MS-102 Microsoft 365 Administrator Certification
You have a new Microsoft 365 E5 tenant.You need to enable an alert policy that will be triggered when an elevation of Microsoft Exchange Online administrative privileges is detected.What should you do first? A. Enable auditing. B. Enable Microsoft 365 usage analytics. C. Create an Insider risk management policy. D. Create a communication compliance policy
Enable auditing.
Your network contains an on-premises Active Directory domain named contoso.local. The domain contains five domain controllers.Your company purchases Microsoft 365 and creates an Azure AD tenant named contoso.onmicrosoft.com.You plan to install Azure AD Connect on a member server and implement pass-through authentication.You need to prepare the environment for the planned implementation of pass-through authentication.Which three actions should you perform? Each correct answer presents part of the solution.NOTE: Each correct selection is worth one point. A. From a domain controller, install an Authentication Agent. B. From the Microsoft Entra admin center, configure an authentication method. C. From Active Directory Domains and Trusts, add a UPN suffix. D. Modify the email address attribute for each user account. E. From the Microsoft Entra admin center, add a custom domain name. F. Modify the User logon name for each
From Active Directory Domains and Trusts, add a UPN suffix From the Microsoft Entra admin center, add a custom domain name. Modify the User logon name for each user account.
You have a Microsoft 365 subscription.You plan to implement Microsoft Purview Privileged Access Management.Which Microsoft Office 365 workloads support privileged access? A. Microsoft Exchange Online only B. Microsoft Teams only C. Microsoft Exchange Online and SharePoint Online only D. Microsoft Teams and SharePoint Online only E. Microsoft Teams, Exchange Online, and SharePoint Online
Microsoft Exchange Online only
Which users will be contacted by Microsoft if the tenant experiences a data breach? A. User1 only B. User2 only C. User3 only D. User1 and User2 only E. User2 and User3 only
User2 only
You have a Microsoft 365 E5 subscription.You plan to implement Microsoft Purview policies to meet the following requirements:Identify documents that are stored in Microsoft Teams and SharePoint that contain Personally Identifiable Information (PII).Report on shared documents that contain PII.What should you create? A. a data loss prevention (DLP) policy B. a retention policy C. an alert policy D. a Microsoft Defender for Cloud Apps policy
a data loss prevention (DLP) policy
You have a Microsoft 365 subscription.You configure a new Azure AD enterprise application named App1. App1 requires that a user be assigned the Reports Reader role.Which type of group should you use to assign the Reports Reader role and to access App1? A. a Microsoft 365 group that has assigned membership B. a Microsoft 365 group that has dynamic user membership C. a security group that has assigned membership D. a security group that has dynamic user membership
a security group that has assigned membership
You have a Microsoft 365 subscription.You need to configure a compliance solution that meets the following requirements:Defines sensitive data based on existing data samplesAutomatically prevents data that matches the samples from being shared externally in Microsoft SharePoint or email messagesWhich two components should you configure? Each correct answer presents part of the solution.NOTE: Each correct selection is worth one point. A. a trainable classifier B. a sensitive info type C. an insider risk policy D. an adaptive policy scope E. a data loss prevention (DLP) policy
a trainable classifier a data loss prevention (DLP) policy
You have a Microsoft 365 E5 subscription.Users access Microsoft 365 from both their laptop and a corporate Virtual Desktop Infrastructure (VDI) solution.From Azure AD Identity Protection, you enable a sign-in risk policy.Users report that when they use the VDI solution, they are regularly blocked when they attempt to access Microsoft 365.What should you configure? A. the Tenant restrictions settings in Azure AD B. a trusted location C. a Conditional Access policy exclusion D. the Microsoft 365 network connectivity settings
a trusted location
Your company has a Microsoft 365 subscription.You need to identify all the users in the subscription who are licensed for Office 365 through a group membership. The solution must include the name of the group used to assign the license.What should you use? A. Active users in the Microsoft 365 admin center B. Reports in Microsoft Purview compliance portal C. the Licenses blade in the Microsoft Entra admin center D. Reports in the Microsoft 365 admin center
. the Licenses blade in the Microsoft Entra admin center
You have a Microsoft 365 E5 tenant.Users store data in the following locations:Microsoft Teams -Microsoft OneDrive -Microsoft Exchange Online -Microsoft SharePoint -You need to retain Microsoft 365 data for two years.What is the minimum number of retention policies that you should create? A. 1 B. 2 C. 3 D. 4
3
You have a Microsoft 365 E5 subscription.From the Microsoft 365 Defender portal, you plan to export a detailed report of compromised users.What is the longest time range that can be included in the report? A. 1 day B. 7 days C. 30 days D. 90 days
30 days
You have a Microsoft 365 E5 subscription.You need to create Conditional Access policies to meet the following requirements:All users must use multi-factor authentication (MFA) when they sign in from outside the corporate network.Users must only be able to sign in from outside the corporate network if the sign-in originates from a compliant device.All users must be blocked from signing in from outside the United States and Canada.Only users in the R&D department must be blocked from signing in from both Android and iOS devices.Only users in the finance department must be able to sign in to an Azure AD enterprise application named App1. All other users must be blocked from signing in to App1.What is the minimum number of Conditional Access policies you should create? A. 3 B. 4 C. 5 D. 6 E. 7 F. 8
4
You have a Microsoft 365 subscription.You need to add additional onmicrosoft.com domains to the subscription. The additional domains must be assignable as email addresses for users.What is the maximum number of onmicrosoft.com domains the subscription can contain? A. 1 B. 2 C. 5 D. 10 Reveal Solution
5
You are reviewing alerts in the Microsoft 365 Defender portal.How long are the alerts retained in the portal? A. 30 days B. 60 days C. 3 months D. 6 months E. 12 months
6 months
You have a Microsoft 365 subscription that contains a user named User1.User1 requires admin access to perform the following tasks:Manage Microsoft Exchange Online settings.Create Microsoft 365 groups.You need to ensure that User1 only has admin access for eight hours and requires approval before the role assignment takes place.What should you use? A. Azure AD Identity Protection B. Microsoft Entra Verified ID C. Conditional Access D. Azure AD Privileged Identity Management (PIM)
Azure AD Privileged Identity Management (PIM)
You have a Microsoft E5 subscription.You need to ensure that administrators who need to manage Microsoft Exchange Online are assigned the Exchange Administrator role for five hours at a time.What should you implement? A. Azure AD Privileged Identity Management (PIM) B. a conditional access policy C. a communication compliance policy D. Azure AD Identity Protection E. groups that have dynamic membership
Azure AD Privileged Identity Management (PIM)
You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365.You need to ensure that users are prevented from opening or downloading malicious files from Microsoft Teams, OneDrive, or SharePoint Online.What should you do? A. Create a new Anti-malware policy. B. Configure the Safe Links global settings. C. Create a new Anti-phishing policy. D. Configure the Safe Attachments global settings.
Configure the Safe Attachments global settings
Your company has a Microsoft 365 E5 subscription.Users in the research department work with sensitive data.You need to prevent the research department users from accessing potentially unsafe websites by using hyperlinks embedded in email messages and documents. Users in other departments must not be restricted.What should you do? A. Create a data loss prevention (DLP) policy that has a Content is shared condition. B. Modify the safe links policy Global settings. C. Create a data loss prevention (DLP) policy that has a Content contains condition. D. Create a new safe links policy.
Create a new safe links policy.
Your network contains an Active Directory domain named adatum.com that is synced to Azure AD.The domain contains 100 user accounts.The city attribute for all the users is set to the city where the user resides.You need to modify the value of the city attribute to the three-letter airport code of each city.What should you do? A. From Windows PowerShell on a domain controller, run the Get-ADUser and Set-ADUser cmdlets. B. From Azure Cloud Shell, run the Get-ADUser and Set-ADUser cmdlets. C. From Windows PowerShell on a domain controller, run the Get-MgUser and Update-MgUser cmdlets. D. From Azure Cloud Shell, run the Get-MgUser and Update-MgUser cmdlets.
From Windows PowerShell on a domain controller, run the Get-ADUser and Set-ADUser cmdlets
You have a Microsoft 365 subscription.You suspect that several Microsoft Office 365 applications or services were recently updated.You need to identify which applications or services were recently updated.What are two possible ways to achieve the goal? Each correct answer presents a complete solution.NOTE: Each correct selection is worth one point. A. From the Microsoft 365 admin center, review the Service health blade. B. From the Microsoft 365 admin center, review the Message center blade. C. From the Microsoft 365 admin center, review the Products blade. D. From the Microsoft 365 Admin mobile app, review the messages.
From the Microsoft 365 admin center, review the Message center blade. From the Microsoft 365 Admin mobile app, review the messages.
You have a Microsoft 365 subscription.You register two applications named App1 and App2 to Azure AD.You need to ensure that users who connect to App1 require multi-factor authentication (MFA). MFA is required only for App1. What should you do? A. From the Microsoft Entra admin center, create a conditional access policy. B. From the Microsoft 365 admin center, configure the Modem authentication settings. C. From the Enterprise applications blade of the Microsoft Entra admin center, configure the Users settings. D. From Multi-Factor Authentication, configure the service settings.
From the Microsoft Entra admin center, create a conditional access policy
You have a Microsoft 365 E5 subscription.You define a retention label that has the following settings:Retention period: 7 years -Start the retention period based on: When items were createdYou need to prevent the removal of the label once the label is applied to a file.What should you select in the retention label settings? A. Retain items forever or for a specific period B. Mark items as a regulatory record C. Mark items as a record D. Retain items even if users delete
Mark items as a regulatory record
You have a Microsoft 365 tenant.You plan to manage incidents in the tenant by using the Microsoft 365 Defender.Which Microsoft service source will appear on the Incidents page of the Microsoft 365 Defender portal? A. Microsoft Sentinel B. Microsoft Defender for Cloud C. Azure Arc D. Microsoft Defender for Identity
Microsoft Defender for Identity
You have a Microsoft 365 E5 subscription that contains the following user: Name: User1 -UPN: [email protected] Email address: [email protected] MFA enrollment status: Disabled -When User1 attempts to sign in to Outlook on the web by using the [email protected] email address, the user cannot sign in.You need to ensure that User1 can sign in to Outlook on the web by using [email protected] should you do? A. Assign an MFA registration policy to User1. B. Reset the password of User1. C. Add an alternate email address for User1. D. Modify the UPN of User1.
Modify the UPN of User1.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. Your network contains an Active Directory domain.You deploy an Azure AD tenant. Another administrator configures the domain to synchronize to Azure AD. You discover that 10 user accounts in an organizational unit (OU) are NOT synchronized to Azure AD. All the other user accounts synchronized successfully. You review Azure AD Connect Health and discover that all the user account synchronizations completed successfully.You need to ensure that the 10 user accounts are synchronized to Azure A
NO
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen .Your network contains an Active Directory domain.You deploy an Azure AD tenant. Another administrator configures the domain to synchronize to Azure AD.You discover that 10 user accounts in an organizational unit (OU) are NOT synchronized to Azure AD. All the other user accounts synchronized successfully.You review Azure AD Connect Health and discover that all the user account synchronizations completed successfully. You need to ensure that the 10 user accounts are synchronized to Azure A
No
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. Your network contains an Active Directory domain.You deploy an Azure AD tenant. Another administrator configures the domain to synchronize to Azure AD.You discover that 10 user accounts in an organizational unit (OU) are NOT synchronized to Azure AD. All the other user accounts synchronized successfully.You review Azure AD Connect Health and discover that all the user account synchronizations completed successfully. You need to ensure that the 10 user accounts are synchronized to Azure AD.
No
Your network contains an on-premises Active Directory domain named contoso.com. The domain contains 1,000 Windows 10 devices.You perform a proof of concept (PoC) deployment of Microsoft Defender for Endpoint for 10 test devices. During the onboarding process, you configure Microsoft Defender for Endpoint-related data to be stored in the United States.You plan to onboard all the devices to Microsoft Defender for Endpoint.You need to store the Microsoft Defender for Endpoint data in Europe.What should you do first? A. Delete the workspace. B. Create a workspace. C. Onboard a new device. D. Offboard the test devices.
Offboard the test devices
Your network contains an Active Directory forest named contoso.local.You purchase a Microsoft 365 subscription.You plan to move to Microsoft 365 and to implement a hybrid deployment solution for the next 12 months.You need to prepare for the planned move to Microsoft 365.What is the best action to perform before you implement directory synchronization? More than one answer choice may achieve the goal. Select the BEST answer. A. Purchase a third-party X.509 certificate. B. Create an external forest trust. C. Rename the Active Directory forest. D. Purchase a custom domain name.
Purchase a custom domain name
Your company has 10,000 users who access all applications from an on-premises data center.You plan to create a Microsoft 365 subscription and to migrate data to the cloud.You plan to implement directory synchronization.User accounts and group accounts must sync to Azure AD successfully.You discover that several user accounts fail to sync to Azure AD.You need to resolve the issue as quickly as possible.What should you do? A. From Active Directory Administrative Center, search for all the users, and then modify the properties of the user accounts. B. Run idfix.exe, and then click Edit. C. From Windows PowerShell, run the start-AdSyncSyncCycle -PolicyType Delta command. D. Run idfix.exe, and then click Complete.
Run idfix.exe, and then click Edit.
Security Requirements -Fabrikam identifies the following security requirements:After the planned migration to Microsoft 365, all users must continue to authenticate to their mailbox and to SharePoint sites by using their UPN.The membership of the UserLicenses group must be validated monthly. Unused user accounts must be removed from the group automatically.After the planned migration to Microsoft 365, all users must be signed in to on-premises and cloud-based applications automatically.The principle of least privilege must be used.Which role should you assign to User1? A. Hygiene Management B. Security Reader C. Security Administrator D. Records Management
Security Reader
You need to ensure that a user named User1 can view the advisories to investigate service health issues.Which role should you assign to User1? A. Message Center Reader B. Reports Reader C. Service Support Administrator D. Compliance Administrator
Service Support Administrator
Your network contains three Active Directory forests. There are forests trust relationships between the forests.You create an Azure AD tenant.You plan to sync the on-premises Active Directory to Azure AD.You need to recommend a synchronization solution. The solution must ensure that the synchronization can complete successfully and as quickly as possible if a single server fails.What should you include in the recommendation? A. one Azure AD Connect sync server and one Azure AD Connect sync server in staging mode B. three Azure AD Connect sync servers and one Azure AD Connect sync server in staging mode C. six Azure AD Connect sync servers and three Azure AD Connect sync servers in staging mode D. three Azure AD Connect sync servers and three Azure AD Connect sync servers in staging mode
one Azure AD Connect sync server and one Azure AD Connect sync server in staging mode
Your network contains an on-premises Active Directory domain named contoso.com. For all user accounts, the Logon Hours settings are configured to prevent sign-ins outside of business hours. You plan to sync contoso.com to an Azure AD tenant you need to recommend a solution to ensure that the logon hour restrictions apply when synced users sign in to Azure AD. What should you include in the recommendation? A. pass-through authentication B. conditional access policies C. password synchronization D. Azure AD Identity Protection policies
pass-through authentication
Your on-premises network contains an Active Directory domain.You have a Microsoft 365 subscription.You need to sync the domain with the subscription. The solution must meet the following requirements:On-premises Active Directory password complexity policies must be enforced.Users must be able to use self-service password reset (SSPR) in Azure AD.What should you use? A. password hash synchronization B. Azure AD Identity Protection C. Azure AD Seamless Single Sign-On (Azure AD Seamless SSO) D. pass-through authentication
pass-through authentication
The principle of least privilege must be used. You need to ensure that all the sales department users can authenticate successfully during Project1 and Project2.Which authentication strategy should you implement for the pilot projects? A. pass-through authentication B. pass-through authentication and seamless SSO C. password hash synchronization and seamless SSO D. password hash synchronization
password hash synchronization and seamless SSO
You have a Microsoft 365 E3 subscription that uses Microsoft Defender for Endpoint Plan 1.Which two Defender for Endpoint features are available to the subscription? Each correct answer presents part of the solution.NOTE: Each correct selection is worth one point. A. advanced hunting B. security reports C. digital certificate assessment D. device discovery E. attack surface reduction (ASR)
security reports attack surface reduction (ASR)
You have a Microsoft 365 E5 subscription.Conditional Access is configured to block high-risk sign-ins for all users.All users are in France and are registered for multi-factor authentication (MFA).Users in the media department will travel to various countries during the next month.You need to ensure that if the media department users are blocked from signing in while traveling, the users can remediate the issue without administrator intervention.What should you configure? A. an exclusion group B. the MFA registration policy C. named locations D. self-service password reset (SSPR)
self-service password reset (SSPR)
You have a Microsoft 365 E5 subscription.You plan to create a data loss prevention (DLP) policy that will be applied to all available locations.Which conditions can you use in the DLP rules of the policy? A. sensitive info types B. content search queries C. keywords D. sensitivity labels
sensitive info types
Overview Fabrikam, Inc. is an electronics company that produces consumer products. Fabrikam has 10,000 employees worldwide.Fabrikam has a main office in London and branch offices in major cities in Europe, Asia, and the United States. Existing Environment Active Directory Environment -The network contains an Active Directory forest named fabrikam.com. The forest contains all the identities used for user and computer authentication. Each department is represented by a top-level organizational unit (OU) that contains several child OUs for user accounts and computer accounts.All users authenticate to on-premises applications by signing in to their device by using a UPN format of [email protected] does NOT plan to implement identity federation. Network Infrastructure Each office has a high-speed connection to the Internet.Each office contains two domain controllers. All domain controllers are config
text (TXT)
You have a Microsoft 365 E5 subscription that contains a user named User1.User1 exceeds the default daily limit of allowed email messages and is on the Restricted entities list.You need to remove User1 from the Restricted entities list.What should you use? A. the Exchange admin center B. the Microsoft Purview compliance portal C. the Microsoft 365 admin center D. the Microsoft 365 Defender portal E. the Microsoft Entra admin center
the Microsoft 365 Defender portal
You have a Microsoft 365 E5 subscription.You need to compare the current Safe Links configuration to the Microsoft recommended configurations.What should you use? A. Microsoft Purview B. Azure AD Identity Protection C. Microsoft Secure Score D. the configuration analyzer
the configuration analyzer
You have a Microsoft 365 subscription.You configure a data loss prevention (DLP) policy.You discover that users are incorrectly marking content as false positive and bypassing the DLP policy.You need to prevent the users from bypassing the DLP policy.What should you configure? A. actions B. incident reports C. exceptions D. user overrides
user overrides