Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← Deploy and manage a Microsoft 365 tenant practice sets

MS-102 Deploy and manage a Microsoft 365 tenant • Complete Question Bank

MS-102 Deploy and manage a Microsoft 365 tenant — All Questions With Answers

Complete MS-102 Deploy and manage a Microsoft 365 tenant question bank — all 0 questions with answers and detailed explanations.

248
Questions
Free
No signup
Certifications/MS-102/Practice Test/Deploy and manage a Microsoft 365 tenant/All Questions
Question 1easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An administrator is onboarding a new custom domain for email in a Microsoft 365 tenant. Which step should be performed first?

Question 2easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A company wants to prevent their Microsoft 365 tenant from allowing external users to be invited by default. Only specific administrators should be able to invite guests. Which setting should be changed?

Question 3mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A company is planning to migrate from on-premises Exchange to Exchange Online and needs to ensure that mail flow can coexist between the two environments during the transition. Which tool should the administrator use to configure this hybrid deployment?

Question 4mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A company wants to allow users to log in to Microsoft 365 using their existing on-premises Active Directory credentials and ensure that password changes are reflected immediately in the cloud. Which authentication method should be implemented?

Question 5easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A newly hired administrator needs to manage user accounts, licenses, and reset passwords. Which portal should they access?

Question 6easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An organization wants to authenticate users using their on-premises Active Directory without synchronizing passwords to Microsoft Entra ID. Which identity model should they choose?

Question 7easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An administrator has created a new user account in Microsoft Entra ID. To ensure the user has a mailbox in Exchange Online, what is the next step?

Question 8mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An organization has registered the domain contoso.com and added it to their Microsoft 365 tenant. What is the next step to use this domain for user email addresses?

Question 9easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A company has recently signed up for Microsoft 365 Business Premium. They want to change the default domain from onmicrosoft.com to a custom domain they own. Which step must be completed first before the custom domain can be used for user email addresses?

Question 10easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An administrator is managing a Microsoft 365 tenant and needs to delegate the ability to reset user passwords to a group of helpdesk staff. The helpdesk staff should not have any other administrative privileges. Which built-in role should the administrator assign?

Question 11easymultiple choice
Read the full DNS explanation →

An organization has just purchased Microsoft 365 subscriptions and wants to add their custom domain 'fabrikam.com' to the tenant. Which record must they add to their DNS provider to verify domain ownership?

Question 12easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An administrator needs to delegate the ability to manage user licenses and assign roles to a junior admin, but without granting them access to the Microsoft 365 admin center's other settings. Which role should the junior admin be assigned?

Question 13easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A company plans to migrate their email from an on-premises Exchange server to Exchange Online. They want to ensure that during the migration, mail sent to users who have already been migrated is delivered to Exchange Online, while mail for non-migrated users is delivered to on-premises. Which type of domain configuration should they use?

Question 14easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A new helpdesk administrator needs to be able to reset user passwords and manage user account properties, but should not be able to manage licenses or assign administrative roles. Which built-in role should be assigned?

Question 15easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An organization has just purchased Microsoft 365 Business Standard licenses. The administrator adds a new user through the admin center. By default, does the new user receive a welcome email with sign-in instructions?

Question 16easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A company has purchased Microsoft 365 Business Standard and added the custom domain 'fabrikam.com' to the tenant. The company wants all new users to have 'fabrikam.com' as their default email domain instead of the onmicrosoft.com domain. How should the administrator achieve this?

Question 17easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An organization has just purchased Microsoft 365 Business Standard licenses and has added the custom domain 'contoso.com' to the tenant. The administrator wants all new user email addresses to use '@contoso.com' instead of the default '@contoso.onmicrosoft.com'. How can this be achieved?

Question 18mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An administrator needs to delegate the ability to manage user licenses, assign admin roles, and reset passwords to a group of users, but these users should not be able to modify tenant-level settings or billing. Which built-in role should be assigned?

Question 19easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A company has purchased Microsoft 365 Business Premium and added a custom domain 'contoso.com' to the tenant. They want all new users to have email addresses like user@contoso.com instead of the default onmicrosoft.com domain. What should the administrator do in the Microsoft 365 admin center?

Question 20easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An organization has just signed up for Microsoft 365 E3 with the initial domain 'contoso.onmicrosoft.com'. They need to create the first user accounts. What will be the default email address format for these new users if no custom domain is added yet?

Question 21easymultiple choice
Read the full DNS explanation →

A company has just purchased Microsoft 365 Business Standard and added the custom domain 'fabrikam.com' to the tenant. They want to verify domain ownership. Which DNS record type must they add to their DNS provider?

Question 22mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A company wants to display a custom help desk phone number and email on the Microsoft 365 sign-in page so that users can contact support easily. Which area of the Microsoft 365 admin center should the administrator use to configure this?

Question 23easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An administrator wants to add custom branding to the Microsoft 365 sign-in page, including company logo and colors. Which section of the Microsoft 365 admin center should they navigate to?

Question 24easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A company purchases Microsoft 365 E5 licenses for 500 users. The administrator wants to automatically assign licenses to new users based on their group membership. Which method should the administrator use?

Question 25mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A company adds and verifies the custom domain 'contoso.com' in their Microsoft 365 tenant. However, emails sent to new users at user@contoso.com bounce back. The existing MX record for contoso.com points to the on-premises mail server. What is the most likely cause of the bounce?

Question 26mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An administrator needs to delegate the ability to view service health and manage service requests to a helpdesk team, without granting permissions to reset passwords, manage users, or access billing. Which built-in Microsoft 365 admin role should be assigned?

Question 27easymulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An administrator needs to open a Microsoft 365 support request because a critical service issue is affecting all users. Which two pieces of information should the administrator have readily available before contacting support? (Choose two.)

Question 28easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A company has just signed up for Microsoft 365 Business Standard without adding a custom domain. An administrator needs to create the first user accounts. What will be the default email address format for these new users?

Question 29easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

After adding a custom domain name to a Microsoft 365 tenant, what is the first step the administrator must complete before users can sign in using the custom domain?

Question 30mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An administrator needs to delegate the ability to view sign-in logs, audit logs, and security recommendations to a junior admin without granting any other administrative permissions. The junior admin should not be able to reset passwords or modify settings. Which built-in Microsoft Entra role should the administrator assign?

Question 31easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An administrator wants to customize the Microsoft 365 sign-in page to display the company logo and custom sign-in text. Where in the Microsoft 365 admin center should the administrator go to configure this?

Question 32mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A company wants to ensure that all new users created in Microsoft 365 are automatically assigned a specific set of licenses based on their department. The company has 200 users across Sales, Marketing, and IT departments. Each department uses different Microsoft 365 license plans. Which approach should the administrator use?

Question 33easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A company wants to migrate from on-premises Exchange to Exchange Online. They need to synchronize user mailboxes. Which tool should they use?

Question 34easymultiple choice
Read the full DNS explanation →

An administrator adds the custom domain 'contoso.com' to a new Microsoft 365 tenant and needs to verify domain ownership. Which type of DNS record must be added to the public DNS zone to complete verification?

Question 35mediummulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An administrator needs to open a Microsoft 365 support request because all users are experiencing intermittent service outages for Exchange Online. Before contacting support, which two pieces of information should the administrator have ready to ensure efficient troubleshooting? (Choose two.)

Question 36easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A company recently added the custom domain 'contoso.com' to their Microsoft 365 tenant. Users report that they cannot receive external email sent to their new domain addresses. The administrator confirmed that the domain status shows 'Active' in the Microsoft 365 admin center. What is the most likely cause of this issue?

Question 37mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A company with 200 on-premises Exchange mailboxes plans to migrate to Exchange Online. They want to use a Microsoft-provided tool that supports granular control over mailbox migrations, allows batch migrations, and provides detailed reporting. Which migration method should the administrator choose?

Question 38hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A company has 500 users across Sales, Marketing, and IT departments. User objects are synced from on-premises Active Directory to Microsoft Entra ID using Azure AD Connect. Each department requires different Microsoft 365 license plans (e.g., Sales needs E3, Marketing needs Business Premium, IT needs E5). The administrator wants to automatically assign the appropriate license based on the department attribute without manual intervention. Which approach should the administrator use?

Question 39easymultiple choice
Read the full DNS explanation →

An administrator adds the custom domain 'fabrikam.com' to a new Microsoft 365 tenant. After adding the domain, the status shows 'Pending verification'. Which type of DNS record must be added to the public DNS zone to complete domain ownership verification?

Question 40mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An administrator wants to prevent users from inviting guest users from the domain 'contoso.com' to the tenant. The administrator needs to block all invitations for that specific domain while allowing invitations from all other external domains. Which setting in Microsoft Entra ID should be configured?

Question 41easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A new employee has been hired and their account already exists in the on-premises Active Directory. The administrator needs to provide the employee with access to Microsoft 365 services as quickly as possible. What is the most efficient way to enable the user?

Question 42easymultiple choice
Read the full DNS explanation →

An administrator is setting up a new Microsoft 365 tenant and has added the custom domain 'contoso.com'. The domain status shows 'Pending verification'. Which type of DNS record must the administrator add to the public DNS zone to complete domain ownership verification?

Question 43easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A company has purchased 1000 Microsoft 365 E5 licenses and wants to automatically assign licenses to users based on their department attribute, which is synchronized from on-premises Active Directory. The department attribute is stored in Azure AD. Which automated method should the administrator use to achieve this?

Question 44easymultiple choice
Read the full DNS explanation →

An administrator adds the custom domain 'adatum.com' to a new Microsoft 365 tenant. In the Microsoft 365 admin center, the domain status shows 'Pending verification'. Which type of DNS record must the administrator add to the public DNS zone to complete the domain ownership verification?

Question 45easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A company recently acquired another company and needs to allow users from the acquired tenant to access its SharePoint Online sites as guest users, but only if those users already have accounts in the acquired Azure AD tenant. Which Microsoft 365 feature should be configured?

Question 46easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An administrator needs to configure email notifications for Exchange Online service health incidents to be sent to a specific IT support mailbox. Where should the administrator configure these notifications in the Microsoft 365 admin center?

Question 47easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An administrator wants to configure the company's organization profile in Microsoft 365, including the display name, technical contact, and privacy settings. Where should the administrator go in the Microsoft 365 admin center?

Question 48easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A user account was accidentally deleted 10 days ago. The administrator needs to restore the user's mailbox and OneDrive for Business content. Which method should the administrator use?

Question 49easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A company has registered the custom domain 'contoso.com' and wants to host email for the subdomain 'sales.contoso.com' in Exchange Online. They have already verified the root domain. What additional step is required?

Question 50easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An administrator needs to update the organization's display name, technical contact, and privacy statement URL in the Microsoft 365 admin center. Which page should they navigate to?

Question 51mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An organization uses a third-party SaaS application that supports SAML-based single sign-on. The application is not in the Azure AD gallery. What is the first step to configure SSO?

Question 52mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An administrator has configured group-based licensing in Azure AD. After adding users to the group, some users do not receive licenses. The users are in the group and have an assigned usage location. What is a possible reason?

Question 53easymultiple choice
Read the full DNS explanation →

An administrator has added a custom domain 'contoso.com' to their Microsoft 365 tenant and verified ownership. However, users are unable to receive emails sent to their custom domain. Which type of DNS record must the administrator add in the public DNS zone to route emails to Exchange Online?

Question 54easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A company has just purchased Microsoft 365 E3 licenses. They want to configure the default mailbox storage limit for all new users. Which setting should they modify?

Question 55mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A company needs to migrate several shared mailboxes from on-premises Exchange 2016 to Exchange Online. The company plans to keep some user mailboxes on-premises for now. Which migration strategy should they use for the shared mailboxes?

Question 56easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An administrator wants to add a second custom domain, 'contoso-europe.com', to their existing Microsoft 365 tenant. The domain 'contoso.com' is already verified. What is the first step the administrator should take?

Question 57easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A company has an existing Microsoft 365 tenant with the verified custom domain 'contoso.com'. The administrator now wants to add a second custom domain, 'contoso-europe.com', to the same tenant. What is the first step the administrator should take?

Question 58mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An administrator wants to receive real-time notifications for service incidents in Microsoft 365. The notifications must be sent to a Microsoft Teams channel instead of email. Which configuration should the administrator set up?

Question 59easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An administrator wants to add a custom domain 'fabrikam.com' to a new Microsoft 365 tenant. What is the first step the administrator should perform?

Question 60easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An administrator needs to configure the default anti-spam policy for all users in the Microsoft 365 Defender portal. Where should the administrator navigate to find these settings?

Question 61easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An administrator wants to restrict which users in the organization can create Microsoft 365 groups. The requirement is that only members of the IT department (identified by the department attribute in Azure AD) should be able to create groups. Which configuration should the administrator use?

Question 62mediummultiple choice
Read the full DNS explanation →

An administrator has added the custom domain 'contoso.co.uk' to their Microsoft 365 tenant and verified ownership. Users now need to receive email at @contoso.co.uk. Which DNS record must the administrator add in the public DNS zone to route emails to Exchange Online?

Question 63easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A global administrator wants to track service health issues and configure notifications for service incidents. Which portal should they use to view the current health status and set up email notifications?

Question 64mediummultiple choice
Read the full DNS explanation →

A company has a Microsoft 365 tenant with the domain contoso.com. They acquire a subsidiary with the domain fabrikam.com and want to add it as an additional domain to the same tenant. The domain is already purchased and DNS management is available. What is the first step the administrator should take in the Microsoft 365 admin center?

Question 65easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A new administrator needs to automatically assign Microsoft 365 E5 licenses to all users in the Sales department. The Sales department is identified by the 'department' attribute in Azure AD. Which licensing method should the administrator use to minimize manual effort?

Question 66easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An organization wants to receive email notifications for all service health incidents. Which role must an administrator have to configure service health notifications in the Microsoft 365 admin center?

Question 67easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A newly hired Microsoft 365 administrator needs to receive email notifications for all service health incidents. The administrator wants to ensure they have the necessary permissions to configure these notifications. Which role is the minimum role required to manage service health notifications in the Microsoft 365 admin center?

Question 68easymultiple choice
Read the full DNS explanation →

An administrator has added the custom domain 'fabrikam.com' to their Microsoft 365 tenant and is now ready to verify ownership. Which type of DNS record should the administrator create in the public DNS zone to complete the verification?

Question 69easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An administrator wants to add a custom domain 'contoso.com' to a new Microsoft 365 tenant. The domain is already registered and available. What is the first step the administrator should perform in the Microsoft 365 admin center?

Question 70mediummultiple choice
Read the full DNS explanation →

A company has a Microsoft 365 tenant with domain contoso.com. They own an additional domain fabrikam.com and have already added and verified it with a TXT record. Now they need to configure email to be routed to Exchange Online for fabrikam.com. Which DNS record must they create?

Question 71easymultiple choice
Read the full DNS explanation →

An administrator needs to add a custom domain 'contoso.org' to their Microsoft 365 tenant. They have already purchased the domain and have access to the DNS registrar. What is the first step the administrator should perform in the Microsoft 365 admin center?

Question 72mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An organization plans to automatically assign Microsoft 365 E3 licenses to all users in the 'Finance' department. The Finance department is identified by the 'Department' attribute in Azure AD. Which method should the administrator use to minimize manual effort?

Question 73mediummultiple choice
Review the full routing breakdown →

An administrator recently added a custom domain 'tailspintoys.com' to their Microsoft 365 tenant and verified it. They now need to configure the domain so that all recipient email addresses for 'info@tailspintoys.com' are delivered to a shared mailbox in Exchange Online. The domain is currently set as internal relay. What should the administrator do first to route email for this domain to Exchange Online?

Question 74easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An administrator is planning to migrate from on-premises Exchange to Exchange Online. The current on-premises environment is Exchange 2016. The company has a hybrid deployment with Azure AD Connect. They want to use the cutover migration method. What is a prerequisite for starting a cutover migration?

Question 75easymultiple choice
Read the full DNS explanation →

An administrator wants to verify ownership of a custom domain 'adatum.com' in their Microsoft 365 tenant. They have already added the domain and received the TXT record value. However, the administrator's DNS hosting provider does not support adding a TXT record. Which alternative record type can be used for domain verification?

Question 76mediummulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You are planning the initial deployment of a new Microsoft 365 tenant for Contoso Ltd. Which three of the following actions are required or recommended as part of the tenant provisioning and initial configuration process? (Choose three.)

Question 77mediummulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

As a Microsoft 365 administrator, you need to manage tenant health and adoption effectively. Which three of the following tools or features should you use to monitor and improve your Microsoft 365 tenant's performance and user engagement? (Choose three.)

Question 78mediummulti select
Read the full NAT/PAT explanation →

You are a Microsoft 365 Administrator for a multinational organization that is deploying a new Microsoft 365 tenant. The organization has strict compliance and security requirements. Which four of the following actions should you take to properly deploy and manage the tenant? Choose all that apply. (There are four correct answers.)

Question 79mediumdrag order
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Drag and drop the steps to deploy Microsoft Defender for Office 365 policies in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 80mediumdrag order
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Drag and drop the steps to configure role-based access control (RBAC) in Microsoft 365 Defender in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 81mediummatching
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Match each Microsoft 365 plan to its included services.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Web and mobile apps only

Desktop apps plus web and mobile

Business Standard plus security features

Full enterprise features without advanced security

E3 plus advanced security and analytics

Question 82mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization plans to migrate from on-premises Exchange to Exchange Online. You need to ensure minimal disruption during the migration. Which approach should you recommend?

Question 83hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your company recently deployed Microsoft 365 Copilot. Users report that Copilot occasionally generates responses based on sensitive internal documents that should not be shared broadly. What should you configure to restrict Copilot's access?

Question 84easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A user reports they cannot access Microsoft Teams. They see a message: 'Your account is not enabled for Teams.' You verify the user has a valid Microsoft 365 E3 license assigned. What is the most likely cause?

Question 85mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization uses Microsoft Entra ID. You want to enforce Multi-Factor Authentication (MFA) for all users. You have already configured Conditional Access policies. However, some users are still able to sign in without MFA. What should you check first?

Question 86hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your company is deploying Microsoft Defender for Office 365. The security team wants to automatically remove messages identified as malware from all mailboxes after delivery. What should you configure?

Question 87mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You need to ensure that guest users who are invited to your Microsoft Entra ID tenant can access resources without needing to accept an invitation. What should you configure?

Question 88easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization wants to use Microsoft Intune to manage devices. You need to ensure that only corporate-owned devices can enroll. What configuration should you use?

Question 89mediummultiple choice
Read the full DNS explanation →

Your company has a Microsoft 365 tenant with a custom domain (contoso.com). You need to verify domain ownership before enabling email routing. Which DNS record type should you add?

Question 90hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization uses Microsoft Purview Information Protection. You need to ensure that when a user applies a sensitivity label to a document in SharePoint, the label is automatically applied to the document when it is downloaded. What should you configure?

Question 91mediummulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Which TWO actions are required to enable Microsoft 365 Copilot for your organization?

Question 92hardmulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Which THREE settings must be configured to set up a hybrid identity deployment using password hash synchronization?

Question 93easymulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Which TWO tools can be used to manage Microsoft 365 tenant settings and configurations?

Question 94mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization plans to use Microsoft 365 Copilot. To ensure compliance, you need to prevent Copilot from accessing sensitive content in SharePoint Online document libraries that are labeled as 'Highly Confidential'. What should you configure?

Question 95hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization uses Microsoft 365 E5 licenses. You need to implement a secure score improvement plan. After reviewing the Secure Score, you notice a recommendation to 'Enable sign-in risk policy' in Microsoft Entra ID. However, you want to ensure that users who sign in from trusted locations are not challenged. What should you configure?

Question 96easymultiple choice
Read the full DNS explanation →

You are deploying a new Microsoft 365 tenant for a company that has a single domain, contoso.com. You need to verify domain ownership to enable email routing. Which DNS record type must you add to the public DNS zone?

Question 97mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization's Microsoft Intune environment enforces device compliance policies for iOS devices. You need to ensure that only devices with a passcode that is at least 6 characters and have jailbreak detection enabled are considered compliant. What should you configure?

Question 98hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your company recently merged with another company that uses Microsoft 365. Both tenants have the same primary domain, contoso.com. You need to merge the two tenants into a single tenant while preserving user email addresses. What should you do?

Question 99easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You are configuring Microsoft Purview for your organization. You need to ensure that all external emails are automatically tagged with an 'External' label in the subject line. Which feature should you configure?

Question 100mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization uses Microsoft Defender for Office 365. You need to configure a policy that automatically redirects emails containing malicious attachments to a quarantine folder for admin review. What type of policy should you create?

Question 101hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization uses Microsoft 365 and has enabled Microsoft Entra ID P2 licenses. You need to configure automatic user provisioning for a third-party SaaS application that supports SCIM 2.0. What should you do first in the Microsoft Entra admin center?

Question 102easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization is migrating from on-premises Exchange to Exchange Online. You need to ensure that users can access their mailboxes during the migration with minimal interruption. Which migration method should you use?

Question 103mediummulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization uses Microsoft 365 E5 licenses. You need to implement a solution to protect against ransomware attacks. Which TWO features should you configure?

Question 104hardmulti select
Read the full NAT/PAT explanation →

You are designing a Microsoft 365 tenant for a multinational organization. You need to ensure compliance with data residency requirements. Which THREE actions should you take?

Question 105easymulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization needs to manage guest access to Microsoft Teams. Which TWO methods can you use to control guest access?

Question 106mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization is deploying Microsoft 365 and needs to ensure that all new users are automatically assigned a Microsoft 365 Business Basic license. You want to use a group-based licensing strategy with an Azure AD security group. What should you do first?

Question 107easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You are a Microsoft 365 administrator. Users report that they cannot access Microsoft Teams. You check the Microsoft 365 admin center and see that the service health for Microsoft Teams shows a 'Service degradation' incident. What is the most appropriate initial action?

Question 108hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your company is migrating from on-premises Exchange to Exchange Online. You have configured a hybrid deployment. During testing, you notice that free/busy information is not being shared between on-premises and cloud users. All other hybrid features work. What is the most likely cause?

Question 109mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You need to ensure that all users in your Microsoft 365 tenant are automatically enrolled in Microsoft Intune when they sign up for Microsoft 365. You want to use the default enrollment policy. What should you do?

Question 110hardmultiple choice
Read the full NAT/PAT explanation →

Your organization uses Microsoft Defender for Office 365. You have configured a safe attachment policy that should automatically detonate attachments in a sandbox before delivery. However, some users still receive malicious attachments. What should you check first?

Question 111mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You are a Microsoft 365 administrator. You need to allow external users to access a SharePoint Online site without requiring them to sign in. Which sharing setting should you enable?

Question 112easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your company is using Microsoft 365 Business Premium. You want to ensure that all company-owned Windows 10 devices are automatically upgraded to Windows 11 when it becomes available through Windows Update. What should you configure?

Question 113hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization has a Microsoft 365 E5 tenant. You want to ensure that all users are automatically signed in to Microsoft 365 apps using single sign-on (SSO) when they are on the corporate network. You have Azure AD joined the devices. What additional configuration is required?

Question 114mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You are a Microsoft 365 administrator. A user reports that they cannot send emails to a specific external domain. You check the Exchange Admin Center and see that the domain is not blocked. What should you check next?

Question 115mediummulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Which TWO actions are required to enable Microsoft 365 Copilot for all users in your tenant?

Question 116hardmulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Which THREE conditions must be met for a tenant-to-tenant migration of SharePoint Online content?

Question 117easymulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Which TWO are valid methods for adding custom domains to Microsoft 365?

Question 118hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You are reviewing a conditional access policy in Microsoft Entra ID. The policy is intended to block legacy authentication. However, users are still able to connect using Exchange ActiveSync without modern authentication. What is the most likely reason?

Exhibit

Refer to the exhibit.

```json
{
  "displayName": "Block Legacy Auth",
  "state": "enabled",
  "conditions": {
    "applications": {
      "includeApplications": ["All"]
    },
    "users": {
      "includeUsers": ["All"]
    },
    "clientAppTypes": [
      "exchangeActiveSync",
      "otherClients"
    ]
  },
  "grantControls": {
    "builtInControls": ["block"],
    "operator": "OR"
  }
}
```
Question 119easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You run the PowerShell command shown in the exhibit for a Microsoft 365 tenant. The output shows DisplayName as 'Contoso', DefaultDomainName as 'contoso.onmicrosoft.com', and InitialDomain as 'contoso.onmicrosoft.com'. What does this indicate about the tenant?

Exhibit

Refer to the exhibit.

```
Get-MsolCompanyInformation | fl DisplayName, DefaultDomainName, InitialDomain
```
Question 120mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You are reviewing an ARM template that will be used to deploy a storage account for a Microsoft 365 migration project. The template includes 'supportsHttpsTrafficOnly': true. What is the primary benefit of this setting?

Exhibit

Refer to the exhibit.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2021-02-01",
      "name": "[parameters('storageAccountName')]",
      "location": "eastus",
      "kind": "StorageV2",
      "sku": {
        "name": "Standard_LRS"
      },
      "properties": {
        "supportsHttpsTrafficOnly": true
      }
    }
  ]
}
```
Question 121mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization uses Microsoft 365 E5 licenses for all users. You need to configure role-based access control (RBAC) so that helpdesk staff can reset passwords and manage licenses, but cannot modify user principal names (UPNs) or delete users. Which role assignment should you use?

Question 122hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your company has implemented Microsoft Entra ID tenant restrictions to prevent data exfiltration. You need to ensure that external users from a partner organization can access a SharePoint Online site without being blocked by tenant restrictions. What should you do?

Question 123easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An administrator runs the PowerShell command shown in the exhibit. What is the immediate effect on the user?

Exhibit

Refer to the exhibit.
```
$params = @{
  "blockSignIn" = $true
  "signInActivity" = @{
    "lastSuccessfulSignInDateTime" = (Get-Date).AddDays(-90)
  }
}
Update-MgUser -UserId "user@contoso.com" -BodyParameter $params
```
Question 124mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization has a Microsoft 365 tenant with 5,000 users. You need to plan for tenant migration from an on-premises Exchange environment. You have a limited maintenance window and want to minimize user impact. Which approach should you recommend?

Question 125hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You are a Microsoft 365 administrator. Users report that they cannot create Microsoft Teams meetings using the Teams desktop client. They receive an error: 'Meeting creation is disabled by your IT administrator.' You need to enable meeting creation. You check the Teams admin center and find that meeting policies are set to 'Off' for 'Allow private meeting scheduling'. However, after changing it to 'On', users still get the error. What is the most likely cause?

Question 126easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization is planning to deploy Microsoft 365 Copilot. You need to ensure that all prerequisites are met. Which of the following is a mandatory prerequisite for enabling Microsoft 365 Copilot?

Question 127hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

An administrator creates a Conditional Access policy as shown in the exhibit. A user reports that they can still access Exchange Online using Outlook (modern authentication). Why does the policy not block the user?

Exhibit

Refer to the exhibit.
```json
{
  "displayName": "Block Legacy Auth",
  "state": "enabled",
  "conditions": {
    "clientAppTypes": ["exchangeActiveSync", "otherClients"]
  },
  "grantControls": {
    "builtInControls": ["block"]
  }
}
```
Question 128mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your company uses Microsoft 365 and has recently deployed Microsoft Intune for mobile device management. You need to ensure that corporate data on iOS devices is protected by preventing users from copying data from managed apps to unmanaged apps. What should you configure?

Question 129easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization needs to create a custom domain in Microsoft 365. You have added the domain 'contoso.com' to the tenant. What is the next step to verify domain ownership?

Question 130mediummulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization is planning to migrate from on-premises Active Directory to Microsoft Entra ID using Azure AD Connect. You need to ensure that password synchronization is enabled. Which TWO components are required for password synchronization to work?

Question 131hardmulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization uses Microsoft Purview to enforce data loss prevention (DLP) policies. You need to block users from sharing credit card numbers via email. Which THREE components are required to implement this policy?

Question 132easymulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization is deploying Microsoft 365 Copilot. You need to ensure that data security is maintained. Which THREE actions should you take?

Question 133mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A Global Administrator signs in to the Microsoft 365 admin center but is not prompted for MFA. The policy in the exhibit is the only Conditional Access policy. What is the most likely reason?

Exhibit

Refer to the exhibit.
```json
{
  "displayName": "MFA for Admins",
  "state": "enabled",
  "conditions": {
    "users": {
      "includeRoles": ["Global Administrator", "Exchange Administrator"]
    },
    "applications": {
      "includeApplications": ["All"]
    }
  },
  "grantControls": {
    "builtInControls": ["mfa"]
  }
}
```
Question 134hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization has a hybrid identity setup with Azure AD Connect. You need to ensure that users can reset their passwords from the cloud and have the changes synchronized back to on-premises Active Directory. Which feature must you enable?

Question 135easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization wants to use Microsoft Defender for Office 365 to protect against malicious links and attachments in email. Which Defender plan is required?

Question 136mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization has a Microsoft 365 tenant configured with a custom domain contoso.com. Users report they cannot receive email from external senders; internal email works fine. You verify the MX record for contoso.com points to the Microsoft 365 mail exchanger. What should you check next?

Question 137easymultiple choice
Read the full NAT/PAT explanation →

Your organization is deploying Microsoft 365 for a multinational company. You need to ensure users in different regions authenticate against the nearest Microsoft Entra ID endpoint for performance. What should you configure?

Question 138hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your Microsoft 365 tenant has been configured with Microsoft Entra ID Connect synchronization from on-premises Active Directory. Users are unable to log in to Microsoft 365 services. You check the synchronization status and see that the last sync was successful. What is the most likely cause?

Question 139mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization uses Microsoft 365 Defender for Office 365. You need to ensure that phishing emails reported by users are automatically submitted for analysis in Microsoft Defender XDR. What should you configure?

Question 140easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You are planning a Microsoft 365 tenant migration from an on-premises Exchange environment. You need to minimize the impact on end users during the migration. Which migration approach should you use?

Question 141hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your Microsoft 365 tenant contains sensitive financial data that must be retained for 7 years. You configure a retention policy in Microsoft Purview compliance portal. After 7 years, the data is still accessible to users. What is the most likely reason?

Question 142mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that only compliant devices can access Microsoft 365 resources. What should you configure?

Question 143easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You are configuring Microsoft Entra ID for a new organization. You need to ensure that users can self-service reset their passwords. Which licensing is required?

Question 144hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization is implementing Microsoft Purview Data Loss Prevention (DLP) policies to protect sensitive data in Microsoft Teams. You need to ensure that DLP policies apply to both chat and channel messages. What should you configure?

Question 145mediummulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Which TWO actions are required to configure a custom domain for your Microsoft 365 tenant?

Question 146hardmulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Which THREE factors are considered when Microsoft Entra ID evaluates a conditional access policy?

Question 147easymulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Which TWO are valid methods to add users to a Microsoft 365 tenant?

Question 148mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

The exhibit shows a DLP policy configuration. A user reports that they cannot share a document containing a credit card number from OneDrive for Business. However, the document was shared successfully last week. What is the most likely reason for the change?

Exhibit

Refer to the exhibit.

```json
{
  "policy": {
    "name": "Data Loss Prevention Policy",
    "locations": [
      "ExchangeOnline",
      "SharePointOnline",
      "OneDriveForBusiness",
      "Teams"
    ],
    "rules": [
      {
        "name": "Credit Card Number Rule",
        "condition": {
          "sensitiveInformationTypes": [
            {
              "id": "Credit Card Number",
              "minCount": 1
            }
          ]
        },
        "actions": [
          {
            "type": "BlockAccess",
            "config": {
              "blockMessage": "Access blocked due to DLP policy"
            }
          }
        ]
      }
    ]
  }
}
```
Question 149hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

The exhibit shows the output of a PowerShell command for a user. The user reports that they cannot access Microsoft Teams, although they have an E3 license (ENTERPRISEPACK). What is the most likely cause?

Exhibit

Refer to the exhibit.

```powershell
Get-MsolUser -UserPrincipalName user@contoso.com | Select-Object -Property UserPrincipalName, IsLicensed, Licenses

UserPrincipalName   IsLicensed   Licenses
-----------------   ----------   -------
user@contoso.com    True         {contoso:ENTERPRISEPACK}
```
Question 150mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

The exhibit shows a KQL query used in Microsoft 365 Defender. The query returns no results for admin@contoso.com. What is the most likely reason?

Exhibit

Refer to the exhibit.

```kusto
IdentityInfo
| where UserPrincipalName == "admin@contoso.com"
| project UserPrincipalName, AssignedRoles, LastPasswordChangeDateTime
| where AssignedRoles contains "Global Administrator"
```
Question 151mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization has a Microsoft 365 tenant configured with a custom domain. You need to verify domain ownership using a TXT record. Where in the Microsoft 365 admin center would you initiate this process?

Question 152easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A company has recently acquired a smaller organization and needs to consolidate both Microsoft 365 tenants. They want to minimize user disruption and retain existing email addresses. Which approach should they use?

Question 153hardmultiple choice
Read the full NAT/PAT explanation →

You are a Microsoft 365 administrator for a multinational company. The security team reports that a large number of failed sign-in attempts are originating from unexpected IP ranges. The company uses Microsoft Entra ID for identity. What should you configure to automatically block these malicious sign-ins?

Question 154mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization uses Microsoft 365 and wants to ensure that only compliant devices can access Exchange Online. You have Microsoft Intune for device management. What should you configure?

Question 155easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A user reports that they cannot access their Microsoft 365 mailbox via Outlook on the web. Other users can access their mailboxes. What is the most likely cause?

Question 156hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your company is planning to adopt Microsoft Copilot for Microsoft 365. The security team is concerned about data leakage. What must you implement to ensure that Copilot respects your organization's sensitivity labels and data classification?

Question 157mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You need to delegate the ability to reset user passwords in Microsoft Entra ID to a helpdesk team. However, they should not be able to modify other user attributes. What role should you assign?

Question 158easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization has a Microsoft 365 E5 subscription. You want to enable Microsoft Defender for Office 365 to protect against malicious attachments in email. Which policy should you configure?

Question 159hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your company is required to retain all emails sent to and from executives for 7 years due to regulatory compliance. You need to implement this with minimal administrative overhead. What should you use?

Question 160mediummulti select
Read the full NAT/PAT explanation →

Your organization uses Microsoft 365 and wants to implement a passwordless authentication strategy. Which TWO methods are supported natively in Microsoft Entra ID for passwordless sign-in?

Question 161hardmulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your company uses Microsoft Defender for Endpoint and wants to perform a live response on a device. Which THREE prerequisites must be met?

Question 162mediummulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You need to configure Microsoft Purview Data Loss Prevention (DLP) to prevent sensitive data from being shared via email. Which THREE elements can you use to define the policy?

Question 163hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Refer to the exhibit. You are reviewing the service principal for Microsoft Graph in your tenant. The passwordCredentials array is empty. What does this indicate?

Exhibit

Refer to the exhibit.

{
  "appId": "00000003-0000-0000-c000-000000000000",
  "displayName": "Microsoft Graph",
  "passwordCredentials": []
}
Question 164mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Refer to the exhibit. An administrator runs the KQL query in Microsoft Defender for Endpoint. The result set is empty. What is the most likely reason?

Exhibit

Refer to the exhibit.

```kql
DeviceLogonEvents
| where Timestamp > ago(7d)
| where AccountName == "admin"
| project Timestamp, DeviceName, AccountName, IPAddress
| order by Timestamp desc
```
Question 165easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Refer to the exhibit. You have a Conditional Access policy configured as shown. What is the effect of this policy?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "displayName": "Block access for external users from unknown IPs",
    "conditions": {
      "applications": {
        "includeApplications": ["All"]
      },
      "users": {
        "includeUsers": ["All"]
      },
      "locations": {
        "includeLocations": ["AllTrusted"]
      }
    },
    "grantControls": {
      "builtInControls": ["block"]
    }
  }
}
```
Question 166mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization has a Microsoft 365 E5 tenant with 10,000 users. You need to ensure that when a user is detected as high-risk by Microsoft Entra ID Protection, the user is automatically blocked from accessing sensitive SharePoint sites. The solution should minimize administrative overhead. What should you do?

Question 167easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your company is deploying Microsoft 365 for a new subsidiary with 500 users. You need to configure the initial tenant with a custom domain (contoso.com) and verify ownership. What is the first step you must perform?

Question 168hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your Microsoft 365 tenant has 50,000 users. You are planning to migrate mailboxes from on-premises Exchange Server 2019 to Exchange Online using a full hybrid configuration. During the migration, you must ensure that free/busy information is synchronized between on-premises and Exchange Online. Which component is required for free/busy synchronization in a hybrid deployment?

Question 169mediummulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You are a Microsoft 365 administrator. You need to ensure that users can reset their own passwords without contacting the help desk. Which TWO components must be configured?

Question 170hardmulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization is deploying Microsoft 365 Copilot for 200 users. You need to ensure that Copilot can access user data from Microsoft Graph to provide personalized responses. Which THREE permissions must be granted?

Question 171easymulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You are configuring Microsoft 365 tenant-to-tenant migration. Which THREE tasks must be completed before migrating users?

Question 172hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Refer to the exhibit. A Conditional Access policy is created in Microsoft Entra ID. The policy targets the Office 365 app (which includes Exchange Online). You have 1000 users assigned. What is the immediate effect of this policy on users who are currently signed in?

Exhibit

Refer to the exhibit.
```json
{
  "displayName": "Block high-risk users from accessing email",
  "conditions": {
    "userRiskLevels": ["high"],
    "applications": {
      "includeApplications": ["Office365"]
    }
  },
  "grantControls": {
    "builtInControls": ["block"]
  }
}
```
Question 173easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Refer to the exhibit. You run the PowerShell command in a Microsoft 365 tenant. What does the output indicate?

Exhibit

Refer to the exhibit.
```powershell
Get-MgOrganization | Select-Object DisplayName, TechnicalNotificationMails
```
Output:
```
DisplayName     TechnicalNotificationMails
-----------     -------------------------
Contoso Ltd.    {admin@contoso.com, it@contoso.com}
```
Question 174mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Refer to the exhibit. You are reviewing a Microsoft Entra ID Governance access review. The JSON shows an access review scope for a SharePoint site. What does the 'isExternallyAccessible': false setting indicate about the site?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "displayName": "SharePoint sensitive data protection",
    "description": "Blocks external sharing for sites with sensitive labels",
    "isExternallyAccessible": false,
    "sharepointIds": {
      "siteId": "contoso.sharepoint.com,00000000-0000-0000-0000-000000000000,11111111-1111-1111-1111-111111111111"
    }
  }
}
```
Question 175mediummultiple choice
Read the full NAT/PAT explanation →

Your organization uses Microsoft 365 Business Premium. You need to configure Windows 365 Cloud PCs for 10 users who require access to a custom line-of-business (LOB) application that is not compatible with Windows 11. The LOB app requires Windows 10 and 8 GB RAM. What is the most cost-effective Cloud PC configuration that meets the requirements?

Question 176hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You are a Microsoft 365 administrator. Your tenant has a Microsoft Entra ID P2 license. You need to create a dynamic group for all users whose department is 'Engineering' and who are located in the United States. Which rule syntax should you use?

Question 177easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your company has a Microsoft 365 E5 tenant. You need to ensure that all external emails are marked with a warning banner at the top of the email body. What should you configure?

Question 178mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a custom PowerShell script that runs in the user context after every device restart. Which Intune policy type should you use?

Question 179hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your Microsoft 365 tenant has a Microsoft Entra ID tenant with custom B2B collaboration settings. You need to allow external users from a specific domain (partner.com) to self-service sign up, but block all other external domains. What should you configure?

Question 180easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You need to ensure that all Microsoft 365 users in your organization have a consistent password policy that requires passwords to be at least 12 characters and include complexity requirements. What should you configure?

Question 181mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization is planning to deploy Microsoft 365 for 500 users. You need to ensure that all users can authenticate using their on-premises Active Directory credentials while also enabling self-service password reset (SSPR) in the cloud. Which configuration should you implement?

Question 182hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A company has a Microsoft 365 E5 tenant with 10,000 users. You need to delegate the ability to manage Microsoft Entra ID roles to a group of support engineers. The solution must follow the principle of least privilege and allow engineers to assign only specific roles to users. What should you do?

Question 183easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization uses Microsoft 365 Business Premium. You need to ensure that when a user is assigned an Intune license, the device automatically enrolls in Microsoft Intune. What should you configure?

Question 184mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A user reports that they cannot access Microsoft Teams from their mobile device. Other Microsoft 365 services work fine. You verify that the device is compliant with Intune policies. What is the most likely cause?

Question 185hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization has a hybrid identity with Microsoft Entra Connect. You need to migrate from federation to password hash synchronization with seamless single sign-on (SSO). The migration must have minimal user impact. Which tool should you use?

Question 186easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You need to ensure that only users from your organization can access a SharePoint Online site. Which setting should you configure?

Question 187mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization is implementing Microsoft 365 Copilot. You need to ensure that users' data is protected from being used for training the underlying AI models. What should you configure?

Question 188hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You have a Microsoft 365 E5 tenant with Microsoft Defender for Cloud Apps. You need to discover unsanctioned cloud apps used by users. What should you configure?

Question 189easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization needs to enforce multi-factor authentication (MFA) for all users. You want to use a security default policy. What is the prerequisite?

Question 190mediummulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization is using Microsoft 365 Business Premium. You need to ensure that devices are automatically enrolled in Microsoft Intune when users sign in with their work account. Which TWO configurations are required?

Question 191hardmulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You are planning a Microsoft 365 tenant migration from another tenant. You need to migrate email, OneDrive, and SharePoint content. Which THREE tools or methods can you use to migrate data?

Question 192mediummulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization is implementing Microsoft Purview Data Loss Prevention (DLP). You need to ensure that sensitive data such as credit card numbers cannot be shared externally via email. Which THREE components should you configure?

Question 193hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Refer to the exhibit. You are reviewing a Conditional Access policy in Microsoft Entra ID. What is the effect of this policy?

Exhibit

Refer to the exhibit.
```json
{
  "conditions": {
    "applications": {
      "includeApplications": ["Office365"]
    },
    "users": {
      "includeUsers": ["All"]
    },
    "platforms": {
      "includePlatforms": ["iOS", "Android"]
    }
  },
  "grantControls": {
    "builtInControls": ["mfa", "compliantDevice"]
  }
}
```
Question 194mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Refer to the exhibit. You are creating a custom role in Microsoft Entra ID for helpdesk staff. What can users assigned this role do?

Exhibit

Refer to the exhibit.
```json
{
  "roleName": "Custom Helpdesk",
  "permissions": [
    "microsoft.directory/users/standard/read",
    "microsoft.directory/users/password/update"
  ]
}
```
Question 195easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Refer to the exhibit. You run this PowerShell command in your Microsoft 365 tenant. What is the purpose of the command?

Exhibit

Refer to the exhibit.
```
Get-MsolUser -All | Where-Object {$_.isLicensed -eq $false} | Select-Object UserPrincipalName
```
Question 196mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization is preparing to deploy Microsoft 365 for 5,000 users. You need to ensure that all users can authenticate using their existing on-premises Active Directory credentials while minimizing infrastructure changes. You also need to support self-service password reset (SSPR) for cloud-only users. Which authentication method should you recommend?

Question 197easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization has a Microsoft 365 E5 tenant. You need to ensure that users are prompted to register for multifactor authentication (MFA) the first time they sign in. Which Microsoft Entra ID policy should you configure?

Question 198hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your company recently acquired a subsidiary that uses a different Microsoft 365 tenant. You are tasked with merging the two tenants into one. The subsidiary has 1,500 users with unique email domains. You need to migrate all users, mailboxes, and SharePoint data while minimizing downtime and preserving data integrity. You have access to both tenants as global admin. What should you do first?

Question 199mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization uses Microsoft 365 Copilot for Sales. You need to ensure that only licensed users can access Copilot features, and that usage is monitored for compliance. What should you configure?

Question 200easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your company has a Microsoft 365 E3 tenant. You need to enable Microsoft Purview Data Loss Prevention (DLP) to prevent sensitive data from being shared externally via email. What must you do first?

Question 201hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization has a Microsoft 365 tenant with 10,000 users. You are configuring Microsoft Entra ID Identity Protection to detect risky sign-ins. You need to ensure that when a sign-in risk level of 'High' is detected, the user is blocked from signing in and an administrator is notified. What should you configure?

Question 202mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization uses Microsoft Intune for mobile device management (MDM). You need to enforce that all iOS and Android devices must have a screen lock password of at least 6 characters before they can access corporate email. What should you configure?

Question 203easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your company is implementing Microsoft 365 Copilot for Microsoft 365. You need to ensure that Copilot can access data from across the organization, but only for users who have the appropriate permissions. What is the primary security boundary for Copilot data access?

Question 204mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization recently deployed Microsoft Defender for Office 365. Users report that some legitimate external emails are being quarantined as phishing attempts. You need to reduce false positives without compromising security. What should you do?

Question 205mediummulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization has a Microsoft 365 E5 tenant with Microsoft Defender for Cloud Apps. You need to discover and control the use of unsanctioned cloud apps. Which TWO actions should you take? (Choose two.)

Question 206hardmulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization uses Microsoft Sentinel for security operations. You need to ensure that Sentinel can ingest logs from Microsoft 365 Defender (XDR) and Microsoft Entra ID. Which THREE data connectors should you enable? (Choose three.)

Question 207easymulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your company is planning to use Microsoft 365 Copilot for Microsoft 365. Which THREE prerequisites are required for Copilot to function? (Choose three.)

Question 208hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Refer to the exhibit. You are reviewing an app registration in Microsoft Entra ID for the Microsoft Teams Admin Center. The permission shown is for another resource. What is the consequence of this permission configuration?

Exhibit

Refer to the exhibit.

{
  "appInfo": {
    "appId": "00000011-0000-0000-c000-000000000000",
    "displayName": "Microsoft Teams Admin Center"
  },
  "permissions": [
    {
      "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
      "resourceAccess": [
        {
          "id": "11356cb3-9cf7-4b2f-8c7b-7d8a9f4e4c5d",
          "type": "Role"
        }
      ]
    }
  ]
}
Question 209mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Refer to the exhibit. You run the PowerShell commands shown. The output displays 10 mailboxes with various RecipientTypeDetails, including UserMailbox, SharedMailbox, and RoomMailbox. You need to ensure that only user mailboxes are returned. What should you modify?

Exhibit

Refer to the exhibit.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.com -ShowProgress $true
Get-Mailbox -ResultSize 10 | Select-Object DisplayName, RecipientTypeDetails, PrimarySmtpAddress
Question 210hardmultiple choice
Read the full NAT/PAT explanation →

You are a Microsoft 365 administrator for Contoso Corporation, a multinational company with 20,000 users. The company uses Microsoft 365 E5, Microsoft Entra ID P2, Microsoft Defender XDR, Microsoft Purview, and Microsoft Intune. The security team wants to implement a zero-trust access model. Requirements: 1. All access to corporate resources must require multifactor authentication (MFA) and device compliance. 2. Users must register for MFA before accessing any app. 3. Legacy authentication protocols must be blocked for all users. 4. External collaboration must be governed by identity governance. 5. Sensitive data in SharePoint Online must be protected by DLP. 6. All administrative actions must be audited. You need to design the configuration. Which combination of actions should you take?

Question 211mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization uses Microsoft 365 E5 licenses. You need to ensure that all external sharing links for SharePoint Online expire after 30 days by default. You configure this in the SharePoint admin center. However, users report that links created before the change still do not have an expiration. What should you do?

Question 212hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You are deploying Microsoft 365 for a new subsidiary. The subsidiary has a single domain subsidiary.com. You need to configure a hybrid identity solution with Microsoft Entra ID. The on-premises Active Directory has a single domain and all user accounts are synchronized using Microsoft Entra Connect. You want to ensure that users can sign in to Microsoft 365 using their on-premises credentials without exposing the password hash to Microsoft. What should you do?

Question 213easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your company has a Microsoft 365 E5 subscription. You need to configure multi-factor authentication (MFA) for all users. However, the CEO insists that he should not be prompted for MFA when connecting from the corporate office. What should you do?

Question 214mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization has a Microsoft 365 tenant with a custom domain contoso.com. You have configured Exchange Online to accept emails for contoso.com. You now need to add a subdomain sales.contoso.com and ensure that email sent to sales.contoso.com is delivered to a specific shared mailbox. What should you do?

Question 215hardmultiple choice
Read the full NAT/PAT explanation →

You manage a Microsoft 365 tenant for a multinational corporation. You need to implement Microsoft Purview Information Protection to automatically classify and protect documents containing credit card numbers. The solution must apply encryption automatically when a document is saved to SharePoint Online. What should you do?

Question 216easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization uses Microsoft 365 Business Premium. You need to ensure that all Windows 10 devices are enrolled in Microsoft Intune and comply with a device compliance policy that requires BitLocker encryption and a minimum OS version. What should you do first?

Question 217mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You have a Microsoft 365 E5 tenant. Users report that they cannot access the Microsoft 365 admin center (https://admin.microsoft.com). You verify that they have the Global Administrator role assigned. You check the sign-in logs in Microsoft Entra ID and see that the sign-in was blocked by a Conditional Access policy. The policy requires MFA and a compliant device. The users are using personal devices that are not enrolled. What should you do to allow access while maintaining security?

Question 218hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your company is deploying Microsoft 365 Copilot. You need to ensure that users can use Copilot in Word, Excel, and PowerPoint. The licensing is in place. However, you are concerned about data leakage. You want to ensure that Copilot does not use sensitive organizational data when generating content. What should you configure in Microsoft 365?

Question 219easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization has a Microsoft 365 E5 tenant. You need to set up a shared mailbox for the IT help desk (helpdesk@contoso.com). The help desk team needs to monitor the mailbox and respond to emails. What is the recommended way to grant access to the shared mailbox?

Question 220hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You are reviewing a Conditional Access policy in Microsoft Entra ID. The exhibit shows the policy configuration. You need to allow users to access Office 365 applications from personal devices that are not enrolled in Microsoft Intune. However, the policy currently blocks access because it requires a compliant device. Users are prompted for MFA but then blocked due to device compliance. What should you modify in the policy?

Exhibit

Refer to the exhibit.

```json
{
  "conditions": {
    "applications": {
      "includeApplications": ["Office365"]
    },
    "users": {
      "includeUsers": ["All"]
    },
    "locations": {
      "includeLocations": ["All"]
    }
  },
  "grantControls": {
    "builtInControls": ["mfa", "compliantDevice"]
  },
  "sessionControls": {
    "applicationEnforcedRestrictions": null,
    "cloudAppSecurity": {
      "cloudAppSecurityType": "monitorOnly"
    }
  }
}
```
Question 221mediummulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization is planning to migrate from on-premises Exchange to Exchange Online. You need to choose a migration strategy. Which TWO statements about migration methods are correct?

Question 222hardmulti select
Read the full NAT/PAT explanation →

You are implementing Microsoft Defender for Office 365. You need to configure anti-phishing policies to protect against user impersonation. Which THREE settings should you configure?

Question 223easymulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your company uses Microsoft 365 Business Premium. You need to configure Microsoft Entra ID Protection to automatically remediate risks. Which TWO risk remediation actions can be configured?

Question 224hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You are the Microsoft 365 administrator for a large enterprise with 50,000 users. The company is deploying Microsoft 365 Copilot for all users. You need to ensure that the data used by Copilot is protected and that Copilot does not inadvertently expose sensitive information. The company has strict data residency requirements: all data must remain within the European Union (EU). You have already configured data boundaries in Microsoft 365 to keep data in the EU. However, you are concerned about Copilot's AI model training. You need to implement additional controls. The company uses Microsoft Purview Information Protection with sensitivity labels. You have created a sensitivity label "Highly Confidential" that applies encryption and a "Confidential" label that applies visual markings. You also have a DLP policy that prevents sharing of "Highly Confidential" data externally. You need to ensure that when a user uses Copilot with a document labeled "Highly Confidential", the Copilot response does not include any of the sensitive content from that document. What should you do?

Question 225mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization has a hybrid identity deployment with Microsoft Entra Connect. You have synchronized all on-premises Active Directory users to Microsoft Entra ID. You need to enable Microsoft Entra ID Password Protection to automatically block weak passwords. You have installed the Password Protection proxy on a server and registered it. You also need to enforce the password protection policy for on-premises users. What additional step is required?

Question 226easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You are a Microsoft 365 administrator for a small business with 50 users. The company is using Microsoft 365 Business Basic. You need to configure email for the custom domain contoso.com. You have added the domain in the Microsoft 365 admin center and verified ownership. Users currently have onmicrosoft.com email addresses. You need to change the primary email address for all users to their custom domain (e.g., user@contoso.com). What should you do?

Question 227mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Contoso recently acquired a company with an existing Microsoft 365 tenant. You need to migrate their user accounts and mailboxes to the Contoso tenant. The acquired company uses a custom domain for email. You must ensure minimal disruption and maintain email flow during migration. What should you do first?

Question 228hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization uses Microsoft Defender for Identity and has enabled Microsoft Secure Score. You notice that the Secure Score for Identity has dropped significantly after a recent configuration change. Which action is most likely to have caused the decrease?

Question 229easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

A user reports that they cannot access their Microsoft 365 mailbox from the Outlook desktop client, but they can access it via Outlook on the web. Other users in the same tenant are not experiencing issues. What is the most likely cause?

Question 230hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You are configuring Microsoft Purview Information Protection for your tenant. You need to ensure that documents containing credit card numbers are automatically labeled as 'Highly Confidential' and encrypted. Which two components must you configure?

Question 231mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a custom Line-of-Business (LOB) app to a group of devices. The app is not in the Microsoft Store. What is the recommended method to deploy the app?

Question 232easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You need to configure Microsoft Teams to allow external access for federation with another organization. The other organization uses a different domain. Which setting must you enable in the Teams admin center?

Question 233mediummulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization has a Microsoft 365 E5 subscription. You need to enforce that all users must use multi-factor authentication (MFA) when accessing Microsoft 365 services. Which TWO components should you configure?

Question 234hardmulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization is deploying Windows 11 using Microsoft Intune. You need to ensure that devices are automatically enrolled in Intune when users sign in with their Microsoft Entra ID credentials. Which THREE prerequisites must be met?

Question 235easymulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You are implementing Microsoft Purview Data Lifecycle Management. You need to retain all emails for a minimum of 5 years but automatically delete them after 7 years. Which TWO actions should you configure?

Question 236hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization uses Microsoft Defender for Cloud Apps. You need to create a policy that automatically blocks downloads of files containing sensitive information from SharePoint Online to unmanaged devices. What type of policy should you create?

Question 237easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You need to ensure that only users from your organization's on-premises Active Directory can access Microsoft 365 services. You have Microsoft Entra Connect configured. What is the simplest way to prevent cloud-only user accounts from signing in?

Question 238hardmultiple choice
Read the full NAT/PAT explanation →

Contoso is a multinational company with 50,000 users. They have a Microsoft 365 E5 subscription and use Microsoft Entra ID for identity. They recently deployed Microsoft Copilot for Microsoft 365 to 10,000 users. The security team wants to ensure that Copilot responses do not expose sensitive information. They also need to monitor Copilot usage for unusual activity. The company uses Microsoft Purview Information Protection and Microsoft Defender for Cloud Apps. You need to configure the environment to meet these requirements. Which action should you take?

Question 239mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization has 5,000 users and uses Microsoft 365 E3. You are planning to migrate from on-premises Exchange to Exchange Online. You have already synchronized identities using Microsoft Entra Connect. The CIO wants to ensure that users can continue to access their email if the internet connection to Microsoft 365 is temporarily lost. You need to recommend a solution that provides offline access while minimizing cost and administrative overhead. What should you recommend?

Question 240easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You are a Microsoft 365 administrator for a small business with 50 users. The company uses Microsoft 365 Business Premium. You need to ensure that all users have multi-factor authentication (MFA) enabled. The company does not have any custom conditional access policies. You want to implement MFA as quickly as possible with minimal configuration. What should you do?

Question 241mediummulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You are the Microsoft 365 administrator for a large enterprise. You need to ensure that only users with a valid business justification can access sensitive data stored in SharePoint Online. The solution must enforce access reviews and provide detailed reports for auditors. Which TWO actions should you take?

Question 242hardmulti select
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your company is deploying Microsoft 365 Copilot for all users. You need to ensure that Copilot responses are grounded only in organizational data that users already have permission to access. Additionally, you must comply with data residency requirements in the European Union. Which THREE actions should you take?

Question 243easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You are the Microsoft 365 administrator for Contoso, a company with 5,000 users. The company recently acquired a subsidiary, Fabrikam, which has 2,000 users currently using on-premises Exchange and Active Directory. The goal is to migrate Fabrikam users to Microsoft 365 and merge their identities into the existing Contoso tenant. The migration must minimize user password changes and preserve existing email addresses. You need to plan the identity migration. What should you do first?

Question 244mediummultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization uses Microsoft 365 and has strict compliance requirements. The compliance officer has noticed that some users are able to access sensitive documents from unmanaged devices. You need to ensure that all access to sensitive data from unmanaged devices is blocked, while still allowing access from managed devices. The solution must be implemented using Microsoft Entra ID and Microsoft Intune. You have already deployed Microsoft Intune for mobile device management. What should you do?

Question 245mediummultiple choice
Read the full NAT/PAT explanation →

You are the Microsoft 365 administrator for a multinational company. The company has deployed Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps. Recently, the security team detected that a user's credentials were compromised and used to access SharePoint Online from an unusual location. You need to investigate the incident and determine the full scope of the breach. The solution must use Microsoft 365 Defender to correlate events. What should you do first?

Question 246hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your organization is planning to deploy Microsoft 365 Copilot for all users. The compliance team has concerns about data leakage through Copilot responses. Specifically, they want to ensure that Copilot does not generate responses based on highly confidential data labeled with the 'Highly Confidential' sensitivity label. Additionally, users must be able to use Copilot for general productivity tasks. You need to configure Microsoft 365 Copilot to meet these requirements. The solution must use Microsoft Purview Information Protection. What should you do?

Question 247hardmultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

You are the Microsoft 365 administrator for a company with a hybrid identity configuration using Azure AD Connect. The company has a custom domain 'contoso.com' federated with Active Directory Federation Services (ADFS). All users are synced from on-premises Active Directory. The security team wants to implement Microsoft Entra ID Protection to detect risky sign-ins. However, they are concerned that federated authentication bypasses some risk detection capabilities. You need to ensure that Microsoft Entra ID Protection can evaluate risk for all sign-ins, including federated ones. What should you do?

Question 248easymultiple choice
Read the full Deploy and manage a Microsoft 365 tenant explanation →

Your company uses Microsoft 365 Business Premium. You need to ensure that all company-owned Windows 10 devices are automatically enrolled in Microsoft Intune when users sign in with their work account. The devices are Azure AD joined. You have configured automatic enrollment in Intune. However, some devices are not enrolling. You need to troubleshoot the issue. What should you check first?

Practice tests

Scored 10-question sessions with instant feedback and explanations.

MS-102 Practice Test 1 — 10 Questions→MS-102 Practice Test 2 — 10 Questions→MS-102 Practice Test 3 — 10 Questions→MS-102 Practice Test 4 — 10 Questions→MS-102 Practice Test 5 — 10 Questions→MS-102 Practice Exam 1 — 20 Questions→MS-102 Practice Exam 2 — 20 Questions→MS-102 Practice Exam 3 — 20 Questions→MS-102 Practice Exam 4 — 20 Questions→Free MS-102 Practice Test 1 — 30 Questions→Free MS-102 Practice Test 2 — 30 Questions→Free MS-102 Practice Test 3 — 30 Questions→MS-102 Practice Questions 1 — 50 Questions→MS-102 Practice Questions 2 — 50 Questions→MS-102 Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

Deploy and manage a Microsoft 365 tenantImplement and manage Microsoft Entra identity and accessManage security and threats by using Microsoft Defender XDRManage compliance by using Microsoft PurviewManage users, groups, licensing, and supportImplement and manage identity and access in Microsoft Entra ID

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All Deploy and manage a Microsoft 365 tenant setsAll Deploy and manage a Microsoft 365 tenant questionsMS-102 Practice Hub