According to Microsoft’s Security, Compliance, and Identity (SCI) documentation and learning paths (specifically SC-900, SC-300, and Azure AD Identity Protection modules):

“Conditional Access policies in Azure AD are the primary method for enforcing access controls based on specific conditions such as user, group, location, device compliance, and application.”

In this case, the organization can configure a Conditional Access policy that targets a specific Azure AD group and requires MFA as a condition before access is granted. The typical policy setup includes:

Assignments: Target users or groups (e.g., “Finance Department Users”).

Cloud apps or actions: Specify which applications or services are protected (e.g., Microsoft 365).

Access controls: Set the control to “Require multi-factor authentication.”

Microsoft’s SCI training materials further state:

“Conditional Access enables administrators to enforce MFA for specific users, groups, or scenarios. It provides flexibility to protect access without enabling MFA globally for all users.”

Other options explained:

Azure Policy (A) applies to Azure resources, not user authentication.

Communication compliance policy (B) monitors message content for compliance violations.

User risk policy (D) is part of Azure AD Identity Protection, enforcing MFA based on detected user risk levels, not group membership.

Therefore, the verified and correct answer is: ✅ C. a Conditional Access policy.

In Microsoft Purview, Sensitivity labels are the feature designed to let users identify and classify content that should be protected. Microsoft’s guidance explains that sensitivity labels “enable you to classify and protect your organization ' s data while ensuring that user productivity and collaboration aren ' t hindered.” Users can manually choose a label in Office apps and services to indicate the data’s sensitivity; as Microsoft notes, labels “can be applied by users or automatically,” and the label “persists with the content in its metadata.” Once identified with a label, protection settings can be enforced, including “encryption, content marking (headers, footers, watermarks), and access restrictions based on the label.”

By comparison, Data Loss Prevention (DLP) focuses on “monitoring and blocking the unintentional sharing of sensitive information” based on policy—DLP enforces handling rules after data is identified, rather than providing the user-centric classification mechanism. Insider Risk addresses “risky user activities and insider data security scenarios,” and eDiscovery is used to “find, preserve, collect, and review content for investigations or litigation.” Therefore, the feature that explicitly allows users to identify content that should be protected—by selecting and applying a classification that then drives protection—is Sensitivity labels.

Microsoft Purview Data Loss Prevention (DLP) defines supported service locations for policy enforcement. The Microsoft Learn/SCI materials state that DLP policies “help protect sensitive information across Microsoft 365 services” and can be scoped to common workloads. In the DLP overview, Microsoft explicitly lists the core cloud locations: “You can create DLP policies that protect content in Exchange Online, SharePoint Online, and OneDrive for Business.” The Teams workload is also included: “DLP can monitor and take protective actions on Microsoft Teams chat and channel messages.” These statements confirm that applying a DLP policy to Exchange Online email (A), OneDrive accounts (B), and Teams chat and channel messages (D) is supported.

By contrast, Exchange Online public folders (C) are not listed among supported DLP locations in the SCI documentation, and Viva Engage (formerly Yammer) (E) is not a standard Microsoft Purview DLP location in the core list above (Viva Engage has separate governance and communication compliance controls). Therefore, from the supported locations enumerated in Microsoft’s DLP guidance, the correct answers are Exchange Online email, OneDrive accounts, and Teams chat and channel messages.

Microsoft Purview Data Loss Prevention (DLP) is designed to “detect and protect sensitive items” across Microsoft 365 locations, endpoints, and cloud apps. Microsoft explains that Purview DLP policies use sensitive information types, exact data match (EDM), and machine learning–based trainable classifiers to identify content, and then automatically apply protective actions such as blocking or restricting sharing, notifying users with policy tips, auditing, or auto- quarantining/justifying activities. This fulfills the description “use machine learning algorithms to detect and automatically protect sensitive items.” While eDiscovery focuses on legal hold and content discovery, and Communication compliance monitors communications for policy violations (ethics/regulatory scenarios), they are not positioned to broadly and automatically protect sensitive data across services. “Information risks” is not a distinct Purview solution category. Therefore, the Purview capability that leverages machine learning classifiers and automatically enforces protections on sensitive data is Data loss prevention (DLP).

Microsoft describes Identity Protection as a capability that “detects risky users and risky sign-ins using real-time and offline detections and allows you to configure automated responses.” Microsoft is explicit that detections aren’t limited to after authentication; rather, signals are evaluated during sign-in and also by offline analytics, where “some detections are offline and can take up to 48 hours to appear.” Therefore, saying it only “generates risk detections once a user is authenticated” is incorrect.

For risk scoring, Microsoft states that Identity Protection “assigns a risk level to each detection,” and that “risk levels are Low, Medium, or High,” which are then used by user-risk and sign-in-risk policies to drive remediation (for example, requiring password change or MFA).

Microsoft also defines the two core risk concepts: “User risk represents the probability that a given identity or account is compromised,” while “Sign-in risk represents the probability that a given authentication request isn’t authorized by the identity owner.” These definitions underpin Conditional Access and Identity Protection policies that can require additional verification or block access based on the assessed risk.

Taken together, the documentation confirms: detections are not restricted to post-authentication (No), detections carry Low/Medium/High levels (Yes), and user risk is the probability the identity is compromised (Yes).

Microsoft Purview Compliance Manager is a feature in the Microsoft Purview compliance portal that helps you manage your organization’s compliance requirements with greater ease and convenience. Compliance Manager can help you throughout your compliance journey, from taking inventory of your data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.

Watch the video below to learn how Compliance Manager can help simplify how your organization manages compliance:

Compliance Manager helps simplify compliance and reduce risk by providing:

Pre-built assessments for common industry and regional standards and regulations, or custom assessments to meet your unique compliance needs (available assessments depend on your licensing agreement; learn more).

Workflow capabilities to help you efficiently complete your risk assessments through a single tool.

Detailed step-by-step guidance on suggested improvement actions to help you comply with the standards and regulations that are most relevant for your organization. For actions that are managed by Microsoft, you’ll see implementation details and audit results.

A risk-based compliance score to help you understand your compliance posture by measuring your progress in completing improvement actions.

In Microsoft identity and access scenarios, federation is explicitly defined as a mechanism to create trust between autonomous organizations so that identities authenticated in one can be accepted by another. Microsoft describes this as: “Federation is a collection of domains that have established trust.” In a federation, “this trust relationship lets each organization accept the other’s user authentication” and enables access to resources without the need to duplicate user accounts or require separate credentials. Within Azure AD/Microsoft Entra and AD FS guidance, Microsoft further explains that federation enables “claims-based access across security boundaries” and “allows users to access applications in a partner organization using their existing credentials.” These statements underline that the purpose of federation is to establish a trust relationship across identity providers or directories, not to provide multi-factor authentication, synchronize accounts, or build network tunnels. MFA is an authentication strength that can be applied on top of federated sign-in, user account synchronization is handled by services like Microsoft Entra Connect (Azure AD Connect), and VPNs provide network connectivity, not identity trust. Therefore, the completion that aligns with Microsoft SCI documentation is that federation establishes a trust relationship between organizations.

Microsoft positions Compliance Manager as a capability available inside the Microsoft 365 Compliance Center (now Microsoft Purview compliance portal). In Microsoft’s SCI learning content, Compliance Manager is described as the centralized workspace in the compliance portal that “helps you manage your organization’s compliance requirements,” providing a compliance score, pre-built and custom assessments, and improvement actions you track and assign. The documentation explains that admins “use the Microsoft 365 Compliance Center to access Compliance Manager,” where they can review the score, map controls to regulations and standards, and manage evidence and testing of controls. It also clarifies that Compliance Manager is surfaced directly in the compliance portal navigation, enabling authorized roles (such as Compliance Administrator, Global Administrator, or Compliance Data Administrator) to open the Compliance Manager blade to create or view assessments, assign actions, and review detailed guidance. By contrast, the Microsoft 365 admin center focuses on tenant, billing, and user management; the Microsoft 365 Defender portal focuses on security operations and threat protection; and the Microsoft Support portal is for service requests. Therefore, the direct and intended entry point for Compliance Manager is the Microsoft 365 Compliance Center.

In Microsoft’s SCI guidance, encryption at rest is defined as protecting data when it is stored on a disk or other persistent media. Microsoft describes it as controls that “help safeguard your data to meet your organizational security and compliance commitments by encrypting data when it is persisted,” distinguishing it from protections for data in transit. Within Azure and Microsoft 365, examples include Azure Disk Encryption for IaaS VMs (using BitLocker for Windows and DM-Crypt for Linux), server-side encryption for storage accounts, and Transparent Data Encryption for databases. A virtual machine’s OS and data disks encrypted with BitLocker or DM-Crypt are canonical cases of at-rest encryption because the encryption keys protect the physical media; the data becomes unreadable if the disks are accessed outside the authorized context. By contrast, site-to-site VPN, HTTPS web sessions, and encrypted email protect data in transit—they secure network communications but do not encrypt the data where it is stored. Therefore, among the options provided, encrypting a virtual machine disk is the correct example of encryption at rest in Microsoft’s security model.