PL-500 Question #122: Real Exam Question with Answer & Explanation
This question tests the understanding of Data Loss Prevention (DLP) policy assignment for applications based on their data sensitivity, development stage, and automatic inclusion requirements.
Question
Drag and Drop Question
You are setting up a data loss prevention (DLP) policy for an environment. The default policy group is set to Non-business. You must configure the following apps in the policy:
- AppA will be used for tracking business-sensitive data.
- AppB will be deployed in six months and must be automatically added to the published policy.
- AppC uses a custom connector. The connector uses personal data for testing. When testing is complete, the connector will connect to business-sensitive data.
You need to select the appropriate policy for each app. Which policy should you use for each app? To answer, drag the appropriate policies to the correct apps. Each app may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Answer:
Explanation
Approach. To answer correctly, policies must be matched to apps based on their described characteristics:
- AppA: 'AppA will be used for tracking business-sensitive data.' This directly indicates that AppA should handle business data. Therefore, 'Business data' is the appropriate policy. This ensures that AppA can interact with other business data sources while preventing data leakage to non-business services.
- AppB: 'AppB will be deployed in six months and must be automatically added to the published policy.' The requirement for automatic addition points to the default behavior for new applications. The scenario explicitly states, 'The default policy group is set to Non-business.' Thus, the 'Default group' policy is correct, as it ensures AppB is automatically categorized into the non-business group upon deployment.
- AppC: 'AppC uses a custom connector. The connector uses personal data for testing. When testing is complete, the connector will connect to business-sensitive data.' During the testing phase with personal data, and given its future connection to business-sensitive data, it's crucial to prevent any accidental mixing or exfiltration. Assigning the 'Blocked' policy ensures that AppC's custom connector cannot interact with any data sources, providing the highest level of data protection until it's ready for production and explicitly moved to the 'Business data' policy. This prevents potential data loss or compliance issues during development and testing.
Common mistakes.
- Assigning 'Business data' to AppC: While AppC will eventually connect to business-sensitive data, it is currently in a testing phase using personal data. Assigning 'Business data' prematurely could lead to data mixing or unauthorized access if not properly secured, which defeats the purpose of DLP.
- Assigning 'Blocked' to AppB: AppB needs to be automatically added to a policy upon deployment. Assigning 'Blocked' would prevent it from operating entirely, which contradicts the deployment requirement.
- Assigning 'Default group' to AppA: AppA is explicitly stated to handle business-sensitive data. Assigning it to the 'Default group' (Non-business) would prevent it from accessing necessary business data sources, or would categorize it inaccurately.
- Using 'Move to business': 'Move to business' is not a policy category for an app in the same way 'Blocked' or 'Business data' are. It typically refers to an administrative action to change a connector's data group classification, not a policy to assign to an app itself, making it a distractor option in this context.
Concept tested. Data Loss Prevention (DLP) policies, Power Platform data groups (Business, Non-business, Blocked), connector classification, and managing application lifecycle stages within DLP frameworks.