CCNA Manage identity and compliance Questions

29 questions · Manage identity and compliance · All types, answers revealed

1. MCQ (hard)

You are a Teams administrator. After running the PowerShell script shown in the exhibit, users report they cannot communicate with federated users from 'trusted.com'. What is the most likely cause?

A. The AllowedDomains list does not include a wildcard '*' to allow all domains, so only trusted.com is allowed.
B. The script sets AllowPublicUsers to $false, which blocks all external communication including federated users.
C. The script sets AllowFederatedUsers to $true, which disables federated user communication.
D. The script did not run in a Teams PowerShell session that supports the Set-CsTenantFederationConfiguration cmdlet.
Answer: D

The New-CsOnlineSession and Import-PSSession sequence is correct, but if the module is not properly loaded or the session is not created with the right endpoint, the cmdlets may not be available, causing the script to have no effect.

Why this answer

Option D is correct because the `Set-CsTenantFederationConfiguration` cmdlet is only available in a remote Teams PowerShell session (connected via `Connect-MicrosoftTeams`), not in a local Skype for Business Online or legacy PowerShell module. If the script was run in an incompatible session (e.g., an older Skype for Business Online Connector or a local PowerShell window without proper module import), the cmdlet would not execute, leaving the federation configuration unchanged. This would cause the default settings to block federated communication with 'trusted.com'.

Exam trap

The trap here is that candidates focus on the federation settings (AllowedDomains, AllowFederatedUsers) and overlook the critical prerequisite of running the cmdlet in the correct PowerShell session, assuming any PowerShell window can execute Teams cmdlets.

How to eliminate wrong answers

Option A is wrong because the `AllowedDomains` list is used to restrict which federated domains are allowed when `AllowFederatedUsers` is `$true`; a missing wildcard does not block all communication—it only limits allowed domains, but the script's primary issue is that the cmdlet itself did not run. Option B is wrong because `AllowPublicUsers` controls Skype for Business public IM connectivity (e.g., with Skype consumer), not federated users from another organization's Teams/Skype for Business domain. Option C is wrong because setting `AllowFederatedUsers` to `$true` enables federated communication, not disables it; the problem is that the cmdlet never executed.

2. Drag & Drop (medium)

Order the steps to migrate user profiles from Windows 10 to a new device using User State Migration Tool (USMT).


Why this order

Run ScanState to collect the user data, specify the migration store, install the new OS on the target device, run LoadState to restore the data, then verify the migrated profiles.

3. MCQ (medium)

A company uses Microsoft 365 with hybrid identity. Users report that after changing their on-premises passwords, they cannot access SharePoint Online for up to 30 minutes, but Outlook on the web works immediately. You need to reduce the delay for SharePoint Online access. What should you do?

A. Run a Delta Sync in Azure AD Connect.
B. Configure password writeback in Azure AD Connect.
C. Enable Azure AD Seamless Single Sign-On.
D. In Azure AD, configure the user to require password change at next sign-in.
Answer: A

Delta Sync immediately synchronizes recent password changes, reducing the delay.

Why this answer

The delay occurs because password changes are synchronized only during the next Azure AD Connect sync cycle, which by default runs every 30 minutes. Running a Delta Sync immediately replicates the new password hash to Azure AD, eliminating the wait for SharePoint Online authentication.

Exam trap

The trap here is confusing password writeback (cloud-to-on-premises) with password hash synchronization (on-premises-to-cloud), leading candidates to select writeback when the actual issue is sync frequency.

How to eliminate wrong answers

Option B is wrong because password writeback is used for self-service password reset from the cloud to on-premises, not for synchronizing on-premises password changes to Azure AD. Option C is wrong because Azure AD Seamless SSO provides silent authentication on domain-joined devices but does not affect the synchronization of password hashes. Option D is wrong because requiring a password change at next sign-in is a policy that forces the user to update their password, but it does not accelerate the sync of an already-changed password.

4. Matching (medium)

Match each Microsoft Entra ID (Azure AD) join type to its description.


Personal devices with work account access

Devices owned by organization, cloud-only

Devices joined to on-premises AD and Azure AD

Hybrid join with automatic device enrollment

Hybrid join using federation services

Why these pairings

Join types determine device identity and management scope in MD-102.

5. MCQ (easy)

You are the compliance administrator for a large organization using Microsoft 365 E5 licenses. The company has a hybrid identity configuration with Azure AD Connect syncing on-premises Active Directory to Azure AD. The security team requires that all mobile devices accessing corporate email and documents must be enrolled in Microsoft Intune and compliant with company device policies. Recently, several users reported that they cannot access Outlook on their iOS devices, receiving a message: 'Your organization requires this device to be managed by Intune. Please install the Company Portal app and enroll your device.' However, after installing Company Portal and completing enrollment, they still cannot access Outlook and see the same error. Upon investigation, you find that the devices are showing as 'Compliant' in the Microsoft Intune admin center. You also verify that the Conditional Access policy requiring device compliance is correctly configured and assigned to all users. What should you do to resolve the issue?

A. Disable the Conditional Access policy, wait 10 minutes, and then re-enable it.
B. Recreate the Conditional Access policy with the same settings and assign it to the affected users.
C. Check if the affected users have an Intune license assigned; if not, assign one.
D. Verify that the devices are properly registered in Azure AD and, if not, ask users to unenroll and re-enroll their devices.
Answer: D

This addresses the common issue of devices being compliant but not properly registered in Azure AD, which causes Conditional Access to fail.

Why this answer

The issue is that the devices are compliant in Intune but not properly registered in Azure AD, which is a prerequisite for Conditional Access policies to evaluate device compliance. Even after enrollment, if the device registration fails or is incomplete, the Conditional Access policy will still block access. Option D addresses this by verifying and fixing the Azure AD registration, typically requiring unenrollment and re-enrollment to trigger a fresh registration.

Exam trap

The trap here is that candidates assume 'Compliant in Intune' automatically means 'Registered in Azure AD,' but Conditional Access evaluates Azure AD registration status separately, and a compliant device can still fail the registration check.

How to eliminate wrong answers

Option A is wrong because disabling and re-enabling a Conditional Access policy does not fix underlying device registration issues; it only temporarily removes the policy enforcement, which is not a sustainable solution. Option B is wrong because recreating the policy with identical settings does not resolve the root cause of devices not being properly registered in Azure AD; it would still evaluate the same non-registered devices. Option C is wrong because the affected users already have Microsoft 365 E5 licenses, which include Intune, and the devices show as compliant, indicating licensing is not the issue; the problem is Azure AD registration, not licensing.

6. MCQ (easy)

A company is implementing Windows Hello for Business and wants to use certificate-based authentication. They have an on-premises Active Directory and are using Azure AD Connect for hybrid identity. Which prerequisites must be met to support certificate-based Windows Hello for Business?

A. All users must have the Microsoft Authenticator app installed.
B. Conditional Access policies must be configured to require Windows Hello for Business.
C. An enterprise certification authority (CA) must be deployed and all devices must be Azure AD joined or hybrid Azure AD joined.
D. All users must be configured for passwordless sign-in.
Answer: C

Certificate-based Windows Hello requires a CA and hybrid or Azure AD joined devices.

Why this answer

Certificate-based Windows Hello for Business requires an enterprise PKI to issue and validate certificates for authentication. Devices must be Azure AD joined or hybrid Azure AD joined to enroll these certificates and support the certificate trust model. On-premises Active Directory and Azure AD Connect provide the hybrid identity foundation, but the CA and appropriate device join state are the critical prerequisites.

Exam trap

The trap here is that candidates often confuse the prerequisites for certificate-based Windows Hello for Business with those for passwordless sign-in or MFA, mistakenly thinking that the Authenticator app or Conditional Access policies are required, when in fact the core requirement is an enterprise CA and the correct device join state.

How to eliminate wrong answers

Option A is wrong because the Microsoft Authenticator app is used for phone-based MFA or passwordless phone sign-in, not for certificate-based Windows Hello for Business, which relies on a PKI and device certificates. Option B is wrong because Conditional Access policies are used to enforce sign-in risk or compliance requirements, not to establish the infrastructure prerequisites for certificate-based Windows Hello for Business; the CA and device join state must exist first. Option D is wrong because passwordless sign-in is a broader concept that can be achieved via FIDO2 security keys or phone sign-in, but certificate-based Windows Hello for Business specifically requires a CA and does not mandate that all users be configured for passwordless sign-in.

7. MCQ (easy)

A company uses Microsoft 365 E3 licenses. They need to enforce that all users must use the Microsoft Authenticator app for MFA instead of SMS or phone call. What should the administrator configure?

A. MFA service settings in the legacy portal
B. Authentication methods policy
C. Security defaults
D. Conditional Access policy
Answer: B

This policy controls which methods are allowed.

Why this answer

The Authentication methods policy (B) is the correct configuration because it allows administrators to control exactly which authentication methods users can register and use for MFA. By targeting the policy to all users and disabling SMS and voice call while enabling Microsoft Authenticator (push notifications or OTP), the requirement is met. This policy supersedes legacy MFA settings and provides granular control over modern authentication methods.

Exam trap

The trap here is that candidates often confuse the Authentication methods policy with Conditional Access policies, assuming that a Conditional Access policy can restrict MFA methods, but in reality, Conditional Access only controls when MFA is required, not which methods are allowed.

How to eliminate wrong answers

Option A is wrong because the MFA service settings in the legacy portal only control per-user MFA enforcement and basic method availability (call, SMS, app), but they do not allow disabling specific methods like SMS or phone call for all users—they only enable or disable the app as a whole. Option C is wrong because Security defaults enforce a baseline set of security policies (including requiring MFA for all users) but do not allow granular control to restrict MFA methods to only the Authenticator app; they permit any available method. Option D is wrong because a Conditional Access policy can require MFA but cannot restrict which specific MFA methods (e.g., Authenticator app vs. SMS) are allowed; method restriction is handled exclusively by the Authentication methods policy.

8. Matching (medium)

Match each Microsoft 365 compliance feature to its description.


Prevent sensitive data from being shared inappropriately

Classify and protect documents and emails with labels

Manage retention and disposal of records

Search and export content for legal investigations

Log and investigate user and admin activities

Why these pairings

Compliance features are part of the Microsoft 365 security and compliance center, relevant for endpoint administrators.

9. MCQ (medium)

Refer to the exhibit. A Windows 10 device is showing as non-compliant. The compliance policy 'Require BitLocker' is assigned to all devices. The device does not have BitLocker enabled. However, the user is able to access corporate email on the device. What is the most likely reason for this?

A. The compliance policy has a grace period of 7 days for BitLocker.
B. The compliance policy is not assigned to the device.
C. The device is configured as a kiosk device, which exempts it from compliance.
D. There is no Conditional Access policy that requires a compliant device for access to corporate email.
Answer: D

Without a Conditional Access policy, compliance status does not block access.

Why this answer

D is correct because compliance policies alone do not enforce access restrictions; they only report device compliance status. To block access to corporate email, a Conditional Access policy must be configured to require a compliant device. Without such a policy, the device can still access email even if it is non-compliant.

Exam trap

The trap here is that candidates assume a compliance policy automatically blocks access to resources when a device is non-compliant, but in reality, a separate Conditional Access policy is required to enforce that block.

How to eliminate wrong answers

Option A is wrong because a grace period delays enforcement but does not allow access if the device is non-compliant and a Conditional Access policy is in place; the question states the device is non-compliant and still accessing email, so the absence of Conditional Access is the key. Option B is wrong because the exhibit states the compliance policy is assigned to all devices, so the device is indeed assigned the policy. Option C is wrong because kiosk devices are not exempt from compliance policies; they can be targeted by compliance policies and Conditional Access, and there is no built-in exemption for kiosk mode in this context.

10. MCQ (hard)

A multinational organization uses Microsoft 365 E5 licenses. The compliance officer wants to ensure that all documents containing credit card numbers are automatically classified and protected with a label that applies encryption. You configure auto-labeling policies in Microsoft Purview. After 24 hours, the compliance officer reports that no documents have been labeled. The policy scope is set to 'All locations' and the policy is enabled. What is the most likely cause of the issue?

A. The policy is deployed in simulation mode only.
B. No sensitivity labels have been published to the users.
C. Auto-labeling requires an Azure Information Protection (AIP) add-on license.
D. The priority of the policy is too low compared to other policies.
Answer: A

Auto-labeling policies start in simulation mode; you must turn on the policy to apply labels.

Why this answer

Auto-labeling policies in Microsoft Purview can be configured in simulation mode, which evaluates documents against the policy rules and reports what would be labeled without actually applying any labels. Since the compliance officer reports that no documents have been labeled after 24 hours, the most likely cause is that the policy is still in simulation mode, which is a common deployment step to validate the policy before turning it on for real labeling.

Exam trap

The trap here is that candidates may assume auto-labeling policies apply labels immediately upon creation, overlooking the deliberate simulation mode that Microsoft requires for validation before production deployment.

How to eliminate wrong answers

Option B is wrong because publishing sensitivity labels to users is required for manual labeling, but auto-labeling policies apply labels automatically based on conditions, regardless of whether labels are published to users. Option C is wrong because auto-labeling for sensitive information types like credit card numbers is included with Microsoft 365 E5 licenses and does not require an additional Azure Information Protection (AIP) add-on license. Option D is wrong because policy priority affects which label is applied when multiple policies match, but it does not prevent labeling entirely; if the policy is enabled and in production mode, it would still apply labels even if its priority is lower.

11. Multi-Select (medium)

Which THREE of the following are valid methods for deploying Microsoft Intune compliance policies to devices?

Select 3 answers
A. Assign the policy to a user group, which applies to devices enrolled by those users.
B. Assign the policy to an Azure AD group that contains devices.
C. Assign the policy directly to individual devices from the Intune console.
D. Assign the policy to a dynamic device group created using device rules.
E. Assign the policy to a device category.
Answers: A, B, D

User-based assignment applies policies to devices enrolled by those users.

Why this answer

Option A is correct because Microsoft Intune compliance policies can be assigned to user groups, and when a user in the group enrolls a device, the policy applies to that device. This is the most common deployment method, leveraging user-based targeting to ensure compliance settings are enforced on devices associated with those users.

Exam trap

The trap here is that candidates may confuse device categories as a direct assignment target, but they are only used to define membership rules for dynamic device groups, not as a policy assignment scope.

12. Multi-Select (easy)

You are configuring Microsoft Entra Conditional Access for a company that requires all employees to use multi-factor authentication (MFA) when accessing the Azure portal. The company also wants to block access from devices that are not compliant. You create a Conditional Access policy. Which two assignments must you configure to meet these requirements? (Choose two.)

Select 2 answers
A. Grant access, require Microsoft Entra hybrid joined device
B. Grant access, block access for non-compliant devices
C. Grant access, require multi-factor authentication
D. Grant access, require device to be marked as compliant
Answers: C, D

This enforces MFA for access.

Why this answer

Option C is correct because the requirement to enforce multi-factor authentication (MFA) for Azure portal access is met by configuring the 'Grant' control to 'Require multi-factor authentication'. Option D is correct because blocking access from non-compliant devices is achieved by selecting 'Require device to be marked as compliant' under Grant controls, which ensures only devices that meet compliance policies (e.g., Intune-managed) are allowed. Both assignments are necessary to satisfy the two distinct requirements.

Exam trap

The trap here is that candidates often confuse 'Block access for non-compliant devices' (which does not exist as a Grant control) with the correct 'Require device to be marked as compliant', or they mistakenly think a hybrid join requirement is needed for MFA enforcement.

13. Drag & Drop (medium)

Order the steps for configuring a Windows 10 kiosk device using Assigned Access.


Why this order

First create the account, then navigate to Settings, set up the kiosk with the user, choose the app, and test by signing in.

14. MCQ (hard)

You are an endpoint administrator for a company that uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access Exchange Online. You have configured a Conditional Access policy that grants access to Exchange Online only if the device is marked as compliant. A user reports that they cannot access email from their iOS device, which is enrolled in Intune and shows as compliant. The user can access other Microsoft 365 services. What is the most likely cause?

A. The user does not have an Exchange Online license assigned.
B. The Conditional Access policy is configured to block access from non-corporate networks.
C. The device compliance policy is not set to require a PIN or password.
D. The Exchange Online workload is not enabled in Intune for mobile device management.
Answer: D

If the workload is not enabled, Intune cannot enforce compliance for Exchange Online access, causing the block.

Why this answer

The most likely cause is that the Exchange Online workload is not enabled in Intune for mobile device management (MDM). Even though the device is enrolled and compliant, Intune must have the Exchange Online workload enabled to apply Conditional Access policies that govern email access. Without this, the Conditional Access policy cannot enforce compliance checks specifically for Exchange Online, resulting in access being blocked despite the device showing as compliant.

Exam trap

The trap here is that candidates assume a compliant device automatically satisfies all Conditional Access requirements, but they overlook the prerequisite that the specific workload (e.g., Exchange Online) must be enabled in Intune for the policy to apply to that service.

How to eliminate wrong answers

Option A is wrong because the user can access other Microsoft 365 services, which also require an Exchange Online license if they were using Exchange features, but the issue is specific to email access; a missing license would affect all Exchange-dependent services, not just Conditional Access. Option B is wrong because the policy is configured to grant access only if the device is compliant, not to block based on network location; a non-corporate network block would affect all services, not just Exchange Online. Option C is wrong because the device is already marked as compliant in Intune, meaning it has passed all assigned compliance policies, including any PIN or password requirements; if a PIN were missing, the device would not show as compliant.

15. Multi-Select (medium)

Which TWO of the following are required to implement Azure AD Join for Windows 10 devices in a hybrid environment with on-premises Active Directory?

Select 2 answers
A. Active Directory Federation Services (AD FS) deployed.
B. Windows 10 devices that are domain-joined to the on-premises Active Directory.
C. Azure AD Connect with device writeback enabled.
D. Azure AD Premium P1 licenses for all users.
E. Windows Hello for Business configured for all users.
Answers: B, C

Devices must be domain-joined to be hybrid Azure AD joined.

Why this answer

Option B is correct because Azure AD Join in a hybrid environment requires devices to be domain-joined to on-premises Active Directory first. This allows Azure AD Connect to synchronize the device objects and, with device writeback enabled, register them in Azure AD, enabling seamless single sign-on and conditional access.

Exam trap

The trap here is that candidates often assume AD FS is mandatory for any hybrid identity scenario, but Microsoft supports multiple authentication methods (e.g., PHS, PTA) that do not require AD FS for Azure AD Join.

16. MCQ (medium)

A company with 500 users uses Microsoft 365 E3 licenses. They want to ensure that all users have multi-factor authentication (MFA) enforced. Currently, 80% of users have MFA enabled through the legacy per-user MFA setting. The security team wants to use Conditional Access policies instead. You need to migrate from per-user MFA to Conditional Access with no disruption to users. What should you do?

A. Create a Conditional Access policy requiring MFA for all cloud apps, including break-glass accounts. Then disable per-user MFA.
B. Create a Conditional Access policy requiring MFA for all users only when accessing from outside the corporate network.
C. Create a Conditional Access policy requiring MFA for all users, excluding break-glass accounts. Disable per-user MFA for all users.
D. Disable per-user MFA for all users, then create a Conditional Access policy requiring MFA for all cloud apps.
Answer: C

This ensures MFA is always enforced and provides emergency access via break-glass accounts.

Why this answer

Option C is correct because you need to exclude the break-glass accounts from the Conditional Access policy to ensure admin access if something goes wrong. You should first create a Conditional Access policy that requires MFA for all users except the break-glass accounts, then disable the per-user MFA for all users. Option A is incorrect because disabling per-user MFA before creating the policy would leave users without MFA.

Option B is incorrect because using a Conditional Access policy to require MFA from outside the network only would not enforce MFA for internal access. Option D is incorrect because creating a policy without excluding break-glass accounts could lock out administrators.

17. MCQ (hard)

An administrator is configuring Microsoft Entra ID Protection. They want to create a policy that automatically blocks sign-ins when the risk level is high. However, they notice that the policy is not triggering for some users who have high risk. What is the most likely reason?

A. The sign-in risk policy is overriding the user risk policy.
B. The users have MFA enabled, so they are exempt from risk policies.
C. The user risk policy is set to 'Report-only' mode instead of 'On'.
D. The policy is configured to apply only to a test group, and the affected users are not members.
Answer: C

Report-only mode only logs, does not block.

Why this answer

Option C is correct because when a user risk policy is set to 'Report-only' mode, it evaluates risk and generates reports but does not enforce any actions such as blocking sign-ins. For automatic blocking to occur, the policy must be set to 'On' (enabled). The administrator likely configured the policy correctly in terms of risk level but overlooked the enforcement mode, which is a common misconfiguration in Microsoft Entra ID Protection.

Exam trap

The trap here is that candidates often assume a policy is automatically enforcing once configured with a risk level, overlooking the separate 'mode' setting that controls enforcement versus reporting-only behavior.

How to eliminate wrong answers

Option A is wrong because sign-in risk policies and user risk policies are independent; one does not override the other. They evaluate different risk types (sign-in vs. user) and can be configured separately. Option B is wrong because having MFA enabled does not exempt users from risk policies; in fact, MFA is often a remediation step, and risk policies can still block or require additional actions regardless of MFA status.

Option D is wrong because if the policy were configured to apply only to a test group and the affected users were not members, the policy would not apply at all, but the question states the policy is not triggering for some users who have high risk, implying it is applied but not enforcing—this points to a mode issue, not a scope issue.

18. Multi-Select (medium)

You are an enterprise administrator for Contoso Ltd. You need to configure Microsoft 365 tenant-wide settings for external collaboration. Which TWO actions should you take to meet the following goals: (1) allow only specific external domains to collaborate with your organization, and (2) ensure that external users are required to sign in with multi-factor authentication (MFA) before accessing shared resources?

Select 2 answers
A. Disable external sharing in the Microsoft 365 admin center for all workloads.
B. Configure the SharePoint and OneDrive domain allowlist to include only the approved external domains.
C. Configure the SharePoint and OneDrive domain blocklist to exclude all external domains except the approved ones.
D. Create a Conditional Access policy in Azure AD that requires MFA for all external users accessing your tenant.
E. Enable B2B direct connect in the cross-tenant access settings for the approved external domains.
Answers: B, D

This restricts sharing to only the domains in the allowlist, meeting goal 1.

Why this answer

Option B is correct because configuring the SharePoint and OneDrive domain allowlist restricts external sharing to only the approved external domains, meeting the first goal. Option D is correct because a Conditional Access policy in Azure AD can require MFA for all external users, satisfying the second goal by enforcing authentication requirements before access to shared resources.

Exam trap

The trap here is that candidates often confuse domain allowlists with blocklists, or assume that B2B direct connect settings (which manage cross-tenant access for Teams) can enforce MFA, when in fact only Conditional Access policies provide that control for external users accessing shared resources.

19. MCQ (easy)

A company uses Microsoft Intune to manage Windows 10 devices. They need to ensure that only devices that have a BitLocker encryption status of 'fully encrypted' are allowed to access corporate resources. They create a device compliance policy that requires BitLocker. However, some devices are still accessing resources even though they are not fully encrypted. What should you check?

A. The devices are running Windows 10 Home edition, which does not support BitLocker.
B. The compliance policy is not assigned to the user or device groups.
C. The compliance policy is set to 'Report non-compliant' instead of 'Block non-compliant'.
D. The compliance policy has a grace period configured that allows access for non-compliant devices.
Answer: B

Without assignment, the policy does not apply, and non-compliant devices can still access resources.

Why this answer

Option B is correct because a device compliance policy must be assigned to the appropriate user or device groups to take effect. If the policy is not assigned, Intune will not evaluate the devices against the BitLocker requirement, and non-compliant devices will continue to access corporate resources. The scenario indicates that the policy was created but not enforced, which points directly to a missing assignment.

Exam trap

The trap here is that candidates assume creating a compliance policy automatically enforces it, but Microsoft Intune requires explicit assignment to user or device groups before the policy is evaluated and acted upon.

How to eliminate wrong answers

Option A is wrong because Windows 10 Home edition does not include BitLocker, but the question states the devices are managed by Intune and the policy requires BitLocker; if a device lacked BitLocker support, it would simply be marked non-compliant, not bypass the policy. Option C is wrong because Intune compliance policies do not have a 'Report non-compliant' vs 'Block non-compliant' setting; the enforcement is controlled by Conditional Access policies, not the compliance policy itself. Option D is wrong because a grace period in a compliance policy allows non-compliant devices to remain compliant temporarily, but the question states devices are 'still accessing resources even though they are not fully encrypted,' which would be consistent with a grace period—however, the core issue is that the policy was never assigned, so the grace period is irrelevant.

20 · Multi-Select · medium

A company uses Microsoft Intune to manage Windows 10 devices. They want to ensure that devices have BitLocker enabled and are compliant before accessing corporate resources. Which TWO actions should the administrator take? (Choose two.)

Select 2 answers
A.Assign the device compliance policy to all users.
B.Create a device compliance policy that requires BitLocker.
C.Enable Windows Hello for Business.
D.Create a device configuration profile to enable BitLocker.
E.Create a Conditional Access policy that grants access only to compliant devices.
Answers: B, E

Compliance policy checks BitLocker status.

Why this answer

Option B is correct because a device compliance policy in Microsoft Intune can include the setting to require BitLocker on Windows 10 devices. This policy evaluates the device's BitLocker status and marks it as noncompliant if BitLocker is not enabled, which is a prerequisite for Conditional Access to block access to corporate resources.

Exam trap

The trap here is that candidates often confuse a device configuration profile (which enables BitLocker) with a compliance policy (which evaluates and enforces BitLocker status), leading them to select Option D instead of understanding that both a compliance policy and a Conditional Access policy are required for the stated goal.

21 · MCQ · hard

Refer to the exhibit. The JSON snippet shows the Azure AD Identity Protection MFA registration policy configuration for the Contoso tenant. A new user, Jane, joins the company and is assigned a license. Jane attempts to access the Azure portal and is prompted to register for MFA. She registers successfully. However, the next day, she is again prompted to register for MFA. What is the most likely cause?

A.The MFA registration policy is disabled.
B.The user's MFA registration is being reset due to a synchronization issue with on-premises Active Directory.
C.The policy is not including all users.
D.The policy excludes the user Jane.
Answer: B

If the user is synced from on-premises, changes in on-premises can reset the MFA registration state.

Why this answer

The most likely cause is that the user's MFA registration is being reset due to a synchronization issue with on-premises Active Directory. When Azure AD Connect synchronizes a user object from on-premises AD, it can overwrite the cloud MFA registration state if the on-premises attribute (such as 'StrongAuthenticationMethods' or 'StrongAuthenticationTime') is not set or is reset. This causes the user to be treated as unregistered, prompting MFA registration again despite a previous successful registration.

Exam trap

The trap here is that candidates often assume the issue is with the policy configuration (enabled, scope, or exclusions) rather than recognizing that a synchronization reset of the MFA registration state is the root cause in a hybrid environment.

How to eliminate wrong answers

Option A is wrong because if the MFA registration policy were disabled, Jane would not have been prompted to register at all, let alone repeatedly. Option C is wrong because the policy not including all users would mean Jane is not targeted by the policy, so she would not be prompted to register for MFA. Option D is wrong because if the policy explicitly excluded Jane, she would not be prompted to register for MFA in the first place.

22 · MCQ · hard

An organization has deployed Microsoft Entra Connect Sync to synchronize on-premises Active Directory to Microsoft Entra ID. Users report that some cloud-only user accounts cannot be assigned licenses. The admin checks the provisioning logs and finds that the cloud accounts have a source of authority of 'Microsoft Entra ID'. What is the most likely cause?

A.The accounts have the 'cloudOnly' attribute set to true, which blocks license assignment.
B.The accounts have no proxyAddresses, so licensing fails.
C.The accounts are missing the 'UsageLocation' attribute, which is required for license assignment.
D.The users are not synchronized because the sync schedule is set to manual.
Answer: C

UsageLocation must be set before assigning licenses.

Why this answer

The most likely cause is that the cloud-only user accounts are missing the 'UsageLocation' attribute. In Microsoft Entra ID, a UsageLocation must be set before licenses can be assigned to any user, including cloud-only accounts. Without this attribute, license assignment fails regardless of the user's source of authority.

Exam trap

The trap here is that candidates may assume license assignment failures are due to synchronization issues or missing proxyAddresses, but the real requirement is the UsageLocation attribute, which is often overlooked in cloud-only user provisioning.

How to eliminate wrong answers

Option A is wrong because there is no 'cloudOnly' attribute in Microsoft Entra ID; the source of authority is determined by the 'dirSyncEnabled' property, and cloud-only accounts have it set to false, which does not block license assignment. Option B is wrong because proxyAddresses are not required for license assignment; they are used for email routing and recipient resolution, not licensing. Option D is wrong because the question states the accounts are cloud-only, not synchronized from on-premises, so the sync schedule is irrelevant to these users.

23 · Drag & Drop · medium

Order the steps to configure Windows Defender Antivirus exclusions via Group Policy.



Why this order

Open GPMC, edit GPO, navigate to exclusions, configure, then force update.

24 · MCQ · medium

Refer to the exhibit. A user attempts to sign in to Microsoft Graph PowerShell and receives the error shown. What is the most likely cause?

A.The user is not registered for MFA.
B.The user does not have an appropriate Microsoft Entra ID license assigned.
C.The device is not registered in Microsoft Entra ID.
D.The sign-in was blocked by a Conditional Access policy.
Answer: B

Error code 50058 indicates missing license.

Why this answer

The error shown indicates that the user lacks the required license for Microsoft Entra ID (formerly Azure AD) features needed to sign in to Microsoft Graph PowerShell. Microsoft Graph PowerShell requires an appropriate Microsoft Entra ID license (such as Premium P1 or P2) to access directory-level APIs and authentication methods. Without this license, the service cannot validate the user's identity for Graph API calls, resulting in the sign-in failure.

Exam trap

Microsoft often tests the misconception that MFA registration or device compliance is the root cause of Graph PowerShell sign-in failures, when in fact the underlying license requirement for Microsoft Entra ID is the specific gate that Microsoft enforces for directory API access.

How to eliminate wrong answers

Option A is wrong because the error message does not mention multi-factor authentication (MFA) registration; MFA registration errors typically prompt for additional verification or show a specific MFA-related error code. Option C is wrong because device registration in Microsoft Entra ID is not a prerequisite for signing in to Microsoft Graph PowerShell; the user can authenticate from any device as long as they have the correct credentials and license. Option D is wrong because Conditional Access policy blocks usually display a distinct error message referencing the policy name or a 'blocked by Conditional Access' notice, not a generic license-related error.

25 · Matching · medium

Match each MDM (Mobile Device Management) enrollment method to its typical scenario.



User-owned devices enrolled with user affinity

Company-owned devices assigned to a specific user

Shared or kiosk devices not tied to a user

Zero-touch deployment for new Windows devices

Enroll multiple devices using a shared account

Why these pairings

These enrollment scenarios are key for Intune management in MD-102.

26 · MCQ · easy

A company is planning to implement Microsoft Intune for mobile device management. They want to ensure that only compliant devices can access Exchange Online. Which technology should they use?

A.Mobile Application Management (MAM) policies
B.Intune compliance policies without Conditional Access
C.Azure AD join with automatic enrollment
D.Conditional Access policies with device compliance
Answer: D

Conditional Access can block non-compliant devices.

Why this answer

Option D, Conditional Access policies with device compliance, is the correct technology because it integrates Intune compliance policies with Azure AD Conditional Access to enforce access controls on Exchange Online. When a device is marked non-compliant by Intune, Conditional Access blocks or restricts access to Exchange Online, ensuring only compliant devices can connect. This is the standard Microsoft approach for combining device management with identity-driven access control.

Exam trap

The trap here is that candidates often confuse Intune compliance policies alone with Conditional Access, thinking that marking a device non-compliant automatically blocks access, when in fact a Conditional Access policy is required to enforce the block.

How to eliminate wrong answers

Option A is wrong because Mobile Application Management (MAM) policies control app-level data protection and do not evaluate device compliance; they apply to apps regardless of device enrollment status. Option B is wrong because Intune compliance policies alone cannot block access to Exchange Online; they require a Conditional Access policy to enforce the compliance state. Option C is wrong because Azure AD join with automatic enrollment handles device registration and enrollment into Intune but does not enforce access restrictions based on compliance; it is a prerequisite, not the enforcement mechanism.

27 · MCQ · hard

You manage a Microsoft 365 tenant with 10,000 users. You are planning a Conditional Access policy to require MFA for all users. However, you need to ensure that users who have not yet registered for MFA are not blocked. What should you do to handle unregistered users?

A.Configure the Conditional Access policy in 'Report-only' mode to identify unregistered users.
B.Enable the Azure AD Identity Protection MFA registration policy to require users to register for MFA within 14 days.
C.Exclude all users who have not registered for MFA from the Conditional Access policy.
D.Create a separate Conditional Access policy that requires MFA only for users who have not registered for MFA.
Answer: B

This policy ensures users register before they are required to use MFA, preventing lockout.

Why this answer

Option B is correct because the Azure AD Identity Protection MFA registration policy automatically enforces MFA registration for all users within a specified grace period (default 14 days), ensuring that users who have not yet registered are prompted to register before being blocked by a Conditional Access policy. This policy works in conjunction with Conditional Access by pre-registering users, so when the CA policy requiring MFA is enabled, all users already have MFA credentials available, preventing lockout.

Exam trap

The trap here is that candidates often confuse 'Report-only mode' (which only logs, not registers) with a solution for handling unregistered users, or they incorrectly assume that excluding unregistered users or creating a separate policy for them would solve the problem without causing lockout.

How to eliminate wrong answers

Option A is wrong because Report-only mode only logs what would happen if the policy were enforced, but does not actually register users for MFA; unregistered users would still be blocked when the policy is turned on. Option C is wrong because excluding unregistered users from the CA policy would leave them without MFA protection, defeating the purpose of the policy and creating a security gap. Option D is wrong because a separate CA policy requiring MFA for unregistered users would still block them since they have no MFA method registered to satisfy the requirement, causing a lockout.

28 · MCQ · medium

A company uses Microsoft Entra ID P1 licenses. They want to enforce multi-factor authentication (MFA) for all users accessing the company's SaaS applications. However, they need to exclude a group of service accounts that use legacy authentication protocols. What is the recommended approach?

A.Enable Security defaults and add the service accounts group to the excluded users list.
B.Assign the 'Require MFA' baseline policy and exclude the service accounts group.
C.Create a Conditional Access policy targeting all cloud apps, requiring MFA, and excluding the service accounts group.
D.Enable per-user MFA and exclude the service accounts group.
Answer: C

Conditional Access allows scoping to all cloud apps and excluding specific groups.

Why this answer

Option C is correct because Conditional Access is the recommended method for granular MFA enforcement in Microsoft Entra ID P1. It allows you to target all cloud apps (including SaaS applications) with a 'Require MFA' grant control and exclude a specific group of service accounts. This approach supports legacy authentication protocols by excluding those accounts, while Security defaults or per-user MFA would either block legacy auth or lack the necessary exclusion granularity.

Exam trap

The trap here is that candidates often mistake Security defaults or per-user MFA for viable alternatives, not realizing that only Conditional Access provides the group-based exclusion and granular control required for service accounts using legacy authentication protocols.

How to eliminate wrong answers

Option A is wrong because Security defaults enforce MFA for all users and block legacy authentication protocols entirely; they do not allow excluding a group of service accounts from the MFA requirement, and Security defaults have no 'excluded users' list. Option B is wrong because the 'Require MFA' baseline policy is deprecated and no longer available in Microsoft Entra ID; it also lacks the flexibility to exclude specific groups. Option D is wrong because per-user MFA is a legacy configuration that does not support group-based exclusions and forces MFA on a per-user basis, which is less manageable and does not integrate with Conditional Access policies for SaaS app targeting.

29 · Multi-Select · hard

An organization is planning to implement a zero-trust security model. They need to evaluate the following capabilities in Microsoft 365. Which THREE are essential for a zero-trust architecture? (Choose three.)

Select 3 answers
A.Azure AD Application Proxy
B.Multi-factor authentication (MFA)
C.Azure AD Connect sync
D.Device compliance policies
E.Conditional Access policies
Answers: B, D, E

Verifies identity.

Why this answer

Multi-factor authentication (MFA) is essential for a zero-trust architecture because it enforces strong identity verification beyond just a password, ensuring that each authentication request is validated with an additional factor (e.g., a phone call, text message, or authenticator app). This aligns with the zero-trust principle of 'never trust, always verify' by requiring explicit proof of identity at every access attempt, even if the user is inside the corporate network.

Exam trap

The trap here is that candidates often confuse infrastructure components (like Azure AD Connect sync or Application Proxy) with security controls, mistakenly thinking they are required for zero trust when they are merely supporting services for hybrid identity or remote access.
