Practice MD-102 Manage identity and compliance questions with full explanations on every answer.
Click any question to see the full explanation and answer options, or start a focused practice session above.
1. A company with 500 users uses Microsoft 365 E3 licenses. They want to ensure that all users have multi-factor authentication (MFA) enforced. Currently, 80% of users have MFA enabled through the legacy per-user MFA setting. The security team wants to use Conditional Access policies instead. You need to migrate from per-user MFA to Conditional Access with no disruption to users. What should you do?
2. You are an endpoint administrator for a company that uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access Exchange Online. You have configured a Conditional Access policy that grants access to Exchange Online only if the device is marked as compliant. A user reports that they cannot access email from their iOS device, which is enrolled in Intune and shows as compliant. The user can access other Microsoft 365 services. What is the most likely cause?
3. A company is implementing Windows Hello for Business and wants to use certificate-based authentication. They have an on-premises Active Directory and are using Azure AD Connect for hybrid identity. Which prerequisites must be met to support certificate-based Windows Hello for Business?
4. You manage a Microsoft 365 tenant with 10,000 users. You are planning a Conditional Access policy to require MFA for all users. However, you need to ensure that users who have not yet registered for MFA are not blocked. What should you do to handle unregistered users?
5. A company uses Microsoft Intune to manage Windows 10 devices. They need to ensure that only devices that have a BitLocker encryption status of 'fully encrypted' are allowed to access corporate resources. They create a device compliance policy that requires BitLocker. However, some devices are still accessing resources even though they are not fully encrypted. What should you check?
6. Which TWO of the following are required to implement Azure AD Join for Windows 10 devices in a hybrid environment with on-premises Active Directory?
7. Which THREE of the following are valid methods for deploying Microsoft Intune compliance policies to devices?
8. Refer to the exhibit. The JSON snippet shows the Azure AD Identity Protection MFA registration policy configuration for the Contoso tenant. A new user, Jane, joins the company and is assigned a license. Jane attempts to access the Azure portal and is prompted to register for MFA. She registers successfully. However, the next day, she is again prompted to register for MFA. What is the most likely cause?
9. Refer to the exhibit. A Windows 10 device is showing as non-compliant. The compliance policy 'Require BitLocker' is assigned to all devices. The device does not have BitLocker enabled. However, the user is able to access corporate email on the device. What is the most likely reason for this?
10. A company uses Microsoft Entra ID P1 licenses. They want to enforce multi-factor authentication (MFA) for all users accessing the company's SaaS applications. However, they need to exclude a group of service accounts that use legacy authentication protocols. What is the recommended approach?
11. An organization has deployed Microsoft Entra Connect Sync to synchronize on-premises Active Directory to Microsoft Entra ID. Users report that some cloud-only user accounts cannot be assigned licenses. The admin checks the provisioning logs and finds that the cloud accounts have a source of authority of 'Microsoft Entra ID'. What is the most likely cause?
12. A company is planning to implement Microsoft Intune for mobile device management. They want to ensure that only compliant devices can access Exchange Online. Which technology should they use?
13. An administrator is configuring Microsoft Entra ID Protection. They want to create a policy that automatically blocks sign-ins when the risk level is high. However, they notice that the policy is not triggering for some users who have high risk. What is the most likely reason?
14. A company uses Microsoft 365 E3 licenses. They need to enforce that all users must use the Microsoft Authenticator app for MFA instead of SMS or phone call. What should the administrator configure?
15. A company uses Microsoft Intune to manage Windows 10 devices. They want to ensure that devices have BitLocker enabled and are compliant before accessing corporate resources. Which TWO actions should the administrator take? (Choose two.)
16. An organization is planning to implement a zero-trust security model. They need to evaluate the following capabilities in Microsoft 365. Which THREE are essential for a zero-trust architecture? (Choose three.)
17. Refer to the exhibit. A user attempts to sign in to Microsoft Graph PowerShell and receives the error shown. What is the most likely cause?
18. A company uses Microsoft 365 with hybrid identity. Users report that after changing their on-premises passwords, they cannot access SharePoint Online for up to 30 minutes, but Outlook on the web works immediately. You need to reduce the delay for SharePoint Online access. What should you do?
19. A multinational organization uses Microsoft 365 E5 licenses. The compliance officer wants to ensure that all documents containing credit card numbers are automatically classified and protected with a label that applies encryption. You configure auto-labeling policies in Microsoft Purview. After 24 hours, the compliance officer reports that no documents have been labeled. The policy scope is set to 'All locations' and the policy is enabled. What is the most likely cause of the issue?
20. You are configuring Microsoft Entra Conditional Access for a company that requires all employees to use multi-factor authentication (MFA) when accessing the Azure portal. The company also wants to block access from devices that are not compliant. You create a Conditional Access policy. Which two assignments must you configure to meet these requirements? (Choose two.)
21. You are an enterprise administrator for Contoso Ltd. You need to configure Microsoft 365 tenant-wide settings for external collaboration. Which TWO actions should you take to meet the following goals: (1) allow only specific external domains to collaborate with your organization, and (2) ensure that external users are required to sign in with multi-factor authentication (MFA) before accessing shared resources?
22. You are a Teams administrator. After running the PowerShell script shown in the exhibit, users report they cannot communicate with federated users from 'trusted.com'. What is the most likely cause?
23. You are the compliance administrator for a large organization using Microsoft 365 E5 licenses. The company has a hybrid identity configuration with Azure AD Connect syncing on-premises Active Directory to Azure AD. The security team requires that all mobile devices accessing corporate email and documents must be enrolled in Microsoft Intune and compliant with company device policies. Recently, several users reported that they cannot access Outlook on their iOS devices, receiving a message: 'Your organization requires this device to be managed by Intune. Please install the Company Portal app and enroll your device.' However, after installing Company Portal and completing enrollment, they still cannot access Outlook and see the same error. Upon investigation, you find that the devices are showing as 'Compliant' in the Microsoft Intune admin center. You also verify that the Conditional Access policy requiring device compliance is correctly configured and assigned to all users. What should you do to resolve the issue?
24. Order the steps for configuring a Windows 10 kiosk device using Assigned Access.
25. Order the steps to configure Windows Defender Antivirus exclusions via Group Policy.
26. Order the steps to migrate user profiles from Windows 10 to a new device using User State Migration Tool (USMT).
27. Match each MDM (Mobile Device Management) enrollment method to its typical scenario.
28. Match each Microsoft Entra ID (Azure AD) join type to its description.
29. Match each Microsoft 365 compliance feature to its description.
The Manage identity and compliance domain covers the key concepts tested in this area of the MD-102 exam blueprint published by Microsoft. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all MD-102 domains — no account required.
The Courseiva MD-102 question bank contains 29 questions in the Manage identity and compliance domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Manage identity and compliance domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.