Microsoft 365 Exam Deep Dive: Password Protection and Content Explorer in Microsoft Entra and Purview
In the Microsoft 365 ecosystem, enforcing strong password policies and understanding how data classification works through sensitivity and retention labels are essential for both security administrators and exam candidates preparing for MS-102 or MD-102 (Endpoint Administrator).
This article provides a step-by-step explanation of two critical exam-style questions — one focusing on password protection in Microsoft Entra ID and the other on label visibility in Microsoft Purview Content Explorer.
We’ll cover the reasoning behind each answer, explain the concepts in depth, and highlight key takeaways for both practical implementation and exam success.
Enforcing Strong Password Protection in Microsoft 365
Scenario
You manage a Microsoft 365 subscription containing an Azure AD tenant named contoso.com.
A corporate policy requires that no user password can include the word “contoso.”
Your goal is to enforce this rule so that it applies automatically across all user accounts in the directory.
Question
Corporate policy states that user passwords must not include the word “contoso.” What should you do to implement this corporate policy?
Options:
A. From Azure AD Identity Protection, configure a sign-in risk policy.
B. From the Microsoft Entra admin center, create a Conditional Access policy.
C. From the Microsoft 365 admin center, configure the Password policy settings.
D. From the Microsoft Entra admin center, configure the Password protection settings.
✅ Correct Answer: D
Detailed Explanation
The key to this question lies in understanding Microsoft Entra ID Password Protection, which extends beyond standard password complexity requirements.
It allows administrators to define custom banned words that are specific to their organization.
When users attempt to change or set a new password, Microsoft Entra ID checks the password against:
- Microsoft’s global banned password list (common passwords like “Password123” or “Qwerty!”).
- Your organization’s custom banned list (like “Contoso,” “CompanyName2025,” or “ITAdmin”).
If a password contains any banned word or variation, the system rejects the password instantly.
How to Configure Password Protection
Step 1:
Sign in to the Microsoft Entra admin center → https://entra.microsoft.com
Step 2:
Navigate to:
Protection → Authentication methods → Password protection
Step 3:
Under Custom banned passwords, click Add words, and enter terms like:
contoso
companyname
admin
Step 4:
Set Enforce custom list to Yes.
Step 5:
If you have a hybrid environment, you can also sync these settings with on-premises Active Directory by installing and configuring the Azure AD Password Protection proxy and agent.
Why Other Options Are Incorrect
- Option A (Sign-in Risk Policy)
Used to monitor and respond to risky sign-ins (e.g., unfamiliar location or device).
Not related to password complexity enforcement. - Option B (Conditional Access Policy)
Controls access conditions based on sign-in context (user, device, location).
Cannot enforce password structure. - Option C (Microsoft 365 Admin Center)
The Microsoft 365 Admin Center only provides basic password expiration and length options — not banned word lists.
Real-World Use Case
Organizations often include their company name, department names, or seasonal phrases in passwords (e.g., Contoso2025!, ITTeam123!).
Such passwords are predictable and easily exploited in brute-force attacks.
By enforcing banned password policies, you align your organization with Microsoft’s Zero Trust principles — enforcing security at every layer, including authentication.
Understanding Sensitivity and Retention Labels in Content Explorer
Scenario
Your Microsoft 365 E5 tenant includes the following labels:
| Name | Type |
|---|---|
| Label1 | Sensitivity |
| Label2 | Retention |
You also manage the following items:
| Name | Stored in | Description |
|---|---|---|
| File1 | SharePoint | File document with Label1 (Sensitivity) |
| File2 | Teams | File document with Label2 (Retention) |
| Mail1 | Exchange Online | Email message with Label1 (Sensitivity) |
| Mail2 | Exchange Online | Email message with Label2 (Retention) |
Question
Which items can you view in Microsoft Purview Content Explorer?
Options:
A. File1 only
B. File1 and File2 only
C. File1 and Mail1 only
D. File2 and Mail2 only
E. File1, File2, Mail1, and Mail2
✅ Correct Answer: C (File1 and Mail1 only)
Detailed Explanation
Microsoft Purview Content Explorer helps administrators visualize and audit where sensitive information resides across Microsoft 365 workloads.
However, not all labels appear in Content Explorer.
To understand why, let’s break down the two label types:
| Label Type | Purpose | Visible in Content Explorer? | Example |
|---|---|---|---|
| Sensitivity Label | Protects and classifies data. Can apply encryption, watermarks, and access controls. | ✅ Yes | “Confidential,” “Highly Sensitive” |
| Retention Label | Manages data lifecycle. Controls how long data is kept or when it’s deleted. | ❌ No | “Retain for 7 Years,” “Auto-Delete After 90 Days” |
How Content Explorer Works
Content Explorer is available under Microsoft Purview → Data Classification → Content Explorer.
It displays files and emails that:
- Contain sensitive information types (like credit card or passport numbers), or
- Have sensitivity labels applied.
Retention labels, however, do not appear here because they manage compliance policies and are tracked separately in Data Lifecycle Management reports.
Analysis of Each Item
| Item | Label Type | Appears in Content Explorer? | Explanation |
|---|---|---|---|
| File1 (SharePoint) | Sensitivity | ✅ Yes | Label1 = Sensitivity Label |
| File2 (Teams) | Retention | ❌ No | Retention labels not shown |
| Mail1 (Exchange) | Sensitivity | ✅ Yes | Label1 = Sensitivity Label |
| Mail2 (Exchange) | Retention | ❌ No | Retention labels not shown |
Thus, only File1 and Mail1 appear in Content Explorer.
Practical Tip
As an administrator, use Content Explorer to:
- Track where sensitive data is stored or shared.
- Validate that sensitivity labeling policies are applied correctly.
- Identify high-risk data exposure areas before compliance audits.
You can view content at two permission levels:
- Summary View: Shows label counts and file types.
- Detailed View: Shows filenames and paths (requires additional permissions).
Exam Tip and Real-World Link
For MS-102 and MD-102 exams, Microsoft expects you to:
- Understand where to configure password protection (Microsoft Entra → Password protection).
- Know what Content Explorer does (shows sensitivity label usage, not retention labels).
- Be able to distinguish between data protection and data lifecycle management.
In real environments, mastering these settings helps:
- Enforce consistent security policies.
- Achieve data governance compliance with frameworks like GDPR or ISO 27001.
- Build a secure and auditable Microsoft 365 tenant.
Key Takeaways
| Feature | Purpose | Managed From |
|---|---|---|
| Password Protection | Blocks weak or banned words in passwords. | Microsoft Entra Admin Center → Authentication Methods → Password Protection |
| Sensitivity Labels | Protect and classify content with encryption and visual markings. | Microsoft Purview → Information Protection |
| Retention Labels | Manage how long data is retained or deleted for compliance. | Microsoft Purview → Data Lifecycle Management |
| Content Explorer | Audits and locates sensitive-labeled content in SharePoint, OneDrive, and Exchange. | Microsoft Purview → Data Classification → Content Explorer |
Conclusion
These two questions — though simple in format — cover powerful Microsoft 365 features that strengthen security and compliance posture.
- Use Password Protection to enforce strong authentication policies and reduce the risk of password-based attacks.
- Use Content Explorer to maintain visibility into where sensitive information lives across your environment.
For IT admins, this isn’t just an exam question — it’s a foundation of Zero Trust security and modern compliance in Microsoft 365.
