Free Microsoft MS-900 Practice Test Questions MCQs

Explanation:
Windows Autopilot is used for device provisioning, but Office 365 ProPlus deployment requires separate configuration through Microsoft 365 admin tools. Two supported methods include allowing users to self-install from the Office 365 portal and enabling automatic deployment through admin policies. These options leverage cloud-based deployment rather than traditional MSI packages or Autopilot profile modifications.

Correct Option:

A - Use the self-install option on the Office 365 dashboard
This method allows users to install Office 365 ProPlus directly from the Office 365 software download page. Admins can enable or restrict this feature through the Office 365 admin center under Software download settings. It is a user-driven deployment model suitable for self-sufficient employees and requires no additional infrastructure.

C - Enable auto-deployment of Office 365 apps for all devices
This refers to deploying Office 365 ProPlus via Microsoft Intune or Configuration Manager integration with Microsoft 365 Apps admin center. Admins can configure automatic installation policies targeting devices or users. This method ensures Office is deployed silently without user intervention and is centrally managed.

Incorrect Option:

B - Download and install the Office ProPlus Windows Installer (MSI) package
Microsoft 365 Apps for enterprise (formerly Office 365 ProPlus) is no longer distributed via traditional MSI packages for current subscription versions. The recommended deployment uses Click-to-Run technology. While volume licensed versions may offer MSI, the question specifies Office 365 ProPlus subscription, making this method outdated and unsupported.

D - Update the Windows Autopilot deployment profile to include the Office 365 apps
Windows Autopilot deployment profiles do not contain settings to directly deploy Office 365 applications. Autopilot provisions the device and joins it to Azure AD/Intune, but application deployment must be configured separately through Intune or Configuration Manager policies. Autopilot itself does not include Office deployment capabilities.

Reference:
Choose how to deploy Microsoft 365 Apps

Manage Office installation options in the Microsoft 365 admin center

Explanation:
This question tests your knowledge of Azure AD capabilities and limitations. You need to evaluate three separate statements about Azure AD functionality regarding device management, directory integration, and authentication support. Each statement must be assessed independently based on Microsoft's official documentation.

Statement 1: You can manage Azure AD-joined machines by using group policy.

Answer: No
Group Policy is an Active Directory Domain Services (AD DS) feature and requires on-premises domain controllers. Azure AD-joined devices cannot process traditional Group Policy Objects (GPOs). These devices are managed using Microsoft Intune or mobile device management (MDM) policies via MDM enrollment with Azure AD.

Statement 2: Azure AD requires integration with Active Directory Domain Services by using secure lightweight Directory Access Protocol (LDAP).

Answer: No
Azure AD does not require integration with on-premises AD DS using secure LDAP. Azure AD is a cloud-native identity solution that functions independently. While organizations can optionally integrate Azure AD with on-premises AD DS using Azure AD Connect, secure LDAP is used for LDAP authentication to Azure AD Domain Services, not Azure AD itself.

Statement 3: Azure AD supports Azure AD Authentication Library (ADAL) authentication.

Answer: Yes
Azure AD supports ADAL for authentication. ADAL is the legacy authentication library for Azure AD that enables client applications to acquire tokens and authenticate users. However, Microsoft now recommends using Microsoft Authentication Library (MSAL) as ADAL is being deprecated, but Azure AD still supports ADAL-based authentication.

Reference:
Group Policy for Azure AD joined devices

What is Azure AD?

ADAL vs MSAL

Explanation:
Microsoft 365 provides several security-related benefits through built-in capabilities, shared responsibility, and Microsoft's operational investments. The question focuses on what Microsoft offers as part of the cloud service—not guarantees of absolute security or unauthorized access. Correct answers reflect Microsoft's documented security commitments and operational practices.

Correct Option:

B - Microsoft simplifies infrastructure management to help detect and respond to threats.
Microsoft 365 shifts infrastructure management to Microsoft, allowing organizations to focus on data and identity protection. Microsoft continuously monitors and applies security updates, patches, and threat intelligence across its cloud services. This reduces administrative overhead while improving threat detection and response through tools like Microsoft Defender and Sentinel.

C - Microsoft 365 monitors all customers for threats to prevent attacks.
Microsoft operates global threat intelligence and monitoring across Microsoft 365 services. This includes analyzing telemetry from billions of signals to identify emerging threats and applying protections such as blocking malicious attachments or links. Customers benefit from Microsoft's scale, which enables faster detection and mitigation than most individual organizations.

E - Microsoft employs a full-time team of penetration testers to identify vulnerabilities.
Microsoft maintains a dedicated team of security experts, including penetration testers and red teams, who continuously test Microsoft 365 for vulnerabilities. This proactive security testing helps identify and remediate weaknesses before they can be exploited. Customers gain from Microsoft's substantial investment in security research and engineering.

Incorrect Option:

A - Microsoft 365 prevents all attackers from gaining access to company data.
This statement is incorrect because no system can guarantee prevention of all attacks. Microsoft 365 provides advanced security controls and defense-in-depth, but security is a shared responsibility. Customers must also implement proper configuration, identity protection, and user training. Absolute prevention is impossible and not promised by Microsoft.

D - Microsoft 365 can troubleshoot security issues by accessing customer data without explicit permission from the customer.
This is false. Microsoft strictly follows privacy and data protection policies. Access to customer data for troubleshooting requires explicit customer authorization and is governed by strict controls. Microsoft cannot access customer data without permission, except under limited lawful circumstances outlined in the Online Services Terms.

Reference:
Microsoft 365 security overview

Shared responsibility in the cloud

Microsoft security testing

Microsoft privacy and data protection

Explanation:
The question specifically asks for an add-on licensing solution that protects against privacy risks. While Microsoft Purview focuses on compliance and data governance, Microsoft Priva is designed specifically for privacy risk management. It helps organizations respect user privacy, automate subject rights requests, and assess privacy risks in their Microsoft 365 environment.

Correct Option:

C - Microsoft Priva
Microsoft Priva is a privacy-focused solution that helps organizations protect personal data and comply with privacy regulations. It provides capabilities such as privacy risk assessments, subject rights request automation, and data minimization recommendations. Priva is available as an add-on license to Microsoft 365 and works alongside Purview to address privacy-specific risks.

Incorrect Option:

A - Safe Attachments
Safe Attachments is a feature of Microsoft Defender for Office 365. It protects against zero-day malware and malicious content in email attachments and documents. While it enhances security, it does not address privacy risks or personal data protection, which is the requirement in the question.

B - Microsoft Purview
Microsoft Purview is a comprehensive compliance solution covering information protection, data loss prevention, insider risk management, and data governance. Although it includes some privacy-related capabilities, it is primarily focused on compliance and data security rather than dedicated privacy risk management. Priva is the specific privacy add-on.

D - Azure Monitor
Azure Monitor is a monitoring and observability platform for Azure resources and on-premises infrastructure. It collects and analyzes telemetry data but does not provide privacy risk management or personal data protection capabilities relevant to Microsoft 365 privacy requirements.

Reference:
Microsoft Priva overview

Microsoft Priva vs Microsoft Purview

Microsoft 365 licensing for privacy

Explanation:
This question requires matching Microsoft 365 work management services to their correct feature descriptions. Each service has distinct capabilities for scheduling, task management, resource planning, and personal productivity. Understanding the core function of each Microsoft 365 tool is essential for correct matching.

Correct Matching:

Feature 1: Provides a service that allows you to track, manage, and organize your team's appointments and calendars.

Service: Microsoft Bookings
Microsoft Bookings is an online appointment scheduling tool. It allows organizations to manage customer appointments, staff calendars, and automated notifications. It integrates with Microsoft Teams and Outlook, making it ideal for service-based businesses needing centralized appointment management.

Feature 2: Provides a service that allows you to assign and manage tasks by using task cards.

Service: Microsoft Planner
Microsoft Planner is a lightweight project management tool that uses Kanban-style boards. Teams can create plans, assign tasks with due dates, attach files, and track progress using visual task cards. It is integrated within Microsoft Teams and is suitable for team-based task collaboration.

Feature 3: Provides a service that allows you to plan, prioritize, and manage resources.

Service: Microsoft Project
Microsoft Project is a professional project management solution for complex planning. It provides Gantt charts, resource management, budgeting, and advanced scheduling capabilities. It is available as both web-based (Project for the web) and desktop versions for enterprise project management needs.

Note:
Microsoft To Do is not used in any of the matches above. It is a personal task management app for individual productivity and synchronization with Outlook tasks, not for team-based appointment scheduling, task card management, or resource planning.

Reference:
Microsoft Bookings documentation

Microsoft Planner documentation

Microsoft Project documentation

Microsoft To Do documentation

Explanation:
The requirement is to apply different authentication behaviors depending on the application—enforcing additional verification for third-party federated apps but not for Microsoft Outlook. This is a classic scenario for Conditional Access policies in Azure AD, which allow granular controls based on application, user, location, device state, and risk level. MFA alone cannot selectively exclude specific applications without Conditional Access policies.

Correct Option:

A - Conditional Access
Conditional Access is the Azure AD feature that evaluates signals and enforces policies accordingly. You can create a policy targeting the federated third-party application requiring MFA, and another policy excluding Microsoft Outlook from MFA requirements. This provides the precise control needed without affecting Outlook access.

Incorrect Option:

B - Multi-factor authentication (MFA)
MFA is an authentication method, not a policy engine. While MFA can be enabled per user, it applies globally to all applications the user accesses. Per-user MFA cannot differentiate between Outlook and a third-party app. Conditional Access is required for application-specific MFA enforcement.

C - Active Directory Federation Services (AD FS)
AD FS is an on-premises identity federation service. It can provide MFA using third-party providers but does not offer the cloud-native, granular application-specific Conditional Access policies available in Azure AD. AD FS alone cannot selectively exclude Outlook from MFA requirements.

D - Self-service password reset (SSPR)
SSPR allows users to reset their own passwords without help desk intervention. It does not provide MFA enforcement or conditional access capabilities. SSPR can utilize MFA for verification during password reset, but it does not control authentication prompts for application access.

Reference:
What is Conditional Access?

Common Conditional Access policies

MFA vs Conditional Access

Explanation:
This question requires matching client features to the correct authentication source in a hybrid environment where on-premises apps use AD DS and cloud services use Azure AD. Understanding which directory service supports each capability is essential. Windows Hello requires on-premises AD DS integration, Intune management works with Azure AD joined devices, and Outlook on the web MFA is an Azure AD feature.

Correct Matching:

Client Feature 1: Log on to devices by using Windows Hello.

Authentication Source: AD DS only
Windows Hello for Business requires integration with on-premises AD DS for certificate-based or key-trust deployments. Even in hybrid scenarios, the Windows Hello provisioning process relies on AD DS for domain-joined devices. Azure AD-only devices use alternative methods, but the question specifies on-premises AD DS exists.

Client Feature 2: Log on to devices that are managed by Microsoft Intune.

Authentication Source: Azure AD only
Intune-managed devices must be joined or registered with Azure AD. Intune uses Azure AD as the identity provider for device enrollment, compliance, and management. While hybrid Azure AD joined devices exist, Intune management itself authenticates through Azure AD, not directly through on-premises AD DS.

Client Feature 3: Sign in to Outlook on the web by using multi-factor authentication.

Authentication Source: Azure AD only
Outlook on the web (Exchange Online) is a cloud service that authenticates through Azure AD. Multi-factor authentication policies are configured and enforced in Azure AD, regardless of whether the user is synced from on-premises AD DS. The authentication source for MFA is Azure AD.

Note:
"AD DS and Azure AD" is not used in any of the matches above because each feature relies primarily on one authentication source in this hybrid context, though synchronization may exist.

Reference:
Windows Hello for Business overview

Intune enrollment for Windows devices

MFA for Microsoft 365

Explanation:
Microsoft eDiscovery is a tool within Microsoft Purview for identifying, preserving, and exporting content relevant to legal or investigative cases. It supports searching across Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams. However, eDiscovery is not used for automated retention policies—that is handled by Microsoft Purview retention policies and labels.

Statement 1: Microsoft eDiscovery can be used to identify email content needed as evidence in a legal case.

Answer: Yes
eDiscovery is specifically designed for legal and investigative purposes. It allows authorized users to search for email content in Exchange Online, place holds on relevant mailboxes, and export results for legal review. This is a core eDiscovery capability.

Statement 2: Microsoft eDiscovery can be used to search for specific documents that are stored in SharePoint Online.

Answer: Yes
eDiscovery supports content searches across SharePoint Online sites and OneDrive for Business. Users can search for specific documents based on keywords, authors, dates, or other metadata, making it useful for identifying relevant evidence in investigations.

Statement 3: Microsoft eDiscovery can be used to ensure that documents in SharePoint sites are retained for seven years and then deleted.

Answer: No
Retention and deletion policies are managed by Microsoft Purview retention policies and labels, not eDiscovery. eDiscovery focuses on identifying, preserving, and exporting content for legal cases. Automated retention and deletion are compliance features separate from eDiscovery.

Reference:
Microsoft eDiscovery overview

Content search in Microsoft 365

Learn about retention policies and labels

Explanation:
This question requires matching cloud security features in Microsoft 365 and Azure to their correct descriptions. Each feature serves a distinct purpose: app discovery, access control, data protection, or infrastructure security. Understanding the primary function of each Microsoft security solution is necessary for accurate matching.

Correct Matching:

Description 1: Provide insight into which apps are being used in the organization and the risk levels for the apps.

Feature: Cloud Discovery dashboard
The Cloud Discovery dashboard is part of Microsoft Defender for Cloud Apps. It analyzes traffic logs to discover cloud app usage, assesses risk scores based on regulatory compliance and security standards, and provides visibility into shadow IT within the organization.

Description 2: Classify and label emails and documents in the organization.

Feature: Microsoft Azure Information Protection
Azure Information Protection (now part of Microsoft Purview Information Protection) enables organizations to classify, label, and protect sensitive documents and emails. It applies persistent protection that follows content wherever it goes, whether stored in SharePoint, emailed, or saved locally.

Description 3: Block users from accessing cloud apps from certain devices.

Feature: Microsoft Azure AD Conditional Access
Conditional Access policies in Azure AD can restrict access to cloud applications based on device compliance, location, or risk level. Administrators can block access from non-compliant devices, unmanaged devices, or specific device platforms to enforce security requirements.

Description 4: Manage security policies, monitor attacks against virtual machines, and provide remediation for vulnerabilities.

Feature: Microsoft Azure Security Center
Azure Security Center (now Microsoft Defender for Cloud) provides unified security management across hybrid cloud workloads. It includes vulnerability assessment, threat detection for virtual machines, security policy management, and recommendations for remediation to strengthen infrastructure security.

Note:
All four features are used exactly once in the matching above. Each description aligns precisely with one security feature's primary function.

Reference:
Microsoft Defender for Cloud Apps overview

Azure Information Protection documentation

Azure AD Conditional Access

Microsoft Defender for Cloud

Explanation:
This question requires matching common business scenarios to the correct Microsoft 365 service. Each service has a primary function: Exchange Online handles email and calendar, Microsoft Teams is the collaboration hub for meetings and chat, and Microsoft Stream is for video management. Understanding these core capabilities ensures accurate matching.

Correct Matching:

Scenario 1: Users need to communicate in email, use a calendar, and store contacts.

Microsoft 365 service: Exchange Online
Exchange Online is the cloud-based email, calendar, and contacts solution in Microsoft 365. It provides enterprise-grade email hosting, shared calendars, global address lists, and contact management. These are the core functions described in this scenario.

Scenario 2: Users need a central hub for meetings, chat, content, and calling.

Microsoft 365 service: Microsoft Teams
Microsoft Teams is the collaboration workspace in Microsoft 365. It integrates persistent chat, voice and video meetings, file sharing, and calling capabilities. Teams serves as the central hub bringing together people, conversations, and content in one interface.

Note:
Microsoft Stream is not used in either match. Microsoft Stream is the video service for storing, managing, and sharing videos within an organization. While videos can be shared in Teams, Stream's primary purpose is video content management, not email, calendar, or meetings.

Reference:
Exchange Online documentation

Microsoft Teams documentation

Microsoft Stream overview