MD-102 · topic practice

Manage identity and compliance practice questions

Practise Microsoft 365 Endpoint Administrator MD-102 Manage identity and compliance practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Manage identity and compliance

What the exam tests

What to know about Manage identity and compliance

Manage identity and compliance questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Manage identity and compliance exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Manage identity and compliance questions

20 questions · select your answer, then reveal the explanation

A company with 500 users uses Microsoft 365 E3 licenses. They want to ensure that all users have multi-factor authentication (MFA) enforced. Currently, 80% of users have MFA enabled through the legacy per-user MFA setting. The security team wants to use Conditional Access policies instead. You need to migrate from per-user MFA to Conditional Access with no disruption to users. What should you do?

You are an endpoint administrator for a company that uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access Exchange Online. You have configured a Conditional Access policy that grants access to Exchange Online only if the device is marked as compliant. A user reports that they cannot access email from their iOS device, which is enrolled in Intune and shows as compliant. The user can access other Microsoft 365 services. What is the most likely cause?

A company is implementing Windows Hello for Business and wants to use certificate-based authentication. They have an on-premises Active Directory and are using Azure AD Connect for hybrid identity. Which prerequisites must be met to support certificate-based Windows Hello for Business?

You manage a Microsoft 365 tenant with 10,000 users. You are planning a Conditional Access policy to require MFA for all users. However, you need to ensure that users who have not yet registered for MFA are not blocked. What should you do to handle unregistered users?

A company uses Microsoft Intune to manage Windows 10 devices. They need to ensure that only devices that have a BitLocker encryption status of 'fully encrypted' are allowed to access corporate resources. They create a device compliance policy that requires BitLocker. However, some devices are still accessing resources even though they are not fully encrypted. What should you check?

Which TWO of the following are required to implement Azure AD Join for Windows 10 devices in a hybrid environment with on-premises Active Directory?

Which THREE of the following are valid methods for deploying Microsoft Intune compliance policies to devices?

Refer to the exhibit. The JSON snippet shows the Azure AD Identity Protection MFA registration policy configuration for the Contoso tenant. A new user, Jane, joins the company and is assigned a license. Jane attempts to access the Azure portal and is prompted to register for MFA. She registers successfully. However, the next day, she is again prompted to register for MFA. What is the most likely cause?

Exhibit

```json
{
  "identityProtection": {
    "mfaRegistrationPolicy": {
      "state": "enabled",
      "excludeUsers": ["admin@contoso.com"],
      "includeUsers": ["allUsers"],
      "policySettings": {
        "blockOnUnregister": false,
        "remindRegistrationInDays": 14
      }
    }
  }
}
```

Refer to the exhibit. A Windows 10 device is showing as non-compliant. The compliance policy 'Require BitLocker' is assigned to all devices. The device does not have BitLocker enabled. However, the user is able to access corporate email on the device. What is the most likely reason for this?

Exhibit

```
Device ID: 12345
Compliance Status: Non-compliant
Last Check-in: 2024-03-15 14:32:00

Policy assignments:
- Compliance Policy: 'Require BitLocker' (assigned to all devices)
- Configuration Profile: 'Device Restrictions' (assigned to group 'Sales')

Device details:
- OS: Windows 10 Pro 22H2
- BitLocker: Not enabled
- User: user@contoso.com
- Group membership: 'Sales' group
```

A company uses Microsoft Entra ID P1 licenses. They want to enforce multi-factor authentication (MFA) for all users accessing the company's SaaS applications. However, they need to exclude a group of service accounts that use legacy authentication protocols. What is the recommended approach?

An organization has deployed Microsoft Entra Connect Sync to synchronize on-premises Active Directory to Microsoft Entra ID. Users report that some cloud-only user accounts cannot be assigned licenses. The admin checks the provisioning logs and finds that the cloud accounts have a source of authority of 'Microsoft Entra ID'. What is the most likely cause?

A company is planning to implement Microsoft Intune for mobile device management. They want to ensure that only compliant devices can access Exchange Online. Which technology should they use?

An administrator is configuring Microsoft Entra ID Protection. They want to create a policy that automatically blocks sign-ins when the risk level is high. However, they notice that the policy is not triggering for some users who have high risk. What is the most likely reason?

A company uses Microsoft 365 E3 licenses. They need to enforce that all users must use the Microsoft Authenticator app for MFA instead of SMS or phone call. What should the administrator configure?

A company uses Microsoft Intune to manage Windows 10 devices. They want to ensure that devices have BitLocker enabled and are compliant before accessing corporate resources. Which TWO actions should the administrator take? (Choose two.)

An organization is planning to implement a zero-trust security model. They need to evaluate the following capabilities in Microsoft 365. Which THREE are essential for a zero-trust architecture? (Choose three.)

Refer to the exhibit. A user attempts to sign in to Microsoft Graph PowerShell and receives the error shown. What is the most likely cause?

Exhibit

Exhibit: The following is a snippet from a Microsoft Entra ID audit log for a user sign-in event:

```json
{
  "id": "12345678-1234-1234-1234-123456789012",
  "createdDateTime": "2025-03-01T14:30:00Z",
  "userPrincipalName": "user@contoso.com",
  "appDisplayName": "Microsoft Graph PowerShell",
  "status": {
    "errorCode": 50058,
    "failureReason": "The user does not have an eligible license for this application."
  },
  "conditionalAccessStatus": "notApplied",
  "riskLevel": "none",
  "deviceDetail": {
    "deviceId": "00000000-0000-0000-0000-000000000000",
    "operatingSystem": "Windows 10",
    "browser": "Other"
  }
}
```

A company uses Microsoft 365 with hybrid identity. Users report that after changing their on-premises passwords, they cannot access SharePoint Online for up to 30 minutes, but Outlook on the web works immediately. You need to reduce the delay for SharePoint Online access. What should you do?

A multinational organization uses Microsoft 365 E5 licenses. The compliance officer wants to ensure that all documents containing credit card numbers are automatically classified and protected with a label that applies encryption. You configure auto-labeling policies in Microsoft Purview. After 24 hours, the compliance officer reports that no documents have been labeled. The policy scope is set to 'All locations' and the policy is enabled. What is the most likely cause of the issue?

You are configuring Microsoft Entra Conditional Access for a company that requires all employees to use multi-factor authentication (MFA) when accessing the Azure portal. The company also wants to block access from devices that are not compliant. You create a Conditional Access policy. Which two assignments must you configure to meet these requirements? (Choose two.)

Frequently asked questions

What does the MD-102 exam test about Manage identity and compliance?
Manage identity and compliance questions test whether you can apply the concept in context, not just recognise a definition.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Manage identity and compliance questions in a focused session?
Yes — the session launcher on this page draws every question from the Manage identity and compliance domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other MD-102 topics?
Use the topic links above to move to related areas, or go back to the MD-102 question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the MD-102 exam covers. They are not copied from any real exam or dump site.