Microsoft Entra Conditional Access (CA) evaluates signals from the user, device, location, and risk to make access decisions. The platform explicitly notes that CA decisions occur after primary sign-in: “Conditional Access policies are enforced after the first-factor authentication has been completed.” This means a user must successfully present their initial credentials (e.g., password, Windows Hello, FIDO2) before the CA engine evaluates policy logic. Therefore, the statement that CA is evaluated before a user is authenticated is not correct.

Regarding scoping, CA can target ordinary and privileged identities. The assignment options allow administrators to aim policies at users, groups, and directory roles: “You can include or exclude users and groups… [and] include or exclude specific Azure AD directory roles from a Conditional Access policy.” Because Global Administrator is a directory role, policies can be applied to those accounts (with Microsoft’s best-practice guidance to maintain at least one excluded break-glass account to prevent lockout).

For signals/conditions, CA supports device platform filtering. The documented device platform condition states: “This condition is based on the operating system platform of the device… iOS, Android, Windows, macOS (and others).” Administrators commonly use this to require different controls (like MFA or compliant device) based on Android or iOS.

Putting these together:

CA can apply to Global Administrators (Yes).

CA is evaluated after first-factor authentication (No to “before”).

Device platform (e.g., Android/iOS) is a valid CA signal (Yes).

Microsoft 365 Endpoint Data Loss Prevention (Endpoint DLP) extends DLP controls directly to supported desktops. Microsoft states: “Endpoint DLP extends the activity monitoring and protection capabilities of DLP to Windows 10 (and later) devices.” The platform coverage is explicitly broadened to Apple desktops: “Endpoint DLP for macOS enables the same set of DLP capabilities on macOS devices (supported versions) so you can monitor and protect sensitive items across Windows and Mac endpoints.” At the same time, Microsoft clarifies the mobile scope: “Endpoint DLP is supported on Windows and macOS devices.” This means Android is not a supported operating system for Endpoint DLP (mobile data protection on Android uses different controls such as app protection policies via Microsoft Intune and conditional access). Therefore, the correct pairing of operating systems for Endpoint DLP support is Windows 10 and newer, and macOS—not Android. This aligns with Microsoft’s Endpoint DLP platform support guidance and the intended desktop-focused endpoint protections for activities such as file copy, print, upload, and removable media interactions.

Microsoft defines defense in depth as a security strategy that uses multiple, reinforcing layers of protection to reduce the chance that a single failure leads to compromise. In Microsoft’s security guidance, defense in depth is described as employing “a series of mechanisms across multiple layers” to protect identities, endpoints, applications, data, and the network. The model spans layers such as identity, perimeter, network, compute, application, and data, with controls at each layer designed to detect, prevent, and contain attacks. Typical Azure/Microsoft 365 implementations include identity protections (MFA, Conditional Access), network controls (Azure Firewall, NSGs), perimeter filtering (WAF, DDoS Protection), endpoint safeguards (Defender for Endpoint), application security (code and runtime controls), and data protection (encryption, DLP, Purview Information Protection). By “placing multiple layers of defense throughout a network infrastructure,” an organization limits blast radius and increases resilience if one layer is bypassed. This contrasts with threat modeling (a design-time analysis technique), identity as the security perimeter (a principle of Zero Trust), and the shared responsibility model (a cloud governance concept). The scenario in the question precisely matches Microsoft’s defense in depth methodology.

Microsoft defines Microsoft Entra ID Governance as the capability to manage “the identity lifecycle, access lifecycle, and privileged access” so organizations can ensure “the right people have the right access to the right resources at the right time.” The product family explicitly lists the following core features: “Lifecycle workflows, Entitlement management, Access reviews, and Privileged Identity Management (PIM).” Microsoft further explains that PIM helps you “manage, control, and monitor access within your organization,” enabling just-in-time elevation, approval workflows, MFA/justification on activation, and detailed auditing for privileged roles. By contrast, the other options are separate Microsoft Entra offerings outside ID Governance: Verifiable credentials (Microsoft Entra Verified ID) issues and validates digital credentials; Permissions Management (Microsoft Entra Permissions Management) provides CIEM for multi-cloud permissions; and Identity Protection offers risk-based detection and policies for sign-ins and users. Therefore, among the choices, the feature that is included in Microsoft Entra ID Governance is Privileged Identity Management (PIM), which is specifically called out by Microsoft as a pillar of ID Governance and is used to govern privileged access with policy-based controls, time-bound assignments, approvals, and comprehensive auditability.

Microsoft’s privacy commitments are framed as principles that include Control, Transparency, Security, Strong legal protections, No content-based targeting, and Benefits to you. Under these commitments, Microsoft emphasizes compliance with regional and sectoral laws: it provides “strong legal protections” for data and commits to handling data “in accordance with applicable laws,” including respecting local privacy and data-protection requirements and supporting cross-border transfers only as permitted by law. The principles also state Microsoft does not use customer content for advertising, and it enables customers to manage their own privacy settings and choices. Therefore:

A is false (Microsoft does collect data but minimizes and protects it).

B is false (Microsoft states no content-based targeting for customer email/chat).

C is false (Microsoft provides settings; customers control them).

D aligns with Microsoft’s principle to respect and comply with applicable local privacy laws.

Microsoft Entra self-service password reset (SSPR) supports multiple verification methods that users can register and use to prove their identity during a reset. Microsoft’s documentation lists the SSPR methods as: “Mobile app notification,” “Mobile app code,” “Email,” “Mobile phone (text message or call),” “Office phone,” and “Security questions.” Administrators choose which of these are allowed and how many methods are required. During the reset flow, SSPR “prompts the user to verify with the registered methods” before permitting a password change. Notably, certificates and picture passwords are not SSPR verification methods in Microsoft Entra ID. Therefore, among the options provided: a text message to a phone (mobile phone), a mobile app notification (Microsoft Authenticator), and security questions are valid SSPR authentication methods; certificate and picture password are not supported for SSPR. This aligns with SCI learning content that positions SSPR as a user-empowering capability to securely restore access using admin-approved methods without help-desk intervention.

Azure AD Identity Protection (now part of Microsoft Entra ID) is the Microsoft service that “automates the detection and remediation of identity-based risks.” It continuously evaluates user risk and sign-in risk using signals such as leaked credentials, atypical travel, unfamiliar sign-in properties, and malware-linked IPs. Microsoft documentation clarifies that Identity Protection “uses adaptive machine learning and heuristics to detect risky behaviors and sign-ins” and enables administrators to configure risk-based policies (for example, require MFA or block access) to automatically respond. It also provides rich investigations through risk reports so security teams can triage and remediate compromised identities. This distinctly differs from other Entra capabilities: Privileged Identity Management (PIM) governs just-in-time privileged access and role activation, while MFA is an authentication method enforced by policies. Because the service that specifically detects risk and applies automated protection based on risk is Azure AD Identity Protection, it is the correct completion for the sentence about identity risk detection and remediation.QUESTION NO: 148 HOTSPOT

Select the answer that correctly completes the sentence.

Answer: < map > < m x1= " 491 " x2= " 699 " y1= " 63 " y2= " 79 " ss= " 0 " a= " 0 " / > < /map >

In Microsoft’s SCI guidance, Insider risk management is a Microsoft Purview capability surfaced and administered from the Microsoft Purview compliance portal. The official description states that Insider risk management “helps you minimize internal risks by enabling you to detect, investigate, and act on risky activities in your organization.” Microsoft further clarifies access and configuration by directing admins to “use the Microsoft Purview compliance portal to configure and manage insider risk policies, alerts, and investigations,” and that you can “go to the Microsoft Purview compliance portal and select Insider risk management” to start. These statements place the feature squarely in the compliance plane—not the Microsoft 365 admin center (tenant-wide service management), not the Microsoft 365 Defender portal (threat protection and incident response), and not Microsoft Defender for Cloud Apps (app discovery and cloud app protection). In the SCI learning path, Insider risk is consistently grouped with Microsoft Purview solutions (Information Protection, DLP, eDiscovery, and Audit), emphasizing compliance workflows, risk indicators, policy tuning, and case management. Therefore, the correct completion of the sentence “Insider risk management is configured from the” is the Microsoft Purview compliance portal, where administrators create policies, review alerts, investigate user activity timelines, and take appropriate remediation actions within a compliance-centric experience.

The recommended way to enable and use Azure AD Multi-Factor Authentication is with Conditional Access policies. Conditional Access lets you create and define policies that react to sign-in events and that request additional actions before a user is granted access to an application or service.

Security defaults make it easy to protect your organization with the following preconfigured security settings:

Requiring all users to register for Azure AD Multi-Factor Authentication.

Requiring administrators to do multi-factor authentication.

Blocking legacy authentication protocols.

Requiring users to do multi-factor authentication when necessary.

Protecting privileged activities like access to the Azure portal.