- (Exam Topic 5)
You have a Microsoft 365 subscription that uses an Azure AD tenant named contoso.com. The tenant contains the users shown in the following table.

You add another user named User5 to the User Administrator role. You need to identify which two management tasks User5 can perform.
Which two tasks should you identify? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

1. A. Delete User2 and User4 only.
2. B. Reset the password of User4 only
3. C. Reset the password of any user in Azure AD.
4. D. Delete User1, User2, and User4 only.
5. E. Reset the password of User2 and User4 only.
6. F. Delete any user in Azure AD.

Correct Answer: AE
Users with the User Administrator role can create users and manage all aspects of users with some restrictions (see below).
Only on users who are non-admins or in any of the following limited admin roles:
• Directory Readers
• Guest Inviter
• Helpdesk Administrator
• Message Center Reader
• Reports Reader
• User Administrator Reference:
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#availab

- (Exam Topic 5)
You have device compliance policies shown in the following table.

The device compliance state for each policy is shown in the following table.

NOTE: Each correct selection is worth one point.

Solution:


Does this meet the goal?

1. A. Yes
2. B. No

Correct Answer: A

- (Exam Topic 5)
You have a Microsoft 365 tenant that contains 500 Windows 10 devices and a Microsoft Endpoint Manager device compliance policy.
You need to ensure that only devices marked as compliant can access Microsoft Office 365 apps. Which policy type should you configure?

1. A. conditional access
2. B. account protection
3. C. attack surface reduction (ASR)
4. D. Endpoint detection and response

Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started

- (Exam Topic 5)
You have a Microsoft 365 E5 subscription.
Users access Microsoft 365 from both their laptop and a corporate Virtual Desktop Infrastructure (VDI) solution.
From Azure AD Identity Protection, you enable a sign-in risk policy.
Users report that when they use the VDI solution, they are regularly blocked when they attempt to access Microsoft 365.
What should you configure?

1. A. the Tenant restrictions settings in Azure AD
2. B. a trusted location
3. C. a Conditional Access policy exclusion
4. D. the Microsoft 365 network connectivity settings

Correct Answer: B
There are two types of risk policies in Azure Active Directory (Azure AD) Conditional Access you can set up to automate the response to risks and allow users to self-remediate when risk is detected:
Sign-in risk policy User risk policy
Configured trusted network locations are used by Identity Protection in some risk detections to reduce false positives.
Reference:
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure- https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition

- (Exam Topic 5)
You have a Microsoft 365 tenant that contains 1,000 Windows 10 devices. The devices are enrolled in Microsoft Intune.
Company policy requires that the devices have the following configurations:
Require complex passwords.
Require the encryption of removable data storage devices.
Have Microsoft Defender Antivirus real-time protection enabled.
You need to configure the devices to meet the requirements. What should you use?

1. A. an app configuration policy
2. B. a compliance policyC a security baseline profile D a conditional access policy

Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started