Exam MS-101 topic 3 question 21 discussion

Answers are correct: YNY https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center?view=o365-worldwide Global Admins are members of Organization Management role in Exchange Online, which have the Compliance Admin right. So a Global Admin is able to change the policy

N: Compliance Data Admin does not have sufficient privilege. N: You cannot remove location once the preservation lock is in place. Y: You can still add. https://docs.microsoft.com/en-us/microsoft-365/compliance/retention-preservation-lock?view=o365-worldwide https://docs.microsoft.com/en-us/microsoft-365/compliance/retention-preservation-lock?view=o365-worldwide

- Yes - No - No

Based on the information provided, the updated answers to the questions are: A) Yes, User1 can add exchange email as a location to Policy1, as they have the Compliance Data Administrator role which allows them to manage settings for device management, data protection, data loss prevention, reports, and preservation. B) Yes, User2 can remove SharePoint sites from Policy1, as they have the Global Administrator role which grants them permissions to manage all aspects of Azure AD and Microsoft 365 services, including SharePoint. C) Yes, User2 can add the word "Acquisition" to Policy1, as they are a Global Administrator and have the necessary permissions to manage compliance policies. However, the current configuration of Policy1 only applies to content that contains the word "Merger," so adding a different keyword would require adjusting the policy configurations accordingly.

On exam on 13 aug'22

Preservation Lock locks a retention policy or retention label policy so that no one—including a global admin—can turn off the policy, delete the policy, or make it less restrictive. This configuration might be needed for regulatory requirements and can help safeguard against rogue administrators. To make it short. With "-RestrictiveRetention" you can only edit the policy to ADD content to it. See also; After a policy has been locked, no one can turn off or disable it, or remove content from the policy. And it's not possible to modify or delete content that's subject to the policy during the retention period. The only way that you can modify the retention policy are by adding content to it, or extending its duration. A locked policy can be increased or extended, but it can't be reduced, disabled, or turned off. Link; https://docs.microsoft.com/en-us/powershell/module/exchange/set-retentioncompliancepolicy?view=exchange-ps

https://docs.microsoft.com/en-us/powershell/module/exchange/set-retentioncompliancepolicy?view=exchange-ps#:~:text=%24true%3A%20Preservation%20Lock%20is%20enabled%20for%20the%20policy.%20No%20one%20(including%20an%20administrator)%20can%20turn%20off%20the%20policy%20or%20make%20it%20less%20restrictive

N | N | Y

When Policy is locked. Add or extend

You can add new locations but not remove them. Am I correct?

[or make it less restrictive], I was going for YES NO NO, but since user2 is a global admin and ADDING something doesn't make it LESS restrictive, then the last answer should be YES? Am I correct?

Confused. How is user 2 who is a "Global Admin" not able to remove SharePoint sites from Policy1?