Question 1. A user on a compliant device with valid MFA emails a spreadsheet containing 200 customer credit card numbers to an external vendor. No DLP policies are configured. What happens?
MFA blocks the email — MFA authenticates identity, not email content.
Safe Attachments blocks the email — Safe Attachments scans for malware, not sensitive data.
Device compliance blocks the email — Compliance checks device health, not email content.
The email is delivered — no control inspects content for sensitive data without DLP — Correct. Layers 1-3 protect access. Layer 4 (DLP) protects content. Without DLP, credit card data flows freely through email.
Question 2. You're designing a sensitivity label taxonomy. How many labels should you create?
As many as needed to cover every data type — 8-12 labels with sub-categories — Too many choices. Users hesitate, pick randomly, or stop labeling.
Four: Public, Internal (default), Confidential (encrypted), Highly Confidential (encrypted + restricted) — any user can choose in 2 seconds — Correct. Four labels cover the full sensitivity spectrum. Default labeling handles 80%+ without user action. Users reclassify the minority of documents that need higher or lower sensitivity.
Two: Sensitive and Not Sensitive — Too coarse. No distinction between internal-only and truly confidential content.
One per department — HR, Finance, Engineering, Marketing, Legal — Sensitivity is about content, not department. A client contract is Confidential whether it's in Sales or Legal.
Question 3. A document labeled "Confidential" is encrypted to internal users only. A user shares it via OneDrive with an external vendor's email address. What happens when the vendor tries to open the document?
The vendor opens it normally because they have the sharing link — The link only locates the document. Encryption is a separate layer that requires authentication before the content can be decrypted.
The vendor sees a watermark but can read the content — Watermarks are visual markings inside the document. The vendor can't open the document at all because decryption fails.
The vendor cannot open the document — encryption requires authentication against your Entra ID tenant, and the vendor's account is external — Correct. The sharing link exists but the document is encrypted. The vendor's authentication doesn't have decryption rights. The document is unreadable outside your tenant. This is encryption working as designed.
SharePoint blocks the share before it's created — Depends on SharePoint sharing settings. The share may succeed at the platform level, but encryption prevents the external user from reading the content.
Question 4. You've deployed DLP policies in simulation mode for 2 weeks. The Activity Explorer shows 47 matches: 38 genuine sensitive data shares and 9 false positives (equipment serial numbers flagged as credit card numbers). What do you do before enabling enforcement?
Increase the credit card minimum match count from 1 to 3 and add a high-confidence condition to reduce false positives, then transition to "test with notifications" for 1 week before enforcement — Correct. A 19% false positive rate generates user frustration. Tuning the detection threshold eliminates the serial number false positives while maintaining detection for genuine credit card data. The "test with notifications" phase verifies the tuning before blocking.
Enable enforcement immediately — 38 true positives justify the 9 false positives — 9 false positives per 2 weeks means ~5 per week. Users seeing erroneous blocks weekly lose trust in the system.
Remove the credit card detection entirely since it generates false positives — Removes detection for genuine credit card data to fix a tuning problem.
Keep simulation running indefinitely until false positives reach zero — Simulation provides no user protection. Some false positives are inevitable — the goal is an acceptable rate, not zero.
Question 5. Anonymous sharing links ("Anyone with the link") are enabled by default in SharePoint. What is the recommended tenant-level setting?
Keep anonymous links — users need to share quickly — Anonymous links have no audit trail, no authentication, and no expiration by default.
"New and existing guests" — external users must authenticate, creating an identity-linked audit trail while still allowing external collaboration — Correct. Authenticated sharing provides the same collaboration functionality as anonymous links but adds identity verification, audit logging, and the ability to revoke individual access. The external user's experience adds one authentication step — a minor friction for significant security improvement.
"Only people in your organization" — no external sharing at all — Too restrictive for most organizations. Legitimate external collaboration (vendors, clients, partners) requires some external sharing.
"Existing guests only" — only pre-approved externals — Viable for high-security environments but too restrictive for most. Users can't invite new external collaborators without admin intervention.
Question 6. Default labeling is set to "Internal" and mandatory labeling is enabled. A user creates 20 documents in Word over a week without ever interacting with the sensitivity label. How many documents are labeled?
Zero — the user never chose a label — Default labeling applies "Internal" automatically without user action.
Some — only documents the user explicitly saved — All documents saved to OneDrive or SharePoint receive the default label.
All 20 — every document receives "Internal" automatically at creation. Mandatory labeling ensures the label can't be removed — Correct. Default + mandatory = 100% coverage without user effort.
20, but they're classified as "Unclassified" — "Unclassified" is not one of the four labels. The default label is "Internal."
Question 7. A user in HR overrides a DLP block to email employee NINOs to HMRC for annual tax filing. The justification reads "Annual PAYE submission." Is this a problem?
No — this is a legitimate override with a valid justification. The DLP log creates a GDPR-compliant audit trail of the data sharing decision. Review it during the weekly DLP check and confirm it's appropriate — Correct. The override system is working as designed: blocking by default, allowing with justification, logging everything. The audit trail demonstrates controlled, documented data sharing.
Yes — NINOs should never be emailed externally — HMRC submission is a legal obligation. The data needs to reach HMRC somehow.
Yes — the HR user should use a different channel for HMRC submissions — Valid recommendation for future process improvement, but the current override is legitimate.
No — but remove the DLP policy for the HR mailbox — Removing the policy removes protection for ALL HR external sharing, not just HMRC.
Question 8. After completing Modules AD1-AD4, what does your complete security improvement program cover?
Identity protection only — MFA and conditional access — That's Module AD1 only. Three more layers are deployed.
Identity + email — the two most common attack vectors — Modules AD1 + AD2 only. Missing device and data layers.
Identity + email + devices — the three access control layers — Modules AD1-AD3. Missing the data protection layer.
All four layers: Identity (MFA + CA), Email (Safe Links + Safe Attachments + anti-phishing + SPF/DKIM/DMARC), Devices (compliance + CA enforcement + encryption), Data (sensitivity labels + DLP + sharing controls) — protecting who signs in, what arrives, which devices access data, and what happens to the data itself — all on E3 at zero additional cost — Correct. Four complete security layers, deployed in 8 weeks, maintained in 30-45 minutes per week, at zero additional licensing cost. This is the complete M365 security program for an IT administrator who is also responsible for security.