Microsoft 365 Administrator · Domain 3 · 33% of exam

Manage security and threats by using Microsoft Defender XDR

Drill 20 practice questions focused entirely on Manage security and threats by using Microsoft Defender XDR for the Microsoft MS-102 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A security analyst at Contoso wrote a KQL query in Microsoft Defender XDR advanced hunting that identifies devices where a suspicious PowerShell command downloads content from a known-bad domain. The query returns accurate results when run manually. The analyst wants Defender XDR to automatically run this query on a recurring schedule and generate an alert (and optionally take response actions) whenever the pattern is detected. What should the analyst do?

Reviewed for accuracy · Report an issue
Question 2 of 20

You are a Microsoft 365 administrator using Attack Simulation Training in Microsoft Defender for Office 365. After running a credential-harvest phishing simulation, leadership asks you to identify users who have been compromised in multiple past simulations so you can automatically assign them additional training. Which feature within Attack Simulation Training should you use to identify these users based on their history across simulations?

Reviewed for accuracy · Report an issue
Question 3 of 20

Your organization uses Microsoft Defender for Cloud Apps. The security team suspects employees are using unsanctioned cloud storage services. You need to generate a report that identifies which cloud apps are being used across the organization based on firewall and proxy traffic logs, and assess each discovered app's risk score. Which Defender for Cloud Apps capability should you use?

Reviewed for accuracy · Report an issue
Question 4 of 20

Your organization uses Microsoft Defender for Cloud Apps with the Microsoft 365 app connector enabled. The security team wants to be automatically alerted whenever a single user account signs in from two geographically distant locations within a time frame that makes physical travel between them impossible, which may indicate compromised credentials. You need to implement this detection with the least administrative effort. What should you configure?

Reviewed for accuracy · Report an issue
Question 5 of 20

Your organization uses Microsoft 365 with Defender for Cloud Apps. Security requires the ability to detect and revoke risky OAuth application grants in Exchange Online, SharePoint, and Teams, and to suspend a specific user account directly from a Cloud Apps alert. Currently, only Cloud App Discovery is configured using firewall log uploads. What must you do first to enable these governance actions on Microsoft 365 data?

Reviewed for accuracy · Report an issue
Question 6 of 20

Your organization uses Defender for Cloud Apps with the Microsoft 365 app connector fully connected. The compliance team reports that files containing credit card numbers are being shared externally through SharePoint Online. They want Defender for Cloud Apps to automatically detect these files at rest and place any matching file into administrative quarantine. Which type of policy should you create?

Reviewed for accuracy · Report an issue
Question 7 of 20

Your organization uses Microsoft Defender for Cloud Apps with the Microsoft 365 app connector enabled. Users have been consenting to third-party OAuth applications that request high-privilege permissions such as Mail.ReadWrite and full mailbox access. Security wants to be automatically alerted and have such risky OAuth apps revoked when an app with more than 50 user consents requests high-severity permissions. Which Defender for Cloud Apps capability should you configure to meet this requirement?

Reviewed for accuracy · Report an issue
Question 8 of 20

Your organization uses Microsoft Defender for Cloud Apps integrated with Conditional Access. Users can access SharePoint Online and Exchange Online from personal, unmanaged devices, but the security team requires that these users be prevented from downloading files to unmanaged devices while still allowing them to view and edit content in the browser. Which Defender for Cloud Apps configuration should you implement to meet this requirement?

Reviewed for accuracy · Report an issue
Question 9 of 20

Your organization plans to deploy an attack surface reduction (ASR) rule that blocks Office applications from creating child processes across 2,000 Windows devices managed by Microsoft Defender for Endpoint. The security team is concerned that a line-of-business Excel macro may break if the rule immediately blocks activity. You need to measure the potential impact of the rule before enforcing it, without preventing any legitimate business processes. What should you do first?

Reviewed for accuracy · Report an issue
Question 10 of 20

Your organization has onboarded all Windows 11 devices to Microsoft Defender for Endpoint. A recent incident revealed that malware attempted to disable real-time protection and modify Defender registry keys before being blocked. The security team wants to ensure that no local process, user, or third-party tool can turn off or reconfigure Defender antivirus settings on managed endpoints. Which endpoint setting should you enable to meet this requirement?

Reviewed for accuracy · Report an issue
Question 11 of 20

You have onboarded 200 Windows 11 devices to Microsoft Defender for Endpoint by using a local script. A security analyst reports that one device does not appear in the Microsoft Defender portal device inventory, even though the onboarding script reportedly ran successfully. You need to confirm on the affected device whether the Defender for Endpoint sensor is actually reporting to the service before escalating the issue. What should you do on the device?

Reviewed for accuracy · Report an issue
Question 12 of 20

During an active investigation, your SOC analyst identifies a suspicious executable running on an onboarded Windows workstation in Microsoft Defender for Endpoint. The analyst needs to remotely connect to the device to collect the file for forensic analysis and run commands to inspect running processes, without physically accessing the machine or waiting for the user. Which Defender for Endpoint capability should the analyst use?

Reviewed for accuracy · Report an issue
Question 13 of 20

Your organization has fully onboarded all Windows servers and workstations to Microsoft Defender for Endpoint. Leadership is concerned about unmanaged network devices such as routers, switches, and printers that cannot have the Defender sensor installed. You need to gain visibility into these unmanaged network devices and assess them for vulnerabilities without deploying an agent to each device. What should you do?

Reviewed for accuracy · Report an issue
Question 14 of 20

You are the Microsoft 365 administrator for Contoso. You need to onboard 400 domain-joined Windows 11 corporate devices to Microsoft Defender for Endpoint. The devices are managed with on-premises Active Directory and Group Policy, and Contoso does not use Microsoft Intune. You want an onboarding method that scales to all devices without touching each machine individually. Which onboarding package and deployment method should you use?

Reviewed for accuracy · Report an issue
Question 15 of 20

Your organization uses Microsoft Intune for device management. The security team wants to onboard 200 corporate macOS devices to Microsoft Defender for Endpoint with the least administrative effort and no manual per-device configuration. What should you do?

Reviewed for accuracy · Report an issue
Question 16 of 20

Your organization runs several Windows Server 2022 machines hosted in Azure. Security leadership wants these servers protected by Microsoft Defender for Endpoint so they appear in the Microsoft Defender portal device inventory alongside your onboarded Windows 11 clients. You want the onboarding to be automatic and centrally managed with the least ongoing administrative effort. What should you do?

Reviewed for accuracy · Report an issue
Question 17 of 20

A security analyst at Contoso reviews Defender Vulnerability Management and finds a security recommendation flagging an outdated version of a line-of-business application on 40 servers. The vendor has confirmed the vulnerability does not apply because the affected component is not installed in Contoso's deployment, but the recommendation keeps lowering the exposure score. The analyst wants to stop this recommendation from affecting the exposure score for these devices while documenting the business reason, without removing the recommendation permanently. What should the analyst do?

Reviewed for accuracy · Report an issue
Question 18 of 20

You are a security administrator using Microsoft Defender for Endpoint. Leadership asks you to report on how susceptible your organization's onboarded devices are to active threats and vulnerabilities based on current device configuration and unpatched CVEs. They specifically want a single metric that reflects the organization's device threat exposure, where a lower value is better. Which Defender Vulnerability Management metric should you report?

Reviewed for accuracy · Report an issue
Question 19 of 20

Your organization uses Microsoft Defender for Endpoint with Defender Vulnerability Management enabled. A new critical CVE affecting a widely deployed browser is announced. Your security manager asks you to quickly determine how many onboarded devices in your environment are affected by this specific CVE and whether it is being actively exploited in the wild. Which Defender Vulnerability Management area should you use to get this information most directly?

Reviewed for accuracy · Report an issue
Question 20 of 20

You are a security administrator using Microsoft Defender Vulnerability Management. Leadership requests a report identifying every managed device that has a specific version of a third-party PDF reader installed, because a critical zero-day was just published for that exact version. You need the fastest way to list all affected devices without writing custom code. What should you do in the Microsoft Defender portal?

Reviewed for accuracy · Report an issue

More MS-102 practice

Keep going with the other Microsoft 365 Administrator domains, or take a full timed mock exam.

← Back to MS-102 overview