Question 1

Where can region specific Microsoft penetration test results and security assessment documents be accessed?

Question 2

Which product in the Microsoft 365 suite includes the components Connections, Insights, Learning, and Topics?

Question 3

Which Microsoft 365 features can be used to protect corporate data on employees personal mobile devices? (Choose 3)

Question 4

Which cloud service model offers a managed environment for developing, deploying, and running web applications?

Question 5

Can store apps be installed in the hub so they run inside team chats and channels?

Question 6

Which migration approach should you use to move to Microsoft 365 while preserving a SharePoint site that is protected by third party encryption?

Question 7

Which Microsoft 365 application requires installation on a Windows desktop in order to run locally?

Question 8

Which Microsoft 365 workload is designed to host stream and manage an organization’s training videos?

Question 9

In what ways does Endpoint Manager support a Zero Trust approach for ensuring device compliance and enforcing access control?

Question 10

Which Microsoft Sentinel integrated tool provides an interactive canvas in the Azure portal for exploring telemetry data and building visual reports?

Question 11

Which dashboard widget helps plan and monitor the assigned capacity of team members during a sprint?

Question 12

Which Microsoft 365 service provides reports for device compliance, device health, and fleet trend metrics?

Question 13

Within a tenant how is the term “Directory” used in the context of identity and access resources?

Question 14

What is the best way to prevent all users except the IT team from receiving Microsoft 365 feature updates until those updates are approved by IT?

Question 15

Does Conditional Access App Control enforce policies in both Microsoft and third party cloud applications and does Microsoft Secure Score provide direct control over access and user activities in cloud applications?

Question 16

Can an organization purchase subscription licenses through the Cloud Solution Provider program to run software on its own servers?

Question 17

Can third party applications be added to Microsoft Teams and can applications from the Microsoft Store be installed directly within Teams?

Question 18

Can Microsoft 365 data loss prevention policies locate sensitive content in Teams and SharePoint and support exporting the discovered items for review?

Question 19

Is each Windows 365 Cloud PC assigned to a single user and does it retain that user’s personal settings across sessions?

Question 20

Which Microsoft platform is specifically designed for customer relationship management applications?

Question 21

Which Microsoft Sentinel feature displays an interactive graph that lets you explore entities and visualize their relationships during an incident?

Question 22

Which capability is available only in Microsoft 365 Cloud PCs and not in Azure Virtual Desktop?

Question 23

Which release type provides preview quality updates so organizations can validate non security fixes before those fixes are included in the next monthly cumulative update?

Question 24

What is the primary role of Defender Vulnerability Management within an organization’s cybersecurity program?

Question 25

If Microsoft 365 Apps for Enterprise is deactivated on a device, what action can still be performed on that device?

Question 26

Which Microsoft 365 service is specifically built to store and stream corporate training videos?

Question 27

Which Microsoft 365 features let you apply confidentiality labels to files and prevent them from being shared externally? (Choose 2)

Question 28

How does Microsoft Copilot for Microsoft 365 help users while they work within Microsoft 365 apps?

Question 29

Do Platform as a Service offerings include end-user applications such as office suites, endpoint management tools, and CRM applications?

Question 30

Which solution allows users to sign in to cloud applications using their on premises Active Directory credentials?

Question 1

The correct option is Regional Compliance page of the Microsoft Trust Center.

The Regional Compliance page of the Microsoft Trust Center is where Microsoft publishes region specific compliance artifacts and guidance, and it links to provider level security assessment documents and penetration test summaries that vary by country or region. This page serves as the official hub for customers to find region specific evidence and directions for requesting additional materials.

Microsoft 365 security center is a tenant level console for managing and monitoring security settings and incidents for your organization, and it does not host Microsoft published, region specific penetration test reports or provider security assessment publications.

Service Trust Portal does provide access to many compliance reports and some audit artifacts and it can be used to request certain documents, but Microsoft organizes region specific penetration test results and security assessments through the Trust Center regional compliance pages as the primary public index for regional materials.

Microsoft Purview compliance portal is focused on managing tenant level compliance, data governance, and information protection for customers, and it is not the central public repository for Microsoft’s region specific penetration test results or provider security assessment documents.

Question 2

The correct option is Microsoft Viva.

Microsoft Viva is Microsoft’s employee experience platform and it is explicitly composed of modules called Connections, Insights, Learning, and Topics which provide integrated experiences for employee engagement, wellbeing, learning, and knowledge discovery across Microsoft 365 and Teams.

Microsoft Viva is delivered as a set of services that integrate with SharePoint and Teams so that organizations can surface portals, learning content, analytics, and topic pages within the tools people already use.

Microsoft SharePoint is primarily a content management and intranet platform and it can host pages and integrate with Viva Connections, but it is not the offering that bundles Connections, Insights, Learning, and Topics as a single employee experience suite.

Microsoft 365 is the broader subscription that contains Office apps and cloud services and it provides the platform on which Viva runs, but it is not the named product that specifically contains Connections, Insights, Learning, and Topics.

Question 3

The correct options are Require device PIN, Remote lock or disable device and Selective wipe of corporate data.

Require device PIN is a device compliance control you can enforce with Microsoft Intune or another mobile device management solution and it ensures that a user must authenticate locally before corporate resources can be accessed.

Remote lock or disable device allows administrators to lock or disable a lost or stolen device remotely so corporate accounts and data are not exposed while the device is out of custody.

Selective wipe of corporate data removes only corporate apps and data while leaving personal content intact and it is implemented through app protection policies or selective wipe and retire actions in device management.

Enabling Microsoft Defender for Office 365 is incorrect because that service protects email and collaboration tools from phishing and malware and it does not by itself enforce device PINs or perform remote locks or selective wipes on mobile devices.

Question 4

The correct answer is Platform as a Service.

Platform as a Service provides a managed runtime environment and application services so developers can build deploy and run web applications without managing the underlying servers operating system or runtime updates. The cloud provider handles scaling load balancing and many operational tasks which aligns with the phrase managed environment in the question.

Infrastructure as a Service is incorrect because it delivers virtual machines networking and storage that you must configure and maintain. That model leaves you responsible for operating system and runtime management so it does not match a fully managed application environment.

Managed Kubernetes is incorrect because it offers managed container orchestration rather than a full application platform. You still need to package applications into containers manage deployments and handle cluster configuration so it is closer to a container or infrastructure service than a classic platform service.

Question 5

No is correct because apps from the store are not placed into a general hub as a container that automatically runs inside team chats and channels.

Store apps must be installed or added with a specific scope and capability to operate in a chat or channel. An app must include supported components such as a tab, bot, or messaging extension and it must be installed to the team or chat where it is intended to run. Simply being available in the store does not mean the app is installed into a hub and running automatically inside chats and channels.

Yes is incorrect because it implies that a store app can be dropped into a hub to run across chats and channels by default. That is not how app installation and scope work and an app must be explicitly installed with the appropriate scopes and permissions to operate in those contexts.

Question 6

The correct answer is Retain the accounting department SharePoint site on-premises and migrate all other SharePoint sites and all Exchange mailboxes to Microsoft 365.

This option is correct because retaining the accounting department SharePoint site on-premises and migrating all other SharePoint sites and all Exchange mailboxes to Microsoft 365 preserves the third party encryption where it exists while allowing you to move mailboxes and other SharePoint sites into the cloud for centralized management and modern services.

Third party encryption is typically bound to keys and to on-premises infrastructure that are not transferable to SharePoint Online. Keeping the encrypted site on-premises avoids forced decryption and re encryption and helps maintain compliance and access controls while you migrate other workloads.

Migrate all content to Microsoft 365 and replace the third-party encryption with Microsoft Purview Customer Key is incorrect because you cannot simply replace third party encryption on existing files after migration. Microsoft Purview Customer Key does not give you the original third party keys so you would need to decrypt the data before migration or risk losing access.

Keep both the accounting SharePoint site and accounting mailboxes on-premises while migrating all other workloads to Microsoft 365 is incorrect because the accounting mailboxes can usually be migrated independently of the encrypted SharePoint site. Keeping the mailboxes on-premises adds operational overhead and prevents you from using cloud email features without delivering any benefit for the encrypted site.

Question 7

The correct answer is Access.

Access is a Windows desktop database application and the full client is provided only for Windows. The rich desktop features and the Access runtime depend on Windows components and there is no full equivalent desktop client for Mac, so Access requires a Windows installation to run locally.

Visio is not correct because Visio is available as a web app called Visio for the web and users can view and perform basic edits without a Windows desktop install.

Outlook is not correct because Outlook is available on Windows and Mac and it also exists as Outlook on the web and as mobile apps so it does not strictly require a Windows desktop installation.

Word is not correct because Word runs on Windows and Mac and it is available as Word for the web and as mobile apps so a Windows desktop install is not strictly required to use Word.

Question 8

The correct answer is Microsoft Stream.

Microsoft Stream provides enterprise video services focused on uploading, streaming, managing, and securing training and organizational videos. It includes features such as adaptive playback, captions, permissions, and integration with Microsoft 365 so it is the product designed to handle organizational training content.

Microsoft Teams is primarily a collaboration and communication platform for chat, meetings, and calls. It can store meeting recordings and run live events but it does not offer the centralized video library, streaming optimization, and dedicated video management features that Microsoft Stream provides.

SharePoint Online is a content management and intranet platform that can store video files and host pages. Microsoft uses SharePoint and OneDrive as the storage layer for the modern Stream experience, but SharePoint by itself does not provide the specialized playback, permissions model, and video management features that the Stream service adds.

Microsoft has retired the classic Stream experience and migrated capabilities into the modern Stream experience built on SharePoint and OneDrive. Exams may still refer to Microsoft Stream conceptually so you should be aware of both the historical Stream service and the current Stream on SharePoint architecture when studying.

Question 9

The correct option is Device compliance reporting and remediation.

The Device compliance reporting and remediation capability enables Endpoint Manager to continuously evaluate device posture against configured policies and report the compliance state. It can trigger remediation actions such as requiring OS updates, enforcing configuration changes, quarantining the device, or blocking access until the device meets the policy.

This continuous monitoring and automated remediation supports a Zero Trust approach because access decisions are based on the current device state rather than on network location. By enforcing compliance before granting access the service ensures that only devices that meet policy requirements can reach protected resources.

Azure Active Directory Conditional Access is a Microsoft Azure feature for conditional access and is not a component of Google Endpoint Manager. It is therefore not the correct answer for how Google Endpoint Manager implements Zero Trust device compliance.

Security analytics and telemetry can provide useful signals about device behavior and risks but it is a broader capability and not the specific enforcement mechanism that provides compliance checks and automated remediation. Analytics alone do not implement the enforcement and remediation described in the correct option.

Question 10

The correct answer is Azure Monitor Workbooks.

Azure Monitor Workbooks provides an interactive canvas in the Azure portal where you can combine queries, visualizations, and narrative into interactive reports and investigations. The feature can pull telemetry from the Log Analytics workspace that stores Sentinel data and from other sources, and it supports charts, grids, parameters, and linked queries which match the description in the question.

The Log Analytics workspace is where telemetry is collected and where you run Kusto queries to analyze data. It is the data store and query environment rather than the interactive reporting canvas, so it does not itself provide the assembled visual report experience described in the question.

The Azure Notebooks service was a hosted Jupyter notebooks offering and it has been retired. It was never the integrated interactive reporting canvas inside the Azure portal for Sentinel workbooks, and because it is deprecated it is less likely to appear as the correct choice on newer exams.

Question 11

The correct option is Sprint capacity.

The Sprint capacity widget shows each team member’s available hours and assigned work so you can plan and monitor capacity across the sprint. It lets you set individual capacity values and compare assigned tasks to available time which helps spot over allocation before or during the sprint.

Burndown chart tracks remaining work over the sprint and is useful to monitor overall progress toward completing the sprint scope. It does not provide per person capacity planning or assigned hours so it is not the right tool for managing individual team capacity.

Query tile displays the results of a work item query on a dashboard and can show counts or lists of items. It does not calculate or manage per person sprint capacity and therefore cannot be used to plan assigned capacity for team members.

Question 12

Endpoint Manager with Microsoft Intune is correct.

Endpoint Manager with Microsoft Intune provides device compliance policies and device health monitoring and it includes built in reporting and analytics for fleet trends. The service surfaces compliance status, noncompliant reasons, and device health metrics in the Microsoft Endpoint Manager admin center and in Intune reports. You can also export data through Microsoft Graph or to Power BI for deeper trend analysis and long term reporting.

Microsoft 365 Defender is focused on threat protection and endpoint detection and response. It provides security alerts and incident investigation but it does not provide fleet wide device compliance and routine device health trend reporting in the way that Intune does.

Microsoft Purview focuses on data governance and information protection and compliance of data and records. It is not the primary service for device compliance status or device health and fleet trend metrics.

Question 13

A logical container inside the tenant that holds users groups devices applications and other identity related objects is correct.

The term directory describes a logical scope inside a tenant that organizes identity resources so administrators can manage users groups devices and applications together.

As a logical container the directory defines the boundary for policies access control and collaboration settings and it is the unit that provisioning and authentication target rather than a separate storage artifact.

A separate database for guest and external users is incorrect because guest and external accounts are represented as objects within the same directory and they are not kept in a distinct database separate from regular user objects.

The physical data store that contains every file of the identity service for the tenant is incorrect because a directory is an abstract identity construct and not a literal file system and the underlying data storage is an implementation detail of the identity service.

Question 14

The correct answer is Assign non-IT staff to Standard release and give IT Targeted release.

This approach uses Microsoft 365 release options so IT receives feature updates early while other users stay on the later release. By placing IT users in Targeted release they get preview updates and can validate new features. By placing everyone else in Standard release those users do not get the features until IT approves them and the update reaches the broader audience.

Manage updates centrally with Microsoft Endpoint Configuration Manager is not the best choice for this question because the requirement is about controlling Microsoft 365 feature release timing by user group. Configuration Manager can deploy and manage updates but it does not provide the same built in targeted versus standard release gating that Microsoft 365 release options provide.

Place every user on the Monthly Enterprise Channel is incorrect because putting all users on the same channel gives them the same update timing. The Monthly Enterprise Channel still delivers feature updates to everyone on that channel so it would not let IT receive updates first while delaying them for non IT staff.

Question 15

The correct option is Yes for statement one and No for statement two.

Statement one is correct because Conditional Access App Control is a capability of Microsoft Defender for Cloud Apps that integrates with Microsoft Entra Conditional Access and can monitor and enforce session controls for supported Microsoft and many third party cloud apps. It can apply real time session policies to block actions or limit activities when a supported app is in use.

Statement two is incorrect because Microsoft Secure Score is a measurement and advisory tool that assesses your security posture and recommends improvements. Secure Score does not itself directly control access or user activities and you must implement security controls or conditional access policies to enforce changes.

The option No for statement one and Yes for statement two is incorrect because it denies the enforcement capability of Conditional Access App Control and it wrongly attributes direct enforcement to Microsoft Secure Score.

The option No for statement one and No for statement two is incorrect because it incorrectly states that Conditional Access App Control does not enforce policies while Secure Score also does not provide direct control.

Question 16

The correct answer is No.

The Cloud Solution Provider program is focused on selling cloud subscriptions and those subscriptions typically cover hosted services rather than on-premises installation. If an organization needs rights to run software on its own servers it should look to licensing channels that provide on-premises rights such as Volume Licensing or bring your own license programs and Software Assurance.

Volume Licensing is not correct for this question because the question asks whether subscription licenses bought through the Cloud Solution Provider program can be used to run software on the customer servers. Volume Licensing is a separate licensing channel that commonly provides on-premises license rights but it is not the CSP subscription channel referenced in the question.

Yes is incorrect because CSP subscriptions are intended for cloud service usage and do not generally grant the right to run the licensed software on the customer owned physical servers. The program and partner contracts control use rights and those are different from on-premises perpetual licensing.