Microsoft MS-102 Microsoft 365 Administrator Exam Dumps and Practice Test Questions Set 12 Q166-180
Question 166
A company wants to block access to Microsoft 365 apps from unmanaged devices, ensuring that users can only view content in a browser without downloading or printing files. Which solution should the administrator implement?
A) Conditional Access App Control
B) Intune Device Compliance Policies
C) Azure AD Identity Protection
D) OneDrive Storage Quotas
Answer: Conditional Access App Control
Explanation:
The first solution, Conditional Access App Control, allows administrators to enforce session-level restrictions based on device compliance and user status. For unmanaged devices, policies can be configured to allow web-only access, preventing users from downloading, printing, or copying content. This ensures secure access while maintaining productivity, as users can view documents in the browser without compromising sensitive data. Session policies are dynamic, evaluating each access attempt in real time and enforcing restrictions automatically. Logging and auditing features allow organizations to monitor activity and ensure compliance with internal security policies.
The second solution, Intune Device Compliance Policies, enforces that devices meet security standards before granting access to Microsoft 365 apps. While important for protecting managed devices, compliance policies do not provide web-only access controls for unmanaged devices. Users on personal devices could still download or copy content without restrictions, so this approach cannot fully satisfy the requirement.
The third solution, Azure AD Identity Protection, detects risky sign-ins and mitigates compromised accounts. While it improves account security, it does not control session behavior or restrict downloads and printing. Identity Protection cannot enforce web-only access for unmanaged devices, making it insufficient for this scenario.
The fourth solution, OneDrive Storage Quotas, limits the amount of data a user can store but does not control how files are accessed or whether they can be downloaded. Storage quotas do not enforce session restrictions or device compliance and are unrelated to preventing data exfiltration from unmanaged devices.
Conditional Access App Control is the only solution capable of enforcing web-only access and preventing downloads and printing from unmanaged devices. It ensures sensitive data remains protected while allowing secure, browser-based access to Microsoft 365 applications, fully satisfying the organization’s requirements.
Question 167
A company wants to ensure that all Teams chat messages containing personally identifiable information (PII) are automatically flagged and restricted from external sharing. Users must not be able to bypass this restriction. Which solution should the administrator configure?
A) Microsoft Purview Data Loss Prevention (DLP) Policies
B) Teams Messaging Policies
C) Exchange Mail Flow Rules
D) Intune Device Compliance Policies
Answer: Microsoft Purview Data Loss Prevention (DLP) Policies
Explanation:
The first solution allows organizations to automatically detect sensitive data, including personally identifiable information (PII), in Teams chat messages. Microsoft Purview DLP policies can identify predefined sensitive information types, such as social security numbers, government-issued IDs, and other personally identifiable data. Once detected, the policies can block external sharing, restrict message visibility, or apply additional protective measures such as user notifications or encryption. Enforcement occurs in real time at the messaging layer, ensuring users cannot bypass restrictions or inadvertently expose sensitive information. DLP policies also provide logging, auditing, and reporting capabilities to track policy violations and demonstrate regulatory compliance. This solution integrates seamlessly with Microsoft Teams, providing consistent protection across all chat sessions, group messages, and channel conversations. Administrators can customize DLP rules to define thresholds for different types of PII, specify which users or groups the policy applies to, and determine what enforcement actions occur when sensitive content is detected. This automation reduces human error and ensures that critical data is protected without relying on user behavior.
The second solution, Teams Messaging Policies, controls user capabilities such as whether users can delete messages, create new channels, or use chat features. While these policies are valuable for managing functionality and maintaining organizational standards, they do not detect sensitive content or prevent its sharing. Users could still send PII externally if messaging policies alone were implemented, leaving critical data unprotected. Messaging policies provide control over behavior but lack content awareness, making them insufficient to meet the organization’s requirement for automated PII protection.
The third solution, Exchange Mail Flow Rules, is effective for detecting sensitive content in email messages. Mail flow rules can identify specific types of sensitive data and apply actions like encryption or notifications. However, these rules operate solely within Exchange Online and do not extend to Teams chat messages or channel conversations. Because the requirement is to protect PII in Teams, mail flow rules cannot fulfill this scenario. They are effective for email compliance but provide no real-time enforcement or restriction for messaging platforms outside of email.
The fourth solution, Intune Device Compliance Policies, ensures that devices accessing corporate resources meet security standards, such as encryption, OS updates, or antivirus presence. While compliance policies help secure endpoints and prevent risky devices from accessing resources, they do not inspect the content of chat messages or restrict PII sharing. They cannot prevent a compliant device from sending sensitive information externally, meaning they do not address the requirement for content-level protection.
Using Microsoft Purview DLP Policies is the only solution that provides automated detection, real-time enforcement, and prevention of PII exposure within Teams. It ensures that sensitive data is protected regardless of user behavior and integrates with reporting and compliance monitoring. This approach meets regulatory requirements, reduces the risk of data leakage, and maintains the confidentiality of sensitive information across Teams communications.
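A concrete configuration of the Teams-scoped DLP policy the explanation above describes, added here as an example; it is not code from the original page. It assumes the ExchangeOnlineManagement module (Connect-IPPSSession), a Compliance Administrator role, and uses two built-in sensitive information types; the policy and rule names and the policy-tip text are constructed for the example.

```powershell
# Added example (not from the page): a Purview DLP policy scoped to Teams that
# flags PII in chat/channel messages and blocks sharing with people outside the org.
# Assumes: ExchangeOnlineManagement module, Compliance Administrator role.
# Policy/rule names and tip text are constructed for this example.
Connect-IPPSSession

$policyName = "Teams PII - Block External Sharing"

# Policy: Teams workload only. Start in test mode so the first days produce
# audit data and policy tips without blocking anyone.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Flag PII in Teams messages and block sharing outside the org" `
    -TeamsLocation All `
    -Mode TestWithNotifications

# Rule: trigger on built-in sensitive info types, only when the message goes to
# someone outside the organization, and block it. No -NotifyAllowOverride is
# set, so users cannot override the block.
New-DlpComplianceRule -Name "$policyName - PII rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "Credit Card Number";                minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This message contains personal data and cannot be shared outside the organization." `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent All

# Switch to enforcement once the test-mode reports look right.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

# Verification: confirm the workload, mode and blocking settings took effect.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, TeamsLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, BlockAccess, BlockAccessScope, AccessScope, NotifyUser
```

The test-then-enable sequence matters in practice: a rule with minCount 1 on a broad type such as credit card numbers will produce false positives (order numbers, test data), and the audit period is where the counts and the types get tuned before anyone is blocked.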
Question 168
A company wants to prevent external sharing of documents stored in SharePoint Online and OneDrive unless the recipient authenticates using a one-time passcode (OTP). Which solution should the administrator configure?
A) SharePoint and OneDrive External Sharing Settings
B) Conditional Access App Control
C) Azure AD Identity Protection
D) Microsoft Purview Information Rights Management (IRM)
Answer: SharePoint and OneDrive External Sharing Settings
Explanation:
The first solution allows administrators to configure tenant-wide external sharing settings for SharePoint Online and OneDrive for Business. Administrators can specify that only guests who authenticate with a one-time passcode (OTP) are permitted access to shared documents. When a user shares a file, the service emails the external recipient an OTP, which the recipient must enter before gaining access. This ensures that only intended recipients can view the content, even if the link is forwarded or exposed. It also provides auditing and monitoring capabilities, allowing administrators to track sharing activity and maintain compliance. OTP authentication protects against unauthorized access without requiring external users to have Azure AD accounts. The solution is effective for both OneDrive personal files and SharePoint team documents, ensuring consistent enforcement across collaboration environments.
The second solution, Conditional Access App Control, provides session-level restrictions for Microsoft 365 applications, including blocking downloads or monitoring activity in real time. While it can restrict session behavior, it does not control the authentication method for external users or enforce OTP-based access. Conditional Access acts on a session that has already been established rather than on how an external recipient proves who they are, making it insufficient for enforcing OTP requirements.
The third solution, Azure AD Identity Protection, detects risky sign-ins and mitigates compromised accounts. While important for identity security, it does not control external sharing or enforce authentication methods for guest users. Identity Protection cannot prevent unauthorized access to shared files via OTP enforcement.
The fourth solution, Microsoft Purview Information Rights Management (IRM), applies encryption and usage restrictions to files and documents. IRM can prevent copying, printing, or forwarding but does not control the sharing authentication method. IRM does not generate OTP codes or restrict external sharing based on authentication, so it cannot meet the requirement for OTP-based external access.
Using SharePoint and OneDrive External Sharing Settings is the only solution capable of enforcing OTP authentication for external recipients. It ensures secure, auditable sharing while maintaining user productivity, protecting sensitive content, and meeting organizational compliance requirements.
Question 169
A company wants to block access to Microsoft 365 apps from unmanaged devices while allowing web-only access. Users should not be able to download, print, or copy files when using personal devices. Which solution should the administrator deploy?
A) Conditional Access App Control
B) Intune Device Compliance Policies
C) Azure AD Password Protection
D) OneDrive Storage Quotas
Answer: Conditional Access App Control
Explanation:
The first solution provides real-time session management for Microsoft 365 applications. Conditional Access App Control can detect whether a device is managed or unmanaged and enforce web-only access for unmanaged devices. When users access resources from personal devices, session policies can block downloads, printing, or copying of files while allowing browser-based viewing. The enforcement is dynamic, evaluating each session in real time, which ensures that corporate data remains secure regardless of device type. Logging and auditing features provide administrators with detailed activity reports, helping enforce compliance policies and monitor data access patterns. This approach protects sensitive files from being exfiltrated while maintaining productivity for users on unmanaged devices.
The second solution, Intune Device Compliance Policies, evaluates whether a device meets security standards, such as encryption, antivirus, or OS updates. While important for securing managed devices, compliance policies do not enforce web-only access or prevent downloads and printing for unmanaged devices. Users on personal devices could bypass controls if only compliance policies were applied.
The third solution, Azure AD Password Protection, prevents users from setting weak or compromised passwords. Although this enhances account security, it does not restrict access modes, session behavior, or file downloads. It cannot enforce web-only access for unmanaged devices.
The fourth solution, OneDrive Storage Quotas, limits the storage a user can consume but does not control access, session behavior, or downloads. Storage quotas cannot prevent data exfiltration or enforce browser-only access, making this solution insufficient.
Conditional Access App Control is the only solution capable of enforcing real-time, web-only access for unmanaged devices. It prevents downloading, printing, and copying while allowing secure access in a browser, ensuring corporate data is protected while enabling productivity.
Question 170
A company wants to ensure that all sensitive documents uploaded to SharePoint Online automatically receive a classification label and encryption based on content, such as HR or financial data. Users must not be able to bypass these protections. Which solution should the administrator configure?
A) Microsoft Purview Sensitivity Labels with Auto-Labeling
B) SharePoint Site Sharing Settings
C) Intune Device Compliance Policies
D) Microsoft Defender for Cloud Apps Session Policies
Answer: Microsoft Purview Sensitivity Labels with Auto-Labeling
Explanation:
Microsoft Purview Sensitivity Labels with auto-labeling policies provide a comprehensive and automated approach for protecting sensitive content in SharePoint Online. In modern organizations, the volume of digital information is rapidly increasing, and much of this content contains confidential or regulated data. Documents such as employee records, payroll files, financial statements, legal agreements, or personally identifiable information are frequently stored in collaborative platforms like SharePoint Online. Protecting this information is critical for maintaining regulatory compliance, safeguarding privacy, and preventing accidental or intentional data breaches. The first solution addresses these challenges by automatically classifying and securing documents based on their content, without relying on manual intervention from users.
Auto-labeling works by analyzing document content against predefined sensitive information types or custom patterns created by administrators. Prebuilt types include categories such as social security numbers, credit card information, health records, or financial account numbers. Administrators can also define custom patterns tailored to the organization’s specific data handling requirements. Once the system detects sensitive content in a file or document, the appropriate sensitivity label is applied automatically. These labels enforce encryption, restrict access to specific users or groups, and prevent actions such as copying, downloading, or sharing outside authorized channels. Because enforcement occurs at the moment content is uploaded or modified, it ensures that protections are applied consistently and cannot be bypassed by end users, which is a key factor for organizations with strict regulatory obligations or high volumes of sensitive information.
The automation provided by Microsoft Purview Sensitivity Labels significantly reduces reliance on user compliance. Manual classification of content often results in inconsistent protection because users may forget to apply labels, misclassify information, or fail to follow organizational policies due to oversight or lack of training. With auto-labeling, the responsibility of detecting and protecting sensitive content shifts from the user to the system, resulting in a more reliable and uniform application of security measures. This is particularly important for large organizations where employees frequently create, upload, or modify content across multiple departments, increasing the risk of accidental data exposure.
Logging and reporting are integral components of this solution, providing visibility into the application of sensitivity labels. Compliance teams can monitor which files have been labeled, track any attempted policy violations, and generate audit reports to demonstrate adherence to regulatory standards. These capabilities support ongoing compliance efforts with frameworks such as GDPR, HIPAA, PCI DSS, or industry-specific privacy and security standards. Audit logs also help organizations identify potential gaps in labeling policies or unusual access patterns, allowing proactive adjustments to security controls.
Alternative solutions, such as SharePoint Site Sharing Settings, offer some level of access control but lack content awareness. Site-level permissions can restrict who can view or edit files within a site or library, but they do not automatically detect or classify sensitive information. Users could still upload confidential documents without encryption or protection unless permissions are manually adjusted. This approach relies heavily on administrative oversight and does not provide the proactive content-level security required for organizations handling regulated data. While site-level sharing settings are useful for coarse-grained access control, they are insufficient for ensuring that sensitive content is consistently protected across the platform.
Intune Device Compliance Policies focus on securing devices rather than content. They evaluate whether devices accessing corporate resources meet security requirements such as encryption, operating system updates, antivirus protection, and other compliance standards. While device compliance policies are important for protecting the environment, they do not inspect the content stored in SharePoint or automatically apply classification and encryption to documents. A compliant device does not guarantee that uploaded content is adequately protected, making device compliance alone inadequate for organizations aiming to prevent accidental exposure of sensitive information.
Microsoft Defender for Cloud Apps Session Policies provide session-level monitoring and controls. These policies can restrict downloads, block risky actions, or monitor user activity in real time. Although they are valuable for detecting and preventing certain types of data exfiltration, session policies are reactive rather than proactive. They do not automatically classify or encrypt files based on sensitive content, and the protections are limited to the session in which they are applied. Once content leaves the controlled session environment, the protections may no longer be in effect, making this approach insufficient as a comprehensive content security solution.
By leveraging Microsoft Purview Sensitivity Labels with auto-labeling, organizations ensure that sensitive documents in SharePoint Online are consistently identified, classified, and protected without relying on end-user actions. This solution provides persistent, content-level security that aligns with compliance requirements, mitigates the risk of accidental data exposure, and supports secure collaboration across the organization. Unlike site-sharing settings, device compliance policies, or session-based controls, auto-labeling combines automated detection, enforcement, auditing, and reporting to create a proactive and comprehensive data protection strategy. It enables organizations to protect confidential information effectively while maintaining productivity and compliance across their SharePoint Online environment.
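The label-plus-auto-labeling setup described above, written out as an added example (not code from the original page). It assumes the ExchangeOnlineManagement module (Connect-IPPSSession) and a Compliance Administrator role; the label name, the HR group address and the policy name are placeholders, and the two sensitive information types are built-in ones chosen for illustration.

```powershell
# Added example (not from the page): a sensitivity label that encrypts HR
# documents, and a service-side auto-labeling policy that applies it to files
# in SharePoint Online when HR-type PII is detected.
# Assumes: ExchangeOnlineManagement module (Connect-IPPSSession), Compliance
# Administrator role. Label name, group address and policy name are placeholders.
Connect-IPPSSession

$labelName  = "HR-Confidential"
$policyName = "Auto-label HR documents"

# 1. The label: encryption on, usage rights granted only to the HR group,
#    no content expiry, 7 days of offline access before a re-check is required.
New-Label -Name $labelName -DisplayName "HR Confidential" `
    -Tooltip "Employee records, payroll and other HR data" `
    -ContentType "File, Email" `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "hr-staff@contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL" `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -EncryptionOfflineAccessDays 7

# 2. The auto-labeling policy: SharePoint only, simulation mode first so the
#    matches can be reviewed before any file is actually encrypted.
New-AutoSensitivityLabelPolicy -Name $policyName `
    -ApplySensitivityLabel $labelName `
    -SharePointLocation All `
    -Mode TestWithoutNotifications

# 3. The rule: what counts as HR content. Built-in sensitive info types;
#    raise minCount if a lone matching number in unrelated files causes noise.
New-AutoSensitivityLabelRule -Name "$policyName - HR PII" -Policy $policyName `
    -Workload SharePoint `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "U.S. Bank Account Number";          minCount = "1" }
    )

# 4. After reviewing the simulation results, turn enforcement on.
Set-AutoSensitivityLabelPolicy -Identity $policyName -Mode Enable

# Verification
Get-Label -Identity $labelName |
    Format-List Name, EncryptionEnabled, EncryptionProtectionType
Get-AutoSensitivityLabelPolicy -Identity $policyName |
    Format-List Name, Mode, SharePointLocation
```

Because the label carries encryption, the simulation step is not optional housekeeping: once a file is encrypted to the HR group, users outside that group lose access immediately, so reviewing the simulated matches is what prevents an over-broad rule from locking other departments out of their own documents.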
Question 171
A company wants to prevent external sharing of Teams files unless the recipient authenticates with a one-time passcode (OTP). Guests should not require an Azure AD account, but unauthorized users must be blocked. Which solution should the administrator configure?
A) SharePoint and OneDrive External Sharing Settings
B) Conditional Access App Control
C) Azure AD Identity Protection
D) Microsoft Purview Information Rights Management (IRM)
Answer: SharePoint and OneDrive External Sharing Settings
Explanation:
SharePoint and OneDrive External Sharing Settings provide a robust framework for managing and securing collaboration with external users, particularly in scenarios where organizations need to share sensitive content with partners, vendors, or clients who may not have Azure Active Directory (Azure AD) accounts. By configuring external sharing policies at both the tenant and site level, administrators can exert granular control over who can access organizational content and under what conditions. One of the most effective mechanisms for secure external collaboration is the use of one-time passcodes (OTP), which allows external recipients to authenticate without requiring a full Azure AD account. When a file or folder is shared externally, the system automatically sends a one-time passcode to the recipient via email. The user must enter this code to access the shared content, ensuring that only the intended recipient can open the document, thereby reducing the risk of unauthorized access or accidental data exposure.
This approach allows organizations to collaborate securely with external parties while maintaining high levels of user productivity. OTP authentication removes the barrier of requiring an Azure AD account for every guest user, which can be cumbersome and time-consuming for one-off collaborations or interactions with external vendors. By allowing secure access through OTPs, organizations can streamline workflows and ensure that collaboration remains efficient. The external sharing settings in SharePoint and OneDrive are enforced at the platform level, meaning that these policies are automatically applied and cannot be bypassed by individual users. This consistency is crucial for protecting sensitive information, as it ensures that all externally shared content adheres to organizational security standards and compliance requirements.
Another significant benefit of SharePoint and OneDrive external sharing configurations is the detailed auditing and logging capabilities that are built into the system. Every external sharing event is recorded, providing administrators with visibility into which documents were shared, who accessed them, and when the activity occurred. This audit trail is critical for compliance and governance purposes, allowing organizations to monitor sharing practices, identify anomalies, and respond quickly to potential security incidents. Detailed logs support regulatory compliance for standards such as GDPR, HIPAA, and other industry-specific data protection frameworks by demonstrating that proper controls were in place and consistently enforced when sensitive information was shared externally.
While Conditional Access App Control is a valuable tool for session-based security, its capabilities differ from those of SharePoint and OneDrive external sharing settings. Conditional Access App Control can enforce restrictions such as blocking downloads, limiting printing, or monitoring session activity in real time, which is highly effective for managing internal or authenticated external sessions. However, it does not provide the ability to enforce OTP-based authentication for guest users. It also does not control access at the content-sharing level, which means it cannot satisfy the requirement to allow external users to authenticate using a one-time passcode before gaining access to shared files. As a result, while it enhances session security, Conditional Access App Control is insufficient on its own for scenarios that require secure OTP-based guest collaboration.
Similarly, Azure AD Identity Protection focuses on protecting user accounts by detecting risky sign-ins, compromised credentials, and other potential identity-based threats. While it strengthens the security posture of an organization by reducing account-related risks, it does not provide mechanisms to manage document sharing or enforce authentication for external recipients. Identity Protection cannot control who receives shared files in SharePoint or OneDrive, nor can it ensure that a guest user entering a one-time passcode is the intended recipient of the content. Its primary purpose is identity security rather than document-level access management, making it an incomplete solution for secure external collaboration.
Microsoft Purview Information Rights Management (IRM) offers encryption and usage restrictions on documents and emails, preventing actions such as copying, printing, or forwarding. While IRM provides robust protection for the content itself, it does not manage external authentication processes. IRM cannot enforce that an external user must enter a one-time passcode to gain access to a document, and it does not provide the guest access controls required to prevent unauthorized sharing. It is effective for controlling document usage but cannot address the specific requirement of OTP-based authentication for external collaboration.
By contrast, SharePoint and OneDrive External Sharing Settings are purpose-built to address this precise need. They combine secure access management, auditing, and productivity considerations in a single solution. Organizations can configure policies at the tenant level to set default behaviors for external sharing, such as limiting sharing to authenticated users, enabling OTP verification, or restricting sharing with specific domains. At the site level, administrators can fine-tune access to sensitive libraries or folders, ensuring that only intended external users can view or interact with critical content. This layered approach allows organizations to balance security, compliance, and usability effectively, without requiring every external collaborator to have an Azure AD account.
In conclusion, SharePoint and OneDrive External Sharing Settings with OTP authentication provide a complete, auditable, and secure method for enabling external collaboration. They ensure that sensitive content is protected, allow external users to authenticate seamlessly, and maintain compliance through detailed logging and enforceable platform-level policies. Unlike Conditional Access App Control, Azure AD Identity Protection, or Microsoft Purview IRM, this solution directly addresses the requirement to authenticate external users with one-time passcodes while maintaining productivity and security across the organization.
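The tenant-level and site-level settings discussed in Question 168 and Question 171, as an added example that is not part of the original page. Teams channel files are stored in SharePoint and chat files in OneDrive, so the same settings govern Teams file sharing. It assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint Administrator role; the tenant URL, site URL and partner domain are placeholders.

```powershell
# Added example (not from the page): SharePoint Online / OneDrive external
# sharing settings that require guests to verify with an emailed one-time
# passcode, without needing an Azure AD account.
# Assumes: Microsoft.Online.SharePoint.PowerShell module, SharePoint
# Administrator role. Tenant URL, site URL and domain are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Allow sharing only with external users who authenticate. This removes the
#    "Anyone" (anonymous) link option, which would bypass OTP verification.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# 2. Require email verification (OTP) for guests, make them re-verify every
#    15 days, and allow an invitation to be redeemed only by the invited address.
Set-SPOTenant -EmailAttestationRequired $true `
              -EmailAttestationReAuthDays 15 `
              -RequireAcceptingAccountMatchInvitedAccount $true

# 3. Default new sharing links to "specific people", so a forwarded link is
#    useless to anyone who was not named on it.
Set-SPOTenant -DefaultSharingLinkType Direct

# 4. Optional: restrict guest sharing to approved partner domains.
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner.example"

# 5. Site-level override: a site may be stricter than the tenant, never looser.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/HR" `
            -SharingCapability Disabled

# Verification
Get-SPOTenant | Select-Object SharingCapability, EmailAttestationRequired,
    EmailAttestationReAuthDays, RequireAcceptingAccountMatchInvitedAccount,
    DefaultSharingLinkType, SharingDomainRestrictionMode
```

Step 1 is the one most often missed: as long as anonymous "Anyone" links remain enabled, a user can still create a link that no passcode protects, and the OTP requirement in step 2 only applies to links that name a recipient.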
Question 172
A company wants to block access to Microsoft 365 apps from unmanaged devices while allowing web-only access. Users should not be able to download, print, or copy files from personal devices. Which solution should the administrator implement?
A) Conditional Access App Control
B) Intune Device Compliance Policies
C) Azure AD Password Protection
D) OneDrive Storage Quotas
Answer: Conditional Access App Control
Explanation:
Conditional Access App Control provides organizations with a comprehensive framework for managing and securing access to Microsoft 365 applications in real time. Unlike traditional access management tools that rely solely on pre-configured permissions, Conditional Access App Control evaluates each user session dynamically, considering factors such as device compliance, location, risk level, and whether the device is managed or unmanaged. This session-level evaluation is critical in modern work environments where employees often access corporate data from personal or non-corporate devices, sometimes outside of the secure perimeter of the corporate network. By differentiating between managed and unmanaged devices, organizations can enforce appropriate security policies without unnecessarily restricting user productivity.
For unmanaged devices, Conditional Access App Control can enforce web-only access policies. These policies allow users to view content within a browser but prevent them from performing actions that could compromise sensitive corporate data, such as downloading files, copying content, or printing documents. This approach is particularly important for organizations that share critical resources through SharePoint, OneDrive, or Teams, as it mitigates the risk of data exfiltration when employees access files from personal laptops, tablets, or other unmanaged endpoints. By limiting the ability to extract data while still permitting necessary access, Conditional Access App Control strikes a balance between security and usability, ensuring that users can remain productive even when working outside of fully managed environments.
The enforcement of these policies is dynamic and occurs in real time as users initiate sessions. Policies can be tailored to respond to a variety of contextual conditions, including the type of device being used, the network location, and the user’s risk profile based on behavior analytics or identity threat intelligence. This dynamic approach ensures that security measures are always relevant and responsive, rather than static rules that may become outdated or circumvented. In addition to preventing risky actions, the solution provides detailed logging and auditing features. Administrators and security teams can monitor session activity, identify attempts to bypass controls, and generate reports that support compliance with regulatory frameworks or internal security standards. This level of visibility enables organizations to detect unusual activity quickly, investigate potential incidents, and ensure consistent policy enforcement across the enterprise.
Intune Device Compliance Policies complement Conditional Access App Control by ensuring that corporate devices meet baseline security requirements. These policies evaluate whether devices are encrypted, running supported operating systems, have up-to-date antivirus software, and meet other organizational security standards. While these measures are critical for maintaining a secure fleet of managed devices, they do not address the unique challenges posed by unmanaged endpoints. Device compliance policies alone cannot prevent an employee from downloading or printing sensitive information when using a personal device. Therefore, while Intune is an important component of endpoint security, it is insufficient on its own to enforce web-only access or protect corporate data on unmanaged devices.
Azure AD Password Protection is another layer of security focused on identity protection. By preventing the use of weak or compromised passwords, it strengthens user accounts against credential-based attacks. However, it does not provide session-level control over file access or restrict the ability to download or copy content from unmanaged devices. Password protection improves authentication security but cannot enforce web-only access or prevent data exfiltration, making it unsuitable for scenarios where controlling how content is accessed is critical.
OneDrive Storage Quotas, while useful for managing storage resources and preventing users from exceeding allocated limits, also fail to address the security challenge posed by unmanaged devices. Storage quotas do not limit user actions such as downloading, printing, or copying content. They do not differentiate between managed and unmanaged devices, nor do they provide real-time session controls. As a result, storage quotas are incapable of preventing unauthorized access or ensuring that sensitive corporate information remains secure when accessed from personal endpoints.
Conditional Access App Control is the only solution that effectively meets the requirement to secure corporate data on unmanaged devices while maintaining user productivity. It enables organizations to enforce web-only access policies, prevent downloads, printing, and copying, and apply these controls dynamically based on real-time session evaluation. Additionally, it provides comprehensive auditing and monitoring capabilities, allowing compliance teams to track activity and respond to potential violations proactively. By combining these features, Conditional Access App Control ensures that sensitive corporate data remains protected without disrupting business operations, addressing the complete set of security and productivity requirements in modern hybrid and remote work environments.
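The unmanaged-device policy pair that Questions 166, 169 and 172 describe, as an added example that is not code from the original page: one policy sends browser sessions from unmanaged devices through Conditional Access App Control with downloads blocked, the other blocks desktop and mobile clients from those devices so the browser is the only route in. It assumes the Microsoft.Graph PowerShell SDK, a Conditional Access Administrator role, a Microsoft Defender for Cloud Apps licence, and uses a placeholder break-glass group id.

```powershell
# Added example (not from the page): Conditional Access policies for web-only
# access from unmanaged devices via Conditional Access App Control.
# Assumes: Microsoft.Graph PowerShell SDK, Conditional Access Administrator
# role, Defender for Cloud Apps licence. The group id is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder

# "Unmanaged" here means neither Intune-compliant nor Entra hybrid joined.
$unmanagedDeviceFilter = @{
    mode = "include"
    rule = 'device.isCompliant -ne True -and device.trustType -ne "ServerAD"'
}

# Policy 1: browser access from unmanaged devices is allowed, but the session is
# proxied by Conditional Access App Control with the built-in "block downloads"
# preset. Print and copy restrictions are defined on the session policy in the
# Defender for Cloud Apps portal, which this control hands the session to.
$webOnly = @{
    displayName = "Unmanaged devices - browser only, block downloads"
    state       = "enabledForReportingButNotEnforced"   # report-only first
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser")
        devices        = @{ deviceFilter = $unmanagedDeviceFilter }
    }
    sessionControls = @{
        cloudAppSecurity = @{ isEnabled = $true; cloudAppSecurityType = "blockDownloads" }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $webOnly

# Policy 2: the same devices get no desktop/mobile client access at all, which
# closes the sync-client path that would otherwise bypass the browser controls.
$blockClients = @{
    displayName = "Unmanaged devices - block desktop and mobile apps"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
        devices        = @{ deviceFilter = $unmanagedDeviceFilter }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockClients

# Verification: list both policies and their state.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like "Unmanaged devices*" } |
    Select-Object DisplayName, State
```

Both policies are created in report-only state on purpose: the sign-in logs then show which users and devices would have been affected, and the policies are switched to "enabled" only after the break-glass exclusion and the device filter have been confirmed against real traffic.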
Question 173
A company wants to ensure that all emails containing sensitive customer data sent from the Sales department are encrypted automatically and cannot be forwarded externally. Which solution should the administrator deploy?
A) Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels
B) Microsoft Defender Safe Links Policies
C) Exchange Online Journaling Rules
D) Microsoft Purview Data Loss Prevention (DLP) Policies
Answer: Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels
Explanation:
The first solution establishes a structured and automated approach for securing outgoing email communication by inspecting message content and applying encryption whenever sensitive customer information is detected. Exchange Mail Flow Rules operate at the transport layer of Exchange Online, which means that every outgoing message is evaluated before it leaves the organization. These rules can scan the email body, subject line, headers, and all attachments in real time. When integrated with Microsoft Purview Sensitivity Labels, the system gains the ability to identify sensitive information types such as customer addresses, payment card data, account numbers, loan or financial documents, proprietary datasets, or confidential correspondence. The detection is based on predefined classifiers as well as custom patterns that organizations can configure to align with their regulatory and operational needs.
Once a message meets the criteria defined in the policy, the configured sensitivity label is automatically applied. Sensitivity labels allow administrators to enforce powerful protections including encryption, watermarking, access restrictions, and rights management. Encryption ensures that only intended recipients with authenticated access can open the message. Rights management policies restrict actions such as copying, printing, forwarding, or saving an unprotected version of the email. Because these controls are enforced at the moment the message is sent and handled by the Exchange transport pipeline, users cannot bypass or disable them. This ensures consistent protection regardless of user awareness, technical expertise, or intent.
Administrators can configure these rules to apply only to specific teams or departments, such as Sales, Customer Support, Finance, or Legal. This allows the organization to enforce more stringent controls on groups that routinely handle sensitive customer data. Mail Flow Rules also generate detailed reports and logs, enabling compliance teams to track policy enforcement, review which messages were protected, and investigate any potential anomalies or violations. This visibility is essential for maintaining compliance with GDPR, PCI-DSS, HIPAA, and other regulatory frameworks that require strong data protection measures and demonstrable oversight.
The automation provided by this approach significantly reduces the dependency on individual users to manually classify emails or remember to apply encryption. Human error remains one of the leading causes of accidental data breaches, especially in fast-paced environments where employees may be sending dozens or hundreds of messages daily. Automation ensures that sensitive information is consistently identified and protected without disrupting user productivity. It also supports organizational policies that mandate encryption of regulated data but must be implemented without creating unnecessary friction for employees.
The second solution, Microsoft Defender Safe Links Policies, plays an important role in enhancing email and collaboration security by scanning URLs at the time of click to prevent phishing attacks or malware infections. While it strengthens user protection against malicious links, Safe Links does not evaluate content for sensitive information. It cannot identify customer data, does not apply encryption, and provides no mechanism for restricting forwarding or copying. As such, Safe Links cannot satisfy the requirement for protecting sensitive outbound messages. Safe Links is an excellent layer of security for threat protection, but it is unrelated to content classification or rights-based email encryption.
The third solution, Exchange Online Journaling Rules, is designed to support compliance, auditing, and long-term retention requirements. Journaling captures a copy of every message and sends it to a specified archive or external compliance storage system. While this is valuable for maintaining records, ensuring eDiscovery readiness, or meeting legal hold requirements, journaling does not apply protection to the message itself. It does not identify sensitive content, nor does it block forwarding or restrict printing. The primary purpose of journaling is to preserve communications, not to secure them during transmission.
The fourth solution, Microsoft Purview Data Loss Prevention (DLP) Policies, can detect sensitive information across email, SharePoint, Teams, and other Microsoft 365 services. DLP can block messages, notify users, or require justification before sending. However, DLP is not optimized for automatically applying encryption with forwarding restrictions in every scenario. In many cases, DLP prompts users to take action or displays policy tips, which still relies partly on user behavior. Although DLP can complement encryption policies, it does not independently fulfill the requirement for automatic encryption and rights protection without user involvement.
By combining Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels, organizations achieve a robust and automated email protection system. Sensitive customer data is identified reliably, encryption is applied consistently, forwarding and copying are restricted, and compliance is maintained without requiring end-user intervention. This solution delivers comprehensive, proactive, and enforceable protection aligned with both organizational needs and regulatory obligations.
Question 174
A company wants to prevent the accidental sharing of Social Security numbers and other PII in Teams messages and SharePoint documents. Users must be notified when they attempt to share this information. Which solution should the administrator configure?
A) Microsoft Purview Data Loss Prevention (DLP) Policies
B) Teams Messaging Policies
C) Exchange Mail Flow Rules
D) Intune Device Compliance Policies
Answer: Microsoft Purview Data Loss Prevention (DLP) Policies
Explanation:
The first solution allows organizations to automatically detect sensitive data, such as Social Security numbers, in Teams messages and SharePoint documents. Microsoft Purview DLP policies can be configured to identify predefined sensitive information types, including personally identifiable information (PII). When users attempt to send messages or share documents containing this data, the DLP policies can block the action or alert users in real time, notifying them of the policy violation. This proactive notification educates users about compliance requirements and reduces accidental exposure of sensitive data. Enforcement occurs at the content layer across multiple platforms, including Teams, SharePoint, OneDrive, and Exchange, ensuring consistent protection across the organization. DLP also provides auditing and reporting capabilities, enabling compliance teams to track policy violations, generate reports, and monitor attempts to share sensitive information. By automating detection and enforcement, organizations can maintain regulatory compliance while reducing reliance on user awareness or manual intervention.
Teams Messaging Policies primarily manage user capabilities within Teams, such as allowing or preventing message deletion, creating channels, or using chat features. While useful for controlling functionality and behavior, these policies cannot detect or restrict the sharing of sensitive content, nor can they notify users when PII is shared. Therefore, messaging policies alone cannot satisfy the requirement.
Exchange Mail Flow Rules are effective for email content, allowing administrators to detect sensitive information and apply encryption, block delivery, or notify senders. However, they do not extend to Teams messages or SharePoint documents. Because the requirement is to protect PII in real-time collaboration and document sharing, mail flow rules are insufficient.
Intune Device Compliance Policies enforce security standards on devices, ensuring encryption, updates, and antivirus presence. Although compliance policies secure devices, they do not monitor or prevent the sharing of sensitive content within Teams or SharePoint. Users could still attempt to share Social Security numbers or other PII from compliant devices, making this solution ineffective for content protection.
Using Microsoft Purview DLP Policies is the only approach that can automatically detect sensitive content, block unauthorized sharing, notify users, and provide reporting for compliance teams. This ensures PII remains protected, reduces accidental data exposure, and maintains consistent enforcement across Teams and SharePoint.
Question 175
A company wants to prevent external users from downloading or printing documents stored in SharePoint Online or OneDrive, while still allowing internal users full access. Which solution should the administrator implement?
A) Conditional Access App Control
B) Intune Device Compliance Policies
C) Microsoft Purview Sensitivity Labels
D) OneDrive Storage Quotas
Answer: Conditional Access App Control
Explanation:
Conditional Access App Control offers a dynamic and highly adaptable method for securing corporate data, particularly in scenarios where an organization needs to collaborate with external partners while preventing data leakage. This solution enables administrators to implement session-level controls for cloud applications such as SharePoint Online and OneDrive for Business. These controls operate in real time and evaluate each session individually, allowing organizations to enforce different security rules depending on whether a user is internal, external, or identified as high-risk. When external users access shared documents, Conditional Access App Control can restrict their ability to download, print, or copy files while still permitting them to view the content in their browser. This balanced approach ensures that collaboration remains possible without giving external individuals the ability to extract or misuse sensitive data.
One of the strengths of Conditional Access App Control is its capability to detect and classify user contexts during each session. Organizations can define detailed rules based on factors such as user identity, device type, IP address, geographic location, and sign-in risk level. For example, employees using corporate devices from approved networks may be given full access, while external contractors or guest users may be limited to web-only viewing. This nuanced method allows organizations to maintain productivity internally while maintaining stringent safeguards when interacting with outside entities. Because these policies operate at the session level, they can adapt instantly as conditions change, offering a layer of protection that remains consistent and responsive to emerging risks.
Beyond its protective features, Conditional Access App Control also provides extensive monitoring capabilities. Administrators can view real-time activity logs, track which documents have been accessed, and observe any attempts to bypass restrictions. This level of visibility supports compliance initiatives and strengthens the organization’s ability to detect potentially risky behavior early. The logging capabilities are valuable for audit trails, internal investigations, and regulatory reporting, making the solution suitable for industries where accountability and transparency are essential.
Intune Device Compliance Policies, while highly important for securing the devices used to access corporate resources, do not offer the same level of control over session behavior. Compliance policies focus on whether a device meets specific security standards, such as encryption, OS version, antivirus status, or password requirements. Although these measures reduce the likelihood that compromised or unsafe devices will access corporate systems, they do not prevent downloads, printing, or copying during a session. Even if a device is fully compliant, a user could still extract sensitive data unless additional controls are in place. Because external users typically use their own personal devices, Intune compliance requirements often cannot be enforced for them. This limitation makes device compliance insufficient as a standalone solution for protecting data in external collaboration scenarios.
Microsoft Purview Sensitivity Labels are another strong security tool, designed to classify and protect content at the file level. They can encrypt documents and restrict actions, including editing, printing, and copying. While these capabilities offer persistent protection regardless of where the file travels, sensitivity labels are not inherently adaptive based on the user’s identity or context. Applying strict labels to all content may hinder internal users who legitimately need full access. To differentiate between internal and external users, additional configuration would be required, and even then, sensitivity labels do not enable the dynamic, session-based controls that Conditional Access App Control provides. Sensitivity labels ensure long-term data security, but they do not replace the need for real-time access restrictions during active collaboration.
OneDrive Storage Quotas focus on limiting how much data a user can store in their OneDrive account. While useful for managing storage resources and preventing hoarding of unnecessary files, storage quotas have no relation to session control or data protection. They do not prevent downloading, printing, or copying of files, nor do they distinguish whether a user is internal or external. Storage quotas also do not provide any mechanisms for preventing data exfiltration or securing sensitive information during file access. As such, they are entirely unrelated to the organization’s requirement to restrict external users from downloading or printing shared files.
Given these distinctions, Conditional Access App Control stands out as the only solution capable of enforcing session-level restrictions specifically for external users while allowing internal users to work without limitations. It offers a flexible, real-time protection strategy that ensures corporate data remains safeguarded during external collaboration. This approach supports both operational efficiency and security, enabling organizations to maintain open communication with partners and clients without risking unauthorized data exposure.
Question 176
A company wants to ensure that all emails containing credit card information are automatically encrypted when sent externally, and that users cannot bypass this encryption. Which solution should the administrator implement?
A) Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels
B) Microsoft Defender Safe Links Policies
C) Exchange Online Journaling Rules
D) Microsoft Purview Data Loss Prevention (DLP) Policies
Answer: Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels
Explanation:
The first solution provides a mechanism to automatically inspect emails for sensitive financial information such as credit card numbers and apply encryption before the messages leave the organization. Exchange Mail Flow Rules evaluate message metadata, body content, and attachments in real time. When combined with Microsoft Purview Sensitivity Labels, the system can detect credit card numbers and automatically apply encryption with rights management restrictions. These restrictions can prevent recipients from forwarding, copying, or printing the email. Enforcement at the transport level ensures that users cannot bypass the policy, providing a robust safeguard for sensitive data. Administrators can target specific departments or users, such as Finance, ensuring that the rule applies only to relevant personnel. Detailed auditing and reporting allow compliance teams to track policy enforcement and demonstrate adherence to regulatory standards like PCI DSS or GDPR. This automated approach reduces reliance on user behavior, minimizes human error, and ensures that sensitive financial data is protected consistently.
The second solution, Microsoft Defender Safe Links Policies, is designed to protect users from malicious URLs by scanning links in emails and documents. While critical for phishing protection, it does not analyze email content for sensitive financial information, nor does it enforce encryption or prevent forwarding. Safe Links alone cannot ensure compliance or protect credit card data.
The third solution, Exchange Online Journaling Rules, captures copies of email messages for retention or auditing purposes. While useful for post-event monitoring, journaling does not prevent emails containing sensitive data from being sent externally, nor does it apply encryption automatically. This approach is reactive rather than proactive and cannot meet the requirement.
The fourth solution, Microsoft Purview Data Loss Prevention (DLP) Policies, detects sensitive content and can restrict actions, but enforcement often depends on user interaction or may block delivery instead of applying encryption with rights management. DLP alone may not guarantee that emails containing credit card information are automatically encrypted and protected from forwarding.
Combining Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels is the only solution that satisfies all requirements. It automatically detects sensitive content, applies encryption, prevents forwarding, and provides auditing capabilities, ensuring regulatory compliance and safeguarding financial data consistently.
Question 177
A company wants to prevent the accidental sharing of Social Security numbers in Teams messages and SharePoint documents. Users should receive a notification when attempting to share such information. Which solution should the administrator configure?
A) Microsoft Purview Data Loss Prevention (DLP) Policies
B) Teams Messaging Policies
C) Exchange Mail Flow Rules
D) Intune Device Compliance Policies
Answer: Microsoft Purview Data Loss Prevention (DLP) Policies
Explanation:
The first solution allows organizations to detect sensitive content such as Social Security numbers in Teams messages and SharePoint documents automatically. Microsoft Purview DLP policies can identify predefined sensitive information types including personally identifiable information (PII). When a user attempts to share content containing PII, the system can block the action or notify the user in real time. This proactive notification helps users understand compliance requirements and reduces accidental data exposure. Enforcement occurs across multiple Microsoft 365 services, including Teams, SharePoint, OneDrive, and Exchange, ensuring consistent protection across collaboration and communication platforms. DLP policies also provide auditing and reporting features, allowing compliance teams to track violations, review attempted sharing, and maintain regulatory compliance. Automating the detection and enforcement of PII reduces human error and ensures that sensitive information is consistently protected.
Teams Messaging Policies control capabilities such as creating channels, deleting messages, or using chat features. While useful for managing user behavior, messaging policies cannot detect sensitive content, block its sharing, or notify users. They provide functional controls but lack content-level awareness.
Exchange Mail Flow Rules inspect email content, apply encryption, or block messages based on sensitive data detection. They do not extend to Teams messages or SharePoint documents. Because the requirement involves collaboration tools and file sharing, mail flow rules alone cannot meet the need.
Intune Device Compliance Policies enforce device-level security such as encryption, antivirus, or updates. While important for endpoint security, they do not monitor content or prevent accidental sharing of PII. Users on compliant devices could still share sensitive information, making this solution insufficient.
Microsoft Purview DLP Policies are the only solution that provides automated detection, user notifications, content blocking, and auditing for sensitive information. They ensure Social Security numbers are protected in real time, reduce accidental exposure, and maintain consistent regulatory compliance across Microsoft 365 platforms.
Question 178
A company wants to block access to Microsoft 365 apps from unmanaged devices while allowing users to view content in a web browser. Users should not be able to download, print, or copy files on personal devices. Which solution should the administrator deploy?
A) Conditional Access App Control
B) Intune Device Compliance Policies
C) Azure AD Password Protection
D) OneDrive Storage Quotas
Answer: Conditional Access App Control
Explanation:
The first solution enables organizations to enforce session-level restrictions for Microsoft 365 applications. Conditional Access App Control evaluates whether a device is managed or unmanaged and applies restrictions accordingly. For unmanaged devices, administrators can enforce web-only access, preventing users from downloading, printing, or copying files while allowing them to view content in a browser. This ensures that corporate data remains secure while maintaining productivity for users on personal devices. The enforcement is dynamic and occurs in real time, with policies applied at each session. Logging and auditing features provide detailed records of user activity, allowing administrators to monitor access, detect policy violations, and ensure regulatory compliance. By differentiating between managed and unmanaged devices, organizations can maintain full productivity internally while preventing data exfiltration externally.
Intune Device Compliance Policies ensure devices meet security requirements such as encryption, antivirus, or OS updates. While important for securing endpoints, compliance policies do not enforce web-only access or prevent downloads and printing for unmanaged devices. Users could still access content and copy sensitive information if only device compliance policies were implemented.
Azure AD Password Protection strengthens account security by preventing weak or compromised passwords. While it improves identity protection, it does not restrict access, enforce session-level controls, or prevent copying and printing. It cannot satisfy the requirement for web-only access for unmanaged devices.
OneDrive Storage Quotas limit the amount of storage a user can consume but do not restrict access methods or session behavior. Quotas cannot prevent downloads or printing and do not differentiate between managed and unmanaged devices.
Conditional Access App Control is the only solution capable of enforcing real-time, web-only access for unmanaged devices, preventing downloading, printing, and copying. It protects corporate data while enabling secure access, provides auditing capabilities, and enforces organizational policies consistently.
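As an added example (not code from the original page or from Microsoft), the two Conditional Access policies that implement the managed-versus-unmanaged split described in Questions 175 and 178, created with Microsoft Graph PowerShell. It assumes the Microsoft.Graph.Identity.SignIns module, a Conditional Access Administrator account, a Defender for Cloud Apps licence for the built-in download-blocking session control, and a placeholder break-glass account id.

```powershell
# Added example (not code from the original page). Creates two Conditional Access policies:
# browser sessions from unmanaged devices stay allowed but downloads are blocked, and rich
# clients (desktop/mobile apps) on unmanaged devices are blocked outright.
# Assumptions: Microsoft.Graph.Identity.SignIns module installed, Conditional Access
# Administrator role, Defender for Cloud Apps licensed, and $breakGlass is a placeholder id.

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$breakGlass = '00000000-0000-0000-0000-000000000000'   # placeholder: emergency-access account

# "Unmanaged" = neither compliant nor hybrid joined. In exclude mode the filter removes managed
# devices and the policy applies to everything else, including devices with no registration.
$unmanagedFilter = @{
    mode = 'exclude'
    rule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
}

# Policy 1: browser access from unmanaged devices is allowed, downloads are blocked by the
# built-in Defender for Cloud Apps session control (cloudAppSecurityType = blockDownloads).
$browserPolicy = @{
    displayName = 'Unmanaged devices - browser only, block downloads'
    state       = 'enabledForReportingButNotEnforced'   # report-only first; enable after review
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('Office365') }
        clientAppTypes = @('browser')
        devices        = @{ deviceFilter = $unmanagedFilter }
    }
    sessionControls = @{
        cloudAppSecurity = @{ isEnabled = $true; cloudAppSecurityType = 'blockDownloads' }
    }
}

# Policy 2: desktop and mobile apps from unmanaged devices are blocked, so the browser
# (with the session control above) is the only remaining path to the data.
$clientPolicy = @{
    displayName = 'Unmanaged devices - block rich clients'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('Office365') }
        clientAppTypes = @('mobileAppsAndDesktopClients')
        devices        = @{ deviceFilter = $unmanagedFilter }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$created = foreach ($p in @($browserPolicy, $clientPolicy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p
}

# Check: both policies exist and the browser policy carries the blockDownloads session control.
$created | ForEach-Object {
    [pscustomobject]@{
        Name           = $_.DisplayName
        State          = $_.State
        ClientApps     = ($_.Conditions.ClientAppTypes -join ',')
        SessionControl = $_.SessionControls.CloudAppSecurity.CloudAppSecurityType
        Grant          = ($_.GrantControls.BuiltInControls -join ',')
    }
} | Format-Table -AutoSize
```

For the external-collaboration case in Question 175 the same session control is scoped through the policy's users condition (guest and external users) instead of the device filter. Review the report-only sign-in logs before switching `state` to `enabled`, and keep the break-glass exclusion in both policies.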
Question 179
A company wants to ensure that all emails containing health-related information are automatically encrypted when sent externally. Users must not be able to bypass the encryption. Which solution should the administrator deploy?
A) Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels
B) Microsoft Defender Safe Links Policies
C) Exchange Online Journaling Rules
D) Microsoft Purview Data Loss Prevention (DLP) Policies
Answer: Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels
Explanation:
The first solution allows administrators to automatically inspect outgoing emails and detect sensitive health-related information, such as medical records or health identifiers. Exchange Mail Flow Rules can evaluate email headers, body content, and attachments in real time. When combined with Microsoft Purview Sensitivity Labels, emails containing health information can be automatically encrypted and protected with rights management restrictions. These restrictions prevent recipients from forwarding, copying, or printing the email. Enforcement occurs at the transport level, ensuring that users cannot bypass the encryption. Administrators can configure rules to apply specifically to departments handling sensitive health information, ensuring consistent enforcement across the organization. Logging and reporting features provide visibility into policy enforcement and potential violations, allowing compliance teams to demonstrate adherence to regulations such as HIPAA. By automating detection and protection, organizations reduce the risk of accidental data leaks and ensure regulatory compliance while maintaining user productivity.
The second solution, Microsoft Defender Safe Links Policies, protects users from malicious URLs in emails and documents by scanning links in real time. While important for phishing prevention, Safe Links does not detect sensitive health information, encrypt emails, or prevent forwarding. Using Safe Links alone would not satisfy the requirement.
The third solution, Exchange Online Journaling Rules, captures copies of email messages for auditing or compliance purposes. While journaling allows post-event analysis, it does not encrypt emails or prevent unauthorized sharing. This approach is reactive rather than proactive and cannot meet the requirement for automatic protection.
The fourth solution, Microsoft Purview Data Loss Prevention (DLP) Policies, can detect sensitive content and restrict actions such as sending or sharing. However, DLP alone may not automatically apply encryption with rights management or prevent forwarding. DLP often relies on user intervention, which may not satisfy the requirement that encryption cannot be bypassed.
Combining Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels is the only solution that ensures sensitive health-related emails are automatically encrypted, protected from forwarding, and fully compliant with regulatory standards.
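As an added example (not code from the original page or from Microsoft), the transport-level rule described in Questions 173, 176 and 179, created with Exchange Online PowerShell. New-TransportRule exposes encryption through a rights protection template, so this example uses the built-in "Do Not Forward" template rather than a named sensitivity label; the group and mailbox addresses are placeholders and the sensitive information type names are the built-in Purview names, which the function verifies against the tenant before creating a rule.

```powershell
# Added example (not code from the original page). Creates Exchange Online mail flow rules that
# encrypt outbound mail containing given sensitive information types; the sender cannot opt out
# because the rule runs in the transport pipeline.
# Assumptions: ExchangeOnlineManagement module installed, the signed-in account holds the
# Transport Rules role, and all contoso.example addresses are placeholders.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline          # interactive sign-in

function New-OutboundEncryptionRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string]   $SenderGroup,       # group whose members the rule covers
        [Parameter(Mandatory)] [string[]] $SensitiveTypes,    # sensitive information type names
        [Parameter(Mandatory)] [string]   $IncidentRecipient, # compliance mailbox for reports
        [int] $Priority = 0
    )

    # Reject unknown type names up front; a misspelt name would create a rule that never fires.
    $known = (Get-DataClassification).Name
    foreach ($t in $SensitiveTypes) {
        if ($known -notcontains $t) { throw "Unknown sensitive information type: $t" }
    }

    # One classification entry per type; MinCount 1 fires on a single match.
    [hashtable[]] $classifications = foreach ($t in $SensitiveTypes) { @{ Name = $t; MinCount = '1' } }

    New-TransportRule -Name $Name `
        -Priority $Priority `
        -Mode Enforce `
        -FromMemberOf $SenderGroup `
        -SentToScope NotInOrganization `
        -MessageContainsDataClassifications $classifications `
        -ApplyRightsProtectionTemplate 'Do Not Forward' `
        -SetAuditSeverity High `
        -GenerateIncidentReport $IncidentRecipient `
        -IncidentReportContent Sender, Recipients, Subject, DataClassifications, RuleDetection `
        -Comments "Encrypts outbound mail containing: $($SensitiveTypes -join ', ')"
}

# Question 173: customer data leaving the Sales department
New-OutboundEncryptionRule -Name 'Sales - encrypt customer data' -Priority 0 `
    -SenderGroup 'sales@contoso.example' `
    -SensitiveTypes 'U.S. Social Security Number (SSN)', 'U.S. Bank Account Number' `
    -IncidentRecipient 'compliance@contoso.example'

# Question 176: credit card numbers sent externally by Finance
New-OutboundEncryptionRule -Name 'Finance - encrypt card data' -Priority 1 `
    -SenderGroup 'finance@contoso.example' `
    -SensitiveTypes 'Credit Card Number' `
    -IncidentRecipient 'compliance@contoso.example'

# Question 179: health information (ICD codes and DEA numbers are built-in Purview types)
New-OutboundEncryptionRule -Name 'Health - encrypt PHI' -Priority 2 `
    -SenderGroup 'benefits@contoso.example' `
    -SensitiveTypes 'International Classification of Diseases (ICD-10-CM)', 'Drug Enforcement Agency (DEA) Number' `
    -IncidentRecipient 'compliance@contoso.example'

# Check: every rule that applies a rights protection template, in evaluation order
Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate } |
    Sort-Object Priority |
    Format-Table Priority, Name, Mode, SentToScope, ApplyRightsProtectionTemplate -AutoSize
```

Run the rules in `-Mode Audit` first if false positives are a concern; the incident reports show which classification matched on each message before enforcement is switched on.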
Question 180
A company wants to prevent accidental sharing of sensitive customer information, such as Social Security numbers and financial data, in Teams messages and SharePoint documents. Users should be notified when they attempt to share this information. Which solution should the administrator configure?
A) Microsoft Purview Data Loss Prevention (DLP) Policies
B) Teams Messaging Policies
C) Exchange Mail Flow Rules
D) Intune Device Compliance Policies
Answer: Microsoft Purview Data Loss Prevention (DLP) Policies
Explanation:
The first solution allows organizations to detect and protect sensitive content automatically across multiple Microsoft 365 services, including Teams and SharePoint. Microsoft Purview DLP policies can identify personally identifiable information (PII) such as Social Security numbers, financial account numbers, and other regulated data. When a user attempts to share content containing sensitive information, the DLP policy can either block the action or notify the user in real time, explaining the policy violation. This ensures users are educated about compliance requirements while preventing accidental data leaks. DLP policies operate across Teams messages, channels, files shared in SharePoint Online, and OneDrive for Business. The system continuously scans messages, documents, and attachments for sensitive information based on predefined or custom sensitive information types. Administrators can configure DLP to apply to specific departments, roles, or locations, ensuring precise and granular enforcement. Logging and reporting capabilities provide visibility into attempted violations, allowing compliance teams to track patterns, identify risk, and generate audit reports.
Teams Messaging Policies primarily manage functional features within Teams, such as chat creation, message deletion, and channel management. While these policies are essential for governing platform usage, they do not provide content-level inspection or notifications for sensitive data. Messaging policies cannot prevent users from sharing PII accidentally or enforce compliance requirements at the message or file level.
Exchange Mail Flow Rules are designed to inspect email messages, apply encryption, or restrict delivery based on content. They do not extend to Teams messages or SharePoint documents. As such, they are not suitable for environments where real-time collaboration and document sharing occur outside of email.
Intune Device Compliance Policies enforce endpoint security standards, including encryption, antivirus presence, and OS updates. While these policies are crucial for protecting devices, they do not provide content inspection or real-time notifications for sensitive information. Users could still share sensitive data through Teams or SharePoint from compliant devices, making this solution insufficient for content protection.
Using Microsoft Purview DLP Policies is the only solution that provides automated detection, real-time user notifications, content blocking, and detailed reporting. It ensures sensitive customer information is protected in Teams and SharePoint, reduces accidental data exposure, and maintains compliance with regulations such as GDPR, HIPAA, and financial data protection laws. The automation reduces reliance on end users to identify sensitive information manually, providing consistent and enforceable organizational protection. By configuring DLP policies, administrators can balance productivity and security, allowing collaboration to continue safely while enforcing strict safeguards for sensitive data.
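As an added example (not code from the original page or from Microsoft), the Purview DLP policy described in Questions 174, 177 and 180, built in Security & Compliance PowerShell: one rule shows a policy tip on internal sharing of PII and one blocks sharing outside the organization. It assumes the ExchangeOnlineManagement module, a Compliance Administrator account, built-in sensitive information type names, and placeholder contoso.example addresses.

```powershell
# Added example (not code from the original page). Creates a Purview DLP policy that scans Teams,
# SharePoint and OneDrive for PII, notifies the user with a policy tip, and blocks external sharing.
# Assumptions: ExchangeOnlineManagement module installed, Compliance Administrator role, and the
# contoso.example addresses are placeholders.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession            # Security & Compliance PowerShell endpoint

$policyName = 'PII in Teams and SharePoint'

# Sensitive information types to watch (built-in names; confirm with Get-DlpSensitiveInformationType).
[hashtable[]] $piiTypes = @(
    @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' },
    @{ Name = 'U.S. Bank Account Number';          minCount = '1' },
    @{ Name = 'Credit Card Number';                minCount = '1' }
)

# Start in test mode with notifications so policy tips can be tuned before anything is blocked.
New-DlpCompliancePolicy -Name $policyName `
    -TeamsLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications `
    -Comment 'Notify users and block external sharing of SSNs and financial data'

# Rule 1: PII shared inside the organization shows a policy tip; the user may proceed
# only after recording a justification, which is captured in the audit log.
New-DlpComplianceRule -Name 'PII - notify on internal share' -Policy $policyName -Priority 0 `
    -ContentContainsSensitiveInformation $piiTypes `
    -AccessScope InOrganization `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'This content contains personal data. Remove it or justify the share.' `
    -NotifyAllowOverride WithJustification `
    -ReportSeverityLevel Low

# Rule 2: PII shared with people outside the organization is blocked for those recipients,
# the sharer is told why, and an incident report goes to the compliance mailbox.
New-DlpComplianceRule -Name 'PII - block external share' -Policy $policyName -Priority 1 `
    -ContentContainsSensitiveInformation $piiTypes `
    -AccessScope NotInOrganization `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'Sharing personal data outside the organization is not permitted.' `
    -BlockAccess $true -BlockAccessScope PerUser `
    -GenerateIncidentReport 'compliance@contoso.example' `
    -IncidentReportContent Title, Service, Severity, RulesMatched, Detections `
    -ReportSeverityLevel High

# Check: both rules are attached to the policy with the expected scope and actions.
Get-DlpComplianceRule -Policy $policyName |
    Sort-Object Priority |
    Format-Table Priority, Name, AccessScope, BlockAccess, BlockAccessScope, NotifyUser -AutoSize

# After the test window, switch the policy from notification-only to enforcement:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Policy tips in Teams and SharePoint appear after the content is scanned, so a brief delay between sharing and notification is expected; the DLP reports in the Purview portal show the matches recorded during the test period.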