MS-102 Practice Test Video Answer
1. B
Set-SPOTenant -SharingDomainRestrictionMode AllowList is the correct cmdlet to configure SharePoint Online to only allow external sharing with specific verified domains. This creates an allow list of approved domains for external collaboration while blocking all others.
2. A
The correct sequence is: Create policy → Select admin roles → Configure location condition → Require MFA → Enable policy. This ensures all components are configured before enabling, and the location condition can exclude the corporate network while requiring MFA from external locations.
3. D
Creating a tenant allow/block list entry for the partner domain is the recommended approach in Defender for Office 365 Plan 2. This allows specific domains or email addresses while maintaining other security protections. Option A bypasses too much security, and options B and C are less precise methods.
4. C
Azure Rights Management (Azure RMS) service must be activated before sensitivity labels can apply encryption. RMS provides the encryption infrastructure that sensitivity labels use. The other components depend on RMS being active first.
5. C
A mail flow rule (transport rule) with Office 365 Message Encryption is the most appropriate solution for automatically encrypting emails based on content conditions like credit card numbers being sent externally. This provides automatic encryption at the transport level.
6. A
External access settings in Teams admin center control federation and communication with external Teams and Skype for Business users. You can disable Skype for Business federation while maintaining Teams-to-Teams external communication here.
7. A
Seamless SSO can be enabled by running the Azure AD Connect wizard and selecting the seamless SSO feature. It works with Password Hash Sync and doesn’t require changing the authentication method or deploying additional infrastructure.
8. A
Litigation Hold is the appropriate solution to preserve mailbox content and prevent deletion or modification during legal investigations. It suspends all retention and deletion processes for the mailbox while maintaining user access.
9. A
Enabling an archive mailbox provides virtually unlimited additional storage through auto-expanding archives in Exchange Online. The archive is included with most licenses and doesn’t require a license change.
10. A
The Unified Audit Log with a configured retention policy is the correct solution. Microsoft 365 allows audit log retention policies up to 10 years for E5 licenses, and this captures all administrative actions across Microsoft 365 services.
11. A
A Conditional Access policy with app-enforced restrictions (also called application-enforced restrictions) for SharePoint allows you to control device access at a granular level, permitting browser-only access from unmanaged devices while blocking downloads.
12. C
Hybrid migration with move requests is the best method for migrating mailboxes in batches over an extended period. It provides the most flexibility, allows coexistence, and enables incremental migration without service disruption.
13. A
A retention policy scoped to the Exchange email location with a delete action after 30 days in the Deleted Items folder is the correct approach. This uses Microsoft Purview Data Lifecycle Management to automatically enforce deletion policies.
14. A
The user must enroll their device in Microsoft Intune and ensure it meets the compliance policies required by the Conditional Access policy. Personal devices can be enrolled and marked compliant if they meet organizational requirements.
15. A
A Teams retention policy with location-specific settings allows you to configure automatic deletion of Teams channel messages after a specified period. This can be applied to specific teams or channels as needed.
16. A
Kerberos Constrained Delegation (KCD) must be properly configured for SSO to work with Azure AD Application Proxy. KCD allows the Application Proxy connector to obtain Kerberos tickets on behalf of users for authentication to backend applications.
17. A
Microsoft 365 Groups expiration policy in Azure AD automatically enforces expiration for all Microsoft 365 Groups (including Teams) and requires group owners to renew them before the expiration date. This can be set to any duration, including 180 days.
18. A
Content Search in Microsoft Purview combined with New-ComplianceSearchAction with the -Purge parameter is the correct method to search across all mailboxes and permanently delete malicious emails. This is the recommended approach for post-breach email remediation.
19. A
An Autopilot deployment profile must be configured with Azure AD join and automatic Intune enrollment settings. This profile is assigned to devices (by serial number or hardware hash) and automates the entire OOBE process.
20. A
Creating a communication compliance policy is the first step. These policies define what communications to monitor, what conditions to look for (like harassment keywords), and who will review flagged communications.
21. A
Automated investigation and remediation (AIR) settings with full automation level in Microsoft Defender for Endpoint can automatically isolate devices when critical threats are detected. This enables rapid response without manual intervention.
22. A
Granting Full Access permission without automapping allows the user to access the shared mailbox through File > Open > Other User’s Mailbox but prevents it from automatically appearing in their folder list. Automapping can be disabled using PowerShell with the -AutoMapping $false parameter.
23. A
The “data theft by departing users” template in Insider Risk Management is specifically designed to detect unusual data downloads and risky activities by employees who have submitted resignations or are identified as departing users.
24. A
The anti-phishing policy with composite authentication settings allows you to configure actions for emails that fail SPF, DKIM, and DMARC checks. You can set it to reject or quarantine messages that fail multiple authentication checks.
25. A
Role settings in Privileged Identity Management allow you to configure activation requirements, including requiring approval from designated approvers before users can activate privileged roles like Global Administrator.
26. A
App protection policy data protection settings with “Policy managed apps” as the allowed destination for cut, copy, and paste operations prevent data transfer from managed apps to unmanaged personal apps while allowing transfer between managed apps.