General Flashcards

(48 cards)

1
Q

Identity Protection Permission Groups

A

Security Admin
Security Operator
Security Reader

2
Q

Security Admin

A

Can:
Full access to Identity Protection
Can't:
Reset password for a user

3
Q

Security Operator

A

Can:
View all Identity Protection reports and the Overview screen; dismiss user risk; confirm safe sign-in; confirm compromise
Can't:
Configure or change policies; reset password for a user; configure alerts

4
Q

Security Reader

A

Can:
View all Identity Protection reports and the Overview screen
Can't:
Configure or change policies; reset password for a user; configure alerts; give feedback on detections

5
Q

Enforcing information protection with Defender for Cloud Apps

A

Phase 1: Discover data. Make sure apps are connected to Defender so you can scan data, either with an app connector or by using Conditional Access app control.
Phase 2: Classify data. Default labels: Personal, Public, General, Confidential, Highly Confidential.
Phase 3: Protect data. Create a file policy to scan files in real time, or apply governance actions.
Phase 4: Monitor and report.

6
Q

UEBA

A

User and entity behavior analytics (out-of-the-box anomaly detection)

7
Q

How many days does Microsoft Defender for Cloud Apps spend learning your environment?

A

Seven Days
It looks at the IP addresses, devices, and locations your users access, identifies which apps and services they use, and calculates the risk score of all of these activities.

8
Q

Where do DLP alerts show up?

A

Microsoft Defender XDR
Microsoft Purview (used for compliance; focuses on the policy itself)

9
Q

DLP alert lifecycle

A

Trigger - an action meets a condition in a DLP policy
Notify - if an alert is generated, it goes to the Defender portal and the Purview alert dashboard; email notification can also be set up
Triage - review new alerts; is it a false positive?
Investigate - after assigning an owner, the next step is to investigate further
Remediate - the alert owner decides what actions to take
Tune - tune the DLP policy

10
Q

Types of DLP alerts within Purview

A

Single event - alert every time a policy rule matches
Aggregate event - alert when a threshold is met, e.g. 10 matching events within 24 hours (can be set by number of matches or by volume of data)

11
Q

Licensing requirements for DLP policy alerts

A

Single event alert - E1, F1, G1, E3, or G3
Aggregate event alert - requires an E5 license or one of the following add-ons for E3/G3:
Office 365 Advanced Threat Protection Plan 2
Microsoft 365 E5 Compliance
Microsoft 365 eDiscovery and Audit add-on

12
Q

Roles required to configure DLP alerts

A

Compliance Administrator
Information Protection Admin
Security Operator
Security Reader
Information Protection Investigator

13
Q

How long do DLP alerts remain in the Purview alerts dashboard?

A

30 days

14
Q

Reasons DLP emails might be unavailable to download

A

An internal sender deleted the message sent to an external recipient
An external sender’s message was deleted by the internal recipient
Both internal sender and recipient deleted the message

15
Q

DLP Response actions in Purview

A

Set alert status to track progress, such as Investigating or Resolved
Assign the alert to a reviewer for accountability
Add comments to capture internal notes or observations
Share alert details using a generated read-only link
View user activity summary (if Insider Risk Management is integrated)

16
Q

DLP Response actions in Defender XDR

A

Update the incident status, assign it to a team member, and add notes
Apply classifications like True Positive or False Positive and specify a reason
Take remediation actions directly, such as:
Disabling a user account
Removing file access
Applying a sensitivity or retention label

17
Q

Alert generation process (Insider Risk Management)

A

Settings configured - policy settings are configured to align with the organization's insider risk management strategy.
Policy created - policies define whose activity to evaluate, what activity to detect, and which events should trigger active monitoring.
Triggering event occurs - a triggering event activates the policy for a specific user.
User activity evaluated and scored - the system begins monitoring the user's actions. Activities are assigned risk scores based on the type of activity, configured thresholds, and the user's history.
Alert generation - an alert is generated if the user's risk score exceeds the policy-defined threshold.

18
Q

Microsoft Purview Insider Risk Management

A

Helps investigators and analysts view, prioritize, and take action on potentially risky user activity. Each alert is based on policy-defined conditions.

19
Q

Microsoft Purview Insider Risk Management alert details retention

A

Alerts in "Needs review" are retained for 120 days; after that they are deleted unless linked to an active case.

20
Q

All risk factors tab in Microsoft Purview Insider Risk Management

A

Provides a summary of potentially risky activity associated with an alert.

21
Q

All risk factors shown in Purview Insider Risk Management

A

Top exfiltration activities: Lists the most frequent exfiltration actions, such as archiving or uploading files.
Cumulative exfiltration: Shows whether repeated actions build over time to indicate rising risk.
Sequences of activities: Highlights related activities that form a recognizable risk sequence.
Priority content: Indicates whether the user interacted with files marked as sensitive or business-critical.
Unallowed domains: Flags any file or data transfers to domains that aren’t permitted by policy.
Unusual behavior or high-impact user status: Detects abnormal patterns or identifies users whose role or access level contributes to elevated risk.

22
Q

Content Detected within Purview

A

Shows the specific items involved in each risk activity.

23
Q

Activity Explorer tab in Purview Insider Risk Management

A

Lets you investigate the full context of potentially risky behavior. This tab shows a timeline of the user activity that contributes to the alert, with detailed metadata to support investigation, filtering, and review.
Use this tab to confirm what triggered the alert and to identify patterns or supporting evidence that indicate whether further action is needed.

24
Q

Activity Explorer tab in Purview Insider Risk Management: filters

A

Activity scope: Show all scored activity for the user or only activity associated with this specific alert
Risk factor: Focus on specific indicators like sequences, cumulative exfiltration, unallowed domains, or priority content
Review status: Hide previously reviewed items to focus on new activity

25
Q

User Activity tab in Purview Insider Risk Management

A

Shows a visual timeline of potentially risky behavior over time. This view helps investigators assess whether a user's activity is ongoing, escalating, or part of a broader pattern. Use this tab to evaluate risk across multiple alerts and understand how individual actions fit into a larger risk profile.

26
Q

Does alert status and classification sync between Purview and Defender?

A

Yes.
Defender status (New, In progress) vs. Insider Risk Management status (Needs review)
Defender status (Resolved) vs. Insider Risk Management status (Dismissed or Confirmed, based on classification)
Defender classification (True positive) vs. Insider Risk Management classification (Confirmed)
Defender classification (Informational, expected activity; False positive) vs. Insider Risk Management classification (Dismissed)

27
Q

KQL

A

Kusto Query Language

28
Q

Before Insider Risk Management alerts appear in Microsoft Defender, what setting needs to be enabled?

A

The setting "Share user risk details with other security solutions" must be enabled in the Microsoft Purview portal.

29
Q

Cases in Microsoft Purview Insider Risk Management

A

Use the Cases dashboard to view all active and closed cases, assign ownership, and manage follow-up actions such as escalation, communication, and resolution.

30
Q

True or false: all alerts require a case?

A

False. You don't have to create a case from an alert; you can dismiss or confirm it from the alerts dashboard.

31
Q

Actions on a case

A

Send email notice
Escalate for investigation
Run Power Automate flows
Create or view a Teams team
Resolve a case - Benign (low risk or false positive) or Confirmed policy violation

32
Q

Microsoft Purview > Insider Risk Management > Alerts > All risk factors, Activity Explorer, User activity

33
Q

Microsoft Purview Audit

A

Provides tools to log user and administrator activities, helping organizations protect their data and meet compliance standards. Consider a network of healthcare facilities that manages a large amount of sensitive patient data daily. After noticing unusual access patterns to their electronic health records (EHR), they need to confirm all access is authorized and aligns with health data protection regulations. The compliance team turns to Microsoft Purview Audit to strengthen oversight, investigate activity, and support regulatory requirements.

34
Q

Microsoft Purview Audit solutions

A

Standard and Premium.
Standard - default; API access; 180-day retention.
Premium - audit log retention configurable for up to one year, or 10 years with an add-on license (default retention is 1 year); intelligent insights; higher API bandwidth; can also record more granular activities in Exchange Online and Teams.

35
Q

Subscription needed for Audit (Standard) and Audit (Premium)

A

Audit (Standard) is included in:
Microsoft 365: E3, E5, F1, F3
Office 365: E1, E3, E5, F3
Audit (Premium) requires:
Microsoft 365: E5, E5 Compliance, F5 Compliance, F5 Security + Compliance
Office 365: E5

36
Q

Audit permissions needed

A

Assign the Audit Logs or View-Only Audit Logs roles in the Microsoft Purview portal. These roles are included in the Audit Reader and Audit Manager role groups.
Audit Manager: lets you search and export audit logs, and manage audit settings, including enabling or disabling logging.
Audit Reader: lets you search and export audit logs but doesn't allow changes to audit settings.

37
Q

What is the maximum number of search jobs a user can run at the same time in the Microsoft Purview compliance portal?

A

Up to 10

38
Q

Audit (Premium): how to investigate compromised accounts

A

MailItemsAccessed provides detailed records of how and when emails are accessed, making it a critical event type for investigations involving sensitive communications.

39
Q

Audit: sync vs. bind access

A

Sync access: logs a single event when multiple emails are downloaded during a session, such as when using Outlook.
Bind access: logs each time an individual email is opened or interacted with.

40
Q

Managing audit log volume: when is it throttled?

A

Exchange Online throttles MailItemsAccessed logging if a mailbox logs more than 1,000 bind events in 24 hours.
Throttling:
Affects less than 1% of mailboxes
Only pauses logging for MailItemsAccessed events, not other activities
Applies to bind operations only; sync activities are unaffected
Might result in gaps where bind events weren't recorded

41
Q

Duplicate audit records with Premium

A

Sync operations are filtered at one-hour intervals unless distinct changes in key properties are detected. Bind operations generate a new audit record only if certain properties differ from previously logged operations within the same hour. These properties include:
ClientIPAddress: the IP address from which the mailbox was accessed.
ClientInfoString: details about the client and protocol used.
ParentFolder: location within the mailbox.
Logon_type: distinguishes between owner, admin, or delegate access.
MailAccessType: specifies whether the operation was a bind or sync.
MailboxUPN and User: identity of the mailbox and of the user accessing it.
SessionId: helps distinguish between different sessions of access, providing a clear timeline of actions.

42
Q

Exporting audit log data

A

Both Standard and Premium allow downloading a CSV file.
You can export 50,000 entries from a single search.

43
Q

What is eDiscovery?

A

A feature in the Microsoft Purview portal that enables authorized users to create cases, search for content, place holds to preserve data, and export results. It's designed to support internal investigations, legal obligations, regulatory audits, and incident response.

44
Q

Licensing for eDiscovery

A

Core eDiscovery features are included in Microsoft 365 E3 and E5 plans. Advanced features might require separate licensing.

45
Q

Roles needed for eDiscovery

A

eDiscovery Manager: allows users to create and manage eDiscovery cases, run content searches, and export results.
eDiscovery Administrator: includes all eDiscovery Manager permissions, plus the ability to manage role assignments and settings across all cases.

46
Q

Does an eDiscovery search require a case?

A

Yes, every search must be associated with a case. The case model provides:
Controlled access to investigation data
An auditable trail of search and export actions
A consistent structure for managing investigation tasks

47
Q

eDiscovery phases

A

Phase 1: Define search criteria (search name, data source, a KQL query)
Phase 2: Identify data sources
Phase 3: Build the query
Phase 4: Run and review the results
Statistics: view summary data about the search, including the number of items found, the size of the results, and a breakdown by location.
Sample: view a random sample of the search results to validate your query before proceeding.

48
Q

eDiscovery exporting

A

You can export:
Only indexed items that matched your search query
Indexed items and partially indexed items
Only partially indexed items
Additional options:
Mailboxes and Teams thread conversations into HTML transcripts (especially useful for chat review)
Include contextual Teams and Viva Engage messages (up to 12 hours of related conversation)
Include cloud attachments from SharePoint or OneDrive, and choose the version range to include
Export mailbox content as PST or MSG files
Access the export in Process manager