Question 9 - Microsoft AB-900 Exam Questions [April 2026 Update]

Q: 9

You are investigating a suspected data theft incident and need to answer two separate questions: 1. Who changed several Entra admin roles and consented a suspicious enterprise application? 2. What potentially sensitive actions a speciﬁc user took across Exchange Online, SharePoint, and Teams in the last 30 days? Multiple engineers propose di[erent approaches to pull the necessary evidence while maintaining a clear separation between directory-level conﬁguration changes and cross- workload user activity. Which proposed approach best uses the appropriate tools for each part of this investigation?

Options

Correct Answer:

Explanation

This approach correctly separates the investigation into two appropriate tools based on the scope of each requirement. Microsoft Entra audit logs are specifically designed to capture directory-level configuration changes, including admin role modifications and application consent events. Microsoft Purview Audit (unified audit log) is the comprehensive solution for tracking user and admin activities across all Microsoft 365 workloads, including Exchange Online, SharePoint, and Teams. This separation ensures investigators use the most appropriate and comprehensive data source for each aspect of the investigation.

Why Incorrect

Option A is incorrect: Microsoft Entra sign-in logs only capture authentication events (successful and failed sign-ins). They do not record configuration changes like role modifications or application consent, nor do they capture detailed user activities within workloads like file access in SharePoint or message deletions in Exchange.

Option B is incorrect: Microsoft Entra audit logs are limited to directory-level events and do not capture activities within Microsoft 365 workloads. They would miss critical user actions in Exchange Online, SharePoint, and Teams that are essential for the second part of the investigation.

Option C is incorrect: While Microsoft 365 Defender's advanced hunting provides powerful threat investigation capabilities, it does not replace audit logs. It focuses on security signals and threats rather than comprehensive audit trails of all user and admin activities, particularly directory configuration changes.

References

1. Microsoft Learn - "Monitor Microsoft Entra activity with audit logs" (docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs) - Details that Entra audit logs capture directory changes including role assignments and app consent

2. Microsoft Learn - "Search the audit log in Microsoft Purview" (docs.microsoft.com/microsoft-365/compliance/audit-log-search) - Explains unified audit log captures activities across all Microsoft 365 services

3. Microsoft 365 Security Documentation - "Investigate incidents in Microsoft 365 Defender" (docs.microsoft.com/microsoft-365/security/defender/investigate-incidents) - Clarifies Defender's role in security investigations versus audit logging

4. Microsoft Learn - "Microsoft Entra sign-in logs" (docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins) - Specifies sign-in logs contain only authentication events

5. Microsoft Purview Documentation - "Auditing solutions in Microsoft Purview" (docs.microsoft.com/microsoft-365/compliance/audit-solutions-overview) - Describes comprehensive workload coverage of unified audit log

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE