MS-900 Sample Questions for Microsoft 365 Fundamentals
All Azure questions come from my MS-900 Udemy course and certificationexams.pro
Free Microsoft Azure Certification Exam Topics Tests
If you want to pass the MS-900 Microsoft 365 Fundamentals exam on the first attempt, you not only have to learn the exam material, but you also need to become an expert at thinking fast and answering Microsoft 365 Fundamentals exam questions quickly under the pressure of a countdown clock.
To do that, you need practice, and that’s what this set of MS-900 Microsoft 365 Fundamentals practice questions is all about.
These MS-900 Microsoft 365 Fundamentals sample questions will not only help you understand how exam questions are structured, but they’ll also help you understand the way the various MS-900 Microsoft 365 Fundamentals exam topics are broached during the test.
Free Microsoft Azure Exam Sample Questions
Now before we start, I want to emphasize that this MS-900 Microsoft 365 Fundamentals practice test is not an exam dump or braindump.
These practice exam questions have been sourced honestly, crafted by topic experts based on the stated exam objectives and with professional knowledge of how Azure exams are structured. This MS-900 Microsoft 365 Fundamentals exam simulator is not designed to help you cheat or give you actual copies of real exam questions. I want you to get certified ethically.
There are, indeed, plenty of MS-900 Microsoft 365 Fundamentals braindump sites out there, but there is no honor in cheating your way through the certification. You won’t last a minute in the world of IT if you think that’s an appropriate way to pad your resume. Learning honestly and avoiding MS-900 Microsoft 365 Fundamentals exam dumps is the better way to proceed.
Free Azure Certification Exam Simulators
Now, with that all said, here is the practice test.
Good luck, and remember, there are many more sample Microsoft exam questions waiting for you at certificationexams.pro. That’s where all of these exam questions and answers were originally sourced, and they have plenty of resources to help you earn your way to a perfect score on the exam.
MS 365 Fundamentals Sample Questions
Question 1
Where can region specific Microsoft penetration test results and security assessment documents be accessed?
❏ A. Microsoft 365 security center
❏ B. Regional Compliance page of the Microsoft Trust Center
❏ C. Service Trust Portal
❏ D. Microsoft Purview compliance portal
Question 2
Which product in the Microsoft 365 suite includes the components Connections, Insights, Learning, and Topics?
❏ A. Microsoft SharePoint
❏ B. Microsoft Viva
❏ C. Microsoft 365
Question 3
Which Microsoft 365 features can be used to protect corporate data on employees’ personal mobile devices? (Choose 3)
❏ A. Require device PIN
❏ B. Enabling Microsoft Defender for Office 365
❏ C. Remote lock or disable device
❏ D. Selective wipe of corporate data
Question 4
Which cloud service model offers a managed environment for developing, deploying, and running web applications?
❏ A. Infrastructure as a Service
❏ B. Platform as a Service
❏ C. Managed Kubernetes
Question 5
Can store apps be installed in the hub so they run inside team chats and channels?
❏ A. No
❏ B. Yes
Question 6
Which migration approach should you use to move to Microsoft 365 while preserving a SharePoint site that is protected by third party encryption?
❏ A. Migrate all content to Microsoft 365 and replace the third-party encryption with Microsoft Purview Customer Key
❏ B. Retain the accounting department SharePoint site on-premises and migrate all other SharePoint sites and all Exchange mailboxes to Microsoft 365
❏ C. Keep both the accounting SharePoint site and accounting mailboxes on-premises while migrating all other workloads to Microsoft 365
Question 7
Which Microsoft 365 application requires installation on a Windows desktop in order to run locally?
❏ A. Visio
❏ B. Outlook
❏ C. Access
❏ D. Word
Question 8
Which Microsoft 365 workload is designed to host, stream, and manage an organization’s training videos?
❏ A. Microsoft Teams
❏ B. Microsoft Stream
❏ C. SharePoint Online
Question 9
In what ways does Endpoint Manager support a Zero Trust approach for ensuring device compliance and enforcing access control?
❏ A. Azure Active Directory Conditional Access
❏ B. Device compliance reporting and remediation
❏ C. Security analytics and telemetry
Question 10
Which Microsoft Sentinel integrated tool provides an interactive canvas in the Azure portal for exploring telemetry data and building visual reports?
❏ A. Log Analytics workspace
❏ B. Azure Monitor Workbooks
❏ C. Azure Notebooks
Question 11
Which dashboard widget helps plan and monitor the assigned capacity of team members during a sprint?
❏ A. Burndown chart
❏ B. Sprint capacity
❏ C. Query tile
Question 12
Which Microsoft 365 service provides reports for device compliance, device health, and fleet trend metrics?
❏ A. Microsoft 365 Defender
❏ B. Endpoint Manager with Microsoft Intune
❏ C. Microsoft Purview
Question 13
Within a tenant, how is the term “Directory” used in the context of identity and access resources?
❏ A. A separate database for guest and external users
❏ B. A logical container inside the tenant that holds users, groups, devices, applications, and other identity related objects
❏ C. The physical data store that contains every file of the identity service for the tenant
Question 14
What is the best way to prevent all users except the IT team from receiving Microsoft 365 feature updates until those updates are approved by IT?
❏ A. Manage updates centrally with Microsoft Endpoint Configuration Manager
❏ B. Assign non-IT staff to Standard release and give IT Targeted release
❏ C. Place every user on the Monthly Enterprise Channel
Question 15
Does Conditional Access App Control enforce policies in both Microsoft and third party cloud applications and does Microsoft Secure Score provide direct control over access and user activities in cloud applications?
❏ A. No for statement one and Yes for statement two
❏ B. Yes for statement one and No for statement two
❏ C. No for statement one and No for statement two
Question 16
Can an organization purchase subscription licenses through the Cloud Solution Provider program to run software on its own servers?
❏ A. Volume Licensing
❏ B. No
❏ C. Yes
Question 17
Can third party applications be added to Microsoft Teams and can applications from the Microsoft Store be installed directly within Teams?
❏ A. True for both statements
❏ B. True for the first and False for the second
❏ C. False for both statements
Question 18
Can Microsoft 365 data loss prevention policies locate sensitive content in Teams and SharePoint and support exporting the discovered items for review?
❏ A. No, only eDiscovery can export discovered content
❏ B. Yes, DLP can locate and export items from Teams and SharePoint
❏ C. DLP can locate content but cannot export it
Question 19
Is each Windows 365 Cloud PC assigned to a single user and does it retain that user’s personal settings across sessions?
❏ A. No, it is false
❏ B. Yes, it is true
Question 20
Which Microsoft platform is specifically designed for customer relationship management applications?
❏ A. Power Apps
❏ B. SharePoint
❏ C. Dynamics 365
❏ D. Microsoft Azure
Question 21
Which Microsoft Sentinel feature displays an interactive graph that lets you explore entities and visualize their relationships during an incident?
❏ A. Workbooks
❏ B. Analytics
❏ C. Investigation
❏ D. Hunting
Question 22
Which capability is available only in Microsoft 365 Cloud PCs and not in Azure Virtual Desktop?
❏ A. Administrators can manage VMs with Microsoft Endpoint Manager
❏ B. Users can sign into dedicated personal virtual machines
❏ C. Users can rename their assigned Cloud PC
Question 23
Which release type provides preview quality updates so organizations can validate non security fixes before those fixes are included in the next monthly cumulative update?
❏ A. B releases
❏ B. C releases
❏ C. Out of band releases
Question 24
What is the primary role of Defender Vulnerability Management within an organization’s cybersecurity program?
❏ A. Protecting email platforms from phishing and malware
❏ B. Continuous asset discovery and prioritized vulnerability remediation
❏ C. Detecting and investigating compromised user accounts
Question 25
If Microsoft 365 Apps for Enterprise is deactivated on a device, what action can still be performed on that device?
❏ A. Create a new document from a template
❏ B. Print a document
❏ C. Edit documents
Question 26
Which Microsoft 365 service is specifically built to store and stream corporate training videos?
❏ A. SharePoint Online
❏ B. OneDrive for Business
❏ C. Microsoft Stream
Question 27
Which Microsoft 365 features let you apply confidentiality labels to files and prevent them from being shared externally? (Choose 2)
❏ A. Create retention labels
❏ B. Apply sensitivity labels to files
❏ C. Create a data-loss prevention policy
❏ D. Configure S/MIME for Outlook
Question 28
How does Microsoft Copilot for Microsoft 365 help users while they work within Microsoft 365 apps?
❏ A. It requires no administrative controls for data and privacy
❏ B. It fully automates tasks without user approval
❏ C. It integrates into Microsoft 365 apps to generate drafts, summarize content, and surface relevant information to boost productivity
❏ D. It only provides spelling and grammar suggestions
Question 29
Do Platform as a Service offerings include end-user applications such as office suites, endpoint management tools, and CRM applications?
❏ A. No
❏ B. Yes
Question 30
Which solution allows users to sign in to cloud applications using their on premises Active Directory credentials?
❏ A. Active Directory Federation Services
❏ B. Azure AD Connect
❏ C. Azure AD Application Proxy
MS 365 Fundamentals Sample Questions Answered
Question 1
Where can region specific Microsoft penetration test results and security assessment documents be accessed?
✓ B. Regional Compliance page of the Microsoft Trust Center
The correct option is Regional Compliance page of the Microsoft Trust Center.
The Regional Compliance page of the Microsoft Trust Center is where Microsoft publishes region specific compliance artifacts and guidance, and it links to provider level security assessment documents and penetration test summaries that vary by country or region. This page serves as the official hub for customers to find region specific evidence and directions for requesting additional materials.
Microsoft 365 security center is a tenant level console for managing and monitoring security settings and incidents for your organization, and it does not host Microsoft published, region specific penetration test reports or provider security assessment publications.
Service Trust Portal does provide access to many compliance reports and some audit artifacts and it can be used to request certain documents, but Microsoft organizes region specific penetration test results and security assessments through the Trust Center regional compliance pages as the primary public index for regional materials.
Microsoft Purview compliance portal is focused on managing tenant level compliance, data governance, and information protection for customers, and it is not the central public repository for Microsoft’s region specific penetration test results or provider security assessment documents.
When a question asks where to find region specific provider documents, check the Microsoft Trust Center and its Regional Compliance pages rather than tenant management portals.
Question 2
Which product in the Microsoft 365 suite includes the components Connections, Insights, Learning, and Topics?
✓ B. Microsoft Viva
The correct option is Microsoft Viva.
Microsoft Viva is Microsoft’s employee experience platform and it is explicitly composed of modules called Connections, Insights, Learning, and Topics which provide integrated experiences for employee engagement, wellbeing, learning, and knowledge discovery across Microsoft 365 and Teams.
Microsoft Viva is delivered as a set of services that integrate with SharePoint and Teams so that organizations can surface portals, learning content, analytics, and topic pages within the tools people already use.
Microsoft SharePoint is primarily a content management and intranet platform and it can host pages and integrate with Viva Connections, but it is not the offering that bundles Connections, Insights, Learning, and Topics as a single employee experience suite.
Microsoft 365 is the broader subscription that contains Office apps and cloud services and it provides the platform on which Viva runs, but it is not the named product that specifically contains Connections, Insights, Learning, and Topics.
When a question lists specific module names, match those names to the product that is described as an employee experience platform. Remember that Microsoft Viva is the bundle that contains Connections, Insights, Learning, and Topics.
Question 3
Which Microsoft 365 features can be used to protect corporate data on employees’ personal mobile devices? (Choose 3)
✓ A. Require device PIN
✓ C. Remote lock or disable device
✓ D. Selective wipe of corporate data
The correct options are Require device PIN, Remote lock or disable device and Selective wipe of corporate data.
Require device PIN is a device compliance control you can enforce with Microsoft Intune or another mobile device management solution and it ensures that a user must authenticate locally before corporate resources can be accessed.
Remote lock or disable device allows administrators to lock or disable a lost or stolen device remotely so corporate accounts and data are not exposed while the device is out of custody.
Selective wipe of corporate data removes only corporate apps and data while leaving personal content intact and it is implemented through app protection policies or selective wipe and retire actions in device management.
Enabling Microsoft Defender for Office 365 is incorrect because that service protects email and collaboration tools from phishing and malware and it does not by itself enforce device PINs or perform remote locks or selective wipes on mobile devices.
When a question asks about protecting corporate data on personal mobile devices, think of device management and app protection features such as PIN enforcement, remote lock, and selective wipe rather than services that focus on email threat protection.
Question 4
Which cloud service model offers a managed environment for developing, deploying, and running web applications?
✓ B. Platform as a Service
The correct answer is Platform as a Service.
Platform as a Service provides a managed runtime environment and application services so developers can build, deploy, and run web applications without managing the underlying servers, operating system, or runtime updates. The cloud provider handles scaling, load balancing, and many operational tasks, which aligns with the phrase managed environment in the question.
Infrastructure as a Service is incorrect because it delivers virtual machines, networking, and storage that you must configure and maintain. That model leaves you responsible for operating system and runtime management, so it does not match a fully managed application environment.
Managed Kubernetes is incorrect because it offers managed container orchestration rather than a full application platform. You still need to package applications into containers, manage deployments, and handle cluster configuration, so it is closer to a container or infrastructure service than a classic platform service.
Focus on keywords like managed environment and build, deploy, and run in the question text and map them to PaaS offerings for a quick identification.
Question 5
Can store apps be installed in the hub so they run inside team chats and channels?
✓ A. No
No is correct because apps from the store are not placed into a general hub as a container that automatically runs inside team chats and channels.
Store apps must be installed or added with a specific scope and capability to operate in a chat or channel. An app must include supported components such as a tab, bot, or messaging extension and it must be installed to the team or chat where it is intended to run. Simply being available in the store does not mean the app is installed into a hub and running automatically inside chats and channels.
Yes is incorrect because it implies that a store app can be dropped into a hub to run across chats and channels by default. That is not how app installation and scope work and an app must be explicitly installed with the appropriate scopes and permissions to operate in those contexts.
When answering questions about where apps run, focus on the app scope and the required capabilities. Look for words that indicate scope such as personal, team, or chat and match those to the app components mentioned in the question.
Question 6
Which migration approach should you use to move to Microsoft 365 while preserving a SharePoint site that is protected by third party encryption?
✓ B. Retain the accounting department SharePoint site on-premises and migrate all other SharePoint sites and all Exchange mailboxes to Microsoft 365
The correct answer is Retain the accounting department SharePoint site on-premises and migrate all other SharePoint sites and all Exchange mailboxes to Microsoft 365.
This option is correct because retaining the accounting department SharePoint site on-premises and migrating all other SharePoint sites and all Exchange mailboxes to Microsoft 365 preserves the third party encryption where it exists while allowing you to move mailboxes and other SharePoint sites into the cloud for centralized management and modern services.
Third party encryption is typically bound to keys and to on-premises infrastructure that are not transferable to SharePoint Online. Keeping the encrypted site on-premises avoids forced decryption and re encryption and helps maintain compliance and access controls while you migrate other workloads.
Migrate all content to Microsoft 365 and replace the third-party encryption with Microsoft Purview Customer Key is incorrect because you cannot simply replace third party encryption on existing files after migration. Microsoft Purview Customer Key does not give you the original third party keys so you would need to decrypt the data before migration or risk losing access.
Keep both the accounting SharePoint site and accounting mailboxes on-premises while migrating all other workloads to Microsoft 365 is incorrect because the accounting mailboxes can usually be migrated independently of the encrypted SharePoint site. Keeping the mailboxes on-premises adds operational overhead and prevents you from using cloud email features without delivering any benefit for the encrypted site.
When a question mentions third party encryption, look for an answer that isolates the encrypted data on-premises while migrating other workloads to the cloud to reduce risk and complexity.
Question 7
Which Microsoft 365 application requires installation on a Windows desktop in order to run locally?
✓ C. Access
The correct answer is Access.
Access is a Windows desktop database application and the full client is provided only for Windows. The rich desktop features and the Access runtime depend on Windows components and there is no full equivalent desktop client for Mac, so Access requires a Windows installation to run locally.
Visio is not correct because Visio is available as a web app called Visio for the web and users can view and perform basic edits without a Windows desktop install.
Outlook is not correct because Outlook is available on Windows and Mac and it also exists as Outlook on the web and as mobile apps so it does not strictly require a Windows desktop installation.
Word is not correct because Word runs on Windows and Mac and it is available as Word for the web and as mobile apps so a Windows desktop install is not strictly required to use Word.
When you see questions about which app “requires” a Windows install, check whether the product has a web or Mac client. Remember that Access is the classic Windows only desktop database application.
Question 8
Which Microsoft 365 workload is designed to host, stream, and manage an organization’s training videos?
✓ B. Microsoft Stream
The correct answer is Microsoft Stream.
Microsoft Stream provides enterprise video services focused on uploading, streaming, managing, and securing training and organizational videos. It includes features such as adaptive playback, captions, permissions, and integration with Microsoft 365 so it is the product designed to handle organizational training content.
Microsoft Teams is primarily a collaboration and communication platform for chat, meetings, and calls. It can store meeting recordings and run live events but it does not offer the centralized video library, streaming optimization, and dedicated video management features that Microsoft Stream provides.
SharePoint Online is a content management and intranet platform that can store video files and host pages. Microsoft uses SharePoint and OneDrive as the storage layer for the modern Stream experience, but SharePoint by itself does not provide the specialized playback, permissions model, and video management features that the Stream service adds.
Microsoft has retired the classic Stream experience and migrated capabilities into the modern Stream experience built on SharePoint and OneDrive. Exams may still refer to Microsoft Stream conceptually so you should be aware of both the historical Stream service and the current Stream on SharePoint architecture when studying.
Focus on the core purpose of each Microsoft 365 workload and match keywords such as streaming and video management to the product that specializes in media services. For training video questions the answer is usually Microsoft Stream.
Question 9
In what ways does Endpoint Manager support a Zero Trust approach for ensuring device compliance and enforcing access control?
✓ B. Device compliance reporting and remediation
The correct option is Device compliance reporting and remediation.
The Device compliance reporting and remediation capability enables Endpoint Manager to continuously evaluate device posture against configured policies and report the compliance state. It can trigger remediation actions such as requiring OS updates, enforcing configuration changes, quarantining the device, or blocking access until the device meets the policy.
This continuous monitoring and automated remediation supports a Zero Trust approach because access decisions are based on the current device state rather than on network location. By enforcing compliance before granting access the service ensures that only devices that meet policy requirements can reach protected resources.
Azure Active Directory Conditional Access is a Microsoft Azure feature for conditional access and is not a component of Google Endpoint Manager. It is therefore not the correct answer for how Google Endpoint Manager implements Zero Trust device compliance.
Security analytics and telemetry can provide useful signals about device behavior and risks but it is a broader capability and not the specific enforcement mechanism that provides compliance checks and automated remediation. Analytics alone do not implement the enforcement and remediation described in the correct option.
When you see questions about device compliance, think about features that actively enforce posture, such as continuous compliance checks and automated remediation, and avoid choosing vendor specific services that do not belong to the platform in the question.
Question 10
Which Microsoft Sentinel integrated tool provides an interactive canvas in the Azure portal for exploring telemetry data and building visual reports?
✓ B. Azure Monitor Workbooks
The correct answer is Azure Monitor Workbooks.
Azure Monitor Workbooks provides an interactive canvas in the Azure portal where you can combine queries, visualizations, and narrative into interactive reports and investigations. The feature can pull telemetry from the Log Analytics workspace that stores Sentinel data and from other sources, and it supports charts, grids, parameters, and linked queries which match the description in the question.
The Log Analytics workspace is where telemetry is collected and where you run Kusto queries to analyze data. It is the data store and query environment rather than the interactive reporting canvas, so it does not itself provide the assembled visual report experience described in the question.
The Azure Notebooks service was a hosted Jupyter notebooks offering and it has been retired. It was never the integrated interactive reporting canvas inside the Azure portal for Sentinel workbooks, and because it is deprecated it is less likely to appear as the correct choice on newer exams.
Focus on the primary function of each service when you read the options. Decide whether the option stores data, analyzes data with queries, or builds interactive visualizations to choose the right answer.
Question 11
Which dashboard widget helps plan and monitor the assigned capacity of team members during a sprint?
✓ B. Sprint capacity
The correct option is Sprint capacity.
The Sprint capacity widget shows each team member’s available hours and assigned work so you can plan and monitor capacity across the sprint. It lets you set individual capacity values and compare assigned tasks to available time which helps spot over allocation before or during the sprint.
Burndown chart tracks remaining work over the sprint and is useful to monitor overall progress toward completing the sprint scope. It does not provide per person capacity planning or assigned hours so it is not the right tool for managing individual team capacity.
Query tile displays the results of a work item query on a dashboard and can show counts or lists of items. It does not calculate or manage per person sprint capacity and therefore cannot be used to plan assigned capacity for team members.
When a question asks about planning or assigning individual hours, look for features that manage capacity per person and not widgets that only track progress or list work items.
Question 12
Which Microsoft 365 service provides reports for device compliance, device health, and fleet trend metrics?
✓ B. Endpoint Manager with Microsoft Intune
Endpoint Manager with Microsoft Intune is correct.
Endpoint Manager with Microsoft Intune provides device compliance policies and device health monitoring and it includes built in reporting and analytics for fleet trends. The service surfaces compliance status, noncompliant reasons, and device health metrics in the Microsoft Endpoint Manager admin center and in Intune reports. You can also export data through Microsoft Graph or to Power BI for deeper trend analysis and long term reporting.
Microsoft 365 Defender is focused on threat protection and endpoint detection and response. It provides security alerts and incident investigation but it does not provide fleet wide device compliance and routine device health trend reporting in the way that Intune does.
Microsoft Purview focuses on data governance and information protection and compliance of data and records. It is not the primary service for device compliance status or device health and fleet trend metrics.
When a question mentions device compliance or fleet trends, associate it with Intune in Microsoft Endpoint Manager rather than data governance or threat protection services.
Question 13
Within a tenant, how is the term “Directory” used in the context of identity and access resources?
✓ B. A logical container inside the tenant that holds users, groups, devices, applications, and other identity related objects
A logical container inside the tenant that holds users, groups, devices, applications, and other identity related objects is correct.
The term directory describes a logical scope inside a tenant that organizes identity resources so administrators can manage users, groups, devices, and applications together.
As a logical container, the directory defines the boundary for policies, access control, and collaboration settings, and it is the unit that provisioning and authentication target rather than a separate storage artifact.
A separate database for guest and external users is incorrect because guest and external accounts are represented as objects within the same directory and they are not kept in a distinct database separate from regular user objects.
The physical data store that contains every file of the identity service for the tenant is incorrect because a directory is an abstract identity construct and not a literal file system and the underlying data storage is an implementation detail of the identity service.
When you see questions about whether something is a directory think about whether the phrase describes a logical grouping and management boundary or a physical storage
Question 14
What is the best way to prevent all users except the IT team from receiving Microsoft 365 feature updates until those updates are approved by IT?
✓ B. Assign non-IT staff to Standard release and give IT Targeted release
The correct answer is Assign non-IT staff to Standard release and give IT Targeted release.
This approach uses Microsoft 365 release options so IT receives feature updates early while other users stay on the later release. By placing IT users in Targeted release they get preview updates and can validate new features. By placing everyone else in Standard release those users do not get the features until IT approves them and the update reaches the broader audience.
Manage updates centrally with Microsoft Endpoint Configuration Manager is not the best choice for this question because the requirement is about controlling Microsoft 365 feature release timing by user group. Configuration Manager can deploy and manage updates but it does not provide the same built in targeted versus standard release gating that Microsoft 365 release options provide.
Place every user on the Monthly Enterprise Channel is incorrect because putting all users on the same channel gives them the same update timing. The Monthly Enterprise Channel still delivers feature updates to everyone on that channel so it would not let IT receive updates first while delaying them for non IT staff.
When a question asks about previewing or delaying Microsoft 365 features, think about the release options and channels in the Microsoft 365 admin center. Remember that Targeted release is for early testing and Standard release is for the general audience.
Question 15
Does Conditional Access App Control enforce policies in both Microsoft and third party cloud applications and does Microsoft Secure Score provide direct control over access and user activities in cloud applications?
✓ B. Yes for statement one and No for statement two
The correct option is Yes for statement one and No for statement two.
Statement one is correct because Conditional Access App Control is a capability of Microsoft Defender for Cloud Apps that integrates with Microsoft Entra Conditional Access and can monitor and enforce session controls for supported Microsoft and many third party cloud apps. It can apply real time session policies to block actions or limit activities when a supported app is in use.
Statement two is incorrect because Microsoft Secure Score is a measurement and advisory tool that assesses your security posture and recommends improvements. Secure Score does not itself directly control access or user activities and you must implement security controls or conditional access policies to enforce changes.
The option No for statement one and Yes for statement two is incorrect because it denies the enforcement capability of Conditional Access App Control and it wrongly attributes direct enforcement to Microsoft Secure Score.
The option No for statement one and No for statement two is incorrect because it wrongly states that Conditional Access App Control does not enforce policies, even though it is right that Secure Score does not provide direct control.
When answering, compare whether a feature enforces actions or only recommends them. Enforcement means the product can block or control sessions, while recommendation means it provides guidance and scores without direct control.
Question 16
Can an organization purchase subscription licenses through the Cloud Solution Provider program to run software on its own servers?
-
✓ B. No
The correct answer is No.
The Cloud Solution Provider program is focused on selling cloud subscriptions and those subscriptions typically cover hosted services rather than on-premises installation. If an organization needs rights to run software on its own servers it should look to licensing channels that provide on-premises rights such as Volume Licensing or bring your own license programs and Software Assurance.
Volume Licensing is not correct for this question because the question asks whether subscription licenses bought through the Cloud Solution Provider program can be used to run software on the customer servers. Volume Licensing is a separate licensing channel that commonly provides on-premises license rights but it is not the CSP subscription channel referenced in the question.
Yes is incorrect because CSP subscriptions are intended for cloud service usage and do not generally grant the right to run the licensed software on the customer owned physical servers. The program and partner contracts control use rights and those are different from on-premises perpetual licensing.
When a question names a reseller channel remember that CSP usually refers to cloud subscription rights. Match the licensing channel in the question to whether it grants on-premises or cloud use rights.
Question 17
Can third party applications be added to Microsoft Teams and can applications from the Microsoft Store be installed directly within Teams?
-
✓ B. True for the first and False for the second
True for the first and False for the second is correct. The first statement is true because third party applications can be added to Microsoft Teams and the second statement is false because Microsoft Store applications are not installed directly inside Teams.
Microsoft Teams supports third party applications through the Teams app store or by uploading custom apps. Developers can provide bots, tabs, messaging extensions and connectors that users or administrators can add to Teams and organizations can control which apps are allowed.
Microsoft Store applications are distributed for Windows and install to the operating system rather than inside the Teams client. Some vendors publish separate Teams apps via the Teams app store or AppSource but that is different from installing a Microsoft Store app directly inside Teams.
True for both statements is incorrect because the second part is false and Microsoft Store apps are not installed directly in Teams.
False for both statements is incorrect because third party applications can in fact be added to Teams through its app store or by uploading custom apps.
When answering, remember that Teams apps are listed in the Teams app store or AppSource, while Microsoft Store apps install to Windows and are not the same.
Question 18
Can Microsoft 365 data loss prevention policies locate sensitive content in Teams and SharePoint and support exporting the discovered items for review?
-
✓ B. Yes DLP can locate and export items from Teams and SharePoint
The correct answer is Yes DLP can locate and export items from Teams and SharePoint.
This is correct because Yes DLP can locate and export items from Teams and SharePoint refers to Microsoft 365 Data Loss Prevention capabilities that can discover sensitive content in Teams chats and files stored in SharePoint and OneDrive and that provide exportable findings for review. The DLP Content Explorer and DLP reporting let administrators view matches and export the results for further analysis or reviewer workflows.
No only eDiscovery can export discovered content is incorrect because eDiscovery is not the only mechanism to export items that match policy findings. eDiscovery is designed for legal case workflows and complete content exports, but DLP also includes tools to export matched items or reports for review.
DLP can locate content but cannot export it is incorrect because DLP does include export capabilities. Administrators can use the DLP Content Explorer and reporting features to export lists or summaries of matched items, which supports review processes even though eDiscovery remains the recommended option for full legal exports.
When you see questions about locating and exporting sensitive items focus on whether the feature provides search and export for policy matches and not only legal case exports. Remember that DLP Content Explorer supports exports for review while eDiscovery supports full legal exports.
Question 19
Is each Windows 365 Cloud PC assigned to a single user and does it retain that user’s personal settings across sessions?
-
✓ B. Yes it is true
Yes it is true is the correct answer because each Windows 365 Cloud PC is assigned to a single user and it retains that user’s personal settings between sessions.
A Cloud PC is provisioned for an individual user and that virtual machine is persistent so installed applications, user profile settings, and desktop customizations remain across sign-ins. Microsoft uses profile technologies such as FSLogix together with OneDrive and Microsoft Endpoint Manager to ensure a user’s data and settings are available on the same Cloud PC on subsequent sessions.
This is different from pooled or multiuser virtual desktop models where compute is shared and user profiles are handled differently. Azure Virtual Desktop, for example, can be configured as pooled session hosts where desktops are not dedicated to a single user in the same way.
No it is false is incorrect because it asserts the opposite of how Windows 365 Cloud PCs operate. Cloud PCs are designed to be user-assigned and persistent so the statement that they are not is not accurate.
When a question asks about persistence think about whether the service provides a dedicated per-user VM or shared session hosts. Windows 365 gives each user a dedicated and persistent Cloud PC which preserves settings between sessions.
Question 20
Which Microsoft platform is specifically designed for customer relationship management applications?
-
✓ C. Dynamics 365
The correct option is Dynamics 365. Dynamics 365 is the Microsoft platform designed specifically for customer relationship management applications.
Dynamics 365 provides integrated applications for sales, customer service, marketing, and field service that are built to manage customer interactions and relationships. The platform includes built in analytics, workflows, and connectors to Microsoft 365 and the Power Platform to support end to end CRM scenarios.
Power Apps is a low code application development service for building custom business apps and user interfaces. It is not a full CRM suite by itself, so it is not the platform designed specifically for customer relationship management.
SharePoint is focused on content management, document collaboration, and intranet sites rather than on managing customer relationships. It is not a dedicated CRM product, so it is not the correct choice.
Microsoft Azure is the cloud infrastructure and platform for hosting and running applications and services, including CRM systems. It provides the underlying compute, storage, and platform services but it is not a packaged CRM application, so it is not the correct answer.
When a question asks about CRM look for terms like sales or customer service and choose platforms such as Dynamics 365 that provide built in CRM applications.
Question 21
Which Microsoft Sentinel feature displays an interactive graph that lets you explore entities and visualize their relationships during an incident?
-
✓ C. Investigation
The correct answer is Investigation.
Investigation in Microsoft Sentinel provides an interactive investigation graph that lets analysts explore entities such as hosts, users, and IP addresses, and it visually maps relationships between them during an incident. The graph lets you pivot from alerts to related entities and events, and it helps you triage and contain incidents by revealing connected artifacts and timelines.
Workbooks are customizable dashboards and reporting tools that are designed for visualizing logs and metrics and they do not provide the interactive incident entity graph used for investigations.
Analytics refers to the detection and rule engine that generates alerts from ingested data and it is focused on identifying potential threats rather than providing an interactive relationship graph for incident exploration.
Hunting provides proactive search capabilities with queries and notebooks to find malicious activity and it supports investigation workflows but it does not itself present the built in interactive entity relationship graph used inside incidents.
When the question mentions an interactive graph or exploring entity relationships during an incident think of the Investigation graph feature and not dashboards or detection rules.
Question 22
Which capability is available only in Microsoft 365 Cloud PCs and not in Azure Virtual Desktop?
-
✓ C. Users can rename their assigned Cloud PC
Users can rename their assigned Cloud PC is correct.
Windows 365 Cloud PC provides a user facing rename capability so end users can change the name shown for their assigned Cloud PC without needing administrator intervention. This is a built in, user oriented feature of the Cloud PC service and it is presented in the Windows 365 experience rather than being an admin only operation.
Administrators can manage VMs with Microsoft Endpoint Manager is not unique because administrators can also manage Azure Virtual Desktop session hosts with Microsoft Endpoint Manager when those VMs are Azure AD joined and enrolled in Intune. Management via Endpoint Manager is available for both services and so it does not distinguish Cloud PCs from AVD.
Users can sign into dedicated personal virtual machines is not unique because both Windows 365 and Azure Virtual Desktop support dedicated personal desktops. Windows 365 offers per user Cloud PCs and Azure Virtual Desktop supports personal host pools that assign dedicated VMs to individual users.
When deciding which feature is unique think about whether it is a user facing capability or an admin controlled infrastructure feature. User facing personalization options are more likely to be unique to Windows 365 Cloud PC.
Question 23
Which release type provides preview quality updates so organizations can validate non security fixes before those fixes are included in the next monthly cumulative update?
-
✓ B. C releases
The correct answer is C releases.
C releases are preview quality updates that Microsoft provides so organizations can validate non security fixes before those fixes are included in the next monthly cumulative update. These previews let administrators test compatibility and confirm that fixes behave as expected without waiting for the full monthly rollup.
B releases are not the preview quality updates described in the question and they do not serve as the staged previews for non security fixes, so they are not the correct choice.
Out of band releases are updates issued outside the normal release cadence to address urgent or critical issues. They are used for immediate fixes rather than for previewing routine non security changes, so they are not correct.
When the question mentions preview or validate think of release types labeled as previews and choose the option that explicitly refers to preview quality updates.
Question 24
What is the primary role of Defender Vulnerability Management within an organization’s cybersecurity program?
-
✓ B. Continuous asset discovery and prioritized vulnerability remediation
Continuous asset discovery and prioritized vulnerability remediation is the correct answer because Defender Vulnerability Management focuses on finding assets and prioritizing fixes to reduce risk.
The Continuous asset discovery and prioritized vulnerability remediation capability continuously inventories endpoints and other assets, identifies vulnerabilities and misconfigurations, and applies risk based scoring to highlight the most important remediation actions. This helps security teams allocate effort to the highest impact issues and track remediation progress over time.
Protecting email platforms from phishing and malware is incorrect because email protection and anti phish capabilities are provided by email security solutions such as Defender for Office 365 rather than the vulnerability management feature.
Detecting and investigating compromised user accounts is incorrect because account compromise detection and investigation belong to identity protection and detection tools and to endpoint detection and response, not to the vulnerability discovery and prioritization functions.
Focus on key terms in the options. If you see vulnerability or asset discovery pick the vulnerability management capability. If you see email or phishing think about email protection products instead.
Question 25
If Microsoft 365 Apps for Enterprise is deactivated on a device, what action can still be performed on that device?
-
✓ B. Print a document
The correct option is Print a document.
When you deactivate Microsoft 365 Apps for Enterprise on a device the apps enter a reduced functionality state and users can still open files and Print a document even though the subscription or license is no longer active. Printing and viewing remain available to allow access to content after deactivation.
Create a new document from a template is incorrect because creating new files requires the full authoring features which are disabled when the apps are deactivated and placed into reduced functionality mode.
Edit documents is incorrect because editing is part of the licensed authoring capabilities and those capabilities are blocked once the software has been deactivated so users cannot modify existing documents.
When a question mentions deactivated or unlicensed Office think about reduced functionality and remember that users can usually view and print files but cannot create or edit them.
Question 26
Which Microsoft 365 service is specifically built to store and stream corporate training videos?
-
✓ C. Microsoft Stream
The correct answer is Microsoft Stream.
Microsoft Stream is purpose built for enterprise video storage and streaming. It integrates with Microsoft 365 and provides secure access controls, channels and groups to organize training content, automatic captions and transcripts, and analytics to track who watched which videos. Those capabilities make it the right choice for corporate training video delivery rather than a general file store.
SharePoint Online can host video files and it is useful for intranet pages and document management. It is not primarily designed as an enterprise video streaming service and it lacks the dedicated video management features that Stream provides.
OneDrive for Business is intended for personal file storage and file sharing and not for organization wide video streaming. It can share video files but it does not offer the centralized video channels, built in transcription, or analytics features needed for corporate training programs.
When a question mentions hosting and streaming corporate training videos look for services that offer enterprise video management features such as captions, channels, and analytics rather than general file storage.
Question 27
Which Microsoft 365 features let you apply confidentiality labels to files and prevent them from being shared externally? (Choose 2)
-
✓ B. Apply sensitivity labels to files
-
✓ C. Create a data-loss prevention policy
The correct answers are Apply sensitivity labels to files and Create a data-loss prevention policy.
Apply sensitivity labels to files lets organizations classify and protect content by marking files as confidential and applying protections such as encryption and access restrictions. Labels integrate with Microsoft Information Protection and can persist protection when files are shared outside the organization.
Create a data-loss prevention policy lets administrators detect sensitive information and block or restrict sharing with external recipients across services like Exchange, SharePoint, OneDrive, and Teams. DLP policies can stop external sharing, present user warnings, or automatically apply protections and they often work together with sensitivity labels for stronger enforcement.
Create retention labels is focused on keeping or deleting content to meet retention and compliance requirements and it does not inherently prevent external sharing or apply protective encryption to files.
Configure S/MIME for Outlook provides message level email signing and encryption and it does not label files in Office apps or block file sharing across OneDrive or SharePoint.
When a question asks about marking files as confidential and stopping external sharing think of sensitivity labels for classification and protection and data loss prevention policies for detection and enforcement.
Question 28
How does Microsoft Copilot for Microsoft 365 help users while they work within Microsoft 365 apps?
-
✓ C. It integrates into Microsoft 365 apps to generate drafts, summarize content, and surface relevant information to boost productivity
The correct answer is It integrates into Microsoft 365 apps to generate drafts, summarize content, and surface relevant information to boost productivity.
It integrates into Microsoft 365 apps to generate drafts, summarize content, and surface relevant information to boost productivity is accurate because Microsoft Copilot appears inside apps such as Word, Excel, Outlook, and Teams, and it helps users by producing draft text, summarizing long threads, extracting key points, and surfacing relevant files and data to speed up work and decision making.
It integrates into Microsoft 365 apps to generate drafts, summarize content, and surface relevant information to boost productivity delivers suggestions and generated content that users can edit, accept, or discard, and it complements existing editing and search features while fitting into an organization level governance model for data and privacy.
It requires no administrative controls for data and privacy is incorrect because administrators have controls and policies to manage Copilot usage, data handling, and privacy settings within Microsoft 365.
It fully automates tasks without user approval is incorrect because Copilot provides suggestions and drafts that require user review and acceptance, and it does not perform broad automated actions without user consent.
It only provides spelling and grammar suggestions is incorrect because Copilot goes beyond basic editing and it can generate new content, summarize documents, analyze data, and surface contextual insights across apps.
When choosing between options, look for phrases about content generation and contextual summaries, as those are core Copilot capabilities, and contrast them with answers that limit the tool to simple spelling checks or claim there are no administrative controls.
Question 29
Do Platform as a Service offerings include end-user applications such as office suites, endpoint management tools, and CRM applications?
-
✓ A. No
The correct answer is No. Platform as a Service offerings provide managed runtimes, middleware, developer tools and the underlying platform so teams can build and run applications, and they do not include end user applications such as office suites, endpoint management or CRM because those are delivered as application level services.
PaaS focuses on abstracting infrastructure and platform responsibilities so the cloud provider manages the operating system, runtime, scaling and underlying patching while the customer is responsible for their application code and data.
Yes is incorrect because it confuses PaaS with Software as a Service. End user applications like office suites and CRM are hosted and managed by providers and presented directly to users, so they fall under the SaaS model rather than PaaS.
When you need to distinguish cloud service models think about who manages the application. If the provider delivers ready to use applications choose SaaS. If the provider supplies runtimes and developer tools but not the end user apps choose PaaS.
Question 30
Which solution allows users to sign in to cloud applications using their on premises Active Directory credentials?
-
✓ B. Azure AD Connect
The correct option is Azure AD Connect.
Azure AD Connect synchronizes on premises Active Directory objects to Azure AD and can enable password hash synchronization or pass through authentication so users can sign in to cloud applications with their existing Active Directory credentials without creating separate cloud accounts.
Active Directory Federation Services is an on premises federation solution that can delegate authentication for single sign on, but it does not perform directory synchronization and it requires additional federation infrastructure, so it is not the synchronization solution the question asks for.
Azure AD Application Proxy publishes on premises web applications for remote access, but it does not synchronize user accounts or provide the primary mechanism for signing in to cloud applications with on premises Active Directory credentials.
Cameron McKenzie is an AWS Certified AI Practitioner, Machine Learning Engineer, Copilot Expert, Solutions Architect and author of many popular books in the software development and Cloud Computing space. His growing YouTube channel training devs in Java, Spring, AI and ML has well over 30,000 subscribers.
