Free Microsoft Fundamentals MS-900 Actual Exam Questions - Question 9 Discussion

Question No. 9

A company plans to migrate to Microsoft 365. You need to advise the company about how Microsoft provides protection in a multitenancy environment. What are three ways that Microsoft provides protection? Each correct answer presents part of the solution.

Andre R.
2026-02-19

B imo, since Azure AD is definitely about authorization and RBAC at the tenant level, which helps isolate access. E also makes sense because isolating mailbox databases by tenant would add a strong security boundary. A seems legit too since BitLocker is commonly used for encrypting data at rest on servers. C is off because TLS protects data in transit, not at rest, so that can be dropped. D feels wrong because Azure AD doesn’t really operate at the transport layer for access control. F contradicts the isolation principle, so it’s unlikely they mix mailboxes from different tenants in the same d

Daniel Y.
2026-02-09

Maybe D, B, and E? B and D both mention Azure AD providing authorization and RBAC, but at different layers. I think Microsoft really focuses on Azure AD to control access at the tenant level and also at the transport layer to secure communications. E seems right because isolating mailboxes per tenant in Exchange Online is a good way to protect data in a multitenant setup. A sounds okay but BitLocker is more about disk encryption, not really tenant-level protection. TLS in C is more about data in transit, so that’s probably out.

Ali N.
2026-02-09

TLS (option C) is mainly about protecting data in transit, not at rest, so that’s a no for this question. F doesn’t really make sense if we consider security boundaries—Microsoft typically isolates tenant data, so E makes more sense because mailbox databases usually hold mailboxes from just one tenant to prevent cross-tenant exposure. Pairing E with A and B fits well: BitLocker for data at rest encryption, Azure AD for tenant-level access control, and database isolation for tenant separation.

Fahad L.
2026-01-27

E imo, because Exchange Online aims to isolate tenant data, so mailbox databases typically only contain mailboxes from a single tenant, not multiple. That would provide better security boundaries. Also, A seems legit since BitLocker is known for encrypting data at rest. B fits too since Azure AD handles authorization and role-based access control at the tenant layer rather than transport, which is more about network security. So I’d go with A, B, and E here.

Fahad L.
2026-01-26

A and B for sure, plus F since Exchange is multitenant by design.

Fahad L.
2026-01-22

BitLocker encryption is definitely a key method Microsoft uses, so A makes sense. Also, Azure AD’s role-based access control is more about the tenant layer, not transport, so B looks right too. F fits since mailboxes are multitenant. So, A, B, and F.

Fahad L.
2026-01-20

A imo, because BitLocker is definitely used to encrypt data at rest on servers, so that’s one way Microsoft protects customer content. F also fits since Exchange Online mailbox databases do contain mailboxes from multiple tenants but still keep data isolated. D seems off because Azure AD controls authorization at the tenant layer, not transport. So I’d go with A, B, and F.

Ahmed K.
2026-01-16

Maybe B, D, and F? I’m not 100% sure, but Azure AD definitely handles authorization. Though I wonder if they meant TLS for data in transit rather than at rest, so C might be off. Also, I thought mailbox databases usually contain multiple tenants in Exchange Online for efficiency—does that mean option E is wrong? Just wish they’d clarify what exactly they mean by “tenant layer” vs “transport layer” here.
