MS-102 Flashcards — Free Microsoft 365 Administrator MS-102 Study Cards

Add the domain in the Microsoft 365 admin center

The correct first step is to add the custom domain in the Microsoft 365 admin center. After adding the domain, you must verify ownership by adding a TXT record in your DNS hosting provider. Only after verification can you configure other DNS records and set the domain as the primary email domain.

Conditional Access policy with MFA grant and a registration campaign

Conditional Access policies can include a registration campaign for combined security info registration, allowing users to preregister MFA methods before the policy requiring MFA is enforced. This provides a smooth user experience. Security defaults enforce MFA immediately without a pre-registration period. Per-user MFA requires enabling MFA per user and does not include a registration campaign. Identity Protection user risk policy triggers MFA based on risk, not a blanket requirement.

Microsoft 365 Defender portal

Microsoft 365 Defender portal (also known as the Microsoft Defender XDR portal) provides a unified experience for managing security across Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. It correlates alerts into incidents and enables cross-domain investigation. Microsoft Sentinel is a SIEM for broader security data, Microsoft Defender for Cloud is for cloud infrastructure, and the Microsoft 365 compliance center focuses on compliance and data governance.

Auto-apply retention labels based on sensitive information types

Retention labels can be auto-applied to emails based on sensitive information types (e.g., credit card numbers, social security numbers) using an auto-labeling policy. When the label is applied, the retention period of 10 years starts. After 10 years, the label's action (delete) is executed. Retention policies apply to all content in a location and cannot be scoped to specific sensitive content. Data classification discovers but does not enforce retention. eDiscovery is for search and hold, not lifecycle.

The MX record for the domain is missing or points to an incorrect mail server.

After adding a custom domain to Microsoft 365, you must update the DNS records for email delivery. Even though the domain is verified and active, the MX record must point to Exchange Online (contoso-com.mail.protection.outlook.com) for email to flow correctly. Without the correct MX record, external senders cannot deliver mail.

Configure group-based licensing using Microsoft Entra dynamic groups with rules based on the department attribute.

Group-based licensing with dynamic groups allows automatic assignment of licenses based on user attributes like department. You create dynamic groups with membership rules (e.g., user.department -eq "Sales") and assign the appropriate license plan to each group. Licenses will be automatically assigned to new users and removed when the attribute changes.

Group-based licensing with dynamic groups

Group-based licensing with Azure AD dynamic groups allows automatic assignment of licenses based on user attributes like department. The administrator can create a dynamic group that includes users with a specific department value, then assign the license to that group. PowerShell scripts or manual assignment are not fully automated or scalable for this purpose.

TXT record

To verify ownership of a custom domain in Microsoft 365, you need to add a TXT record provided by the Microsoft 365 admin center to your DNS hosting provider. This TXT record contains a unique verification string.

Split domain

A split domain configuration allows the MX record to point to Exchange Online, which then routes mail to the appropriate mailbox based on the recipient's location (cloud or on-premises). This enables a phased migration while maintaining mail flow. Coexistence is a general concept but not a specific domain type; shared domain is not a standard term; forwarding domain does not exist as a domain type.

Add 'sales.contoso.com' as a custom domain and verify ownership by adding a DNS TXT record.

Each subdomain must be added and verified separately in Microsoft 365 if it will be used for services like Exchange or SharePoint. Verification proves ownership and enables DNS routing.

Disable trust for MFA from the external tenant in the cross-tenant access settings

In Microsoft Entra cross-tenant access settings, you can configure which claims (MFA, device compliance, etc.) you trust from external tenants. By default, B2B collaboration trusts MFA claims from the home tenant. To require the resource tenant's MFA, you must disable trust for MFA from the external tenant. Then, if Conditional Access policy requires MFA, the guest user will be prompted for MFA by Contoso.

Create a computer account named AZUREADSSOACC in each AD forest

Seamless SSO requires creating a computer account named AZUREADSSOACC in each on-premises Active Directory forest. This account represents the cloud authentication service. No additional servers or connection points are needed.

Create a Conditional Access policy set to block access when sign-in risk is high

Conditional Access policies can use 'Sign-in risk' as a condition. By setting the sign-in risk level to 'High' and the access control to 'Block access', the policy will block sign-ins matching that risk. Grant controls like 'Require MFA' would be used for lower risk levels but not block. Session controls are for controlling sessions after access. The policy must be scoped to the specific cloud app. Therefore, the correct approach is a Conditional Access policy that blocks access when sign-in risk is high.

Create a Conditional Access policy that targets the application, requires MFA, and excludes the service account group

Conditional Access policies allow you to target specific applications and user groups, and exclude groups from the policy. This is the most flexible and recommended method. Per-user MFA is legacy and less manageable; Security Defaults enforces MFA for all without exclusion; Identity Protection risk policies focus on risk rather than access control.

Pass-Through Authentication (PTA) with Seamless SSO

Pass-Through Authentication (PTA) validates passwords against on-premises Active Directory without storing password hashes in Azure AD. Combined with Seamless SSO, it provides the required SSO experience. Password Hash Sync stores hashes in the cloud. Federation requires additional infrastructure.

Ensure Microsoft Entra Connect is configured to synchronize the disabled status; this happens automatically.

By default, Microsoft Entra Connect synchronizes the accountEnabled attribute from on-premises Active Directory. When an on-premises user is disabled, the attribute is set to false in the cloud, which blocks sign-ins. No additional configuration is needed beyond ensuring the synchronization is correctly configured. Dynamic groups or PowerShell scripts are unnecessary because the sync handles this automatically.

In the admin center, go to Settings > Domains, select the custom domain, and click 'Set as default'.

In the Microsoft 365 admin center, under Settings > Domains, you can set a custom domain as the default. This ensures that when new users are created, they are assigned the custom domain as their primary email domain. Changing the MX record or using PowerShell aliases does not change the default domain for new users.

Enable password writeback

Password writeback must be enabled in Azure AD Connect to write password changes back to on-premises Active Directory. Enabling SSPR in Azure AD is necessary but without writeback, only cloud passwords can be reset. Federation Services or Application Proxy are not required for this scenario.

Set the 'Number of methods required to reset' to 2 in the SSPR authentication methods settings.

SSPR authentication methods are configured in the Microsoft Entra admin center under Password reset > Authentication methods. The administrator sets the 'Number of methods required to reset' to 2. This forces users to register two methods (e.g., phone and email) during registration.

MX record pointing to contoso-com.mail.protection.outlook.com

To route email to Exchange Online, an MX record must be created pointing to the tenant's mail exchanger (e.g., contoso-com.mail.protection.outlook.com). The CNAME for Autodiscover, SPF TXT record, and SRV record are supplementary but not the primary record for mail routing.

Role settings for Security Administrator

Role settings in PIM control activation requirements, including approval, justification, and maximum activation duration. Role assignments define who is eligible. Access reviews are for periodic reviews. Alerts notify of suspicious activities. Therefore, the administrator should modify the role settings for Security Administrator.

Sign-in risk policy

Sign-in risk policy can block sign-ins based on risk levels. Known malicious IP addresses are detected as sign-in risk events (e.g., sign-ins from anonymous IP addresses or known malicious IPs). User risk policy deals with user account compromise.