Microsoft MS-102 Microsoft 365 Administrator Exam Dumps and Practice Test Questions Set 11 Q151-165
Question 151
A company wants to require global administrators to use phishing-resistant authentication methods, such as FIDO2 security keys, while standard users continue using conventional multi-factor authentication (MFA). Which Microsoft 365 solution allows selective enforcement based on user roles?
A) Conditional Access with Authentication Strengths
B) Microsoft Purview Sensitivity Labels
C) Intune App Protection Policies
D) Exchange Online Retention Policies
Answer: A) Conditional Access with Authentication Strengths
Explanation:
Global administrator accounts have elevated privileges and access to all Microsoft 365 resources, making them high-value targets for attackers. Compromise of these accounts can result in unauthorized access, configuration changes, and significant security breaches. Conditional Access with Authentication Strengths enables selective enforcement of phishing-resistant authentication methods such as FIDO2 security keys for global administrators, while standard users continue using conventional MFA like authenticator app notifications or SMS codes. This approach ensures high-risk accounts have enhanced security without impacting usability for standard users.
Microsoft Purview Sensitivity Labels focus on content classification, encryption, and access restriction, but they do not enforce authentication methods or role-specific MFA.
Intune App Protection Policies secure data at the application or device level by restricting copy-paste, printing, or saving to unmanaged storage. APP does not provide authentication enforcement for privileged accounts.
Exchange Online Retention Policies manage content lifecycle by specifying retention and deletion rules. They do not enforce MFA or authentication methods for specific roles.
Conditional Access with Authentication Strengths automates role-based enforcement of strong authentication aligned with zero-trust principles. Policies are evaluated during sign-in, ensuring compliance for high-risk accounts. Administrators can monitor adherence, detect anomalies, and adjust policies as needed. Automated enforcement reduces the risk of compromise for global administrator accounts, protecting critical systems and sensitive data while maintaining usability for standard users. Integration with Azure AD provides scalable protection for privileged accounts. Organizations maintain regulatory compliance, mitigate phishing and credential theft risks, and safeguard administrative resources. Role-based enforcement ensures consistent security for high-value accounts, strengthening identity protection and operational security across Microsoft 365 services.
Question 152
A company wants to automatically classify and encrypt all OneDrive documents containing payroll information. Users should not have to manually apply labels. Which Microsoft 365 solution should the administrator implement?
A) Microsoft Purview Sensitivity Labels with Auto-Labeling
B) Conditional Access Policies
C) Intune App Protection Policies
D) Exchange Online Retention Policies
Answer: A) Microsoft Purview Sensitivity Labels with Auto-Labeling
Explanation:
Payroll information includes salaries, bonuses, tax information, and bank account details. This type of data is highly sensitive and subject to strict regulatory compliance, including GDPR, HIPAA, and local labor laws. Protecting payroll data is crucial to prevent identity theft, financial fraud, and legal consequences. Microsoft Purview Sensitivity Labels with Auto-Labeling provides an automated solution to classify and encrypt OneDrive documents containing payroll information. Administrators can define rules to detect keywords, document types, or metadata associated with payroll data. When a document matches these criteria, a sensitivity label is automatically applied, enforcing encryption and access restrictions for authorized personnel only.
Conditional Access Policies control access to Microsoft 365 applications based on identity, device compliance, and risk signals. While important for securing access, they do not inspect content or enforce encryption based on payroll sensitivity.
Intune App Protection Policies secure corporate data on devices or applications by restricting actions such as copy-paste, printing, or saving to unmanaged storage. While APP strengthens device-level security, it does not provide content-based classification or encryption for OneDrive documents.
Exchange Online Retention Policies manage content lifecycle by specifying retention and deletion schedules. These policies focus on preservation or disposal rather than proactive protection of sensitive payroll data.
Implementing Microsoft Purview Sensitivity Labels with Auto-Labeling ensures all OneDrive documents containing payroll information are consistently protected without user intervention. Administrators can monitor labeling activity, refine rules, and generate compliance reports. Users benefit from seamless protection, reducing accidental exposure while maintaining productivity. Auto-labeling aligns with zero-trust principles and regulatory compliance, safeguarding sensitive content while enabling secure collaboration. Automated enforcement reduces operational risk, strengthens governance, and ensures encryption and access restrictions are consistently applied. Organizations protect payroll data, mitigate leakage risk, and maintain operational integrity by automating classification and protection across Microsoft 365 services.
Question 153
A company wants to prevent users from sharing emails or documents containing strategic marketing plans externally via Exchange Online, SharePoint, or OneDrive. If a user attempts to share such content, the sharing must be blocked automatically, and the user must be notified. Which Microsoft 365 solution should the administrator implement?
A) Microsoft 365 Data Loss Prevention (DLP) Policies
B) Exchange Online Retention Policies
C) Intune App Protection Policies
D) Conditional Access with Authentication Strengths
Answer: A) Microsoft 365 Data Loss Prevention (DLP) Policies
Explanation:
Strategic marketing plans include campaign strategies, target demographics, budgets, and promotional tactics. Unauthorized disclosure can result in competitive disadvantages, reputational damage, and financial losses. Microsoft 365 Data Loss Prevention (DLP) Policies provide automated content inspection and enforcement across Exchange Online, SharePoint, and OneDrive. DLP policies can identify marketing plan content using keywords, patterns, or custom sensitive information types. When sensitive content is detected, external sharing is blocked automatically, and users are notified of the policy violation. Notifications educate users about proper handling of sensitive data, promoting awareness and compliance.
Exchange Online Retention Policies manage the lifecycle of emails and documents by defining retention and deletion schedules. While important for compliance, they do not detect or block external sharing of sensitive marketing content. Their focus is on preservation or disposal rather than proactive protection.
Intune App Protection Policies secure corporate data at the device level by controlling actions such as copy-paste, printing, or saving to unmanaged storage. While APP enhances endpoint security, it does not inspect Exchange Online, SharePoint, or OneDrive content for sensitive marketing plans.
Conditional Access with Authentication Strengths enforces phishing-resistant MFA and strong authentication methods. While important for identity protection, it does not prevent unauthorized sharing of sensitive marketing content.
Implementing Microsoft 365 DLP Policies ensures that strategic marketing plan content is automatically protected across Microsoft 365 services. Policies can be scoped to specific users, groups, or content locations. Real-time notifications help educate users while reinforcing security policies. Administrators can monitor incidents, refine detection rules, and generate detailed compliance reports. Integration with sensitivity labels and encryption allows for layered protection. Automated enforcement reduces human error, mitigates data leakage risks, and strengthens governance. Organizations maintain compliance, protect intellectual property, and reduce operational and reputational risks. DLP policies enable secure collaboration while safeguarding high-value content from unauthorized access, ensuring sensitive marketing information remains protected across Exchange Online, SharePoint, and OneDrive.
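The policy and rule described for Question 153, as an added example written in Security & Compliance PowerShell (not code from the page or from Microsoft). It assumes the ExchangeOnlineManagement module and a custom sensitive information type named 'Marketing Plan Markers' that was created beforehand; that name is a placeholder.

```powershell
# Added example (not from the original page): a DLP policy that blocks sharing
# of strategic marketing plans with people outside the organization in Exchange
# Online, SharePoint and OneDrive, and tells the user why through a policy tip.
# Assumptions: Security & Compliance PowerShell (ExchangeOnlineManagement module);
# 'Marketing Plan Markers' is a placeholder name for a custom sensitive
# information type (keywords, campaign and budget patterns) created beforehand.
Connect-IPPSSession

$policyName = 'DLP-Marketing-Plans-No-External-Sharing'

# Create the policy in test mode with notifications: users see policy tips and
# incident reports are generated, but nothing is blocked until the rule is tuned.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Block external sharing of strategic marketing plans' `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# The rule fires only when content is shared with or sent to someone outside the
# organization (AccessScope NotInOrganization), blocks that access, notifies the
# owner and last modifier, and raises a high-severity incident report.
New-DlpComplianceRule -Name "$policyName-Rule" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = 'Marketing Plan Markers'; minCount = '1' }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'This item contains a strategic marketing plan and cannot be shared outside the company.' `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent All `
    -ReportSeverityLevel High

# Review the incident reports, then switch the policy from test mode to enforcement.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```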
Question 154
A company wants to require global administrators to use phishing-resistant authentication methods, such as FIDO2 security keys, while standard users continue using conventional multi-factor authentication (MFA). Which Microsoft 365 solution allows selective enforcement based on user roles?
A) Conditional Access with Authentication Strengths
B) Microsoft Purview Sensitivity Labels
C) Intune App Protection Policies
D) Exchange Online Retention Policies
Answer: A) Conditional Access with Authentication Strengths
Explanation:
Global administrator accounts hold elevated privileges and access to all Microsoft 365 resources, making them prime targets for attackers. Compromise of these accounts can lead to unauthorized access, configuration changes, data breaches, and significant operational risks. Conditional Access with Authentication Strengths enables selective enforcement of phishing-resistant authentication methods such as FIDO2 security keys for global administrators, while standard users continue using conventional MFA like authenticator app notifications or SMS codes. This ensures that high-risk accounts have enhanced security without impacting usability for standard users.
Microsoft Purview Sensitivity Labels focus on content classification, encryption, and access restriction, but they do not enforce role-based MFA or authentication.
Intune App Protection Policies secure corporate data at the application or device level by restricting actions such as copy-paste, printing, or saving to unmanaged storage. APP does not enforce authentication for privileged accounts.
Exchange Online Retention Policies manage content lifecycle by specifying retention and deletion rules. They do not enforce MFA or authentication based on user roles.
Conditional Access with Authentication Strengths automates role-based enforcement of strong authentication, aligned with zero-trust principles. Policies are evaluated at sign-in to ensure compliance for high-risk accounts. Administrators can monitor adherence, detect anomalies, and adjust policies as needed. Automated enforcement reduces the risk of compromise for global administrator accounts, protecting critical systems and sensitive data while maintaining usability for standard users. Integration with Azure AD provides scalable protection for privileged accounts. Organizations maintain regulatory compliance, mitigate phishing and credential theft risks, and safeguard administrative resources. Role-based enforcement ensures consistent security for high-value accounts, strengthening identity protection and operational security across Microsoft 365 services.
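The role-scoped policy described for Questions 151 and 154, as an added example written in Microsoft Graph PowerShell (not code from the page or from Microsoft). It assumes the Microsoft.Graph module, a caller granted the scopes listed in the script, and a placeholder emergency-access account brk-glass@contoso.example that is excluded so the policy cannot lock out every administrator.

```powershell
# Added example (not from the original page): require the built-in
# "Phishing-resistant MFA" authentication strength for Global Administrators
# through a Conditional Access policy, while other users keep their existing MFA.
# Assumptions: Microsoft.Graph module; caller holds the scopes below;
# 'brk-glass@contoso.example' is a placeholder emergency-access account.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Directory.Read.All', 'User.Read.All'

# Resolve the built-in authentication strength and the role template by display
# name rather than hard-coding their IDs.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object DisplayName -eq 'Phishing-resistant MFA'
$gaRole = Get-MgDirectoryRoleTemplate |
    Where-Object DisplayName -eq 'Global Administrator'
$breakGlass = Get-MgUser -UserId 'brk-glass@contoso.example'   # placeholder account

$policy = @{
    displayName = 'CA-Global-Admins-Require-Phishing-Resistant-MFA'
    # Start in report-only mode; set to 'enabled' after the sign-in log confirms
    # that only the intended accounts would be affected.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeRoles = @($gaRole.Id)      # scoped to the role, not to all users
            excludeUsers = @($breakGlass.Id)  # never lock out the emergency account
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created $($created.DisplayName) ($($created.Id)) in state $($created.State)"
```

Standard users are untouched because the users condition includes only the Global Administrator role template; they continue to be governed by whatever MFA policy already applies to them.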
Question 155
A company needs to automatically encrypt all SharePoint Online documents that contain confidential legal agreements. The encryption must occur without user action and must ensure that documents remain protected even if downloaded. Which Microsoft 365 solution should the administrator implement?
A) Microsoft Purview Sensitivity Labels with Auto-Labeling
B) Exchange Online Mail Flow Rules
C) Microsoft Defender for Office 365 Safe Attachments
D) Intune Device Compliance Policies
Answer: A) Microsoft Purview Sensitivity Labels with Auto-Labeling
Explanation:
The first choice provides the exact combination needed to detect, classify, and automatically encrypt documents containing legal agreements stored in SharePoint Online. This solution works by defining classification rules that identify specific keywords, sensitive data types, or metadata patterns related to legal agreements. Once identified, a sensitivity label is applied without requiring users to take any manual action. Because the sensitivity label uses encryption at the file level, the protection remains active even after the file is downloaded, shared, or stored outside Microsoft 365. This is critical because legal documents often circulate among internal and external parties, and persistent encryption ensures complete lifecycle protection. Sensitivity labels also allow administrators to enforce granular permissions such as blocking unauthorized users, preventing printing, disabling copy/paste, or marking the document as read-only. Additionally, the auto-labeling engine ensures large-scale coverage, which is essential for enterprises managing thousands of documents. The automation also solves the challenge of user inconsistency, as many users fail to classify files properly due to lack of awareness. This makes the first choice the only one capable of fulfilling all technical requirements: automatic detection, automatic classification, automatic encryption, and persistent protection.
The second choice involves mechanisms designed for email security rather than SharePoint content. These rules apply only to messages passing through Exchange Online transport. While they can detect sensitive content within email bodies and attachments, they do not manage or classify files stored in SharePoint Online libraries. These rules also do not apply persistent encryption that remains with a file outside email. Even if a legal document is attached to an email, the rule does nothing to protect the original document stored in SharePoint. Thus, this choice cannot satisfy the requirement for automatic encryption of stored documents.
The third choice focuses on scanning files for malware before they are opened or delivered. This solution protects against malicious attachments, unsafe files, and exploitation attempts. However, malware prevention has no relationship to automatic classification or encryption of content. Safe Attachments cannot identify legal terminology or detect contractual language. It also does not apply any form of labeling or encryption to documents. While effective for security hygiene, it simply cannot address the need for automated protection of confidential legal agreements.
The fourth choice addresses device-level compliance rather than document-level security. These policies ensure that enrolled devices meet security standards such as encryption requirements, OS version minimums, or password policies. However, they do not classify, label, or encrypt files stored in SharePoint. They also do not apply any controls to files once they are downloaded or emailed from a compliant device. Furthermore, they only work for devices enrolled into the management system. The requirement explicitly needs protection that persists regardless of device state. This makes device compliance policies irrelevant to the scenario.
Because the requirement demands automated detection, classification, and lifecycle encryption of SharePoint legal documents without depending on user intervention, the only suitable solution among the available choices is the first one. Its ability to apply persistent encryption sets it apart as the correct answer.
Question 156
An organization needs to ensure that any OneDrive files containing financial forecasts are automatically labeled and restricted from external sharing. The process must run silently without user involvement. What should the administrator configure?
A) Microsoft Purview Auto-Labeling Policies
B) SharePoint Site Sharing Settings
C) Microsoft Entra ID Conditional Access
D) Microsoft Defender Antivirus Policies
Answer: A) Microsoft Purview Auto-Labeling Policies
Explanation:
The first choice provides the automated detection and application of sensitivity labels needed to protect financial forecast files stored in OneDrive. Auto-labeling policies allow administrators to define detection rules for specific data patterns such as forecast terminology, financial projections, revenue models, and spreadsheet structures. Once a file matches a rule, the system automatically applies the correct sensitivity label without notifying or involving the user. This ensures consistent and reliable protection that is immune to human error. Sensitivity labels configured for financial forecast protection can block external sharing, disable downloads, and enforce encryption. Because these settings persist with the document across its lifetime, the protection remains active even if files leave the Microsoft 365 environment. This persistent, silent enforcement is exactly what the requirement describes, making this the appropriate solution.
The second choice controls whether site members or owners can share content externally, but it operates at a site or tenant scope rather than based on content. These settings do not detect financial forecasts or apply any protective label. They merely limit or allow sharing. They cannot selectively block sharing only for files containing financial forecasts while leaving other documents unaffected. Therefore, site sharing settings cannot enforce content-based external sharing restrictions.
The third choice enables enforcement of authentication, device compliance, and location-based access requirements. Conditional Access policies regulate who can access OneDrive but not how individual documents may be shared externally. They do not classify files or apply restrictions based on content. Even with Conditional Access in place, users could still share files externally unless another content-centric control is active. This makes Conditional Access unsuitable for the need.
The fourth choice relates to device-level threat protection, scanning devices for malware or unsafe behavior. These protections do not classify files, restrict sharing, or detect financial data. Antivirus policies operate at the operating system level, not within OneDrive or Microsoft 365 file repositories. As such, they are entirely unrelated to the requirement.
Because the organization needs an automatic, content-based, label-driven restriction system that operates without user involvement, the only solution meeting all elements of the requirement is the first one.
Question 157
A company wants to detect sensitive HR data stored in SharePoint Online and automatically apply restrictions preventing unauthorized viewing. The system must identify personal employee details and enforce encryption without relying on manual labeling. What should the administrator implement?
A) Purview Auto-Labeling with Sensitive Information Types
B) SharePoint Access Requests
C) Multi-Factor Authentication
D) Office Scripts
Answer: A) Purview Auto-Labeling with Sensitive Information Types
Explanation:
The first choice provides automated detection and protection for sensitive HR information in SharePoint Online using built-in or custom sensitive information types. These include identifiers such as names, addresses, employee numbers, government identification formats, or payroll details. Auto-labeling analyzes content across SharePoint sites and applies a sensitivity label when a match is detected. This label can enforce encryption, restrict access to only HR personnel, and block unauthorized users from opening files. Because the protection is embedded within the file, the rules persist even if the file is downloaded or emailed. This meets the full requirement: detecting HR data, automating classification, enforcing protection, and requiring no user action. The automation ensures consistent adherence to HR confidentiality protocols, which is especially important for regulatory compliance and privacy laws.
The second choice manages requests from users who attempt to access restricted documents. While it helps site owners approve or deny access, it does not detect sensitive data or apply labels. It only reacts after an unauthorized access attempt, offering no automated classification or encryption. Therefore, it does not fulfill the proactive protection requirement.
The third choice improves authentication security by requiring users to verify their identity using multiple factors. Although essential for account protection, it does not classify content or apply protection based on HR data. Even with strong authentication, files containing HR information could still be accessed by unauthorized internal users unless labeling is applied. This makes it insufficient.
The fourth choice relates to automating Excel and Office tasks, which has no connection to data classification or content protection. Office Scripts do not monitor SharePoint content or apply restrictions, making them irrelevant to the scenario.
Because the requirement demands automated detection, classification, and encryption of HR data within SharePoint, only the first choice provides the necessary capabilities.
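One way to build the auto-labeling setup that Questions 152, 155, 156 and 157 all describe (detect sensitive content in OneDrive or SharePoint, apply a label, enforce encryption with no user action), as an added example in Security & Compliance PowerShell and not code from the page or from Microsoft. It assumes the ExchangeOnlineManagement module, a placeholder HR group hr-team@contoso.example, and a placeholder custom sensitive information type 'Employee ID Number'; the SSN type is built in.

```powershell
# Added example (not from the original page): create a sensitivity label whose
# encryption limits access to the HR group, then an auto-labeling policy that
# applies it to SharePoint and OneDrive files matching sensitive information types.
# Assumptions: Security & Compliance PowerShell (ExchangeOnlineManagement module);
# 'hr-team@contoso.example' is a placeholder mail-enabled group;
# 'Employee ID Number' is a placeholder custom SIT; the SSN type is built in.
Connect-IPPSSession

$labelName  = 'Confidential - HR'
$policyName = 'AutoLabel-HR-Data'

# 1. Label with encryption: only the HR group can open, edit and print. The
#    rights are embedded in the file, so they travel with it when it is
#    downloaded or emailed.
New-Label -Name $labelName -DisplayName $labelName `
    -Tooltip 'Employee personal data. Access limited to HR.' `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions 'hr-team@contoso.example:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,OBJMODEL'

# 2. Auto-labeling policy in simulation mode: matches are reported, not labeled,
#    so false positives can be reviewed before any file is encrypted.
New-AutoSensitivityLabelPolicy -Name $policyName `
    -ApplySensitivityLabel $labelName `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithoutNotifications

# 3. Detection rule: at least one match of either sensitive information type.
New-AutoSensitivityLabelRule -Name "$policyName-Rule" `
    -Policy $policyName `
    -Workload SharePoint, OneDriveForBusiness `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' },
        @{ Name = 'Employee ID Number'; minCount = '1' }
    )

# 4. After reviewing the simulation results, turn the policy on.
Set-AutoSensitivityLabelPolicy -Identity $policyName -Mode Enable
```

The same pattern covers the payroll, legal-agreement and financial-forecast scenarios: swap the label's rights definitions and the sensitive information types in step 3 for ones that match that content.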
Question 158
A company wants to prevent external sharing of sensitive marketing presentations stored in SharePoint Online unless the content is explicitly labeled as “Approved for External Sharing.” Users should not be able to bypass this restriction. Which solution should the administrator implement?
A) Sensitivity Label–based Sharing Restrictions
B) SharePoint Site Sharing Settings
C) Conditional Access Policies
D) Microsoft Defender for Cloud Apps Session Policies
Answer: A) Sensitivity Label–based Sharing Restrictions
Explanation:
The first choice allows organizations to create sensitivity labels that enforce sharing restrictions at the content level. These labels can explicitly prevent external sharing unless a specific label, such as “Approved for External Sharing,” is applied. The labeling mechanism integrates with SharePoint Online and OneDrive, ensuring that labeled documents automatically enforce restrictions regardless of user actions. When applied, the label not only restricts sharing but also optionally enforces encryption, prevents downloading, or blocks printing. Because the solution is content-based, it provides granular control over individual files or folders and operates silently without requiring user intervention. This aligns directly with the requirement to block external sharing unless the content is explicitly approved, maintaining compliance and reducing the risk of accidental data leakage. Administrators can monitor label enforcement and generate compliance reports to track incidents where users attempted to share restricted content.
The second choice involves configuring site-level sharing settings. This approach controls external sharing permissions for an entire site but cannot apply rules based on content classification. All documents within the site are subject to the same sharing policy, which means it is impossible to allow only specific approved files while blocking others. Users may bypass restrictions for individual files if the site-level policy allows sharing. Therefore, site-level sharing settings lack the granularity required for sensitive marketing content and cannot meet the requirement.
The third choice, Conditional Access Policies, regulates access to Microsoft 365 services based on conditions such as device compliance, location, or user risk. While useful for securing access, these policies do not manage content-level sharing permissions. Conditional Access cannot enforce restrictions on specific documents or enforce approval workflows based on labels. Consequently, it cannot prevent the sharing of unapproved marketing presentations, making it unsuitable for this scenario.
The fourth choice, Microsoft Defender for Cloud Apps Session Policies, can monitor and restrict user sessions in real time, such as blocking downloads or restricting editing of sensitive files. While powerful for controlling behavior during sessions, session policies are reactive rather than proactive. They do not automatically detect content labels or prevent sharing at the point of creation. Users could still inadvertently share files externally before a session policy is applied, leaving gaps in compliance.
Implementing sensitivity label–based sharing restrictions provides precise control over which files can be shared externally, enforcing organizational policies without relying on user decisions. It integrates seamlessly with SharePoint Online, OneDrive, and Teams files, ensuring consistent protection across collaboration environments. This solution also supports reporting, auditing, and automated enforcement, making it the most effective method to satisfy the requirement.
Question 159
A company wants to automatically detect and encrypt emails in Exchange Online that contain personally identifiable information (PII) related to employees. Users should not be able to bypass this encryption. Which solution should the administrator deploy?
A) Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels
B) Journaling Rules in Exchange Online
C) Microsoft Defender Safe Links Policies
D) Exchange Online Archive Mailboxes
Answer: A) Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels
Explanation:
The first choice provides a combined approach to automatically detect sensitive content in emails and enforce encryption. Exchange Mail Flow Rules allow administrators to examine message content, attachments, and metadata in real time. When paired with Microsoft Purview Sensitivity Labels, emails containing PII such as social security numbers, employee IDs, or financial data can be automatically classified and encrypted before leaving the organization. This ensures that users cannot bypass protection because the rule enforcement occurs at the transport level. Sensitivity labels define the protection parameters, including who can access, edit, forward, or print the email. Automated application of these labels guarantees consistent enforcement and reduces the risk of accidental data leaks. Organizations also benefit from auditing and reporting capabilities, allowing monitoring of sensitive email traffic and policy effectiveness.
The second choice, Journaling Rules, is primarily used to capture copies of all emails for compliance, archiving, or eDiscovery purposes. While journaling ensures that a copy of messages is retained, it does not classify, encrypt, or prevent the delivery of sensitive content. It does not enforce any user-level restrictions or encryption policies and therefore cannot satisfy the requirement for proactive protection.
The third choice, Safe Links Policies, is designed to protect users from malicious URLs in email and documents. While important for phishing protection, Safe Links does not detect PII, classify content, or enforce encryption. It operates at the security level for links rather than content governance, so it is insufficient for automatically protecting sensitive employee data.
The fourth choice, Exchange Online Archive Mailboxes, provides users with additional mailbox storage for archiving old messages. Archives are useful for compliance retention but do not encrypt messages or apply content classification. They do not prevent delivery of sensitive messages to external recipients and cannot enforce policy-based protection.
Combining Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels is the only solution that proactively detects PII in emails, automatically applies encryption, prevents user bypass, and allows auditing. This satisfies the organization’s requirement for consistent, automated email protection.
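The transport-level enforcement described for Question 159, as an added example in Exchange Online PowerShell (not code from the page or from Microsoft). It assumes the ExchangeOnlineManagement module and applies the tenant's built-in 'Encrypt' rights-management template; the template name and the custom 'Employee ID Number' sensitive information type are assumptions.

```powershell
# Added example (not from the original page): a mail flow rule that detects
# employee PII in mail leaving the organization and applies an encryption
# template in transport, so the sender cannot skip the protection.
# Assumptions: Exchange Online PowerShell (ExchangeOnlineManagement module);
# 'Encrypt' is the tenant's built-in rights-management template;
# 'Employee ID Number' is a placeholder custom sensitive information type.
Connect-ExchangeOnline

# Audit mode first: the rule logs what it would have encrypted without acting,
# which lets the match rate be checked against real traffic.
New-TransportRule -Name 'Encrypt-Employee-PII-External' `
    -Comments 'Auto-encrypt messages carrying employee PII sent outside the organization' `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' },
        @{ Name = 'Employee ID Number'; minCount = '1' }
    ) `
    -ApplyRightsProtectionTemplate 'Encrypt' `
    -SetAuditSeverity High `
    -Mode Audit

# Once the message trace and audit entries confirm the expected matches, enforce it.
Set-TransportRule -Identity 'Encrypt-Employee-PII-External' -Mode Enforce
```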
Question 160
Your organization wants to block access to Microsoft 365 resources from unmanaged devices, ensuring that users can only view content in a web browser without downloading files. Which solution should the administrator implement?
A) Conditional Access App Control
B) Intune Device Compliance Policies
C) Azure AD Password Protection
D) OneDrive Storage Quotas
Answer: A) Conditional Access App Control
Explanation:
The first choice leverages Conditional Access App Control to enforce real-time session restrictions for Microsoft 365 applications. This solution is capable of detecting whether a user is on a managed or unmanaged device and can enforce web-only access for unmanaged devices. It prevents downloading, printing, and copying of sensitive documents while allowing users to work in the browser. The session policies act dynamically, evaluating each access attempt and applying restrictions automatically. This ensures that users on unmanaged devices cannot compromise organizational data while still maintaining productivity. The control extends across OneDrive, SharePoint, and Teams files, and administrators can generate activity reports and enforce audit trails.
The second choice, Intune Device Compliance Policies, ensures that devices meet organizational security requirements before granting access to Microsoft 365 resources. While important for device security, compliance policies only apply to enrolled or managed devices. They cannot enforce web-only access for users on unmanaged devices, and they do not control download permissions within applications. Therefore, this approach does not meet the requirement.
The third choice, Azure AD Password Protection, prevents the use of weak or compromised passwords. Although it strengthens account security, it does not influence access modes, download restrictions, or device compliance. It cannot enforce web-only access or prevent file downloads for unmanaged devices.
The fourth choice, OneDrive Storage Quotas, limits the amount of storage a user can consume but does not control how files are accessed or whether they can be downloaded. Storage quotas do not provide conditional access or session control features.
Conditional Access App Control is the only solution that enforces web-only access for unmanaged devices and prevents downloads while maintaining usability in the browser. It directly addresses the organization’s security requirement and ensures sensitive data is protected across Microsoft 365 services.
Question 161
Your organization wants to ensure that Teams meeting recordings are retained for five years for compliance purposes. Users should not be able to delete or modify the recordings during that period. Which Microsoft 365 feature should the administrator configure?
A) Microsoft Purview Retention Policies
B) Teams Meeting Policies
C) OneDrive Storage Quotas
D) Stream (Classic) Content Expiration
Answer: A) Microsoft Purview Retention Policies
Explanation:
The first choice provides a centralized, compliance-grade solution to enforce long-term retention of Teams meeting recordings. Retention policies can be applied to Microsoft Teams content, including channel meetings stored in SharePoint Online and private meetings stored in OneDrive for Business. These policies allow administrators to specify a retention period—in this case, five years—and prevent deletion or modification of content during that period. The protection is enforced at the system level, meaning users cannot override or bypass it. Even if a user attempts to delete a recording, the system preserves the content in a secure location until the retention period expires. Retention policies can also include rules to automatically delete content after the retention period if desired, but the critical requirement here is preservation for compliance purposes. The solution integrates seamlessly with Microsoft 365 compliance tools, allowing monitoring, auditing, and reporting to ensure regulatory adherence. Automated enforcement reduces the risk of human error, ensuring that all relevant meeting recordings are preserved consistently across the organization.
The second choice, Teams Meeting Policies, primarily governs user experience during meetings, such as allowing recordings, enabling transcription, or controlling lobby settings. While meeting policies can influence whether meetings are recorded, they do not enforce long-term retention or prevent users from deleting content. Users could still delete their recordings manually if a meeting policy allowed recording. Therefore, meeting policies do not satisfy compliance requirements that mandate controlled retention of recorded content.
The third choice, OneDrive Storage Quotas, controls how much data a user can store but has no effect on retention or deletion prevention. Even if quotas are applied, users could still delete or modify recordings. Storage quotas regulate volume, not compliance or data lifecycle management.
The fourth choice, Stream (Classic) Content Expiration, applies only to the deprecated Stream (Classic) service, which is no longer used for new Teams meeting recordings. Stream content expiration settings control automated deletion but do not provide retention enforcement for a compliance period. Implementing expiration would be counterproductive in this scenario, as the requirement is to prevent deletion for five years, not to remove content automatically.
Retention policies are the only solution capable of enforcing multi-year preservation, preventing deletion or modification, and providing compliance auditing for Teams recordings. This ensures that the organization meets regulatory obligations while maintaining control over sensitive content.
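The configuration described above, as an added example that is not part of the original page, in Security & Compliance PowerShell (ExchangeOnlineManagement module). It goes one step beyond a plain retention policy on the OneDrive and SharePoint locations, which would retain every file there for five years: it auto-applies a retention label, marked as a record, only to Teams meeting recordings, which also satisfies the "no delete or modify" requirement literally. The label and policy names are assumed; the KQL query is the selector Microsoft documents for Teams meeting recordings.

```powershell
# Added example: Security & Compliance PowerShell (ExchangeOnlineManagement module).
# Label and policy names below are assumed for illustration.
Connect-IPPSSession

$labelName  = "Teams meeting recording - retain 5 years"
$policyName = "Auto-apply - Teams meeting recordings"

# 1. Retention label: keep for 1825 days from creation, then take no action.
#    IsRecordLabel marks labelled files as records, so users cannot delete them
#    and the content is locked against edits. A plain retention policy would
#    instead keep a copy in the Preservation Hold library while letting the
#    user delete their own view of the file.
New-ComplianceTag -Name $labelName `
    -RetentionAction Keep `
    -RetentionDuration 1825 `
    -RetentionType CreationAgeInDays `
    -IsRecordLabel $true `
    -Comment "Compliance retention for Teams meeting recordings"

# 2. Policy scoped to where recordings are stored: OneDrive (non-channel
#    meetings) and SharePoint (channel meetings). The Teams chat/channel
#    locations hold messages only and would not cover the recording files.
New-RetentionCompliancePolicy -Name $policyName `
    -OneDriveLocation All `
    -SharePointLocation All `
    -Comment "Auto-applies the recordings label to Teams meeting recordings only"

# 3. Rule that applies the label only to Teams meeting recordings. Other files
#    in OneDrive and SharePoint are left untouched.
New-RetentionComplianceRule -Name "$policyName rule" `
    -Policy $policyName `
    -ApplyComplianceTag $labelName `
    -ContentMatchQuery "ProgID:Media AND ProgID:Meeting"

# 4. Check: DistributionStatus should move from Pending to Success and
#    Enabled should be True. Labels can take up to seven days to be applied.
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus, OneDriveLocation, SharePointLocation
```

If the organization only needs preservation with the user's deletion tolerated (copy kept in the Preservation Hold library), drop `-IsRecordLabel $true`; the retention period and scope stay the same.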
Question 162
A company wants to require all users accessing Microsoft 365 apps from unmanaged devices to use web-only access. Users should be prevented from downloading files when using personal devices. Which solution should the administrator configure?
A) Conditional Access App Control
B) Intune Device Compliance Policies
C) Azure AD Password Protection
D) OneDrive Storage Limits
Answer: A) Conditional Access App Control
Explanation:
The first choice, Conditional Access App Control, provides real-time session control for Microsoft 365 applications through Microsoft Defender for Cloud Apps. A Conditional Access policy scoped to browser sessions from devices that are neither Intune-compliant nor hybrid Azure AD joined hands those sessions to the Defender for Cloud Apps reverse proxy, where a session policy (or the built-in "block downloads" control) prevents downloading, printing, and copying of files while still letting the user view content in the browser. Controls are enforced for the life of the session and every blocked action is logged, so the restriction cannot be turned off on the client side. Two caveats apply in practice. First, the browser policy must be paired with a Conditional Access policy that blocks mobile and desktop clients from unmanaged devices; otherwise a user can sidestep the browser control by opening Outlook, Teams, or the OneDrive sync client on a personal device. Second, for SharePoint, OneDrive, and Exchange Online specifically, the "Use app enforced restrictions" session control combined with the SharePoint admin center's limited-access setting for unmanaged devices delivers the same web-only, no-download experience natively; Conditional Access App Control extends the restriction to other apps and adds activity monitoring. This feature directly addresses the requirement to prevent downloads and enforce web-only access for unmanaged devices.
The second choice, Intune Device Compliance Policies, enforces that devices meet organizational security standards, such as encryption, OS version, or antivirus requirements. However, these policies only apply to enrolled devices. Unmanaged personal devices cannot be evaluated or controlled using Intune compliance policies, and therefore, they cannot enforce web-only access or prevent file downloads. This makes it unsuitable for scenarios involving unmanaged devices.
The third choice, Azure AD Password Protection, improves security by preventing the use of weak or compromised passwords. While it helps protect accounts from compromise, it does not control access mode, downloads, or session behavior. It is unrelated to the requirement of web-only access for unmanaged devices.
The fourth choice, OneDrive Storage Limits, restricts the amount of storage available to users but does not control how users access files or whether they can download content. Storage quotas cannot enforce session-based restrictions or prevent data exfiltration from unmanaged devices.
Conditional Access App Control is the only solution that enforces real-time web-only access and prevents downloads for unmanaged devices while allowing secure access to Microsoft 365 applications. It ensures that organizational data is protected across devices and meets the stated compliance requirement.
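The two Conditional Access policies described above, as an added example that is not part of the original page, created with Microsoft Graph PowerShell (Microsoft.Graph.Identity.SignIns). The emergency-access group ID and the policy names are assumptions; both policies are created in report-only mode so sign-in logs can be reviewed before enforcement.

```powershell
# Added example: Microsoft Graph PowerShell. Group ID and names are assumed.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Assumed: emergency-access ("break glass") group that every policy excludes.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# Device filter: anything that is neither Intune-compliant nor hybrid-joined.
$unmanagedFilter = @{
    mode = "include"
    rule = 'device.isCompliant -ne True -and device.trustType -ne "ServerAD"'
}

# Policy 1: browser sessions from unmanaged devices go through Conditional
# Access App Control with the built-in "block downloads" session control.
$browserPolicy = @{
    displayName = "CAAC - unmanaged devices - browser, block downloads"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser")
        devices        = @{ deviceFilter = $unmanagedFilter }
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = "blockDownloads"
        }
    }
}

# Policy 2: rich clients (Outlook, Teams desktop, OneDrive sync) from unmanaged
# devices are blocked outright; without this the browser control is bypassed.
$clientPolicy = @{
    displayName = "CAAC - unmanaged devices - block rich clients"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
        devices        = @{ deviceFilter = $unmanagedFilter }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($browserPolicy, $clientPolicy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object DisplayName, State, Id
}

# Check: both policies should be listed in report-only state before enforcement.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like "CAAC - unmanaged devices*" } |
    Select-Object DisplayName, State
```

With `cloudAppSecurityType = "blockDownloads"` no custom session policy is needed in the Defender for Cloud Apps portal; use `"mcasConfigured"` instead when you want to author finer-grained session policies there (block only labelled files, require read-only, and so on).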
Question 163
A company wants to restrict external sharing of OneDrive for Business documents. Administrators want to allow sharing only with guests who authenticate using a one-time passcode (OTP). Which solution should the administrator configure?
A) SharePoint and OneDrive External Sharing Settings
B) Conditional Access App Control
C) Azure AD Identity Protection
D) Information Rights Management (IRM)
Answer: A) SharePoint and OneDrive External Sharing Settings
Explanation:
The first choice covers the tenant-level external sharing settings for SharePoint Online and OneDrive for Business. Setting external sharing to allow only new and existing guests, which removes "Anyone" links, means every external recipient must authenticate. With SharePoint's Azure AD (Entra) B2B integration enabled, guest sign-in is handled by Azure AD B2B, which emails a one-time passcode (OTP) to recipients who do not have a work, school, or Microsoft account; the code must be entered before the document opens, and a guest user object is created in the tenant on first redemption, so the recipient never needs a full account. Email OTP must be enabled in the Azure AD external collaboration settings, which is the default for current tenants. Because the setting is tenant-wide and site settings cannot be more permissive than the tenant, users cannot generate anonymous links that bypass authentication. The controls apply automatically every time a sharing link or invitation is created, and sharing events are written to the unified audit log, giving administrators a consistent, auditable path for external collaboration.
The second choice, Conditional Access App Control, provides session-level restrictions such as blocking downloads or monitoring risky activity. While effective for enforcing session security, it does not control external sharing authentication methods. Conditional Access cannot enforce OTP-based guest access directly, so it cannot fulfill the requirement by itself.
The third choice, Azure AD Identity Protection, is designed to detect and mitigate risky sign-ins and compromised accounts. While useful for account security, it does not manage external sharing behavior or OTP authentication for guest users. It cannot prevent unauthorized sharing of documents.
The fourth choice, Information Rights Management (IRM), protects documents by enforcing encryption and usage restrictions. While IRM prevents printing, copying, or forwarding, it does not control how documents are shared externally or enforce OTP authentication. It can complement external sharing settings but cannot independently achieve the requirement.
Using SharePoint and OneDrive External Sharing Settings is the only solution that allows administrators to enforce OTP authentication for guest users, ensuring secure external access while preventing unauthorized sharing.
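The tenant configuration described above, as an added example that is not part of the original page, using the SharePoint Online Management Shell with a final check in Microsoft Graph PowerShell. The tenant name (contoso) is assumed.

```powershell
# Added example: SharePoint Online Management Shell plus Microsoft Graph PowerShell.
# The tenant name (contoso) is assumed.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Tenant-wide: external recipients must authenticate; "Anyone" (anonymous)
# links are no longer offered. OneDrive has its own setting, so set both.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -OneDriveSharingCapability ExternalUserSharingOnly

# Hand guest sign-in to Azure AD B2B, which issues the email one-time passcode
# to recipients without a work, school, or Microsoft account.
Set-SPOTenant -EnableAzureADB2BIntegration $true

# Default new links to "specific people" with view permission so users do not
# create broader links than intended.
Set-SPOTenant -DefaultSharingLinkType Direct -DefaultLinkPermission View

# Verify the tenant state.
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability,
    EnableAzureADB2BIntegration, DefaultSharingLinkType, DefaultLinkPermission

# Sites cannot exceed the tenant setting, but list any that were configured for
# anonymous links so their owners can be told why those links stopped working.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, SharingCapability

# Confirm the email OTP method is enabled in Azure AD, where the passcode is
# issued; if it is disabled, guests are pushed to create a Microsoft account.
Connect-MgGraph -Scopes "Policy.Read.All"
Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Email" |
    Select-Object Id, State
```

To restrict which outside organizations can receive OTP invitations, add `Set-SPOTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList "partner.example"` on top of the settings above.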
Question 164
A company wants to automatically apply encryption to all emails sent from the Finance department that contain bank account or credit card information. Users must not be able to bypass this encryption. Which solution should the administrator deploy?
A) Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels
B) Microsoft Defender Safe Links Policies
C) Exchange Online Journaling Rules
D) Exchange Online Archive Mailboxes
Answer: A) Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels
Explanation:
The first solution detects sensitive financial data in transit and encrypts matching messages before they leave the tenant. Exchange mail flow (transport) rules evaluate every message in the transport service, including body, subject, and supported attachments, and can use Microsoft Purview sensitive information types (for example Credit Card Number and U.S. Bank Account Number) as conditions, combined with a sender condition such as membership in the Finance group. The rule's action applies Office 365 Message Encryption and rights protection using a template: the built-in Encrypt or Do Not Forward templates, or a sensitivity label configured with encryption, which limits opening, forwarding, or printing to the rights the label grants. Because evaluation happens server-side after the user clicks Send, and provided the rule has no sender-override exception, users cannot bypass it by removing a label or choosing not to encrypt. Purview DLP policies offer an equivalent Encrypt action; the option here names the mail flow rule approach.
This solution also supports automated policy enforcement across multiple mailboxes in the Finance department, eliminating the risk of human error. Employees do not need to remember to encrypt messages manually, which ensures consistent compliance with regulations such as PCI DSS, SOX, and GDPR. Additionally, this approach allows administrators to generate detailed auditing and reporting logs for all emails that match the criteria, helping compliance teams monitor enforcement and verify policy effectiveness. Administrators can also configure notifications or alerts to detect attempted policy violations.
The second solution focuses on scanning links within emails to protect users from malicious URLs and phishing attacks. While it is essential for email security, it does not inspect content for sensitive financial data, nor does it enforce encryption or access restrictions. Therefore, it cannot prevent the unauthorized sending of bank account or credit card information. Using Safe Links alone would leave the organization noncompliant with regulatory requirements for protecting sensitive financial data.
The third solution involves journaling rules, which capture copies of emails for compliance or archiving purposes. While journaling preserves copies of messages, it does not encrypt emails or enforce access controls before delivery. Journaling provides post-event retention but does not proactively prevent sensitive information from leaving the organization. Consequently, it cannot meet the requirement for automated encryption and enforcement.
The fourth solution, Exchange Online Archive Mailboxes, allows organizations to retain older messages for long-term storage. While useful for retention and compliance, archive mailboxes do not analyze content, enforce encryption, or prevent sensitive emails from being sent. Therefore, this option cannot address the organization’s need for proactive protection.
Combining Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels is the only approach that satisfies all requirements: automated detection of sensitive financial information, automatic encryption, prevention of user bypass, and auditing capabilities. This ensures that the organization consistently protects its financial data, reduces compliance risk, and maintains regulatory adherence.
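The mail flow rule described above, as an added example that is not part of the original page, in Exchange Online PowerShell (ExchangeOnlineManagement module). The Finance group address, the report mailbox, and the rule name are assumptions; the sensitive information type names are Microsoft's built-in ones.

```powershell
# Added example: Exchange Online PowerShell. Group, mailbox and rule names are assumed.
Connect-ExchangeOnline

$financeGroup = "finance@contoso.com"      # mail-enabled security group for Finance
$reportTo     = "compliance@contoso.com"   # receives incident reports for matches
$ruleName     = "Finance - encrypt messages with account or card data"

# Confirm the built-in OME template exists before referencing it. A sensitivity
# label that applies encryption is also listed here and can be used instead.
Get-RMSTemplate | Where-Object { $_.Name -eq "Encrypt" } | Select-Object Name

# Deliberately no -ExceptIfHasSenderOverride: users get no way to opt out.
New-TransportRule -Name $ruleName `
    -FromMemberOf $financeGroup `
    -MessageContainsDataClassifications @(
        @{ Name = "Credit Card Number";       minCount = "1" },
        @{ Name = "U.S. Bank Account Number"; minCount = "1" },
        @{ Name = "ABA Routing Number";       minCount = "1" }
    ) `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -SetAuditSeverity High `
    -GenerateIncidentReport $reportTo `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetection, DataClassifications `
    -Mode Enforce `
    -Priority 0 `
    -Comments "Auto-encrypt Finance mail containing card or bank account data."

# Check: the rule is enabled, in Enforce mode, and the classifications resolved.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, Priority, FromMemberOf,
                MessageContainsDataClassifications, ApplyRightsProtectionTemplate
```

Roll this out with `-Mode Audit` first and review the incident reports for false positives (test card numbers, internal reference numbers) before switching to `Enforce`; the sensitive information types accept a higher `minCount` or a `minConfidence` value when tuning is needed.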
Question 165
A company wants to automatically detect and restrict sharing of sensitive HR documents stored in SharePoint Online. Only HR department users should have access, and all other users must be prevented from viewing or downloading these files. Which solution should the administrator configure?
A) Microsoft Purview Sensitivity Labels with Auto-Labeling
B) SharePoint Site Sharing Settings
C) Intune Device Compliance Policies
D) Microsoft Defender for Cloud Apps Session Policies
Answer: A) Microsoft Purview Sensitivity Labels with Auto-Labeling
Explanation:
The first solution enables automated detection of sensitive HR content and applies protective labels without any user action. Auto-labeling in Microsoft Purview provides a proactive method for protecting sensitive data, particularly in environments where confidential information is handled constantly, such as Human Resources. HR departments routinely store and process documents containing employee names, social security numbers, compensation details, medical information, performance reviews, and other data subject to strict privacy regulations. Relying on users to identify and label these documents manually leaves substantial room for oversight, inconsistency, and accidental exposure. Auto-labeling policies address this risk by scanning content in SharePoint, OneDrive, and Exchange, detecting predefined sensitive information types, and applying sensitivity labels automatically without user intervention.
When an auto-labeling policy identifies sensitive HR content, the sensitivity label it applies can enforce several layers of protection: file-level encryption with usage rights granted only to the HR group, so users outside HR cannot open the file even if they obtain a copy; restrictions within that group on printing, copying, or editing; and, because the label travels with the file, protection that persists when the document is moved to another folder, emailed outside the organization, or downloaded to a personal device. Two implementation details matter. The label must use administrator-defined permissions, since auto-labeling cannot apply labels that let users choose their own permissions, and an auto-labeling policy starts in simulation mode so matches can be reviewed before any label is applied. This persistent protection model is critical for organizations that must comply with regulations such as GDPR, HIPAA, or national labor privacy laws. Auto-labeling also supports auditability, allowing organizations to report on how sensitive information is handled and whether policies are applied consistently across all repositories.
In contrast, relying only on site-level sharing settings in SharePoint is insufficient for securing confidential HR information. Site-level settings determine whether a SharePoint site permits internal access only, limited external sharing, or full external collaboration. While these settings play an important role in restricting broad access, they do not evaluate the content stored within the site. This means that every user who has access to the site automatically gains access to all documents unless permissions are manually adjusted for each file or library. Such a structure makes it easy for sensitive content to be accidentally stored in a location accessible to non-HR staff. Moreover, site-level configuration lacks the intelligence to detect when a document contains sensitive identifiers or private employee data. Therefore, even if external sharing is blocked, internal exposure remains a serious concern. HR departments require content-level granularity that site-wide settings cannot provide.
Intune Device Compliance Policies serve another important but distinct role in organizational security. These policies help ensure that only devices meeting specific security criteria—such as encryption, up-to-date operating systems, password protection, and antivirus presence—are allowed to access corporate resources. Although this strengthens device-level security and reduces the likelihood of breaches through compromised hardware, it does nothing to classify sensitive documents or enforce access controls based on content. If an employee’s device is considered compliant, the user could still access HR documents unless separate content-level protection measures are in place. Device compliance does not recognize whether a file contains payroll data or medical records; it simply ensures that the device accessing the content is considered secure. As such, it cannot fulfill the requirement for automated detection and classification of HR materials.
Microsoft Defender for Cloud Apps Session Policies offer real-time monitoring and control over user activities within cloud applications. These policies can block downloads, restrict cut-and-paste operations, apply read-only access, and monitor suspicious behavior during user sessions. While session controls are an effective supplement to content protection, they do not apply persistent labels or identify sensitive content on their own. Their restrictions apply only during the proxied session and do nothing for the file once it is outside that session, so content that reaches a user through any path the session policy does not cover is unprotected. Defender for Cloud Apps is best used to complement, not replace, structured data classification and encryption.
In contrast, Microsoft Purview Sensitivity Labels with Auto-Labeling provide a holistic and content-aware solution that meets all requirements for safeguarding HR documents. With auto-labeling, organizations can ensure that sensitive HR data is consistently identified and protected without depending on the judgment or diligence of end users. Labels enforce encryption, limit access to authorized personnel, and ensure that all copies of the document remain protected everywhere they go. This reduces compliance risk, strengthens data governance, and provides peace of mind that sensitive HR files will not be accidentally shared, accessed, or exposed.
By implementing this approach, organizations create a controlled environment in which sensitive data is systematically classified, monitored, and protected at the file level. Auto-labeling supports accuracy, consistency, and regulatory readiness, making it the most effective solution for protecting HR information.
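The label, publishing policy, and auto-labeling policy described above, as an added example that is not part of the original page, in Security & Compliance PowerShell (ExchangeOnlineManagement module). The HR group address, site URL, and label names are assumptions; the sensitive information type names are Microsoft's built-in ones.

```powershell
# Added example: Security & Compliance PowerShell. Group, site and label names are assumed.
Connect-IPPSSession

$hrGroup = "hr@contoso.com"                               # assumed mail-enabled security group
$hrSite  = "https://contoso.sharepoint.com/sites/HR"      # assumed HR site

# 1. Label with administrator-defined encryption: only the HR group receives
#    usage rights, so everyone else cannot open the file wherever it ends up.
#    Auto-labeling cannot use labels with user-defined permissions.
New-Label -Name "HR-Confidential" -DisplayName "HR Confidential" `
    -Tooltip "HR only. Encrypted; users outside HR cannot open this content." `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "${hrGroup}:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL" `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -EncryptionOfflineAccessDays 7

# 2. Publish the label to HR so it is visible in Office apps for manual use
#    as well (auto-labeling itself does not require publishing).
New-LabelPolicy -Name "HR label policy" -Labels "HR-Confidential" -ExchangeLocation $hrGroup

# 3. Auto-labeling policy scoped to the HR site, starting in simulation so
#    matches can be reviewed before any file is encrypted.
New-AutoSensitivityLabelPolicy -Name "HR auto-label" `
    -ApplySensitivityLabel "HR-Confidential" `
    -SharePointLocation $hrSite `
    -Mode TestWithoutNotifications

New-AutoSensitivityLabelRule -Name "HR auto-label rule" -Policy "HR auto-label" `
    -Workload SharePoint `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)";                 minCount = "1" },
        @{ Name = "U.S. Individual Taxpayer Identification Number (ITIN)"; minCount = "1" }
    )

# 4. Check simulation status; review matched items in the Purview portal, then
#    enable enforcement:
#    Set-AutoSensitivityLabelPolicy -Identity "HR auto-label" -Mode Enable
Get-AutoSensitivityLabelPolicy -Identity "HR auto-label" |
    Select-Object Name, Mode, Enabled, DistributionStatus, SharePointLocation
```

Encryption controls who can open the content; it does not hide the file from the site's document listing or search. Keep the HR library's SharePoint permissions restricted to the HR group as well, so non-HR users neither see nor can decrypt the files.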