Microsoft MS-102 Microsoft 365 Administrator Exam Dumps and Practice Test Questions Set 13 Q181-195
Question 181
A company wants to block access to Microsoft 365 apps from unmanaged devices while allowing users to view content in a web browser. Users must not be able to download, print, or copy files on these devices. Which solution should the administrator implement?
A) Conditional Access App Control
B) Intune Device Compliance Policies
C) Azure AD Password Protection
D) OneDrive Storage Quotas
Answer: Conditional Access App Control
Explanation:
Conditional Access App Control (option A) allows organizations to enforce session-level access restrictions for Microsoft 365 applications. It evaluates whether a device is managed or unmanaged and dynamically applies policies based on this assessment. For unmanaged devices, administrators can enforce web-only access to apps such as SharePoint Online, OneDrive, and Teams. Users can view content in a browser but cannot download, print, or copy files, which prevents data exfiltration from personal or unmanaged devices. These session controls are applied in real time, ensuring that each access attempt is evaluated for compliance with organizational policies. Conditional Access App Control also provides detailed audit logs and reports, giving administrators visibility into policy enforcement, attempted violations, and user activity. This enables organizations to maintain compliance with internal security policies and regulatory requirements. By differentiating between managed and unmanaged devices, companies can maintain full access for internal users while restricting potentially risky external devices.
Intune Device Compliance Policies enforce endpoint security requirements such as encryption, antivirus, and OS updates. While these policies ensure device-level security, they do not enforce web-only access or prevent downloading, printing, or copying of content. Users on unmanaged devices could still potentially exfiltrate data if only compliance policies were applied.
Azure AD Password Protection enhances account security by preventing the use of weak or compromised passwords. While this improves identity protection, it does not control access to Microsoft 365 apps, enforce web-only sessions, or restrict downloading and printing. Therefore, it does not satisfy the requirement.
OneDrive Storage Quotas limit the amount of data a user can store but do not restrict access methods or control session behavior. Quotas do not prevent data exfiltration and cannot enforce web-only access for unmanaged devices.
Conditional Access App Control is the only solution that meets all requirements. It provides dynamic session enforcement, prevents downloading, printing, and copying on unmanaged devices, allows safe web-only access, maintains productivity for legitimate users, and ensures corporate data is protected. The combination of real-time control, auditing, and policy enforcement makes it the ideal solution for securing Microsoft 365 apps on unmanaged devices while maintaining regulatory compliance.
Question 182
A company wants to prevent external users from downloading, printing, or copying documents stored in SharePoint Online or OneDrive, while allowing internal users full access. Which solution should the administrator implement?
A) Conditional Access App Control
B) Intune Device Compliance Policies
C) Microsoft Purview Sensitivity Labels
D) OneDrive Storage Quotas
Answer: Conditional Access App Control
Explanation:
Conditional Access App Control (option A) allows administrators to enforce session-level access controls for Microsoft 365 applications such as SharePoint Online and OneDrive for Business. It evaluates user sessions in real time to determine whether a device is internal, external, or unmanaged, and applies access policies accordingly. For external users, policies can block downloading, printing, and copying of documents while still allowing web-based viewing. This ensures corporate data remains secure while enabling collaboration with vendors, clients, or partners. Internal users retain full access, ensuring productivity is not compromised.
The enforcement is dynamic, applied at the moment of access, and cannot be bypassed by the user. Session controls include restrictions on copy-paste, printing, and offline synchronization, making it highly effective in preventing unauthorized data exfiltration. Auditing and logging features provide administrators with detailed insights into user activity, attempted violations, and policy effectiveness. Reports can be used for compliance purposes or to adjust policies for specific user groups or document libraries.
Intune Device Compliance Policies enforce endpoint security such as encryption, antivirus, and OS patch levels. While important for securing devices, they do not control real-time session access or prevent downloads, printing, or copying for external users. Users on unmanaged devices could still exfiltrate data despite being compliant, making this approach insufficient alone.
Microsoft Purview Sensitivity Labels can encrypt documents and restrict actions like copy or print. However, sensitivity labels often apply at the file level and do not dynamically differentiate between internal and external users without additional configuration. They do not provide session-level enforcement as effectively as Conditional Access App Control.
OneDrive Storage Quotas restrict the total storage a user can consume. While this limits the volume of data stored, it does not control access, downloads, printing, or copying. Quotas are unrelated to securing external access, making them ineffective for this scenario.
Conditional Access App Control is the only solution that provides dynamic, session-level control over document access for external users while maintaining full access for internal users. It ensures corporate data is protected, enforces security policies in real time, and provides auditing and reporting for compliance, making it the ideal solution for managing sensitive data in SharePoint and OneDrive.
Question 183
A company wants to block access to Microsoft 365 apps from unmanaged devices but allow users to access content via a web browser. Users must not be able to download, print, or copy files on personal devices. Which solution should the administrator implement?
A) Conditional Access App Control
B) Intune Device Compliance Policies
C) Azure AD Password Protection
D) OneDrive Storage Quotas
Answer: Conditional Access App Control
Explanation:
Conditional Access App Control (option A) allows organizations to enforce session-based access restrictions for Microsoft 365 applications such as Teams, SharePoint, OneDrive, and Exchange Online. It evaluates each session to determine whether a device is managed, unmanaged, or external. For unmanaged devices, administrators can enforce web-only access policies, allowing users to view content in the browser without being able to download, print, or copy files. This prevents data exfiltration while maintaining productivity for employees using personal devices.
Session policies are enforced in real time and cannot be bypassed, ensuring consistent application of security controls. Administrators can monitor and audit all user activity through detailed logging, providing insights into policy effectiveness, potential violations, and access patterns. Conditional Access App Control is configurable by user groups, application, location, or device type, allowing organizations to tailor policies to their specific security needs. By distinguishing between managed and unmanaged devices, organizations can protect sensitive data while enabling safe collaboration.
Intune Device Compliance Policies enforce device-level security settings like encryption, antivirus, and OS updates. While essential for ensuring endpoint security, compliance policies alone do not restrict downloads, printing, or copy operations. Users on unmanaged but compliant devices could still access sensitive data improperly, so this solution alone does not meet the requirements.
Azure AD Password Protection strengthens account security by preventing weak or compromised passwords. While important for identity protection, it does not restrict session behavior, enforce web-only access, or prevent unauthorized copying or printing.
OneDrive Storage Quotas limit the total storage a user can consume but do not affect access methods or session restrictions. Quotas are unrelated to controlling access on unmanaged devices and cannot prevent data exfiltration.
Conditional Access App Control is the only solution capable of enforcing web-only access for unmanaged devices, preventing downloads, printing, and copying, and ensuring corporate data security while maintaining compliance and productivity.
Question 184
A company wants to ensure that all emails containing credit card information sent externally are automatically encrypted and protected from forwarding. Which solution should the administrator deploy?
A) Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels
B) Microsoft Defender Safe Links Policies
C) Exchange Online Journaling Rules
D) Microsoft Purview Data Loss Prevention (DLP) Policies
Answer: Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels
Explanation:
Exchange Mail Flow Rules combined with Microsoft Purview Sensitivity Labels (option A) allow administrators to automatically detect sensitive credit card information in email messages and apply encryption with rights management restrictions. Mail flow rules evaluate outgoing email metadata, body content, and attachments in real time. When combined with sensitivity labels, emails containing credit card information are automatically encrypted, preventing recipients from forwarding, copying, or printing the content. This enforcement occurs at the transport level, ensuring users cannot bypass the policy. Administrators can target specific departments, such as Finance, to ensure consistent enforcement and compliance.
The solution includes logging and reporting features, which allow compliance teams to monitor all outgoing emails containing sensitive financial data. These logs provide evidence of enforcement and can be used to meet regulatory requirements such as PCI DSS. Automating encryption reduces the risk of accidental data exposure, eliminates reliance on user behavior, and ensures that sensitive information is protected consistently across the organization.
Microsoft Defender Safe Links Policies protect users from malicious URLs in email and documents. While valuable for phishing protection, Safe Links does not detect credit card information, encrypt messages, or prevent forwarding.
Exchange Online Journaling Rules capture copies of email messages for retention and auditing but do not prevent unauthorized sharing or automatically encrypt messages. Journaling is reactive and cannot enforce encryption in real time.
Microsoft Purview Data Loss Prevention (DLP) Policies can detect sensitive content and restrict sending, but they often require user interaction or block delivery instead of automatically applying encryption with rights management. DLP alone may not fully prevent forwarding or copying, so it does not fully meet the requirement.
Using Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels ensures that emails containing credit card information are automatically encrypted, protected from forwarding, auditable, and compliant with financial regulations. This combination provides the strongest protection for sensitive financial data sent via email.
Question 185
A company wants to prevent users from sharing documents containing personally identifiable information (PII) in Teams chats and SharePoint, while notifying them when they attempt to do so. Which solution should the administrator implement?
A) Microsoft Purview Data Loss Prevention (DLP) Policies
B) Teams Messaging Policies
C) Exchange Mail Flow Rules
D) Intune Device Compliance Policies
Answer: Microsoft Purview Data Loss Prevention (DLP) Policies
Explanation:
Microsoft Purview DLP Policies (option A) allow administrators to automatically detect and protect sensitive content, including personally identifiable information (PII), across Microsoft 365 services. DLP policies can identify predefined sensitive information types, such as Social Security numbers, credit card numbers, and financial identifiers, in Teams messages, channel conversations, and SharePoint documents. When a user attempts to share a document or message containing PII, the policy can trigger a real-time notification or block the action, educating the user and reducing accidental data exposure. Enforcement occurs across Teams, SharePoint, OneDrive, and Exchange, providing consistent protection across all collaboration and communication platforms. Administrators can configure policies based on departments, user groups, or geographic regions, ensuring granular control while maintaining organizational compliance. Logging and reporting allow compliance teams to monitor attempted policy violations, track trends, and generate audit reports to meet regulatory standards such as GDPR or HIPAA. Automating detection reduces reliance on user awareness, minimizes human error, and ensures consistent enforcement, balancing productivity with data security.
Teams Messaging Policies primarily manage platform functionality, such as channel creation, message deletion, or chat permissions. While these policies control user behavior, they cannot inspect message content or prevent sharing of sensitive information. Therefore, messaging policies alone are insufficient for protecting PII.
Exchange Mail Flow Rules evaluate email content and can restrict delivery or apply encryption. However, they do not extend to Teams messages or SharePoint documents, limiting their effectiveness for real-time collaboration scenarios. Relying solely on mail flow rules would not satisfy the requirement.
Intune Device Compliance Policies enforce device-level security such as encryption, antivirus presence, or OS updates. While essential for endpoint protection, compliance policies do not inspect or restrict sensitive content sharing within Microsoft 365 applications. Users on compliant devices could still inadvertently share PII, making this solution inadequate.
Microsoft Purview DLP Policies provide a comprehensive, automated solution for detecting, restricting, and reporting the sharing of PII across Teams and SharePoint. Real-time notifications educate users, reduce accidental data exposure, and maintain compliance with regulatory requirements. This solution ensures sensitive data remains protected while supporting secure collaboration.
Question 186
A company wants to enforce web-only access for Microsoft 365 apps on unmanaged devices. Users must not be able to download, print, or copy files from personal devices. Which solution should the administrator configure?
A) Conditional Access App Control
B) Intune Device Compliance Policies
C) Azure AD Password Protection
D) OneDrive Storage Quotas
Answer: Conditional Access App Control
Explanation:
Conditional Access App Control (option A) allows organizations to apply session-level controls for Microsoft 365 applications such as SharePoint, OneDrive, Teams, and Exchange Online. It evaluates whether a device is managed, unmanaged, or external and enforces policies accordingly. For unmanaged devices, administrators can require web-only access, preventing users from downloading, printing, or copying files while allowing secure viewing in a browser. This approach ensures corporate data remains protected without restricting legitimate access for internal users on managed devices.
The solution provides real-time enforcement and cannot be bypassed by end users. It also offers detailed auditing and reporting capabilities, giving administrators visibility into policy enforcement, attempted violations, and usage patterns. Conditional Access App Control can be tailored by user groups, applications, device types, and locations, allowing granular control over access and data protection. By differentiating between managed and unmanaged devices, organizations maintain secure collaboration while minimizing the risk of data exfiltration.
Intune Device Compliance Policies ensure devices meet security requirements such as encryption, antivirus presence, and operating system updates. However, compliance policies alone do not prevent downloads, printing, or copying of files on unmanaged devices. Users could still access and exfiltrate sensitive information if only compliance policies were used.
Azure AD Password Protection enhances account security by preventing weak or compromised passwords. While valuable for identity security, it does not control session behavior or enforce restrictions on downloading, printing, or copying files.
OneDrive Storage Quotas limit the storage capacity for users but do not control access methods, downloads, printing, or copying. Quotas are unrelated to enforcing session-level security.
Conditional Access App Control is the only solution that provides real-time, web-only access enforcement, preventing data exfiltration from unmanaged devices while allowing secure viewing, auditing, and compliance with organizational policies.
Question 187
A company wants to ensure that all emails containing health-related information are automatically encrypted before being sent externally. Users must not be able to bypass the encryption. Which solution should the administrator deploy?
A) Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels
B) Microsoft Defender Safe Links Policies
C) Exchange Online Journaling Rules
D) Microsoft Purview Data Loss Prevention (DLP) Policies
Answer: Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels
Explanation:
Exchange Mail Flow Rules combined with Microsoft Purview Sensitivity Labels (option A) allow administrators to automatically detect emails containing health-related information, such as medical records or health identifiers, and apply encryption with rights management restrictions. Mail flow rules can inspect email headers, body content, and attachments in real time. When combined with sensitivity labels, emails are automatically encrypted before leaving the organization. Recipients cannot forward, copy, or print the content, and users cannot bypass these restrictions. This ensures sensitive health information is protected and compliant with regulatory standards such as HIPAA.
Administrators can configure rules for specific departments, such as Health or HR, ensuring consistent application. Detailed logging and reporting allow compliance teams to track email traffic, monitor enforcement, and generate audit reports demonstrating adherence to organizational and regulatory requirements. Automating detection and encryption minimizes the risk of accidental data exposure and reduces reliance on user behavior.
Microsoft Defender Safe Links Policies protect users from malicious URLs in email and documents but do not detect sensitive health information, encrypt messages, or prevent forwarding.
Exchange Online Journaling Rules capture copies of emails for retention and auditing but do not prevent external sharing or enforce encryption automatically. Journaling is reactive rather than proactive.
Microsoft Purview Data Loss Prevention (DLP) Policies detect sensitive content and restrict sending, but often require user interaction and may not automatically apply encryption with rights management. DLP alone may not fully prevent forwarding or printing.
Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels provide automated encryption, rights management enforcement, auditing, and reporting. This ensures all health-related emails sent externally are protected, compliant, and safeguarded against accidental or unauthorized disclosure.
Question 188
A company wants to block access to Microsoft 365 apps from unmanaged devices but allow users to view content via a web browser. Users must not be able to download, print, or copy files. Which solution should the administrator implement?
A) Conditional Access App Control
B) Intune Device Compliance Policies
C) Azure AD Password Protection
D) OneDrive Storage Quotas
Answer: Conditional Access App Control
Explanation:
Conditional Access App Control (option A) provides real-time session control for Microsoft 365 applications including SharePoint Online, OneDrive, Teams, and Exchange Online. It evaluates each user session to determine whether the device is managed or unmanaged and applies policies accordingly. For unmanaged devices, it can enforce web-only access, allowing users to view content in a browser without the ability to download, print, or copy files. This approach prevents unauthorized data exfiltration while maintaining productivity for legitimate users on personal devices.
Session policies are enforced dynamically and cannot be bypassed, ensuring consistent protection across all unmanaged devices. Administrators can configure rules by user group, application, device type, or location, giving precise control over who can access corporate data and how. Auditing and logging features provide insights into attempted policy violations, user activity, and compliance adherence. These reports enable organizations to monitor risks, adjust policies as necessary, and maintain regulatory compliance.
Intune Device Compliance Policies ensure that devices meet baseline security requirements, including encryption, antivirus, and OS updates. While essential for endpoint security, these policies do not provide session-level controls for web-only access or prevent copying, printing, or downloading. Users could still access sensitive content on unmanaged devices if only compliance policies were applied.
Azure AD Password Protection enhances account security by preventing weak or compromised passwords. Although valuable for identity protection, it does not control session behavior or prevent unauthorized data extraction on unmanaged devices.
OneDrive Storage Quotas limit the amount of storage a user can consume but do not enforce access controls, session restrictions, or data protection on unmanaged devices. Quotas are unrelated to security enforcement for web-only sessions.
Conditional Access App Control is the only solution capable of enforcing web-only access while preventing data exfiltration. It ensures that corporate data is secure on unmanaged devices, provides auditing for compliance, and balances security with user productivity.
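The unmanaged-device scenario in Questions 181, 183, 186 and 188 can be expressed as a single Conditional Access policy. The following is an added example, not code from the question set or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed and an administrator has already run Connect-MgGraph with the Policy.ReadWrite.ConditionalAccess scope, and the policy name, the device-filter rule used to define "unmanaged" and the break-glass account placeholder are all assumptions.

```powershell
# Added example: Conditional Access policy that sends browser sessions from
# unmanaged devices through Conditional Access App Control and blocks downloads.
# Assumes: Microsoft.Graph SDK installed, Connect-MgGraph already run with
# Policy.ReadWrite.ConditionalAccess. Names and the device filter are constructed.

$policy = @{
    displayName = "Unmanaged devices: browser only, block downloads"
    # Start in report-only mode; review sign-in logs before switching to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            # Always exclude an emergency-access account from session policies.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        # "Office365" is the built-in application group covering SharePoint,
        # OneDrive, Teams and Exchange Online.
        applications   = @{ includeApplications = @("Office365") }
        # Only browser sessions can be proxied; rich clients on unmanaged devices
        # are handled by a separate grant policy (not shown here).
        clientAppTypes = @("browser")
        devices        = @{
            deviceFilter = @{
                mode = "include"
                # Assumption: "unmanaged" = not Intune-compliant and not Azure AD joined.
                rule = 'device.isCompliant -ne True -and device.trustType -ne "AzureAD"'
            }
        }
    }
    sessionControls = @{
        # Route the session through Defender for Cloud Apps and block downloads,
        # which also disables print and copy for the proxied session.
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = "blockDownloads"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Verify what was created before enabling enforcement.
$created | Select-Object Id, DisplayName, State
```

Once the report-only sign-in logs confirm only unmanaged-device browser sessions match, change the state to "enabled" with Update-MgIdentityConditionalAccessPolicy.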
Question 189
A company wants to ensure that emails containing credit card information are automatically encrypted and protected from forwarding when sent externally. Users must not be able to bypass the encryption. Which solution should the administrator deploy?
A) Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels
B) Microsoft Defender Safe Links Policies
C) Exchange Online Journaling Rules
D) Microsoft Purview Data Loss Prevention (DLP) Policies
Answer: Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels
Explanation:
Exchange Mail Flow Rules combined with Microsoft Purview Sensitivity Labels (option A) allow administrators to automatically detect sensitive financial content in emails and apply encryption with rights management protections. Mail flow rules evaluate outgoing email messages, including headers, body content, and attachments. When combined with sensitivity labels, emails containing credit card information are automatically encrypted. Rights management restrictions prevent recipients from forwarding, copying, or printing the email, and enforcement occurs at the transport level, ensuring users cannot bypass the encryption.
Administrators can target specific departments, such as Finance, to enforce policies selectively, providing granular control. Logging and reporting features allow compliance teams to monitor email activity, review attempted violations, and generate audit reports. This ensures compliance with regulations like PCI DSS. Automated detection and encryption reduce the risk of accidental data exposure, minimize reliance on user behavior, and ensure consistent protection of sensitive financial data.
Microsoft Defender Safe Links Policies protect users from malicious URLs in emails and documents. While important for phishing protection, Safe Links does not detect financial content, apply encryption, or prevent forwarding.
Exchange Online Journaling Rules capture copies of email messages for auditing or retention purposes but do not prevent external sharing or enforce encryption automatically. Journaling is reactive rather than proactive.
Microsoft Purview Data Loss Prevention (DLP) Policies can detect sensitive information and restrict sending, but they may require user intervention or block delivery rather than automatically applying encryption with rights management. DLP alone may not fully prevent forwarding or copying of sensitive content.
Combining Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels is the only solution that ensures emails containing credit card information are automatically encrypted, protected from forwarding, auditable, and compliant with financial regulations.
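The transport-level rule described in Questions 184, 187 and 189 looks like the following in Exchange Online PowerShell. This is an added example, not code from the question set; it assumes the ExchangeOnlineManagement module with Connect-ExchangeOnline already run, the rule name and comment are constructed, and the protection template is the built-in "Do Not Forward" (a published sensitivity label that applies encryption can be substituted by name).

```powershell
# Added example: mail flow rule that applies rights-management protection to
# external mail containing credit card numbers, enforced at the transport level.
# Assumes: ExchangeOnlineManagement module, Connect-ExchangeOnline already run.
# The rule name and comment are constructed values.

$ruleName = "Encrypt external mail containing credit card numbers"

# Resolve the built-in sensitive information type rather than hard-coding its name.
$ccType = Get-DlpSensitiveInformationType -Identity "Credit Card Number"

New-TransportRule -Name $ruleName `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{ Name = $ccType.Name; MinCount = "1" }) `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -Comments "Constructed example: PCI DSS scope, cannot be bypassed by the sender" `
    -Mode Enforce

# Confirm the rule is enabled and carries the expected scope and template.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, SentToScope, ApplyRightsProtectionTemplate

# Audit trail: message trace shows which external messages the rule acted on.
Get-MessageTrace -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) |
    Where-Object { $_.Status -eq "Delivered" } |
    Select-Object Received, SenderAddress, RecipientAddress, Subject
```

To apply a sensitivity label instead of the built-in template, pass the label's display name to -ApplyRightsProtectionTemplate; only labels configured with encryption appear as templates.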
Question 190
A company wants to prevent users from sharing documents containing health information in Teams and SharePoint, while notifying them if they attempt to do so. Which solution should the administrator implement?
A) Microsoft Purview Data Loss Prevention (DLP) Policies
B) Teams Messaging Policies
C) Exchange Mail Flow Rules
D) Intune Device Compliance Policies
Answer: Microsoft Purview Data Loss Prevention (DLP) Policies
Explanation:
Microsoft Purview Data Loss Prevention (DLP) policies provide organizations with a comprehensive and automated solution to protect sensitive health information across collaboration platforms like Microsoft Teams, SharePoint Online, and OneDrive for Business. In today’s digital workplace, organizations increasingly rely on these tools to share and collaborate on critical data, including patient records, medical identifiers, and other types of health information that fall under strict regulatory frameworks such as HIPAA. The automatic detection and protection of this information is essential because accidental sharing or improper handling of sensitive health data can result in significant legal, financial, and reputational consequences. Microsoft Purview DLP policies are designed to identify predefined sensitive information types and enforce rules that help prevent accidental or unauthorized data exposure while educating users about proper data handling practices.
DLP policies operate by continuously scanning content across multiple services within Microsoft 365. In Teams, they monitor chat messages, channel conversations, and file attachments to detect sensitive health information. When a user attempts to share or upload content that contains protected health data, the policy can automatically block the action or provide real-time notifications to the user. For example, if a message in Teams contains a patient’s medical record, the user may receive an immediate alert explaining that sharing this information is restricted under organizational policies and applicable regulations. This approach not only prevents accidental exposure but also educates employees, reinforcing compliance best practices and creating a culture of accountability around handling sensitive information.
Beyond Teams, DLP policies extend protection to SharePoint Online document libraries and OneDrive for Business accounts. Any document uploaded, shared, or modified that contains sensitive health data is automatically scanned. Based on the policy configuration, actions can include blocking sharing with external users, restricting downloads, applying encryption, or notifying the user of a potential compliance violation. The ability to enforce these protections across multiple platforms ensures that sensitive health information is consistently safeguarded, regardless of whether it resides in chat conversations, files stored in SharePoint libraries, or individual user OneDrive accounts.
Administrators have granular control over DLP policies, allowing them to tailor rules according to department, location, or specific user groups. For instance, a healthcare organization may enforce stricter DLP rules for the human resources and patient care departments, where sensitive medical data is frequently handled, while applying less restrictive policies for other departments with lower exposure risks. This flexibility ensures that policies are precise and effective without unnecessarily hindering productivity or collaboration. By targeting policies to specific roles or departments, organizations can maintain a balance between data protection and operational efficiency, which is critical in environments where timely information sharing is essential for patient care and business continuity.
Another critical feature of DLP policies is detailed logging and reporting. Every policy violation or attempt to share sensitive content is logged, and administrators can generate comprehensive audit reports that provide visibility into user activity, attempted policy violations, and trends over time. This information is invaluable for compliance teams who must demonstrate adherence to regulations such as HIPAA or other health information protection standards. Logs also help organizations identify areas of risk, refine policies, and provide targeted training to employees to reduce future violations.
When compared to alternative solutions, Microsoft Purview DLP policies offer unique advantages. Teams Messaging Policies, for example, allow administrators to control platform features such as chat creation or channel management, but they do not inspect the content of messages or prevent the sharing of sensitive health information. Exchange Mail Flow Rules can evaluate email content, restrict delivery, or apply encryption, but these rules are limited to email and do not extend protection to collaboration tools like Teams or SharePoint. Intune Device Compliance Policies focus on device-level security, ensuring that devices accessing organizational data meet requirements for encryption, antivirus presence, or operating system updates, but they cannot inspect the content being shared or block sensitive health information. None of these alternatives provide the combination of automated detection, content blocking, user notification, and auditing that DLP policies offer.
By implementing Microsoft Purview DLP policies, organizations achieve automated, real-time protection for sensitive health information across all key collaboration platforms. The solution reduces reliance on user behavior, which is a common source of accidental data exposure, and minimizes the risk of noncompliance with regulatory requirements. Users are educated through real-time notifications, fostering awareness of organizational policies and regulatory obligations. Compliance teams gain visibility into activity across Teams, SharePoint, and OneDrive, enabling them to monitor enforcement, generate audit reports, and refine policies as needed. This proactive, content-aware approach ensures that sensitive health information is consistently protected while allowing employees to collaborate effectively, maintaining both security and productivity. DLP policies provide a critical layer of defense in a healthcare or regulated environment, aligning technology enforcement with organizational governance and compliance objectives.
Question 191
A company wants to prevent accidental sharing of financial data in Teams messages and SharePoint documents. Users should be notified when they attempt to share sensitive content. Which solution should the administrator implement?
A) Microsoft Purview Data Loss Prevention (DLP) Policies
B) Teams Messaging Policies
C) Exchange Mail Flow Rules
D) Intune Device Compliance Policies
Answer: Microsoft Purview Data Loss Prevention (DLP) Policies
Explanation:
The first solution provides automated detection and protection of sensitive content across Microsoft 365 services. Microsoft Purview DLP policies can identify financial data such as credit card numbers, account numbers, and other sensitive identifiers in Teams messages, SharePoint documents, OneDrive files, and email. When a user attempts to share a document or message containing sensitive information, the DLP policy can trigger a notification or block the action, educating the user and preventing accidental exposure. Enforcement occurs in real time, ensuring consistency and compliance across communication and collaboration platforms. Administrators can configure DLP policies by department, user group, or location, offering granular control. Logging and reporting features enable compliance teams to monitor attempted violations, track patterns, and generate audit reports to meet regulatory requirements such as PCI DSS. By automating detection, organizations reduce reliance on user vigilance, minimize human error, and maintain a balance between productivity and security.
Teams Messaging Policies primarily control platform features like creating or deleting messages, managing channels, and governing chat permissions. While important for user management, they do not inspect content or prevent sharing of sensitive financial information, making them insufficient for the stated requirement.
Exchange Mail Flow Rules are designed to evaluate and manage email content, applying restrictions or encryption as needed. However, they do not extend to Teams messages or SharePoint documents, limiting their applicability for collaborative content shared outside of email.
Intune Device Compliance Policies enforce endpoint security such as encryption, antivirus presence, and operating system updates. While essential for device security, they do not inspect content or enforce sharing restrictions within Teams or SharePoint. Users on compliant devices could still inadvertently share sensitive financial data, leaving the organization exposed.
Microsoft Purview DLP Policies are the only solution that ensures automated detection, real-time notifications, content blocking, and detailed auditing. This approach protects financial data, educates users, prevents accidental disclosure, and supports regulatory compliance, providing organizations with both security and operational efficiency.
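The following is an added example, not code from the exam page: it builds the DLP policy described above with Security & Compliance PowerShell, scoping it to Teams, SharePoint and OneDrive, showing the user a policy tip and blocking external sharing. It assumes Connect-IPPSSession is run with a compliance administrator account; the policy name, rule name and tip text are constructed for this example.

```powershell
# Added example (not from the exam page): Security & Compliance PowerShell (ExchangeOnlineManagement module).
# Assumes a compliance administrator account; policy/rule names and tip text are constructed here.
Connect-IPPSSession

# Policy scoped to the three collaboration workloads named in the scenario
New-DlpCompliancePolicy -Name "Financial Data - Teams and SharePoint" `
    -Comment "Notify users and block external sharing of financial data (example)" `
    -TeamsLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode Enable

# Rule: credit card or bank account numbers trigger a policy tip for the user,
# block sharing outside the organization, and send an incident report for audit.
New-DlpComplianceRule -Name "Block and notify - financial identifiers" `
    -Policy "Financial Data - Teams and SharePoint" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Credit Card Number"; minCount = "1" },
        @{ Name = "U.S. Bank Account Number"; minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This item appears to contain financial data. External sharing is blocked by company policy." `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent DocumentAuthor, DocumentTitle, Detections

# Verify what the rule actually enforces before relying on it
Get-DlpComplianceRule -Identity "Block and notify - financial identifiers" |
    Select-Object Name, Policy, AccessScope, BlockAccess, NotifyUser
```

Start with `-Mode TestWithNotifications` on the policy if you want users to see the tips for a while before sharing is actually blocked.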
Question 192
A company wants to enforce web-only access to Microsoft 365 apps on unmanaged devices. Users must not be able to download, print, or copy files while accessing corporate data. Which solution should the administrator implement?
A) Conditional Access App Control
B) Intune Device Compliance Policies
C) Azure AD Password Protection
D) OneDrive Storage Quotas
Answer: Conditional Access App Control
Explanation:
The first solution provides session-level enforcement for Microsoft 365 applications such as SharePoint Online, OneDrive, Teams, and Exchange Online. Conditional Access App Control evaluates each access attempt in real time to determine if the device is managed, unmanaged, or external. For unmanaged devices, the solution can enforce web-only access policies, preventing downloads, printing, and copying while allowing secure viewing in a browser. This protects sensitive corporate data from exfiltration while still enabling productivity for employees accessing Microsoft 365 from personal devices.
The enforcement occurs dynamically and cannot be bypassed by users. Administrators can tailor policies based on user groups, applications, device types, and locations, providing precise control over data access. Logging and reporting allow visibility into policy enforcement, user activity, and attempted violations, ensuring compliance and enabling organizations to fine-tune access controls as needed.
Intune Device Compliance Policies ensure that devices meet security baselines such as encryption, antivirus, and OS updates. However, compliance alone does not restrict session behavior. Users on unmanaged but compliant devices could still download, copy, or print corporate data, leaving sensitive information vulnerable.
Azure AD Password Protection strengthens account security by preventing weak or compromised passwords. While it is important for identity protection, it does not control session behavior or prevent data exfiltration.
OneDrive Storage Quotas limit the storage available to users but do not enforce access controls or restrict downloads, printing, or copying. Quotas cannot prevent unauthorized access or exfiltration on unmanaged devices.
Conditional Access App Control is the only solution that provides web-only access, session-level restrictions, auditing, and compliance enforcement. It effectively protects corporate data on unmanaged devices while maintaining secure, productive collaboration for legitimate users.
Question 193
A company wants to ensure that all emails containing health-related information are automatically encrypted when sent externally. Users must not be able to bypass the encryption. Which solution should the administrator deploy?
A) Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels
B) Microsoft Defender Safe Links Policies
C) Exchange Online Journaling Rules
D) Microsoft Purview Data Loss Prevention (DLP) Policies
Answer: Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels
Explanation:
The first solution allows administrators to automatically detect emails containing health-related information, such as medical records, patient identifiers, or other sensitive health data. Exchange Mail Flow Rules evaluate outgoing messages, including headers, body content, and attachments, in real time. When combined with Microsoft Purview Sensitivity Labels, emails containing sensitive health information are automatically encrypted. Rights management restrictions prevent forwarding, copying, or printing, and enforcement occurs at the transport level, ensuring users cannot bypass the policy.
Administrators can configure rules for specific departments, such as Health, HR, or Legal, ensuring targeted enforcement. Detailed logging and reporting provide visibility into email activity, policy enforcement, and attempted violations. These features allow compliance teams to generate audit reports demonstrating adherence to regulatory standards such as HIPAA or other healthcare regulations. Automated detection and encryption reduce reliance on user vigilance, minimize the risk of accidental data exposure, and provide consistent protection across the organization.
Microsoft Defender Safe Links Policies focus on protecting users from malicious URLs in emails and documents. While critical for phishing protection, Safe Links cannot detect sensitive health information, encrypt emails, or enforce forwarding restrictions, making it unsuitable for this scenario.
Exchange Online Journaling Rules capture copies of emails for auditing and retention but do not prevent external sharing or automatically encrypt messages. Journaling is reactive rather than proactive and does not meet the requirement for automatic protection.
Microsoft Purview Data Loss Prevention (DLP) Policies detect sensitive content and may block delivery or notify users. However, DLP alone may not automatically enforce encryption with rights management restrictions or fully prevent forwarding and printing, making it less effective for ensuring sensitive health information remains protected.
Using Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels is the only solution that guarantees automated encryption, rights management enforcement, auditing, and compliance. This ensures that sensitive health-related emails sent externally remain secure, cannot be bypassed, and meet regulatory and organizational requirements.
Question 194
A company wants to block access to Microsoft 365 apps from unmanaged devices while allowing users to access content via a web browser. Users must not be able to download, print, or copy files. Which solution should the administrator implement?
A) Conditional Access App Control
B) Intune Device Compliance Policies
C) Azure AD Password Protection
D) OneDrive Storage Quotas
Answer: Conditional Access App Control
Explanation:
The first solution provides real-time session-level controls for Microsoft 365 applications, including SharePoint Online, OneDrive, Teams, and Exchange Online. Conditional Access App Control evaluates each access attempt to determine whether the device is managed, unmanaged, or external, and applies appropriate restrictions. For unmanaged devices, it can enforce web-only access policies, allowing users to view content in the browser but preventing downloading, printing, or copying of files. This ensures corporate data is protected from exfiltration while still enabling users to access content securely.
The solution applies enforcement dynamically and cannot be bypassed by end users, guaranteeing consistent application of policies. Administrators can customize rules based on user groups, application types, device categories, and geographic locations, providing granular control over corporate data access. Auditing and logging features offer detailed insights into attempted violations, user activity, and policy effectiveness. These reports support compliance monitoring, risk assessment, and policy optimization. By differentiating between managed and unmanaged devices, organizations maintain productivity while mitigating the risk of data leakage.
Intune Device Compliance Policies ensure devices meet baseline security requirements, including encryption, antivirus protection, and operating system updates. While critical for endpoint security, these policies alone cannot enforce web-only access or prevent users from downloading, copying, or printing content on unmanaged devices. Users could still exfiltrate sensitive data despite device compliance, making this solution insufficient.
Azure AD Password Protection strengthens account security by preventing weak or compromised passwords. While valuable for identity security, it does not provide session-level access control or prevent data exfiltration from unmanaged devices.
OneDrive Storage Quotas limit the total storage available to users but do not restrict access methods or control the ability to copy, print, or download content. Quotas are unrelated to real-time access enforcement and data protection.
Conditional Access App Control is the only solution that enforces web-only access while preventing downloads, printing, and copying on unmanaged devices. It provides auditing, compliance, and granular policy control, effectively securing corporate data while allowing secure productivity on personal or unmanaged devices.
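The policy pair described in Questions 192 and 194, as an added example that is not part of the exam page: two Conditional Access policies created through the Microsoft Graph PowerShell SDK, one that routes browser sessions from non-compliant devices through Conditional Access App Control with downloads blocked, and one that blocks the rich desktop and mobile clients on those devices so only the browser path remains. It assumes Connect-MgGraph with the Policy.ReadWrite.ConditionalAccess scope, that Defender for Cloud Apps is onboarded so the session control can be enforced, and that "not compliant" is an acceptable definition of "unmanaged" for the tenant; names and the excluded account ID are placeholders.

```powershell
# Added example (not from the exam page): Microsoft Graph PowerShell SDK.
# Assumes Policy.ReadWrite.ConditionalAccess consent and an onboarded Defender for Cloud Apps tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Shared conditions: all users except a break-glass account, Office 365 apps,
# and only devices that are not marked compliant (assumption: non-compliant == unmanaged).
$unmanagedDevices = @{
    deviceFilter = @{ mode = "include"; rule = "device.isCompliant -ne True" }
}
$users = @{ includeUsers = @("All"); excludeUsers = @("<break-glass-account-object-id>") }  # placeholder
$apps  = @{ includeApplications = @("Office365") }

# Policy 1: browser sessions are allowed but proxied, with downloads blocked
$browserOnly = @{
    displayName     = "Unmanaged devices - browser only, block downloads"   # constructed name
    state           = "enabledForReportingButNotEnforced"                   # report-only first, then "enabled"
    conditions      = @{
        users          = $users
        applications   = $apps
        clientAppTypes = @("browser")
        devices        = $unmanagedDevices
    }
    sessionControls = @{
        # "Block downloads" is the Conditional Access App Control session control
        cloudAppSecurity = @{ isEnabled = $true; cloudAppSecurityType = "blockDownloads" }
    }
}

# Policy 2: rich clients on the same devices are blocked outright
$blockClients = @{
    displayName   = "Unmanaged devices - block desktop and mobile apps"      # constructed name
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = $users
        applications   = $apps
        clientAppTypes = @("mobileAppsAndDesktopClients")
        devices        = $unmanagedDevices
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($body in @($browserOnly, $blockClients)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body |
        Select-Object Id, DisplayName, State
}
```

Review the sign-in logs in report-only mode before switching `state` to `enabled`, since a mistaken device filter here locks out every non-compliant device at once.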
Question 195
A company wants to automatically detect emails containing credit card information and ensure they are encrypted before being sent externally. Users must not be able to bypass the encryption. Which solution should the administrator deploy?
A) Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels
B) Microsoft Defender Safe Links Policies
C) Exchange Online Journaling Rules
D) Microsoft Purview Data Loss Prevention (DLP) Policies
Answer: Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels
Explanation:
The first solution enables automatic detection of sensitive financial information in outgoing emails and applies encryption with rights management restrictions. Exchange Mail Flow Rules evaluate email content, including headers, body, and attachments, to identify credit card numbers and other financial data. When combined with Microsoft Purview Sensitivity Labels, emails containing sensitive financial information are automatically encrypted. Rights management prevents recipients from forwarding, copying, or printing the email content, and enforcement occurs at the transport level, ensuring users cannot bypass the encryption.
Administrators can target specific departments such as Finance, Accounting, or Sales to ensure consistent policy enforcement. Detailed logging and reporting allow compliance teams to monitor email traffic, review policy enforcement, and generate audit reports. This ensures adherence to regulatory requirements such as PCI DSS. Automating detection and encryption reduces reliance on user awareness, prevents accidental exposure, and provides consistent protection for sensitive financial data.
Microsoft Defender Safe Links Policies are focused on protecting users from malicious URLs in email or documents. While important for security, Safe Links does not detect credit card information, apply encryption, or prevent forwarding.
Exchange Online Journaling Rules capture copies of emails for retention or auditing purposes but do not prevent external sharing or automatically encrypt messages. Journaling is reactive and does not provide real-time protection.
Microsoft Purview Data Loss Prevention (DLP) Policies can detect sensitive content and block sending or alert users. However, DLP alone may not automatically enforce encryption with rights management restrictions or prevent forwarding, printing, or copying, making it insufficient for automatic protection of sensitive financial emails.
Combining Exchange Mail Flow Rules with Microsoft Purview Sensitivity Labels provides real-time detection, automatic encryption, rights management enforcement, auditing, and compliance reporting. This ensures that all emails containing credit card information are protected, cannot be bypassed, and adhere to organizational and regulatory requirements.
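One way to build the transport rule described in Questions 193 and 195, as an added example that is not code from the exam page: an Exchange Online PowerShell mail flow rule that matches outbound messages containing credit card numbers and applies an encrypting template, so the sender cannot opt out. It assumes Connect-ExchangeOnline as an Exchange administrator and that a sensitivity label configured with encryption has been published (published labels surface to Exchange as RMS templates); the template name, report mailbox and rule name are placeholders.

```powershell
# Added example (not from the exam page): Exchange Online PowerShell (ExchangeOnlineManagement module).
# Assumes an Exchange administrator account; template name, mailbox and rule name are placeholders.
Connect-ExchangeOnline

$templateName  = "Confidential - Encrypt"          # placeholder: name of your encrypting sensitivity label
$reportMailbox = "compliance@contoso.example"      # placeholder: mailbox that receives incident reports

# Confirm Exchange can see the template before the rule references it
$template = Get-RMSTemplate | Where-Object { $_.Name -eq $templateName }
if (-not $template) { throw "Template '$templateName' not found; publish the label first." }

# Transport-level rule: any message leaving the organization that contains a
# credit card number is encrypted with the label's template. Because the action
# runs in transport, the user has no option to bypass it.
# For the health-information scenario (Question 193), swap the classification for
# identifiers such as "Drug Enforcement Agency (DEA) Number" or "U.S. Social Security Number (SSN)".
New-TransportRule -Name "Encrypt outbound credit card data" `
    -Priority 0 `
    -Mode Enforce `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(
        @{ Name = "Credit Card Number"; minCount = "1" }
    ) `
    -ApplyRightsProtectionTemplate $templateName `
    -GenerateIncidentReport $reportMailbox `
    -IncidentReportContent Sender, Recipients, Subject, Severity `
    -Comments "Added example: outbound encryption rule for PCI DSS scoped data"

# Verify the scope and action that will be enforced
Get-TransportRule -Identity "Encrypt outbound credit card data" |
    Format-List Name, State, Mode, SentToScope, MessageContainsDataClassifications, ApplyRightsProtectionTemplate
```

Run the rule with `-Mode Audit` first if you want incident reports without encryption while you tune the classification thresholds.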