Microsoft 365 Security Administration — Question 63

Your network contains an on-premises Active Directory domain. The domain contains servers that run Windows Server and have advanced auditing enabled.

The security logs of the servers are collected by using a third-party SIEM solution.

You purchase a Microsoft 365 subscription and plan to deploy Microsoft Defender for Identity by using standalone sensors.

You need to ensure that you can detect when sensitive groups are modified and when malicious services are created.

What should you do?

Answer options

• A. Configure Event Forwarding on the domain controllers.
• B. Modify the Domain synchronizer candidate settings on the Microsoft Defender for Identity sensors.
• C. Turn on Delayed updates for the Microsoft Defender for Identity sensors.
• D. Enable the Audit account management Group Policy setting for the servers.

Correct answer: A

Explanation

The correct answer is A because configuring Event Forwarding on the domain controllers allows the collection of security logs necessary for monitoring changes to sensitive groups. The other options do not directly address the requirement to detect modifications and are not essential for monitoring these security events.