MS-102 Practice Tests on 365 Administration Exam Topics

Microsoft MS-102 Administrator Exam Topics

Want to pass the MS-102 certification exam on your first try? You are in the right place, because we have put together a collection of sample MS-102 exam questions that will help you learn key Microsoft 365 administration concepts and prepare for the real MS-102 test.

All of these MS-102 practice questions come from my Microsoft 365 training courses and the certificationexams.pro website, two resources that have helped many students pass the MS-102 exam. If you are interested in even more MS-102 practice tests, using exam simulators with realistic question styles is highly recommended.

MS-102 Administrator Practice Questions

These are not MS-102 exam dumps or braindumps. They are carefully developed questions that resemble what you will experience on the real MS-102 certification exam. They will help you prepare honestly and build real foundational knowledge in Microsoft 365 administration.

So get ready to test your skills. Good luck on these practice questions, and even better luck when you take the official MS-102 exam.

Fill in the missing word. To protect data in Acme Cloud Workspace from accidental deletion, cyber threats and other forms of data loss, administrators should implement a comprehensive __ strategy.

  • ❏ A. Retention and legal hold policy

  • ❏ B. Cloud Storage snapshot policies

  • ❏ C. Encryption at rest

  • ❏ D. Backup

At Meridian Tech, when a Microsoft Teams data loss prevention rule prevents external sharing of confidential content, what happens to messages that contain that sensitive information and are sent to external recipients within 30 seconds?

  • ❏ A. quarantined for compliance review

  • ❏ B. redacted and delivered with placeholders

  • ❏ C. automatically deleted from the thread

  • ❏ D. blocked and not delivered to external recipients

A regional retailer named Meridian Retail runs an on-premises Active Directory domain and has an AD FS farm with two AD FS servers on the internal network and two Web Application Proxy servers in the DMZ. The team configures hybrid identity with an Entra ID tenant and deploys a custom Microsoft Entra Connect setup that uses one active Entra Connect server and one server in staging mode. The requirement is to track sign-in activity, including the count and kinds of authentications and the count and kinds of authentication failures. The administrators install the Microsoft Entra Connect Health agent for AD FS on the AD FS servers and on the WAP servers. Does this configuration provide the required authentication activity and failure telemetry?

  • ❏ A. Enable Entra ID sign in logs and forward them to Log Analytics

  • ❏ B. Yes, installing the Entra Connect Health agent on AD FS and WAP is sufficient

  • ❏ C. No

  • ❏ D. Deploy Microsoft Sentinel and ingest AD FS and Entra ID telemetry

The security operations unit at Northwind Logistics is overwhelmed by a continuous stream of security alerts. Which capability in Microsoft 365 Defender can automate the investigation and remediation of those alerts?

  • ❏ A. Microsoft Intelligent Security Graph

  • ❏ B. Automated investigation and remediation

  • ❏ C. Microsoft Defender for Endpoint

  • ❏ D. Security Action Center

A user has not configured alternate contact methods for self service password reset. What should they do next?

  • ❏ A. Contact Microsoft support to request a password reset

  • ❏ B. Ask the Microsoft 365 administrator to reset the account password

  • ❏ C. Use a registered mobile phone to receive a verification code and reset the password

You are the IT lead for a midsize firm that recently moved its messaging to Microsoft 365 and initially used the tenant default onmicrosoft.com domain. The company now wants to use its own domain example.com for email and other services, and you have already added and verified example.com in the Microsoft 365 admin center. What is the next action you should take to complete the custom domain setup?

  • ❏ A. Attempt to delete the tenant default onmicrosoft.com domain

  • ❏ B. Configure the domain DNS records such as MX, TXT and CNAME at the domain registrar

  • ❏ C. Change each user primary email address to use the new example.com domain manually from the admin console

  • ❏ D. Create a separate Microsoft 365 tenant that is bound to example.com and migrate users into it

When you create a data loss prevention policy for an organization that includes Exchange Online, SharePoint, OneDrive, and Teams, which configuration choice specifies the exact services and repositories where the policy will be enforced?

  • ❏ A. Permissions

  • ❏ B. Sensitivity labels

  • ❏ C. Locations

  • ❏ D. Retention labels

Which threat management capabilities are bundled with Contoso Email Protection subscriptions? (Choose 3)

  • ❏ A. Anti-spam filtering

  • ❏ B. Protection against malicious URLs and attachments

  • ❏ C. Anti-malware scanning

  • ❏ D. Advanced anti-phishing controls

  • ❏ E. Zero hour automatic message removal

Which of the following statements describe features and advantages of using Contoso Entra Connect and Contoso Entra Cloud Sync for hybrid identity management? (Choose 3)

  • ❏ A. Password Hash Synchronization lets users sign in with their local directory credentials without deploying extra infrastructure

  • ❏ B. Federation integration enables authentication to be redirected to external identity systems including third party multifactor services

  • ❏ C. Pass through Authentication requires lightweight on premises agents but enforces on premises account states immediately

  • ❏ D. Connect Health telemetry is available without purchasing additional service licenses

In Microsoft 365 Defender where do you go to review high severity incidents that occurred in the past seven days?

  • ❏ A. Alerts

  • ❏ B. Incidents

  • ❏ C. Threat analytics

  • ❏ D. Advanced hunting

As a compliance lead at a regional bank, you want to understand which tiers Compliance Manager uses when calculating scores. Which of the following is not a level at which Compliance Manager assigns a score value?

  • ❏ A. Control rating

  • ❏ B. End user behavior score

  • ❏ C. Remediation action score

  • ❏ D. Evaluation score

You manage tenant services for a company that uses Contoso 365 and you need to add multiple verified domains to the subscription. What is the maximum number of domains you can register?

  • ❏ A. 1200 domains

  • ❏ B. 900 domains

  • ❏ C. 150 domains

  • ❏ D. 600 domains

Which two primary elements of Entra Connect Health are used to monitor directory synchronization services? (Choose 2)

  • ❏ A. Cloud Monitoring

  • ❏ B. Entra Connect Health monitoring agent

  • ❏ C. Identity Protection for Azure Active Directory

  • ❏ D. Entra Connect Health for synchronization services

Brightleaf Systems holds a Microsoft 365 E3 subscription and plans to trial attack simulation training for all employees. Which pairing of social engineering tactic and training scenario does the E3 trial offer?

  • ❏ A. Credential harvesting and Mass Market Phishing

  • ❏ B. Credential harvesting and Web based phishing

  • ❏ C. Malicious hyperlink and Web Phishing

  • ❏ D. Malware attachment and Identity Theft simulation

Which actions enable administrators to deploy sensitivity labels and label policies in the Compliance Center? (Choose 2)

  • ❏ A. Publish sensitivity labels by adding them to a label policy

  • ❏ B. Delete sensitivity labels and retroactively remove protections

  • ❏ C. Use PowerShell cmdlets to configure additional label settings

An international marketing firm is configuring its Acme Productivity Suite tenant and needs to manage global account details and security policies. Which tasks can an administrator perform when managing the organization settings? (Choose 4)

  • ❏ A. Change the organization’s legal entity name

  • ❏ B. Require multifactor authentication for users

  • ❏ C. Apply a custom visual theme and logo to the tenant

  • ❏ D. Define password expiration and rotation rules

Fabrikam Inc is looking to strengthen access controls for its Microsoft Azure administrative operations and they must ensure that every administrator uses an extra verification step when they manage Azure resources regardless of where they sign in from. Which Conditional Access policy will meet this requirement?

  • ❏ A. Block sign ins that use legacy authentication protocols

  • ❏ B. Require organization managed devices for administrative applications

  • ❏ C. Enforce multi factor authentication for administrative operations in Azure

  • ❏ D. Block access from specific geographic regions

Marigold Systems used an App Usage Scanner and discovered multiple high-risk third-party applications being accessed by staff members. The chief information officer wants immediate measures to reduce security exposure. Which action should be taken first?

  • ❏ A. Cut off access to all identified high risk applications immediately

  • ❏ B. Enforce conditional access controls through Cloud Identity to restrict risky app access

  • ❏ C. Deploy Data Loss Prevention policies using Cloud DLP

  • ❏ D. Perform a detailed assessment of application usage and possible data exposure

You work as a compliance administrator at a regional charity and you need to limit access to a SharePoint Online site by using sensitivity labels. Which capability must you activate first?

  • ❏ A. Microsoft Purview compliance portal

  • ❏ B. Enable sensitivity label support for Teams Microsoft 365 groups and SharePoint sites

  • ❏ C. Autolabeling policies for SharePoint

  • ❏ D. Azure Information Protection unified labeling client

Which metric is not typically displayed in a network diagnostics overview within an admin portal?

  • ❏ A. DNS lookup latency

  • ❏ B. Individual user web browsing history

  • ❏ C. TCP round trip latency

  • ❏ D. HTTP error rate

You manage IT for a mid sized company named Meridian Solutions and you plan to deploy multi factor authentication while minimizing user disruption. Which MFA approach lets you enforce detailed access rules based on conditions such as a user’s network location or the compliance state of their device?

  • ❏ A. Microsoft Authenticator mobile app

  • ❏ B. OATH one time password hardware tokens

  • ❏ C. Azure Active Directory security defaults

  • ❏ D. Conditional Access policies

A workstation at BrightWave Analytics is exhibiting unusual outbound connections and unauthorized processes and you must stop further damage immediately. Which capability of the vendor endpoint protection solution should you use?

  • ❏ A. Threat and vulnerability risk management

  • ❏ B. Attack surface reduction policies

  • ❏ C. Endpoint isolation

  • ❏ D. Automated investigation and remediation

  • ❏ E. Custom indicators of compromise

As the messaging administrator for a regional nonprofit, you want to apply encryption only when messages are delivered to people outside your company. Which condition should you add to the mail flow rule to achieve that goal?

  • ❏ A. The recipient is inside the organization

  • ❏ B. The sender is outside the organization

  • ❏ C. The recipient is outside the organization

  • ❏ D. The sender is inside the organization

A multinational retailer plans to use Microsoft Entra Privileged Identity Management to strengthen administration across their Azure and Microsoft 365 tenants. Which combination of controls should they implement to manage privileged roles effectively?

  • ❏ A. Assign eligible roles but rely on manual quarterly access reviews and skip activation MFA for convenience

  • ❏ B. Make all Global Administrator accounts permanently active while enforcing multi factor authentication for activation

  • ❏ C. Maintain permanent break glass emergency accounts and do not require MFA when activating roles

  • ❏ D. Apply time-limited eligible assignments for critical administrators, enforce multifactor authentication for role activation, and enable automated access reviews

Is it possible to retrieve license purchase records, subscription status, and billing cadence from the Entra ID admin center?

  • ❏ A. Entra ID admin center

  • ❏ B. Microsoft 365 admin center

A regional insurance company runs an on premises Active Directory domain with a domain controller named DC-01 and a member host named SRV-APP02. The security team plans to deploy Microsoft 365 Defender for Identity and install a standalone sensor on SRV-APP02. What configuration is required so the Defender for Identity sensor can observe the domain controller network traffic?

  • ❏ A. Install the Microsoft Monitoring Agent on SRV-APP02

  • ❏ B. Add SRV-APP02 to the Domain Admins group

  • ❏ C. Enable port mirroring from DC-01 to SRV-APP02

  • ❏ D. Open inbound Windows Firewall rules on SRV-APP02 for traffic from DC-01

If security teams leave insider risk alerts uninvestigated for a prolonged interval, can the system increase the alert severity level?

  • ❏ A. No, the alert severity remains the same

  • ❏ B. Yes, unresolved alerts can have their severity escalated

At Verdant Systems, you must assign a role in Azure Active Directory to an engineer who needs to configure multifactor authentication settings and manage user authentication methods while also handling support cases in both the Azure portal and the Microsoft 365 admin center. Which role should you assign to this engineer?

  • ❏ A. Privileged Authentication Administrator

  • ❏ B. User Administrator

  • ❏ C. Authentication Administrator

  • ❏ D. Authentication Policy Administrator

A regional nonprofit called HarborTech is adding a custom domain such as staff.example.com to its CloudWork productivity platform and must prove control of the domain before it can be used with the service. What method can be used to verify ownership?

  • ❏ A. Upload a verification HTML file to the site root

  • ❏ B. Add a TXT record to the domain DNS records

  • ❏ C. Send a message from an address at the domain to the vendor support team

  • ❏ D. Arrange a live video session with support to present identity documents

How do app connectors used by a cloud access security broker collect telemetry and configuration data from the cloud services they monitor?

  • ❏ A. They require installing agent software on every user device

  • ❏ B. They use cloud providers’ public APIs to collect telemetry and settings without agents

  • ❏ C. They intercept user sessions as an inline proxy to enforce policies

You are a Microsoft 365 administrator at Evergreen Technologies, and after you re-enabled directory synchronization several users are unable to sign in. What is the most likely cause of this problem?

  • ❏ A. Directory synchronization was turned off using Azure AD PowerShell

  • ❏ B. User passwords were modified in Microsoft 365

  • ❏ C. The on premises Active Directory regained authority over the user accounts

  • ❏ D. Accounts were deleted from the local Active Directory

You work as a risk analyst at Northbridge Systems and you are reviewing the internal threat categories covered in a recent compliance briefing. Which of the following items was not defined as an internal risk in that briefing?

  • ❏ A. Insider trading by employees

  • ❏ B. Theft of company intellectual property

  • ❏ C. Employee morale and job satisfaction

  • ❏ D. Unauthorized disclosure of confidential information

You work as the IT lead for a regional nonprofit called HarborTech and you must apply configuration policies for Microsoft 365 Apps for enterprise to staff computers that are not joined to an Active Directory domain. Which capability should you use?

  • ❏ A. Microsoft 365 Apps Health

  • ❏ B. Servicing Profile

  • ❏ C. Office Customization Tool

  • ❏ D. Office Cloud Policy Service

As an administrator at NovaTech you need to restore a user’s ability to send email after they were blocked. Which approaches can you use to remove the block?

  • ❏ A. Reset the user password in the tenant identity management console

  • ❏ B. Use Exchange Online PowerShell to clear the block

  • ❏ C. Both of the above methods

  • ❏ D. Remove the account from the “Restricted accounts” section of the organization security portal

Which Microsoft Entra ID Protection settings will send immediate alerts for high risk accounts and deliver a weekly digest to selected security leads?

  • ❏ A. Enable the “Users at risk detected” alert for low risk accounts and notify all administrators

  • ❏ B. Enable the “Users at risk detected” alert for high risk accounts and configure the weekly digest to selected security leads

  • ❏ C. Rely on the Risky users report in the admin center for manual reviews

ArborTech is configuring endpoint data loss prevention inside the ArborTech Data Governance portal and the security team needs clarity on how the settings behave across platforms and resources. Which of the following statements about endpoint DLP settings are accurate? (Choose 2)

  • ❏ A. Restricted app groups take precedence over entries in the restricted apps list when both appear in the same rule

  • ❏ B. Network share coverage and exclusion settings extend endpoint DLP policies to file shares and mapped network drives

  • ❏ C. You can configure file path exclusions for both Windows and macOS clients

  • ❏ D. Advanced content classification and enforcement is available only on Windows devices

As an administrator of a Contoso 365 tenant, which administrative role must be assigned to permit creation of guest users in the tenant directory?

  • ❏ A. Compliance Administrator

  • ❏ B. Privileged Role Administrator

  • ❏ C. Global Administrator or a limited Azure AD directory role like Guest Inviter or User Administrator

  • ❏ D. Security Administrator

You are the IT lead at a growing retail chain named Cedar Row and you need to monitor the Microsoft Secure Score for the organization over time. You have observed a decline during the past four weeks. Which tab should you open to view the score timeline and the actions recorded in that timeframe?

  • ❏ A. Trends and metrics

  • ❏ B. Dashboard overview

  • ❏ C. Cloud Monitoring

  • ❏ D. Score history

You are the IT lead for Meridian Finance and you need to delegate compliance responsibilities to specific administrators. One team member must monitor regulatory compliance procedures and handle compliance alerts across Microsoft 365 services. Which role should you assign to that team member?

  • ❏ A. Microsoft 365 Migration Administrator

  • ❏ B. Global Administrator

  • ❏ C. Compliance Data Administrator

  • ❏ D. Exchange Administrator

An email has two retention labels. One label deletes the message after three years and the other preserves the message for eight years before deleting it. Which retention period applies?

  • ❏ A. Removed after three years

  • ❏ B. Retained for eight years then removed

  • ❏ C. Preserved permanently

You are the chief information security officer at a regional retail chain that is planning to migrate its operations to cloud platforms. What is a core concern you should have about Microsoft 365?

  • ❏ A. How well Microsoft 365 integrates with Google Cloud Identity for unified access control

  • ❏ B. Whether the Microsoft 365 user experience will require extensive retraining for staff

  • ❏ C. How Microsoft 365 defends employee accounts and organizational data against cyber attacks

  • ❏ D. The pricing differences between Microsoft 365 subscription tiers

Aegis Health Solutions plans to use Microsoft Entra Connect cloud sync to mirror their on premises Active Directory with Microsoft Entra ID and they want to restrict synchronization to employees in specific departments and groups. Which configuration change in the cloud sync setup will best enforce this limitation?

  • ❏ A. Use attribute mappings to filter users by their department attribute

  • ❏ B. Use on demand provisioning to manually pick individual users for synchronization

  • ❏ C. Apply scoping filters that target security groups or organizational units in the on premises Active Directory

  • ❏ D. Enable password hash synchronization across the entire on premises directory

A regional distributor requires 25 mailboxes for staff and two of the mailboxes will be shared by two employees. Five staff members are field technicians who do not need the desktop Microsoft 365 apps. The administrator purchased 20 Microsoft 365 Business Standard licenses and 5 Microsoft 365 Business Basic licenses to minimize cost. Is this the correct purchase for licensing the users?

  • ❏ A. Buy a reduced set of 23 licenses with 18 Microsoft 365 Business Standard and 5 Microsoft 365 Business Basic

  • ❏ B. Yes, the purchased mix of licenses is appropriate

  • ❏ C. No, this procurement is not optimal

  • ❏ D. Use Exchange Online Plan 1 for the five field technicians instead of Business Basic

Aurora Systems uses Microsoft 365 and its policy prohibits sending Social Security Numbers by email. Can you create an Azure Information Protection label and configure its policy from the Azure portal to enforce that restriction?

  • ❏ A. True

  • ❏ B. False

Which core element should be secured to establish a Zero Trust control plane?

  • ❏ A. Network firewall rules

  • ❏ B. Digital identities for users, services and devices

  • ❏ C. Cloud VPN configurations

For high availability in its file synchronization service, Contoso recommends running how many active Sync agents?

  • ❏ A. Two active Sync agents

  • ❏ B. Four active Sync agents

  • ❏ C. Three active Sync agents

  • ❏ D. One active Sync agent

A regional firm named Northbridge Solutions uses Microsoft 365 for email collaboration and cloud tools and they plan to roll out Microsoft Intune for device management. All staff currently have Microsoft 365 Business Standard and the organization does not want to upgrade from Standard although they may accept a modest additional cost. Which license would allow them to deploy Microsoft Intune?

  • ❏ A. Microsoft 365 Business Premium

  • ❏ B. Microsoft Intune standalone subscription

  • ❏ C. Microsoft 365 E3 license

  • ❏ D. Enterprise Mobility and Security E3

In the Everguard compliance dashboard, how long can it take for rule matches from the default endpoint DLP policy to appear in the status tile?

  • ❏ A. 1.5 days

  • ❏ B. 3 days

  • ❏ C. 2 days

  • ❏ D. 1 day

Which statements about role assignments in Contoso’s Entra Privileged Identity Management are accurate? (Choose 3)

  • ❏ A. Active role assignments provide immediate role access without extra steps

  • ❏ B. PIM supports only permanent role assignments

  • ❏ C. Eligible role assignments require activation or a request for approval before use

  • ❏ D. Time limited assignments can be scheduled with specific start and end dates for both eligible and active statuses

When synchronizing data with a cloud provider, how should an integration handle API rate limits and throttling?

  • ❏ A. Use event streaming to avoid polling APIs

  • ❏ B. Batch and pace API calls and stagger large operations over time

  • ❏ C. Ignore limits and retry on throttled responses

365 Administrator Expert Exam Answers

Fill in the missing word. To protect data in Acme Cloud Workspace from accidental deletion, cyber threats and other forms of data loss, administrators should implement a comprehensive __ strategy.

  • ✓ D. Backup

The correct option is Backup.

A comprehensive Backup strategy provides separate, restorable copies of data so administrators can recover from accidental deletion, corruption, or ransomware. Backups enable point in time restores and can be stored in separate locations or systems so recovery is possible even when the primary environment is compromised.

Retention and legal hold policy preserves data for compliance and can prevent intentional deletion, but it does not create recoverable copies or provide point in time restores for operational recovery.

Cloud Storage snapshot policies suggests point in time copies for certain storage types, but snapshots are usually limited to particular resources and do not replace a full backup program that includes offsite retention and recovery planning.

Encryption at rest protects the confidentiality of stored data, but it does not prevent deletion or corruption and it does not provide a mechanism to restore lost or compromised data.

When a question asks about protecting data from accidental deletion or ransomware, focus on recoverability and think of backup as the operational solution rather than only retention rules or encryption.

At Meridian Tech, when a Microsoft Teams data loss prevention rule prevents external sharing of confidential content, what happens to messages that contain that sensitive information and are sent to external recipients within 30 seconds?

  • ✓ C. automatically deleted from the thread

The correct option is automatically deleted from the thread.

When a Microsoft Teams data loss prevention rule prevents external sharing of confidential content, the enforcement removes the offending messages from the conversation so that the sensitive content is no longer accessible in the thread. This removal happens within the short evaluation window, so messages sent to external recipients are deleted rather than left visible.

Microsoft Purview DLP for Teams scans messages and applies the configured enforcement action in real time, and in this scenario the configured action is removal, so the messages are deleted from the thread.

quarantined for compliance review is incorrect because Teams chat messages are not moved to a quarantine folder in the same way that some email threats are handled. Quarantine workflows apply to other service areas and are not the typical Teams DLP outcome.

redacted and delivered with placeholders is incorrect because Teams does not typically replace sensitive chat content with placeholders for external recipients. Redaction is not the standard enforcement for Teams chat messages.

blocked and not delivered to external recipients is incorrect because blocking would prevent delivery but the described behavior is that the message is removed from the thread after detection. The exam scenario expects the deletion behavior rather than simple blocking.

Focus on the exact enforcement verb used in the question and match it to the action described in the Microsoft documentation when you choose an answer.

A regional retailer named Meridian Retail runs an on-premises Active Directory domain and has an AD FS farm with two AD FS servers on the internal network and two Web Application Proxy servers in the DMZ. The team configures hybrid identity with an Entra ID tenant and deploys a custom Microsoft Entra Connect setup that uses one active Entra Connect server and one server in staging mode. The requirement is to track sign-in activity, including the count and kinds of authentications and the count and kinds of authentication failures. The administrators install the Microsoft Entra Connect Health agent for AD FS on the AD FS servers and on the WAP servers. Does this configuration provide the required authentication activity and failure telemetry?

  • ✓ C. No

The correct option is No.

This configuration does not provide the required authentication activity and failure telemetry. The Microsoft Entra Connect Health agent for AD FS monitors service health, performance counters, and configuration issues and it generates alerts, but it does not produce aggregated counts and kinds of authentications or the detailed authentication failure counts that the requirement asks for.

To capture counts and types of authentications and failures, you must collect Entra ID sign-in logs for cloud authentication events, and you must also collect AD FS audit and debug events from the on-premises AD FS servers and the Web Application Proxy layer. Those logs need to be forwarded to Log Analytics or a SIEM, and you must enable the appropriate diagnostic settings to get the detailed telemetry.

Enable Entra ID sign in logs and forward them to Log Analytics is not sufficient by itself. Entra ID sign-in logs provide detailed cloud authentication events, but they do not include the AD FS internal events and WAP layer failures needed for a complete view of on-premises federation activity.

Yes, installing the Entra Connect Health agent on AD FS and WAP is sufficient is incorrect because the Connect Health agent focuses on health and performance and does not emit the kinds of authentication and failure counts requested. The agent helps troubleshoot AD FS performance and configuration, but it does not replace sign-in logs or AD FS audit logging for authentication metrics.

Deploy Microsoft Sentinel and ingest AD FS and Entra ID telemetry is not the selected answer to the question as presented, but it is a valid remediation. If you deploy Sentinel and ingest both Entra ID sign-in logs and AD FS events into Log Analytics, you can build reports that show counts and kinds of authentications and failures. The option is marked incorrect for the prompt because the question asked whether the current agent installation already provides the required telemetry.

When you must decide if an existing deployment meets a logging requirement, first list what each component actually collects and then map those items to the required telemetry. Entra Connect Health provides health metrics and alerts, not detailed sign-in or authentication failure counts.

The security operations unit at Northwind Logistics is overwhelmed by a continuous stream of security alerts. Which capability in Microsoft 365 Defender can automate the investigation and remediation of those alerts?

  • ✓ B. Automated investigation and remediation

Automated investigation and remediation is the correct option.

This capability in Microsoft 365 Defender automatically investigates alerts by collecting related signals and applying built-in investigation logic to determine the scope and cause of an incident. It can then apply automated remediation actions to contain threats and reduce the manual effort required by the security operations team.

Microsoft Intelligent Security Graph is incorrect because it is a set of threat intelligence and APIs that surface signals across Microsoft services rather than the specific automation feature that runs investigations and remediations.

Microsoft Defender for Endpoint is incorrect because it is a product that provides endpoint protection and telemetry. The question asks for the capability that automates investigation and remediation across alerts and products, which is the automated investigation and remediation feature within Microsoft 365 Defender.

Security Action Center is incorrect because that name does not refer to the automated investigation and remediation capability. It sounds like a console or summary view and it is not the feature that performs automated investigations and remediation.

When a question asks about a capability, look for an answer that describes an automatic action or workflow rather than a product name. Focus on terms like automated investigation or remediation when alerts need to be handled with minimal manual work.

A user has not configured alternate contact methods for self service password reset. What should they do next?

  • ✓ B. Ask the Microsoft 365 administrator to reset the account password

The correct answer is Ask the Microsoft 365 administrator to reset the account password.

This is correct because self-service password reset requires alternate contact methods to be registered, and if the user has not configured those methods, they cannot use the automated reset flow. The administrator can reset the password from the Microsoft 365 admin center or enable self-service password reset for the user so they can recover their account in the future.

Contact Microsoft support to request a password reset is incorrect because Microsoft support will generally not reset a customer account password without verification and administrative control. The organization administrator is the person with the required privileges to perform the reset.

Use a registered mobile phone to receive a verification code and reset the password is incorrect because this option relies on the user having previously registered a mobile number or other authentication method. Since the user did not set up alternate contact methods, they cannot receive a verification code and cannot complete a self service reset.

When self service password reset is unavailable, check whether alternate contact methods are configured. If they are not, ask your Microsoft 365 administrator to perform the reset or enable SSPR for future recovery.

You are the IT lead for a midsize firm that recently moved its messaging to Microsoft 365 and initially used the tenant default onmicrosoft.com domain. The company now wants to use its own domain example.com for email and other services, and you have already added and verified example.com in the Microsoft 365 admin center. What is the next action you should take to complete the custom domain setup?

  • ✓ B. Configure the domain DNS records such as MX TXT and CNAME at the domain registrar

The correct action is Configure the domain DNS records such as MX TXT and CNAME at the domain registrar.

After you have added and verified example.com, Microsoft 365 still requires the DNS records to be published at your registrar so mail and other services can be routed to the tenant. By configuring the domain DNS records such as MX TXT and CNAME at the domain registrar, you provide the MX record that directs email to Exchange Online, the TXT record that is used for verification and SPF, and the CNAME records that support Autodiscover and other service endpoints. Once those records are in place and propagated, you can safely update user addresses and complete the domain switch.

Attempt to delete the tenant default onmicrosoft.com domain is incorrect because the onmicrosoft.com domain is the tenant default and it cannot be removed while it is in use. Deleting or trying to remove that domain is not the step to complete custom domain setup and it will fail if objects still reference it.

Change each user primary email address to use the new example.com domain manually from the admin console is not the immediate next step because mail flow will break if DNS is not configured first, and manual changes for many users are inefficient. You should publish the required DNS records and then update user addresses using bulk methods or PowerShell when ready.

Create a separate Microsoft 365 tenant that is bound to example.com and migrate users into it is unnecessary and disruptive because you have already verified example.com in the existing tenant. Creating a new tenant would add complexity and would require removing the domain from the original tenant before it could be used elsewhere.

Publish DNS records first and confirm they have propagated before changing user addresses. Use bulk update tools or PowerShell to update many accounts to avoid manual edits.

When you create a data loss prevention policy for an organization that includes Exchange Online, SharePoint, OneDrive, and Teams, which configuration choice specifies the exact services and repositories where the policy will be enforced?

  • ✓ C. Locations

The correct answer is Locations.

Locations is the setting used when you define exactly which services and repositories the DLP policy will monitor and enforce. When you create a policy, you choose locations such as Exchange Online mailboxes, SharePoint sites, OneDrive accounts, and Teams chats and channels so the policy applies only where you select. You can also scope to specific sites or mailboxes for precise control.

Permissions is not correct because permissions determine who can access content and what they can do. Permissions settings do not define the scope of DLP enforcement across services and repositories.

Sensitivity labels are used to classify and protect content by applying labels that can enforce encryption or access restrictions. They do not specify which services or repositories a DLP policy will be applied to, so they are not the correct choice.

Retention labels control how long content is retained and when it is deleted or reviewed. They manage retention and disposition of content and do not define the exact locations where a DLP policy is enforced. Therefore they are not correct.

When a question asks which setting defines where a policy is applied, remember to look for the Locations option in the DLP policy wizard. Choosing specific services or sites is how you scope enforcement, while labels and permissions serve different functions.

Which threat management capabilities are bundled with Contoso Email Protection subscriptions? (Choose 3)

  • ✓ A. Anti-spam filtering

  • ✓ C. Anti-malware scanning

  • ✓ E. Zero hour automatic message removal

The correct options are Anti-spam filtering, Anti-malware scanning, and Zero hour automatic message removal.

Anti-spam filtering is a core capability that blocks unsolicited and bulk email before it reaches user inboxes. It is commonly included in base email protection subscriptions because it reduces noise and lowers the risk of users interacting with malicious messages.

Anti-malware scanning inspects attachments and message content for known malware signatures and heuristics so that malicious files are detected and quarantined or blocked as part of the standard threat management stack.

Zero hour automatic message removal lets the service retroactively remove or quarantine messages after delivery when a new threat is identified. It provides an important safety net for threats that are discovered after emails were allowed through.

Protection against malicious URLs and attachments is listed as incorrect because URL rewriting and advanced attachment sandboxing are often provided by higher tier features such as Safe Links and Safe Attachments rather than by the most basic bundled subscription.

Advanced anti-phishing controls is incorrect because advanced phishing protection typically includes sophisticated impersonation detection and automated threat response and those controls are usually part of an upgraded or separate product tier.

When you see a list that mixes core and advanced features, look for the basic capabilities that every email protection tier includes, such as anti-spam and anti-malware, and treat URL rewriting, sandboxing, and advanced anti-phishing as features to verify against higher level plans.

Which of the following statements describe features and advantages of using Contoso Entra Connect and Contoso Entra Cloud Sync for hybrid identity management? (Choose 3)

  • ✓ A. Password Hash Synchronization lets users sign in with their local directory credentials without deploying extra infrastructure

  • ✓ B. Federation integration enables authentication to be redirected to external identity systems including third party multifactor services

  • ✓ C. Pass through Authentication requires lightweight on premises agents but enforces on premises account states immediately

The correct options are Password Hash Synchronization lets users sign in with their local directory credentials without deploying extra infrastructure, Federation integration enables authentication to be redirected to external identity systems including third party multifactor services, and Pass through Authentication requires lightweight on premises agents but enforces on premises account states immediately.

Password Hash Synchronization lets users sign in with their local directory credentials without deploying extra infrastructure is correct because the feature synchronizes a hash of the on premises password to Azure AD so users can sign in to cloud services with the same credentials and there is no need to deploy and maintain federation servers for primary cloud authentication.

Federation integration enables authentication to be redirected to external identity systems including third party multifactor services is correct because federation redirects sign in requests to the external security token service so third party MFA and corporate authentication policies can handle the authentication flow while Azure AD accepts the federated tokens.

Pass through Authentication requires lightweight on premises agents but enforces on premises account states immediately is correct because pass through authentication uses agents installed on premises to validate credentials against the local directory and it reflects account locks and password changes in real time without full federation.

Connect Health telemetry is available without purchasing additional service licenses is incorrect. Azure AD Connect Health for comprehensive telemetry and alerts requires the appropriate Azure AD licensing and is not an always free capability.

On exam questions, focus on where authentication is validated and whether the option requires on premises infrastructure or specific licensing. Pay special attention to wording that mentions real time enforcement or extra infrastructure, and remember that Azure AD Connect Health typically requires premium licensing.

In Microsoft 365 Defender, where do you go to review high severity incidents that occurred in the past seven days?

  • ✓ B. Incidents

The correct option is Incidents.

In Microsoft 365 Defender, the Incidents view aggregates related alerts into incidents and provides an incident level timeline with severity and time range filters so you can review high severity incidents from the past seven days.

Alerts is incorrect because alerts are individual detections and they do not provide the correlated, incident level view that is used to review high severity incidents across a time window.

Threat analytics is incorrect because it provides threat intelligence reports and guidance rather than a list of recent incidents to review.

Advanced hunting is incorrect because it is a query based telemetry tool for custom investigations and hunting rather than the default incident dashboard for reviewing recent high severity incidents.

When a question asks where to review recent incidents, think about the place that consolidates and correlates alerts. Use the Incidents page and check the time and severity filters to match the requirement.

As a compliance lead at a regional bank, you want to understand which tiers Compliance Manager uses when calculating scores. Which of the following is not a level at which Compliance Manager assigns a score value?

  • ✓ B. End user behavior score

End user behavior score is the correct answer because Compliance Manager does not assign a separate tier called End user behavior score when it calculates its compliance score.

Compliance Manager calculates an overall compliance score from measurements that are tied to controls and to actions that improve compliance. The scoring model uses things such as Control rating to reflect the state of a control, and it accounts for points from improvement or remediation activities often expressed as a Remediation action score. The assessment or evaluation of controls is also represented in the scoring model and is commonly referenced as an Evaluation score. There is no distinct End user behavior score produced by Compliance Manager as a scoring level.

Control rating is incorrect because it is a real scoring element that represents how a control is implemented and how many points it contributes to the overall score.

Remediation action score is incorrect because remediation or improvement actions are tracked and scored to increase the compliance score when they are completed.

Evaluation score is incorrect because evaluation or assessment results are part of the scoring model and contribute to the overall compliance calculation.

Read the question carefully and focus on the scoring model elements that are tied to controls and improvement actions. Pay attention to whether an option describes a control or an action versus a behavioral metric that sounds plausible but is not part of Compliance Manager.

You manage tenant services for a company that uses Contoso 365 and you need to add multiple verified domains to the subscription. What is the maximum number of domains you can register?

  • ✓ B. 900 domains

The correct answer is 900 domains.

Microsoft 365 tenants can add up to 900 domains that are verified for use with email addresses and identity services. This limit is set by Microsoft and applies to the tenant as a whole, so administrators must remove an existing verified domain if they need to add more after reaching the limit.

1200 domains is incorrect because the supported maximum is lower than that and Microsoft documents state the limit is 900 rather than 1200.

150 domains is incorrect because that number is far below the actual supported maximum and would understate the number of domains you can register.

600 domains is incorrect because it is also below the documented maximum and does not reflect the current limit of 900 domains.

Memorize key numeric limits and then verify them in the official documentation when studying. 900 is the number to remember for verified domains in a Microsoft 365 tenant.

Which two primary elements of Entra Connect Health are used to monitor directory synchronization services? (Choose 2)

  • ✓ B. Entra Connect Health monitoring agent

  • ✓ D. Entra Connect Health for synchronization services

The correct answers are Entra Connect Health monitoring agent and Entra Connect Health for synchronization services.

The Entra Connect Health monitoring agent is the component you install on the server running Azure AD Connect. It collects telemetry such as performance counters, events, and errors so that synchronization health can be evaluated and issues can be diagnosed.

The Entra Connect Health for synchronization services component is the service and portal view that aggregates the agent telemetry. It provides alerts, health insights, and reports specifically about directory synchronization operations and status.

Cloud Monitoring is not correct because it is a generic term for monitoring solutions and it does not refer to the specific Entra Connect Health agent or the synchronization services view that monitor AD Connect sync.

Identity Protection for Azure Active Directory is focused on sign in risk and user identity threats and it does not provide the on premises synchronization telemetry or sync service health reporting that Entra Connect Health delivers.

When a question asks about Entra Connect Health, look for choices that mention an agent or explicit synchronization services, since those are the elements that collect and display directory sync health.

Brightleaf Systems holds a Microsoft 365 E3 subscription and plans to trial attack simulation training for all employees. Which pairing of social engineering tactic and training scenario does the E3 trial offer?

  • ✓ B. Credential harvesting and Web based phishing

The correct option is Credential harvesting and Web based phishing.

Credential harvesting and Web based phishing is correct because the attack simulation training scenario is designed to replicate a phishing web page that collects credentials and measures user responses. The simulated attack sends a phishing email that directs users to a fake sign in page and that matches the description of web based phishing aimed at credential harvesting.

Credential harvesting and Mass Market Phishing is incorrect because the scenario name in the training is focused on web based phishing and credential collection rather than a generic mass market phishing label. The trial highlights targeted web page credential capture rather than a broad mass market classification.

Malicious hyperlink and Web Phishing is incorrect because the exam and product use the specific terminology of web based phishing paired with credential harvesting. Using a generic term like web phishing or emphasizing just a malicious hyperlink does not match the precise scenario name offered in the trial.

Malware attachment and Identity Theft simulation is incorrect because malware attachment simulations and identity theft simulations are different types of exercises and they are not the pairing described by the attack simulation training trial for Microsoft 365 E3. The trial focuses on phishing that leads to credential harvesting via web pages rather than delivering malware attachments or an identity theft scenario.

When you see answer choices that differ by wording, pay attention to the exact feature names used in Microsoft documentation. Match the precise phrase such as Web based phishing with the corresponding outcome like Credential harvesting to select the correct option.

Which actions enable administrators to deploy sensitivity labels and label policies in the Compliance Center? (Choose 2)

  • ✓ A. Publish sensitivity labels by adding them to a label policy

  • ✓ C. Use PowerShell cmdlets to configure additional label settings

The correct options are Publish sensitivity labels by adding them to a label policy and Use PowerShell cmdlets to configure additional label settings.

Publish sensitivity labels by adding them to a label policy is the mechanism administrators use in the Compliance Center to deploy labels to users and workloads. Creating labels alone does not make them available to users, and administrators must publish sensitivity labels by adding them to a label policy to set scope, targeting, and policy behavior so the labels are actually applied.

Use PowerShell cmdlets to configure additional label settings is correct because some label configuration and bulk or advanced management tasks are supported only through PowerShell. Administrators can automate publishing, adjust settings that are not available in the portal, and manage labels at scale by using the provided cmdlets.

Delete sensitivity labels and retroactively remove protections is incorrect because deleting a label does not reliably or automatically remove protections from content that was already labeled. Protections such as encryption and rights management are applied to content and may persist or require explicit removal workflows rather than simply deleting the label.

Remember that labels must be published to be available to users and that PowerShell can manage settings and scenarios that are not exposed in the portal.

An international marketing firm is configuring its Acme Productivity Suite tenant and needs to manage global account details and security policies. Which tasks can an administrator perform when managing the organization settings? (Choose 4)

  • ✓ A. Change the organization’s legal entity name

  • ✓ B. Require multifactor authentication for users

  • ✓ C. Apply a custom visual theme and logo to the tenant

  • ✓ D. Define password expiration and rotation rules

The correct options are Change the organization’s legal entity name, Require multifactor authentication for users, Apply a custom visual theme and logo to the tenant, and Define password expiration and rotation rules.

Change the organization’s legal entity name is a tenant profile setting that administrators can edit in the organization or tenant settings. Updating the legal entity name ensures billing records and official communications reflect the correct company information.

Require multifactor authentication for users can be enforced by administrators through identity and access controls such as conditional access policies or security defaults. Requiring MFA is a common tenant level security policy to protect user accounts from compromise.

Apply a custom visual theme and logo to the tenant is a branding capability available to administrators so that sign in pages and the productivity suite interface can display corporate logos and color schemes. This helps maintain consistent company branding for users.

Define password expiration and rotation rules is an identity policy that administrators can configure to require periodic password changes and to set complexity and rotation requirements. These rules are part of the tenant level password and authentication settings.

When deciding which tasks belong to organization settings, look for global scope items that affect all users, such as identity policies, branding, and legal or billing information. Tenant level responsibilities usually include these types of controls.

Fabrikam Inc is looking to strengthen access controls for its Microsoft Azure administrative operations, and it must ensure that every administrator uses an extra verification step when they manage Azure resources, regardless of where they sign in from. Which Conditional Access policy will meet this requirement?

  • ✓ C. Enforce multi factor authentication for administrative operations in Azure

The correct option is Enforce multi factor authentication for administrative operations in Azure.

This Conditional Access policy can be scoped to Azure administrative roles and to the management applications, so it forces an extra verification step whenever an administrator performs administrative tasks. It ensures an additional authentication factor is required for administrative operations regardless of where the administrator signs in from, which meets the requirement.

Block sign ins that use legacy authentication protocols helps reduce risk by stopping older clients that cannot do modern authentication, but it does not itself force every administrator to perform an extra verification step for administrative operations regardless of location.

Require organization managed devices for administrative applications restricts administrative access to managed or compliant devices, which can improve security, but it will block administrators who are not on managed devices and it does not guarantee that every admin will use an extra verification factor at every sign in.

Block access from specific geographic regions restricts access based on location, which can reduce exposure from certain areas, but it does not enforce multi factor authentication for all administrators regardless of where they sign in, so it does not satisfy the stated requirement.

When a question asks to force an extra verification step for all administrators, look for a Conditional Access policy that targets administrative roles and requires multi factor authentication rather than one that only focuses on device or location restrictions.

Marigold Systems used an App Usage Scanner and discovered multiple high risk third party applications being accessed by staff members. The chief information officer wants immediate measures to reduce security exposure. Which action should be taken first?

  • ✓ D. Perform a detailed assessment of application usage and possible data exposure

The correct answer is Perform a detailed assessment of application usage and possible data exposure. This investigation should come first because it reveals what data is at risk and which users and apps are involved, so the organization can prioritize responses and avoid unnecessary disruption.

A detailed assessment provides the evidence needed to take targeted actions. It lets you identify the apps that actually have access to sensitive data and the scope of exposure so you can plan measured responses such as targeted blocking, tailored access policies, or tuned data protection rules rather than applying blunt measures.

Cut off access to all identified high risk applications immediately is not the best opening move because an immediate blanket cutoff can disrupt critical business functions and may block legitimate services. You should confirm risk and impact before taking broad enforcement actions.

Enforce conditional access controls through Cloud Identity to restrict risky app access is a useful control, but it depends on knowing which users and data to protect and how apps are used. Conditional access should be applied after the assessment so policies are accurate and do not cause excessive access problems.

Deploy Data Loss Prevention policies using Cloud DLP can reduce data exfiltration risk, but DLP policies require careful tuning and testing to avoid false positives and to target the right data. DLP deployment is often a follow up remediation once you understand the exposure from the assessment.

Start with a data driven assessment to identify affected users and sensitive data before enforcing controls or blocking access. This approach limits business disruption and yields better tuned security actions.

You work as a compliance administrator at a regional charity, and you need to limit access to a SharePoint Online site by using sensitivity labels. Which capability must you activate first?

  • ✓ B. Enable sensitivity label support for Teams Microsoft 365 groups and SharePoint sites

The correct option is Enable sensitivity label support for Teams Microsoft 365 groups and SharePoint sites.

This setting is a tenant level capability that must be turned on before sensitivity labels can be applied to Microsoft 365 groups, Teams, and SharePoint sites. Once Enable sensitivity label support for Teams Microsoft 365 groups and SharePoint sites is enabled, you can publish labels that enforce protection and change site privacy and guest access settings to limit who can access the site.

Microsoft Purview compliance portal is where you go to configure sensitivity labels and other compliance features, but it is not the specific capability you must activate. The portal is the management location rather than the individual setting that enables site labeling.

Autolabeling policies for SharePoint are used to automatically apply labels to content based on conditions and content inspection. Autolabeling helps classify and protect files, but it does not enable the site level labeling capability that controls site privacy and guest access.

Azure Information Protection unified labeling client refers to an older client side solution for applying labels to files. This approach does not enable the tenant level site labeling feature and it is less relevant on newer exams because Microsoft has consolidated labeling into the Microsoft Purview information protection framework.

When questions ask about protecting sites, think about tenant level settings and look for the option that specifically enables labels for Teams, Microsoft 365 groups, and SharePoint sites in the compliance center.

Which metric is not typically displayed in a network diagnostics overview within an admin portal?

  • ✓ B. Individual user web browsing history

The correct answer is Individual user web browsing history.

Network diagnostics overviews in admin portals are designed to show infrastructure and application level metrics that reflect network health and performance. They therefore surface aggregate and protocol level signals rather than records of what a specific person visited, because showing individual browsing history would create privacy and compliance problems.

DNS lookup latency is an example of a typical network metric that shows how long name resolution takes, and it helps diagnose resolution or DNS server issues.

TCP round trip latency is commonly shown to indicate round trip times for connections, and it helps identify latency and routing problems across the network.

HTTP error rate is usually included to show the proportion of failed requests at the application layer, and it helps surface service or endpoint issues.

When answering these questions, ask whether the metric is an aggregate network health indicator or sensitive per-user data. Dashboards usually show the former and avoid exposing the latter.

You manage IT for a mid sized company named Meridian Solutions, and you plan to deploy multi factor authentication while minimizing user disruption. Which MFA approach lets you enforce detailed access rules based on conditions such as a user’s network location or the compliance state of their device?

  • ✓ D. Conditional Access policies

The correct option is Conditional Access policies.

Conditional Access policies are the policy engine in Azure Active Directory that evaluate signals such as network location, device compliance state, user and group membership, application, and sign in risk to make access decisions. They can require MFA, block or grant access, or require a compliant device based on those conditions, and they integrate with Intune device compliance to enforce posture based controls.

Microsoft Authenticator mobile app provides a convenient and strong second factor for authentication through push notifications or one time codes. It is an authentication method and not a policy engine, so it cannot on its own enforce detailed access rules based on location or device compliance.

OATH one time password hardware tokens are physical devices that generate time based one time passwords for MFA. They offer a form of verification, but they do not evaluate conditions like network location or device health, so they cannot implement conditional access rules.

Azure Active Directory security defaults enable simple, tenant wide protections such as requiring MFA for privileged accounts and blocking legacy authentication. They are intentionally broad and global and do not provide the granular, conditional controls that Conditional Access policies deliver.

When a question mentions enforcing access based on signals like location or device posture, look for Conditional Access because it is the Azure AD feature that evaluates conditions and applies controls.

A workstation at BrightWave Analytics is exhibiting unusual outbound connections and unauthorized processes, and you must stop further damage immediately. Which capability of the vendor endpoint protection solution should you use?

  • ✓ C. Endpoint isolation

The correct answer is Endpoint isolation.

Endpoint isolation immediately severs or restricts network connectivity for the affected workstation so it cannot make outbound connections or spread malicious activity. This containment action allows responders to preserve the device for forensic analysis while preventing further damage and lateral movement.

Threat and vulnerability risk management focuses on discovering and prioritizing vulnerabilities and exposures across systems to reduce risk over time. It is not an immediate containment action to stop an ongoing compromise.

Attack surface reduction policies are preventive controls that harden endpoints and block risky behaviors before incidents occur. They do not directly sever a device’s current network connections to contain an active breach.

Automated investigation and remediation can investigate alerts and perform remediation steps based on playbooks, and it may take automated actions. The explicit, fastest action to stop outbound activity on an actively compromised host is to isolate the device, which is the containment capability.

Custom indicators of compromise allow you to create detections and blocking rules for known IOCs and help hunting efforts. Creating and deploying indicators takes time and does not immediately stop all activity on a compromised host in the same direct way that isolation does.

When a host is actively compromised, choose isolation to immediately stop network activity and preserve evidence. On exam questions, prefer answers that describe direct containment rather than detection or long term risk reduction.

As the messaging administrator for a regional nonprofit, you want to apply encryption only when messages are delivered to people outside your company. Which condition should you add to the mail flow rule to achieve that goal?

  • ✓ C. The recipient is outside the organization

The recipient is outside the organization is the correct choice.

Add the condition The recipient is outside the organization to a mail flow rule to match messages delivered to external recipients. This condition evaluates who will receive the message so you can apply an action such as encryption only when the final recipient is not within your tenant.

The recipient is inside the organization is incorrect because it matches internal recipients and would cause encryption for messages that stay inside the company rather than for external deliveries.

The sender is outside the organization is incorrect because it triggers based on who sends the message and not who receives it. That rule could encrypt messages from external senders even when the recipients are internal.

The sender is inside the organization is incorrect because it would match messages sent by internal users and not specifically those delivered to external people. This would not meet the stated goal of encrypting only external deliveries.

When a question asks about applying controls for external recipients look for conditions that reference the recipient and explicitly state outside the organization.

A multinational retailer plans to use Microsoft Entra Privileged Identity Management to strengthen administration across their Azure and Microsoft 365 tenants. Which combination of controls should they implement to manage privileged roles effectively?

  • ✓ D. Apply time limited eligible assignments for critical administrators enforce multi factor authentication for role activation and enable automated access reviews

Apply time limited eligible assignments for critical administrators enforce multi factor authentication for role activation and enable automated access reviews is correct.

Apply time limited eligible assignments for critical administrators implements just in time access so administrators do not have standing privileges and this reduces the window attackers can exploit if an account is compromised.

Enforce multi factor authentication for role activation adds an additional verification step at the time of elevation and it protects eligible role activations from unauthorized use even if credentials are compromised.

Enable automated access reviews ensures that assignments are validated on a regular cadence and it helps remove stale or inappropriate access to meet governance and compliance requirements.

Assign eligible roles but rely on manual quarterly access reviews and skip activation MFA for convenience is wrong because skipping activation MFA removes a critical protection and manual quarterly reviews are too infrequent to detect or remove risky assignments promptly.

Make all Global Administrator accounts permanently active while enforcing multi factor authentication for activation is wrong because permanently active Global Administrator accounts create unnecessary standing privileges and increase attack surface even if MFA is enforced for other operations.

Maintain permanent break glass emergency accounts and do not require MFA when activating roles is wrong because emergency accounts should be tightly controlled, monitored, and used only in true emergencies, and removing MFA for activation undermines their security and auditability.

On configuration questions look for answers that apply the principle of least privilege and that combine just in time access with MFA and automated reviews to show continuous governance.

Is it possible to retrieve license purchase records, subscription status, and billing cadence from the Entra ID admin center?

  • ✓ B. Microsoft 365 admin center

Microsoft 365 admin center is correct because it is the portal that contains subscription and billing management and so it shows purchase records, subscription status, invoices, and billing cadence for Microsoft 365 services.

The Microsoft 365 admin center centralizes billing and subscription tasks so administrators can view purchase history, manage payment methods, change billing cycles, and download invoices from one place.

Entra ID admin center is incorrect because Entra ID focuses on identity and access management and it only shows license assignments and SKU details for users rather than purchase records, invoice history, or billing cadence for subscriptions.

When a question mentions invoices, billing, or purchase history think of the Microsoft 365 admin center since identity portals generally handle user and license management rather than billing.

A regional insurance company runs an on premises Active Directory domain with a domain controller named DC-01 and a member host named SRV-APP02. The security team plans to deploy Microsoft 365 Defender for Identity and install a standalone sensor on SRV-APP02. What configuration is required so the Defender for Identity sensor can observe the domain controller network traffic?

  • ✓ C. Enable port mirroring from DC-01 to SRV-APP02

Enable port mirroring from DC-01 to SRV-APP02 is correct. Port mirroring ensures the standalone Microsoft Defender for Identity sensor on SRV-APP02 can receive a copy of the domain controller network traffic so it can analyze authentication and directory activity without being installed on the DC.

The Defender for Identity standalone sensor is a passive network sensor that needs visibility into the DC traffic at the network layer. By enabling port mirroring from DC-01 to SRV-APP02, you direct a copy of the frames from the DC interface to the sensor host so the sensor can inspect LDAP, Kerberos, and other traffic patterns associated with identity signals.

Install the Microsoft Monitoring Agent on SRV-APP02 is incorrect because the Microsoft Monitoring Agent is used for Log Analytics and Azure monitoring. It does not provide the passive network capture capability that a Defender for Identity standalone sensor requires.

Add SRV-APP02 to the Domain Admins group is incorrect because elevating the host to a privileged domain account is not required for the sensor to observe network traffic and it would introduce unnecessary security risk. The sensor works by receiving mirrored network traffic rather than by using elevated domain credentials.

Open inbound Windows Firewall rules on SRV-APP02 for traffic from DC-01 is incorrect because adjusting firewall rules does not cause the domain controller to send a copy of its traffic to the sensor. The sensor needs network level mirroring or a span port so it can capture raw traffic, and firewall changes on the sensor host are not a substitute for port mirroring.

When a question mentions a standalone network sensor think about how the sensor will observe traffic. Choose network level solutions like port mirroring rather than installing agents or changing privileged accounts.

If security teams leave insider risk alerts uninvestigated for a prolonged interval can the system increase the alert severity level?

  • ✓ B. Yes unresolved alerts can have their severity escalated

Yes unresolved alerts can have their severity escalated is correct.

Many insider risk and security monitoring systems are designed to increase an alert’s severity when it remains open and uninvestigated for a prolonged interval because continued lack of action can indicate an escalating threat or additional corroborating signals. Platforms typically factor elapsed time, new telemetry, and event correlation into risk scoring so the alert severity is raised to prompt attention from analysts.

Automatic escalation helps ensure that emerging incidents do not languish at a low priority and that analysts are guided to the most critical items. The exact thresholds and mechanisms for escalation vary by product and configuration so the timing you see in one system may differ from another.

No the alert severity remains the same is incorrect because keeping severity static despite new evidence or long unresolved status would risk missing an evolving incident and would contradict common designs in modern security operations where alerts can change state over time.

When a question mentions alerts left uninvestigated think about whether the system would adapt over time. Many security products raise priority through escalation or increased risk scoring rather than keeping alerts static.

At Verdant Systems you must assign a role in Azure Active Directory to an engineer who needs to configure multi factor authentication settings and manage user authentication methods while also handling support cases in both the Azure portal and the Microsoft 365 admin center. Which role should you assign to this engineer?

  • ✓ C. Authentication Administrator

The correct answer is Authentication Administrator.

The Authentication Administrator role allows an engineer to configure multi factor authentication settings and to manage user authentication methods such as phone numbers and app based methods. The role also provides the permissions required to handle authentication related support tasks in the Azure portal and in the Microsoft 365 admin center so the engineer can manage users’ authentication and respond to support cases across both consoles.

Privileged Authentication Administrator is incorrect because that role is focused on protecting and managing elevated or emergency administrative access and it is not intended for general tenant wide MFA configuration and everyday user authentication method management.

User Administrator is incorrect because that role primarily manages user and group accounts and can perform password resets but it does not grant the comprehensive authentication method and MFA configuration permissions or the cross portal support capabilities required in this scenario.

Authentication Policy Administrator is incorrect because that role concentrates on tenant level authentication policies and rules and it does not provide the per user authentication method management and support access in the Microsoft 365 admin center that the question requires.

When a question asks about configuring MFA and managing authentication methods look for roles that explicitly include the word Authentication and verify whether the role covers both method management and support permissions in the Azure portal and Microsoft 365 admin center.

A regional nonprofit called HarborTech is adding a custom domain such as staff.example.com to its CloudWork productivity platform and must prove control of the domain before it can be used with the service. What method can be used to verify ownership?

  • ✓ B. Add a TXT record to the domain DNS records

Add a TXT record to the domain DNS records is correct.

A DNS TXT verification proves control of the domain at the DNS provider so the vendor can confirm ownership without needing access to the web server. To verify a domain you add a specific verification string as a DNS TXT record and the vendor checks that the record resolves, which is the standard and automated method for domain-level verification.

Upload a verification HTML file to the site root is incorrect because that method requires control of the web hosting and HTTP access to the site. Some services accept an HTML file for site verification but it does not prove control of the domain at the DNS level and it is not the expected method for domain DNS verification in this scenario.

Send a message from an address at the domain to the vendor support team is incorrect because an email alone can be spoofed or misrouted and it relies on manual action by support staff. Vendors use automated DNS checks to provide a reliable cryptographic proof of control rather than manual email confirmation.

Arrange a live video session with support to present identity documents is incorrect because that process verifies a person not the domain. It is not a standard automated way to assert domain ownership and it would be impractical for routine domain verification for a service like CloudWork.

When a question asks about proving domain control think of DNS TXT records first because they provide automated and authoritative proof at the DNS level and they are commonly required for custom domains.

How do app connectors used by a cloud access security broker collect telemetry and configuration data from the cloud services they monitor?

  • ✓ B. They use cloud providers’ public APIs to collect telemetry and settings without agents

They use cloud providers’ public APIs to collect telemetry and settings without agents is correct.

App connectors are built to use the cloud service provider APIs so they can retrieve activity logs, configuration and telemetry directly from the service. This API based integration typically uses service accounts or OAuth to access the tenant data and it allows the CASB to provide visibility and controls without installing software on each user device.

They require installing agent software on every user device is incorrect because app connectors do not depend on per device agents to collect telemetry. The data comes from the cloud service rather than from endpoint installed agents in most connector deployments.

They intercept user sessions as an inline proxy to enforce policies is incorrect for app connectors because session interception is a different deployment mode. Some CASB solutions offer inline proxy capabilities for real time controls, but the app connector specifically obtains information via the cloud providers’ APIs rather than by being inline.

When a question asks how an app connector obtains data look for answers that mention APIs or agentless collection. If an option mentions inline or proxy interception it is describing a different deployment mode.

You are a Microsoft 365 administrator at Evergreen Technologies and after you re-enabled directory synchronization several users are unable to sign in. What is the most likely cause of this problem?

  • ✓ C. The on premises Active Directory regained authority over the user accounts

The correct answer is The on premises Active Directory regained authority over the user accounts.

When directory synchronization is re-enabled, the on premises Active Directory becomes the source of authority for those accounts. Azure AD will accept and enforce the account attributes and passwords from the on premises directory, and cloud changes can be overwritten or ignored. If the on premises accounts or passwords do not match what users expect, they will fail to sign in until the on premises state is corrected or password synchronization is configured.

Directory synchronization was turned off using Azure AD PowerShell is not the best explanation because the method used to disable synchronization does not itself cause the post re-enable behavior. The issue described is caused by the change in source of authority after synchronization is resumed rather than by how sync was previously disabled.

User passwords were modified in Microsoft 365 is unlikely because once sync is re-enabled the on premises credentials take precedence and cloud password changes can be overwritten. If passwords were changed only in Microsoft 365, those changes would not be the lasting cause when on premises authority is restored.

Accounts were deleted from the local Active Directory is also not the most likely cause in this scenario because deleted on premises accounts would typically be removed from Azure AD during sync. The question implies the accounts still exist but authentication fails due to authority and password source, so deletion is a less likely explanation.

Remember that when directory synchronization is turned back on the on premises AD becomes the source of authority for users and passwords. Check the source of authority and password sync settings first when investigating sign in failures.

You work as a risk analyst at Northbridge Systems and you are reviewing the internal threat categories covered in a recent compliance briefing. Which of the following items was not defined as an internal risk in that briefing?

  • ✓ C. Employee morale and job satisfaction

The correct choice is Employee morale and job satisfaction.

Employee morale and job satisfaction refers to a broad organizational condition and not to a concrete malicious or risky action by an insider. Compliance briefings that list internal threat categories typically enumerate specific actions or events that directly harm confidentiality, integrity, or availability rather than general workforce metrics that may influence risk.

Insider trading by employees is incorrect because it is a direct misuse of privileged information for financial gain and that constitutes a classic internal threat covered in compliance materials.

Theft of company intellectual property is incorrect because theft or exfiltration of intellectual property is a clearly defined internal threat that compliance and security controls aim to prevent and detect.

Unauthorized disclosure of confidential information is incorrect because intentional or accidental disclosure directly compromises confidentiality and is routinely listed as an internal risk in compliance briefings.

Focus on whether an option names a specific harmful action rather than a general organizational metric when the question asks about internal threat categories.

You work as the IT lead for a regional nonprofit called HarborTech and you must apply configuration policies for Microsoft 365 Apps for enterprise to staff computers that are not joined to an Active Directory domain. Which capability should you use?

  • ✓ D. Office Cloud Policy Service

The correct option is Office Cloud Policy Service.

Office Cloud Policy Service lets administrators create and apply configuration policies for Microsoft 365 Apps for enterprise from the cloud and it works for users and devices that are not joined to an Active Directory domain. The service stores policies in the cloud and the Office clients apply those policies when users sign in with their work or school accounts so you can manage settings even on unmanaged or Azure AD joined machines.

Microsoft 365 Apps Health is incorrect because that capability focuses on monitoring the health and telemetry of Office clients and it does not provide a mechanism to push configuration policies to users or devices.

Servicing Profile is incorrect because servicing profiles control update channels and how Microsoft 365 Apps receive updates and releases and they are not a general policy engine for applying configuration settings to non domain joined devices.

Office Customization Tool is incorrect because that tool is used to create installation configuration for deploying Office and it is aimed at setup and deployment scenarios rather than centrally applying ongoing configuration policies from the cloud to existing client installations.

When a question asks about applying Office settings to devices outside a domain think cloud first and remember that the Office Cloud Policy Service is designed for that exact scenario.

As an administrator at NovaTech you need to restore a user’s ability to send email after they were blocked. Which approaches can you use to remove the block?

  • ✓ C. Both of the above methods

The correct option is Both of the above methods.

The Reset the user password in the tenant identity management console approach addresses identity level problems such as compromised credentials or sign in blocks so resetting the password can restore authentication and allow the user to send mail. The Use Exchange Online PowerShell to clear the block approach addresses mailbox and mail flow controls so PowerShell enables an administrator to remove mailbox specific send restrictions or clear transport level blocks without changing the user password. Depending on the root cause an admin may need one or both of these actions which is why the combined option is correct.

Reset the user password in the tenant identity management console is incorrect when chosen alone because it only fixes identity related issues and will not remove Exchange level send restrictions or transport blocks. If the block was applied by Exchange you must also clear it at the messaging level.

Use Exchange Online PowerShell to clear the block is incorrect when chosen alone because Exchange level fixes do not resolve identity problems such as a compromised password or a disabled account. In those cases you must also restore or reset the user account in the tenant identity management console.

Remove the account from the “Restricted accounts” section of the organization security portal is incorrect because that action does not describe the standard, supported way to clear send blocks in Exchange or Azure AD. That wording may refer to older or different security features and is not the current method used to restore sending rights on the modern admin consoles.

When an option says Both of the above methods check that each listed method addresses different root causes and pick the combined choice if both methods are valid in practice.

Which Microsoft Entra ID Protection settings will send immediate alerts for high risk accounts and deliver a weekly digest to selected security leads?

  • ✓ B. Enable the “Users at risk detected” alert for high risk accounts and configure the weekly digest to selected security leads

The correct answer is Enable the “Users at risk detected” alert for high risk accounts and configure the weekly digest to selected security leads.

This option is correct because Microsoft Entra Identity Protection can send immediate notifications when a user is flagged at the high risk level and it also supports configuring a weekly digest that is sent only to selected security leads. Enabling the alert for high risk accounts ensures prompt action on high severity signals and configuring the digest recipient list provides the targeted weekly summary the question describes.

Enable the “Users at risk detected” alert for low risk accounts and notify all administrators is incorrect because low risk detections do not typically require the same immediate high priority alerts and notifying all administrators is not the targeted weekly digest behavior described in the question. Sending alerts for low risk accounts to all admins would create noise rather than immediate, focused responses.

Rely on the Risky users report in the admin center for manual reviews is incorrect because the risky users report is for manual review and investigation and it does not by itself produce immediate alerts for high risk accounts or an automated weekly digest to selected security leads.

When a question asks about immediate alerts and scheduled digests focus on notification settings in Microsoft Entra Identity Protection and verify the configured risk level and recipients. Check that Users at risk detected is set for the correct risk level and that the digest recipients are restricted to the intended security leads.

ArborTech is configuring endpoint data loss prevention inside the ArborTech Data Governance portal and the security team needs clarity on how the settings behave across platforms and resources. Which of the following statements about endpoint DLP settings are accurate? (Choose 2)

  • ✓ B. Network share coverage and exclusion settings extend endpoint DLP policies to file shares and mapped network drives

  • ✓ D. Advanced content classification and enforcement is available only on Windows devices

The correct options are Network share coverage and exclusion settings extend endpoint DLP policies to file shares and mapped network drives and Advanced content classification and enforcement is available only on Windows devices.

Network share coverage and exclusion settings extend endpoint DLP policies to file shares and mapped network drives is correct because endpoint DLP can be configured to include or exclude network shares and mapped drives so that the same monitoring and enforcement rules that apply to local files also apply to files on SMB and other network locations. Coverage settings bring those remote locations into scope and exclusion settings let administrators exempt specific shares or paths from policy checks.

Advanced content classification and enforcement is available only on Windows devices is correct because the more advanced inspection and enforcement capabilities depend on Windows specific components and file system integration. Those advanced features rely on OS level hooks and drivers that are not available on macOS so vendors often limit them to Windows endpoints.

Restricted app groups take precedence over entries in the restricted apps list when both appear in the same rule is incorrect because precedence is not determined simply by grouping. Policy evaluation follows the product’s rule resolution order and specificity rather than a blanket rule that groups always override individual list entries.

You can configure file path exclusions for both Windows and macOS clients is incorrect because file path exclusions are typically implemented using Windows path semantics and kernel level filtering. In this product those exclusion controls are supported on Windows endpoints and do not apply in the same way on macOS.

Read choices about operating system support carefully and look for phrases like Windows only or explicit support for network shares. Those keywords often reveal the intended correct answers.

As an administrator of a Contoso 365 tenant which administrative role must be assigned to permit creation of guest users in the tenant directory?

  • ✓ C. Global Administrator or a limited Azure AD directory role like Guest Inviter or User Administrator

Global Administrator or a limited Azure AD directory role like Guest Inviter or User Administrator is correct. This option names the roles that are allowed to create or invite guest users in the tenant directory.

Global Administrator has full directory permissions and can create and invite guest accounts as part of its broad administrative privileges.

Guest Inviter is a narrow role that is specifically intended to allow users to invite external guests without giving wider administrative rights. User Administrator can create and manage user accounts including guest users and so it can also be used to add guests when that level of access is assigned.

Compliance Administrator is incorrect because that role is focused on compliance tasks such as data governance, eDiscovery, and information protection and it does not grant permissions to create or invite guest users.

Privileged Role Administrator is incorrect because that role manages role assignments and role settings but it does not by itself grant the ability to invite guest users unless the user also has a role that allows user creation or guest invitations.

Security Administrator is incorrect because that role is centered on security features and incident response and it does not provide the permissions needed to create or invite guest accounts in the directory.

When an exam question asks who can invite guest users look for roles that explicitly mention invite or user management permissions and choose the least privileged role that fits the scenario such as Guest Inviter when appropriate.

You are the IT lead at a growing retail chain named Cedar Row and you need to monitor the Microsoft Secure Score for the organization over time. You have observed a decline during the past four weeks. Which tab should you open to view the score timeline and the actions recorded in that timeframe?

  • ✓ D. Score history

The correct option is Score history.

The Score history tab shows your Microsoft Secure Score plotted over time and lists the actions or changes that affected the score during the selected timeframe. You can use this view to identify when the decline started and to review which recommended actions were added, removed, or marked complete so you can target your remediation work.

Trends and metrics is incorrect because that phrasing does not refer to the Secure Score timeline view and it usually refers to aggregated metrics rather than the recorded score history.

Dashboard overview is incorrect because the dashboard gives a summary snapshot of current score and recommendations and does not provide the detailed timeline of score changes and recorded actions.

Cloud Monitoring is incorrect because that option refers to monitoring cloud resources and telemetry and it is not the Secure Score history view.

When a question asks where to see changes over time look for wording like history or timeline rather than dashboard or summary pages because those typically show only the current state.

You are the IT lead for Meridian Finance and you need to delegate compliance responsibilities to specific administrators. One team member must monitor regulatory compliance procedures and handle compliance alerts across Microsoft 365 services. Which role should you assign to that team member?

  • ✓ C. Compliance Data Administrator

The correct answer is Compliance Data Administrator.

The Compliance Data Administrator role grants permissions to manage compliance features in the Microsoft Purview compliance portal and across Microsoft 365. A person with this role can review and act on compliance alerts, run content searches and assist with investigations. These capabilities make it the right choice for monitoring regulatory compliance procedures and handling alerts across services.

Microsoft 365 Migration Administrator is focused on planning and performing migrations of mailboxes and data and does not provide broad compliance alert monitoring across Microsoft 365, so it is not appropriate.

Global Administrator has full tenant privileges and could perform compliance tasks but it is far too broad for a delegated compliance responsibility. Assigning this role would violate the principle of least privilege when a specific compliance role is available.

Exchange Administrator manages Exchange Online and mail related settings and it does not provide comprehensive compliance monitoring across all Microsoft 365 services, so it is not the correct role for this requirement.

Match the task to the role scope by choosing roles that specifically reference compliance or the Purview compliance portal when the requirement is to monitor alerts, investigations, or data governance.

An email has two retention labels. One label deletes the message after three years and the other preserves the message for eight years before deleting it. Which retention period applies?

  • ✓ B. Retained for eight years then removed

The correct answer is Retained for eight years then removed.

Retained for eight years then removed applies because when multiple retention labels or policies apply the one that preserves content for the longest period takes precedence. The label that retains for eight years prevents the shorter deletion rule from removing the email at three years and the message is kept until the eight year retention period finishes and is then removed.

Removed after three years is incorrect because that deletion-only label is shorter than the eight year retention label and it cannot override a label that retains content for a longer period. The three year deletion would not occur while the longer retention is in effect.

Preserved permanently is incorrect because no permanent preservation label is applied in this scenario. The longest applicable retention is Retained for eight years then removed which results in eventual deletion after eight years.

When multiple retention rules could apply look for the one that preserves content the longest or explicitly retains then deletes. Read each option to see if it only deletes or if it first retains for a period and then deletes.

You are the chief information security officer at a regional retail chain that is planning to migrate its operations to cloud platforms. What is a core concern you should have about Microsoft 365?

  • ✓ C. How Microsoft 365 defends employee accounts and organizational data against cyber attacks

How Microsoft 365 defends employee accounts and organizational data against cyber attacks is the correct concern.

This is a primary issue because moving to a SaaS productivity suite shifts responsibility for many security controls to the vendor and because compromised user accounts and email are a common way attackers gain access to corporate data.

You should evaluate identity protection such as Azure Active Directory features like multifactor authentication and conditional access, threat protection such as Microsoft Defender for Office 365, and information protection such as Data Loss Prevention and sensitivity labels to understand the platform's defensive posture and incident response capabilities.

How well Microsoft 365 integrates with Google Cloud Identity for unified access control is not the best answer because cross identity integration is a specific operational consideration and can often be solved with federation and provisioning tools, but it is narrower than the overarching risk of account compromise and data breaches.

Whether the Microsoft 365 user experience will require extensive retraining for staff is more of an adoption and change management concern rather than a core security risk, so it is not the primary focus for a chief information security officer planning migrations.

The pricing differences between Microsoft 365 subscription tiers are an important procurement topic but they are not the central security concern when assessing how to protect accounts and data during and after migration.

On migration questions prioritize options that mention security and data protection and treat cost or UX choices as secondary unless the question explicitly asks about them.

Aegis Health Solutions plans to use Microsoft Entra Connect cloud sync to mirror their on premises Active Directory with Microsoft Entra ID and they want to restrict synchronization to employees in specific departments and groups. Which configuration change in the cloud sync setup will best enforce this limitation?

  • ✓ C. Apply scoping filters that target security groups or organizational units in the on premises Active Directory

Apply scoping filters that target security groups or organizational units in the on premises Active Directory is correct.

This option uses cloud sync scoping filters to explicitly limit which objects are synchronized by targeting specific security groups or organizational units. Scoping filters operate at the selection level so only members of the chosen groups or objects located in the specified OUs are included in synchronization. This is the most direct and reliable way to restrict synchronization to employees in particular departments or groups.

Use attribute mappings to filter users by their department attribute is incorrect. Attribute mappings determine how attributes are transformed and which attribute values flow to Entra ID and they do not serve as the primary mechanism to select which accounts are synchronized in cloud sync. Selection is controlled by scoping filters rather than by attribute mappings.

Use on demand provisioning to manually pick individual users for synchronization is incorrect. Cloud sync does not provide a standard manual per user provisioning mode for ongoing synchronization and it is not the intended method to enforce department or group based scopes. Group or OU based scoping is the supported way to control which users get synced.

Enable password hash synchronization across the entire on premises directory is incorrect. Password hash synchronization relates to authentication and does not restrict which user objects are included in synchronization. Enabling it for the directory will not limit sync to specific departments or groups.

When you need to limit which users are synchronized focus on options that control selection such as scoping filters or group membership rather than settings that control attributes or authentication.

A regional distributor requires 25 mailboxes for staff and two of the mailboxes will be shared by two employees. Five staff members are field technicians who do not need the desktop Microsoft 365 apps. The administrator purchased 20 Microsoft 365 Business Standard licenses and 5 Microsoft 365 Business Basic licenses to minimize cost. Is this the correct purchase for licensing the users?

  • ✓ C. No this procurement is not optimal

No this procurement is not optimal is the correct answer.

The purchase of 20 Microsoft 365 Business Standard and 5 Microsoft 365 Business Basic licenses only provides 25 user licenses while the scenario implies two mailboxes are shared by two employees which increases the number of users who need access. Licensing is assigned per user rather than per mailbox so every person who needs to sign in and access mail must be covered by a license. That means the current mix leaves two users without licenses and the procurement is therefore not optimal.

The choice to give the five field technicians Business Basic is reasonable because they do not need the desktop Office apps and Business Basic includes Exchange mail, Teams, and OneDrive which are typically sufficient for field staff. The main issue is that the overall quantity of licenses must be adjusted to cover every user who will access email.

Buy a reduced set of 23 licenses with 18 Microsoft 365 Business Standard and 5 Microsoft 365 Business Basic is wrong because reducing the total number of licenses to 23 would leave even more users without the required user licenses. You must count users who access mail and not just distinct mailboxes when sizing licenses.

Yes the purchased mix of licenses is appropriate is wrong because the purchased mix only covers 25 users and the scenario requires licenses for every person who will access mail. The administrator underbought licenses so the statement that the mix is appropriate is incorrect.

Use Exchange Online Plan 1 for the five field technicians instead of Business Basic is wrong because Microsoft 365 Business Basic already includes Exchange Online capabilities and it also provides Teams and OneDrive which are useful for field staff. Replacing Business Basic with Exchange Online Plan 1 would remove those additional services and would not be the expected cost optimal choice for typical field technician needs.

When sizing licenses on the exam remember that licensing is per user and not per mailbox. Count every person who will sign in and access email and remember that shared mailboxes do not eliminate the need to license each user who accesses them.

Aurora Systems uses Microsoft 365 and its policy prohibits sending Social Security Numbers by email. Can you create an Azure Information Protection label and configure its policy from the Azure portal to enforce that restriction?

  • ✓ B. False

The correct answer is False.

You cannot create an Azure Information Protection label and configure its policy from the Azure portal to enforce blocking Social Security Numbers in email. Sensitivity labels and label policies are managed in the Microsoft Purview compliance portal and Data Loss Prevention policies in the Microsoft 365 compliance tools are used to detect and block SSNs in Exchange Online messages.

The Azure Information Protection classic tooling and the Azure portal based policy management have been superseded by unified labeling in Microsoft Purview. Unified labels and DLP work together to classify content and enforce protection or blocking for sensitive items such as Social Security Numbers.

True is incorrect because you do not configure these label policies in the Azure portal. The Azure portal does not host the unified labeling and DLP policy management for Microsoft 365 that is required to automatically detect and prevent sending SSNs by email.

When you see questions about labeling and email protection check whether the management surface named is the Microsoft 365 compliance or Purview portal and not the Azure portal. Remember that the older Azure Information Protection classic controls have been retired and that unified labeling and DLP live in the Purview tools.

Which core element should be secured to establish a Zero Trust control plane?

  • ✓ B. Digital identities for users services and devices

The correct answer is Digital identities for users services and devices.

Securing digital identities is the foundation of a Zero Trust control plane because Zero Trust treats identity as the primary trust anchor and requires continuous authentication and authorization for every request. By managing identities and their credentials you can implement least privilege, multifactor authentication, context-aware access, and centralized policy decisions that apply to users, services, and devices across cloud resources.

Network firewall rules are important for network level defense but they operate at the perimeter or traffic control layer and do not provide the continuous identity and access validation that a Zero Trust control plane requires. Firewalls alone cannot make access decisions based on user identity, device posture, and real-time risk signals.

Cloud VPN configurations provide encrypted network connectivity between sites but they create implicit network trust and rely on network boundaries rather than identity based controls. VPNs are a connectivity mechanism and not the identity driven control plane that Zero Trust depends on.

When you see Zero Trust questions look for answers that emphasize identity and continuous authentication and authorization rather than only network perimeter controls.

For high availability in its file synchronization service Contoso recommends running how many active Sync agents?

  • ✓ C. Three active Sync agents

Three active Sync agents is the correct choice.

Three active Sync agents provides a simple majority for leader election and quorum which keeps the synchronization service available when one agent fails. Running three active agents gives redundancy and it allows the system to make progress with a single failure while avoiding a single point of failure.

Two active Sync agents is incorrect because two agents cannot form a stable majority if one fails and they are prone to split decisions without an additional voter.

Four active Sync agents is incorrect because an even number of agents can lead to tied votes and it is not the recommended configuration for avoiding split decisions. An odd number of agents is normally preferred for robust quorum behavior.

One active Sync agent is incorrect because a single agent is a single point of failure and it does not provide any redundancy for high availability.

When you see questions about high availability look for answers that mention quorum or an odd number of voting agents because those configurations usually allow the system to tolerate failures while avoiding split votes.

A regional firm named Northbridge Solutions uses Microsoft 365 for email collaboration and cloud tools and they plan to roll out Microsoft Intune for device management. All staff currently have Microsoft 365 Business Standard and the organization does not want to upgrade from Standard although they may accept a modest additional cost. Which license would allow them to deploy Microsoft Intune?

  • ✓ B. Microsoft Intune standalone subscription

The correct answer is Microsoft Intune standalone subscription.

Microsoft Intune standalone subscription lets the organisation add Intune device management without requiring an upgrade of all staff from Microsoft 365 Business Standard. Purchasing the standalone subscription allows you to assign Intune to only the users or devices that need it so the firm can accept a modest additional cost rather than moving everyone to a higher plan.

Microsoft Intune standalone subscription provides mobile device management, application protection, and policy enforcement independently of the Microsoft 365 plan level so it directly meets the stated requirement.

Microsoft 365 Business Premium is incorrect because it would also provide Intune but it requires upgrading Business Standard users to Business Premium and the organisation explicitly does not want that upgrade.

Microsoft 365 E3 license is incorrect because it is an enterprise level bundle that represents a much larger upgrade and cost than buying just Intune for the users who need it, so it does not match the firm’s constraints.

Enterprise Mobility and Security E3 is incorrect because although it historically includes Intune capabilities it is an enterprise add on and it is not the minimal, targeted purchase the organisation is looking for.

Focus on the constraints in the question and favour a standalone or add on licence when the organisation does not want to upgrade existing plans. Carefully note who needs the new capabilities before choosing a licence.

In the Everguard compliance dashboard how long can it take for rule matches from the default endpoint DLP policy to appear in the status tile?

  • ✓ C. 2 days

The correct answer is 2 days.

Rule matches from the default endpoint DLP policy can take up to 2 days to appear in the status tile because the compliance dashboard processes events in batches and performs classification and aggregation which introduce processing latency.

1.5 days is incorrect because the documented processing window is up to two days and not limited to one and a half days.

3 days is incorrect because it overstates the maximum expected delay and the dashboard does not typically require three days to surface default DLP policy matches.

1 day is incorrect because although some matches may appear within a day the safe documented upper bound is 2 days so choosing one day understates the possible delay.

When a question asks how long something can take look for the maximum or upper bound in the official documentation and choose the answer that matches that value.

Which statements about role assignments in Contoso’s Entra Privileged Identity Management are accurate? (Choose 3)

  • ✓ A. Active role assignments provide immediate role access without extra steps

  • ✓ C. Eligible role assignments require activation or a request for approval before use

  • ✓ D. Time limited assignments can be scheduled with specific start and end dates for both eligible and active statuses

Active role assignments provide immediate role access without extra steps, Eligible role assignments require activation or a request for approval before use, and Time limited assignments can be scheduled with specific start and end dates for both eligible and active statuses are correct.

Active role assignments provide immediate role access without extra steps means when a user is assigned an active role they receive the permissions immediately. There is no activation or approval step for active assignments and access continues until the assignment expires or is removed.

Eligible role assignments require activation or a request for approval before use means eligible users do not have standing privileges. They must activate the role or follow an approval workflow to elevate to active status and gain the permissions for a limited duration.

Time limited assignments can be scheduled with specific start and end dates for both eligible and active statuses means PIM supports scheduling so you can enforce when an assignment becomes valid and when it ends. Assignments can be configured with start and end dates whether they are eligible or active.

PIM supports only permanent role assignments is incorrect because PIM supports eligible assignments and time limited assignments as well as permanent assignments when needed. The intent of PIM is to reduce standing privileges so time bound and eligible roles are core features.

When evaluating statements look for the words active, eligible, and time limited and map them to PIM behaviors. Those keywords usually reveal whether access is immediate, requires activation or approval, or can be scheduled.

When synchronizing data with a cloud provider how should an integration handle API rate limits and throttling?

  • ✓ B. Batch and pace API calls and stagger large operations over time

Batch and pace API calls and stagger large operations over time is correct.

This approach reduces the chance of hitting provider quotas by spreading load and keeping per-second request rates within allowed limits. Batching lowers the number of requests by combining many small operations into fewer calls and pacing lets you control request throughput so you avoid sudden spikes. Implementing retries with exponential backoff and jitter and honoring retry headers from the API complements batching and pacing and helps recover gracefully when throttling does occur.

Use event streaming to avoid polling APIs is incorrect because streaming may reduce the need to poll but it does not eliminate provider quotas or other rate limits. Not all services provide streaming endpoints and streaming alone does not handle bulk syncs or large backfills where batching and pacing are still required.

Ignore limits and retry on throttled responses is incorrect because blindly retrying can amplify load and prolong outages. You should not ignore limits and you must implement controlled retries with exponential backoff, respect Retry-After headers, and use client side rate limiting or queues to prevent repeated throttling.

On exam questions choose answers that mention batching, pacing, exponential backoff, or honoring retry headers rather than approaches that assume unlimited API access.
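The batching, pacing and controlled-retry behaviour described in the answer above, as an added Python example that is not part of the original practice test. `Throttled`, `FakeApi`, `sync` and the other names are hypothetical, the throttled service is constructed so the code runs offline, and Retry-After is assumed to carry a number of seconds.

```python
import random
import time

class Throttled(Exception):
    """Constructed stand-in for an HTTP 429 (throttled) response."""
    def __init__(self, retry_after=None):
        super().__init__("429 Too Many Requests")
        self.retry_after = retry_after  # Retry-After header in seconds, if sent

def chunked(items, size):
    """Batching: combine many small operations into fewer calls."""
    return [items[i:i + size] for i in range(0, len(items), size)]

def backoff_delay(attempt, retry_after=None, base=1.0, cap=60.0, rng=random.random):
    """Honor Retry-After when present, else exponential backoff with full jitter."""
    if retry_after is not None:
        return float(retry_after)
    return rng() * min(cap, base * 2 ** attempt)

def sync(items, send_batch, batch_size=20, min_interval=0.5, max_retries=5,
         sleep=time.sleep, rng=random.random):
    """Send items in paced batches and return every delay that was waited."""
    waits = []
    for n, batch in enumerate(chunked(items, batch_size)):
        if n:  # pacing: fixed gap between batches keeps the request rate flat
            waits.append(min_interval)
            sleep(min_interval)
        for attempt in range(max_retries + 1):
            try:
                send_batch(batch)
                break
            except Throttled as exc:
                if attempt == max_retries:
                    raise  # stop rather than amplify load with endless retries
                delay = backoff_delay(attempt, exc.retry_after, rng=rng)
                waits.append(delay)
                sleep(delay)
    return waits

class FakeApi:
    """Constructed service that throttles scripted call numbers."""
    def __init__(self, plan):
        self.plan, self.calls, self.received = dict(plan), 0, []

    def send_batch(self, batch):
        self.calls += 1
        if self.calls in self.plan:
            raise Throttled(self.plan[self.calls])
        self.received.extend(batch)

def demo():
    # Call 2 is throttled with Retry-After: 7, call 4 without the header.
    api = FakeApi({2: 7, 4: None})
    waits = sync(list(range(45)), api.send_batch,
                 sleep=lambda s: None, rng=lambda: 0.5)
    return api.calls, len(api.received), waits

if __name__ == "__main__":
    print(demo())
```

In the demo the 45 items go out as three batches in five calls: the server-supplied 7 second wait is used as given, and the throttled call without a header falls back to a jittered exponential delay.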

Cameron McKenzie is an AWS Certified AI Practitioner, Machine Learning Engineer, Copilot Expert, Solutions Architect and author of many popular books in the software development and Cloud Computing space. His growing YouTube channel training devs in Java, Spring, AI and ML has well over 30,000 subscribers.