
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Microsoft · Free Practice Questions · Last reviewed May 2026

MS-102 Exam Questions and Answers

36 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right, and why the others are wrong.

Exam facts: 50 exam questions, 120 min time limit, pass mark 700/1000, 6 exam domains.

Exam domains:
1. Deploy and manage a Microsoft 365 tenant
2. Implement and manage Microsoft Entra identity and access
3. Manage security and threats by using Microsoft Defender XDR
4. Manage compliance by using Microsoft Purview
5. Manage users, groups, licensing, and support
6. Implement and manage identity and access in Microsoft Entra ID

Domain 1: Deploy and manage a Microsoft 365 tenant

Q1 (easy)

An administrator is onboarding a new custom domain for email in a Microsoft 365 tenant. Which step should be performed first?

A. Add the domain in the Microsoft 365 admin center [correct]
   The initial step is to register the domain with Microsoft 365 so it can be associated with the tenant.
B. Verify domain ownership by adding a TXT record
C. Configure DNS records for Microsoft services
D. Set the domain as the primary email domain

Why: Before you can use a custom domain for email or any other service in Microsoft 365, you must first add the domain to the tenant in the Microsoft 365 admin center. This creates the domain object in Azure Active Directory and initiates the verification process. Only after the domain is added can you proceed to verify ownership and configure DNS records.
Q2 (easy)

A company wants to prevent their Microsoft 365 tenant from allowing external users to be invited by default. Only specific administrators should be able to invite guests. Which setting should be changed?

A. External Identities – External collaboration settings [correct]
   This setting controls who can invite guest users; it can be changed to restrict invitations to administrators.
B. Conditional Access policy to block external users
C. Tenant restrictions
D. B2B direct connect

Why: The correct setting is under External Identities – External collaboration settings, specifically the 'Guest invite settings' option. By default, this is set to 'Anyone in the organization can invite guest users including guests and non-admins'. Changing it to 'Only users assigned to specific admin roles can invite guest users' restricts guest invitations to designated administrators, meeting the requirement to prevent default external user invitations.
Q3 (medium)

A company is planning to migrate from on-premises Exchange to Exchange Online and needs to ensure that mail flow can coexist between the two environments during the transition. Which tool should the administrator use to configure this hybrid deployment?

A. Azure AD Connect
B. Exchange Hybrid Configuration Wizard [correct]
   This wizard guides through the steps to establish a hybrid relationship between on-premises Exchange and Exchange Online, including mail flow and free/busy sharing.
C. Microsoft 365 Admin Center
D. Exchange Admin Center

Why: The Exchange Hybrid Configuration Wizard (HCW) is the correct tool because it automates the configuration of coexistence features between on-premises Exchange and Exchange Online, including mail flow routing, free/busy sharing, and OAuth authentication. It generates the necessary connectors and settings to support a hybrid deployment, ensuring seamless mail flow during migration.
Q4 (medium)

A company wants to allow users to log in to Microsoft 365 using their existing on-premises Active Directory credentials and ensure that password changes are reflected immediately in the cloud. Which authentication method should be implemented?

A. Password Hash Synchronization (PHS)
B. Pass-through Authentication (PTA)
C. Federation with AD FS [correct]
   AD FS federates authentication so that Microsoft 365 trusts the on-premises system; any password change in on-prem AD is immediately reflected.
D. Azure AD Seamless SSO

Why: Federation with AD FS is correct because it allows users to authenticate directly against on-premises Active Directory, and password changes made on-premises are immediately reflected in the cloud since authentication never passes the password hash to Azure AD. This meets the requirement for instant password change propagation without any synchronization delay.
Q5 (easy)

A newly hired administrator needs to manage user accounts, licenses, and reset passwords. Which portal should they access?

A. Microsoft 365 admin center [correct]
   This portal centralizes user management, license assignment, and common administrative functions for Microsoft 365.
B. Microsoft Entra admin center
C. Microsoft 365 Defender
D. Azure Active Directory admin center

Why: The Microsoft 365 admin center (admin.microsoft.com) is the primary portal for day-to-day user administration tasks such as creating and managing user accounts, assigning licenses, and resetting passwords. It provides a unified interface for these common identity and license management operations within a Microsoft 365 tenant.
Q6 (easy)

An organization wants to authenticate users using their on-premises Active Directory without synchronizing passwords to Microsoft Entra ID. Which identity model should they choose?

A. Federated identity [correct]
   Federated identity uses on-premises authentication (e.g., AD FS) and does not require password synchronization to the cloud.
B. Synchronized identity
C. Cloud-only identity
D. Microsoft-managed identity

Why: Federated identity allows users to authenticate against on-premises Active Directory through a federation service such as AD FS, using protocols such as WS-Federation or SAML 2.0, without synchronizing password hashes to Microsoft Entra ID. This model relies on a trust relationship between the on-premises identity provider and Entra ID, ensuring passwords never leave the local environment.


Domain 2: Implement and manage Microsoft Entra identity and access

Q1 (easy)

A company uses Microsoft Entra ID for identity management. The security team wants to ensure that users cannot register applications in the tenant to prevent potential data leakage. Which setting should be configured?

A. Set the 'Admin consent requests' setting to 'Allow'
B. Enable the 'Admin consent workflow'
C. Set 'Users can register applications' to 'No' in User settings [correct]
   This prevents users from registering applications.
D. Set 'Users can consent to apps accessing company data' to 'No'

Why: Option C is correct because setting 'Users can register applications' to 'No' in the Microsoft Entra ID User settings explicitly prevents non-admin users from creating application registrations in the tenant. This directly addresses the security team's goal of blocking users from registering apps, which could otherwise expose tenant data through misconfigured or malicious applications.
Q2 (medium)

Your organization is migrating from on-premises Active Directory to Microsoft Entra ID. You need to ensure that users can use their existing on-premises passwords to log in to cloud services, while maintaining password policy enforcement on-premises. Which feature should you implement?

A. Password Hash Synchronization (PHS) [correct]
   PHS synchronizes password hashes to Entra ID, enabling same-password use.
B. Pass-through Authentication with Seamless SSO
C. Active Directory Federation Services (AD FS)
D. Install Azure AD Connect with default settings

Why: Password Hash Synchronization (PHS) synchronizes the hash of on-premises Active Directory user passwords to Microsoft Entra ID, enabling users to log in to cloud services with the same password. It enforces password policies on-premises because the on-premises domain controller remains the authoritative source for password complexity, expiration, and lockout rules. PHS does not require additional infrastructure beyond Azure AD Connect and works even if the on-premises network is temporarily unavailable.
Q3 (hard)

A multinational company uses Microsoft Entra ID with Conditional Access policies. They have a policy that requires multi-factor authentication (MFA) for all users when accessing the company's custom SaaS application. However, users from the European branch are reporting that they are prompted for MFA every time, even though they have already authenticated via a compliant device. What is the most likely cause?

A. The user's device is not marked as compliant
B. The user has per-user MFA enabled
C. The Conditional Access policy has a session control that requires sign-in frequency [correct]
   Sign-in frequency forces re-authentication after a set time, even on compliant devices.
D. The policy includes a location condition that is not met

Why: Option C is correct because the Conditional Access policy includes a session control that requires sign-in frequency, which forces users to re-authenticate with MFA at a specified interval regardless of device compliance or previous authentication. Even if the device is compliant and the user has already authenticated, the sign-in frequency control overrides session persistence and prompts for MFA again based on the configured time period (e.g., every hour). This explains why European branch users are repeatedly prompted for MFA despite having authenticated via a compliant device.
Q4 (easy)

You are configuring Microsoft Entra ID Protection. You want to automatically respond to a specific risk level by requiring the user to change their password. Which risk policy should you configure?

A. MFA registration policy
B. Sign-in risk policy
C. Session risk policy
D. User risk policy [correct]
   User risk policy can require a password change when risk is detected.

Why: Option D is correct because the user risk policy can be configured to require a password change when user risk is elevated. The sign-in risk policy (option B) typically triggers MFA or a block instead. Options A and C are not standard risk policies.
Q5 (medium)

An organization is implementing Microsoft Entra Verified ID for verifiable credentials. They want to issue credentials to employees that can be used to prove employment status to third parties. Which component must be created first?

A. A presentation request policy
B. A distributed ledger network
C. A credential manifest in the Microsoft Entra admin center [correct]
   The credential manifest defines the claims and rules for issuance.
D. A decentralized identifier (DID) for the organization

Why: The credential manifest defines the rules for issuing a verifiable credential, including the claims schema, display information, and issuance policies. In Microsoft Entra Verified ID, you must create the credential manifest in the Entra admin center before any credentials can be issued, as it serves as the template that governs the credential's structure and validation. Without a manifest, there is no definition for what the credential contains or how it should be presented.
Q6 (hard)

Your company uses Microsoft Entra ID and has a hybrid identity with PHS. You need to ensure that when an on-premises user account is disabled, the corresponding cloud user is also blocked from signing in within 5 minutes. What should you configure?

A. Deploy Azure AD Connect cloud sync [correct]
   Cloud sync can sync changes more frequently, down to 1 minute, meeting the 5-minute requirement.
B. Enable password writeback
C. Configure Azure AD Connect to sync the 'userAccountControl' attribute
D. Configure Microsoft Entra Connect Sync to use filtered synchronization

Why: Option A is correct. Syncing the 'userAccountControl' attribute (option C) does carry the 'ACCOUNTDISABLE' flag to the cloud and disables the cloud account, but Azure AD Connect runs its sync cycle every 30 minutes by default, so on its own it cannot guarantee the 5-minute target. Azure AD Connect cloud sync synchronizes changes far more frequently than the 30-minute cycle, which is why deploying it is the option that meets the requirement. Password writeback (option B) handles password changes, not account disablement, and filtered synchronization (option D) only limits which objects are synchronized, so neither helps here.


Domain 3: Manage security and threats by using Microsoft Defender XDR

Q1 (easy)

A security administrator needs a single console to investigate and respond to a complex incident involving alerts from endpoints, email, and identities. Which Microsoft portal should they use?

A. Microsoft 365 Defender portal [correct]
   This portal provides a unified incident management view across Microsoft Defender XDR products, correlating alerts from multiple domains.
B. Microsoft Sentinel
C. Microsoft Defender for Cloud
D. Microsoft 365 compliance center

Why: The Microsoft 365 Defender portal (security.microsoft.com) is the correct choice because it provides a unified incident management console that correlates alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Identity. This allows the security administrator to investigate and respond to a complex incident spanning endpoints, email, and identities from a single pane of glass, leveraging automated investigation and response (AIR) capabilities.
Q2 (medium)

An organization uses Microsoft Defender for Cloud Apps to monitor shadow IT. They want to enforce policies that block downloads from risky cloud apps. Which Microsoft Defender XDR component provides this capability?

A. Microsoft Defender for Cloud Apps [correct]
   Defender for Cloud Apps provides app discovery, session controls, and policies to block unauthorized activities in cloud apps.
B. Microsoft Defender for Endpoint
C. Microsoft Defender for Identity
D. Microsoft Defender for Office 365

Why: Microsoft Defender for Cloud Apps is the correct component because it is specifically designed to provide visibility into shadow IT and enforce policies on cloud applications. Its 'Governance' actions include blocking downloads from risky apps by integrating with the cloud app's API to prevent data exfiltration, which directly addresses the requirement.
Q3 (easy)

An organization wants to prevent users from running executable files from the Windows Temp folder. Which Microsoft Defender for Endpoint capability should be configured?

A. Attack surface reduction rules [correct]
   ASR rules can block executables from running from common temporary folders, reducing the risk of malware execution.
B. Network protection
C. Exploit protection
D. Controlled folder access

Why: Attack surface reduction (ASR) rules are a Microsoft Defender for Endpoint capability that can block executable files from running from specific locations, such as the Windows Temp folder. Rule GUID 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 specifically targets this behavior by preventing executables and scripts from launching from temporary folders. This is the correct capability because ASR rules are designed to reduce the attack surface by controlling common malware entry points and persistence mechanisms.
Q4 (easy)

A security team wants to automatically investigate and respond to security incidents across endpoints, email, and identities without manual intervention. Which Microsoft Defender XDR capability provides this automation?

A. Automated investigation and response (AIR) [correct]
   AIR uses automation to investigate alerts and take predefined remediation actions, such as isolating devices or deleting malicious emails.
B. Advanced hunting
C. Threat analytics
D. Attack surface reduction rules

Why: Automated investigation and response (AIR) is the Microsoft Defender XDR capability that automatically investigates alerts and takes remediation actions across endpoints, email, and identities without manual intervention. It uses playbooks and machine learning to triage incidents, determine scope, and apply actions like isolating devices or deleting malicious emails.
Q5 (hard)

A security administrator notices that users are receiving phishing emails that evade built-in anti-spam filters. The administrator wants to enable users to report these suspicious emails from Outlook and have them automatically trigger an investigation and block the sender. Which feature should be configured in Microsoft Defender for Office 365?

A. Attack simulation training
B. Threat Explorer
C. User reported settings in the Microsoft 365 Defender portal [correct]
   These settings can be configured to route reported messages for automated investigation and automatically block senders detected as malicious.
D. Safe Links

Why: User reported settings in the Microsoft 365 Defender portal allow administrators to configure how user-reported messages are handled. When enabled, users can report suspicious emails directly from Outlook, and these reports can automatically trigger an investigation and block the sender via automated investigation and response (AIR) policies. This directly addresses the requirement to have user-reported emails initiate security actions.
Q6 (hard)

A security operations team uses Microsoft Defender XDR. They want to create a custom detection rule that alerts when a specific process (e.g., wscript.exe) launches from a user's temp directory and then performs a network connection to an external IP. Which advanced hunting query language should they use?

A. Kusto Query Language (KQL) [correct]
   KQL is the query language used in Microsoft Defender XDR advanced hunting to create custom detection rules.
B. PowerShell
C. Splunk SPL
D. SQL

Why: Microsoft Defender XDR uses Kusto Query Language (KQL) for advanced hunting queries, including custom detection rules. KQL allows querying the DeviceProcessEvents and DeviceNetworkEvents tables to correlate process launches with network connections, making it the correct choice for this scenario.
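The correlation the explanation describes, written out as an added example (not a query from the original page): it joins DeviceProcessEvents to DeviceNetworkEvents so that a wscript.exe launch whose script sits in a user's Temp folder is paired with an outbound connection from that same process to a public IP. The 5-minute pairing window, the AppData\Local\Temp path and the 1-day lookback are assumptions; Timestamp, ReportId and DeviceId are kept in the output because a custom detection rule requires those columns.

```kusto
// Added example: wscript.exe running a script from a user's Temp folder, followed
// within a short window by a connection to a non-private IP from the same process.
let lookback = 1d;   // assumed run window for the custom detection rule
let window = 5m;     // assumed maximum gap between the launch and the connection
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "wscript.exe"
// wscript.exe itself lives in System32; the script path is in the command line
| where ProcessCommandLine has @"\AppData\Local\Temp\"
| project DeviceId, DeviceName, AccountName, Timestamp, ReportId,
          ProcessId, ProcessCreationTime, ProcessCommandLine
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName =~ "wscript.exe"
    | where ActionType == "ConnectionSuccess"
    // IPv4 only: ipv4_is_private() returns null for IPv6, so those rows drop out
    | where not(ipv4_is_private(RemoteIP))
    | project DeviceId, InitiatingProcessId, InitiatingProcessCreationTime,
              NetTimestamp = Timestamp, RemoteIP, RemotePort, RemoteUrl
  ) on DeviceId, $left.ProcessId == $right.InitiatingProcessId
// also match the creation time so a reused PID does not pair unrelated events
| where ProcessCreationTime == InitiatingProcessCreationTime
| where NetTimestamp between (Timestamp .. (Timestamp + window))
| project Timestamp, ReportId, DeviceId, DeviceName, AccountName,
          ProcessCommandLine, NetTimestamp, RemoteIP, RemotePort, RemoteUrl
```

Run it in advanced hunting first to check the hit volume, then save it as a custom detection rule with the desired frequency and response actions.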


Domain 4: Manage compliance by using Microsoft Purview

Q1 (medium)

A compliance officer needs to automatically retain emails that contain personally identifiable information (PII) for 10 years and then permanently delete them. Which Microsoft Purview feature should be configured?

A. Auto-apply retention labels based on sensitive information types [correct]
   Retention labels can be auto-applied to emails containing PII, triggering a 10-year retention and subsequent deletion.
B. Data Lifecycle Management retention policy
C. Data classification
D. eDiscovery

Why: Auto-apply retention labels based on sensitive information types allow you to automatically classify and retain emails containing PII for a specified period (10 years) and then permanently delete them. This feature uses sensitive information types (e.g., Social Security Number, Credit Card Number) to detect PII and applies a retention label that enforces the retention and deletion actions at the item level, which is required for targeted compliance scenarios.
Q2 (hard)

A compliance officer needs to prevent external users from printing or copying content from documents stored in a SharePoint Online site. Which Microsoft Purview feature should be configured to enforce this restriction?

A. Sensitivity labels with encryption and usage rights [correct]
   Sensitivity labels can include protection settings that restrict actions like print, copy, and edit using Azure Rights Management.
B. Data Loss Prevention (DLP) policy
C. Information Barriers
D. Microsoft Purview Information Protection without encryption

Why: Sensitivity labels with encryption and usage rights allow administrators to apply Azure Rights Management (Azure RMS) protection to documents, which can restrict actions such as printing and copying. By configuring a sensitivity label with specific usage rights (e.g., 'View Only' or disabling 'Extract' and 'Print'), external users are prevented from printing or copying content even after the document is downloaded or accessed in SharePoint Online. This is the only Purview feature that directly enforces persistent content-level restrictions on external users.
Q3 (medium)

A compliance officer needs to automatically classify documents in SharePoint Online that contain credit card numbers. The classification should apply a label that restricts access and adds a header. Which two Microsoft Purview features must be configured? (Choose two.)

A. Sensitivity labels [correct]
   Sensitivity labels define the actual protection settings, such as encryption, access restrictions, and header/footer markings.
B. Retention labels
C. Data Loss Prevention (DLP) policies
D. Auto-labeling policies [correct]
   Auto-labeling policies use conditions such as sensitive info types to automatically assign sensitivity labels to content.

Why: Sensitivity labels are correct because they are the Microsoft Purview feature that applies classification markings (such as headers and footers) and encryption or access restrictions to documents. For this scenario, a sensitivity label must be configured to enforce the required header and access restrictions on content containing credit card numbers. Auto-labeling policies are the second required feature: the label alone does nothing until a policy detects the credit card number sensitive information type in SharePoint Online content and applies that label automatically.
Q4 (medium)

A compliance administrator needs to ensure that all documents in a SharePoint library are retained for exactly 7 years and then allow users to manually dispose of them sooner after a review. What should they configure in Microsoft Purview?

A. Create a retention label with a retention period of 7 years and enable disposition review [correct]
   Disposition review provides a manual review step before deletion, allowing users to dispose items early if approved.
B. Create a retention label with a retention period of 7 years and no additional action
C. Create a sensitivity label that restricts access
D. Create a record label

Why: Option A is correct because the requirement specifies a fixed 7-year retention period followed by user-initiated disposal after a review. A retention label with a retention period of 7 years and disposition review enabled allows content to be retained for exactly 7 years, after which a disposition review triggers a manual approval process for disposal. This matches the need for both mandatory retention and manual disposal after review.
Q5 (medium)

An organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. They want to create a policy that blocks users from pasting credit card numbers into web forms in Microsoft Edge. Which type of DLP policy should they configure?

A. Endpoint DLP [correct]
   Endpoint DLP monitors devices and can block clipboard paste actions on web forms in Edge.
B. Exchange DLP
C. SharePoint DLP
D. Teams DLP

Why: Endpoint DLP is correct because it monitors and controls activities on Windows 10/11 and macOS endpoints, including the ability to block pasting sensitive data like credit card numbers into web forms in Microsoft Edge. This policy extends DLP protection to unmanaged browsers and specific user actions, such as paste, clipboard, and print, which are not covered by cloud-based DLP policies.
Q6 (medium)

A legal department needs to preserve all communications related to an ongoing lawsuit. They identify specific users and require that their mailbox items and OneDrive files are not altered or deleted. Which Microsoft Purview feature should be used?

A. Litigation Hold [correct]
   Litigation Hold preserves mailbox and OneDrive content in-place, preventing deletion or changes.
B. Retention Policy
C. Data Loss Prevention (DLP)
D. eDiscovery

Why: Litigation Hold is the correct feature because it preserves all mailbox items and OneDrive files for specific users in their current state, preventing any alteration or deletion by users or automated processes. This is essential for legal holds where data must be immutable for eDiscovery purposes, and it applies at the user level rather than broadly across the organization.


Domain 5: Manage users, groups, licensing, and support

Q1 (medium)

A company has a Microsoft 365 E5 subscription. The security team requires that all guest users must have terms of use acceptance before accessing resources. Which Azure AD feature should be configured?

A. Azure AD Terms of Use [correct]
   Azure AD Terms of Use allows creating and requiring acceptance.
B. Conditional Access policy
C. Azure AD Identity Protection
D. Self-service password reset

Why: Azure AD Terms of Use (ToU) is the correct feature because it allows administrators to present a document to guest users that they must accept before accessing resources. This directly meets the security team's requirement for mandatory terms of use acceptance. Conditional Access policies can enforce ToU acceptance, but the ToU document itself is created and managed under the Azure AD Terms of Use blade.
Q2 (easy)

A user reports they cannot access SharePoint Online but can access Outlook. The admin verifies the user has an E3 license assigned. What is the most likely cause?

A. License not assigned
B. MFA challenge failing
C. User account is disabled
D. SharePoint Online service plan is disabled [correct]
   A service plan can be disabled per user.

Why: The user can access Outlook (Exchange Online) but not SharePoint Online, which indicates that the user's E3 license is assigned and the account is active. The most likely cause is that the SharePoint Online service plan within the E3 license is disabled. Each Microsoft 365 license includes multiple service plans (e.g., Exchange Online, SharePoint Online, Teams), and an admin can disable individual plans while keeping the license assigned. If the SharePoint Online service plan is disabled, the user will be blocked from accessing SharePoint Online despite having a valid license.
Q3 (hard)

A company uses dynamic groups based on the department attribute. A user moved from Sales to Marketing but the group membership did not update after 48 hours. What should the admin do first?

A. Delete and recreate the group
B. Run a PowerShell script to update membership
C. Wait another 24 hours
D. Manually refresh the dynamic group in Azure AD [correct]
   Manual refresh forces recalculation.

Why: Option D is correct because Azure AD dynamic group membership evaluation is not instantaneous; it occurs on a periodic schedule. When a user's attribute changes, the admin can manually trigger a refresh by selecting 'Refresh' on the dynamic group's overview page in the Azure portal, which forces an immediate evaluation of the membership rules. This is the first troubleshooting step before waiting longer or using other methods.
Q4 (medium)

An organization wants to delegate user creation to help desk staff without granting global admin rights. Which role should be assigned?

A. Global Administrator
B. Helpdesk Administrator
C. License Administrator
D. User Administrator [correct]
   Can create users and manage licenses.

Why: The User Administrator role is the correct choice because it grants the specific permissions needed to create and manage users and groups, including resetting passwords, without the broad privileges of Global Administrator. This role aligns with the principle of least privilege for help desk staff who need to perform user creation tasks.
Q5 (easy)

A company needs to ensure that only users from specific IP ranges can access Exchange Online. Which tool should be used?

A. Azure AD Conditional Access with Named Locations [correct]
   Named locations define trusted IPs.
B. Security & Compliance Center
C. Multi-factor authentication
D. Azure AD Connect

Why: Azure AD Conditional Access with Named Locations is the correct tool because it allows administrators to define trusted IP ranges as named locations and then enforce access policies that restrict Exchange Online access to only those IP ranges. This integrates directly with Azure AD authentication, evaluating the user's IP address during sign-in to grant or block access based on the policy.
Q6 (hard)

A user with an E5 license is unable to use Azure Information Protection (AIP). The admin confirms the license is assigned. What is the most likely cause?

A. AIP requires an additional subscription
B. AIP client is not installed
C. AIP service plan is disabled in the license [correct]
   Service plans can be toggled per user.
D. User account is blocked

Why: Even with an E5 license assigned, the Azure Information Protection (AIP) service plan must be explicitly enabled for the user. By default, some service plans within an E5 license may be disabled, and the AIP service plan (commonly labeled as 'Azure Information Protection' or 'Information Protection for Office 365') must be toggled on in the user's license settings in the Microsoft 365 admin center. Without this, the user cannot activate AIP features regardless of license assignment.

Want more Manage users, groups, licensing, and support practice?

Practice this domain

Domain 6: Implement and manage identity and access in Microsoft Entra ID

All Implement and manage identity and access in Microsoft Entra ID questions
Q1 (hard)

An organization has Microsoft Entra ID P2 licenses and wants to configure a Conditional Access policy to restrict access to Microsoft 365 services. Which of the following can be used as conditions in the policy? (Choose two that apply)

A

Device platform

Device platform is a standard condition in Conditional Access that allows policies to be scoped based on the user's device operating system.

B

User risk

User risk is a condition available when Identity Protection is enabled; it evaluates the risk level associated with the user account (e.g., leaked credentials).

C

Authentication strength

D

Application ID

Why: Both Device platform and User risk are items under Conditions in a Microsoft Entra Conditional Access policy. Device platform scopes the policy to the operating system the client reports (Windows, macOS, iOS, Android, Linux), which is how you require a compliant or hybrid-joined device only on the platforms Intune manages; the platform is derived from the user agent, so it belongs alongside a device-based grant control rather than being trusted on its own. User risk is the Identity Protection signal (for example, leaked credentials) and needs the P2 licence the organisation holds. Authentication strength is not a condition: it is a grant control that states which MFA method combinations satisfy the policy. Application ID is not a condition either; the applications a policy covers are chosen under Assignments > Target resources, so it is part of the policy's scope, not one of the selectable conditions.
Q2 (medium)

An organization with Microsoft Entra ID P2 licenses wants to require multi-factor authentication (MFA) for all users but allow them to register their authentication methods before being forced to use MFA. Which configuration should they implement?

A

Conditional Access policy with MFA grant and a registration campaign

The registration campaign prompts users to register MFA methods before the MFA requirement is enforced, meeting the scenario.

B

Security defaults

C

Per-user MFA

D

Identity Protection user risk policy

Why: A Conditional Access policy with the Require multifactor authentication grant enforces MFA, and pairing it with a registration campaign (Microsoft Entra admin center > Authentication methods > Registration campaign) prompts the targeted users to set up Microsoft Authenticator in advance, with a snooze window, instead of meeting registration only when the policy first stops them. Users who still have no method registered when the policy applies are taken through combined security information registration at sign-in, so nobody is locked out; roll the policy out in report-only mode and exclude a break-glass account first. Security defaults do give users a 14-day window to register, but they are tenant-wide, Authenticator-only, allow no exclusions and cannot coexist with Conditional Access, so they do not fit a tenant that holds P2 and wants policy control. Legacy per-user MFA is set account by account and has no campaign. An Identity Protection user risk policy requires MFA (or a password change) only when a user is flagged as risky, not for everyone.
Q3 (medium)

An organization wants to enforce that all administrators use a phishing-resistant authentication method (e.g., FIDO2 security keys or Windows Hello for Business) when accessing Microsoft 365 admin portals. Which Microsoft Entra ID feature should be used?

A

Conditional Access authentication strength

Authentication strength policies let you require specific MFA methods; configuring a policy for admins with a phishing-resistant strength ensures compliance.

B

Security defaults

C

Per-user MFA

D

Identity Protection

Why: Option A is correct. An authentication strength is a grant control that lists which method combinations satisfy the policy; the built-in Phishing-resistant MFA strength accepts FIDO2 security keys, Windows Hello for Business and certificate-based authentication, and you can define a custom strength if you want a narrower set. A policy that targets the administrative directory roles, targets the Microsoft Admin Portals resource and grants access only with that strength therefore rejects SMS, voice, TOTP and Authenticator push for those sign-ins. Before enforcing it, confirm the FIDO2 method is enabled in the Authentication methods policy, that every targeted admin has a key registered, and that a break-glass account is excluded; a report-only run shows who would have been blocked. Security defaults and per-user MFA can only require MFA, not a specific method, and Identity Protection reacts to risk rather than prescribing credentials.
Q4 (hard)

An organization with Microsoft Entra ID P2 licenses needs to enforce that all users accessing the Azure portal must use FIDO2 security keys for multi-factor authentication. Which configuration should be implemented?

A

Create a Conditional Access policy that requires MFA and select FIDO2 as the authentication strength in the grant controls

B

Create a Conditional Access policy that requires MFA and set the grant control to require a specific device platform

C

Configure an authentication strength policy that requires FIDO2 and assign it to a Conditional Access policy

Authentication strengths define acceptable methods; they are then referenced in Conditional Access grant controls to enforce the required method.

D

Configure an authentication methods policy that allows only FIDO2 security keys

Why: Option C is correct. No built-in strength is FIDO2-only (the built-in Passwordless MFA and Phishing-resistant MFA strengths also accept Windows Hello for Business, among other methods), so you first create a custom authentication strength whose only allowed combination is a FIDO2 security key, then reference it in the grant controls of a Conditional Access policy that targets the Azure portal (the Microsoft Azure Management resource). Option A describes the same outcome but skips the step that makes it possible: the strength has to exist before it can be selected. Option B confuses a condition (device platform) with a grant control. Option D, the tenant-wide Authentication methods policy, decides which methods users may register at all; restricting it to FIDO2 would remove every other method for every user and application rather than requiring FIDO2 for one resource.
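The procedure behind Q3 and Q4, as one added Microsoft Graph PowerShell example (not from the page or from Microsoft's documentation): a custom FIDO2-only strength, the built-in Phishing-resistant MFA strength looked up by name as the alternative, and a report-only policy that applies the strength to Global Administrators on the admin portals. It assumes the break-glass object ID placeholder is replaced, that the built-in strength is named "Phishing-resistant MFA" in your tenant, and that 797f4846-ba00-4fd7-ba43-dac1f8f63013 is the Windows Azure Service Management API app ID behind the Azure portal (confirm with Get-MgServicePrincipal before relying on it).

```powershell
# Added example: FIDO2-only authentication strength, enforced for Global Administrators on the
# Azure portal and the Microsoft 365 admin portals. Requires Microsoft.Graph (Identity.SignIns,
# Identity.DirectoryManagement submodules).
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "Policy.ReadWrite.ConditionalAccess",
                        "Policy.Read.All", "RoleManagement.Read.Directory", "UserAuthenticationMethod.Read.All"

$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency-access account object ID
$azurePortalAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013"  # Windows Azure Service Management API (assumption; verify)

# 1. Custom strength for Q4: the single allowed combination is a FIDO2 security key.
$fido2Only = New-MgPolicyAuthenticationStrengthPolicy -BodyParameter @{
    displayName         = "FIDO2 security key only"
    description         = "Custom strength: only a FIDO2 security key satisfies MFA"
    allowedCombinations = @("fido2")
}

# 2. Built-in strength for Q3 (FIDO2, Windows Hello for Business, certificate-based auth), resolved by name.
$phishingResistant = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object DisplayName -eq "Phishing-resistant MFA" | Select-Object -First 1
if (-not $phishingResistant) { throw "Built-in phishing-resistant strength not found; check Get-MgPolicyAuthenticationStrengthPolicy" }

# 3. Target the admin role by its template ID, looked up by name rather than pasted.
$gaRole = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq "Global Administrator"

# 4. Report-only policy. Swap $fido2Only.Id for $phishingResistant.Id to accept WHfB and CBA as well (Q3).
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Admins: FIDO2 only for admin portals"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeRoles = @($gaRole.Id); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("MicrosoftAdminPortals", $azurePortalAppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; authenticationStrength = @{ id = $fido2Only.Id } }
}
"Created policy $($policy.Id) in report-only mode"

# 5. Preflight: any Global Administrator without a registered FIDO2 key is locked out the moment this is enforced.
$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$($gaRole.Id)'"
if ($role) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        if ($member.Id -eq $breakGlassId) { continue }
        # Groups or service principals in the role have no FIDO2 methods; the lookup fails quietly for them.
        $keys = @(Get-MgUserAuthenticationFido2Method -UserId $member.Id -ErrorAction SilentlyContinue)
        if ($keys.Count -eq 0) { Write-Warning "$($member.Id) holds Global Administrator but has no FIDO2 key registered" }
    }
}
```

The preflight loop is the part most worth keeping: the policy itself is a few lines, but an authentication strength that nobody in the targeted role can satisfy is a self-inflicted lockout, and report-only mode plus the excluded break-glass account are what let you find that out safely.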
Q5 (medium)

An organization wants to enable users to reset their own passwords using the Microsoft Authenticator app and to prevent reuse of the last five passwords. Which Microsoft Entra ID features should be configured?

A

Microsoft Entra ID Protection and SSPR

B

Self-Service Password Reset (SSPR) and Password Protection

SSPR enables self-service resets; Password Protection enforces password reuse restrictions and custom ban lists.

C

Conditional Access and SSPR

D

Identity Governance and SSPR

Why: Self-Service Password Reset is the feature that lets users reset their own password, and it supports Microsoft Authenticator (app notification or app code) as a verification method; enable SSPR for the users in scope, set the number of methods required, and make sure those users have Authenticator registered. Of the features listed, Password Protection is the one that constrains which passwords are accepted, so option B is the intended pairing. Be precise about what it does, though: Password Protection enforces the global banned-password list and a custom banned list, in the cloud and (with the proxy service and DC agent) in on-premises AD; it does not keep a per-user history. A "last five passwords" rule is an on-premises AD password policy (Enforce password history), and for hybrid users with password writeback the domain controller applies it when SSPR writes the new password back. Cloud-only Microsoft Entra ID offers no admin-configurable password-history depth. Identity Protection (A) handles risk detection, Conditional Access (C) controls access to resources, and Identity Governance (D) covers entitlement management and access reviews; none of them sets password rules.
Q6 (easy)

A company wants to ensure that all new users register for multi-factor authentication (MFA) within 14 days of account creation. Which Microsoft Entra ID feature should be used?

A

MFA registration campaign

MFA registration campaign allows admins to require users to register for MFA within a set timeframe.

B

Conditional Access policy

C

Identity Protection

D

Access Reviews

Why: The registration campaign (Microsoft Entra admin center > Authentication methods > Registration campaign) is the feature built for this. You scope it to users or groups, and when a scoped user completes MFA with a method other than Microsoft Authenticator (SMS, voice, TOTP) they are interrupted with a prompt to set up the app. The "days allowed to snooze" setting (0 to 14) is the length of each snooze; with a limited number of snoozes (three) the user must finish setup once those are used, which is what gives the campaign a deadline, so pick the snooze length to fit a 14-day window rather than setting it to 14 days. Two caveats: the campaign nudges users who already have an MFA method, so a Conditional Access policy requiring MFA (or security defaults) is still what sends a brand-new user through first registration, and the Microsoft Authenticator method must be enabled in the Authentication methods policy for the campaign to apply. Identity Protection's own MFA registration policy also offers a 14-day skip window, but it needs a P2 licence, which the question does not mention, and it accepts any registered method. A plain Conditional Access policy has no registration deadline of its own, and Access Reviews recertify group and role membership.
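The campaign settings the explanation describes, as an added Microsoft Graph PowerShell example (not from the page or from Microsoft's documentation). It assumes the placeholder group ID for excluded accounts is replaced and that the authenticationMethodsRegistrationCampaign schema (state, snoozeDurationInDays, enforceRegistrationAfterAllowedSnoozes, include and exclude targets) is as shown; check the tenant's current value with the read-back at the end before and after the change.

```powershell
# Added example: enable the Microsoft Authenticator registration campaign for all users with a
# bounded snooze allowance, confirm the method is enabled, and read back what the tenant stores.
# Requires Microsoft.Graph (Identity.SignIns submodule).
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$excludedGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: group holding break-glass and service accounts

# Each snooze postpones the prompt by snoozeDurationInDays (0-14). With enforceRegistrationAfterAllowedSnoozes
# the user gets three snoozes and then must register, so 4 days keeps the longest deferral (3 x 4) under two weeks.
$body = @{
    registrationEnforcement = @{
        authenticationMethodsRegistrationCampaign = @{
            state                                  = "enabled"
            snoozeDurationInDays                   = 4
            enforceRegistrationAfterAllowedSnoozes = $true
            includeTargets = @(
                @{ id = "all_users"; targetType = "group"; targetedAuthenticationMethod = "microsoftAuthenticator" }
            )
            excludeTargets = @(
                @{ id = $excludedGroupId; targetType = "group" }
            )
        }
    }
}
Update-MgPolicyAuthenticationMethodPolicy -BodyParameter $body

# The campaign only fires for users who are allowed to register Authenticator, so check the method itself.
$authenticator = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "MicrosoftAuthenticator"
if ($authenticator.State -ne "enabled") {
    Write-Warning "Microsoft Authenticator is disabled in the Authentication methods policy; the campaign will not apply"
}

# Read back the effective campaign settings.
(Get-MgPolicyAuthenticationMethodPolicy).RegistrationEnforcement.AuthenticationMethodsRegistrationCampaign |
    Select-Object State, SnoozeDurationInDays, EnforceRegistrationAfterAllowedSnoozes
```

The exclusion group matters more than it looks: the prompt is an interactive interrupt, and an automation or shared mailbox account that cannot complete it will fail its sign-in once the snoozes run out.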

Want more Implement and manage identity and access in Microsoft Entra ID practice?

Practice this domain

Frequently asked questions

How many questions are on the MS-102 exam?

The MS-102 exam has 50 questions and must be completed in 120 minutes. The passing score is 700/1000.

What types of questions appear on the MS-102 exam?

Microsoft 365 administration scenario questions covering tenant management, compliance, security, messaging, and collaboration services.

How are MS-102 questions organised by domain?

The exam covers 6 domains: Deploy and manage a Microsoft 365 tenant, Implement and manage Microsoft Entra identity and access, Manage security and threats by using Microsoft Defender XDR, Manage compliance by using Microsoft Purview, Manage users, groups, licensing, and support, Implement and manage identity and access in Microsoft Entra ID. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual MS-102 exam questions?

No. These are original exam-style practice questions written against the official Microsoft MS-102 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.

Ready to practice all 60 MS-102 questions?

Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.

Browse all MS-102 questionsTake a timed practice test