Describe the capabilities of Microsoft Entra (25–30%)



Describe function and identity types of Microsoft Entra ID


Describe Microsoft Entra ID

  • Microsoft Entra ID is a cloud-based identity and access management (IAM) service from Microsoft that allows organizations to control who can access resources like apps, services, and data, both in the cloud and on-premises.
  • It enables single sign-on (SSO), meaning users can sign in with their organizational account once and then access multiple applications without needing to remember different usernames and passwords.
  • Entra ID enhances security by providing features like multifactor authentication (MFA), conditional access policies, and security monitoring, helping protect organizational data from unauthorized access and suspicious activities.
  • Administrators can easily add or remove user access to resources, automate user provisioning and de-provisioning based on roles or group membership, and get detailed reports on user activities and security events.
  • Microsoft Entra ID supports integration with thousands of SaaS applications and works alongside on-premises Active Directory, making it suitable for hybrid or fully cloud-based organizations.

Example: A small IT company using Microsoft Entra ID allows its employees to use their work email and one password to sign in to Microsoft 365, the company HR portal, and various cloud-based project management tools. If someone leaves the company, their access to all systems can be revoked centrally by the IT admin, increasing security and saving time.

Use Case: An IT support technician helps a new employee get started quickly by adding them to the appropriate groups in Entra ID. Once added, the employee automatically gains access to all tools they need—like email, file storage, and developer resources—without submitting multiple requests or receiving separate login credentials for each app. This speeds up onboarding and ensures secure, managed access from day one.



Describe types of identities

  • Human identities represent real people, such as employees, contractors, or external users. These identities are typically associated with a username and password used to sign in and access organizational resources.
  • Workload identities are for applications or services, like automated scripts or containers, that need to authenticate and access resources independently of a human user. Common examples include service principals and managed identities in Microsoft Entra ID.
  • Device identities refer to physical devices, such as laptops, smartphones, or IoT sensors, that are registered and managed by the organization. Device identities help ensure only trusted hardware can access corporate data and systems.
  • Hybrid identities combine on-premises and cloud identities, allowing organizations to synchronize users and devices from their local Active Directory to Microsoft Entra ID for seamless, secure access across environments.
  • Federated and external identities enable users from outside the organization or from third-party identity providers to access organizational resources through secure identity federation or invitation processes.

Example: A company’s employee, Jane, logs into her work laptop using her Microsoft Entra ID credentials. Jane’s human identity allows her to access files and applications, while her laptop’s device identity ensures only authorized devices are permitted on the network.

Use Case: An IT administrator needs to set up single sign-on for a cloud application. They use a workload identity (a service principal) so the application can securely access resources without storing user credentials. At the same time, the admin ensures only approved devices (device identities) and verified employees (human identities) can sign in.



Describe hybrid identity

  • Hybrid identity is a setup where user identities exist both on-premises (for example, in Active Directory) and in the cloud (in Microsoft Entra ID). This allows organizations to manage users and provide access to resources regardless of where those resources are hosted.
  • It is achieved through directory synchronization—user accounts and groups from the on-premises directory are synchronized with Microsoft Entra ID in the cloud. This ensures users have a consistent identity for accessing both on-premises and cloud applications.
  • Hybrid identity supports secure, unified sign-on experiences, making it easier for users to access services like Microsoft 365, Azure resources, and internal company apps without juggling multiple passwords or accounts.
  • Organizations use hybrid identity when they need to transition gradually to the cloud or continue using both on-premises and cloud resources. Hybrid identity enables flexibility and supports staged migrations.
  • Managing hybrid identity often involves tools like Microsoft Entra Connect, which automates directory synchronization and helps maintain up-to-date user info across both environments.

Example: A medium-sized business uses Active Directory on their office servers to manage user logins for computers and internal apps. They start using Microsoft 365 for email and file sharing. With hybrid identity, employees can use the same username and password to log in both to their office computers and Microsoft 365, making access seamless.

Use Case: An IT administrator at a company wants to move some applications to the cloud but still relies on critical apps hosted on their local servers. By setting up hybrid identity with Microsoft Entra ID, the admin ensures employees can securely and conveniently access both cloud and on-premises apps using the same credentials. This simplifies management and improves security by allowing centralized control over user access.



Describe authentication capabilities of Microsoft Entra ID


Describe the authentication methods

  • Password-based authentication is the traditional method where users enter a username and password to access their account. This method relies on something the user knows, but passwords can be weak or reused, making them vulnerable to attacks.
  • Passwordless authentication methods, like the Microsoft Authenticator app, use something the user has (such as a smartphone) and/or something the user is (such as a fingerprint or facial recognition). These methods often use notifications, passkeys, or biometric verification for sign-in, making the process more secure and convenient.
  • Multifactor authentication (MFA) adds an extra layer of security by requiring two or more authentication methods. For example, users might enter a password and then approve a notification on their phone using the Microsoft Authenticator app.
  • Biometric authentication, such as facial recognition or fingerprint scanning (e.g., Windows Hello for Business), identifies users based on unique physical traits. This reduces reliance on passwords and helps prevent unauthorized access.
  • Hardware-based authentication, like FIDO2 security keys, allows users to sign in without entering a password or even a username. The security key physically plugs into a device or communicates wirelessly, adding strong protection against phishing.

Example: A company employee signs in to their Microsoft Entra ID account by entering their username. Instead of typing a password, they receive a notification on the Microsoft Authenticator app on their phone. The app asks them to match a number displayed on their work computer and then verify their identity using a fingerprint. This allows them to securely access company resources without needing to remember a password.

Use Case: An IT support technician at a mid-sized company sets up passwordless authentication for all employees using the Microsoft Authenticator app. Staff can now sign in to work accounts from both their PCs and mobile devices by approving notifications on their phones and providing a PIN or biometric verification, making logins faster and reducing the risk of password theft.



Describe multi-factor authentication (MFA)

  • Multi-factor authentication (MFA) is a security process that requires users to provide two or more forms of identification before gaining access to an account or system. This makes it much harder for unauthorized people to break in, even if they have your password.
  • MFA typically involves a combination of factors: something you know (like a password), something you have (such as your smartphone or a hardware token), or something you are (such as a fingerprint or face scan). By using more than one factor, MFA significantly reduces the chance of unauthorized access.
  • With Microsoft Entra ID, MFA is integrated directly into the sign-in process for cloud services like Azure and Microsoft 365. Users may be prompted to enter a verification code from an authenticator app, approve a sign-in on their phone, or use biometrics, depending on what’s been set up.
  • Enabling MFA strengthens account security with minimal disruption to the user. Organizations can use built-in policies to require MFA for all users or customize it for specific groups and scenarios. This is especially important in protecting sensitive data and administrative accounts.

Example: Suppose you log in to your Microsoft 365 work account with your password (something you know). After entering your password, you receive a prompt on your smartphone (something you have) to approve the sign-in or enter a code from the Microsoft Authenticator app. This second step prevents attackers from accessing your account—even if they know your password—because they also need your phone.

Use Case: An IT administrator at a company enables MFA for all employees using Microsoft Entra ID. Now, every time employees sign in to Office 365 or connect to an Azure SQL Database, they must enter their password and confirm a prompt on their registered phone or use biometric authentication. This setup helps prevent common cyberattacks, like phishing, that target weak or stolen passwords.



Describe password protection and management capabilities

  • Password protection in Microsoft Entra ID helps prevent the use of weak or commonly used passwords by blocking them during creation or reset. This reduces the risk of attackers guessing easy passwords.
  • Password policies can be managed centrally and customized to set requirements like minimum length, complexity, and account lockout rules, making password management consistent across the organization.
  • Users can reset their own passwords securely using Self-Service Password Reset (SSPR), which reduces help desk calls and allows users to regain access quickly if they forget their password.
  • Entra ID supports monitoring for leaked or compromised passwords. If a user’s password is found on a list of known breaches, the user can be forced to change it, helping protect accounts against external threats.
  • Password management can be combined with multifactor authentication (MFA) for stronger protection, requiring users to verify their identity with something more than just a password.

Example: Imagine an employee tries to change their password to ‘Password123’. With Microsoft Entra ID password protection enabled, the system blocks this choice because it’s a commonly used and easily guessed password, prompting the employee to choose a stronger one.

Use Case: A small IT company uses Microsoft Entra ID to manage employees’ access. An employee forgets their password and uses the self-service password reset feature to securely regain access without waiting for IT support. This keeps work moving smoothly and reduces workload for the help desk.
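The check that rejects ‘Password123’ above can be modeled in a few lines. This is an added example, not code from the page or from Microsoft: it follows the scoring Microsoft documents for Entra password protection (normalize, count each banned term as one point and each remaining character as one point, require at least 5 points), but it is simplified (no edit-distance fuzzy matching and no user-specific terms), and the banned list is constructed.

```python
# Character substitutions that normalization undoes, as Microsoft documents them for
# Entra password protection: 0->o, 1->l, $->s, @->a (plus lower-casing).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
MIN_POINTS = 5   # documented threshold: a password needs at least 5 points to be accepted


def normalize(password: str) -> str:
    return password.lower().translate(SUBSTITUTIONS)


def score(password: str, banned_terms) -> tuple:
    """Score a password: each banned term found in the normalized form counts as one
    point (its characters are consumed); every remaining character counts as one point."""
    norm = normalize(password)
    consumed = [False] * len(norm)
    points, hits = 0, []
    # Longest terms first so that a long banned term is not broken up by a shorter one.
    for term in sorted({normalize(t) for t in banned_terms}, key=len, reverse=True):
        if not term:
            continue
        start = 0
        while (idx := norm.find(term, start)) != -1:
            end = idx + len(term)
            if any(consumed[idx:end]):
                start = idx + 1          # overlaps an earlier match; keep scanning
                continue
            consumed[idx:end] = [True] * len(term)
            points += 1
            hits.append(term)
            start = end
    points += consumed.count(False)     # characters not covered by any banned term
    return points, hits


def evaluate(password: str, banned_terms, minimum: int = MIN_POINTS) -> dict:
    """Return the normalized form, the score, the banned terms hit, and the verdict."""
    points, hits = score(password, banned_terms)
    return {
        "normalized": normalize(password),
        "points": points,
        "banned_hits": hits,
        "accepted": points >= minimum,
    }


# Constructed banned list: global-list style terms plus a tenant name ("contoso").
BANNED = ["password", "contoso", "blank"]
```

‘Password123’ scores 1 (the term “password”) + 3 (the digits) = 4 and is rejected, while a password with no banned substrings scores one point per character and passes easily.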



Describe access management capabilities of Microsoft Entra ID


Describe Conditional Access

  • Conditional Access in Microsoft Entra ID is a security feature that allows organizations to control how and when users can access resources based on specific conditions, such as user identity, device status, location, or risk level.
  • Policies are created using ‘if-then’ statements, meaning administrators can specify actions — for example, if a user signs in from an unfamiliar location, then they must complete multifactor authentication (MFA) before gaining access.
  • Conditional Access uses signals from various sources, including user roles, device state, IP location, and risk detection, to determine whether access should be granted, require additional actions, or be blocked altogether.
  • This helps organizations balance security and productivity by enforcing the right level of protection only when necessary, allowing users to work flexibly while keeping sensitive data secure.
  • Administrators manage these policies via the Entra admin center, where they can monitor sign-ins, optimize access rules, and quickly respond to emerging threats or changes in user behavior.

Example: Imagine an employee trying to access Microsoft 365 from home. Even after entering their usual password, they’re asked to enter a code sent to their phone (MFA). This extra step only happens if they’re not on the company network, making access both convenient and secure.

Use Case: A small IT firm uses Conditional Access to require multifactor authentication for all remote employees accessing company applications. If an employee travels and tries to log in from a new country, the system automatically enforces MFA, helping prevent unauthorized access even if a password is stolen.
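The ‘if-then’ evaluation described above, as an added example that is not part of the original page or of Microsoft's service: each policy's conditions (group scoping, app, trusted-location exclusion, sign-in risk) form the ‘if’, its grant control the ‘then’, and the decision combines every applicable policy (any block wins, otherwise all required controls must be met). The trusted location range, policy names, groups and sign-in samples are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed named location: the company's office egress range (TEST-NET-3, not a real network).
TRUSTED_LOCATIONS = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class SignIn:
    """The signals Conditional Access sees for one sign-in attempt."""
    user: str
    groups: frozenset          # group memberships used for include/exclude scoping
    app: str
    source_ip: str
    device_compliant: bool
    sign_in_risk: str          # "none", "low", "medium" or "high" (from risk detection)
    satisfied: frozenset       # controls already proven in this session, e.g. {"mfa"}


@dataclass(frozen=True)
class Policy:
    """One 'if-then' policy: the conditions on the left, the grant control on the right."""
    name: str
    controls: frozenset = frozenset()        # e.g. {"mfa", "compliant_device"}
    block: bool = False                      # the "block access" grant control
    include_groups: frozenset = frozenset()  # empty = all users
    exclude_groups: frozenset = frozenset()  # e.g. emergency-access accounts
    apps: frozenset = frozenset()            # empty = all cloud apps
    skip_trusted_locations: bool = False     # exclude trusted named locations from the policy
    risk_levels: frozenset = frozenset()     # empty = the policy does not look at risk


def in_trusted_location(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_LOCATIONS)


def applies(policy: Policy, s: SignIn) -> bool:
    """Evaluate the 'if' side: every configured condition must match."""
    if policy.include_groups and not (policy.include_groups & s.groups):
        return False
    if policy.exclude_groups & s.groups:
        return False
    if policy.apps and s.app not in policy.apps:
        return False
    if policy.skip_trusted_locations and in_trusted_location(s.source_ip):
        return False
    if policy.risk_levels and s.sign_in_risk not in policy.risk_levels:
        return False
    return True


def decide(policies, s: SignIn):
    """Combine every applicable policy: a block always wins; otherwise the union of
    required controls must be satisfied before access is granted."""
    matched = [p for p in policies if applies(p, s)]
    blockers = sorted(p.name for p in matched if p.block)
    if blockers:
        return ("block", blockers)
    required = set()
    for p in matched:
        required |= p.controls
    satisfied = set(s.satisfied)
    if s.device_compliant:
        satisfied.add("compliant_device")
    missing = sorted(required - satisfied)
    if missing:
        return ("require", missing)
    return ("grant", sorted(p.name for p in matched))


# Constructed policy set mirroring the example above (MFA only off the company network).
POLICIES = [
    Policy("Require MFA outside the office", controls=frozenset({"mfa"}),
           exclude_groups=frozenset({"emergency-access"}), skip_trusted_locations=True),
    Policy("Require compliant device for HR portal", controls=frozenset({"compliant_device"}),
           apps=frozenset({"hr-portal"})),
    Policy("Block high-risk sign-ins", block=True, risk_levels=frozenset({"high"})),
]


def scenarios():
    """Run the same user through four constructed sign-in situations."""
    base = dict(user="jane@example.com", groups=frozenset({"staff"}), app="microsoft-365",
                device_compliant=True, sign_in_risk="none", satisfied=frozenset())
    office = SignIn(**{**base, "source_ip": "203.0.113.25"})
    home = SignIn(**{**base, "source_ip": "198.51.100.7"})
    home_mfa = SignIn(**{**base, "source_ip": "198.51.100.7", "satisfied": frozenset({"mfa"})})
    risky = SignIn(**{**base, "source_ip": "192.0.2.44", "sign_in_risk": "high"})
    return {name: decide(POLICIES, s) for name, s in
            [("office", office), ("home", home), ("home_mfa", home_mfa), ("risky", risky)]}
```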



Describe Microsoft Entra roles and role-based access control (RBAC)

  • Microsoft Entra roles are predefined sets of permissions that control what tasks users can perform and what resources they can access within Microsoft Entra ID. Roles can be assigned to individual users, groups, or even specific applications.
  • Role-Based Access Control (RBAC) is a security system that ensures users receive only the access they need based on their role in the organization. This approach supports the principle of least privilege, which helps reduce the risk of unauthorized access or accidental changes.
  • There are two types of roles in Microsoft Entra ID: built-in roles (with predefined permissions, such as Global Administrator or User Administrator) and custom roles (which administrators can define to meet specific organizational needs). Roles can be assigned at different scopes, such as the entire organization or specific resources, making access management more tailored and secure.

Example: Suppose a company has an IT administrator responsible for managing user accounts but not for managing billing information. In Microsoft Entra ID, the administrator is assigned the ‘User Administrator’ role, which allows them to create and manage user accounts while restricting access to other sensitive settings like billing or global configurations.

Use Case: A new employee joins the IT support team in a medium-sized business. To ensure the employee can reset passwords and help users access resources without being able to change critical company policies, the IT manager assigns the ‘Helpdesk Administrator’ built-in role to the new team member through RBAC in Microsoft Entra ID. This setup ensures that permissions strictly match job requirements and keeps the system secure.



Describe identity protection and governance capabilities of Microsoft Entra


Describe Microsoft Entra ID Governance

  • Microsoft Entra ID Governance helps organizations control who can access which resources, ensuring that only the right people have the right permissions for sensitive data and applications.
  • It automates identity and access processes—such as creating, updating, or removing user accounts when employees join or leave—so permissions stay up to date and security risks are minimized.
  • Entra ID Governance enables regular reviews of user access and activity, making it easier to detect and remove unnecessary or risky access, and helps meet compliance requirements through detailed auditing and reporting.

Example: Imagine a company where employees need access to different business apps based on their roles. When someone gets promoted, Microsoft Entra ID Governance automatically updates their access, ensuring they gain new permissions for their job but lose access they no longer need from their previous role.

Use Case: An IT team in a small business uses Microsoft Entra ID Governance to automatically deactivate former employees’ accounts and remove their access to company files, reducing the risk of unauthorized access and simplifying user management as people join, move, or leave the company.



Describe access reviews

  • Access reviews in Microsoft Entra help organizations regularly check and confirm that only the right people have access to resources like groups, applications, or roles. This helps reduce the risk of unauthorized access.
  • Access reviews can be set up to have users review their own access, or have designated reviewers (like managers or administrators) check the access of others. Reviewers receive email notifications prompting them to complete the review.
  • When an access review is finished, the organization’s administrators can remove access from users who no longer need it. This keeps resources secure by ensuring that permissions are kept up-to-date and only active users retain access.

Example: An IT company has a Microsoft 365 group for a project that ended months ago. The company starts an access review using Microsoft Entra, asking project managers to confirm who still needs access. After the review, users who no longer work on the project have their access removed to protect sensitive information.

Use Case: A beginner IT administrator notices that several guest users have access to a company application, but is unsure who still needs it. By creating an access review with Microsoft Entra, the administrator can periodically prompt team leads to verify guest user access and easily remove unnecessary permissions, improving security and compliance.



Describe the capabilities of Microsoft Entra Privileged Identity Management

  • Just-in-time (JIT) privileged access: Microsoft Entra Privileged Identity Management (PIM) allows you to assign temporary administrative permissions only when they are needed. Instead of granting users permanent admin rights, you make them ‘eligible’ to activate privileges for a limited time. This reduces the security risk if an account is compromised.
  • Approval, notifications, and auditing: PIM can be configured so that admin access requires approval from another administrator. It also sends notifications whenever privileged roles are activated and keeps audit logs, making it easy to track who did what and when.
  • Stronger security with multifactor authentication: Before a user can activate a privileged role using PIM, you can require them to use multifactor authentication (MFA). This significantly lowers the risk that an attacker could use a stolen password to gain admin access.
  • Access reviews and role management: PIM helps you regularly review who has privileged access, so you can remove unnecessary permissions. This supports the ‘principle of least privilege,’ ensuring users have only the access they need.
  • Protection for critical admin roles: PIM prevents you from accidentally removing the last active Global Administrator or Privileged Role Administrator, helping avoid being locked out of vital administrative access.

Example: Imagine your IT helpdesk team needs to reset user passwords but doesn’t need admin rights all the time. With PIM, you make them ‘eligible’ for the Password Administrator role. When someone needs to help a user, they can request access and receive it only for a short period. Afterward, their admin permissions are removed automatically.

Use Case: A small IT company uses Microsoft Entra PIM to manage its cloud administrators. Instead of giving permanent admin access, IT managers set team members as ‘eligible admins.’ When a server update is required, a technician activates their admin role just for the duration of the maintenance window. This way, the risk from long-term admin privileges is minimized, and the company can see exactly who made changes and when, helping with compliance and security auditing.



Describe Microsoft Entra ID Protection

  • Microsoft Entra ID Protection is a cloud-based tool that helps organizations automatically detect and protect against identity risks, like compromised accounts or suspicious sign-ins.
  • It uses machine learning and data from trillions of signals to analyze user activity, detect vulnerabilities, and classify risks for users, sign-ins, and workload identities in real time.
  • Admins can set up automated responses, such as requiring multifactor authentication (MFA), blocking risky sign-ins, or forcing password resets, making protection easy and less reliant on manual actions.
  • The system provides easy-to-understand reports and alerts, helping IT teams investigate incidents quickly and take corrective action to secure user accounts.
  • Deployment is straightforward: once licensed, features are enabled for all users in the organization, and admins can further tailor protection using risk policies and conditional access rules.

Example: A company employee tries to sign in from an unusual location, such as a different country than they usually work from. Microsoft Entra ID Protection detects this abnormal sign-in, automatically flags it as risky, and requires the employee to complete multifactor authentication before granting access.

Use Case: An IT administrator at a mid-sized tech firm receives an alert that a user account has been flagged for leaked credentials. Using Entra ID Protection, they see details of the incident and configure the system to automatically require a password reset for any account detected with leaked credentials, ensuring the threat is remediated quickly without manual intervention.



Describe Microsoft Entra Permissions Management

  • Microsoft Entra Permissions Management is a tool that helps organizations see and control who has access to resources in their cloud environments, including Azure, AWS, and Google Cloud Platform.
  • It improves security by automatically detecting users or programs with more permissions than they actually need (called ‘over-privileged identities’) and can reduce unnecessary access to lower the risk of security breaches.
  • Permissions Management makes it easier to manage and monitor access across different cloud providers, helping IT teams ensure that permissions are up-to-date, only given as needed, and aligned with the principle of least privilege.

Example: Imagine an IT team at a company uses Azure, AWS, and GCP for different projects. Over time, many employees and services get permissions added—sometimes more than needed. With Microsoft Entra Permissions Management, the team can quickly see a list of people and services with overly broad access. The tool can suggest and make changes to ensure each person only has the permissions they need, helping the company stay safe and organized.

Use Case: A small IT department uses Permissions Management to regularly review permissions for staff and automated workloads. They discover that several temporary contractors still have active permissions long after their project ended. By using Permissions Management, the team automatically removes unused permissions, reducing the company’s exposure to security risks and improving compliance with data protection policies.



Describe the capabilities of Microsoft security solutions (35–40%)


Describe core infrastructure security services in Azure


Describe Azure distributed denial-of-service (DDoS) Protection

  • Azure DDoS Protection is a security service that automatically detects and mitigates distributed denial-of-service (DDoS) attacks targeting applications and resources hosted in Azure. It works by monitoring traffic 24/7 and instantly applying countermeasures when unusual or malicious traffic is detected.
  • The service is easy to enable on any new or existing virtual network in Azure, with no need for changes to your applications or resources. Once enabled, it continuously protects all exposed resources, such as virtual machines, web apps, and databases, against a wide range of attack types.
  • Azure DDoS Protection offers both network-level (Layer 3/4) and, when used with a Web Application Firewall, application-level (Layer 7) protection. It automatically adapts to your application’s normal traffic patterns, ensuring that only genuine threats trigger a response.
  • Users receive detailed attack reports and real-time alerts when attacks occur, allowing for better visibility and quicker response. Azure also provides a cost guarantee and access to a Rapid Response team to help with investigation and recovery during major attacks.

Example: Imagine an organization hosting a public website on Azure. One day, attackers flood the website with fake traffic, trying to overwhelm the site’s resources and make it unavailable to real visitors. With Azure DDoS Protection enabled, Azure automatically spots the unusual traffic surge and blocks the fake requests, letting real users continue to access the website without interruption.

Use Case: A small IT company sets up a virtual machine in Azure to host their business website and enable remote access for employees. To ensure their site stays up and available even if targeted by a DDoS attack, they enable Azure DDoS Protection on their virtual network. This gives them peace of mind, knowing that attacks will be automatically detected, blocked, and reported, with no extra configuration needed.



Describe Azure Firewall

  • Azure Firewall is a cloud-based, fully managed network security service designed to protect your Azure resources. It lets you centrally create and enforce security policies across multiple Azure subscriptions and virtual networks.
  • It acts as a barrier between your cloud resources and potential threats from the internet or other networks by filtering both incoming and outgoing network traffic based on customizable rules. These rules can control traffic by IP address, port, protocol, or application.
  • Azure Firewall is fully stateful, which means it can track and manage sessions over time, ensuring only legitimate and expected connections are allowed. It includes features like network and application filtering, support for FQDN and service tags, and threat intelligence to block known dangerous IPs or domains.

Example: Imagine a company that hosts its website and databases on Azure. By implementing Azure Firewall, they can enforce rules that only allow web traffic (like HTTP and HTTPS) to their web servers and block all other traffic. This helps prevent unauthorized access, so hackers cannot connect to their databases directly from the internet.

Use Case: A small IT firm sets up Azure Firewall to automatically block network traffic from known malicious IP addresses by leveraging threat intelligence feeds. This allows them to safeguard their cloud-based services from cyberattacks without manually updating security rules, making their environment much safer with little effort.



Describe Web Application Firewall (WAF)

  • A Web Application Firewall (WAF) is a security service that protects web applications from common threats and vulnerabilities like SQL injection and cross-site scripting (XSS). It acts as a shield between the internet and your web application, watching and filtering incoming and outgoing web traffic.
  • Azure WAF works by using security rules and policies to monitor HTTP requests and responses. It can automatically block or allow certain types of traffic based on these rules, helping to stop attacks before they reach your application.
  • WAF in Azure can be deployed with services like Application Gateway and Front Door. This allows you to manage security centrally for multiple web applications and take advantage of features like bot protection, custom security rules, and real-time monitoring of security events.
  • Using Azure WAF means you don’t have to constantly change or update your application’s code to defend against new threats; instead, you update rules and policies centrally. This makes maintaining security much simpler and more efficient.
  • Azure WAF is especially useful for anyone hosting web apps on Azure, as it easily integrates with other Azure services, provides easy logging and monitoring, and offers protection against the latest threats recognized by organizations such as OWASP.

Example: Imagine you have an online store hosted on Azure. A hacker tries to steal customer data using a technique called SQL injection. With Azure WAF in place, the firewall detects the attack and automatically blocks the malicious request, keeping your customers’ data safe without you needing to change anything in your website’s code.

Use Case: A small IT company hosts several client websites on Azure Application Gateway. By enabling Azure Web Application Firewall, they protect all their clients’ sites centrally against common web attacks, reduce maintenance costs, and have easy access to logs showing attempted security breaches. This setup also lets them create custom rules for specific clients without needing separate security tools for each website.



Describe network segmentation with Azure virtual networks

  • Network segmentation in Azure involves dividing your virtual network (VNet) into smaller sections called subnets. Each subnet can contain different types of resources, such as virtual machines (VMs) or databases, helping to organize and secure your infrastructure.
  • By using Azure Network Security Groups (NSGs), you can control which resources are allowed to communicate between subnets. NSGs let you create rules to allow or deny traffic based on IP addresses, ports, and protocols—reducing risks and preventing unauthorized access.
  • Segmenting your network helps apply the principle of least privilege and Zero Trust security. In practice, this means only letting the necessary resources communicate with each other, minimizing the chances of a security breach spreading across your environment.

Example: Imagine an IT department building an app on Azure. They set up a VNet and create two subnets—one for front-end web servers, and another for a backend database server. Using NSGs, only the web server subnet can talk to the database subnet on a specific port; other traffic is blocked. This setup ensures that even if a web server gets hacked, the attacker cannot easily access sensitive data on the backend.

Use Case: A small business creates separate subnets for its HR and Finance departments within a single Azure VNet. With network segmentation and NSGs, HR can access its applications and files, but has no network access to Finance resources, and vice versa. This prevents accidental data leaks and makes the network easier to manage securely.



Describe network security groups (NSGs)

  • Network Security Groups (NSGs) are the basic traffic filter in Azure virtual networks. An NSG allows or denies inbound and outbound traffic to resources such as virtual machines (VMs) or whole subnets, based on security rules you define.
  • An NSG can be associated with a subnet, with an individual network interface, or both. When both are present, both are evaluated: for inbound traffic the subnet NSG is checked first and then the NIC NSG, and for outbound traffic the order is reversed. Traffic must be allowed by both to pass, so a rule on one NSG never opens something the other NSG denies.
  • Each rule specifies a name, priority, direction (inbound or outbound), protocol (TCP, UDP, ICMP or any), source and destination (an IP address, CIDR range, service tag such as Internet or VirtualNetwork, or application security group), source and destination port ranges, and an access type (allow or deny). Custom rules use priorities 100 to 4096; a lower number means higher priority. Rules are evaluated in ascending priority order and the first match decides, so no later rule is considered.
  • Every NSG contains six default rules at priorities 65000 to 65500 that cannot be deleted: inbound, they allow traffic from within the virtual network (AllowVnetInBound) and from the Azure load balancer, then deny everything else (DenyAllInBound); outbound, they allow traffic to the virtual network and to the internet, then deny everything else. Because custom rules always have lower numbers, any custom rule overrides the defaults; for example, an explicit deny on the VirtualNetwork tag takes precedence over AllowVnetInBound.

Example: Imagine you have a virtual machine in Azure that runs a web app. You attach an NSG that allows inbound TCP 80 (HTTP) and 443 (HTTPS) from the Internet service tag and nothing else; every other inbound packet falls through to the default DenyAllInBound rule. Only the web listener is reachable from the internet, not management ports or any other service running on the VM.

Use Case: An IT beginner deploying their first Windows virtual machine in Azure can use an NSG to restrict inbound management access. For instance, they allow remote desktop connections (TCP 3389) only from their office's public IP address and leave everything else to the default deny rule, so internet-wide RDP scanning never reaches the VM. Even this narrow rule still exposes RDP on a public IP; Azure Bastion (described next) removes that need entirely by keeping the VM on private addresses only.
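The two passages above (segmentation with subnets, and NSG rule evaluation) both come down to one mechanism: rules sorted by priority, first match wins, and Azure's default rules sitting behind everything you add. The following Python model is an added example written for this page, not Azure's own code: it reproduces the documented evaluation order and the real default inbound rules, but the 10.0.0.0/16 VNet, the subnet and office addresses, and the rule names are assumptions, source ports are ignored, and the Internet service tag is simplified to "any address outside the VNet".

```python
import ipaddress

# Constructed toy VNet. Azure's VirtualNetwork tag covers the VNet address space
# (plus peered networks and on-premises routes, ignored here).
VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]
AZURE_LOAD_BALANCER = "168.63.129.16"   # Azure's health-probe source address


def address_matches(spec, ip):
    """Match a rule's source/destination: '*', a service tag, or an IP/CIDR."""
    addr = ipaddress.ip_address(ip)
    in_vnet = any(addr in net for net in VNET_PREFIXES)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "Internet":          # simplification: everything outside the VNet
        return not in_vnet
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LOAD_BALANCER
    return addr in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """Match '*', '443', a range '80-81', or a comma-separated list of those."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule(name, priority, access, src, dst_port, protocol="Tcp", dst="*"):
    """One inbound NSG rule (source port is '*' in practice and omitted here)."""
    return {"name": name, "priority": priority, "access": access, "src": src,
            "dst": dst, "dst_port": dst_port, "protocol": protocol}


# Azure's built-in inbound default rules: present in every NSG, cannot be deleted,
# and always evaluated after your custom rules (priorities 100-4096).
DEFAULT_INBOUND = [
    rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*", "*", "VirtualNetwork"),
    rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*", "*"),
    rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def evaluate(custom_rules, src_ip, dst_ip, dst_port, protocol="Tcp"):
    """Lowest priority number wins; the first matching rule decides and evaluation stops."""
    for r in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if r["protocol"] not in ("*", protocol):
            continue
        if not (address_matches(r["src"], src_ip) and address_matches(r["dst"], dst_ip)):
            continue
        if not port_matches(r["dst_port"], dst_port):
            continue
        return r["access"], r["name"]
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


# NSG on the web subnet (10.0.1.0/24): public web ports plus RDP from one office address.
WEB_NSG = [
    rule("AllowHttpsFromInternet", 100, "Allow", "Internet", "443"),
    rule("AllowHttpFromInternet", 110, "Allow", "Internet", "80"),
    rule("AllowRdpFromOffice", 200, "Allow", "203.0.113.10/32", "3389"),
]

# NSG on the database subnet (10.0.3.0/24): SQL from the web subnet only, SSH only from
# the Bastion subnet, then an explicit VNet deny that beats the default AllowVnetInBound.
DB_NSG = [
    rule("AllowSqlFromWebSubnet", 100, "Allow", "10.0.1.0/24", "1433"),
    rule("AllowSshFromBastion", 110, "Allow", "10.0.255.0/26", "22"),
    rule("DenyVnetInBound", 4000, "Deny", "VirtualNetwork", "*", "*"),
]


if __name__ == "__main__":
    # Without the explicit deny, the HR subnet (10.0.2.0/24) reaches the database:
    # separate subnets alone are not isolation.
    print(evaluate([], "10.0.2.9", "10.0.3.5", 1433))      # ('Allow', 'AllowVnetInBound')
    print(evaluate(DB_NSG, "10.0.2.9", "10.0.3.5", 1433))  # ('Deny', 'DenyVnetInBound')
```

The last two calls are the point of the model: with only the default rules, an HR workstation can reach the database server over the VNet, and only the custom DenyVnetInBound rule at priority 4000 changes the verdict. Real NSGs also have an outbound rule set evaluated the same way, and when a NIC NSG is present both NSGs must allow the packet.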

For more information see these links:


Describe Azure Bastion

  • Azure Bastion is a fully managed platform service that provides RDP and SSH connectivity to your virtual machines (VMs) over TLS, without giving those VMs public IP addresses or exposing ports 3389 or 22 to the internet.
  • You connect through the Azure portal (an HTML5 session in the browser) or, with the Standard SKU or higher, from the native RDP and SSH clients on your computer; in both cases Bastion reaches the VM over its private IP address inside the virtual network. Bastion itself has a public IP, reachable only on port 443; the VMs behind it need none, and no agent or special software is installed on them.
  • Azure Bastion reduces the attack surface by removing RDP and SSH from the internet entirely, so port scanners, brute-force tools and unpatched RDP vulnerabilities never reach the VM directly.
  • To set it up, deploy Bastion into the virtual network in a dedicated subnet named exactly AzureBastionSubnet (at least a /26), then open a VM in the portal and choose Bastion under Connect. The NSG protecting the VM subnet still needs to allow inbound 3389 or 22 from the AzureBastionSubnet address range (or the VirtualNetwork tag) for the session to reach the VM.
  • Because it is platform as a service (PaaS), Microsoft patches and hardens the Bastion host for you, so you do not need to maintain jump servers or extra security appliances. Who may connect is controlled by Azure RBAC: a user needs Reader access on the VM, its network interface and the Bastion resource, plus valid credentials for the VM itself.

Example: Imagine you’re an IT administrator who needs to manage virtual machines in Azure for your company. Instead of having to assign public IP addresses to your VMs and expose management ports to the internet (which can be risky), you use Azure Bastion. This lets you log into your VMs securely via the Azure portal, using only private network connections.

Use Case: A small business runs several Windows and Linux VMs in Azure for web hosting and internal applications. Their IT staff needs to perform updates and troubleshooting on these VMs. By deploying Azure Bastion, they provide secure RDP and SSH access for administrators without opening any public ports, reducing the risk of cyberattacks on their cloud resources.

For more information see these links:


Describe Azure Key Vault

  • Azure Key Vault is a cloud service that stores and manages secrets (passwords, connection strings, API keys), cryptographic keys and certificates. Applications fetch these values at runtime instead of carrying them in source code, configuration files or container images, which is where leaked credentials most often come from.
  • Access is controlled at two levels: Azure RBAC on the vault resource itself (the management plane) and, for the secrets, keys and certificates inside it, either Azure RBAC roles such as Key Vault Secrets User or the older vault access policies (the data plane). Applications running in Azure should authenticate with a managed identity, so no stored credential is needed to retrieve the credential. Every read of a secret can be logged to Azure Monitor for auditing.
  • Key Vault streamlines creating, importing, rotating and expiring keys and certificates. Keys can be software-protected or, in the Premium tier, held in hardware security modules (HSMs); either way the private key material never leaves the vault, and cryptographic operations are performed inside it. Soft delete (on by default) and purge protection keep a deleted vault or key recoverable, which matters because losing a key can make the data it encrypts unrecoverable.

Example: A company develops a web application that connects to a database. Instead of saving the database password in the app or its configuration file, they store it as a secret in Azure Key Vault. The app's configuration holds only the secret's URI; at startup the app authenticates with its managed identity and retrieves the password over TLS. The password never appears in source control, build logs or the deployed configuration, and rotating it means updating one secret in the vault rather than redeploying the app.

Use Case: An IT administrator in a small business uses Azure Key Vault to store API keys and certificates for different cloud apps. They create a separate vault per environment (development, testing, production) and assign the Key Vault Secrets User role on each vault only to the developers and workloads that belong to that environment, so a developer with access to the development vault cannot read production credentials. Diagnostic logging on the production vault records every secret access for review.

For more information see these links:


Describe security management capabilities of Azure


Describe Microsoft Defender for Cloud

  • Microsoft Defender for Cloud is a cloud-native application protection platform (CNAPP) that helps organizations secure their resources in Azure, in other clouds such as AWS and Google Cloud Platform (GCP) through connectors, and on-premises or multicloud servers onboarded through Azure Arc.
  • Its Cloud Security Posture Management (CSPM) capability continuously assesses your resources against the Microsoft cloud security benchmark and produces recommendations that describe the misconfiguration, the risk it creates, and the steps (often a one-click Fix) to resolve it.
  • Defender for Cloud summarizes that assessment as a secure score, a percentage based on which security controls are satisfied across your subscriptions. Remediating recommendations raises the score; a rising score means fewer known misconfigurations, not that the environment is free of threats.
  • A single dashboard covers all connected clouds, so the same recommendations, policies and alerts apply consistently to Azure, AWS and GCP resources.
  • Two kinds of plans exist. Foundational CSPM is free and includes the secure score, recommendations and the benchmark assessment; Defender CSPM is paid and adds attack path analysis, the cloud security explorer, agentless scanning and governance rules. Separately, the paid cloud workload protection plans (Defender for Servers, Storage, SQL, Containers, App Service, Key Vault and others) add threat detection for specific resource types.

Example: Imagine a small IT company hosting applications in Azure and AWS. Using Microsoft Defender for Cloud, they can see all their cloud resources in one dashboard, receive alerts for potential security issues, and get recommendations on how to fix them. For example, if a storage account is publicly accessible and should not be, Defender for Cloud will flag this and guide the team to make it secure.

Use Case: A novice IT administrator in a business uses Microsoft Defender for Cloud to monitor their Azure subscriptions. They regularly check the secure score and follow step-by-step recommendations from Defender for Cloud, such as turning on encryption or restricting network access, to make sure their company’s data and applications in the cloud remain protected and compliant.

For more information see these links:


Describe Cloud Security Posture Management (CSPM)

  • Cloud Security Posture Management (CSPM) is a set of tools and practices designed to monitor and improve the security configuration of cloud environments, like Azure, AWS, and GCP. CSPM helps ensure resources are set up securely and in line with industry standards.
  • CSPM continually checks your cloud services and assets for misconfigurations or vulnerabilities. If issues are found, it gives actionable recommendations to fix them. This helps organizations reduce risk and stay compliant with security benchmarks.
  • In Microsoft Defender for Cloud, CSPM findings roll up into a secure score, a percentage that reflects how many security controls from the Microsoft cloud security benchmark are satisfied. Fixing recommended issues raises the score and gives a measurable view of progress in your security posture.
  • CSPM works across multiple cloud providers, not just Azure, so you can get a unified view of your cloud security, identify weaknesses, and strengthen the configuration of all assets from a single place.
  • In Defender for Cloud, the Foundational CSPM plan is free and provides the benchmark assessment, recommendations and secure score, while the paid Defender CSPM plan adds attack path analysis, the cloud security explorer, agentless vulnerability scanning and additional regulatory compliance standards.

Example: A small company migrates its website to Azure. The IT admin enables CSPM through Microsoft Defender for Cloud. The tool scans the cloud setup and finds that their database is publicly accessible and not encrypted. Defender for Cloud recommends restricting access and enabling encryption. The admin follows the step-by-step guidance to fix these issues, immediately improving the company’s secure score and lowering their risk.

Use Case: An IT support specialist new to Azure uses CSPM to regularly review the cloud dashboard. When the secure score drops, they check the recommendations, such as enabling multi-factor authentication or updating firewall rules. By following these recommendations, they keep the environment’s security up to date and easily report to managers on the security status.

For more information see these links:


Describe how security policies and initiatives improve the cloud security posture

  • In Azure, a security policy is an Azure Policy definition: a rule that evaluates a resource's configuration (for example, "storage accounts must require secure transfer") and applies an effect such as audit (report non-compliance), deny (block the deployment) or deployIfNotExists (add the missing configuration). Policies turn written standards into checks that run on every resource, reducing accidental misconfiguration and supporting compliance requirements.
  • An initiative (also called a policy set) groups related definitions so they can be assigned and tracked together. Microsoft Defender for Cloud assigns the Microsoft cloud security benchmark initiative to subscriptions by default; the recommendations it raises, and the secure score built from them, come from that initiative, and regulatory standards such as ISO 27001 or PCI DSS can be added as further initiatives.
  • Assigning policies at subscription or management group scope enforces standards continuously and automatically as resources are created and changed, replacing manual reviews with compliance data and, where the deny effect is used, preventing non-compliant resources from being deployed at all.

Example: A company assigns the Microsoft cloud security benchmark initiative through Microsoft Defender for Cloud, which continuously evaluates their Azure resources against it and flags gaps such as a storage account open to public network access, a VM without disk encryption, or a privileged account without MFA. Each finding lists the affected resources and the remediation steps, so the team can fix issues as they appear and watch the secure score reflect the change.

Use Case: An IT team at a small business assigns an Azure Policy definition that requires secure transfer (HTTPS only) on all storage accounts in the subscription, with the deny effect. Whenever someone attempts to create a storage account that allows unencrypted HTTP, the deployment is rejected before the resource exists; with the audit effect instead, the account would be created but marked non-compliant on the compliance dashboard. Either way the standard is enforced without constant manual checks. (Azure Storage always encrypts data at rest and this cannot be switched off, so the policies that matter here govern transport security and network access, not encryption at rest.)
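To make the policy-definition, initiative and effect terms concrete, here is a small evaluator for the if/then structure that Azure Policy definitions use. It is an added example written for this page, not Azure's engine: the two definitions are hypothetical (their names are ours, though the field aliases are the real ones for storage accounts), the evaluator handles only a handful of conditions, and the resource documents are constructed.

```python
# Toy evaluator for the policyRule structure used by Azure Policy definitions.
# Constructed illustration: Azure's engine resolves aliases from resource provider
# schemas and supports many more conditions and effects than shown here.

def resolve_field(resource, field):
    """Return the value a 'field' refers to: a top-level property (type, name, location)
    or an alias such as 'Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly',
    which maps onto properties.supportsHttpsTrafficOnly of a storage account."""
    if field in ("type", "name", "location"):
        return resource.get(field)
    prefix = resource["type"] + "/"
    if not field.startswith(prefix):
        return None                      # alias belongs to a different resource type
    value = resource.get("properties", {})
    for part in field[len(prefix):].split("."):
        if not isinstance(value, dict) or part not in value:
            return None                  # property absent: 'exists' evaluates to false
        value = value[part]
    return value


def norm(value):
    """Azure Policy compares case-insensitively, with booleans as 'true'/'false'."""
    return str(value).lower()


def matches(condition, resource):
    """Evaluate an 'if' block: logical operators recurse, leaf conditions compare a field."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = resolve_field(resource, condition["field"])
    if "equals" in condition:
        return norm(value) == norm(condition["equals"])
    if "notEquals" in condition:
        return norm(value) != norm(condition["notEquals"])
    if "exists" in condition:
        return (value is not None) == (norm(condition["exists"]) == "true")
    if "in" in condition:
        return norm(value) in {norm(v) for v in condition["in"]}
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(definition, resource):
    """A matching 'if' means the resource is non-compliant: return the effect, else None."""
    policy_rule = definition["policyRule"]
    return policy_rule["then"]["effect"] if matches(policy_rule["if"], resource) else None


# Hypothetical definitions shaped like the built-in storage policies (names are ours).
REQUIRE_SECURE_TRANSFER = {
    "name": "deny-storage-without-https",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"anyOf": [
                {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "exists": "false"},
                {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": "false"},
            ]},
        ]},
        "then": {"effect": "deny"},      # deny: the deployment is rejected
    },
}
AUDIT_MIN_TLS = {
    "name": "audit-storage-tls-below-1-2",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "notEquals": "TLS1_2"},
        ]},
        "then": {"effect": "audit"},     # audit: created, but reported as non-compliant
    },
}
# An initiative (policy set): definitions assigned and tracked as one unit.
STORAGE_BASELINE = [REQUIRE_SECURE_TRANSFER, AUDIT_MIN_TLS]


def evaluate_initiative(initiative, resource):
    """Run every definition in the initiative against one resource document."""
    effects = {d["name"]: evaluate(d, resource) for d in initiative}
    return {"blocked": "deny" in effects.values(),
            "non_compliant": [name for name, effect in effects.items() if effect]}


# Constructed resource documents as they would arrive at Azure Resource Manager.
LEGACY_ACCOUNT = {"type": "Microsoft.Storage/storageAccounts", "name": "hrfiles01", "location": "uksouth",
                  "properties": {"supportsHttpsTrafficOnly": False, "minimumTlsVersion": "TLS1_0"}}
HARDENED_ACCOUNT = {"type": "Microsoft.Storage/storageAccounts", "name": "hrfiles02", "location": "uksouth",
                    "properties": {"supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2"}}
```

Evaluating LEGACY_ACCOUNT against STORAGE_BASELINE returns blocked=True with both definitions non-compliant, while HARDENED_ACCOUNT passes cleanly; a storage account that only has the weak TLS setting is created but reported, which is exactly the difference between the deny and audit effects. Note the "exists": "false" branch: a deployment that omits the property altogether is also denied, which is why the built-in policies check for absence and not only for an explicit false.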

For more information see these links:


Describe enhanced security features provided by cloud workload protection

  • Continuous Threat Detection: the Defender for Cloud workload protection plans (Defender for Servers, Storage, SQL, Containers, App Service, Key Vault and others) monitor the runtime behaviour of those resources and raise alerts for activity that matches Microsoft's threat intelligence or deviates from the resource's baseline, such as a VM downloading a known malicious file, a malware upload to a storage account, or an anomalous login to a database.
  • Automated Security Recommendations: each plan contributes workload-specific recommendations (for example, enabling endpoint protection on a server or auditing on a SQL database) that guide users to the right settings without requiring deep security expertise.
  • Just-in-Time (JIT) VM Access and Adaptive Network Hardening: JIT, part of Defender for Servers, keeps management ports closed in the NSG and opens them only for an approved user, source address and time window. Adaptive network hardening analyses actual traffic patterns and recommends tightening NSG rules to only the flows observed.
  • Centralized Alerts and Incident Response: alerts carry a severity, the MITRE ATT&CK tactic, the affected resource and suggested response steps, and can be forwarded to Microsoft Sentinel or the Microsoft Defender portal so security teams can triage everything in one place.
  • Vulnerability Assessment: through Microsoft Defender Vulnerability Management, Defender for Servers and Defender for Containers continuously scan installed software and container images for known CVEs and missing patches and report them as prioritized recommendations, so exploitable weaknesses are found before attackers use them.

Example: A company hosts its customer database on Azure SQL. Microsoft Defender for SQL detects a login to the database from an unusual location and raises an alert that names the principal, the source IP address and the tactic. The alert's recommended actions include verifying the login with the user, restricting the server firewall to known addresses, and moving administrative access to Entra ID authentication protected by MFA.

Use Case: An IT administrator at a small business uses Microsoft Defender for Cloud to monitor their cloud-hosted files and servers. When the platform detects a possible ransomware attack on one of their virtual machines, it immediately sends an alert and provides guidance on how to isolate the affected server and check for vulnerable configurations, empowering the administrator to respond promptly and limit damage.

For more information see these links:


Describe capabilities of Microsoft Sentinel


Define the concepts of security information and event management (SIEM) and security orchestration automated response (SOAR)

  • Security Information and Event Management (SIEM) is a technology that collects, normalizes and stores security data from many sources (devices, servers, identity providers, cloud services, applications) and analyzes it to detect and investigate threats. Microsoft Sentinel is a cloud-native SIEM built on a Log Analytics workspace: data connectors ingest logs, and analytics rules written in Kusto Query Language (KQL) run over them.
  • SIEM tools such as Sentinel correlate events across sources, so a pattern that is invisible in any single log (a burst of failed sign-ins, then a success, then an unusual download) surfaces as an alert, and related alerts are grouped into incidents for investigation.
  • Security Orchestration, Automation, and Response (SOAR) automates routine response actions. In Sentinel, SOAR takes two forms: automation rules, which run when an incident is created or updated and can change its severity, assign an owner or trigger a playbook; and playbooks, which are Azure Logic Apps workflows that can, for example, disable a user, isolate a device through Defender for Endpoint, block an IP address or open a ticket.
  • Combining SIEM and SOAR in Sentinel means an organization can detect, investigate and respond from one place, and have the common, well-understood responses happen within seconds of detection rather than waiting for an analyst.
  • Automation frees security staff to focus on complex investigations. One caveat: automated containment belongs on high-confidence detections only, since a noisy rule wired to a "disable account" playbook can lock out legitimate users.

Example: Imagine an IT company uses Microsoft Sentinel to monitor login activity across all their computers. If Sentinel notices someone trying to log in from an unusual location (like a different country), it can automatically trigger an alert and run a playbook to temporarily block that user’s access and notify the security team, all without manual intervention.

Use Case: A novice IT administrator sets up Microsoft Sentinel for their small business. They configure Sentinel to collect logins and activity from company laptops, email, and cloud services. With SOAR playbooks, if a new alert for potential malware is detected on any device, Sentinel automatically isolates the affected device from the network, reducing the chance of the infection spreading, and sends a detailed report to the admin. This rapid, automated response helps keep the business secure, even when the admin isn’t available.

For more information see these links:


Describe threat detection and mitigation capabilities in Microsoft Sentinel

  • Microsoft Sentinel detects threats with several types of analytics rules: scheduled rules that run a KQL query on an interval, near-real-time rules, Microsoft security rules that import alerts from Defender products, anomaly rules built on machine learning, and the Fusion engine, which correlates low-fidelity signals from multiple sources into high-confidence multistage attack incidents.
  • Data arrives through connectors for Microsoft services (Entra ID sign-in logs, Defender XDR, Azure activity), third-party products, and generic Syslog or CEF feeds. Alerts generated by the rules are grouped into incidents that carry the entities involved (accounts, hosts, IP addresses), so analysts see one investigation rather than dozens of separate alerts.
  • Built-in and imported threat intelligence (indicators of compromise from TAXII feeds or the Microsoft Defender Threat Intelligence connector) can be matched against incoming logs, and every rule template can be tuned or cloned. Automated response (automation rules and playbooks) can be attached to a rule so mitigation starts as soon as the incident is created.
  • Workbooks provide interactive dashboards over the same data, and the investigation graph on an incident shows how entities and alerts relate, which helps newer analysts follow an attack chain.
  • Watchlists let teams bring in their own reference data (high-value assets, service accounts, departed employees, known office IP ranges) and reference it from queries, so detections can be tailored, for example flagging any sign-in by a user on the departed-employees list.

Example: Imagine an IT team at a small company detects repeated failed logins from a country where none of their employees are located. Microsoft Sentinel automatically flags this unusual activity, creates an incident, and the security team can use Sentinel’s dashboard to review related alerts, enabling them to block the suspicious IP address and prevent a possible breach.

Use Case: An IT administrator at a managed services provider uses Microsoft Sentinel to monitor customer environments. A scheduled analytics rule flags a large volume of file deletions initiated by an account that a watchlist marks as belonging to a recently terminated employee. The admin receives the incident, reviews the entities and timeline on the incident page, and triggers a playbook that disables the account and revokes its sessions, stopping further deletions while the affected data is restored from backup.
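The SIEM/SOAR passage and the threat-detection passage above describe one pipeline: a scheduled rule runs over sign-in logs, its alerts are grouped into incidents with entities, and an automation rule decides whether a playbook runs. The following Python is an added example written for this page that walks through that pipeline offline; it is not Sentinel code (a real rule would be a KQL query over the SigninLogs table and the playbook a Logic App). The log records, the expected-countries watchlist, the thresholds, the user names and the 203.0.113.0/24 and 198.51.100.0/24 addresses are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Watchlist stand-in: countries the company's staff sign in from.
EXPECTED_COUNTRIES = {"GB", "IE"}
WINDOW = timedelta(minutes=10)
FAIL_THRESHOLD = 5
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def signin(ts, user, ip, country, result):
    """One constructed record shaped like Sentinel's SigninLogs table ('0' = success)."""
    return {"TimeGenerated": ts, "UserPrincipalName": user, "IPAddress": ip,
            "Location": country, "ResultType": result}


SIGNIN_LOGS = (
    # alice: six failures in under three minutes from an unexpected country, then a success
    [signin(f"2024-05-01T09:00:{s:02d}Z", "alice@contoso.example", "203.0.113.45", "BR", "50126")
     for s in (0, 20, 41)]
    + [signin(f"2024-05-01T09:01:{s:02d}Z", "alice@contoso.example", "203.0.113.45", "BR", "50126")
       for s in (3, 25, 48)]
    + [signin("2024-05-01T09:03:10Z", "alice@contoso.example", "203.0.113.45", "BR", "0")]
    # carol: five failures spread over eight minutes, no success
    + [signin(f"2024-05-01T10:0{m}:00Z", "carol@contoso.example", "198.51.100.200", "BR", "50126")
       for m in range(0, 9, 2)]
    # dave: forgotten password at the office, expected country; not this rule's business
    + [signin(f"2024-05-01T11:00:{s:02d}Z", "dave@contoso.example", "203.0.113.10", "GB", "50126")
       for s in range(0, 35, 5)]
    + [signin("2024-05-01T11:01:00Z", "dave@contoso.example", "203.0.113.10", "GB", "0")]
)


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_signin_burst_unexpected_country(logs):
    """Scheduled analytics rule: >= FAIL_THRESHOLD failed sign-ins for one user from one IP
    outside EXPECTED_COUNTRIES within WINDOW. A success from the same IP after the burst
    began means the credential is probably valid, so severity is raised to High."""
    by_key = defaultdict(list)
    for event in sorted(logs, key=lambda e: e["TimeGenerated"]):
        if event["Location"] not in EXPECTED_COUNTRIES:
            by_key[(event["UserPrincipalName"], event["IPAddress"])].append(event)
    alerts = []
    for (user, ip), events in by_key.items():
        failures = [e for e in events if e["ResultType"] != "0"]
        successes = [parse_time(e["TimeGenerated"]) for e in events if e["ResultType"] == "0"]
        for i, first in enumerate(failures):
            start = parse_time(first["TimeGenerated"])
            burst = [f for f in failures[i:] if parse_time(f["TimeGenerated"]) <= start + WINDOW]
            if len(burst) < FAIL_THRESHOLD:
                continue
            compromised = any(t > start for t in successes)
            alerts.append({"rule": "Sign-in burst from unexpected country", "user": user, "ip": ip,
                           "country": first["Location"], "failures": len(burst),
                           "severity": "High" if compromised else "Medium"})
            break                          # one alert per user/IP pair per run
    return alerts


def group_into_incidents(alerts):
    """Sentinel groups related alerts into an incident on shared entities (here the account)."""
    incidents = {}
    for alert in alerts:
        inc = incidents.setdefault(alert["user"], {
            "title": f"Suspicious sign-in activity for {alert['user']}", "severity": "Informational",
            "alerts": [], "entities": {"accounts": {alert["user"]}, "ips": set()}})
        inc["alerts"].append(alert)
        inc["entities"]["ips"].add(alert["ip"])
        if SEVERITY_RANK[alert["severity"]] > SEVERITY_RANK[inc["severity"]]:
            inc["severity"] = alert["severity"]
    return list(incidents.values())


def containment_playbook(incident):
    """Playbook stand-in for a Logic App: disable the account, block the IP, page the SOC."""
    actions = [f"disable_user:{a}" for a in sorted(incident["entities"]["accounts"])]
    actions += [f"block_ip:{ip}" for ip in sorted(incident["entities"]["ips"])]
    actions.append("notify_soc")
    return actions


def automation_rule(incidents):
    """Automation rule: only High incidents get automatic containment; the rest go to an analyst."""
    return {inc["title"]: containment_playbook(inc) if inc["severity"] == "High" else ["assign_to_analyst"]
            for inc in incidents}


def run_pipeline(logs=SIGNIN_LOGS):
    return automation_rule(group_into_incidents(detect_signin_burst_unexpected_country(logs)))
```

Running run_pipeline() produces two incidents: alice's is High because a success followed the failures from the same address, so the playbook disables the account and blocks 203.0.113.45; carol's burst never succeeded, so it stays Medium and is queued for an analyst rather than auto-contained. Dave's seven failures from the office are ignored by this rule entirely, which is the role the expected-countries watchlist plays: it keeps ordinary forgotten-password noise out of a rule that is wired to a disruptive playbook.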

For more information see these links:


Describe threat protection with Microsoft Defender XDR


Describe Microsoft Defender XDR services

  • Microsoft Defender XDR is Microsoft's extended detection and response platform. It unifies the signals and response actions of the individual Defender products so that an attack spanning an endpoint, a mailbox, an identity and a cloud app is seen and handled as one incident rather than as unrelated alerts.
  • Detection, investigation and response happen in the Microsoft Defender portal (security.microsoft.com), which correlates alerts from all connected products into incidents with a shared timeline and entity graph.
  • The services under Defender XDR are Defender for Endpoint (devices), Defender for Office 365 (email and collaboration), Defender for Identity (on-premises Active Directory, AD FS and AD CS), Defender for Cloud Apps (SaaS applications) and Defender Vulnerability Management; Microsoft Sentinel can be connected to the same portal for SIEM coverage of non-Microsoft sources.
  • Defender XDR uses automated investigation and response (AIR) to triage and remediate alerts, and automatic attack disruption to contain in-progress attacks such as ransomware or business email compromise, for example by isolating a compromised device or disabling a compromised account while the investigation continues.
  • Advanced hunting lets security teams write KQL queries across all connected data sources (up to 30 days of raw data) to find threats proactively, and a query that proves useful can be turned into a custom detection rule that runs on a schedule.

Example: Imagine an employee at a small IT company receives an email with an attachment containing malware. Defender for Office 365 detects the threat and not only blocks the email but, through Defender XDR, communicates with Defender for Endpoint to check if the file has reached any devices and removes it if necessary, stopping the attack from spreading.

Use Case: A novice IT administrator in a managed services provider uses Microsoft Defender XDR to monitor all their company’s endpoints, emails, and cloud apps from one portal. When a suspicious login is detected in Microsoft 365, the system automatically responds by limiting the user’s access and triggering an investigation workflow, greatly reducing the time and effort required for manual response.

For more information see these links:


Describe Microsoft Defender for Office 365

  • Microsoft Defender for Office 365 is a cloud-based security service that protects email and collaboration tools (Exchange Online, Teams, SharePoint and OneDrive) against phishing, malware, malicious links and business email compromise. It builds on Exchange Online Protection, the baseline anti-spam and anti-malware filtering included with every Microsoft 365 mailbox.
  • Its core features are Safe Links (URLs are rewritten and checked at click time, not only at delivery), Safe Attachments (files are detonated in a sandbox before delivery), and anti-phishing policies with impersonation and spoof protection for targeted users and domains.
  • Plan 1 provides these protection features and real-time detections. Plan 2 (included with Microsoft 365 E5) adds Threat Explorer, automated investigation and response, attack simulation training for users, threat trackers and campaign views, which suit organizations that need investigation and response capability rather than prevention alone.
  • Defender for Office 365 stops most malicious messages before delivery, and zero-hour auto purge (ZAP) retroactively quarantines messages that were delivered before a threat was recognized. Alerts and recommendations for detected threats appear in the Microsoft Defender portal.
  • In Zero Trust terms it supports "assume breach": every inbound message and link is treated as untrusted regardless of the sender's apparent identity, and content keeps being re-evaluated after delivery rather than trusting the initial verdict.

Example: A small IT company receives an email with a suspicious attachment that looks like an invoice. Microsoft Defender for Office 365 scans the attachment and finds hidden malware. The email is automatically moved to quarantine before anyone can open it, preventing a potential security breach.

Use Case: A novice IT administrator at a managed service provider uses Microsoft Defender for Office 365 to protect both their company's and their clients' Microsoft 365 users. By applying the built-in Standard preset security policy, they get Microsoft's recommended Safe Links, Safe Attachments and anti-phishing settings without tuning each policy by hand, so phishing emails and malicious attachments are blocked or quarantined automatically and email security stays manageable without advanced expertise.

For more information see these links:


Describe Microsoft Defender for Endpoint

  • Microsoft Defender for Endpoint is an endpoint detection and response (EDR) platform for Windows, macOS, Linux, iOS and Android devices and for servers. It helps organizations keep their IT environments safe from malware and from hands-on-keyboard attacks that no single signature would catch.
  • It layers attack surface reduction (ASR rules, web and network protection), next-generation antivirus with behavioural and cloud-delivered protection, and EDR sensors that record process, network, file and registry activity, so threats are detected from behaviour rather than signatures alone.
  • Automated investigation and response (AIR) examines alerts and can take remediation actions such as quarantining files, stopping processes and isolating a device from the network, reducing the impact of an attack and speeding up response for IT teams.
  • It also provides a device inventory, security recommendations (through Defender Vulnerability Management) and a detailed activity timeline for each device, helping teams understand risks, track incidents and improve their security processes over time.
  • It is one of the services in Microsoft Defender XDR, so device signals are correlated with email, identity and cloud app signals in the same portal, and actions such as isolation can be triggered from an XDR incident or from a Microsoft Sentinel playbook.

Example: Imagine a company where employees receive a suspicious email with an infected attachment. An employee opens the attachment, but Microsoft Defender for Endpoint immediately detects the threat, blocks it, and informs the IT team—preventing the malware from spreading further.

Use Case: An IT administrator at a small business uses Microsoft Defender for Endpoint to monitor all company laptops. When a laptop is compromised by ransomware, Defender for Endpoint automatically isolates the device from the network and starts an investigation. This quick response contains the threat and helps the administrator clean the device without affecting the rest of the organization.

For more information see these links:


Describe Microsoft Defender for Cloud Apps

  • Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that helps organizations monitor and protect their use of cloud applications, such as Microsoft 365, Google Workspace, Salesforce and other SaaS apps.
  • Cloud Discovery identifies the apps in use, including unsanctioned or risky "shadow IT", by analysing traffic logs uploaded from firewalls and proxies or collected directly from devices through Microsoft Defender for Endpoint, and rates each app against a catalog of risk factors (security controls, compliance certifications, legal terms).
  • For sanctioned apps connected through their APIs, it provides threat detection (impossible travel, mass download, ransomware-like activity), information protection through file policies and Microsoft Purview sensitivity labels, and Conditional Access App Control, which proxies sessions in real time to block downloads to unmanaged devices or apply other session restrictions.

Example: Imagine a tech company where some employees start using an unsanctioned file-sharing cloud app to share large files. Defender for Cloud Apps detects this usage, assesses the risks, and notifies the IT team. The team can then block access to the risky app and enforce company policies to ensure data is only shared through approved and secure applications.

Use Case: A small IT department wants to prevent sensitive customer information from leaving their environment through unsanctioned cloud apps. They use Microsoft Defender for Cloud Apps to automatically discover all cloud app usage, apply data loss prevention policies to confidential files, and instantly block risky downloads to unmanaged devices, keeping customer data safe.

For more information see these links:


Describe Microsoft Defender for Identity

  • Microsoft Defender for Identity is a cloud-based security solution that protects on-premises Active Directory. Lightweight sensors installed on domain controllers, AD FS and AD CS servers send authentication and directory traffic to the cloud service, which profiles normal behaviour for each user and device. (Cloud-only Entra ID accounts are covered by Microsoft Entra ID Protection instead.)
  • It detects the stages of an identity attack: reconnaissance (account and group enumeration), credential theft and brute force, lateral movement techniques such as pass-the-hash and pass-the-ticket, domain dominance such as golden ticket and DCSync, and anomalous behaviour that may indicate an insider threat.
  • Defender for Identity feeds its alerts and identity data into Microsoft Defender XDR, where they are correlated with endpoint and email signals, and it supports response actions such as disabling an Active Directory user account directly from the portal.

Example: Imagine a university where a hacker tries to use stolen staff credentials to access sensitive student records. Microsoft Defender for Identity can spot unusual login activity, such as access from a strange location or rapid password attempts, alert the IT team, and help block the attack before data is stolen.

Use Case: A school’s IT administrator receives a real-time alert from Microsoft Defender for Identity about a failed brute-force login attack targeting a teacher’s account. The system highlights the suspicious activity and recommends immediate password reset and account monitoring, helping prevent unauthorized access and protecting sensitive information.

For more information see these links:


Describe Microsoft Defender Vulnerability Management

  • Microsoft Defender Vulnerability Management is a tool that helps organizations find, assess, and fix security weaknesses (vulnerabilities) across all their important devices and systems, such as Windows, macOS, Linux, Android, iOS, and network hardware.
  • It provides a single dashboard to see all assets, detect risks in real time, and prioritize which vulnerabilities need immediate attention by using Microsoft’s threat intelligence and breach likelihood predictions.
  • Defender Vulnerability Management offers built-in tools and actionable recommendations to quickly remediate issues, like missing security updates or misconfigurations, and helps IT teams track progress on fixing these vulnerabilities.
  • Continuous monitoring is available even for devices not connected to the corporate network, giving IT teams up-to-date information on software, hardware, certificates, and browser extensions across the organization.
  • The platform helps automate and streamline the remediation process by integrating with tools like Microsoft Intune, so vulnerabilities are not only found but can be acted upon efficiently.

Example: Imagine an IT team running a small business notices through the Microsoft Defender Vulnerability Management dashboard that two of their computers are missing important security updates. The tool highlights these machines as high risk and gives step-by-step advice on installing the needed patches, helping prevent potential cyberattacks.

Use Case: A beginner IT administrator in a growing company uses the Defender Vulnerability Management dashboard to get an overview of every device on the company network. When a new vulnerability is detected on several employee laptops, the dashboard flags these and provides clear instructions. The administrator assigns the patching task through Microsoft Intune, ensures updates are applied, and tracks the progress—all from a single interface without needing specialized security knowledge.

For more information see these links:


Describe Microsoft Defender Threat Intelligence (Defender TI)

  • Microsoft Defender Threat Intelligence (Defender TI) is a platform designed to help IT teams detect, assess, and respond to cyber threats more efficiently by gathering and analyzing threat data from various sources.
  • Defender TI aggregates information such as passive DNS records, WHOIS details, file hashes, TLS certificates, and more, making it easier to evaluate whether a website, domain, or IP address is suspicious or compromised.
  • With its easy-to-use interface, Defender TI enables users to quickly search for threat indicators, view profiles of known attackers, and collaborate with other security analysts within their organization, streamlining triage and incident response.
  • Defender TI supports threat hunting and vulnerability management through articles on active campaigns and CVE pages with Microsoft's priority scoring, which, read alongside your own asset inventory, help decide which vulnerabilities and threat actors to address first.
  • The platform reduces manual work for security teams by centralizing all relevant threat intelligence, so analysts can make accurate and timely decisions without needing to consult multiple, scattered sources.

Example: Imagine a security analyst at a small IT company notices a suspicious email that contains a link to an unfamiliar website. Using Defender TI, the analyst searches the website’s domain and instantly sees related threat articles, attacker profiles, and evidence that the domain is known for phishing attacks. This helps the team block the link and warn users within minutes.

Use Case: An IT support professional uses Defender TI to investigate an alert about a potential malware infection on a company workstation. By looking up the reported IP address in Defender TI, they quickly access enriched intel like previous malicious activity, contextual data, and analyst insights. This enables the team to confirm the threat’s nature, isolate the affected asset, and initiate remediation—minimizing disruption and harm to the business.

For more information see these links:


Describe the Microsoft Defender portal

  • The Microsoft Defender portal (https://security.microsoft.com) is a central hub for managing and monitoring your organization’s security. It brings together various Microsoft security services in one place, making it easier to view threats, incidents, reports, and recommendations.
  • The portal features a navigation bar on the left side that allows users to quickly access important areas, such as Incidents & alerts, Reports, Health, Permissions, and Settings. This organization helps you find what you need without having to browse multiple tools.
  • On the Home page, you see an overview of your environment’s security status, highlighting any active threats and providing actionable recommendations to help protect your data and devices. These recommendations are based on best practices and save time for IT teams.
  • You can customize your portal view and set notifications to stay informed about security updates, threats, and changes. The portal also offers integrated services like Defender XDR, Sentinel, Threat Intelligence, and Defender for Cloud, supporting unified threat protection across devices, users, and cloud workloads.
  • The portal is designed for ease of use, with guided tours and community resources to help beginners learn how to manage and respond to security threats, making it accessible even for those with limited IT experience.

Example: Imagine you are new to IT security and your company is worried about phishing emails. Using the Microsoft Defender portal, you log in and immediately see an alert about a suspicious email detected by Defender for Office 365. The portal provides steps to investigate and block similar threats, making it simple to take action and secure your organization.

Use Case: An IT administrator in a small business uses the Microsoft Defender portal to review security incidents every morning. They identify and resolve alerts related to malware or risky cloud app activity, ensuring company data stays protected with minimal effort and technical know-how.

For more information see these links:


Describe the capabilities of Microsoft compliance solutions (20–25%)


Describe Microsoft Service Trust Portal and privacy principles


Describe the Service Trust Portal offerings

  • The Service Trust Portal offers access to Microsoft’s audit reports, compliance documents, and certifications for cloud services like Microsoft 365, Azure, and Dynamics 365. These resources help organizations understand how Microsoft’s services meet international, industry-specific, and regional compliance standards such as ISO, SOC, GDPR, and FedRAMP.
  • Users can download independent auditor reports and detailed whitepapers from the Portal. This information helps organizations verify that security controls for Microsoft cloud services are regularly reviewed and meet required regulations.
  • The Portal provides tools such as Compliance Manager, which organizations can use to assess their own regulatory compliance posture and take action to reduce risks. The Portal also includes checklists, templates, and industry-specific guidance for sectors like healthcare, financial services, and government.
  • Access to many resources on the Service Trust Portal requires signing in with a Microsoft cloud services account (like Microsoft 365 or Azure) and accepting necessary agreements. Both trial and paid accounts are supported, making it accessible even to those just evaluating Microsoft services.

Example: Imagine an IT administrator at a small company preparing for a customer security review. They need to show that the company’s use of Microsoft 365 complies with global standards. By logging into the Service Trust Portal, the administrator downloads the latest ISO and SOC reports, which they can share during the review to demonstrate Microsoft’s compliance.

Use Case: A novice IT specialist in a growing business wants to ensure their company follows relevant data privacy and security regulations when using Azure. They use the Service Trust Portal to find and download specific compliance certifications, such as GDPR or HIPAA, and use the Compliance Manager tool to assess how well their Azure setup meets regulatory requirements.

For more information see these links:


Describe the privacy principles of Microsoft

  • You control your data: Microsoft ensures that customers always remain in control of their own data. This means you decide how your data is collected, used, and deleted within Microsoft services.
  • Transparency and data location: Microsoft is open about how data is handled, including where it is stored and processed. Customers can know the geographic location of their data and understand how it flows through Microsoft’s systems.
  • Security and compliance: Microsoft protects customer data with strong security measures, both when it is stored (‘at rest’) and when it is being moved or accessed (‘in transit’). Microsoft also complies with international regulations like GDPR and uses third-party certifications to demonstrate its commitment to privacy.
  • No unauthorized use: Microsoft does not use your organization’s data for profiling, advertising, or training AI models. Your data stays within your control and is used only to provide and improve services as you allow.
  • Shared responsibility: In some Microsoft services, data protection requires both Microsoft and the customer (or their service providers) to follow best practices and meet legal requirements, ensuring privacy is a joint effort.

Example: An IT company uses Microsoft OneDrive to store sensitive project files. Microsoft ensures that only the company and its authorized users can access these files. Microsoft does not use or analyze this data for advertising or to train AI models, and keeps the data securely in the region specified by the company.

Use Case: A small IT business uses Microsoft 365 services to store client data and manage daily communications. The company can assure clients that all personal data stays inside their designated region, is never shared for advertising, and can be permanently deleted upon request. This allows the business to meet privacy requirements easily, even without a dedicated legal or IT team.

For more information see these links:


Describe Microsoft Priva

  • Microsoft Priva is a set of privacy management solutions that help organizations identify, manage, and reduce privacy risks by providing insights about how personal data is handled within Microsoft 365 environments.
  • Priva offers tools for monitoring data activities, assessing and reporting privacy risks, automating responses to data subject requests (like GDPR or FERPA requests), and ensuring sensitive information is treated according to privacy regulations.
  • It integrates with Microsoft Purview Compliance Manager and Data Loss Prevention, which means privacy actions taken in Priva can improve your organization’s compliance score and help you track progress towards meeting regulatory requirements.
  • Priva enables organizations to automate privacy operations, such as alerting users about risky data transfers, recommending remediation steps, and documenting privacy actions—making it much easier to maintain compliance.
  • For IT professionals, Priva provides dashboards, automated alerts, and customizable policies to simplify privacy governance and ensure personal data is only accessible to authorized users.

Example: Imagine a school using Microsoft 365 to store student records, including names, grades, and contact details. With Microsoft Priva, the school’s IT team can set up alerts to detect when student data is being shared outside approved internal groups. If a teacher accidentally sends student information to an unauthorized party, Priva notifies the teacher and the IT staff, recommends corrective action, and logs the event for compliance reporting.

Use Case: An IT administrator at a small business uses Priva to automatically identify files containing sensitive employee data. When these files are shared with external contacts, Priva sends real-time email alerts to both the users and the IT team, helping them immediately address the privacy risk and keeping the business aligned with privacy regulations like GDPR.

For more information see these links:


Describe compliance management capabilities of Microsoft Purview


Describe the Microsoft Purview compliance portal

  • The Microsoft Purview compliance portal is a central, easy-to-use website where organizations manage data security, governance, and compliance tasks. It offers a unified experience, allowing users to access all Purview solutions from a single location, making navigation straightforward for beginners.
  • Through the portal, users can track compliance status, review risk levels, and perform assessments using built-in tools like Compliance Manager. These tools help organizations understand how well they meet regulatory requirements (such as GDPR or HIPAA) and provide step-by-step guidance to address any gaps.
  • The portal includes features like auditing solutions (to monitor user and admin activities), eDiscovery (to find and collect digital evidence for legal cases), and data lifecycle management (to control access and retention of sensitive information). All these capabilities help organizations reduce risks and stay compliant with laws and policies.

Example: A small IT company uses the Microsoft Purview compliance portal to check their compliance with data protection laws. The company’s IT manager logs into the portal, views the compliance dashboard, and sees a score showing how well the company is meeting privacy and security standards. If the score is low, the portal provides a list of actions (like enabling multi-factor authentication or updating privacy policies) to improve compliance.

Use Case: An IT support specialist in a managed service provider (MSP) routinely uses the Microsoft Purview compliance portal to monitor client data security status. By accessing the portal’s audit logs and compliance reports, they can quickly identify potential risks, provide timely recommendations, and demonstrate regulatory compliance to clients during audits.

For more information see these links:


Describe Compliance Manager

  • Compliance Manager is a tool within Microsoft Purview that helps organizations assess, monitor, and manage their compliance with standards and regulations such as GDPR or ISO 27001. It centralizes compliance activities, making it easier to track progress.
  • It provides prebuilt and customizable assessments that map directly to regulatory requirements. Each assessment breaks down compliance into manageable controls and improvement actions assigned to responsible team members.
  • Compliance Manager automatically calculates a compliance score based on completed actions, highlighting areas that need attention and helping organizations prioritize tasks to reduce risk.
  • The tool offers clear step-by-step guidance and documentation for each improvement action, making it accessible even for those new to compliance tasks.
  • Compliance Manager includes workflow tracking, assigns compliance tasks to users, and allows storage of evidence, status notes, and audit results—all in one place for better collaboration and reporting.

Example: A small IT company wants to ensure their use of Microsoft 365 meets the requirements of GDPR, a key privacy regulation. Using Compliance Manager, they select the built-in GDPR assessment template. The tool automatically outlines required actions—such as controlling who has access to sensitive data or setting up data retention policies—and assigns these actions to appropriate staff. The team follows easy instructions in Compliance Manager, uploads evidence, and tracks their progress through the compliance score.

Use Case: An IT administrator at a managed service provider needs to demonstrate data protection compliance to win new business contracts. They use Compliance Manager to generate a compliance assessment report, showing which regulatory requirements are met, the tasks completed by the team, and outstanding actions. This report can be shared with potential clients to build trust and prove the company’s commitment to secure practices.

For more information see these links:


Describe the uses and benefits of compliance score

  • The compliance score in Microsoft Purview Compliance Manager shows how well your organization is meeting key data protection regulations and standards by combining points from completed improvement actions. You receive an initial score based on the Microsoft 365 data protection baseline, which reflects common privacy and security controls.
  • Compliance scores help you quickly identify which areas need attention and prioritize actions that have the greatest impact on reducing your risk. By focusing on recommended improvements, you can raise your score, meaning you are better aligned with regulatory requirements.
  • The score is easy to track and understand, making it helpful for organizations that are just starting to manage compliance. It also provides transparency to auditors and stakeholders about your progress and compliance posture, which is important during reviews or certification processes.
  • You can filter the dashboard to see compliance scores relevant to specific laws or standards, helping you focus on requirements that matter most to your industry or business type.
  • Microsoft Purview Compliance Manager assigns scores based on both actions managed by Microsoft and those completed by your organization, giving a comprehensive view of compliance efforts across your Microsoft 365 environment.

Example: A small IT company uses Microsoft Purview Compliance Manager to check if its data protection practices meet GDPR requirements. The Compliance Manager dashboard shows the company’s compliance score. After completing recommended improvement actions, like updating privacy settings and managing access permissions, the score increases. This helps the team know they are making progress and highlights remaining tasks to reach full compliance.

Use Case: An IT support team at a managed services provider wants to demonstrate to clients that they follow best practices for data security. By using Compliance Manager to track and improve their compliance score, they can easily report on completed actions and current status during client meetings. This builds trust and helps them win more business by showing a commitment to data protection and regulatory standards.

For more information see these links:


Describe information protection, data lifecycle management, and data governance capabilities of Microsoft Purview


Describe the data classification capabilities

  • Automatic Identification of Sensitive Data: Microsoft Purview can automatically scan your organization’s files, emails, and databases to identify sensitive data such as personal information, financial records, or confidential business documents. It uses built-in and customizable recognition patterns called sensitive information types to find and flag this data.
  • Application of Sensitivity and Retention Labels: After data is identified, Purview allows you to attach labels that indicate how sensitive the data is (for example, ‘Confidential’ or ‘Public’) and for how long it should be kept (retention labels). These labels guide users in handling the data safely and help enforce internal policies automatically.
  • Visibility and Monitoring with Dashboards: The data classification dashboard gives administrators clear insights into what types of sensitive data exist in the organization, where the data is stored, who is accessing it, and what actions they are taking. This visibility makes it easier to spot risks and ensure compliance with regulations.

Example: An IT team at a small company uses Microsoft Purview to scan its cloud storage. The system automatically finds files with customer credit card numbers and emails that mention social security numbers. These items are automatically labeled as ‘Sensitive’ so staff can easily identify and protect them.

Use Case: A novice IT administrator enables data classification in Microsoft Purview for their company’s Microsoft 365 environment. They use the dashboard to find that several shared files contain sensitive employee information, like passport numbers. Using this information, they set up rules to apply sensitivity labels and restrict file sharing, helping prevent accidental leaks and supporting compliance with data privacy laws.

For more information see these links:


Describe the benefits of Content explorer and Activity explorer

  • Content explorer helps you quickly find and view sensitive or classified data across locations like email, SharePoint, Teams, and OneDrive. This lets you understand where confidential information lives in your organization.
  • Activity explorer allows you to monitor and analyze how users interact with protected or sensitive content—such as opening, sharing, copying, or moving files. You can filter activity by date, user, location, label, and more to spot risky behaviors or compliance issues.
  • Both explorers support easy filtering and customizable views so you can focus on important data or activities (like files labeled ‘Confidential’ or activities involving external sharing). This helps you take action faster to prevent data leaks or meet compliance requirements.
  • With content explorer, you can give feedback on classification accuracy and improve detection over time, making your data protection policies stronger.
  • Activity explorer provides historical views (last 30 days) and built-in filter sets (like DLP activities or egress events), helping you quickly identify potential threats and respond appropriately.

Example: Imagine you’re an IT administrator at a company. You use content explorer to search for files across SharePoint sites that contain credit card numbers. You discover several files that aren’t properly protected and quickly apply a sensitivity label to secure them.

Use Case: A beginner IT professional is tasked with reporting where internal documents labeled ‘Confidential’ have been shared outside the organization. Using activity explorer, they filter for ‘Confidential’ files and ‘egress activities’, seeing which users sent documents externally and helping management respond to possible data leaks.

For more information see these links:


Describe sensitivity labels and sensitivity label policies

  • Sensitivity labels in Microsoft Purview are tags that you can apply to documents, emails, and other items to classify and protect information based on its sensitivity, such as Public, Confidential, or Highly Confidential.
  • Sensitivity label policies are used to publish and manage sensitivity labels for different users or groups. They determine which labels are available, who can use them, and set label priorities to resolve conflicts when multiple policies apply to a user.
  • You can configure policies to automatically assign a default label, require a label for certain items, or restrict who can see or apply specific labels. Policies are flexible and can be adjusted to fit organizational needs and compliance requirements.

Example: An IT company wants to protect client information. The organization creates sensitivity labels like ‘Public’, ‘Internal’, and ‘Confidential’. These labels are then published using label policies: all users can access ‘Public’ and ‘Internal’, but only senior staff can apply ‘Confidential’ to highly sensitive data such as contracts or private client details.

Use Case: A novice IT administrator sets up sensitivity labels and policies in Microsoft Purview so that employees working on sales proposals can easily tag confidential documents. By assigning a policy that requires a label on every new document, the admin ensures that sensitive information is automatically classified and access is controlled, reducing the risk of accidental data leaks.

For more information see these links:


Describe data loss prevention (DLP)

  • Data Loss Prevention (DLP) is a security strategy and set of tools designed to prevent unauthorized sharing, access, or leakage of sensitive information such as financial data, personal information, or trade secrets.
  • Microsoft Purview DLP helps organizations automatically detect and monitor sensitive data across emails, files, cloud apps, and endpoints like laptops or phones, reducing the risk of accidental or intentional data leaks.
  • DLP policies in Microsoft Purview can be configured to alert users, block risky actions (like sending sensitive files outside the company), or require justification before data is shared, ensuring information is protected without interrupting legitimate business processes.
  • DLP provides activity tracking and alerting, so administrators can investigate incidents, respond quickly, and keep improving the organization’s data protection approach.
  • By using DLP, organizations support compliance with data privacy laws and industry regulations by preventing sensitive data from leaving controlled environments.

Example: Imagine an employee tries to email a spreadsheet containing customer credit card numbers to someone outside the company. With Microsoft Purview DLP in place, the system detects the sensitive information in the attachment and either blocks the email, warns the sender, or requires additional approval before it can be sent. This helps prevent accidental data leaks.

Use Case: A small IT company uses Microsoft 365 for email and file sharing. To comply with privacy regulations, the IT administrator sets up DLP policies in Microsoft Purview to automatically flag or block any attempt to share files containing social security numbers, bank account details, or confidential business data outside the organization. This reduces the risk of data breaches and demonstrates responsible data handling to clients and regulators.
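The following Python script is an added example, not Purview's own code and not part of this study guide; it models how a DLP rule evaluates a message against sensitive information types, which also illustrates the pattern-plus-checksum-plus-keyword approach from the data classification section above. The sensitive information type names are Purview's built-in names; the patterns, keyword lists, confidence levels, organization domain and actions are assumptions made for this example.

```python
"""Added example (not Purview code): a minimal DLP rule evaluation.

Each detector combines a pattern, a validation checksum and supporting
keywords inside a proximity window, then a rule maps the result to
allow / warn / block. Confidence values, keywords, domain and thresholds
are constructed for this example.
"""
import re
from dataclasses import dataclass, field

PROXIMITY = 300  # characters of context searched for supporting keywords


@dataclass(frozen=True)
class Match:
    info_type: str
    confidence: int   # 65 = medium, 85 = high (constructed levels)
    redacted: str     # evidence for the incident report, never the raw value


@dataclass
class Decision:
    action: str       # "allow", "warn" or "block"
    matches: list[Match] = field(default_factory=list)
    external_recipients: list[str] = field(default_factory=list)


def luhn_ok(digits: str) -> bool:
    """Checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# (name, pattern, checksum, supporting keywords); patterns constructed here
SENSITIVE_INFO_TYPES = [
    ("Credit Card Number",
     re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
     lambda raw: luhn_ok(re.sub(r"[ -]", "", raw)),
     ("card number", "visa", "mastercard", "cvv", "expiry", "expiration")),
    ("U.S. Social Security Number (SSN)",
     re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
     lambda raw: True,
     ("ssn", "social security", "soc sec")),
]


def find_sensitive_info(text: str) -> list[Match]:
    """Return every validated match with a confidence based on nearby keywords."""
    found = []
    lowered = text.lower()
    for name, pattern, checksum, keywords in SENSITIVE_INFO_TYPES:
        for m in pattern.finditer(text):
            if not checksum(m.group()):
                continue                       # pattern hit but checksum failed
            window = lowered[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
            confidence = 85 if any(k in window for k in keywords) else 65
            digits = re.sub(r"\D", "", m.group())
            found.append(Match(name, confidence, "*" * (len(digits) - 4) + digits[-4:]))
    return found


def evaluate_dlp(text: str, recipients: list[str],
                 org_domain: str = "contoso.example") -> Decision:
    """Constructed rule: block high-confidence matches leaving the organization,
    warn (policy tip with override) on medium-confidence ones, allow internal mail."""
    matches = find_sensitive_info(text)
    external = [r for r in recipients if not r.lower().endswith("@" + org_domain)]
    if not matches or not external:
        return Decision("allow", matches, external)
    if any(m.confidence >= 85 for m in matches):
        return Decision("block", matches, external)
    return Decision("warn", matches, external)


if __name__ == "__main__":
    # Constructed messages mirroring the scenario above: an employee mails a
    # customer's card number to an external address.
    samples = [
        ("Here is the customer's Visa card number 4111 1111 1111 1111, exp 12/27.",
         ["alice@contoso.example", "buyer@partner.example"]),
        ("Order ref 4111 1111 1111 1112 shipped today.", ["buyer@partner.example"]),
        ("Applicant id 123-45-6789 attached.", ["recruiter@agency.example"]),
        ("SSN 123-45-6789 for payroll.", ["payroll@contoso.example"]),
    ]
    for body, to in samples:
        d = evaluate_dlp(body, to)
        print(d.action, [(m.info_type, m.confidence, m.redacted) for m in d.matches])
```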

For more information see these links:


Describe records management

  • Records management refers to the systematic control of documents and information throughout their lifecycle, from creation to final disposal. In IT, records management helps organizations comply with laws and regulations by retaining important data and disposing of it safely when it is no longer needed.
  • With Microsoft Purview Records Management, organizations can declare documents and emails as official records. This locks them in a tamper-proof state, preventing edits or accidental deletion and ensuring the integrity of critical information.
  • Retention labels and policies can be set up to automatically classify, retain, and delete content based on business, legal, or regulatory requirements. This reduces manual work and ensures records are managed efficiently and consistently.
  • Event-based retention allows organizations to trigger specific retention periods when significant events occur, such as a student graduating or an employee leaving. This ensures records are kept for the correct amount of time.
  • Disposition review lets teams manually review records before permanent deletion, providing proof of disposition and ensuring compliance with audit or legal standards.

Example: A university uses Microsoft Purview to automatically apply retention labels to student emails and documents in Office 365. When a student graduates, an event-based retention policy marks their records to be kept for an additional five years to meet regulatory requirements. After this period, the records are sent for disposition review before being safely deleted.

Use Case: An IT administrator at a school sets up retention labels in Microsoft Purview so that teaching contracts in SharePoint are classified as official records. These documents are kept in a tamper-proof state for the duration required by law. When contracts expire, the system triggers a disposition review before deleting them, ensuring both compliance and data security.

For more information see these links:


Describe retention policies, retention labels, and retention label policies

  • Retention policies and retention labels are tools in Microsoft Purview that help organizations control how long data is kept and what happens to it at the end of its lifecycle. Retention policies apply the same retention rules across entire locations like mailboxes or SharePoint sites, while retention labels allow for more specific, item-level control.
  • Retention policies are best for broad scenarios (like keeping all emails for 7 years). They automatically govern the content in selected locations—such as Exchange mailboxes, SharePoint sites, Teams chats, and more—and don’t require manual user involvement.
  • Retention labels provide more granular control. They can be applied to individual documents, emails, or items, either manually by users or automatically based on conditions (like keywords, sensitive data, or events). Retention labels can also mark items as records, trigger disposition reviews, or travel with the content if it’s moved to a new location.
  • Retention label policies are used to publish and make retention labels available to users in specific locations. Admins control which locations (like specific SharePoint sites or mailboxes) receive these labels, and can choose to have labels applied automatically or allow users to apply them as needed.
  • Using a combination of retention policies, retention labels, and retention label policies helps organizations meet compliance, legal, and business needs by making sure data is kept (or deleted) according to clearly defined rules, with flexibility for both broad and precise scenarios.

Example: An IT company uses a retention policy to keep all employee emails for 7 years, which covers legal requirements. For sensitive HR documents stored in their SharePoint site, they use a specific retention label called ‘HR-Confidential: 10 Years’ that only applies to selected files, ensuring some data is kept longer and handled differently.

Use Case: A beginner IT administrator sets up a retention policy to make sure all Teams chat messages are deleted after 2 years. For financial reports stored in SharePoint, the admin creates a retention label—‘Financial Record: 7 Years’—and publishes it with a retention label policy so that finance team members can mark relevant files. This guarantees that chat data and financial documents are each managed according to company policy and compliance standards.

For more information see these links:


Describe unified data governance solutions in Microsoft Purview

  • Unified data governance in Microsoft Purview means that organizations can manage, secure, and monitor all their data—whether it lives on-premises, in the cloud (Azure, AWS), or in SaaS applications (like Microsoft 365)—from a single platform.
  • Purview uses tools like Data Map and Unified Catalog to automatically discover, scan, and map metadata about data sources, making it easier for users to identify and understand where sensitive or important data resides.
  • Business and technical users can collaborate using Purview by applying business terms, defining data ownership, and assigning stewardship roles, which helps clarify who is responsible for different types of data and how the data should be used.
  • Microsoft Purview enables setting rules and labels to manage data quality, classify sensitive information, and control who can access what data. This helps meet compliance requirements and manage risk.
  • With its unified approach, Purview reduces complexity and fragmentation across IT systems, giving decision-makers a comprehensive view and control over their entire data estate.

Example: A medium-sized IT company uses Microsoft Purview to scan and map all its data stored in Azure, on-premises SQL servers, and Power BI dashboards. By doing this, the company can see exactly where personal customer data is held, label it as sensitive, and restrict access so only authorized employees can view or edit it.

Use Case: An IT administrator at a managed services provider is tasked with ensuring that client data—spread across cloud services and local servers—is protected and only accessible to appropriate staff. Using Microsoft Purview’s unified data governance, they scan and classify all data sources, set up governance domains, and assign data stewards to oversee data quality and compliance. This streamlines audits and helps the organization stay compliant with regulations like GDPR.

For more information see these links:


Describe insider risk, eDiscovery, and audit capabilities in Microsoft Purview


Describe insider risk management

  • Insider risk management is about identifying and reducing risks that come from people within an organization, like employees or students, who might accidentally or intentionally cause harm by sharing sensitive information or breaking security policies.
  • Microsoft Purview Insider Risk Management uses tools like machine learning and behavioral analytics to monitor activities across Microsoft 365 services, such as email, Teams, SharePoint, and OneDrive, to spot risky behavior early.
  • The system uses customizable risk policy templates (such as for detecting data leaks or monitoring users who are leaving the organization) and can automatically trigger alerts and actions based on defined policies, all while protecting user privacy by pseudonymizing identities during investigations.
  • Integration with features like Data Loss Prevention (DLP) and HR systems helps organizations respond quickly by prioritizing serious risks and automating remediation actions, such as reminders, educational messages, or escalation to security teams.
  • Centralized dashboards in Purview make it easy for IT staff to review, triage, and investigate potential insider risk alerts, cutting down on manual work and helping schools and businesses comply with laws and regulations about data protection.

Example: A teacher in a school unintentionally shares a spreadsheet containing student grades with people outside of the school through email. Microsoft Purview Insider Risk Management detects this action as a possible data leak by using its monitoring tools and notifies the IT department to review and handle the incident, ensuring sensitive student information remains protected.

Use Case: In a university, when an employee hands in their resignation, the HR connector in Insider Risk Management automatically activates a policy to monitor for data theft by departing users. If the system detects unusual downloads of research data or attempts to share sensitive files externally, it can alert security staff and restrict access immediately, helping to prevent intellectual property loss.

For more information see these links:


Describe eDiscovery solutions in Microsoft Purview

  • eDiscovery in Microsoft Purview helps organizations find, hold, and export electronic data (like emails, documents, and chat messages) for legal or regulatory reasons. This is important when responding to lawsuits, audits, or internal investigations.
  • There are three main eDiscovery solutions in Purview: Content Search, for basic keyword searches and exports; eDiscovery (Standard), which adds case management and legal holds; and eDiscovery (Premium), which offers advanced features like custodian management, legal hold notifications, data analysis, and machine learning to focus on relevant information.
  • With eDiscovery (Standard) and (Premium), cases can be created so only assigned managers can access specific investigations, ensuring sensitive information is only viewed by authorized personnel. Legal holds can prevent data from being accidentally deleted while an investigation is ongoing.
  • eDiscovery integrates across Microsoft 365—covering Exchange (email), OneDrive, SharePoint, Teams, and more. This lets organizations collect all relevant data from a single place instead of searching each service separately.
  • eDiscovery (Premium) offers advanced features like filtering, tagging, and machine learning analysis to help legal or compliance teams quickly identify the most important data, speeding up investigations and reducing manual work.

Example: Imagine your company receives a legal request to provide all emails and Teams messages between two employees over the past six months. With Microsoft Purview eDiscovery, your IT or compliance team can create a case, search across all Microsoft 365 data sources for these communications, apply filters to find the exact messages needed, and then export the results for the legal team.

Use Case: A novice IT administrator at a small tech company is asked to respond to an internal HR investigation about data leaks. Using Microsoft Purview eDiscovery (Standard), the admin sets up a case, searches across email, OneDrive, and Teams for specific keywords related to the leak, and places the relevant users’ data on legal hold to ensure nothing is deleted during the investigation.

For more information see these links:


Describe audit solutions in Microsoft Purview

  • Microsoft Purview audit solutions automatically track, record, and store user and admin activities across Microsoft cloud services, such as Microsoft 365, Copilot, and Dynamics 365.
  • Audit logs include detailed information like user actions, dates, accessed files, prompts entered in Copilot, and any sensitive data labels applied. This helps organizations monitor compliance and security.
  • With Purview’s audit search tool, users with the proper permissions can easily filter and search audit records by user, activity type, date range, and more. This enables efficient investigation and quick response to potential risks.
  • Audit logs support forensic investigations and internal reviews by providing a searchable history of activities, which is crucial when responding to security events or compliance requirements.
  • These audit capabilities are enabled by default for organizations with proper licenses, making it easy for IT teams to set up and use Purview without complex configuration.

Example: An IT administrator at a company suspects that a user may have tried to access sensitive data without permission through Microsoft 365 Copilot. By using Microsoft Purview’s audit solution, the admin searches the audit logs for activities related to that user, checks the date and time of the suspicious action, and confirms whether the user accessed or tried to access confidential files.

Use Case: A beginner IT professional is assigned to investigate a potential data security incident. Using Microsoft Purview’s audit solutions, they log in to the Purview portal, open the audit log search tool, and filter activities for a specific date, user, and application (like Copilot). They easily identify unusual actions and export the results for review by their security team—helping resolve the incident quickly and efficiently.
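The following Python script is an added example, not Purview code and not from this study guide; it applies the audit search filters described in this section and then runs a departing-user policy of the kind described under insider risk management over the same records, reporting alerts with pseudonymized identities. The audit records are constructed for this example and follow the field layout of Microsoft 365 unified audit log entries (CreationTime, UserId, Operation, Workload, ObjectId); the HR resignation feed, thresholds, window and pseudonym key are assumptions.

```python
"""Added example (not Purview code): audit search plus a departing-user
insider-risk policy over constructed unified audit log records."""
import hashlib
import hmac
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed records in the unified audit log field layout (not real data).
AUDIT_JSONL = """
{"CreationTime":"2024-05-01T09:12:00","UserId":"alice@contoso.example","Operation":"FileAccessed","Workload":"SharePoint","ObjectId":"https://contoso.example/sites/hr/Onboarding.docx"}
{"CreationTime":"2024-05-01T10:40:00","UserId":"alice@contoso.example","Operation":"CopilotInteraction","Workload":"Copilot","ObjectId":""}
{"CreationTime":"2024-05-03T18:02:00","UserId":"bob@contoso.example","Operation":"FileDownloaded","Workload":"SharePoint","ObjectId":"https://contoso.example/sites/research/Results-Q1.xlsx"}
{"CreationTime":"2024-05-03T18:03:00","UserId":"bob@contoso.example","Operation":"FileDownloaded","Workload":"SharePoint","ObjectId":"https://contoso.example/sites/research/Results-Q2.xlsx"}
{"CreationTime":"2024-05-03T18:04:00","UserId":"bob@contoso.example","Operation":"FileDownloaded","Workload":"SharePoint","ObjectId":"https://contoso.example/sites/research/Model.ipynb"}
{"CreationTime":"2024-05-04T07:55:00","UserId":"bob@contoso.example","Operation":"FileDownloaded","Workload":"OneDrive","ObjectId":"https://contoso-my.example/personal/bob/Notes.docx"}
{"CreationTime":"2024-05-04T07:56:00","UserId":"bob@contoso.example","Operation":"FileDownloaded","Workload":"OneDrive","ObjectId":"https://contoso-my.example/personal/bob/Grant.pdf"}
{"CreationTime":"2024-05-04T08:10:00","UserId":"bob@contoso.example","Operation":"AnonymousLinkCreated","Workload":"SharePoint","ObjectId":"https://contoso.example/sites/research/Results-Q1.xlsx"}
{"CreationTime":"2024-05-06T11:00:00","UserId":"carol@contoso.example","Operation":"FileDownloaded","Workload":"SharePoint","ObjectId":"https://contoso.example/sites/sales/Pricing.xlsx"}
"""

# Constructed HR connector feed: who resigned and when.
HR_EVENTS = [{"UserId": "bob@contoso.example", "ResignationDate": "2024-05-02"}]
PSEUDONYM_KEY = b"constructed-secret-rotate-in-production"   # assumption

DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}
SHARE_OPS = {"AnonymousLinkCreated", "SharingSet"}


def load_audit(jsonl: str) -> list[dict]:
    """One JSON object per line, as an audit export would be consumed."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def search_audit(records, *, user=None, workload=None, operation=None,
                 start=None, end=None) -> list[dict]:
    """Mirror the portal's audit search filters: user, workload, activity, dates."""
    out = []
    for r in records:
        when = datetime.fromisoformat(r["CreationTime"])
        if user and r["UserId"].lower() != user.lower():
            continue
        if workload and r["Workload"] != workload:
            continue
        if operation and r["Operation"] != operation:
            continue
        if start and when < start:
            continue
        if end and when > end:
            continue
        out.append(r)
    return out


def pseudonym(user_id: str) -> str:
    """Keyed hash so alerts are reviewable without exposing the identity;
    only authorized investigators hold the key to resolve it."""
    digest = hmac.new(PSEUDONYM_KEY, user_id.lower().encode(), hashlib.sha256).hexdigest()
    return "User-" + digest[:8]


def departing_user_alerts(records, hr_events, window_days=14,
                          download_threshold=5) -> list[dict]:
    """Constructed policy: flag bulk downloads and sharing around a resignation."""
    alerts = []
    for ev in hr_events:
        resign = datetime.fromisoformat(ev["ResignationDate"])
        window = search_audit(records, user=ev["UserId"],
                              start=resign - timedelta(days=window_days),
                              end=resign + timedelta(days=window_days))
        ops = Counter(r["Operation"] for r in window)
        downloads = sum(ops[o] for o in DOWNLOAD_OPS)
        shares = sum(ops[o] for o in SHARE_OPS)
        if downloads < download_threshold and shares == 0:
            continue
        severity = "High" if downloads >= download_threshold and shares else "Medium"
        alerts.append({
            "user": pseudonym(ev["UserId"]),
            "severity": severity,
            "downloads": downloads,
            "external_shares": shares,
            "files": sorted({r["ObjectId"] for r in window
                             if r["Operation"] in DOWNLOAD_OPS | SHARE_OPS}),
        })
    return alerts


if __name__ == "__main__":
    recs = load_audit(AUDIT_JSONL)
    print(json.dumps(search_audit(recs, user="alice@contoso.example", workload="Copilot"), indent=1))
    print(json.dumps(departing_user_alerts(recs, HR_EVENTS), indent=1))
```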

For more information see these links: