Microsoft MS-102 Microsoft 365 Administrator Exam Dumps and Practice Test Questions Set 6 Q76-90

Question 76

A company wants to ensure that all documents containing financial information stored in SharePoint Online are automatically encrypted and access-restricted. Users should not have to manually classify content. Which Microsoft 365 solution should the administrator implement?

A) Microsoft Purview Sensitivity Labels with Auto-Labeling
B) Conditional Access Policies
C) Intune App Protection Policies
D) Exchange Online Retention Policies

Answer: A) Microsoft Purview Sensitivity Labels with Auto-Labeling

Explanation:

Organizations handling sensitive financial information need automated mechanisms to protect documents stored in SharePoint Online. Microsoft Purview Sensitivity Labels with Auto-Labeling provide a solution that automatically detects sensitive content and applies protection measures without user intervention. Administrators can define rules to detect financial information patterns, such as account numbers, transaction data, or credit card information. When a document matches a predefined pattern, the label is automatically applied, enforcing encryption and access restrictions based on organizational policies. This ensures that only authorized personnel can access the document, and usage restrictions can prevent actions such as copying, printing, or forwarding.

Conditional Access Policies control access to Microsoft 365 applications based on conditions like user identity, device compliance, location, and risk signals. While essential for secure sign-in, Conditional Access does not classify or encrypt content in SharePoint, and cannot apply automated protection to documents based on content.

Intune App Protection Policies focus on securing corporate data within managed applications, restricting actions like copy-paste, saving to personal storage, or printing. While effective for app-level protection, APP does not scan content or automatically apply encryption and access restrictions in SharePoint documents.

Exchange Online Retention Policies manage content lifecycle, defining retention and deletion schedules for emails and documents. Retention policies do not inspect content for sensitive financial information and cannot enforce encryption or access restrictions.

By implementing Microsoft Purview Sensitivity Labels with Auto-Labeling, organizations achieve automated, scalable protection for sensitive financial content in SharePoint Online. Administrators gain visibility into labeling activities and can refine auto-labeling rules to enhance accuracy. Users benefit from seamless protection without manual intervention, reducing the risk of accidental exposure or policy violations. Integrating sensitivity labels with Microsoft 365 workloads ensures compliance with regulations such as SOX, PCI DSS, or GDPR, while maintaining collaboration productivity. Automated enforcement strengthens data governance, minimizes human error, and aligns with zero-trust security principles, ensuring financial documents are consistently protected across the organization.

Question 77

A company wants to prevent users from sharing documents containing personally identifiable information (PII) externally via OneDrive, SharePoint, or Teams. If a user attempts to share such documents, sharing must be blocked automatically, and the user should receive a notification explaining the policy. Which Microsoft 365 solution should the administrator implement?

A) Microsoft 365 Data Loss Prevention (DLP) Policies
B) Exchange Online Retention Policies
C) Intune App Protection Policies
D) Conditional Access with Authentication Strengths

Answer: A) Microsoft 365 Data Loss Prevention (DLP) Policies

Explanation:

Protecting PII is critical for regulatory compliance and preventing data breaches. Microsoft 365 Data Loss Prevention (DLP) Policies provide automated detection and enforcement mechanisms across Microsoft 365 services such as OneDrive, SharePoint, and Teams. DLP policies scan files for predefined sensitive information types, including social security numbers, passport numbers, and other PII. When a policy detects sensitive content, sharing can be automatically blocked, and the user receives a notification explaining why the action is restricted.

Exchange Online Retention Policies govern the lifecycle of emails and documents, determining how long content should be preserved or deleted. While essential for compliance, retention policies do not analyze content for PII and cannot prevent external sharing based on content detection.

Intune App Protection Policies protect data within applications by controlling actions such as copy-paste, saving to personal storage, or printing. Although useful for endpoint security, APP does not analyze content in OneDrive, SharePoint, or Teams and cannot block sharing of sensitive data.

Conditional Access with Authentication Strengths enforces secure authentication methods, such as phishing-resistant MFA, for selected users. While it enhances identity security, it does not inspect content or prevent sharing of PII.

Implementing Microsoft 365 DLP Policies ensures sensitive content is automatically protected. Policies can target specific users, groups, or workloads for granular control. Real-time notifications educate users about policy violations, promoting secure behavior. Administrators can monitor incidents, refine rules, and generate reports for compliance purposes. DLP integrates with sensitivity labels and encryption for multi-layered protection. Automated enforcement reduces human error, mitigates data leakage risks, and ensures regulatory compliance with frameworks such as GDPR, HIPAA, or CCPA. Organizations maintain productivity while preventing unauthorized sharing, and administrators gain actionable insights into data protection activities.

Question 78

A company wants to require global administrators to use phishing-resistant authentication methods such as FIDO2 security keys, while standard users continue using standard multi-factor authentication (MFA). Which Microsoft 365 solution allows selective enforcement based on user roles?

A) Conditional Access with Authentication Strengths
B) Microsoft Purview Sensitivity Labels
C) Intune App Protection Policies
D) Exchange Online Retention Policies

Answer: A) Conditional Access with Authentication Strengths

Explanation:

Protecting high-privilege accounts is essential because these accounts have broad access to organizational resources and are primary targets for attacks. Conditional Access with Authentication Strengths in Azure Active Directory enables selective, role-based enforcement of authentication requirements. Administrators can require global administrators to use phishing-resistant methods such as FIDO2 security keys, while standard users continue using traditional MFA methods like authenticator app notifications or SMS codes.

Microsoft Purview Sensitivity Labels classify and protect content through encryption and access restrictions, but they do not enforce authentication or MFA policies and cannot target users based on roles.

Intune App Protection Policies manage data security within applications by restricting copy-paste, saving files to unmanaged apps, and printing. APP is critical for endpoint data protection but does not enforce authentication or MFA.

Exchange Online Retention Policies manage email and document lifecycles, specifying retention or deletion timelines. Retention policies do not affect authentication or role-based security measures.

Conditional Access with Authentication Strengths provides automated, role-based enforcement, ensuring high-risk accounts like global administrators are protected with phishing-resistant authentication while maintaining usability for standard users. Policies are applied at sign-in and integrated with risk-based adaptive access controls. Real-time monitoring allows administrators to track compliance, detect anomalies, and adjust policies. This zero-trust approach reduces the risk of account compromise, protects critical resources, and aligns with identity security best practices. Organizations benefit from stronger security for privileged accounts without disrupting standard users, achieving scalable, automated protection against phishing and credential attacks while ensuring compliance with regulatory and security frameworks.

Question 79

A company wants to ensure that Teams meeting recordings containing sensitive project information are automatically encrypted, labeled, and access-restricted. Users should not have to manually apply labels. Which Microsoft 365 solution should the administrator implement?

A) Microsoft Purview Sensitivity Labels with Auto-Labeling
B) Conditional Access Policies
C) Intune App Protection Policies
D) Exchange Online Retention Policies

Answer: A) Microsoft Purview Sensitivity Labels with Auto-Labeling

Explanation:

Organizations that conduct sensitive project discussions in Teams must ensure that recorded content is protected against unauthorized access. Microsoft Purview Sensitivity Labels with Auto-Labeling provide automated classification and protection for Teams meeting recordings. Administrators can define rules that detect sensitive content within recordings, automatically applying labels that enforce encryption and access restrictions. This ensures that only authorized personnel can access the content, and usage restrictions can prevent actions such as downloading, copying, or sharing the recordings externally. Users do not need to manually classify content, reducing the risk of human error and ensuring consistent application of security policies.

Conditional Access Policies focus on controlling access to Microsoft 365 applications based on conditions like user identity, device compliance, location, or risk signals. While critical for protecting sign-in processes, Conditional Access does not classify or encrypt Teams recordings based on content. Its primary role is access control rather than content protection.

Intune App Protection Policies protect organizational data within managed applications, restricting actions such as copy-paste, printing, or saving data to personal storage. While useful for endpoint data protection, APP does not automatically classify or label Teams recordings or enforce content-specific restrictions.

Exchange Online Retention Policies manage the lifecycle of emails and documents by specifying retention and deletion schedules. Retention policies do not classify or encrypt Teams recordings and cannot enforce access restrictions based on content.

Implementing Microsoft Purview Sensitivity Labels with Auto-Labeling ensures that Teams meeting recordings containing sensitive project information are automatically protected. Auto-labeling rules can be based on keywords, patterns, or metadata associated with sensitive content. Once applied, labels enforce encryption and restrict access to authorized users, supporting regulatory compliance and data governance. Administrators can monitor labeling activity, generate reports, and refine rules for better accuracy. Users benefit from seamless protection without needing to manually classify content, reducing policy violations and data leakage risks. Integrating sensitivity labels with Microsoft 365 workloads ensures organization-wide security, consistent policy enforcement, and compliance with data protection standards. Automated classification and labeling align with zero-trust principles, safeguarding sensitive information while maintaining collaboration productivity. This approach enhances governance, mitigates risks, and supports secure information sharing across the organization.

Question 80

A company wants to prevent users from sharing files containing personally identifiable information (PII) externally via OneDrive, SharePoint, or Teams. If a user attempts to share such files, sharing must be blocked automatically, and the user must receive a notification explaining the policy violation. Which Microsoft 365 solution should the administrator configure?

A) Microsoft 365 Data Loss Prevention (DLP) Policies
B) Exchange Online Retention Policies
C) Intune App Protection Policies
D) Conditional Access with Authentication Strengths

Answer: A) Microsoft 365 Data Loss Prevention (DLP) Policies

Explanation:

Organizations that handle PII must protect data from unauthorized sharing to maintain compliance with regulations like GDPR, CCPA, and HIPAA. Microsoft 365 Data Loss Prevention (DLP) Policies provide automated content inspection, enforcement, and user notification across Microsoft 365 services, including OneDrive, SharePoint, and Teams. DLP policies can detect predefined sensitive information types, such as social security numbers, passport numbers, or employee IDs, and automatically block external sharing of files containing such information. Users receive a policy tip notification explaining why sharing was blocked, promoting awareness and encouraging secure data handling practices.

Exchange Online Retention Policies define how long emails or documents should be retained or deleted. While important for compliance, retention policies do not inspect file content for PII and cannot prevent sharing of sensitive files externally. Retention focuses on the lifecycle of content, not real-time protection or policy enforcement.

Intune App Protection Policies secure corporate data within applications by restricting actions such as copy-paste, printing, or saving to unmanaged storage. While APP helps protect data on endpoints, it does not analyze content within OneDrive, SharePoint, or Teams, and cannot automatically block sharing of PII.

Conditional Access with Authentication Strengths enforces strong authentication methods, such as phishing-resistant MFA, for selected users or groups. While it enhances identity security, it does not inspect content or prevent users from sharing sensitive information externally.

Implementing Microsoft 365 DLP Policies ensures sensitive PII is automatically protected across collaboration platforms. Policies can be targeted to specific users, groups, or workloads to provide granular control. Real-time notifications educate users about policy violations, reducing the risk of repeated mistakes. Administrators gain real-time monitoring and reporting capabilities to detect potential data leaks, refine detection rules, and generate compliance reports. DLP can integrate with sensitivity labels and encryption to provide multi-layered protection for sensitive content. Automated enforcement minimizes human error, mitigates risks of unauthorized data exposure, and ensures organizational compliance. By implementing DLP, companies can maintain secure collaboration, protect sensitive data from accidental or intentional sharing, and provide administrators with visibility into policy enforcement activities.

Question 81

A company wants to require global administrators to use phishing-resistant authentication methods, such as FIDO2 security keys, while standard users continue using conventional multi-factor authentication (MFA). Which Microsoft 365 solution allows selective enforcement based on user roles?

A) Conditional Access with Authentication Strengths
B) Microsoft Purview Sensitivity Labels
C) Intune App Protection Policies
D) Exchange Online Retention Policies

Answer: A) Conditional Access with Authentication Strengths

Explanation:

High-privilege accounts, including global administrators, are frequent targets for phishing and credential-based attacks. Conditional Access with Authentication Strengths in Azure Active Directory allows organizations to enforce role-based authentication policies selectively. Global administrators can be required to use phishing-resistant methods like FIDO2 security keys, while standard users continue authenticating with conventional MFA methods, such as authenticator app notifications or SMS codes. This selective enforcement strengthens security for high-risk accounts without introducing unnecessary friction for regular users.

Microsoft Purview Sensitivity Labels classify and protect content through encryption and access restrictions but do not enforce authentication policies or MFA. They are content-focused and cannot implement role-based authentication requirements.

Intune App Protection Policies govern data handling within applications, controlling actions like copy-paste, saving to unmanaged storage, or printing. While important for securing corporate data, APP does not enforce authentication methods or differentiate requirements based on user roles.

Exchange Online Retention Policies manage the lifecycle of emails and documents by defining retention and deletion schedules. Retention policies do not enforce authentication or MFA requirements and are unrelated to access control.

Conditional Access with Authentication Strengths enables automated, role-based enforcement, ensuring high-privilege accounts are protected with phishing-resistant methods. Policies are evaluated during sign-in and can incorporate additional factors such as risk signals or location to provide adaptive protection. Administrators gain real-time monitoring and reporting to track compliance, detect anomalies, and adjust policies as necessary. This approach aligns with zero-trust principles, minimizing the risk of compromise for critical accounts while maintaining usability for standard users. Organizations benefit from scalable, automated security that reduces attack surfaces, enhances compliance, and protects critical resources against phishing and credential theft. Integrating Conditional Access with Authentication Strengths provides a reliable, automated framework to safeguard high-risk accounts without disrupting organizational productivity.

Question 82

A company wants to automatically apply encryption and access restrictions to all documents stored in SharePoint Online that contain personally identifiable information (PII). Users should not have to manually label content. Which Microsoft 365 solution should the administrator implement?

A) Microsoft Purview Sensitivity Labels with Auto-Labeling
B) Conditional Access Policies
C) Intune App Protection Policies
D) Exchange Online Retention Policies

Answer: A) Microsoft Purview Sensitivity Labels with Auto-Labeling

Explanation:

Protecting personally identifiable information (PII) is crucial for compliance with regulations such as GDPR, CCPA, and HIPAA. Microsoft Purview Sensitivity Labels with Auto-Labeling provide automated detection and protection for documents stored in SharePoint Online. Administrators can configure rules that detect sensitive information patterns, such as social security numbers, driver’s license numbers, or employee IDs. When a document matches the rule, a sensitivity label is automatically applied. The label enforces encryption and access restrictions, ensuring only authorized users can access the document. Usage restrictions can prevent copying, printing, or forwarding, reducing the risk of data leakage.

Conditional Access Policies enforce access control based on conditions such as user identity, device compliance, or location. While Conditional Access is effective for managing who can sign in or access resources, it does not classify content or apply encryption based on the presence of PII. Its primary function is to secure access rather than protect data content.

Intune App Protection Policies focus on securing corporate data within managed applications, restricting actions like copy-paste, printing, or saving to personal storage. While effective for endpoint-level protection, APP does not scan content or automatically apply labels to documents in SharePoint Online, making it unsuitable for automated content protection.

Exchange Online Retention Policies manage the lifecycle of emails and documents, determining how long content should be preserved or deleted. Retention policies do not analyze content for sensitive data and cannot automatically apply encryption or access restrictions.

Implementing Microsoft Purview Sensitivity Labels with Auto-Labeling ensures consistent, automated protection for PII across SharePoint Online. Users benefit from seamless enforcement, reducing the chance of accidental exposure. Administrators can monitor labeling activity, adjust auto-labeling rules, and generate reports for compliance auditing. Integration with Microsoft 365 workloads creates an organization-wide protection strategy, aligning with zero-trust principles. Automated labeling reduces human error, strengthens governance, and ensures compliance while allowing collaboration to continue securely. Sensitivity labels enhance visibility into how sensitive content is used and accessed, enabling organizations to refine policies over time and maintain strong data protection practices. By automatically encrypting and restricting access, organizations reduce risk, support regulatory requirements, and provide a reliable mechanism to safeguard PII without disrupting user productivity.

Question 83

A company wants to prevent users from sharing emails or documents containing credit card information externally via Exchange Online, SharePoint, or OneDrive. If a user attempts to share such content, the action must be blocked automatically, and the user should be notified. Which Microsoft 365 solution should the administrator implement?

A) Microsoft 365 Data Loss Prevention (DLP) Policies
B) Exchange Online Retention Policies
C) Intune App Protection Policies
D) Conditional Access with Authentication Strengths

Answer: A) Microsoft 365 Data Loss Prevention (DLP) Policies

Explanation:

Organizations that handle financial information such as credit card numbers must implement automated controls to prevent accidental or unauthorized sharing. Microsoft 365 Data Loss Prevention (DLP) Policies provide content inspection, enforcement, and user notification across Microsoft 365 services including Exchange Online, SharePoint, and OneDrive. DLP policies can detect predefined sensitive information types, including credit card numbers, and block emails or document sharing that violates policy. Users receive a notification explaining why the sharing was blocked, promoting awareness and adherence to organizational data protection policies.

Exchange Online Retention Policies manage the lifecycle of emails and documents, including retention and deletion schedules. While important for compliance, retention policies do not inspect content in real time and cannot prevent sensitive information from being shared externally. Retention focuses on content preservation, not proactive protection.

Intune App Protection Policies secure corporate data within applications, restricting actions such as copy-paste, printing, or saving to personal storage. While APP is effective for endpoint-level data protection, it does not analyze content within emails or documents, and cannot block sharing of credit card information automatically.

Conditional Access with Authentication Strengths enforces secure authentication methods such as phishing-resistant MFA for specific users. Although it strengthens identity security, it does not inspect content for sensitive information or block sharing.

By implementing Microsoft 365 DLP Policies, organizations can automatically enforce protection for credit card information across multiple workloads. Policies can be targeted to users, groups, or locations for granular control. Real-time notifications educate users about policy violations, reducing repeat mistakes. Administrators gain reporting and monitoring capabilities to track attempted policy breaches, refine rules, and ensure compliance with regulations such as PCI DSS. Integration with sensitivity labels and encryption further strengthens content protection. Automated enforcement reduces human error, mitigates data leakage risks, and maintains productivity by allowing secure collaboration. Organizations benefit from consistent application of security policies, enhanced governance, and robust data protection mechanisms.

Question 84

A company wants to require global administrators to use phishing-resistant authentication methods, such as FIDO2 security keys, while standard users continue using traditional multi-factor authentication (MFA). Which Microsoft 365 solution allows selective enforcement based on user roles?

A) Conditional Access with Authentication Strengths
B) Microsoft Purview Sensitivity Labels
C) Intune App Protection Policies
D) Exchange Online Retention Policies

Answer: A) Conditional Access with Authentication Strengths

Explanation:

High-privilege accounts like global administrators are prime targets for phishing and credential-based attacks. Conditional Access with Authentication Strengths in Azure Active Directory allows organizations to enforce selective authentication policies based on user roles or groups. Global administrators can be required to use phishing-resistant methods, such as FIDO2 security keys, while standard users continue to use conventional MFA methods like authenticator app notifications or SMS codes. This ensures stronger protection for high-risk accounts without introducing friction for regular users.

Microsoft Purview Sensitivity Labels focus on classifying and protecting content through encryption and access restrictions. They do not enforce authentication or MFA policies and cannot selectively target user roles for different authentication requirements.

Intune App Protection Policies manage corporate data within applications, restricting copy-paste, printing, and saving to unmanaged locations. While important for data protection on devices, APP does not control authentication methods or enforce role-based MFA.

Exchange Online Retention Policies manage email and document lifecycles but do not impact authentication or access control. Retention policies are unrelated to securing high-privilege accounts.

Conditional Access with Authentication Strengths enables organizations to implement a zero-trust model by applying role-based authentication policies automatically. Policies evaluate user sign-ins in real time, ensuring compliance for high-privilege accounts. Administrators can monitor usage, track compliance, and detect anomalies. This approach reduces the risk of compromised global administrator accounts, protecting critical resources while maintaining usability for standard users. Real-time enforcement and reporting provide visibility into policy adherence, allowing organizations to adjust security settings as needed. Conditional Access with Authentication Strengths provides scalable, automated, and role-based protection, ensuring critical accounts are secured against phishing and credential attacks without disrupting productivity for regular users. Integrating this solution aligns with security best practices and regulatory requirements for high-risk accounts, creating a robust identity protection strategy.

Question 85

A company wants to prevent users from sharing documents containing sensitive health information externally via OneDrive, SharePoint, or Teams. If a user attempts to share such content, sharing must be blocked automatically, and the user must be notified. Which Microsoft 365 solution should the administrator implement?

A) Microsoft 365 Data Loss Prevention (DLP) Policies
B) Exchange Online Retention Policies
C) Intune App Protection Policies
D) Conditional Access with Authentication Strengths

Answer: A) Microsoft 365 Data Loss Prevention (DLP) Policies

Explanation:

Organizations that handle sensitive health information, such as patient records or medical data, must protect it from unauthorized sharing to comply with regulations like HIPAA. Microsoft 365 Data Loss Prevention (DLP) Policies provide automated detection, enforcement, and notification capabilities across Microsoft 365 services, including OneDrive, SharePoint, and Teams. DLP policies can identify sensitive information types such as medical record numbers, health insurance IDs, or personal health details. When such content is detected, sharing is blocked automatically, and users receive a notification explaining the policy violation, promoting awareness and compliance with organizational standards.

Exchange Online Retention Policies manage the lifecycle of emails and documents, including retention and deletion schedules. While essential for compliance, retention policies do not inspect content for sensitive health information and cannot block sharing of sensitive documents externally. Retention focuses on the lifecycle of content rather than real-time data protection.

Intune App Protection Policies secure corporate data within managed applications by restricting actions like copy-paste, printing, or saving to personal storage. While effective for endpoint-level protection, APP does not scan content in OneDrive, SharePoint, or Teams, and cannot automatically block sharing of sensitive health data.

Conditional Access with Authentication Strengths enforces secure authentication methods, such as phishing-resistant MFA, for selected users or groups. Although it strengthens identity security, it does not inspect content or prevent the external sharing of sensitive health information.

By implementing Microsoft 365 DLP Policies, organizations can ensure that sensitive health information is automatically protected across multiple workloads. Policies can be targeted at specific users, groups, or content locations for granular control. Real-time notifications educate users about policy violations, reducing repeated mistakes and encouraging secure data handling practices. Administrators gain monitoring and reporting capabilities to track potential policy breaches, refine detection rules, and generate compliance reports. Integration with sensitivity labels and encryption provides an additional layer of protection. Automated enforcement reduces human error, mitigates risks of data leakage, and ensures regulatory compliance while allowing users to collaborate securely. DLP policies provide visibility into attempted sharing activities, allowing organizations to maintain strong governance and data protection across all Microsoft 365 services.

Question 86

A company wants to automatically apply encryption and access restrictions to all Teams meeting recordings that contain sensitive financial data. Users should not have to manually apply labels. Which Microsoft 365 solution should the administrator implement?

A) Microsoft Purview Sensitivity Labels with Auto-Labeling
B) Conditional Access Policies
C) Intune App Protection Policies
D) Exchange Online Retention Policies

Answer: A) Microsoft Purview Sensitivity Labels with Auto-Labeling

Explanation:

Protecting financial information captured in Teams meetings is critical for compliance and risk management. Microsoft Purview Sensitivity Labels with Auto-Labeling provides automated mechanisms to classify, encrypt, and apply access restrictions to content. Administrators can define rules that detect sensitive financial data in meeting recordings, such as bank account numbers, credit card information, or financial statements. Once detected, labels are automatically applied, enforcing encryption and restricting access to authorized users. Usage restrictions prevent actions such as downloading, copying, or sharing recordings externally, reducing the risk of data leakage. Users benefit from seamless protection without needing to manually classify content, ensuring consistent enforcement of organizational policies.

Conditional Access Policies enforce access control to Microsoft 365 applications based on conditions such as user identity, device compliance, location, and risk signals. Although Conditional Access strengthens access security, it does not classify or encrypt content within Teams recordings. Its focus is controlling access rather than protecting content.

Intune App Protection Policies control the use of corporate data within managed applications by restricting copy-paste, printing, and local storage. While APP helps protect data at the endpoint, it does not automatically label, encrypt, or restrict access to Teams recordings based on content detection.

Exchange Online Retention Policies manage the lifecycle of emails and documents, determining how long content should be preserved or deleted. Retention policies do not detect content for sensitive financial information or apply automatic protection.

Implementing Microsoft Purview Sensitivity Labels with Auto-Labeling ensures consistent, automated protection of Teams meeting recordings containing financial data. Auto-labeling rules scan content for keywords, metadata, or patterns associated with sensitive information. Once labeled, encryption and access restrictions are enforced automatically, ensuring only authorized users can view the recordings. Administrators can monitor labeling activity, adjust auto-labeling rules, and generate compliance reports. This automated enforcement minimizes human error, mitigates risk, and supports regulatory compliance, including SOX and PCI DSS. Users experience a seamless workflow, reducing friction while maintaining productivity. Integrating sensitivity labels with Microsoft 365 workloads ensures organization-wide protection, strengthens governance, and aligns with zero-trust principles. The approach enables secure collaboration, protects sensitive financial data, and provides administrators with visibility and control over content access and usage.

Question 87

A company wants to require global administrators to use phishing-resistant authentication methods, such as FIDO2 security keys, while standard users continue using conventional multi-factor authentication (MFA). Which Microsoft 365 solution allows selective enforcement based on user roles?

A) Conditional Access with Authentication Strengths
B) Microsoft Purview Sensitivity Labels
C) Intune App Protection Policies
D) Exchange Online Retention Policies

Answer: A) Conditional Access with Authentication Strengths

Explanation:

Global administrator accounts are highly targeted by attackers due to their broad privileges. Conditional Access with Authentication Strengths in Azure Active Directory allows selective enforcement of strong authentication requirements based on user roles. Global administrators can be required to use phishing-resistant methods like FIDO2 security keys, while standard users continue to authenticate using conventional MFA methods such as authenticator app notifications or SMS codes. This selective enforcement strengthens the security of high-risk accounts without disrupting productivity for standard users.

Microsoft Purview Sensitivity Labels focus on classifying and protecting content through encryption and access restrictions. While effective for securing documents and emails, sensitivity labels do not enforce authentication methods or differentiate between user roles.

Intune App Protection Policies secure corporate data within managed applications by restricting copy-paste, printing, and saving to personal storage. APP protects data but does not enforce authentication or MFA policies based on roles.

Exchange Online Retention Policies manage the lifecycle of emails and documents, defining retention or deletion schedules. Retention policies do not enforce authentication or MFA requirements and cannot selectively protect high-privilege accounts.

Conditional Access with Authentication Strengths provides automated, role-based enforcement of strong authentication, aligning with zero-trust security principles. Policies are evaluated at sign-in, ensuring high-risk accounts comply with phishing-resistant authentication requirements. Administrators can monitor compliance, detect anomalies, and adjust policies in real time. This approach reduces the risk of compromised global administrator accounts, protecting critical organizational resources while maintaining usability for standard users. Automated enforcement ensures that high-privilege accounts are consistently secured, supporting regulatory compliance and best practices in identity and access management. By integrating Conditional Access with Authentication Strengths, organizations achieve scalable, automated protection for privileged accounts, minimize attack surfaces, and provide strong identity security without impeding standard user workflows.

Question 88

A company wants to ensure that all documents containing sensitive intellectual property stored in SharePoint Online are automatically encrypted and access-restricted. Users should not have to manually label content. Which Microsoft 365 solution should the administrator implement?

A) Microsoft Purview Sensitivity Labels with Auto-Labeling
B) Conditional Access Policies
C) Intune App Protection Policies
D) Exchange Online Retention Policies

Answer: A) Microsoft Purview Sensitivity Labels with Auto-Labeling

Explanation:

Protecting sensitive intellectual property (IP) is critical for organizations to maintain competitive advantage and comply with regulatory requirements. Microsoft Purview Sensitivity Labels with Auto-Labeling provides an automated mechanism to classify, encrypt, and restrict access to documents stored in SharePoint Online. Administrators can configure rules that detect sensitive content based on patterns, keywords, or metadata associated with intellectual property. Once a document meets the criteria, the sensitivity label is automatically applied, enforcing encryption and restricting access to authorized users. Usage restrictions can prevent copying, printing, or sharing externally, reducing the risk of data leakage.

Conditional Access Policies focus on controlling access to Microsoft 365 applications based on user identity, device compliance, location, or risk level. While essential for protecting sign-in processes and access, Conditional Access does not classify content or automatically apply encryption to sensitive documents. Its primary function is access management, not content protection.

Intune App Protection Policies secure corporate data within managed applications by restricting actions such as copy-paste, printing, or saving to personal storage. APP provides endpoint-level protection but does not scan content in SharePoint Online or automatically apply labels to enforce encryption and access restrictions.

Exchange Online Retention Policies manage the lifecycle of emails and documents, specifying retention and deletion schedules. Retention policies do not inspect content or apply protection to intellectual property; they are primarily designed to ensure compliance with content preservation requirements.

Implementing Microsoft Purview Sensitivity Labels with Auto-Labeling ensures that sensitive intellectual property is consistently protected without relying on manual user action. Administrators can monitor labeling activity, adjust rules to improve accuracy, and generate compliance reports. Auto-labeling supports organization-wide governance by ensuring that sensitive content is encrypted and access-restricted automatically. This approach aligns with zero-trust principles, reducing human error and mitigating the risk of data leakage. Users experience seamless protection without disruption to productivity, allowing collaboration to continue securely. By integrating sensitivity labels with Microsoft 365 workloads, organizations strengthen data governance, maintain compliance with IP protection standards, and ensure that sensitive content remains secure against unauthorized access. The automated application of encryption and access restrictions enhances visibility, reduces operational risk, and supports regulatory compliance, providing a robust framework for protecting organizational intellectual property.

Question 89

A company wants to prevent users from sharing emails or documents containing personally identifiable information (PII) externally via Exchange Online, SharePoint, or OneDrive. If a user attempts to share such content, sharing must be blocked automatically, and the user must be notified. Which Microsoft 365 solution should the administrator implement?

A) Microsoft 365 Data Loss Prevention (DLP) Policies
B) Exchange Online Retention Policies
C) Intune App Protection Policies
D) Conditional Access with Authentication Strengths

Answer: A) Microsoft 365 Data Loss Prevention (DLP) Policies

Explanation:

Protecting personally identifiable information (PII) is essential for regulatory compliance and maintaining trust with customers and employees. Microsoft 365 Data Loss Prevention (DLP) Policies provide automated inspection, enforcement, and notification across Microsoft 365 services, including Exchange Online, SharePoint, and OneDrive. DLP policies can detect sensitive information types such as social security numbers, passport numbers, and other PII. When such content is detected, external sharing is automatically blocked, and the user receives a notification explaining the violation. This ensures compliance and educates users on proper data handling practices.

Exchange Online Retention Policies manage the lifecycle of emails and documents, defining retention and deletion periods. While essential for long-term compliance, retention policies do not inspect content for sensitive data and cannot prevent sharing of PII. Retention focuses on preservation, not real-time protection.

Intune App Protection Policies provide security for corporate data within managed applications by restricting copy-paste, printing, or saving data to unmanaged locations. While effective for endpoint-level protection, APP does not analyze content in Exchange Online, SharePoint, or OneDrive and cannot automatically block sharing of sensitive PII.

Conditional Access with Authentication Strengths enforces secure authentication, such as phishing-resistant MFA, for selected users. While important for identity security, it does not inspect content or prevent sharing of sensitive information externally.

Implementing Microsoft 365 DLP Policies ensures that PII is automatically protected across collaboration platforms. Policies can target specific users, groups, or workloads for granular control. Real-time notifications educate users about violations, encouraging secure behavior and reducing repeated mistakes. Administrators gain visibility into attempted policy breaches, can refine rules, and generate compliance reports. DLP can integrate with sensitivity labels and encryption to provide multi-layered protection. Automated enforcement reduces human error, mitigates the risk of data leakage, and ensures regulatory compliance with frameworks such as GDPR, HIPAA, or CCPA. Organizations benefit from secure collaboration, consistent application of policies, and visibility into data protection activities, maintaining governance while enabling productivity.
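As an added illustration (not part of the original question set), the scenario in this question could be configured with Security & Compliance PowerShell roughly as follows. The policy and rule names and the policy-tip wording are hypothetical, and the policy starts in test mode so that matches can be reviewed before blocking is switched on.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and a role
# that can manage DLP policies in Microsoft Purview.
Connect-IPPSSession

# Hypothetical names chosen for this example.
$policyName = 'Example - Block external sharing of PII'
$ruleName   = 'Example - PII shared outside the organization'

# 1. Policy: covers the three workloads named in the question.
#    TestWithNotifications logs matches and shows policy tips
#    without enforcing the block yet.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Added example: detect PII shared externally' `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# 2. Sensitive information types to detect (built-in types; a match on
#    either one triggers the rule).
$piiTypes = @(
    @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' },
    @{ Name = 'U.S. / U.K. Passport Number';       minCount = '1' }
)

# 3. Rule: applies only when content is shared outside the organization,
#    blocks access, and notifies the content owner with a policy tip.
New-DlpComplianceRule -Name $ruleName `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $piiTypes `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This item contains PII and cannot be shared externally.'

# 4. Review what was created before enforcing.
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, AccessScope, BlockAccess, NotifyUser

# 5. After reviewing test-mode matches, switch the policy to enforcement:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Running in test mode first shows how many legitimate messages and files the rule would have blocked, which is the usual way to tune detection before users see hard blocks.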

Question 90

A company wants to require global administrators to use phishing-resistant authentication methods, such as FIDO2 security keys, while standard users continue using conventional multi-factor authentication (MFA). Which Microsoft 365 solution allows selective enforcement based on user roles?

A) Conditional Access with Authentication Strengths
B) Microsoft Purview Sensitivity Labels
C) Intune App Protection Policies
D) Exchange Online Retention Policies

Answer: A) Conditional Access with Authentication Strengths

Explanation:

High-privilege accounts, such as global administrators, tenant administrators, and other elevated roles, are among the most valuable targets for attackers in any cloud environment. Because these accounts hold broad and often unrestricted access to organizational resources, compromising them can lead to catastrophic consequences, including data breaches, service disruption, privilege escalation, and loss of governance. As a result, organizations must implement stronger and more adaptive security controls for these critical accounts. Conditional Access combined with Authentication Strengths in Azure Active Directory provides a highly effective and flexible method to achieve this level of protection.

Conditional Access enables organizations to apply identity-driven policies that determine how and when users can access cloud applications and services. The addition of Authentication Strengths allows administrators to specify the category or level of authentication that must be used in different scenarios. This combination makes it possible to require stronger, phishing-resistant authentication methods for high-privilege users while allowing standard users to continue using more common MFA methods. For example, global administrators can be required to use FIDO2 security keys, certificate-based authentication, or Windows Hello for Business, all of which are considered highly secure and resistant to phishing attacks. Meanwhile, regular users can authenticate using familiar methods such as authenticator app notifications, SMS codes, or voice calls, ensuring minimal disruption to daily workflows.

One of the core advantages of using Conditional Access with Authentication Strengths is the ability to apply differentiated security based on user roles, group memberships, application sensitivity, device conditions, locations, and risk levels. This aligns closely with zero-trust principles, which emphasize verifying explicitly, enforcing least privilege, and continually evaluating trust before granting access. Conditional Access policies evaluate sign-in attempts in real time, considering user identity signals, device compliance states, session risk, and sign-in risk. When privileged users attempt access, the system automatically enforces the predefined stronger authentication methods, preventing sign-in unless the stringent criteria are met. This automated enforcement significantly reduces risk, ensuring that no privileged account can bypass security requirements or fall back to weaker MFA methods.

Microsoft Purview Sensitivity Labels, while extremely valuable for protecting and classifying content, do not play a role in controlling authentication flows. Sensitivity Labels are used to encrypt data, enforce usage restrictions, apply visual markings, and govern data access. They serve as a content-level protection layer but do not impose MFA or authentication requirements. A label cannot differentiate the authentication requirements of a global administrator versus a standard user, so it cannot address the need for role-based authentication enforcement.

Similarly, Intune App Protection Policies (APP) focus on protecting data within applications on managed and unmanaged devices. These policies can enforce restrictions like preventing data from being copied to personal apps or blocking the saving of corporate files to unauthorized locations. However, APP policies do not govern authentication methods. They cannot require privileged users to use phishing-resistant authentication or enforce role-based MFA requirements. Their purpose is to secure data within app boundaries, not to control how identities are authenticated.

Exchange Online Retention Policies also fall outside the scope of authentication controls. These policies define how long emails and other mailbox items are retained and when they should be deleted. Their role is to satisfy regulatory, legal, or business record-keeping requirements. Retention settings do not influence authentication methods, user role assignments, or sign-in flows. Therefore, they cannot support selective MFA enforcement or provide added protection for global administrator accounts.

Conditional Access with Authentication Strengths stands out because it offers a holistic, automated, and scalable method to secure privileged identities without undermining productivity for standard users. Administrators can easily monitor policy effectiveness, track sign-in attempts, and review risk detections through built-in Azure AD reporting and Microsoft Entra ID security tools. If anomalies are detected—such as repeated failed sign-ins, unfamiliar locations, or risky behaviors—organizations can adjust policies or increase authentication requirements as needed.

By enforcing phishing-resistant authentication for privileged accounts, organizations dramatically reduce the likelihood of social engineering attacks, MFA fatigue attacks, password spraying, or credential replay attacks succeeding against their most critical identities. This is essential for maintaining compliance with cybersecurity standards, protecting sensitive administrative functions, and ensuring that attackers cannot gain control of high-impact systems. Meanwhile, everyday users are not burdened by unnecessarily strict authentication requirements, which helps maintain user satisfaction and prevents security fatigue.

Integrating Conditional Access with Authentication Strengths creates a powerful, adaptive, and identity-focused framework. It strengthens identity protection, safeguards privileged users, enhances compliance posture, and provides a scalable and automated approach to enforcing secure authentication methods. By adopting this strategy, organizations can significantly reduce their exposure to advanced identity threats while supporting a productive and user-friendly authentication experience for all users.
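As an added illustration (not part of the original question set), a role-targeted policy of the kind described above can be created with Microsoft Graph PowerShell. The display name and the emergency-access group placeholder are assumptions for this example; the policy is created in report-only mode so its effect can be checked in the sign-in logs before enforcement.

```powershell
# Added example. Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Well-known role template ID of the built-in Global Administrator role.
$globalAdminRoleTemplateId = '62e90394-69f5-4237-9190-012177145e10'

# Placeholder: object ID of a group holding emergency-access accounts.
# Excluding such a group is an assumption of this example, made so that a
# lost security key cannot lock every administrator out of the tenant.
$breakGlassGroupId = '<object-id-of-emergency-access-group>'

# Look up the built-in "Phishing-resistant MFA" authentication strength
# instead of hard-coding its ID.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' }
if (-not $strength) {
    throw 'Built-in phishing-resistant authentication strength not found.'
}

$policy = @{
    displayName = 'Example - Global admins require phishing-resistant MFA'
    # Report-only: evaluated and logged at sign-in, but not enforced.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            # Scope by directory role, not by individual account, so new
            # Global Administrators are covered automatically.
            includeRoles  = @($globalAdminRoleTemplateId)
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        # Grant access only if the sign-in satisfies this strength
        # (FIDO2 key, Windows Hello for Business, or certificate-based
        # authentication).
        authenticationStrength = @{ id = $strength.Id }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Format-List Id, DisplayName, State

# After reviewing report-only results in the sign-in logs, enforce it:
# Update-MgIdentityConditionalAccessPolicy `
#     -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

Standard users are untouched by this policy because it includes only the Global Administrator role; their conventional MFA requirement would come from a separate policy.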