Exam MS-203 topic 2 question 16 discussion

Correct Answer is D, Mail Flow Rule. A connector dont encrypt messages (message content), just the connection itself (TLS).

Outbound connector can encrypt emails using "Always use Transport Layer Security (TLS) to secure the connection (recommended)". All Exchange mail flow rules are processed first, and then the DLP rules from the Security & Compliance Center are processed. https://docs.microsoft.com/en-us/microsoft-365/compliance/how-dlp-works-between-admin-centers?view=o365-worldwide

A is correct

Agree that D would be better, especially when it states that messages need to be encrypted (and not specifically in transport). But if I think twice about the requirement that the messages need to be inspected by DLP I come back to answer A. This is because DLP mail flow rule is already in place - most probably for all domains, so you cannot edit this one. Instead you'll create a new one for Fabrikam. And here comes the catch: "In the transport pipeline, mail flow rules evaluate and act on message before DLP rules." https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/configuration-best-practices#dont-chain-dlp-rule-actions-and-mail-flow-rule-conditions

The question asks for the solution to satisfy two requirements: messages to go through DLP rules before Encryption. How do you do this using a connector?

the link to the reference shows Mail flow rules and these are used to encrypt messages

You can create DLP policies in the Microsoft Purview compliance portal, but also in the Exchange admin center. DLP policies from the Admin center resemble those in Purview but have more options specific to handling mail. Source: https://learn.microsoft.com/en-us/microsoft-365/compliance/how-dlp-works-between-admin-centers?view=o365-worldwide The order in which the rules are processed: 1. DLP + mail flow rules from Exchange 2. DLP from Purview Within the Exchange admin center you can create a data loss prevention policy (tested it with one that scans for mail containing credit card numbers), lets say give it prio 3, and then create a mail flow rule that encrypts mail to fabrikam.com or whatever and give it prio 4. This will meet the requirement of encrypting the message itself while allowing for DLP before the encryption. Based on this the answer should be D. As stated by more people here, an outbound connector can only encrypt the connection, not the message itself; therefor A is wrong.

Correct Answer is A

You can create a mail flow rule which encrypts based on DLP inspection results: https://learn.microsoft.com/en-us/microsoft-365/compliance/ome-sensitive-info-types?view=o365-worldwide Example mail flow rule created with PowerShell when you want to encrypt a message if the email or attachment contains sensitive information: Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $true New-TransportRule -Name "Encrypt outbound sensitive emails (out of box rule)" -SentToScope NotInOrganization -ApplyRightsProtectionTemplate "Encrypt" -MessageContainsDataClassifications @(@{Name="ABA Routing Number"; minCount="1"},@{Name="Credit Card Number"; minCount="1"},@{Name="Drug Enforcement Agency (DEA) Number"; minCount="1"},@{Name="U.S. / U.K. Passport Number"; minCount="1"},@{Name="U.S. Bank Account Number"; minCount="1"},@{Name="U.S. Individual Taxpayer Identification Number (ITIN)"; minCount="1"},@{Name="U.S. Social Security Number (SSN)"; minCount="1"}) -SenderNotificationType "NotifyOnly"

D is the correct answer

ON exam - 4/18/2022 All 3 case studies were also on exam

I think this is tricky verbiage question. It doesn't say ome or rms encryption. Note if you use mail flow rules and encrypt you won't be able to inspect messages for dlp.

Only a mailflow rule can encrypt a message itself, a connector can encrypt the connection. So answer is D

Connectors encrypt the traffic betwen endpoints only on the transport layer not the message itself. Based on Microsoft documentation it must be D. https://docs.microsoft.com/en-us/microsoft-365/compliance/define-mail-flow-rules-to-encrypt-email?view=o365-worldwide

"However, if you forward a message that was sent through a TLS-encrypted connection, that message isn't necessarily encrypted. TLS doesn't encrypt the message, just the connection." So yes connector will encrypt it during transport but it will not leave it encrypted at destination like mail flow encryption setting would

on exam 11-27-21

Little hint. Microsoft Exchange Online - you don't configure outbound setting. ~Server Exchange does~ Read the question, its say Exchange Online. Very little configuration on Connectors, there is no security or encryption. Transport Rule OR Mail Flow Rule there you have encryption and TLS. With Love~