MS-102 Implement and manage Microsoft Entra identity and access • Complete Question Bank
Refer to the exhibit.

```json
{
  "conditions": {
    "applications": {
      "includeApplications": ["Office365"]
    },
    "users": {
      "includeUsers": ["All"]
    },
    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
    "locations": {
      "includeLocations": ["AllTrusted"]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["mfa", "compliantDevice"]
  }
}
```

Refer to the exhibit.
PowerShell output:

```powershell
Get-AzureADDirectorySetting | Select-Object *
Id : 1234-...
DisplayName : Group.Unified
TemplateId : 62375ab9-...
Values : {[EnableGroupCreation, true], [GroupCreationAllowedGroupId, ], [UsageGuidelinesUrl, ], [ClassificationDescriptions, ], [DefaultClassification, ], [PrefixSuffixNamingRequirement, ], [CustomBlockedWordsList, ], [EnableMSStandardBlockedWords, false]}
```

Refer to the exhibit.

```json
{
  "conditions": {
    "users": {
      "includeUsers": ["All"],
      "excludeUsers": ["Admin@contoso.com"]
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "clientAppTypes": ["MobileAppsAndDesktopClients"]
  },
  "grantControls": {
    "builtInControls": ["Mfa"],
    "operator": "OR"
  }
}
```

Refer to the exhibit.

PowerShell Output from Get-MgPolicyCrossTenantAccessPolicyDefault:

```powershell
Id : default
B2bCollaborationInbound : Microsoft.Graph.PowerShell.Models.MicrosoftGraphCrossTenantAccessPolicyB2BSetting
B2bCollaborationOutbound : Microsoft.Graph.PowerShell.Models.MicrosoftGraphCrossTenantAccessPolicyB2BSetting
InboundTrust : Microsoft.Graph.PowerShell.Models.MicrosoftGraphCrossTenantAccessPolicyInboundTrust
  IsMfaAccepted : True
  IsCompliantDeviceAccepted : False
  IsHybridAzureAdJoinedDeviceAccepted : False

AdditionalProperties : {{}}
```

Refer to the exhibit.

```json
{
  "policy": {
    "displayName": "Block legacy authentication",
    "state": "enabled",
    "conditions": {
      "clientAppTypes": [
        "exchangeActiveSync",
        "other"
      ],
      "signInRiskLevels": [],
      "userRiskLevels": [],
      "applications": {
        "includeApplications": [
          "All"
        ]
      },
      "users": {
        "includeUsers": [
          "All"
        ]
      }
    },
    "grantControls": {
      "builtInControls": [
        "block"
      ],
      "operator": "OR"
    }
  }
}
```

Refer to the exhibit.

```json
{
  "apps": [
    {
      "appId": "00000003-0000-0000-c000-000000000000",
      "displayName": "Microsoft Graph",
      "permissions": [
        {
          "name": "User.Read.All",
          "adminConsentRequired": true,
          "userConsentPossible": false
        },
        {
          "name": "Mail.Read",
          "adminConsentRequired": false,
          "userConsentPossible": true
        }
      ]
    }
  ]
}
```

Refer to the exhibit.

```powershell
PS C:\> (Get-MgPolicyAuthenticationMethodPolicy).RegistrationCampaign.Email
Value : enabled
IncludeTargets : [{"targetType":"group","id":"all_users","isSystemTarget":true}]
ExcludeTargets : []
State : enabled
```

Refer to the exhibit.

```json
{
  "appId": "00000003-0000-0000-c000-000000000000",
  "displayName": "Microsoft Graph",
  "permissions": [
    {
      "name": "User.Read.All",
      "type": "Application",
      "adminConsentRequired": true,
      "userConsentPossible": false
    }
  ]
}
```

Refer to the exhibit.

```powershell
Get-MgPolicyCrossTenantAccessPolicy
Id : /policies/crossTenantAccessPolicy
DisplayName : Default policy
DefaultPolicy : Microsoft.Graph.PowerShell.Models.MicrosoftGraphCrossTenantAccessPolicyDefault
(DefaultPolicy properties)
B2BCollaborationInbound : @{AllowedIdentities=; AllowedApplications=; AllowedTenants=}
B2BCollaborationOutbound: @{AllowedIdentities=; AllowedApplications=; AllowedTenants=}
B2BDirectConnectInbound : @{AllowedIdentities=; AllowedApplications=; AllowedTenants=}
B2BDirectConnectOutbound: @{AllowedIdentities=; AllowedApplications=; AllowedTenants=}
OfficeSyncInbound : @{AllowedTenants=}
OfficeSyncOutbound : @{AllowedTenants=}
IsServiceDefault : True
Get-MgPolicyCrossTenantAccessPolicyPartner -CrossTenantAccessPolicyId "/policies/crossTenantAccessPolicy"
Id : /policies/crossTenantAccessPolicy/partners/contoso.com
TenantId : contoso.com
B2BCollaborationInbound : @{AllowedIdentities=; AllowedApplications=; AllowedTenants=}
B2BCollaborationOutbound: @{AllowedIdentities=; AllowedApplications=; AllowedTenants=}
B2BDirectConnectInbound : @{AllowedIdentities=; AllowedApplications=; AllowedTenants=}
B2BDirectConnectOutbound: @{AllowedIdentities=; AllowedApplications=; AllowedTenants=}
OfficeSyncInbound : @{AllowedTenants=}
OfficeSyncOutbound : @{AllowedTenants=}
IsServiceDefault : False
AutomaticUserConsentSettings: @{InboundAllowed=; OutboundAllowed=}
```

Refer to the exhibit.

```json
{
  "displayName": "Block access for non-compliant devices",
  "conditions": {
    "users": {
      "includeUsers": ["All"]
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
    "devices": {
      "deviceStates": {
        "include": ["All"]
      }
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["compliantDevice"]
  }
}
```

Refer to the exhibit.

```kusto
SigninLogs
| where TimeGenerated > ago(30d)
| where UserPrincipalName == "user@contoso.com"
| summarize TotalAttempts = count(), FailedAttempts = countif(ResultType != 0), Locations = make_set(Location) by AppDisplayName
| where FailedAttempts > 0
```

Refer to the exhibit.

```json
{
  "appId": "00000000-0000-0000-0000-000000000000",
  "displayName": "ContosoApp",
  "passwordCredentials": [
    {
      "customKeyIdentifier": "abc123",
      "endDateTime": "2025-12-31T23:59:59Z",
      "keyId": "11111111-1111-1111-1111-111111111111",
      "startDateTime": "2024-01-01T00:00:00Z",
      "secretText": null,
      "hint": "***"
    }
  ]
}
```

Refer to the exhibit.

```powershell
$users = Get-AzureADUser -All $true
foreach ($user in $users) {
    $risky = Get-AzureADIdentityRiskyUser -Filter "userPrincipalName eq '$($user.UserPrincipalName)'"
    if ($risky.riskLevel -eq 'high') {
        Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false
    }
}
```

Refer to the exhibit.

```json
{
  "signInFrequency": "EveryTime",
  "sessionControls": [
    {
      "applicationEnforcedRestrictions": null,
      "cloudAppSecurity": {
        "cloudAppSecurityType": "monitorOnly",
        "isEnabled": true
      },
      "persistentBrowser": null,
      "signInFrequency": {
        "type": "everyTime",
        "value": null
      }
    }
  ]
}
```

Refer to the exhibit.
PowerShell Output:

```powershell
Get-MgPolicyCrossTenantAccessPolicyDefault -Default
Id : default
DisplayName : Default policy
IsServiceDefault : True
B2BCollaborationInbound : @{Applications=; UsersAndGroups=; Organizations=}
B2BCollaborationOutbound : @{Applications=; UsersAndGroups=; Organizations=}
B2BDirectConnectInbound : @{Applications=; UsersAndGroups=; Organizations=}
B2BDirectConnectOutbound : @{Applications=; UsersAndGroups=; Organizations=}
InboundTrust : @{IsMfaAccepted=$false; IsCompliantDeviceAccepted=$false; IsHybridAzureADJoinedDeviceAccepted=$false}
```

You are the identity architect for Contoso, a multinational company with 50,000 employees. Contoso uses Microsoft Entra ID with hybrid identity (PHS) and Microsoft Entra ID Protection. The company is deploying Microsoft Copilot for Microsoft 365 and wants to ensure that access to Copilot is controlled based on user risk, device compliance, and location. Additionally, the security team requires that all Copilot interactions are logged and auditable. You need to design a solution that meets these requirements with minimal administrative overhead.
Current environment:
- All users are synced from on-premises AD using Microsoft Entra Connect.
- Devices are either Microsoft Entra hybrid joined or Microsoft Entra registered.
- Microsoft Entra ID Protection is enabled with user risk and sign-in risk policies.
- Microsoft Intune is used for device compliance policies.
- All users have Microsoft 365 E5 licenses.

Requirements:
- Access to Copilot must be blocked for users with high user risk.
- Access from untrusted locations must require MFA.
- Only compliant devices can access Copilot.
- All Copilot interactions must be captured in Microsoft Purview Audit (Standard).

What should you do?

Exhibit: Conditional Access Policy JSON

```json
{
  "conditions": {
    "applications": {
      "includeApplications": ["Office365"]
    },
    "users": {
      "includeUsers": ["All"]
    },
    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["mfa", "compliantDevice"]
  }
}
```

```json
{
  "conditions": {
    "users": {
      "includeUsers": ["All"]
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "locations": {
      "includeLocations": ["AllTrusted"]
    },
    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]
  },
  "grantControls": {
    "builtInControls": ["mfa"],
    "termsOfUse": ["termsOfUseId1"]
  },
  "sessionControls": {
    "signInFrequency": {
      "value": 1,
      "type": "hours"
    },
    "persistentBrowser": {
      "mode": "never"
    }
  }
}
```

```json
{
  "ConditionalAccessPolicies": [
    {
      "displayName": "Require MFA for admins",
      "conditions": {
        "users": {
          "includeRoles": ["Global Administrator", "Exchange Administrator"]
        },
        "applications": {
          "includeApplications": ["Office 365 Exchange Online", "Microsoft Azure Management"]
        }
      },
      "grantControls": {
        "builtInControls": ["mfa"]
      }
    }
  ]
}
```

Your organization, Contoso Ltd., has a Microsoft 365 E5 tenant with Microsoft Entra ID P2. You have 10,000 users and 500 applications. You are planning to implement a comprehensive identity security strategy. Your requirements are:
1. All users must use phishing-resistant MFA for accessing business-critical applications.
2. Users accessing sensitive HR data must be required to use a compliant device.
3. Any authentication attempt from an anonymous IP address or from a country where Contoso has no business operations must be blocked.
4. All external collaboration must be governed by access reviews that require sponsor approval.
5. You need to monitor and respond to identity risks in real time.

You need to design a solution using Microsoft Entra ID features. Which combination of features should you implement?

You are the identity administrator for a multinational company with 50,000 users. The company uses Microsoft Entra ID P2 and has recently acquired a small subsidiary with 300 users that uses a different identity provider (Okta). You need to integrate the subsidiary's identities into your Microsoft Entra tenant.

Requirements:
- The subsidiary's users must be able to access Microsoft 365 applications using their existing Okta credentials.
- You must minimize changes to the subsidiary's existing infrastructure.
- All access to Microsoft 365 must be governed by your Conditional Access policies.
- Passwords must not be stored in Microsoft Entra ID.

What should you implement?

Your company has a Microsoft 365 E5 tenant with Microsoft Entra ID P2. You are the security administrator. You need to implement a solution that automatically detects and remediates identity risks.

Requirements:
- Risky sign-ins (e.g., from anonymous IP addresses) should be automatically blocked.
- Users with confirmed compromised credentials should be forced to reset their password at next sign-in.
- You need to receive alerts when high-risk events occur.
- The solution must minimize false positives.

Which Microsoft Entra ID features should you combine?