You need to be alerted when Microsoft 365 Defender detects high-severity incidents.
What should you use?
A. a threat policy
B. a custom detection rule
C. an alert policy
D. a notification rule
Correct Answer: C
Explanation:
Alert policy settings
An alert policy consists of a set of rules and conditions that define the user or admin activity that generates an alert, a list of users who trigger the alert if they perform the activity, and a threshold that defines how many times the activity has to occur before an alert is triggered. You also categorize the policy and assign it a severity level.
Note:
You can also define user tags as a condition of an alert policy. This results in the alerts triggered by the policy including the context of the impacted user. You can use system user tags or custom user tags.
* When the alert is triggered.
* Alert category.
* Alert severity. Similar to the alert category, you assign a severity attribute (Low, Medium, High, or Informational) to alert policies.
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Office 365.
You have the policies shown in the following table.
All the policies are configured to send malicious email messages to quarantine. Which policies support a customized quarantine retention period?
A. Policy1 and Policy3 only
B. Policy2 and Policy4 only
C. Policy1 and Policy2 only
D. Policy3 and Policy4 only
Correct Answer: C
Explanation:
Quarantined email messages in EOP and Defender for Office 365
How long quarantined messages are held in quarantine before they expire varies based on why the message was quarantined. The features that quarantine messages and their corresponding retention periods are described in the following table:
* Messages quarantined by anti-phishing policies. Customizable retention period: Yes
* Messages quarantined by anti-spam policies. Customizable retention period: Yes
* Messages quarantined by anti-malware policies (malware messages). Customizable retention period: No
* Messages quarantined by Safe Attachments policies in Defender for Office 365 (malware messages). Customizable retention period: No
You plan to manage incidents in the tenant by using Microsoft 365 Defender.
Which Microsoft service source will appear on the Incidents page of the Microsoft 365 Defender portal?
A. Azure Information Protection
B. Azure Arc
C. Microsoft Sentinel
D. Microsoft Defender for Identity
Correct Answer: D
Explanation:
Microsoft 365 Defender incidents include all their alerts, entities, and other relevant information, and they group together, and are enriched by, alerts from Microsoft 365 Defender's component services Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Office 365, and Microsoft Defender for Cloud Apps, as well as alerts from other services such as Microsoft Purview Data Loss Prevention (DLP).
Incorrect:
Not B: Azure Arc simplifies governance and management by delivering a consistent multi-cloud and on-premises management platform.
Not C: Microsoft Sentinel's Microsoft 365 Defender connector with incident integration allows you to stream all Microsoft 365 Defender incidents and alerts into Microsoft Sentinel, and keeps the incidents synchronized between both portals.
The connector also lets you stream advanced hunting events from all of the above components into Microsoft Sentinel, allowing you to copy those Defender components' advanced hunting queries into Microsoft Sentinel, enrich Sentinel alerts with the Defender components' raw event data to provide additional insights, and store the logs with increased retention in Log Analytics.
You need to create a policy that will trigger an alert when unusual Microsoft Office 365 usage patterns are detected.
What should you use to create the policy?
A. the Microsoft 365 admin center
B. the Microsoft 365 compliance center
C. the Microsoft Defender for Cloud Apps portal
D. the Microsoft Apps admin center
Correct Answer: B
Explanation:
Real-Time Alerting with Microsoft 365 Alert Policies
The Microsoft 365 suite comes with a large set of apps and services, most of them with a user-friendly interface. However, the suite is very vast and generates an extensive set of audit logs covering all actions performed in an organization. It has therefore become difficult and time-consuming for administrators to monitor the suspicious activities and unauthorized actions taking place. This is where Microsoft 365 Alert Policies come in.
Using the Alert Policies feature available in the Compliance Center and the Microsoft 365 Defender/Security admin center, you can address this problem. With the help of alert policies, you can monitor user activities and security incidents, such as phishing, unusual external user activities, suspicious mass file or folder deletions, and more.
You have a Microsoft 365 E5 tenant that contains two groups named Group1 and Group2.
You need to prevent the members of Group1 from communicating with the members of Group2 by using Microsoft Teams. The solution must comply with regulatory requirements and must not affect other users in the tenant.
What should you use?
A. administrative units in Azure Active Directory (Azure AD)
B. information barriers
C. moderated distribution groups
D. communication compliance policies
Correct Answer: B
Explanation:
Microsoft Purview Information Barriers (IBs) are policies that an admin can configure to prevent individuals or groups from communicating with each other.
You discover that some external users accessed content on a Microsoft SharePoint site. You modify the SharePoint sharing policy to prevent sharing outside your organization.
You need to be notified if the SharePoint sharing policy is modified in the future.
Solution: From Microsoft 365 Defender, you create a Threat policy.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
Explanation:
From the Security and Compliance admin center, Alerts, you create a new alert policy.