Microsoft 365 Fundamentals Practice Test (MS-900)

The Zero Trust Model requires that every access request is authenticated, authorized, and encrypted, treating all resources as if they are on an open network. This approach enhances security by eliminating implicit trust within the network. Traditional models like the Perimeter Security Model assume that everything inside the network is trusted, which can be a vulnerability if the perimeter is breached. The Trusted Network Model and Open Access Model do not enforce strict verification of every access request as the Zero Trust Model does.

Purchasing through a Cloud Solution Provider (CSP) is the best option for organizations needing flexibility. CSPs offer monthly billing cycles and the ability to adjust license quantities as the organization's needs change.

Purchasing directly from Microsoft via a Microsoft Customer Agreement (MCA) can offer monthly billing, but is often geared towards annual or multi-year commitments with less flexibility than CSP for scaling down.

Entering into an Enterprise Agreement (EA) is designed for large organizations (500+ users) committing to a multi-year term. While licenses can be added, they can typically only be reduced annually, offering less flexibility.

Purchasing through an Open Value agreement is a volume licensing program that provides rights to the latest software versions but generally involves a three-year agreement term and is less flexible for monthly adjustments compared to CSP.

The correct answer is Microsoft Intune. Intune is a cloud-based unified endpoint management (UEM) service that allows organizations to manage devices (desktops, mobile devices, virtual endpoints) and applications entirely from the cloud. This eliminates the need for on-premises servers.

• Configuration Manager is Microsoft's traditional on-premises management solution.
• Windows Autopilot is a technology used for provisioning and setting up new devices, but it relies on an MDM service like Intune for ongoing management.
• Microsoft Defender for Endpoint is a security platform for threat detection and response, not a primary device management tool.

Microsoft 365 is a comprehensive subscription that combines Office 365 productivity apps, Windows 10 Enterprise upgrade, and Enterprise Mobility + Security features. This unified subscription meets the organization's needs for productivity tools, operating system upgrades, and advanced security in one package. Office 365 offers productivity apps but does not include the operating system upgrade or advanced security features. Windows 10 Enterprise provides the operating system upgrade but lacks productivity apps and the full security suite. Enterprise Mobility + Security delivers advanced security features but does not encompass productivity tools or the operating system upgrade.

Administrators create Microsoft 365 service requests in the Microsoft 365 admin center. From the portal, choose Support > New service request (or Help & support > Contact support) to log a ticket that is tracked by Microsoft support engineers.

Creating a post in community forums or Microsoft Q&A does not open an official ticket. The Microsoft 365 Service Health dashboard lets you view incidents but does not submit new requests. The Support and Recovery Assistant (SaRA) can diagnose local client issues but does not lodge a service-level ticket.

Microsoft Viva Insights provides personal and organizational analytics to help improve productivity and well-being. It offers features like recommendations for focused work time, mindfulness breaks, and insights on work patterns that may lead to burnout.

Viva Learning facilitates access to learning content

Viva Connections enhances employee engagement with company communications.

Viva Topics helps in knowledge discovery by organizing content and expertise.

Microsoft Purview Insider Risk Management is specifically designed to help organizations detect, investigate, and take action on risky activities occurring inside their organization, such as data leaks by employees. It provides tools to monitor user behavior, identify potential insider threats, and remediate them. In contrast, Microsoft Purview eDiscovery is used for finding and exporting content in response to legal matters, Data Lifecycle Management focuses on managing the retention and deletion of data, and Compliance Manager offers assessments to manage compliance requirements but does not monitor internal user activities.

Microsoft OneDrive is designed for individual users to store files in the cloud, allowing access from anywhere, including offline access, and facilitates secure sharing with others. It synchronizes files across devices, making it ideal for consultants needing access on the go.

Microsoft Teams is a collaboration platform focused on chat, meetings, and team communication, but it isn't primarily used for individual cloud storage or offline file access.

Microsoft SharePoint is geared towards creating intranet sites and managing organization-wide documents and content collaboratively, rather than providing personal cloud storage with offline access.

Microsoft Exchange is an email and calendaring server solution and does not offer features for storing and sharing work documents.

Windows Autopilot is the best solution to meet the company's requirements for simplifying device deployment, this is because it automates the deployment of new devices by allowing them to be shipped directly from the supplier to the end-user. When the user turns on the device for the first time, Windows Autopilot automatically enrolls the device in the organization's management environment and applies configuration policies, apps, and settings without requiring IT staff to manually set up the device. This streamlines the deployment process and reduces the time and effort required by IT.

Microsoft Endpoint Configuration Manager is an on-premises solution primarily used for managing existing devices and requires IT intervention for device imaging and deployment.

Microsoft Endpoint Analytics provides insights into device performance and health but does not handle device deployment.

Co-management with Microsoft Intune allows devices to be managed by both Configuration Manager and Intune but does not by itself offer a solution for automated device deployment directly from supplier to employee.

SharePoint Online enables multiple users to access, share, and co-author documents in real-time from any location, supporting collaboration in a flexible work environment. Microsoft Forms is used for creating surveys and quizzes, Power Automate automates workflows between apps and services, and Exchange Online provides email and calendar services—none of which specifically facilitate simultaneous document editing.

Users do not need administrator approval to use SSPR. Instead, they must successfully verify their identity through the authentication methods that an administrator has allowed for SSPR (for example, a code sent by SMS, an Authenticator app approval, or another configured option). This verification step ensures the person requesting the reset is the legitimate account owner while eliminating help-desk involvement, which reduces support overhead and restores access quickly. Options that mention administrator, help-desk, or network-location approval are incorrect because no such approval is required once SSPR is enabled.

The Zero Trust security model operates on the principle of not trusting any user or device by default, regardless of whether they are inside or outside the network. It requires continuous verification of identities and access privileges before granting access to resources, aligning with the organization's strategy. The Perimeter-Based security model assumes that users within the network are trusted, which doesn't meet the organization's requirement to verify all users and devices. The Defense-in-Depth model focuses on layered security controls but doesn't specifically mandate verifying every access request. The Least Privilege model ensures users have only the access necessary for their roles but doesn't address verifying all access requests regardless of location.

Microsoft Secure Score delivers a numerical assessment of an organization's security posture across Microsoft 365 workloads. The dashboard displays the current score, historical trends, and a list of prioritized improvement actions that administrators can implement or mark as risk-accepted.

Microsoft Defender for Endpoint includes a Secure Score for Devices that measures only endpoint configuration, not the full tenant. Microsoft Entra ID shows an Identity Secure Score limited to identity-related controls. Microsoft Compliance Manager tracks regulatory controls and provides a compliance score, not a security posture score with Microsoft 365-wide recommendations.

Microsoft 365 requires that each user has a Usage location specified before a license can be assigned. This setting informs Microsoft which country’s data residency and service availability rules apply to the user (for example, services such as Teams Audio Conferencing are not offered in all regions). If Usage location is left blank, the licensing service blocks the assignment and returns an error indicating that a mandatory property is missing. Preferred language and time zone are optional user properties, and the tenant-level billing address does not satisfy the per-user requirement.

Administrators can configure sensitivity labels or auto-labeling policies that automatically detect data (by matching sensitive information types, trainable classifiers, etc.) and apply the appropriate label to documents and emails without user action. This automatic labeling works across Office apps, SharePoint, OneDrive, and Exchange Online and supplements manual labeling rather than replacing higher-priority labels that a user may already have applied.

The most cost-effective solution is to purchase Microsoft Defender for Office 365 add-on licenses for the specified users. Add-on licenses enhance the functionality of base licenses by providing additional features to selected users without the need to upgrade their entire base license.

Upgrading the base licenses from Microsoft 365 E3 to E5 for those users would provide the necessary features but at a higher cost compared to the add-on licenses.

Purchasing Microsoft 365 E5 licenses for all users is unnecessary and would result in significantly higher expenses.

It is not possible to enable Microsoft Defender for Office 365 features in the admin center without additional licenses.

Purchasing licenses through a Cloud Solution Provider allows companies to work with a Microsoft partner that can offer personalized support and flexible billing options. The partner provides value-added services and can tailor offerings to the company's specific needs.

An Enterprise Agreement is typically suited for larger organizations and involves a direct agreement with Microsoft, lacking the personalized third-party support.

Buying directly from Microsoft with direct billing does not provide the additional support and flexibility offered by a partner.

The Microsoft Open License program is for perpetual licenses and is being phased out, making it less suitable for cloud services like Microsoft 365.

Conditional Access in Microsoft Entra ID allows administrators to create and enforce policies that control access to resources based on specific conditions such as sign-in risk, user location, device compliance, and more. By implementing Conditional Access policies, you can dynamically respond to changing risks and ensure that access to sensitive data is appropriately secured.

Identity Protection helps detect and remediate identity-based risks but doesn't directly enforce access policies. Multi-Factor Authentication (MFA) requires additional verification methods during sign-in but doesn't allow for conditional enforcement based on context. Self-Service Password Reset (SSPR) enables users to reset their passwords without administrator intervention but doesn't control access conditions.

Creating a service request in the Microsoft 365 admin center is the correct method to directly engage Microsoft support for assistance with issues unresolved by self-help resources. This approach ensures that your case is handled by support engineers who can provide targeted help. Posting on social media is not a formal support channel and may not result in timely or professional assistance. Waiting without action does not address the issue proactively, and reinstalling Office applications is unlikely to solve mailbox access problems caused by service-related issues.

Microsoft Defender for Office 365 provides comprehensive protection for Microsoft 365 services such as Exchange Online, SharePoint Online, OneDrive, and Microsoft Teams against advanced threats like phishing and malware. It is specifically designed to secure email and collaboration tools.

Microsoft Defender for Endpoint protects devices like desktops and laptops.

Microsoft Defender for Identity monitors on-premises Active Directory signals to identify compromised identities.

Microsoft Defender for Cloud Apps helps secure the use of cloud applications but does not specifically target email and collaboration platforms.