Microsoft · Free Practice Questions · Last reviewed May 2026

MS-102 Exam Questions and Answers

24 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

60 exam questions
120 min time limit
Pass at 700 / 1000
4 exam domains

Domain 1: Deploy and manage a Microsoft 365 tenant


An administrator is onboarding a new custom domain for email in a Microsoft 365 tenant. Which step should be performed first?

A. Add the domain in the Microsoft 365 admin center (correct)
   The initial step is to register the domain with Microsoft 365 so it can be associated with the tenant.
B. Verify domain ownership by adding a TXT record
C. Configure DNS records for Microsoft services
D. Set the domain as the primary email domain

Why: The correct first step is to add the custom domain in the Microsoft 365 admin center. After adding the domain, you must verify ownership by adding a TXT record in your DNS hosting provider. Only after verification can you configure other DNS records and set the domain as the primary email domain.

A company wants to prevent their Microsoft 365 tenant from allowing external users to be invited by default. Only specific administrators should be able to invite guests. Which setting should be changed?

A. External Identities – External collaboration settings (correct)
   This setting controls who can invite guest users; it can be changed to restrict invitations to administrators.
B. Conditional Access policy to block external users
C. Tenant restrictions
D. B2B direct connect

Why: The external collaboration settings in Microsoft Entra ID (Azure AD) control guest invitation permissions. By default, all users can invite guests. Changing the setting to 'Only users with specific admin roles can invite guests' restricts invite ability. Conditional Access policies can block external access but do not control the ability to invite. B2B direct connect is for cross-tenant collaboration without invitations.

A company is planning to migrate from on-premises Exchange to Exchange Online and needs to ensure that mail flow can coexist between the two environments during the transition. Which tool should the administrator use to configure this hybrid deployment?

A. Azure AD Connect
B. Exchange Hybrid Configuration Wizard (correct)
   This wizard guides through the steps to establish a hybrid relationship between on-premises Exchange and Exchange Online, including mail flow and free/busy sharing.
C. Microsoft 365 Admin Center
D. Exchange Admin Center

Why: The Exchange Hybrid Configuration Wizard in the on-premises Exchange admin center automates the setup of hybrid deployment, allowing mailbox coexistence and mail flow routing between on-premises and cloud. Azure AD Connect is for directory synchronization, not hybrid mail flow. The Microsoft 365 Admin Center and Exchange Admin Center are management portals but do not configure the hybrid setup directly.

A company wants to allow users to log in to Microsoft 365 using their existing on-premises Active Directory credentials and ensure that password changes are reflected immediately in the cloud. Which authentication method should be implemented?

A. Password Hash Synchronization (PHS)
B. Pass-through Authentication (PTA)
C. Federation with AD FS (correct)
   AD FS federates authentication so that Microsoft 365 trusts the on-premises system; any password change in on-prem AD is immediately reflected.
D. Azure AD Seamless SSO

Why: Federation with AD FS provides real-time password validation against on-premises Active Directory, so password changes take effect immediately in Microsoft 365. Password Hash Synchronization syncs hashes periodically (every few minutes). Pass-through Authentication validates passwords on-premises but still relies on sync for password updates. Seamless SSO is only for silent sign-on. Therefore, AD FS federation is the correct choice for immediate password change synchronization.

A newly hired administrator needs to manage user accounts, licenses, and reset passwords. Which portal should they access?

A. Microsoft 365 admin center (correct)
   This portal centralizes user management, license assignment, and common administrative functions for Microsoft 365.
B. Microsoft Entra admin center
C. Microsoft 365 Defender
D. Azure Active Directory admin center

Why: The Microsoft 365 admin center (admin.microsoft.com) provides the primary interface for managing users, assigning licenses, and performing administrative tasks like password resets. The Microsoft Entra admin center is more focused on identity and security configurations. Microsoft 365 Defender is for security monitoring and response. The Azure AD portal is legacy and not the recommended entry point.

An organization wants to authenticate users using their on-premises Active Directory without synchronizing passwords to Microsoft Entra ID. Which identity model should they choose?

A. Federated identity (correct)
   Federated identity uses on-premises authentication (e.g., AD FS) and does not require password synchronization to the cloud.
B. Synchronized identity
C. Cloud-only identity
D. Microsoft-managed identity

Why: Federated identity allows authentication to occur on-premises (e.g., using AD FS) without passwords being stored in the cloud. Synchronized identity requires password hash sync, cloud-only has no on-premises AD, and Microsoft-managed identity is not a valid model.


Domain 2: Implement and manage identity and access in Microsoft Entra ID


An organization has Microsoft Entra ID P2 licenses and wants to configure a Conditional Access policy to restrict access to Microsoft 365 services. Which of the following can be used as conditions in the policy? (Choose two that apply)

A. Device platform (correct)
   Device platform is a standard condition in Conditional Access that allows policies to be scoped based on the user's device operating system.
B. User risk (correct)
   User risk is a condition available when Identity Protection is enabled; it evaluates the risk level associated with the user account (e.g., leaked credentials).
C. Authentication strength
D. Application ID

Why: In a Conditional Access policy, conditions define the signals under which the policy is enforced. Device platform and User risk are both valid conditions. Device platform allows targeting based on the operating system (e.g., Windows, iOS). User risk evaluates the likelihood of a user's identity being compromised, based on signals from Identity Protection. Authentication strength is a grant control (what to enforce), not a condition. Application ID is used to select cloud apps, not as a condition.

An organization with Microsoft Entra ID P2 licenses wants to require multi-factor authentication (MFA) for all users but allow them to register their authentication methods before being forced to use MFA. Which configuration should they implement?

A. Conditional Access policy with MFA grant and a registration campaign (correct)
   The registration campaign prompts users to register MFA methods before the MFA requirement is enforced, meeting the scenario.
B. Security defaults
C. Per-user MFA
D. Identity Protection user risk policy

Why: Conditional Access policies can include a registration campaign for combined security info registration, allowing users to preregister MFA methods before the policy requiring MFA is enforced. This provides a smooth user experience. Security defaults enforce MFA immediately without a pre-registration period. Per-user MFA requires enabling MFA per user and does not include a registration campaign. Identity Protection user risk policy triggers MFA based on risk, not a blanket requirement.

An organization wants to enforce that all administrators use a phishing-resistant authentication method (e.g., FIDO2 security keys or Windows Hello for Business) when accessing Microsoft 365 admin portals. Which Microsoft Entra ID feature should be used?

A. Conditional Access authentication strength (correct)
   Authentication strength policies let you require specific MFA methods; configuring a policy for admins with a phishing-resistant strength ensures compliance.
B. Security defaults
C. Per-user MFA
D. Identity Protection

Why: Authentication strengths in Conditional Access allow you to specify which authentication methods are required, including phishing-resistant methods (e.g., FIDO2). By creating a Conditional Access policy that targets administrator roles and uses the 'Phishing-resistant MFA' authentication strength, you enforce the requirement. Security defaults enforce MFA but not a specific method. Per-user MFA requires MFA per user without method control. Identity Protection is for risk-based policies.

An organization with Microsoft Entra ID P2 licenses needs to enforce that all users accessing the Azure portal must use FIDO2 security keys for multi-factor authentication. Which configuration should be implemented?

A. Create a Conditional Access policy that requires MFA and select FIDO2 as the authentication strength in the grant controls
B. Create a Conditional Access policy that requires MFA and set the grant control to require a specific device platform
C. Configure an authentication strength policy that requires FIDO2 and assign it to a Conditional Access policy (correct)
   Authentication strengths define acceptable methods; they are then referenced in Conditional Access grant controls to enforce the required method.
D. Configure an authentication methods policy that allows only FIDO2 security keys

Why: Authentication strengths allow you to group authentication methods by required level of security. You create an authentication strength that requires FIDO2 security keys, then assign that strength to a Conditional Access policy's grant control. The authentication methods policy only controls which methods users can register, not enforcement. Conditional Access cannot directly reference individual methods; it references authentication strengths. Thus, option C is correct.

An organization wants to enable users to reset their own passwords using the Microsoft Authenticator app and to prevent reuse of the last five passwords. Which Microsoft Entra ID features should be configured?

A. Microsoft Entra ID Protection and SSPR
B. Self-Service Password Reset (SSPR) and Password Protection (correct)
   SSPR enables self-service resets; Password Protection enforces password reuse restrictions and custom ban lists.
C. Conditional Access and SSPR
D. Identity Governance and SSPR

Why: Self-service password reset (SSPR) allows users to reset their own passwords after verifying their identity via methods like Microsoft Authenticator. Password Protection includes custom banned password lists and enforcement of password history (i.e., preventing reuse of recent passwords). Identity Protection is for detecting risky sign-ins. Conditional Access controls access conditions. Identity Governance manages access certifications. So the combination of SSPR and Password Protection fulfills both requirements.

A company wants to ensure that all new users register for multi-factor authentication (MFA) within 14 days of account creation. Which Microsoft Entra ID feature should be used?

A. MFA registration campaign (correct)
   MFA registration campaign allows admins to require users to register for MFA within a set timeframe.
B. Conditional Access policy
C. Identity Protection
D. Access Reviews

Why: MFA registration campaign (part of Microsoft Entra ID P2) enforces a registration requirement within a specified number of days. Conditional Access requires MFA but does not enforce the registration timeline, Identity Protection detects risks, and Access Reviews manage group memberships.


Domain 3: Manage security and threats by using Microsoft Defender XDR


A security administrator needs a single console to investigate and respond to a complex incident involving alerts from endpoints, email, and identities. Which Microsoft portal should they use?

A. Microsoft 365 Defender portal (correct)
   This portal provides a unified incident management view across Microsoft Defender XDR products, correlating alerts from multiple domains.
B. Microsoft Sentinel
C. Microsoft Defender for Cloud
D. Microsoft 365 compliance center

Why: Microsoft 365 Defender portal (also known as the Microsoft Defender XDR portal) provides a unified experience for managing security across Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. It correlates alerts into incidents and enables cross-domain investigation. Microsoft Sentinel is a SIEM for broader security data, Microsoft Defender for Cloud is for cloud infrastructure, and the Microsoft 365 compliance center focuses on compliance and data governance.

An organization uses Microsoft Defender for Cloud Apps to monitor shadow IT. They want to enforce policies that block downloads from risky cloud apps. Which Microsoft Defender XDR component provides this capability?

A. Microsoft Defender for Cloud Apps (correct)
   Defender for Cloud Apps provides app discovery, session controls, and policies to block unauthorized activities in cloud apps.
B. Microsoft Defender for Endpoint
C. Microsoft Defender for Identity
D. Microsoft Defender for Office 365

Why: Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) provides visibility and control over cloud apps, including the ability to create session policies that block downloads or restrict activities for risky apps. Microsoft Defender for Endpoint focuses on endpoints, Defender for Identity on on-premises AD, and Defender for Office 365 on email and collaboration.

An organization wants to prevent users from running executable files from the Windows Temp folder. Which Microsoft Defender for Endpoint capability should be configured?

A. Attack surface reduction rules (correct)
   ASR rules can block executables from running from common temporary folders, reducing the risk of malware execution.
B. Network protection
C. Exploit protection
D. Controlled folder access

Why: Attack surface reduction (ASR) rules target specific software behaviors often used by malware, such as running executables from the Temp folder. Network protection blocks outbound connections to malicious IPs. Exploit protection applies memory mitigations. Controlled folder access protects folders from unauthorized changes by ransomware. The correct answer is ASR rules.

A security team wants to automatically investigate and respond to security incidents across endpoints, email, and identities without manual intervention. Which Microsoft Defender XDR capability provides this automation?

A. Automated investigation and response (AIR) (correct)
   AIR uses automation to investigate alerts and take predefined remediation actions, such as isolating devices or deleting malicious emails.
B. Advanced hunting
C. Threat analytics
D. Attack surface reduction rules

Why: Automated investigation and response (AIR) in Microsoft Defender XDR orchestrates the investigation and automatic remediation of incidents across multiple domains (endpoints, email, identities). Advanced hunting is for custom threat hunting queries. Threat analytics provides threat intelligence reports. Attack surface reduction rules are preventive controls. Therefore, AIR is the correct feature.

A security administrator notices that users are receiving phishing emails that evade built-in anti-spam filters. The administrator wants to enable users to report these suspicious emails from Outlook and have them automatically trigger an investigation and block the sender. Which feature should be configured in Microsoft Defender for Office 365?

A. Attack simulation training
B. Threat Explorer
C. User reported settings in the Microsoft 365 Defender portal (correct)
   These settings can be configured to route reported messages for automated investigation and automatically block senders detected as malicious.
D. Safe Links

Why: User reported settings in the Microsoft 365 Defender portal allow you to define what happens when users report messages. By configuring the reporting experience to automatically trigger an investigation and add the sender to the tenant block list, you can turn user reports into automated remediation. Attack simulation training is for phishing training, not automatic blocking. Threat Explorer is a manual investigation tool. Safe Links protects URLs but does not handle user reports.

A security operations team uses Microsoft Defender XDR. They want to create a custom detection rule that alerts when a specific process (e.g., wscript.exe) launches from a user's temp directory and then performs a network connection to an external IP. Which advanced hunting query language should they use?

A. Kusto Query Language (KQL) (correct)
   KQL is the query language used in Microsoft Defender XDR advanced hunting to create custom detection rules.
B. PowerShell
C. Splunk SPL
D. SQL

Why: Advanced hunting in Microsoft Defender XDR uses Kusto Query Language (KQL) to build queries for threat hunting and custom detection rules. PowerShell, Splunk SPL, and SQL are not native to the Defender XDR advanced hunting interface.


Domain 4: Manage compliance by using Microsoft Purview


A compliance officer needs to automatically retain emails that contain personally identifiable information (PII) for 10 years and then permanently delete them. Which Microsoft Purview feature should be configured?

A. Auto-apply retention labels based on sensitive information types (correct)
   Retention labels can be auto-applied to emails containing PII, triggering a 10-year retention and subsequent deletion.
B. Data Lifecycle Management retention policy
C. Data classification
D. eDiscovery

Why: Retention labels can be auto-applied to emails based on sensitive information types (e.g., credit card numbers, social security numbers) using an auto-labeling policy. When the label is applied, the retention period of 10 years starts. After 10 years, the label's action (delete) is executed. Retention policies apply to all content in a location and cannot be scoped to specific sensitive content. Data classification discovers but does not enforce retention. eDiscovery is for search and hold, not lifecycle.

A compliance officer needs to prevent external users from printing or copying content from documents stored in a SharePoint Online site. Which Microsoft Purview feature should be configured to enforce this restriction?

A. Sensitivity labels with encryption and usage rights (correct)
   Sensitivity labels can include protection settings that restrict actions like print, copy, and edit using Azure Rights Management.
B. Data Loss Prevention (DLP) policy
C. Information Barriers
D. Microsoft Purview Information Protection without encryption

Why: Sensitivity labels with encryption and usage rights can restrict actions such as printing, copying, and forwarding. When a sensitivity label is applied to a document, those restrictions are enforced regardless of where the document is accessed. Data Loss Prevention (DLP) policies prevent sharing of sensitive information but do not control printing or copying once access is granted. Information Barriers restrict communication and collaboration between specific groups. Rights Management is part of sensitivity labels; the label itself is the primary configuration.

A compliance officer needs to automatically classify documents in SharePoint Online that contain credit card numbers. The classification should apply a label that restricts access and adds a header. Which two Microsoft Purview features must be configured? (Choose two.)

A. Sensitivity labels (correct)
   Sensitivity labels define the actual protection settings, such as encryption, access restrictions, and header/footer markings.
B. Retention labels
C. Data Loss Prevention (DLP) policies
D. Auto-labeling policies (correct)
   Auto-labeling policies use conditions such as sensitive info types to automatically assign sensitivity labels to content.

Why: To automatically classify documents, an auto-labeling policy is used to detect sensitive information types (e.g., credit card numbers) and automatically apply a sensitivity label. The sensitivity label itself defines the protection actions (restrict access, add header). Retention labels are for retention/deletion, not classification. DLP policies can detect sensitive info but cannot apply labels automatically.

A compliance administrator needs to ensure that all documents in a SharePoint library are retained for exactly 7 years and then allow users to manually dispose of them sooner after a review. What should they configure in Microsoft Purview?

A. Create a retention label with a retention period of 7 years and enable disposition review (correct)
   Disposition review provides a manual review step before deletion, allowing users to dispose items early if approved.
B. Create a retention label with a retention period of 7 years and no additional action
C. Create a sensitivity label that restricts access
D. Create a record label

Why: A retention label with a retention period of 7 years and a disposition review enables the retention period for 7 years and then requires a manual review before permanent deletion. This allows users to trigger disposition earlier if needed via a manual action. A retention label without disposition review would auto-delete after 7 years without a manual option. Sensitivity labels are for protection, not retention. Record labels are a type of retention label but typically enforce a more rigid policy; the scenario specifically asks for manual disposition, which is enabled only with disposition review.

An organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. They want to create a policy that blocks users from pasting credit card numbers into web forms in Microsoft Edge. Which type of DLP policy should they configure?

A. Endpoint DLP (correct)
   Endpoint DLP monitors devices and can block clipboard paste actions on web forms in Edge.
B. Exchange DLP
C. SharePoint DLP
D. Teams DLP

Why: Endpoint DLP policies monitor and control activities on Windows and macOS devices, including clipboard operations like paste. Exchange, SharePoint, and Teams DLP policies are service-specific and do not cover endpoint clipboard actions.

A legal department needs to preserve all communications related to an ongoing lawsuit. They identify specific users and require that their mailbox items and OneDrive files are not altered or deleted. Which Microsoft Purview feature should be used?

A. Litigation Hold (correct)
   Litigation Hold preserves mailbox and OneDrive content in-place, preventing deletion or changes.
B. Retention Policy
C. Data Loss Prevention (DLP)
D. eDiscovery

Why: Litigation Hold preserves all content in Exchange Online mailboxes and OneDrive for Business, preventing deletion and modification for eDiscovery purposes. Retention policies automate retention, DLP prevents data loss, and eDiscovery is for search and export.


Frequently asked questions

How many questions are on the MS-102 exam?

The MS-102 exam has up to 60 questions and must be completed in 120 minutes. The passing score is 700/1000.

What types of questions appear on the MS-102 exam?

The MS-102 exam uses multiple-choice, multiple-select, drag-and-drop, and exhibit-based questions. Exhibit questions show CLI output, network diagrams, or routing tables and ask you to interpret them — exactly the format Courseiva uses.

How are MS-102 questions organised by domain?

The exam covers 4 domains: Deploy and manage a Microsoft 365 tenant, Implement and manage identity and access in Microsoft Entra ID, Manage security and threats by using Microsoft Defender XDR, Manage compliance by using Microsoft Purview. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual MS-102 exam questions?

No. These are original exam-style practice questions written against the official Microsoft MS-102 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
