SC-200 Practice Questions

This question refers to Microsoft Purview Content Search queries, which use KQL (Keyword Query Language) for searching files and metadata in SharePoint, Exchange, and other M365 repositories.

Search1: Author: " User1 " FileExtension:xlsx

This query searches for items authored by User1 and with file extension .xlsx .

In the dataset, only File3.xlsx has the .xlsx extension, but its Author is User3 , not User1.

Therefore, S earch1 will not return File3 → Answer: No . (Correction after logical review)

Search2: Author: " User* " and FileExtension:*

The wildcard User* matches any author name starting with “User” (User1, User2, User3).

FileExtension:* matches any file type that has a n extension.

Therefore, all three files (File1.docx, File2.docx, File3.xlsx) match this query.

Hence, Search2 will return File1 → Answer: Yes .

Search3: Author:(User1..3)

The range (User1..3) is interpreted as a range query that matches Author values between User1 and User3 .

This includes User1, User2, and User3 , depending on how metadata strings are indexed.

Therefore, File2 (authored by User2) is included in this range.

Hence, Search3 will return File2 → Answer: Yes .

✅ Final Correct Table

Statement

Yes

No

Search1 will return File3

✔ ️

Search2 will return File1

✔ ️

Search3 will return File2

✔ ️

Summary:

Search1: No (author and extension don’t match).

Search2: Yes (wildcard matches all “User” authors).

Search3: Yes (range includes User2).

These results align with Microsoft Purview content search KQL syntax and behavior documented in Microsoft 365 eDiscovery (Standard) and Purview content search guidance.

In advanced hunting, EmailPostDeliveryEvents records post-delivery actions taken on messages (e.g., Zero-hour Auto Purge – ZAP , Automated Investigation and Response). To find emails tha t were detected but not removed , filter for the post-delivery action with ActionType has " ZAP " and ActionResult == " Error " , which indicates ZAP attempted to remove the item but failed.

To correlate these mailbox events with recipient sign-ins, join to Sign inLogs . The mailbox recipient field is RecipientEmailAddress ; the corresponding identity field in sign-in data is the user principal name, exposed in normalized hunting schemas as AccountUpn . Therefore, use:

join kind=inner (...) on $left.RecipientEmailAdd ress == $right.AccountUpn

A complete pattern looks like:

EmailPostDeliveryEvents

| where Timestamp > = ago(7d)

| where ActionType has " ZAP " and ActionResult == " Error "

| project ErrorTime=Timestamp, ActionType, NetworkMessageId, RecipientEmailAddress

| join kind=inner (

SigninLogs

| project AccountUpn=UserPrincipalName, AppDisplayName, Protocol, DeviceDetail

) on $left.RecipientEmailAddress == $right.AccountUpn

| project ErrorTime, ActionType, NetworkMessageId, RecipientEmailAddress, AppDisplayName, Protocol, DeviceDetail

This returns failed ZAP removals and the associated recipient sign-in context.

Table: MicrosoftGraphActivityLogs

ResponseStatusCode: 401

In Microsoft Sentinel or Log Analytics workspaces, when analyzing logs for Microsoft Entra ID (formerly Azure AD) or Microsoft Graph API requests, authorization failures (requests denied due to invalid credentials or insufficient permissions) are typically represented by HTTP status code 401 (Unauthorized) .

According to Microsoft documentation for Microsoft Graph Activity Logs (part of Microsoft Entra ID logs integration with Azure Monitor and Sentinel), the ResponseStatusCode field contains the HTTP response code for API requests made to Microsoft Graph. The most relevant codes are:

401 – Unauthorized: The request could not be completed due to invalid or missing authentication credentials.

403 – Forbidden: The request was authenticated but does not have permission for the requested resource.

Since the question specifies identifying “requests that failed due to insufficient authorization ,” this refers specifically to authorization failures —situations where the system could not authenticate or authorize the request at all. In Microsoft’s terminology, this most directly maps to HTTP 401 Unauthorized responses.

The MicrosoftGraphActivityLogs table stores these entries, as it captures API requests from Entra-integrated applications to Microsoft Graph endpoints, including the fields ResponseStatusCode, AppId, UserId, ServicePrincipalId, RequestUri, and RequestMethod.

The appropriate KQL query completion would therefore be:

MicrosoftGraphActivityLogs

| where ResponseStatusCode == 403 or ResponseStatusCode == 401

| project AppId, UserId, ServicePrincipalId, ResponseStatusCode, RequestUri, RequestMethod

Answer Area Task

User

Enable Microsoft Defender for Servers on virtual mac hines:

User1

Review security recommendations and enable server vulnerability scans:

User1

Query successful

This is a role-based access control (RBAC) question using the principle of least privilege.

The table of users and roles is:

Name

Role

User1

Security administrator

User2

Security reader

User3

Contributor

Export to Sheets

Action: This is a management/configuration task at the subscription level, often related to enabling Defender plans and installing extensions on VMs.

Required Permissions: The ability to modify security policies and settings in Microsoft Defender for Cloud and the permission to install extensions on VMs.

The Security Administrato r role is explicitly designed for this, granting permissions to manage the security features, policies, and program enrollment (like enabling Defender plans).

The Contributor role can also perform this by installing the necessary agents and extensions, but it grants broad access to manage all resources, violating the principle of least privilege for a purely security-focused task.

Least Privilege User: User1 (Security administrator)

A ction: This task has two parts:

Review security recommendations: This is a read-only action. The Security Reader role is sufficient.

Enable server vulnerability scans: This means configuring a security feature (Vulnerability Assessment), which requires wri te access to the security configuration or the resource itself.

The Security Reader role cannot perform the " enable " action.

The Security Administrator role has the permissions required to modify security policy and configuration to enable scanning features.

The Contributor role can also do this, but again, the Security Administrator role is the least privileged for a security-specific configuration change.

Least Privilege User: Since the entire task includes an " enable " (write) action, we must use the role that can perform both read and write security actions. User1 (Security administrator) is the appropriate choice.

Task Analysis and Role Mapping 1. Enable Microsoft Defender for Servers on virtual machines. 2. Review security recommendations and enable server vulnerability scans.

Answer Area Task

User

Enable Microsoft Defender for Servers on virtual machines:

User1

Review security recommendations and enable server vulnerability scans:

User1

In Microsoft Defender for Cloud (formerly Azure Security Center), workflow automation is used to run Logic Apps in response to recommendations or alerts . Because your goal is to automatically remediate security risks (which are surfaced as recommendations —secure score items like missing configurations or hardening tasks), the Logic App should be wired to the Recommendation trigger. The workflow automation rule monitors recommendation events and calls your Logic App with the recommendation payload, enabling parameterized remediation. To test the Logic App from within Defender for Cloud, you use the Recommendations blade: open any applicable recommendation and choose the action to run the associated Logic App. This directly invokes LA1 with the correct context (affected resource, subscription, control ID), allowing you to validate inputs, connections, and remediation steps on demand. Options like Automation rules (alerts) or Workflow automation page “Run” aren’t suited for validating recommendation-driven remediation scenarios because they either act on alerts or don’t pass the full recommendation context needed for remediation. Therefore, select the Recommendation trigger and test execution from Recommendations .