20+ practice questions focused on Manage identity and compliance — one of the most tested topics on the Microsoft 365 Endpoint Administrator MD-102 exam. Each question includes a detailed explanation so you learn why the right answer is correct.
A company with 500 users uses Microsoft 365 E3 licenses. They want to ensure that all users have multi-factor authentication (MFA) enforced. Currently, 80% of users have MFA enabled through the legacy per-user MFA setting. The security team wants to use Conditional Access policies instead. You need to migrate from per-user MFA to Conditional Access with no disruption to users. What should you do?
Explanation: Option C is correct because you need to exclude the break-glass accounts from the Conditional Access policy to ensure admin access if something goes wrong. You should first create a Conditional Access policy that requires MFA for all users except the break-glass accounts, then disable the per-user MFA for all users. Option A is incorrect because disabling per-user MFA before creating the policy would leave users without MFA. Option B is incorrect because using a Conditional Access policy to require MFA from outside the network only would not enforce MFA for internal access. Option D is incorrect because creating a policy without excluding break-glass accounts could lock out administrators.
You are an endpoint administrator for a company that uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access Exchange Online. You have configured a Conditional Access policy that grants access to Exchange Online only if the device is marked as compliant. A user reports that they cannot access email from their iOS device, which is enrolled in Intune and shows as compliant. The user can access other Microsoft 365 services. What is the most likely cause?
Explanation: The most likely cause is that the Exchange Online workload is not enabled in Intune for mobile device management (MDM). Even though the device is enrolled and compliant, Intune must have the Exchange Online workload enabled to apply Conditional Access policies that govern email access. Without this, the Conditional Access policy cannot enforce compliance checks specifically for Exchange Online, resulting in access being blocked despite the device showing as compliant.
A company is implementing Windows Hello for Business and wants to use certificate-based authentication. They have an on-premises Active Directory and are using Azure AD Connect for hybrid identity. Which prerequisites must be met to support certificate-based Windows Hello for Business?
Explanation: Certificate-based Windows Hello for Business requires an enterprise PKI to issue and validate certificates for authentication. Devices must be Azure AD joined or hybrid Azure AD joined to enroll these certificates and support the certificate trust model. On-premises Active Directory and Azure AD Connect provide the hybrid identity foundation, but the CA and appropriate device join state are the critical prerequisites.
You manage a Microsoft 365 tenant with 10,000 users. You are planning a Conditional Access policy to require MFA for all users. However, you need to ensure that users who have not yet registered for MFA are not blocked. What should you do to handle unregistered users?
Explanation: Option B is correct because the Azure AD Identity Protection MFA registration policy automatically enforces MFA registration for all users within a specified grace period (default 14 days), ensuring that users who have not yet registered are prompted to register before being blocked by a Conditional Access policy. This policy works in conjunction with Conditional Access by pre-registering users, so when the CA policy requiring MFA is enabled, all users already have MFA credentials available, preventing lockout.
A company uses Microsoft Intune to manage Windows 10 devices. They need to ensure that only devices that have a BitLocker encryption status of 'fully encrypted' are allowed to access corporate resources. They create a device compliance policy that requires BitLocker. However, some devices are still accessing resources even though they are not fully encrypted. What should you check?
Explanation: Option B is correct because a device compliance policy must be assigned to the appropriate user or device groups to take effect. If the policy is not assigned, Intune will not evaluate the devices against the BitLocker requirement, and non-compliant devices will continue to access corporate resources. The scenario indicates that the policy was created but not enforced, which points directly to a missing assignment.
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Manage identity and compliance. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Manage identity and compliance questions on the MD-102 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Manage identity and compliance is tested as part of the Microsoft 365 Endpoint Administrator MD-102 blueprint. Practicing with targeted Manage identity and compliance questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free MD-102 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Manage identity and compliance is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.