Describe security, compliance, privacy, and trust in Microsoft 365 for Microsoft 365 Fundamentals (MS-900)

This page covers the Describe security, compliance, privacy, and trust in Microsoft 365 domain of the Microsoft 365 Fundamentals (MS-900) certification. Master Cybersecurity offers 123 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  1. Question 1

    Your company has a Microsoft Office 365 subscription. As an administrator for this subscription, you are educating users on which component to use to register their personal home device with the company. Which of the following is the component that should be used?
    A. Microsoft Azure AD Identity Protection
    B. Enterprise Mobility + Security
    C. Microsoft Teams
    D. Microsoft Yammer
    Explanation

    The correct answer is: B. Enterprise Mobility + Security.

    Enterprise Mobility + Security (EMS) is the suite that lets users register personal home devices with the company so the organisation can apply policies and protect corporate data on them. EMS bundles Microsoft Intune for device and app management, Microsoft Entra ID P1/P2 for identity, Microsoft Defender for Cloud Apps, and Azure Information Protection; Intune in particular handles the device-registration workflow whether the device is corporate-owned or BYOD. Microsoft Entra ID Identity Protection focuses on risky-sign-in and risky-user detection and is not a registration component. Microsoft Teams is a collaboration product for chat, meetings, and channels, not a device-management tool. Microsoft Yammer (now Viva Engage) is an enterprise social network and is unrelated to device registration. EMS is therefore the correct component for onboarding personal devices into the management plane.

  2. Question 2

    Your company has a Microsoft Office 365 subscription. As an administrator for this subscription, you have been tasked with recommending a solution that will allow users to make use of unsuited applications on their Windows 10 devices. Which of the following should you recommend?
    A. Azure AD Connect.
    B. Configuration Manager.
    C. Windows AutoPilot.
    D. Windows Virtual Desktop.
    Explanation

    The correct answer is: D. Windows Virtual Desktop.

    Windows Virtual Desktop (now Azure Virtual Desktop) is the right recommendation because it streams a Windows session and applications from Azure to the user's Windows 10 device, allowing legacy or otherwise unsupported applications to run in a hosted, controlled environment rather than directly on the endpoint. Azure AD Connect synchronizes on-premises directories to Azure AD to provide unified identity; it does not deliver applications to devices. Configuration Manager (now part of Microsoft Endpoint Manager) deploys software packages and updates to Windows clients but cannot make incompatible applications run on Windows 10 itself; it only installs them. Windows AutoPilot provisions and configures new Windows devices during initial setup; it streamlines deployment but does not host or virtualize applications. Windows Virtual Desktop is the only option that hosts and delivers the applications, addressing the compatibility need described.

  3. Question 3

    Your company has a Microsoft Office 365 subscription. As an administrator for this subscription, you have been tasked with recommending a solution that forces cloud-based applications to use the same credentials as on-premises applications. Which of the following should you recommend?
    A. Azure AD Connect.
    B. Configuration Manager.
    C. Windows AutoPilot.
    D. Azure AD Application Proxy.
    Explanation

    The correct answer is: A. Azure AD Connect.

    Azure AD Connect is the correct recommendation because it synchronizes on-premises Active Directory identities and password hashes into Azure AD, so cloud applications and on-premises applications share the same user principal and credential, producing a single sign-on experience across both environments. Configuration Manager deploys software, patches, and OS configuration to Windows endpoints; it does not federate or synchronize identities. Windows AutoPilot provisions new Windows devices during initial setup but does not unify on-premises and cloud credentials. Azure AD Application Proxy publishes on-premises web apps to the internet through Azure AD pre-authentication; while it allows external access to internal apps using Azure AD identity, it does not by itself bring on-premises credentials into the cloud directory the way Azure AD Connect does. Azure AD Connect is the foundational hybrid-identity tool that satisfies the requirement.

  4. Question 4

    Your company has a Microsoft Office 365 subscription. As an administrator for this subscription, you have been tasked with recommending a solution that prohibits users from copying corporate information from managed applications installed on unmanaged devices. Which of the following should you recommend?
    A. Windows Virtual Desktop.
    B. Microsoft Intune.
    C. Windows AutoPilot.
    D. Azure AD Application Proxy.
    Explanation

    The correct answer is: B. Microsoft Intune.

    Microsoft Intune is the right recommendation because it provides mobile application management (MAM) policies that govern data inside managed apps even when the underlying device is not enrolled. App protection policies can disable copy, cut, paste, save-as, and screen capture for corporate data within Outlook, Word, Excel, and other Intune-aware apps, which directly satisfies the requirement to stop users from copying corporate information from managed apps on unmanaged hardware. Windows Virtual Desktop (now Azure Virtual Desktop) hosts full Windows sessions in Azure but does not by itself prevent clipboard data flow without additional policy work. Windows Autopilot provisions and configures new corporate devices and does nothing for unmanaged personal hardware. Azure AD Application Proxy publishes on-premises web applications through Entra ID for remote access but provides no data-protection or copy-prevention controls on the client side, so only Intune meets the scenario.

  5. Question 5

    Note: This question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements. You have recently made use of Windows Autopilot to deploy Windows 10 devices in your company's environment. You have been asked to make sure that data that is stored in OneDrive for Business is available to users from remote locations. Solution: You enable Microsoft Azure AD multi-factor authentication for the users. Does the solution meet the goal?
    A. Yes
    B. No
    Explanation

    The correct answer is: B. No.

    The stated goal is to make OneDrive for Business data available to users from remote locations, which is fundamentally a connectivity and synchronisation requirement. Enabling Microsoft Entra ID multi-factor authentication strengthens identity verification by requiring a second factor at sign-in, but it does not in any way change whether files can be reached remotely. OneDrive for Business is a cloud service that is already reachable from anywhere on the public internet for any licensed user, so the appropriate solution would involve installing and configuring the OneDrive sync client, granting the appropriate licences, or ensuring conditional access does not block off-network access. MFA without those other steps neither enables nor obstructs the goal in a meaningful way; it simply hardens the sign-in. Because the proposed solution targets authentication rather than data availability, it does not satisfy the requirement and the correct answer is No.
