MS-102 – Implement App Protection (Microsoft Defender for Cloud Apps)
1. What type of security solution is Microsoft Defender for Cloud Apps?
Endpoint Detection and Response (EDR)
Cloud Access Security Broker (CASB)
SIEM solution
Defender for Cloud Apps is a CASB.
2. Which deployment modes are supported by Defender for Cloud Apps?
Log collection, API connectors, and reverse proxy
Agent-only deployment
Firewall-based inspection only
It supports logs, APIs, and reverse proxy.
3. What is the purpose of Cloud Discovery?
Discover and analyze cloud apps using traffic logs
Apply DLP labels
Block user sign-ins
Cloud Discovery analyzes traffic logs to identify Shadow IT.
4. What does sanctioning an app mean?
Blocking all app access
Deleting the app tenant
Approving an app for use based on risk assessment
Apps are sanctioned or unsanctioned based on risk.
5. What do app connectors use to collect data?
Cloud app provider APIs
Firewall logs
Endpoint agents
App connectors use APIs for visibility and control.
6. Conditional Access App Control is based on which architecture?
Direct VPN tunneling
Reverse proxy
Endpoint agent scanning
It inspects traffic through a reverse proxy.
7. What is a key benefit of Conditional Access App Control?
Real-time control of access and activities
Offline device protection
Email spam filtering
It provides real-time visibility and enforcement.
8. Which policy type scans files for sensitive data?
File policy
Activity policy
Access policy
File policies protect information in cloud apps.
9. What happens when a file policy is enabled?
Only new files are scanned
Scanning occurs once
Files are continuously scanned and actions applied
Policies continuously scan cloud environments.
10. Which policy detects unusual upload behavior like massive data transfers?
Cloud Discovery anomaly detection policy
File policy
Access policy
It detects abnormal activity from logs.
11. What is required before deploying Defender for Cloud Apps?
Licensing for every protected user
Intune enrollment
Firewall replacement
Each protected user requires a license.
12. What type of report provides ad-hoc cloud usage visibility?
Continuous report
Snapshot Cloud Discovery report
Threat analytics report
Snapshot reports are manual and ad-hoc.
13. How old can traffic log events be for Cloud Discovery?
90 days
30 days
180 days
Events older than 90 days are ignored.
14. Which alert classification means the alert is accurate but activity is legitimate?
Benign positive
False positive
True positive
A benign positive is an accurate alert, but the activity is legitimate and not a threat.
15. Where can administrators review and filter Cloud Apps alerts?
Secure Score
Alerts page in Microsoft Defender portal
Microsoft Entra admin center
Alerts are reviewed and filtered on the Alerts page in the Microsoft Defender portal.