Practice MS-102 Implement and manage Microsoft Entra identity and access questions with full explanations on every answer.
1. A company uses Microsoft Entra ID for identity management. The security team wants to ensure that users cannot register applications in the tenant to prevent potential data leakage. Which setting should be configured?
2. Your organization is migrating from on-premises Active Directory to Microsoft Entra ID. You need to ensure that users can use their existing on-premises passwords to log in to cloud services, while maintaining password policy enforcement on-premises. Which feature should you implement?
3. A multinational company uses Microsoft Entra ID with Conditional Access policies. They have a policy that requires multi-factor authentication (MFA) for all users when accessing the company's custom SaaS application. However, users from the European branch are reporting that they are prompted for MFA every time, even though they have already authenticated via a compliant device. What is the most likely cause?
4. You are configuring Microsoft Entra ID Protection. You want to automatically respond to a specific risk level by requiring the user to change their password. Which risk policy should you configure?
5. An organization is implementing Microsoft Entra Verified ID for verifiable credentials. They want to issue credentials to employees that can be used to prove employment status to third parties. Which component must be created first?
6. Your company uses Microsoft Entra ID and has a hybrid identity with PHS. You need to ensure that when an on-premises user account is disabled, the corresponding cloud user is also blocked from signing in within 5 minutes. What should you configure?
7. A company uses Microsoft Entra ID and has enabled self-service password reset (SSPR). Users are required to register for SSPR. Management wants to ensure that users from the HR department, who handle sensitive data, must use two methods for authentication during SSPR, while other users can use one method. What is the best way to achieve this?
8. Your organization uses Microsoft Defender for Cloud Apps. You want to set up a policy that automatically suspends a user if they download more than 100 files from SharePoint Online within 10 minutes. Which type of policy should you create?
9. You are configuring Microsoft Entra ID for a new organization. The CIO wants to ensure that all external users who are invited to collaborate via Microsoft Entra B2B must go through an approval process before gaining access. Which setting should you configure?
10. Which TWO of the following are valid authentication methods in Microsoft Entra ID that can be used as part of a Conditional Access policy? (Select two.)
11. Which THREE of the following are required to configure Microsoft Entra ID Governance for automated user provisioning to a third-party SaaS application? (Select three.)
12. Which TWO of the following are valid methods to enforce device compliance in a Conditional Access policy? (Select two.)
13. You are reviewing a Conditional Access policy in JSON format. The policy is applied to all users accessing Office 365 from trusted locations. What is the intended behavior of this policy?
14. You are reviewing directory settings for Microsoft 365 Groups. Based on the exhibit, which statement is true?
15. An administrator runs the Azure CLI command shown in the exhibit. What is the result of this command?
16. Your organization uses Microsoft Entra ID to manage user identities. You need to ensure that users can sign in using their existing social media accounts, such as Google or Facebook. Which identity solution should you configure?
17. Your company has a Microsoft 365 E5 subscription and uses Microsoft Entra ID. Users report that they are frequently prompted for multi-factor authentication (MFA) even after signing in successfully. You want to minimize these prompts while maintaining security. What should you configure?
18. You are a Microsoft 365 administrator. Your organization uses Microsoft Entra ID and Microsoft Intune for device management. You need to ensure that only compliant devices can access corporate email via Microsoft Outlook on mobile devices. What should you configure?
19. Your organization is implementing a hybrid identity solution. You want to synchronize on-premises Active Directory users to Microsoft Entra ID. Which tool should you use?
20. Your company has a Microsoft Entra tenant with 5,000 users. You need to delegate the ability to reset user passwords to the helpdesk team, but only for users in the Sales department. What is the most efficient way to achieve this?
21. Your organization uses Microsoft Entra ID with Privileged Identity Management (PIM) to manage administrative roles. You need to ensure that when a user activates the Global Administrator role, they must provide a justification and the activation is time-bound. Additionally, you want to require approval from the security team for this activation. What should you configure?
22. You are implementing Microsoft Entra Verified ID. Which technology does it use to create decentralized digital identities?
23. Your organization uses Microsoft Entra ID and has enabled Microsoft Entra Domain Services (Azure AD DS). You need to ensure that legacy applications that require NTLM authentication can still authenticate against the managed domain. What should you configure?
24. Your company has a Microsoft 365 E5 subscription and uses Microsoft Entra ID. You have configured Microsoft Entra Identity Governance. You need to create an access review for all guest users in the tenant to ensure their access is still required. The review should be recurring every 90 days and should auto-remove guests if they are not approved. What should you configure?
25. You are configuring Microsoft Entra ID for your organization. You need to enable passwordless authentication for users. Which TWO authentication methods are passwordless and supported by Microsoft Entra ID?
26. Your organization uses Microsoft Entra ID and has strict security requirements. You need to implement a Zero Trust security model. Which THREE of the following are foundational principles of Zero Trust that should be implemented?
27. Your company uses Microsoft Entra ID for identity management. You are planning to implement Conditional Access policies. Which TWO components are required to create a Conditional Access policy?
28. You are reviewing the following Conditional Access policy JSON in Microsoft Entra ID. What does this policy do?
29. You are a Microsoft 365 administrator. You run the Get-MgPolicyCrossTenantAccessPolicyDefault cmdlet and see the exhibit output. What does this configuration imply?
30. You run the Azure CLI command shown in the exhibit. What does the output represent?
31. Your organization uses Microsoft Entra ID and requires users to authenticate using FIDO2 security keys. You need to ensure that users can register and manage their security keys through the My Security Info portal. Which authentication method policy setting should you enable?
32. Your company has a Microsoft 365 tenant with Microsoft Entra ID. You are configuring Conditional Access policies to enforce multifactor authentication (MFA) for all users. However, you want to exclude break-glass emergency access accounts from MFA. What is the recommended best practice for managing these emergency access accounts?
33. You are planning a migration from on-premises Active Directory to Microsoft Entra ID using cloud sync. You need to synchronize user passwords so that users can authenticate using their existing passwords. Which feature should you enable?
34. Your organization uses Microsoft Entra ID Governance. You need to ensure that access reviews are automatically created for all guest users in the tenant and that reviews are sent to the guest users' managers for approval. You configure an access review policy. Which identity governance feature should you use?
35. Your company uses Microsoft Entra ID and has a custom line-of-business application that supports SAML-based SSO. You need to configure the application to use Microsoft Entra ID as the identity provider. Which enterprise application configuration should you use?
36. Your organization uses Microsoft Entra ID and has a Conditional Access policy that requires MFA for all external users. However, guest users from a partner organization are being blocked when they try to access a SharePoint Online site. You need to ensure that guest users can access the site without being prompted for MFA if they have already satisfied MFA in their home tenant. What should you configure?
37. Your organization has a Microsoft 365 E5 subscription and uses Microsoft Entra ID. You are implementing Privileged Identity Management (PIM) to manage access to Azure AD roles. You need to ensure that when a user activates a privileged role, the activation request must be approved by their manager and must include a ticket number. What should you configure?
38. Your company uses Microsoft Entra ID and wants to use Microsoft's recommendation to protect against password spray attacks. Which feature should you enable?
39. Your organization uses Microsoft Entra ID and has a Conditional Access policy that requires compliant devices for access to corporate resources. You need to ensure that iOS devices are compliant before accessing Exchange Online. Which Microsoft Intune policy should you configure?
40. Your organization uses Microsoft Entra ID and has a hybrid identity configuration with Active Directory Federation Services (AD FS). You are migrating to cloud authentication using Pass-through Authentication (PTA). Which TWO components are required for a PTA deployment?
41. Your organization uses Microsoft Entra ID and wants to implement Identity Protection to detect risky users. Which THREE risk types can be detected by Identity Protection? (Choose three.)
42. Your organization uses Microsoft Entra ID and wants to implement a passwordless authentication strategy. Which TWO authentication methods are considered passwordless by Microsoft? (Choose two.)
43. Refer to the exhibit. You are reviewing a Conditional Access policy JSON. The policy is intended to block legacy authentication. However, users are still able to connect using Exchange ActiveSync. What is the most likely reason?
44. Your organization uses Microsoft Entra ID to manage user identities. You need to ensure that users can sign in using their existing social media accounts, such as Microsoft, Google, or Facebook. What should you configure?
45. Your company is implementing a Zero Trust security model. You need to ensure that all user access requests to corporate resources are verified continuously, not just at the initial sign-in. Which Microsoft Entra ID feature should you use?
46. Your organization has a hybrid identity environment with Microsoft Entra Connect. You are planning to migrate to cloud-only authentication using Microsoft Entra Cloud Sync. However, some legacy applications still require NTLM authentication. What should you do to ensure those applications can authenticate after the migration?
47. You need to grant a vendor access to a specific SharePoint Online site for a limited time. The vendor does not have an account in your Microsoft Entra ID. What should you use?
48. Your company uses Microsoft Intune for mobile device management. You need to ensure that only compliant devices can access corporate email in Microsoft 365. Which Microsoft Entra ID feature should you combine with Intune compliance policies?
49. Your organization uses Microsoft Entra ID Governance. You need to automate the removal of access when an employee leaves the company. The identity lifecycle should trigger access reviews and automatic deprovisioning. What should you configure?
50. You need to prevent users from registering security information for Microsoft Entra self-service password reset (SSPR) if they are not in a specific group. What should you configure?
51. Your organization uses Microsoft Entra Conditional Access. You need to block access from countries where your company does not operate. The list of blocked countries changes frequently. What is the most efficient way to manage this?
52. Your company is deploying Microsoft Copilot for Microsoft 365. You need to ensure that only users who have completed a specific training course can use Copilot. What should you configure?
53. Your organization uses Microsoft Entra ID. You need to enable users to reset their own passwords without administrator intervention. Which TWO components must be configured?
54. You are designing a Microsoft Entra ID governance strategy. Which THREE features should you use to implement the principle of least privilege for administrative roles?
55. Your company is implementing Microsoft Entra Conditional Access. You need to require multifactor authentication (MFA) for all users except those accessing from the corporate office. Which TWO components do you need?
56. Your organization uses Microsoft Entra ID and requires that all guest users must have a mobile phone number registered for authentication. You need to enforce this requirement. What should you configure?
57. Your company uses Microsoft Entra ID and has an app named App1 that requires permissions to read all user profiles. You need to grant admin consent for App1 to read profiles without requiring each user to consent. What should you do?
58. Your organization uses Microsoft Entra ID and has a custom role that grants 'microsoft.directory/applications/credentials/update' permission. A security audit reveals that a user assigned this role has modified credentials for an application. You need to prevent such actions while allowing other application updates. What should you do?
59. Your organization uses Microsoft Entra ID and wants to allow users to reset their own passwords using self-service password reset (SSPR). What is the minimum licensing required?
60. Your company uses Microsoft Entra ID and has an application that requires users to consent to permissions. You want to allow users to consent to low-risk permissions but require admin approval for high-risk permissions. What should you configure?
61. Your organization uses Microsoft Entra ID and has a hybrid identity setup with password hash synchronization. You need to ensure that when a user's on-premises Active Directory account is disabled, their Microsoft Entra ID account is also disabled within 30 minutes. What should you do?
62. Your organization uses Microsoft Entra ID. You need to ensure that users cannot reuse their last 5 passwords when changing passwords. What should you configure?
63. Your organization uses Microsoft Entra ID and has an application that requires the 'User.Read.All' permission. You need to grant this permission to the application but ensure that only an administrator can consent, not users. What should you do?
64. Your organization uses Microsoft Entra ID and has a custom role that includes the permission 'microsoft.directory/applications/credentials/update'. You need to create a new role that includes all permissions of the existing role except the credential update permission. What is the best approach?
65. Which TWO of the following are required to configure Microsoft Entra ID self-service password reset (SSPR) for cloud-only users? (Choose two.)
66. Which THREE of the following are valid permissions in Microsoft Entra ID custom roles? (Choose three.)
67. Which TWO of the following are features of Microsoft Entra ID Identity Protection? (Choose two.)
68. Refer to the exhibit. You are configuring consent for the Microsoft Graph application. Which of the following statements is true based on the JSON?
69. Refer to the exhibit. You run the PowerShell command to check the authentication method policy registration campaign. Which of the following is true?
70. Refer to the exhibit. You are configuring permissions for a daemon application that runs without a user. Which permission should you request?
71. Your organization uses Microsoft Entra ID for identity management. You need to ensure that users can access internal applications using single sign-on (SSO) without storing passwords in the cloud. Which authentication method should you implement?
72. Your company has a Microsoft 365 E5 subscription and uses Microsoft Entra ID. You need to configure a conditional access policy that blocks access from devices that are not compliant with your organization's device compliance policies, as defined by Microsoft Intune. Which assignment should you configure in the policy?
73. Your organization uses Microsoft Entra ID with P2 licenses. You need to identify and remediate users who are at risk due to leaked credentials or anomalous sign-in activity. You want to automate the response to high-risk users by requiring a password change. Which feature should you use?
74. You are configuring Microsoft Entra ID to allow external users from a partner organization to access a specific SharePoint Online site. You need to ensure that the external users authenticate using their own corporate credentials and are automatically invited when they first access the resource. What should you configure?
75. Your organization uses Microsoft Entra ID and plans to deploy Microsoft Copilot for Microsoft 365. You need to ensure that Copilot respects the conditional access policies you have configured for data access. What should you do?
76. Your organization has a hybrid identity deployment using Microsoft Entra Connect Sync. You need to ensure that password writeback is enabled so that users can reset their own passwords from the cloud. Which prerequisite must be met?
77. Your company uses Microsoft Entra ID. You need to restrict access to a critical application to only users who are in a specific security group and are signing in from a trusted location. You configure a conditional access policy with the following conditions: users (the security group), cloud apps (the critical application), conditions (locations: trusted IP ranges). However, users in the security group are still able to access the app from untrusted locations. What is the most likely reason?
78. You are implementing Microsoft Entra Verified ID to issue verifiable credentials to employees for proof of employment. Which component is required to issue and verify credentials?
79. Your organization uses Microsoft Entra ID with Application Proxy to publish on-premises web apps. Users report that they are prompted for credentials multiple times when accessing an app. You need to reduce the number of authentication prompts. What should you configure?
80. Your organization uses Microsoft Entra ID. You need to implement a solution that allows users to sign in without a password using their smartphone. Which TWO authentication methods can be used?
81. Your company uses Microsoft Entra ID with P2 licenses. You need to configure Privileged Identity Management (PIM) for Azure AD roles. Which THREE actions are possible with PIM?
82. Your organization uses Microsoft Entra ID. You need to enable users to securely share documents with external partners. Which TWO features should you use?
83. Refer to the exhibit. The Contoso tenant has a cross-tenant access policy configured for Fabrikam. Users from Fabrikam are unable to access resources in Contoso via B2B collaboration. What is the most likely reason?
84. Refer to the exhibit. You have created a conditional access policy as shown. Users report that they can still access cloud apps from non-compliant devices. What is the most likely reason?
85. Refer to the exhibit. You run the KQL query in Microsoft Sentinel. The query returns zero results even though you know user@contoso.com has had failed sign-in attempts in the last 30 days. What is the most likely reason?
86. Contoso uses Microsoft Entra ID P2. Users report that password reset self-service does not work. You verify that the users have the required license. What should you check next?
87. Your organization plans to allow external users to access a SharePoint Online site using their own Microsoft Entra ID credentials. You need to ensure that external users can authenticate without creating a guest account in your tenant. Which solution should you use?
88. A company uses Microsoft Entra ID with group-based licensing. You assign a license to a group, but some members do not receive the license. There are no error messages in the audit logs. What is the most likely cause?
89. You need to enforce multifactor authentication (MFA) for all users in a Microsoft Entra ID tenant. The solution must not require users to register security info if they already have it. Which approach should you use?
90. An administrator needs to grant a user the ability to reset passwords for other users in Microsoft Entra ID. Which role should be assigned?
91. Your organization uses Microsoft Entra Connect Sync. You need to ensure that specific on-premises Active Directory groups are synchronized to Microsoft Entra ID. What should you configure?
92. You are implementing Microsoft Entra Identity Protection. You need to configure automated responses to medium and high user risk. Which policy should you create?
93. A user is unable to sign in to Microsoft Teams because the account is locked. The administrator needs to unlock the account without resetting the password. What should the administrator do?
94. You need to configure Microsoft Entra ID to allow users to authenticate using their existing social media accounts. Which identity provider type should you add?
95. Which TWO permissions are required for a custom role to manage Conditional Access policies in Microsoft Entra ID?
96. Which THREE conditions can be used in a Microsoft Entra Conditional Access policy to target specific sign-in scenarios?
97. Which TWO Microsoft Entra ID features can be used to provide just-in-time (JIT) access to privileged roles?
98. Which THREE are valid Microsoft Entra ID license plans that include Identity Protection?
99. Refer to the exhibit. You manage an application registration in Microsoft Entra ID. The JSON shows the current state of the app's password credentials. The application is used by a daemon to acquire tokens. The certificate used for authentication expires on 2025-12-31. The application is currently using a client secret. The security policy requires rotating secrets every 6 months. What is the best course of action?
100. Refer to the exhibit. You run this PowerShell script to disable high-risk users. However, some high-risk users remain enabled. What is the most likely reason?
101. Your organization uses Microsoft Entra ID for identity management. You need to ensure that users can sign in using their Google Workspace credentials without creating external identities. What should you configure?
102. A company has Microsoft Entra ID P2 licenses. They need to implement a conditional access policy that requires multifactor authentication (MFA) when accessing the Microsoft Entra admin center from a non-compliant device. However, they want to allow access from compliant devices without MFA. What is the best approach?
103. You are configuring Microsoft Entra ID provisioning for a SaaS application that supports SCIM 2.0. The app requires the 'manager' attribute to be mapped. However, the manager attribute is not populated for all users. What should you do to avoid provisioning failures?
104. Your organization uses Microsoft Entra ID and has enabled Microsoft Entra ID Protection. You notice that the number of 'Leaked Credentials' detections is high. What action should you take to automatically remediate this risk?
105. You need to implement a solution that allows external partners to access specific SharePoint Online sites without creating guest user objects in Microsoft Entra ID. The partners will authenticate using their own identity provider. What should you use?
106. Your company uses Microsoft Entra ID and wants to enforce that all users register for MFA within 14 days of account creation. Which policy should you configure?
107. You have a hybrid identity environment with Microsoft Entra ID and Active Directory Domain Services (AD DS). You need to ensure that user passwords are synchronized to Microsoft Entra ID without any hashing of passwords. Which tool should you use?
108. Your organization uses Microsoft Entra ID P2 and has enabled Microsoft Entra ID Protection. You need to generate a weekly report of users who are at risk due to anomalous sign-in activity and send it to the security team. What is the most efficient way to achieve this?
109. A user reports that they cannot access a cloud app that requires MFA. The user's mobile phone is lost. They have no other registered MFA methods. What should the administrator do?
110. Which TWO of the following are valid conditions that can be used in a Microsoft Entra ID conditional access policy? (Choose two.)
111. Which THREE of the following are required to implement Microsoft Entra ID Identity Governance for access reviews? (Choose three.)
112. Which TWO of the following are benefits of using Microsoft Entra ID Provisioning for cloud HR applications like Workday? (Choose two.)
113. Your organization uses Microsoft Entra ID to manage user identities. You need to ensure that users can reset their own passwords without administrator intervention, but only if they have registered for self-service password reset (SSPR). What should you configure?
114. Your company uses Microsoft Entra ID with hybrid joined devices. You need to enforce multi-factor authentication (MFA) for all cloud app access but want to exclude specific locations (trusted IPs). What is the most efficient way to implement this?
115. You are implementing Microsoft Entra ID Governance. You need to automate the creation of guest user accounts when employees submit a request through the company's HR system. What should you use?
116. Your organization plans to use Microsoft Entra ID as the identity provider for a third-party SaaS application that supports SAML 2.0. You need to configure single sign-on (SSO) for the application. What should you create in Microsoft Entra ID?
117. You are troubleshooting an issue where users from a partner organization cannot access a shared app in your Microsoft Entra ID tenant. The partner uses Microsoft Entra ID with a custom domain. You have configured cross-tenant access settings. Which setting is most likely misconfigured?
118. Your organization requires that all administrators use phishing-resistant authentication methods. Which Microsoft Entra ID authentication method meets this requirement?
119. You are designing a Microsoft Entra ID tenant for a new subsidiary. You need to ensure that users can authenticate using their existing on-premises Active Directory credentials without synchronizing password hashes to the cloud. Which identity model should you choose?
120. Your company uses Microsoft Entra ID and has enabled Microsoft Entra ID Protection. You notice that a user's sign-in was blocked due to a medium user risk. However, the user claims the sign-in was legitimate. What should you do to allow future sign-ins without lowering security?
121. You need to provide external partners with access to specific SharePoint Online sites without creating user objects in your Microsoft Entra ID. What should you use?
122. Your organization is implementing a zero-trust security model. Which TWO Microsoft Entra ID features should you enable to enforce least-privilege access and continuous verification?
123. You are deploying Microsoft Entra ID Governance. Which THREE capabilities should you include to meet compliance requirements for access recertification and lifecycle management?
124. Your company uses Microsoft Entra ID with hybrid identity. You need to ensure that when a user is disabled in on-premises Active Directory, the corresponding cloud user is also disabled. Which TWO configurations are required?
125. You are reviewing a Conditional Access session control configuration in Microsoft Entra ID. Based on the exhibit, what is the expected behavior when a user signs in?
126. You are examining the default cross-tenant access policy for your Microsoft Entra ID tenant. Based on the exhibit, which statement is true?
127. You are the identity architect for Contoso, a multinational company with 50,000 employees. Contoso uses Microsoft Entra ID with hybrid identity (PHS) and Microsoft Entra ID Protection. The company is deploying Microsoft Copilot for Microsoft 365 and wants to ensure that access to Copilot is controlled based on user risk, device compliance, and location. Additionally, the security team requires that all Copilot interactions are logged and auditable. You need to design a solution that meets these requirements with minimal administrative overhead.
Current environment:
- All users are synced from on-premises AD using Microsoft Entra Connect.
- Devices are either Microsoft Entra hybrid joined or Microsoft Entra registered.
- Microsoft Entra ID Protection is enabled with user risk and sign-in risk policies.
- Microsoft Intune is used for device compliance policies.
- All users have Microsoft 365 E5 licenses.
Requirements:
- Access to Copilot must be blocked for users with high user risk.
- Access from untrusted locations must require MFA.
- Only compliant devices can access Copilot.
- All Copilot interactions must be captured in Microsoft Purview Audit (Standard).
What should you do?
128. Your organization uses Microsoft Entra ID P2 licenses. You need to configure a Conditional Access policy that requires phishing-resistant multifactor authentication (MFA) for all users accessing sensitive applications. Which authentication strength should you select in the policy?
129. You are troubleshooting why a user cannot access a SharePoint Online site. The user is assigned a Conditional Access policy that requires compliant device, and the device is enrolled in Microsoft Intune but shows as non-compliant. What is the most likely cause?
130. Your company has a hybrid identity configuration with Microsoft Entra Connect Sync. You need to enable password hash synchronization (PHS) for hybrid users. What is the prerequisite?
131. Refer to the exhibit. You need to ensure that users accessing Exchange Online from unmanaged devices are blocked. What should you modify in the policy?
132. Your organization uses Microsoft Entra ID Governance. You need to implement an access review for all users who have access to a critical application. The review must be recurring every quarter and require reviewers to provide a justification for their decisions. Which access review settings should you configure?
133. You are implementing Microsoft Entra Verified ID. Which identity verification method uses a decentralized identity standard?
134. Your organization uses Microsoft Entra ID. You need to ensure that users can only access company resources from trusted networks. Which Conditional Access condition should you configure?
135. Your company deploys Microsoft 365 Copilot. You need to enforce that Copilot responses are based only on data within the tenant, not external sources. Which setting should you configure?
136. You need to configure self-service password reset (SSPR) for users in Microsoft Entra ID. Which license is required?
137. Your organization needs to implement a Conditional Access policy that blocks access from countries where the company has no business operations. Which TWO conditions should you configure?
138. Your company uses Microsoft Entra ID P2. You need to configure Identity Protection to automatically remediate high-risk users. Which THREE actions can you configure?
139. You are designing a tenant restriction policy using Microsoft Entra ID. Which TWO components are required?
140. Your organization, Contoso Ltd., has a Microsoft 365 E5 tenant with Microsoft Entra ID P2. You are the Global Administrator. The security team reports that several users have been compromised due to weak passwords. You need to implement a solution that enforces strong password policies and blocks common passwords. The solution must also provide users with the ability to reset their own passwords securely if they forget them, without requiring help desk intervention. Additionally, you need to configure risk-based Conditional Access policies to block sign-ins from anonymous IP addresses and require MFA for high-risk sign-ins. You have the following options:
A. Configure password protection in Microsoft Entra ID to enforce a custom banned password list and enable self-service password reset (SSPR) with MFA. Then create Conditional Access policies for sign-in risk and anonymous IP.
B. Enable password hash sync and configure pass-through authentication. Create a Conditional Access policy to require MFA for all users.
C. Implement Microsoft Entra ID Protection and enable MFA registration policy. Configure password expiration to 90 days.
D. Use security defaults in Microsoft Entra ID and enable automatic password rollback.
Which option should you choose?
141. Your company, Fabrikam Inc., uses Microsoft Entra ID with hybrid identity. You have an on-premises Active Directory and use Microsoft Entra Connect Sync to synchronize users. You need to configure Microsoft Entra ID Protection to detect leaked credentials and risky sign-ins. Additionally, you must ensure that when a user is detected as high risk, their access is automatically blocked and they are required to change their password. You also need to enable password writeback so that password changes are written back to on-premises AD. You have the following options:
A. Enable Identity Protection, configure user risk policy to require password change, and enable password writeback in Microsoft Entra Connect.
B. Enable Identity Protection, configure sign-in risk policy to block access, and enable password hash sync.
C. Configure Conditional Access policy to require MFA for all users, and enable seamless SSO.
D. Deploy Microsoft Defender for Identity and configure automatic remediation.
Which option should you choose?
142. Your organization, Wingtip Toys, has a Microsoft 365 E3 tenant. You are implementing Microsoft Entra ID Governance. You need to create an access review for all guest users who have access to the company's HR application. The review must be performed by the application owner, and any denied access should be automatically removed after the review completes. You also need to ensure that if the reviewer does not respond, their access is automatically revoked. You have the following options:
A. Create an access review with scope: All guest users, reviewers: Application owner, auto-apply results: Yes, action to apply if reviewers don't respond: Remove access.
B. Create an access review with scope: All users, reviewers: Resource owners, auto-apply results: No, action to apply if reviewers don't respond: Keep access.
C. Create an access review with scope: Group members, reviewers: Group owner, auto-apply results: Yes, action to apply if reviewers don't respond: Keep access.
D. Create an access review with scope: All guest users, reviewers: Resource owner, auto-apply results: No, action to apply if reviewers don't respond: Remove access.
Which option should you choose?
143Your organization uses Microsoft Entra ID P2 licensing. You need to ensure that when a user's risk level is detected as 'high' by Identity Protection, the user is automatically required to perform a password change during their next sign-in. Which conditional access policy configuration should you use?
144Your company is migrating from on-premises Active Directory to Microsoft Entra ID. You plan to use Microsoft Entra Connect Sync to synchronize user accounts. The security team requires that all cloud-only users must be blocked from syncing to on-premises AD. What should you do to meet this requirement?
145A user reports they cannot access a SharePoint Online site. They receive an error stating that their account is disabled. You check Microsoft Entra ID and see the user's account is enabled. What is the most likely cause?
146Refer to the exhibit. The conditional access policy JSON shown above is applied to all users. A user authenticates from a trusted location and wants to access a cloud app. Which combination of controls will be enforced?
147You need to allow external users from a specific partner organization to access a SharePoint Online site using their own Microsoft Entra ID credentials. Which feature should you configure?
148Your organization uses Microsoft Entra ID P2. You want to automatically remediate high-risk users by requiring them to change their password. However, you also want to allow users to self-remediate if they believe the risk detection is false positive. What should you implement?
149Which TWO actions can you perform using Microsoft Entra ID Governance? (Choose two.)
150Which THREE are valid methods to protect against password spray attacks in Microsoft Entra ID? (Choose three.)
151Which TWO are prerequisites for implementing Microsoft Entra ID Identity Protection? (Choose two.)
152Which THREE are features of Microsoft Entra ID Governance? (Choose three.)
153You are the identity administrator for Contoso Ltd., a multinational company with 10,000 employees. The company uses Microsoft Entra ID P2 licenses for all users. The security team has mandated the following requirements: 1) All users must use multi-factor authentication (MFA) when accessing any cloud app from untrusted networks. 2) Users who are detected as high risk by Identity Protection must be automatically blocked from signing in until an administrator reviews the risk. 3) Guest users from partner organizations must have their access reviewed every 90 days. 4) The IT department must be able to grant temporary administrative access to specific roles for up to 4 hours without requiring approval from a manager. You need to design a solution that meets all requirements with minimal administrative effort. Which combination of actions should you take?
154Your organization, Fabrikam Inc., uses Microsoft Entra ID with a hybrid identity configuration. You have 500 cloud-only users and 5,000 synced users from on-premises Active Directory. The company wants to implement a passwordless authentication strategy. The following requirements must be met: 1) All users must be able to sign in without a password on Windows 10/11 devices that are Microsoft Entra joined. 2) Users who are not assigned a mobile phone must be able to use a security key (FIDO2). 3) The solution must work for both cloud-only and synced users. 4) The passwordless method should require the lowest administrative overhead for enrollment. Which passwordless authentication method should you recommend?
155Your company, Northwind Traders, uses Microsoft Entra ID P1. You need to allow employees to reset their own passwords without help desk intervention. The company policy requires that password resets be secured with two verification methods. Additionally, users must not be able to reuse the last 10 passwords. The solution must minimize administrative effort. What should you configure?
156Your organization, Contoso, has a Microsoft Entra ID tenant with 50,000 users. You are implementing a zero-trust security model. The following requirements must be met: 1) All access to SaaS applications must be restricted based on user, device, and location. 2) Users accessing from unmanaged devices must only be allowed browser-based access and must accept terms of use. 3) The IT team must be able to grant temporary access to the Global Administrator role for up to 8 hours. 4) All external users must have their access reviewed every 6 months. Which combination of Microsoft Entra features should you use?
157Your company, Alpine Ski House, uses Microsoft Entra ID P2. You have the following requirements: 1) Users in the Finance department must be required to use MFA when accessing the financial application, but only if they are not on the corporate network. 2) All users must be automatically blocked if Identity Protection detects their account as compromised (high user risk). 3) You need to ensure that the password change process after a high-risk detection does not allow users to reuse the last 5 passwords. 4) The solution must minimize false positives and allow users to self-remediate if they believe a risk detection is incorrect. Which configuration should you implement?
158Your organization uses Microsoft Entra ID P2 licenses. You need to configure a Conditional Access policy that requires phishing-resistant authentication for all users when accessing the Azure Management application. Which TWO authentication methods satisfy the requirement?
159Your company is implementing a Microsoft Entra ID Governance solution. You need to ensure that access reviews are performed for all guest users in the Finance department. The review must be conducted by the guest user's manager. Which THREE actions should you take?
160Refer to the exhibit. You have a Conditional Access policy as shown. A Global Administrator reports that they are not prompted for MFA when accessing the Azure portal. Which is the most likely reason?
161Your organization uses Microsoft Entra ID P2 and Microsoft Defender for Cloud Apps. You need to protect a custom SaaS application that uses SAML-based SSO. The application does not support Conditional Access. You want to enforce session controls such as blocking downloads of sensitive files. What should you implement?
162You are troubleshooting a user who cannot sign in to Microsoft Teams. Sign-in logs show error code 53003 with additional details 'Blocked by Conditional Access'. The user is a member of a group that is excluded from the Conditional Access policy. What is the most likely cause?
163Your organization, Contoso Ltd., has a Microsoft 365 E5 tenant with Microsoft Entra ID P2. You have 10,000 users and 500 applications. You are planning to implement a comprehensive identity security strategy. Your requirements are: 1. All users must use phishing-resistant MFA for accessing business-critical applications. 2. Users accessing sensitive HR data must be required to use a compliant device. 3. Any authentication attempt from an anonymous IP address or from a country where Contoso has no business operations must be blocked. 4. All external collaboration must be governed by access reviews that require sponsor approval. 5. You need to monitor and respond to identity risks in real time. You need to design a solution using Microsoft Entra ID features. Which combination of features should you implement?
164You are the identity administrator for a multinational company with 50,000 users. The company uses Microsoft Entra ID P2 and has recently acquired a small subsidiary with 300 users that uses a different identity provider (Okta). You need to integrate the subsidiary's identities into your Microsoft Entra tenant. Requirements: - The subsidiary's users must be able to access Microsoft 365 applications using their existing Okta credentials. - You must minimize changes to the subsidiary's existing infrastructure. - All access to Microsoft 365 must be governed by your Conditional Access policies. - Passwords must not be stored in Microsoft Entra ID. What should you implement?
165Your organization uses Microsoft 365 Business Premium with Microsoft Entra ID P1. You have 200 users. You need to enforce multi-factor authentication (MFA) for all users accessing the company's CRM application, which is a third-party SaaS app integrated via SAML. The CRM app does not support modern authentication protocols. You want to use a Microsoft solution that does not require additional licenses. What should you use?
166Your company has a Microsoft 365 E5 tenant with Microsoft Entra ID P2. You are the security administrator. You need to implement a solution that automatically detects and remediates identity risks. Requirements: - Risky sign-ins (e.g., from anonymous IP addresses) should be automatically blocked. - Users with confirmed compromised credentials should be forced to reset their password at next sign-in. - You need to receive alerts when high-risk events occur. - The solution must minimize false positives. Which Microsoft Entra ID features should you combine?
The Implement and manage Microsoft Entra identity and access domain covers the key concepts tested in this area of the MS-102 exam blueprint published by Microsoft. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all MS-102 domains — no account required.
The Courseiva MS-102 question bank contains 166 questions in the Implement and manage Microsoft Entra identity and access domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Implement and manage Microsoft Entra identity and access domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.