Text preview & study summary
Microsoft SC-900 SC-200 SC-300 MS-900 MS-700 MD-102 PL-900 - Security M365 Teams Endpoint Power Platform
A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.
Want to test your knowledge? Launch the Interactive Exam Simulator
Question 1
An endpoint administrator uses Microsoft Intune to manage Windows 11 devices. A new security policy requires that BitLocker encryption is enabled on all company-owned devices. Which Intune feature configures this?
Explanation
Intune Device Configuration Profiles (Endpoint Security: Disk Encryption) configure BitLocker settings: enable BitLocker, require startup PIN, encryption method, recovery key backup to Azure AD. The profile is assigned to device groups and enforced on all enrolled Windows devices. Enrollment Restriction policies control which devices can enroll. Defender for Endpoint baselines configure security settings for the EDR. App Protection Policies (without enrollment) manage apps on personal devices without device management.
Question 2
An Intune administrator needs to configure Windows Autopilot for deploying new Windows 11 devices. The company wants devices to be automatically joined to Azure AD and enrolled in Intune when users first sign in. Which deployment profile mode achieves this?
Explanation
Windows Autopilot User-Driven mode (Azure AD Join): (1) IT pre-registers device hardware hash in Autopilot. (2) User receives the device and turns it on. (3) OOBE detects Autopilot profile, skips setup steps. (4) User signs in with Azure AD credentials. (5) Device automatically joins Azure AD, enrolls in Intune, and applies configuration policies and apps. Self-Deploying mode is for shared/kiosk devices (no user interaction/credentials needed). White Glove/Pre-Provisioned allows IT to pre-provision devices before giving to users (technician flow). ESP controls the deployment experience (shown to users during provisioning).
Question 3
An identity administrator needs to ensure that users with Azure AD Global Administrator role are assigned the role only temporarily and must provide justification. Which Azure AD feature provides this just-in-time privileged access?
Explanation
Azure AD PIM enables: (1) Eligible role assignments — users are eligible for privileged roles but not permanently active. (2) Just-in-time activation — users activate the role on-demand, provide justification, and optionally go through approval. (3) Time-limited access — roles expire after a configured duration (e.g., 8 hours). (4) Audit trail of all activations. Conditional Access enforces access policies at sign-in. Access Reviews periodically review and certify role memberships. Identity Protection detects and responds to risky sign-ins.
Question 4
An SC-300 administrator needs to implement a B2B collaboration scenario where external partners from partner.com can access specific SharePoint sites using their own corporate identities. Which Azure AD feature enables this?
Explanation
Azure AD B2B Collaboration allows external users (partners, vendors) to access your organization's resources using their own identity provider (Microsoft, Google, SAML/WS-Fed federated IdP). External users receive guest invitations and authenticate with their own credentials. Access is controlled via Azure AD conditional access, group membership, and entitlement management. B2C is for customer-facing applications (external users create accounts). Domain Services provides managed AD DS for legacy apps. Application Proxy publishes on-premises apps to external users.
Question 5
An organization enables Microsoft Defender for Identity (MDI). Which identity-based attack does MDI specifically detect on-premises?
Explanation
Microsoft Defender for Identity (MDI) monitors on-premises Active Directory Domain Controllers by analyzing AD authentication traffic (Kerberos, NTLM, LDAP). It detects: Pass-the-Hash (using NTLM hash without password), Pass-the-Ticket (using stolen Kerberos tickets), Golden Ticket attacks (forged TGTs using krbtgt hash), Silver Ticket, DCSync (dumping credentials from DC), lateral movement, reconnaissance (LDAP/SMB enumeration). Password spray and OAuth attacks target Azure AD (detected by Azure AD Identity Protection). BEC via phishing is detected by Defender for Office 365.
