weak passwords by detecting and blocking known weak passwords from a global banned password list, or also from a customer-maintained custom banned password list.
18 / 84
Which of the following is NOT a feature of Azure AD Self-Service Password Reset (SSPR)?
A user cannot set or reset their password when their account is not enabled.
19 / 84
Which of the following is an advantage of single sign-on?
With single sign-on, a user signs in once and can then access multiple applications or resources. Although a central identity provider can be used by an organization, it isn't a benefit of single sign-on.
20 / 84
The two types of external identities are:
Azure AD B2B allows secure collaboration between organizations leveraging their work accounts. Azure AD B2C is a customer identity access management solution enabling customers to log in to your directory with their social identity (like Google or Facebook).
21 / 84
Which of the following services performs the following functions leveraging event data from your on-premises Active Directory?
See “What is Microsoft Defender for Identity?” https://docs.microsoft.com/en-us/defender-for-identity/what-is
22 / 84
Which of the following is not an Azure AD identity type?
A security principal is not an identity type available in Azure AD. Valid types are user, group, service principal, and managed identities. Security principal more broadly describes any entity that can be authenticated by the Windows OS.
23 / 84
Which of the following cloud solutions provides capabilities such as multifactor authentication (MFA), identity protection, and role-based access control?
Cloud solutions such as Azure Active Directory (Azure AD) provide capabilities such as multifactor authentication, identity protection, and robust role-based access control. Azure Active Directory also provides the ability to provision on-premises and third-party applications such as Box, Concur, Google Apps, Salesforce, and more.
24 / 84
Which of the following types of attack uses a formal email to convince users to sign in and change their password?
A phishing attack is when a hacker sends an email that appears to come from a reputable source. The email contains a credible story, such as a security breach, instructing the user to sign in and change their password. Instead of going to a legitimate website, the user is directed to the scammer’s website where they enter their username and password. A spear phishing attack is a more sophisticated attack designed to target a specific user or group of users.
25 / 84
Which of the following identity attacks attempts to match a username against a list of weak passwords?
A password spray attack attempts to match a username against a list of weak passwords. See “Describe identity principles” on MS Learn: https://docs.microsoft.com/en-us/learn/modules/describe-identity-principles-concepts/2-describe-common-identity-attacks
26 / 84
What is the relationship type that allows federated services to access resources?
Federation relies on a trust relationship to allow access to resources for authenticating entities.
27 / 84
Which of the following is not a service provided by on-premises Active Directory Domain Services (AD DS)?
Active Directory (AD) is a set of directory services developed by Microsoft as part of Windows 2000 for on-premises domain-based networks. It stores information about members of the domain, including devices and users, verifies their credentials, and defines their access rights. However, it does not natively support mobile devices, SaaS, and line of business (LOB) apps that require modern authentication methods. See “Describe the concept of directory services and active directory” https://docs.microsoft.com/en-us/learn/modules/describe-identity-principles-concepts/6-describe-concept-of-directory-services-active-directory.
28 / 84
Azure AD can be configured to allow users to authenticate with their social identities, such as Facebook or Google. In this scenario, Facebook and Google are serving as: (choose the best answer)
In Azure AD, an identity provider maintains and manages identity information while providing authentication services to applications. See “Add an identity provider to your Azure Active Directory B2C tenant” https://docs.microsoft.com/en-us/azure/active-directory-b2c/add-identity-provider
29 / 84
The act of granting an authenticated party permission to do something is:
30 / 84
The process of proving you are who you say you are is:
31 / 84
Which of the following services helps to implement identity as the primary security perimeter? (choose the best answer)
Azure AD Conditional Access policies ensure users meet our requirements for authentication, including MFA. When coupled with Azure AD Identity Protection to ensure acceptable user and sign-in risk, and Intune endpoint protection policies to secure devices, we have a solid layered defense.
32 / 84
The Microsoft Endpoint Manager Admin Center combines services into a single portal, including Intune, Configuration Manager, Desktop Analytics, and Windows Autopilot. You can find this portal at:
You will find the Microsoft Endpoint Manager Admin Center at https://endpoint.microsoft.com.
33 / 84
_________________ policies are designed to enable easy configuration targeting a specific aspect of device security to manage security tasks for devices when those devices are at risk.
Endpoint security policies are designed to enable easy configuration targeting a specific aspect of device security to manage security tasks for devices when those devices are at risk. They are located under the ‘Endpoint security’ node of the Microsoft Endpoint Manager Admin Center. Because they are more narrowly focused than security baselines and configuration profiles, they tend to be easier for novice administrators to manage. See “Manage endpoint security in Microsoft Intune” https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-security.
34 / 84
Microsoft _____ is a cloud-based service that focuses on mobile device management, mobile application management, and endpoint security.
Microsoft Intune is a cloud-based service that focuses on mobile device management, mobile application management, and endpoint security.
35 / 84
_____ are a collection of correlated _____ created when a suspicious _____ is found.
Incidents are a collection of correlated alerts created when a suspicious event is found. Alerts are generated from different types of entities, like devices, users, and mailboxes, and can come from many different domains. See “Incidents in Microsoft 365 Defender” https://docs.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide.
36 / 84
What are the categories shown on the Microsoft 365 security dashboard?
The Microsoft 365 security dashboard shows cards with these categories: identities, data, devices, and apps.
37 / 84
Which secure score focuses on security across identities, apps, and data?
Microsoft Secure Score is a measurement of an organization's security posture across identities, endpoints, and apps. Currently there are recommendations for Microsoft 365 (including Exchange Online), Azure Active Directory, Microsoft Defender for Endpoint, Microsoft Defender for Identity, Cloud App Security, and Microsoft Teams. See “Microsoft Secure Score” https://docs.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
38 / 84
Which portal brings Defender for Endpoint, Defender for Office 365, and Microsoft Cloud App Security data together in a consolidated, unified view and user experience?
Microsoft 365 Security Center is the new home for monitoring and managing security across your Microsoft identities, data, devices, and apps at https://security.microsoft.com.
39 / 84
Which of the following services ingests network traffic logs to dynamically discover and analyze the cloud apps in use within your organization?
The cloud discovery feature in Microsoft Cloud App Security uses your traffic logs to dynamically discover and analyze the cloud apps that your organization is using. To create a snapshot report of your organization's cloud use, you can manually upload log files from your firewalls or proxies for analysis. Or, to set up continuous reports, use Cloud App Security log collectors to periodically forward syslog data from your perimeter network devices, such as firewalls and proxies. See “What is Cloud App Security?” https://docs.microsoft.com/en-us/cloud-app-security/what-is-cloud-app-security
40 / 84
Contoso IT recently implemented Microsoft Defender for Endpoint to better protect its Windows 10 endpoints. Which of the following is a feature of Endpoint behavioral sensors technology?
Microsoft Defender for Endpoint detects advanced threats on your Windows 10 and other endpoints and automates investigation and threat response. See “Microsoft Defender for Endpoint” https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide
41 / 84
Which of these Azure services enables you to run realistic simulated phishing and password attack campaigns in your organization, and train users to raise their awareness of these attacks?
Attack Simulation Training in MS Defender for Office 365 lets you run realistic, but simulated phishing and password attack campaigns in your organization. You can create and run a campaign against some or all users.
42 / 84
Which of the following Azure services monitor users, entity behavior, and activities with learning-based analytics to help protect user identities and credentials stored in on-premises Active Directory?
Microsoft Defender for Identity (formerly Azure Advanced Threat Protection, also known as Azure ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. See “What is Microsoft Defender for Identity?” https://docs.microsoft.com/en-us/defender-for-identity/what-is
43 / 84
Which of the following is not an advantage of Azure Sentinel in providing integrated threat protection to your environment?
App discovery on endpoints to help identify unsanctioned apps is a core function of Microsoft Cloud App Discovery (MCAS), but not a feature of Azure Sentinel.
44 / 84
Which of the following tools help to deliver intelligent, automated, and integrated security across an organization’s domains, such as identities, endpoints, applications, and email?
An XDR system is designed to deliver intelligent, automated, and integrated security across an organization’s domain. It helps prevent, detect, and respond to threats across identities, endpoints, applications, email, IoT, infrastructure, and cloud platforms.
45 / 84
Which of the following tools is used to collect and analyze large amounts of data from across your entire estate, including identity, endpoints, infrastructure, apps, and data to identify and alert on potential security threats?
A security information and event management (SIEM) tool, such as Azure Sentinel, is a tool that an organization uses to collect large amounts of data from across its environment and correlate anomalous and potentially malicious activity to identify security threats.
46 / 84
A security __________ is the implementation of a security benchmark for the specific Azure service.
A baseline is the implementation of a security benchmark for the specific Azure service. A control is a high-level description of the feature or activity and is not specific to a technology. A configuration item exists within a baseline. An access package is an element of entitlement management, and not related to baselines.
47 / 84
The cloud security posture management (CSPM) functionality in Azure Security Center includes:
Cloud security posture management (CSPM) includes foundational (think “Free tier”) features like secure score, detection of security misconfigurations in your Azure workloads, and asset inventory.
48 / 84
You need to provide the following functionality for infrastructure across your on-premises and Azure infrastructure.
Which solution should you recommend?
Azure Defender, when integrated with Azure Security Center, provides a single portal for monitoring Azure and hybrid cloud workload protection and security. Azure Defender includes extended detection and response (XDR) capabilities, and intelligent protection for VMs, web app instances, cloud databases, cloud storage, and more. See “What resource types can Azure Defender secure?”
49 / 84
Which secure score provides visualization of the current security posture of your cloud infrastructure, such as VMs, web app instances, and Azure SQL databases?
See “Secure score in Azure Security Center” https://docs.microsoft.com/en-us/azure/security-center/secure-score-security-controls
50 / 84
Which of the following is NOT a function of Azure Security Center?
Azure Security Center helps you prevent, detect, and respond to threats. It provides increased visibility into and control over the security of your Azure resources. Application Gateway is integrated with Security Center. Security Center scans your environment to detect unprotected web applications. It can recommend Application Gateway WAF to protect these vulnerable resources. However, it is not responsible for storage and retention of diagnostic and audit log data.
51 / 84
Transparent data encryption (TDE) encrypts data in which of the following scenarios?
Learn more in “Describe ways Azure encrypts data” on MS Learn at https://docs.microsoft.com/en-us/learn/modules/describe-basic-security-capabilities-azure/7-describe-ways-azure-encrypts-data
52 / 84
Which of the following Azure services offers protection from the following common attacks cataloged by OWASP?
1. SQL-injection attack
2. Cross-site scripting attack.
3. Cross-origin resource sharing (CORS) attacks.
4. Man-in-the-middle (MITM) attacks.
See “What is Azure Web Application Firewall?” https://docs.microsoft.com/en-us/azure/web-application-firewall/overview
53 / 84
What is the core value proposition of Azure Bastion?
Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS in a web browser. Azure VMs do not need a public IP address to allow RDP/SSH access via Azure Bastion. See “What is Azure Bastion?” https://docs.microsoft.com/en-us/azure/bastion/bastion-overview
54 / 84
Azure Firewall is a fully stateful firewall that offers high availability. High availability must be enabled, and the number of scale instances selected at deployment time.
High availability and unrestricted scalability are built into the solution. There is no need to select and configure scale instances.
55 / 84
The Basic tier of Azure DDoS is free but must be enabled on each subscription.
The Basic tier of Azure DDoS is automatically enabled and protecting all Azure subscriptions by default. See “Azure DDoS protection overview” https://docs.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview.
56 / 84
Your security admin needs to protect Azure resources from DDoS attacks. Which of the given Azure DDoS Protection tiers will help your admin to enhance protection from attacks targeting Azure virtual network resources?
The Standard service tier provides additional mitigation capabilities that are tuned specifically to Microsoft Azure Virtual Network resources.
57 / 84
A network security group (NSG) is comprised of inbound and outbound security rules. Rules are processed in priority order, with lower numbered rules processed _____________ higher numbers.
NSG rules are processed in priority order, with lower numbers processed before higher numbers. When traffic matches a rule, processing stops. This means that any other rules with a lower priority (higher numbers) won't be processed.
58 / 84
_______ is a collection of documentation, implementation guidance, best practices, and tools that are proven guidance from Microsoft designed to accelerate your cloud adoption journey.
The Microsoft Cloud Adoption Framework includes strategy and planning resources, migration guides, a cloud journey tracker, and many other resources to support a strong security posture in all phases of Azure migration and adoption. See “Microsoft Cloud Adoption Framework for Azure” https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/
59 / 84
Which of the following Azure services is used to monitor Azure resources to ensure new and existing deployments are in compliance with the organization’s standards and regulatory requirements?
Azure Policy continuously monitors Azure resources to ensure compliance. The evaluation and reporting cycle is every 24 hours. See “What is Azure Policy?” https://docs.microsoft.com/en-us/azure/governance/policy/overview
60 / 84
The Contoso Cloud Architecture team needs to simplify deployments of new environments in Azure, including Azure Resource Manager (ARM) templates, role-based access, and policies. Which Azure service enables delivery of templates for repeatable deployment and configuration of new subscriptions and environments? (choose the best answer)
Azure Blueprints enables cloud architects to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements. Azure Blueprints makes it possible for development teams to rapidly build and stand up new environments with trust they're building within organizational compliance with a set of built-in components, such as networking, to speed up development and delivery. See “What is Azure Blueprints” https://docs.microsoft.com/en-us/azure/governance/blueprints/overview
61 / 84
You need to prevent accidental deletion of Azure resources in your subscription. Which feature will meet this requirement? (choose the best answer)
Resource locks can prevent unwanted changes or accidental deletion at the subscription, resource group, or even the resource level. See “Lock resources to prevent unexpected changes” https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
62 / 84
Which of the following is a feature of advanced auditing in Microsoft 365?
Advanced Audit helps organizations to conduct forensic and compliance investigations by increasing audit log retention required to conduct an investigation, providing access to crucial events that help determine scope of compromise, and faster access to Office 365 Management Activity API. See “Advanced audit in Microsoft 365” https://docs.microsoft.com/en-us/microsoft-365/compliance/advanced-audit?view=o365-worldwide.
63 / 84
The core audit capabilities of Microsoft 365 enable search across Microsoft 365 services through:
You can use the Microsoft 365 compliance center to search the unified audit log to view user and administrator activity in your organization. See “Search the audit log in the compliance center” https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide.
64 / 84
What is the name of the unified data governance service that enables end-to-end data lineage?
Azure Purview is a unified data governance service that helps you manage and govern your on-premises, multi-cloud, and software-as-a-service (SaaS) data. Easily create a holistic, up-to-date map of your data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage. See “What is Azure Purview?” https://docs.microsoft.com/en-us/azure/purview/overview.
65 / 84
Which of the following is not a feature available only in Advanced eDiscovery workflow?
Advanced eDiscovery workflow builds on the existing core eDiscovery and analytics capabilities. Advanced eDiscovery provides an end-to-end workflow to preserve, collect, analyze, review, and export content that's responsive to your organization's internal and external investigations. You can create a legal hold in core eDiscovery. See “Overview of Microsoft 365 Advanced eDiscovery” https://docs.microsoft.com/en-us/microsoft-365/compliance/overview-ediscovery-20?view=o365-worldwide.
66 / 84
Which of the following is not a feature of core eDiscovery workflow?
Adding data custodians, automating notifications, and jobs are features of advanced eDiscovery. See “Get started with Core eDiscovery in Microsoft 365” https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-core-ediscovery?view=o365-worldwide
67 / 84
The content search tool enables in-place content search across all of the following EXCEPT
You can use the Content search tool in the Microsoft 365 compliance center to quickly find email in Exchange mailboxes, documents in SharePoint sites and OneDrive locations, and instant messaging conversations in Skype for Business. Searching Azure AD audit logs is most often performed directly in Azure AD within the Azure Portal. See “Search for content using the Content search tool” https://docs.microsoft.com/en-us/microsoft-365/compliance/search-for-content?view=o365-worldwide.
68 / 84
What is the core function of eDiscovery feature in Microsoft 365?
eDiscovery is the process of identifying and delivering electronic information that can be used as evidence in legal cases. See “eDiscovery solutions in Microsoft 365” https://docs.microsoft.com/en-us/microsoft-365/compliance/ediscovery?view=o365-worldwide.
69 / 84
What is the purpose of the Customer Lockbox feature of Office 365?
Customer Lockbox ensures that Microsoft cannot access your content to perform a service operation without your explicit approval. See “Customer Lockbox in Office 365” https://docs.microsoft.com/en-us/microsoft-365/compliance/customer-lockbox-requests?view=o365-worldwide.
70 / 84
Which of the following Microsoft 365 compliance features provides granular access control over privileged admin tasks in Microsoft 365?
Privileged access management (PAM) allows granular access control over privileged admin tasks in Office 365. Privileged Identity Management is a feature of Azure AD Identity Governance that manages privileged role access. See “Learn about privileged access management” https://docs.microsoft.com/en-us/microsoft-365/compliance/privileged-access-management-overview?view=o365-worldwide.
71 / 84
Which Microsoft 365 feature enables administrators to define policies to explicitly prevent communication between groups or users within the organization to avoid regulatory breaches and conflict of interest issues?
Information barriers in Microsoft 365 is designed to prevent communication between groups, business units, or individuals that may result in a conflict of interest or regulatory breach. See “Learn about information barriers in Microsoft 365” https://docs.microsoft.com/en-us/microsoft-365/compliance/information-barriers?view=o365-worldwide
72 / 84
Which Microsoft 365 feature is designed to monitor internal user communication for both inadvertent and malicious content that conflicts with corporate policies and standards, such as inappropriate and objectionable language, including obscenities or harassment?
Communication compliance in Microsoft 365 helps minimize communication risks by helping you detect, capture, and act on inappropriate messages in your organization. See “Learn about communication compliance in Microsoft 365” https://docs.microsoft.com/en-us/microsoft-365/compliance/communication-compliance?view=o365-worldwide
73 / 84
Which of the following Microsoft 365 compliance solutions is focused on detecting and acting on unethical, illegal, and malicious behaviors?
Insider risk management helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization. Insider risk policies allow you to define the types of risks to identify and detect in your organization, including acting on cases and escalating cases to Microsoft Advanced eDiscovery if needed. See “Learn about insider risk management in Microsoft 365”: https://docs.microsoft.com/en-us/microsoft-365/compliance/insider-risk-management?view=o365-worldwide
74 / 84
Data loss prevention is a way to ensure sensitive information:
Data loss prevention helps organizations protect sensitive data and reduce risk by giving them a way to prevent their users from inappropriately sharing it with people who should not see it. See “Learn about data loss prevention” https://docs.microsoft.com/en-us/microsoft-365/compliance/dlp-learn-about-dlp?view=o365-worldwide
75 / 84
What is the difference between a document and a record?
Records management in Microsoft 365 helps an organization manage their legal obligations, provides the ability to demonstrate compliance with regulations, and increases efficiency with regular disposition of items that are no longer required to be retained, no longer of value, or no longer required for business purposes. Records management in Microsoft 365 includes notifications, reminders, and disposition reviews so you can ensure deletion is appropriate. See “Learn about records management in Microsoft 365” https://docs.microsoft.com/en-us/microsoft-365/compliance/records-management?view=o365-worldwide
76 / 84
Retention labels are used to assign retention settings at an item level, such as folder, document, or email.
Use a retention policy to assign the same retention settings for content at a site or mailbox level and use a retention label to assign retention settings at an item level (folder, document, email). See “Retention policies and retention labels” https://docs.microsoft.com/en-us/microsoft-365/compliance/retention?view=o365-worldwide
77 / 84
Retention policies are used to assign the same retention settings to content at a __________ level or __________ level.
78 / 84
You use __________ to implement data __________.
Sensitivity labels are used for data classification. Label policies are used for data protection and/or retention. See “Learn about sensitivity labels” https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide
79 / 84
Which of the following contains a snapshot of items (emails, files) that have a sensitivity or retention label applied or have been classified as a sensitive information type?
All data files and email messages associated with alert activities are automatically captured and displayed in the Content Explorer. Activity Explorer allows you to monitor what is being done with labeled content. See “Get started with content explorer” https://docs.microsoft.com/en-us/microsoft-365/compliance/data-classification-content-explorer?view=o365-worldwide
80 / 84
_______ use machine learning to intelligently classify your data.
A Microsoft 365 trainable classifier is a tool you can train to recognize various types of content by giving it samples to look at. Once trained, you can use it to identify items for application of Office sensitivity labels, communication compliance policies, and retention label policies. To learn more about the different types of classifiers, see “Learn about trainable classifiers”.
81 / 84
Which of the following statements describes the difference between Compliance Manager and compliance score?
Compliance Manager provides admins with the capabilities to understand and improve their compliance score so that they can ultimately improve the organization’s compliance posture and help it to stay in line with its compliance requirements.
82 / 84
_____________ measures the progress in completing recommended improvement actions within Compliance Manager.
Compliance score shows the compliance score and will forward admins to the Compliance Manager where they can see a breakdown of the compliance score. Compliance score measures the progress in completing recommended improvement actions within controls. The score helps an organization to understand its current compliance posture and prioritize actions based on their potential to reduce risk. See “Compliance score calculation” https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-score-calculation?view=o365-worldwide
83 / 84
Which of the following is an end-to-end solution in Microsoft 365 Compliance Center that enables admins to manage and track compliance activities?
Compliance Manager is an end-to-end solution in Microsoft 365 Compliance Center to enable admins to manage and track compliance activities. Compliance score is a calculation of the overall compliance posture across the organization.
84 / 84
What is the name of the unified portal that provides easy access to the data and tools you need to manage your organization's compliance needs and track progress?
Microsoft 365 Compliance Center provides centralized access to the tools and other resources admins need to manage and track compliance activities. Compliance score is a calculation of the overall compliance posture across the organization. Compliance Manager is an end-to-end solution in Microsoft 365 Compliance Center to enable admins to manage and track compliance activities.