Sample questions
Microsoft 365 Administrator MS-102 practice questions
A company has a hybrid identity with password hash synchronization. They want to ensure that any user whose account is disabled in on-premises Active Directory is automatically prevented from signing in to Microsoft 365. How can this be achieved?
- A
Ensure Microsoft Entra Connect is configured to synchronize the disabled status; this happens automatically.
Correct. The default Microsoft Entra Connect sync rules write the on-premises userAccountControl state to the cloud accountEnabled attribute, so disabling the AD DS account propagates on the next sync cycle (every 30 minutes by default) and new sign-ins are refused. Two caveats a practitioner should know: the block is not instantaneous (force a delta sync when it matters), and tokens already issued to the user stay valid until they expire, so revoking the user's sign-in sessions belongs in the offboarding procedure as well.
- B
Create a dynamic group based on accountEnabled attribute and apply a Conditional Access policy to block access.
Why wrong: Incorrect. While possible, this is unnecessary and adds complexity; the sync already blocks sign-ins for disabled accounts.
- C
Run a PowerShell script daily to disable matching accounts in Microsoft Entra ID.
Why wrong: Incorrect. Manual scripting is error-prone and not required because synchronization handles it automatically.
- D
Enable cloud HR provisioning.
Why wrong: Incorrect. Cloud HR provisioning is used for HR-driven scenarios, not for synchronizing disabled status from on-premises AD.
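The propagation delay and the token caveat, as an added example that is not code from the original page: it compares the on-premises and cloud state of one user, forces a delta sync on the Microsoft Entra Connect server if the cloud still lags, and revokes the user's sessions. It assumes the ActiveDirectory module on a domain-joined admin host, WinRM access to a hypothetical Entra Connect server named AADCONNECT01 that carries the ADSync module, the Microsoft.Graph module with User.ReadWrite.All, and a hypothetical user alice@contoso.com.

```powershell
# Added example (not from the MS-102 page): confirm that a disabled on-premises
# account has reached Microsoft Entra ID and cut off any sessions that are still alive.
# Assumptions: ActiveDirectory module locally, ADSync module on AADCONNECT01
# (hypothetical server name), Microsoft.Graph with User.ReadWrite.All,
# hypothetical user alice@contoso.com.
Import-Module ActiveDirectory
Connect-MgGraph -Scopes 'User.Read.All', 'User.ReadWrite.All'

$upn = 'alice@contoso.com'   # hypothetical user

# 1. On-premises state: Enabled turns false as soon as the account is disabled in AD DS.
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Properties Enabled, whenChanged
"AD DS    Enabled={0} (changed {1})" -f $adUser.Enabled, $adUser.whenChanged

# 2. Cloud state: accountEnabled is written by Entra Connect from userAccountControl.
$cloudUser = Get-MgUser -UserId $upn -Property id, accountEnabled, onPremisesSyncEnabled, onPremisesLastSyncDateTime
"Entra ID AccountEnabled={0} (last sync {1})" -f $cloudUser.AccountEnabled, $cloudUser.OnPremisesLastSyncDateTime

# 3. Nothing propagates until the next sync cycle (default: every 30 minutes).
#    Force a delta sync on the Entra Connect server instead of waiting.
if ($adUser.Enabled -eq $false -and $cloudUser.AccountEnabled -eq $true) {
    Invoke-Command -ComputerName 'AADCONNECT01' -ScriptBlock {
        Import-Module ADSync
        Start-ADSyncSyncCycle -PolicyType Delta
    }
}

# 4. A disabled account still holds refresh tokens and a PRT until they expire.
#    Revoking sign-in sessions makes the block bite immediately.
Revoke-MgUserSignInSession -UserId $cloudUser.Id
```

Step 4 invalidates refresh tokens only; access tokens already issued keep working for their remaining lifetime, which is why Continuous Access Evaluation-capable apps are the only ones that react within minutes.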
A company is deploying Microsoft 365 and wants to ensure that users in the finance department have access to only the apps they need. You need to recommend a licensing strategy that minimizes administrative overhead while enforcing access restrictions. What should you do?
- A
Create a security group with explicit membership and assign licenses to the group.
Why wrong: Explicit membership groups require manual updates when users join or leave finance.
- B
Create a dynamic Microsoft Entra ID (Azure AD) group based on the department attribute and assign licenses using group-based licensing.
This automates license assignment and removal when users change departments. Dynamic groups need a Microsoft Entra ID P1 license, and group-based licensing can leave unneeded service plans disabled for the group, which is how "only the apps they need" is enforced without per-user work.
- C
Assign licenses to users one by one in the Microsoft 365 admin center.
Why wrong: This is manual and does not scale for a department of many users.
- D
Use PowerShell to assign licenses based on user department attribute.
Why wrong: PowerShell scripts require ongoing maintenance and are not the simplest approach.
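The dynamic group plus group-based licensing from this question, as an added example that is not code from the original page. It assumes the Microsoft.Graph module with Group.ReadWrite.All and Organization.Read.All, a Microsoft 365 E3 subscription (SkuPartNumber SPE_E3), Finance users carrying department = "Finance", and the service plan names SWAY and YAMMER_ENTERPRISE as the ones to switch off (illustrative choices; list your own with Get-MgSubscribedSku).

```powershell
# Added example (not from the MS-102 page): dynamic Finance group with group-based
# licensing and unneeded service plans disabled.
# Assumptions: Microsoft.Graph with Group.ReadWrite.All + Organization.Read.All,
# an SPE_E3 subscription, department attribute populated for Finance users.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Organization.Read.All'

# 1. Dynamic membership: Entra ID adds or removes users as their department attribute
#    changes. The accountEnabled clause drops licenses from disabled accounts too.
$group = New-MgGroup -DisplayName 'LIC-Finance-M365E3' `
    -MailEnabled:$false -MailNickname 'lic-finance-m365e3' -SecurityEnabled `
    -GroupTypes @('DynamicMembership') `
    -MembershipRule '(user.department -eq "Finance") -and (user.accountEnabled -eq true)' `
    -MembershipRuleProcessingState 'On'

# 2. Resolve the SKU and the service plans the department should not get
#    (plan names are illustrative).
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq 'SPE_E3'
$disabledPlans = $sku.ServicePlans |
    Where-Object ServicePlanName -in @('SWAY', 'YAMMER_ENTERPRISE') |
    Select-Object -ExpandProperty ServicePlanId

# 3. Attach the license to the group; every current and future member inherits it.
Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = $disabledPlans }) `
    -RemoveLicenses @()

# 4. Check: members that could not be licensed (no usage location, no free seats,
#    conflicting plans) are reported here instead of failing silently.
Get-MgGroupMemberWithLicenseError -GroupId $group.Id |
    Select-Object Id, @{ n = 'UPN'; e = { $_.AdditionalProperties['userPrincipalName'] } }
```

Membership rule evaluation and license processing are both asynchronous; allow some minutes before treating an empty step-4 result as success.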
An administrator wants to add a custom domain 'fabrikam.com' to a new Microsoft 365 tenant. What is the first step the administrator should perform?
- A
Add the domain in the Microsoft 365 admin center.
Adding the domain in the admin center (or through the Graph API) is what produces the ownership-verification record to publish; until the domain is verified, no DNS service records, user addresses or licenses can reference it.
- B
Create an SPF record for the domain.
Why wrong: SPF records are configured after the domain is verified and you start sending email, not as a first step.
- C
Create a MX record pointing to Exchange Online.
Why wrong: MX records are created after the domain is verified and you want to route email to Exchange Online.
- D
Assign Microsoft 365 licenses to users with @fabrikam.com addresses.
Why wrong: Licenses are assigned after the domain is verified and users are created with that domain.
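The same order of operations driven through Microsoft Graph PowerShell, as an added example that is not code from the original page. It assumes the Microsoft.Graph module with Domain.ReadWrite.All and that fabrikam.com is registered with a DNS host you control; publishing the records at that host happens outside the script.

```powershell
# Added example (not from the MS-102 page): add a custom domain, fetch the
# ownership-proof record, verify, then fetch the service records.
# Assumptions: Microsoft.Graph with Domain.ReadWrite.All; DNS host managed separately.
Connect-MgGraph -Scopes 'Domain.ReadWrite.All'
$domainName = 'fabrikam.com'

# Graph returns record-type-specific fields in AdditionalProperties.
function Get-DnsRecordValue($record) {
    foreach ($key in 'text', 'mailExchange', 'canonicalName', 'nameTarget') {
        if ($record.AdditionalProperties.ContainsKey($key)) { return $record.AdditionalProperties[$key] }
    }
}

# 1. Add the domain. It is unverified at this point; nothing else can reference it yet.
$domain = New-MgDomain -BodyParameter @{ id = $domainName }
"Added {0}, IsVerified={1}" -f $domain.Id, $domain.IsVerified

# 2. Ownership proof: the TXT (MS=ms...) or MX record Microsoft wants to see in public DNS.
Get-MgDomainVerificationDnsRecord -DomainId $domainName |
    Select-Object RecordType, Label, Ttl, @{ n = 'Value'; e = { Get-DnsRecordValue $_ } }

# 3. After the record is published and has propagated, ask Entra ID to check it.
try {
    Confirm-MgDomain -DomainId $domainName
    "{0} verified" -f $domainName
} catch {
    "Verification not yet possible (record missing or not propagated): {0}" -f $_.Exception.Message
}

# 4. Only a verified domain yields the service records (MX, SPF TXT, Autodiscover CNAME,
#    Teams/Skype SRV) to publish for Exchange Online and the other workloads.
Get-MgDomainServiceConfigurationRecord -DomainId $domainName |
    Select-Object RecordType, Label, SupportedService, @{ n = 'Value'; e = { Get-DnsRecordValue $_ } }
```

Step 3 typically fails for the first few minutes after the record is created; retry rather than re-adding the domain.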
A company wants to implement just-in-time (JIT) privileged access for the Global Administrator role in Microsoft Entra ID. Users must request activation and provide a business justification. The request must be approved by a separate group of approvers, and the role activation should expire after 4 hours. Which Microsoft Entra feature should the administrator configure?
- A
Privileged Identity Management (PIM)
Correct. PIM enables just-in-time activation with approval and time-bound assignments.
- B
Identity Protection
Why wrong: Incorrect. Identity Protection handles risk detection and remediation, not privileged role management.
- C
Conditional Access
Why wrong: Incorrect. Conditional Access controls sign-in conditions but does not provide JIT role activation with approval.
- D
Access Reviews
Why wrong: Incorrect. Access Reviews are for periodic certification of existing access, not for on-demand activation.
A company recently added the custom domain 'contoso.com' to their Microsoft 365 tenant. Users report that they cannot receive external email sent to their new domain addresses. The administrator confirmed that the domain status shows 'Active' in the Microsoft 365 admin center. What is the most likely cause of this issue?
- A
The domain was not verified with a TXT record.
Why wrong: 'Active' means ownership verification already completed (via the TXT record Microsoft issues, or the MX-based alternative). Verification only proves ownership; it does not route mail.
- B
The MX record for the domain is missing or points to an incorrect mail server.
The MX record directs email to the correct mail server. For Exchange Online it must point at the host shown on the domain's DNS records page (of the form contoso-com.mail.protection.outlook.com); if it is missing, or still points at the previous provider, external senders never reach the tenant even though the mailboxes and addresses exist.
- C
The SPF record for the domain is missing or incorrectly configured.
Why wrong: SPF lets receiving systems validate mail sent from the domain; a missing or wrong SPF record harms deliverability of outbound mail and has no effect on inbound delivery.
- D
The custom domain was not added to the user's primary email address.
Why wrong: A mailbox does need an address on the new domain to receive mail at it, but the scenario says mail is being sent to those addresses, so they exist; the primary SMTP address mainly decides what the user sends as. With addresses in place and still nothing arriving from outside, the root cause is inbound DNS (MX).
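The DNS check a practitioner runs before opening a ticket, as an added example that is not code from the original page. It uses Resolve-DnsName (DnsClient module, Windows) against a public resolver so that cached internal answers do not mask a missing record; the domain name is hypothetical and the expected MX host pattern is the one Exchange Online publishes.

```powershell
# Added example (not from the MS-102 page): verify inbound-mail DNS for a custom domain.
# Assumptions: Windows host with the DnsClient module; 1.1.1.1 as an external resolver.
function Test-M365MailDns {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$Resolver = '1.1.1.1'
    )
    $result = [ordered]@{ Domain = $Domain }

    # 1. MX: the lowest-preference record must target *.mail.protection.outlook.com,
    #    otherwise inbound mail is routed somewhere else (or nowhere).
    $mx = Resolve-DnsName -Name $Domain -Type MX -Server $Resolver -ErrorAction SilentlyContinue |
          Where-Object QueryType -eq 'MX' | Sort-Object Preference
    $result.Mx = ($mx | ForEach-Object { "$($_.Preference) $($_.NameExchange)" }) -join '; '
    $result.MxPointsToExchangeOnline = [bool]($mx |
        Select-Object -First 1 |
        Where-Object NameExchange -like '*.mail.protection.outlook.com')

    # 2. TXT: ownership proof (MS=ms...) and SPF. SPF is an outbound concern, but a
    #    missing SPF is a separate fault worth reporting while you are here.
    $txt = Resolve-DnsName -Name $Domain -Type TXT -Server $Resolver -ErrorAction SilentlyContinue |
           Where-Object QueryType -eq 'TXT' | ForEach-Object { $_.Strings -join '' }
    $result.VerificationTxtPresent = [bool]($txt | Where-Object { $_ -match '^MS=ms\d+' })
    $result.Spf = ($txt | Where-Object { $_ -like 'v=spf1*' }) -join '; '
    $result.SpfIncludesExchangeOnline = $result.Spf -match 'include:spf\.protection\.outlook\.com'

    [pscustomobject]$result
}

Test-M365MailDns -Domain 'contoso.com' | Format-List
```

A result with MxPointsToExchangeOnline = False while the admin center shows the domain as Active is exactly the scenario in the question: ownership proven, mail routing never published.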
A company uses Azure AD Connect with password hash synchronization. They want to enable Azure AD Seamless Single Sign-On (SSO) for users accessing Microsoft 365 from domain-joined devices on the corporate network. Which configuration is required on the on-premises Active Directory?
- A
Ensure a computer account named AZUREADSSOACC exists in each AD forest (Azure AD Connect creates it when Seamless SSO is enabled)
Enabling Seamless SSO in Azure AD Connect creates this account in each forest using the Domain Admin credentials supplied in the wizard; the administrator does not create it by hand. Its password is the Kerberos decryption key that Microsoft Entra ID uses to validate the tickets domain-joined clients present, which is why Microsoft advises rolling that key at least every 30 days. Clients also need the autologon URL (https://autologon.microsoftazuread-sso.com) in the Intranet zone, usually via GPO, or the browser never sends the ticket.
- B
Install Azure AD Connect on a separate server
Why wrong: Azure AD Connect is already installed; no separate server is required for Seamless SSO.
- C
Enable Passthrough Authentication
Why wrong: Passthrough Authentication is a different authentication method, not required for Seamless SSO.
- D
Set the service connection point in Active Directory
Why wrong: The service connection point in AD DS is used by hybrid Microsoft Entra join for device registration discovery, not by Seamless SSO.
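The checks that follow from this answer, as an added example that is not code from the original page: whether the AZUREADSSOACC account exists, how old its Kerberos decryption key is, a key rollover using the AzureADSSO module that ships with Azure AD Connect, and whether a client has the autologon URL in the Intranet zone. Steps 1 and 2 assume the Azure AD Connect server with the default install path and the ActiveDirectory module; step 3 runs on a domain-joined client.

```powershell
# Added example (not from the MS-102 page): audit and roll the Seamless SSO key.
# Assumptions: steps 1-2 on the Azure AD Connect server (default install path,
# ActiveDirectory module, Domain Admin + Global Administrator at hand);
# step 3 on a domain-joined client that received the zone GPO.
Import-Module ActiveDirectory

# 1. AZUREADSSOACC is created by the Connect wizard, one per forest. Its password is the
#    Kerberos decryption key shared with Entra ID; the SPN is what clients request a ticket for.
$sso = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet, ServicePrincipalNames
$keyAgeDays = (New-TimeSpan -Start $sso.PasswordLastSet -End (Get-Date)).Days
"AZUREADSSOACC present; Kerberos decryption key last rolled {0} days ago" -f $keyAgeDays
$sso.ServicePrincipalNames | Where-Object { $_ -like 'HTTP/*' }
# expected SPN: HTTP/autologon.microsoftazuread-sso.com

# 2. Roll the key when it is older than the 30 days Microsoft recommends.
#    New-AzureADSSOAuthenticationContext prompts for a Global Administrator;
#    Update-AzureADSSOForest needs Domain Admin credentials for this forest.
if ($keyAgeDays -gt 30) {
    Import-Module "$env:ProgramFiles\Microsoft Azure Active Directory Connect\AzureADSSO.psd1"
    New-AzureADSSOAuthenticationContext
    $domainCred = Get-Credential -Message 'Domain Admin for this forest'
    Update-AzureADSSOForest -OnPremCredentials $domainCred
}

# 3. On a client: the GPO "Site to Zone Assignment List" writes the URL here with
#    data 1 (= Local intranet). No value means the ticket is never sent.
$zoneKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
$zone = (Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue).'https://autologon.microsoftazuread-sso.com'
if ($zone -eq 1) { 'autologon URL is in the Intranet zone' } else { 'autologon URL NOT in the Intranet zone' }
```

Treat the key rollover like a service-account password rotation: any attacker holding the old key material can forge tickets for Entra ID until it is rotated.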
A company uses Microsoft Entra ID P1 licenses. They want to enforce multi-factor authentication (MFA) for all users accessing a critical cloud application. However, they have a group of service accounts that cannot perform MFA and must be excluded. What is the recommended approach?
- A
Create a Conditional Access policy that targets the application, requires MFA, and excludes the service account group
This provides granular control and allows exclusion of service accounts. Keep the exclusion narrow: an MFA-exempt user account is a prime target, so pair the exclusion with a second policy that confines those accounts to known locations, and move automation to workload identities (service principals, which have their own Conditional Access policies) where possible.
- B
Enable per-user MFA for all users, then disable it for each service account
Why wrong: Per-user MFA is deprecated and less manageable; it also does not support app-specific policies.
- C
Enable Security Defaults
Why wrong: Security Defaults enforces MFA for all users uniformly and does not allow exclusion of specific groups.
- D
Use Identity Protection risk policies
Why wrong: Risk policies address risky sign-ins, not access control for a specific app.
A company uses Azure AD Identity Protection. The security team wants to automatically block sign-ins that are detected as coming from a known malicious IP address. Which policy should be configured?
- A
User risk policy
Why wrong: User risk policy focuses on compromised accounts, not on IP-based threats.
- B
Sign-in risk policy
Sign-in risk policy evaluates the risk of each sign-in and blocks those that reach the chosen risk level. Caveat: the 'Malicious IP address' detection is calculated offline, so it raises the sign-in's risk after the fact rather than stopping that first sign-in in real time (real-time detections such as anonymous IP address do). For deterministic blocking of specific IP ranges, a Conditional Access policy with a named location is the precise tool, and Microsoft steers new deployments to risk-based Conditional Access (sign-in risk condition) rather than the legacy Identity Protection policy pages.
- C
MFA registration policy
Why wrong: MFA registration policy requires users to register MFA but does not block sign-ins based on IP reputation.
- D
Identity Protection vulnerabilities policy
Why wrong: There is no such policy; vulnerabilities are handled differently.
A company uses Microsoft Entra ID P1 licenses. They want to allow access to a sensitive cloud application only from the company's trusted office IP ranges (10.0.0.0/24). However, the executive team (group "Execs") must be able to access the app from any location. Which Conditional Access policy configuration should the administrator use?
- A
A: Include all users, exclude Execs group, and grant access with condition 'Location not in trusted locations'.
Why wrong: Granting access would allow all users from untrusted locations, which is the opposite of the requirement.
- B
B: Include all users, exclude Execs group, and block access with condition 'Location not in trusted locations'.
This blocks non-Execs from accessing the app when they are not from trusted locations, while Execs are excluded and thus allowed from anywhere. Two practical points: the named location must hold the office's public egress ranges, because Conditional Access evaluates the public IP the sign-in arrives from (a private range such as 10.0.0.0/24 will never match), and the policy should start in report-only mode, since a mistaken trusted range locks out the whole company.
- C
C: Include Execs group, exclude all others, and grant access with condition 'Location in trusted locations'.
Why wrong: This would only apply the policy to Execs, requiring them to be in trusted locations, which contradicts the requirement.
- D
D: Include all users, include Execs group as an additional condition, and grant access with condition 'Location in trusted locations'.
Why wrong: Including Execs as an additional condition does not exclude them; granting access with trusted location requirement would block them from untrusted locations.
A company plans to enable Self-Service Password Reset (SSPR) for all users. The administrator must ensure that users are required to register at least two authentication methods: one from the 'mobile app' category and one from the 'phone call' category. Which combination of methods should the administrator select in the SSPR registration settings?
- A
Mobile app notification and office phone
Mobile app notification is from the mobile app category, and office phone is from the phone call category, satisfying both requirements.
- B
Mobile app notification and mobile app code
Why wrong: Both are from the mobile app category; no phone call method is included.
- C
Office phone and mobile phone
Why wrong: Both are phone methods. Office phone is a voice call, and mobile phone can be SMS or a call, but neither is a mobile app method, so the 'mobile app' half of the requirement is unmet.
- D
Mobile phone and email
Why wrong: Mobile phone can be used for SMS or phone call, but email is not from the phone call or mobile app category.
A company uses Azure AD Privileged Identity Management (PIM) to manage role activations. They have an Azure AD Premium P2 license. The security team wants to require that any activation of the Exchange Administrator role must be approved by a specific group named 'Exchange Approvers'. Additionally, activations must require a ticket number and expire after 6 hours. Which PIM configuration should the administrator modify?
- A
Configure the 'Role settings' for the Exchange Administrator role to require approval and set the approvers group
Correct. The role settings for the Exchange Administrator role in PIM hold every control the requirement needs: the maximum activation duration (set to 6 hours), 'Require approval to activate' with the 'Exchange Approvers' group as approvers, and the separate 'Require ticket information on activation' toggle next to the justification requirement.
- B
Add the Exchange Administrator role to the 'Exchange Approvers' group's eligible assignments
Why wrong: Incorrect. Eligible assignments determine who can activate the role, not who approves activations.
- C
Create a PIM alert for activations without a ticket number and set a 6-hour alert threshold
Why wrong: Incorrect. Alerts notify about suspicious activities but do not enforce requirements like approval or ticket numbers.
- D
Define an access review for the Exchange Administrator role with a 6-hour review duration
Why wrong: Incorrect. Access reviews are for periodic reviews of active assignments, not for controlling activation requirements.
A company has just purchased Microsoft 365 E3 licenses. They want to configure the default mailbox storage limit for all new users. Which setting should they modify?
- A
Exchange admin center -> recipients -> mailboxes -> default mailbox quota
Why wrong: This setting is per-mailbox, not a global default for new users.
- B
Microsoft 365 admin center -> Users -> Active users -> default storage limit
Why wrong: The Microsoft 365 admin center does not have a global default storage limit setting for mailboxes.
- C
Exchange Online PowerShell: Set-MailboxPlan with the quota parameters (IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota)
Mailbox plans supply the default settings, quotas included, for new mailboxes that receive the corresponding license; Set-OrganizationConfig has no mailbox-size parameter. A changed plan affects only mailboxes created afterwards (existing ones need Set-Mailbox), and no quota can exceed what the assigned license allows.
- D
Microsoft 365 admin center -> Org settings -> Mailbox storage
Why wrong: There is no 'Mailbox storage' option under Org settings in the Microsoft 365 admin center.
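The mailbox-plan change and the follow-up for existing mailboxes, as an added example that is not code from the original page. It assumes the ExchangeOnlineManagement module with an Exchange Administrator, that E3 mailboxes use the plan whose name starts with ExchangeOnlineEnterprise, and illustrative quota values of 45/49/50 GB; alice@contoso.com is a hypothetical mailbox used for the final check.

```powershell
# Added example (not from the MS-102 page): set default quotas for new Exchange Online
# mailboxes, then bring existing mailboxes in line.
# Assumptions: ExchangeOnlineManagement module, Exchange Administrator, E3 tenant.
Connect-ExchangeOnline

# 1. One plan per license type; names carry a GUID suffix, so match on the prefix.
Get-MailboxPlan | Format-Table Name, IsDefault, IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota
$plan = Get-MailboxPlan | Where-Object { $_.Name -like 'ExchangeOnlineEnterprise*' }

# 2. New mailboxes created after this point get these values (illustrative numbers).
Set-MailboxPlan -Identity $plan.Identity `
    -IssueWarningQuota 45GB -ProhibitSendQuota 49GB -ProhibitSendReceiveQuota 50GB

# 3. Existing mailboxes keep their old quotas; apply the same limits to them explicitly.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -IssueWarningQuota 45GB -ProhibitSendQuota 49GB -ProhibitSendReceiveQuota 50GB

# 4. Spot-check one mailbox and the plan it was stamped with.
Get-Mailbox -Identity 'alice@contoso.com' | Format-List MailboxPlan, *Quota
```

Step 3 is a bulk write; run it with -WhatIf first on a tenant of any size, and remember that raising a value above the license maximum is silently ignored.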
A company uses Microsoft Entra ID P2 licenses and wants to block all authentication attempts from an internal legacy application that uses POP3 and SMTP protocols. The application cannot be updated and must be blocked from accessing Exchange Online. Which Conditional Access policy setting should the administrator configure?
- A
Under 'Grant', select 'Block access'
Why wrong: 'Block access' is the grant control the working policy ends up using, but on its own it would block every client of Exchange Online, modern ones included. The setting that narrows the policy to POP3/SMTP is the client apps condition.
- B
Under 'Conditions' > 'Client apps', configure to block 'Exchange ActiveSync clients and other clients'
Under 'Client apps', legacy authentication is two checkboxes: 'Exchange ActiveSync clients' and 'Other clients'; POP3, IMAP and SMTP AUTH fall under 'Other clients'. With the grant control set to block, every sign-in over those protocols is denied regardless of password validity. Note that basic authentication for POP3 and IMAP is already switched off in Exchange Online tenants; SMTP AUTH can additionally be disabled tenant-wide with Set-TransportConfig -SmtpClientAuthenticationDisabled $true and re-enabled only for the mailboxes that genuinely need it via Set-CASMailbox.
- C
Under 'Conditions' > 'Device platforms', select 'Android' and 'iOS' and block them
Why wrong: Device platform condition does not address the protocol used. Legacy auth can occur from any platform; this would not block POP3/SMTP from Windows.
- D
Under 'Conditions' > 'Locations', select 'All trusted locations' and block
Why wrong: Locations condition is about network locations, not authentication protocols. It would not block legacy auth from inside the network.
A company is planning to migrate from on-premises Exchange to Exchange Online and needs to ensure that mail flow can coexist between the two environments during the transition. Which tool should the administrator use to configure this hybrid deployment?
- A
Azure AD Connect
Why wrong: Azure AD Connect synchronizes on-premises directories with Microsoft Entra ID but does not handle hybrid mail flow configuration.
- B
Exchange Hybrid Configuration Wizard
This wizard guides through the steps to establish a hybrid relationship between on-premises Exchange and Exchange Online, including mail flow and free/busy sharing.
- C
Microsoft 365 Admin Center
Why wrong: The admin center allows management of users and services but does not include tools for configuring hybrid mail routing.
- D
Exchange Admin Center
Why wrong: While the EAC can manage many Exchange settings, the hybrid configuration is performed via the dedicated Hybrid Configuration Wizard.
A company uses Microsoft Entra ID P2 licenses. The security team wants to require multi-factor authentication (MFA) for all users when accessing any cloud application from networks that are not trusted corporate locations. A group named 'BreakGlass' must be excluded from MFA requirements. Additionally, the company wants to block legacy authentication protocols. Which approach should the administrator use?
- A
Create one Conditional Access policy for MFA (targeting all users, excluding BreakGlass, with location condition) and another policy to block legacy authentication (targeting all users, with client apps condition)
Correct. A policy carries one grant decision, so a single policy cannot both require MFA and block. With only the MFA policy in place, a legacy-authentication client (which cannot satisfy MFA) would still be admitted from a trusted location, so the legacy block needs its own policy with the client apps condition and no location scoping. Exclude the BreakGlass group from both policies, as Microsoft recommends for emergency access accounts, and roll both out in report-only mode first.
- B
Create a single Conditional Access policy that grants access only if MFA is performed and block legacy client apps in the same policy
Why wrong: Incorrect. A policy has one grant decision (block or require MFA), so it cannot require MFA for modern clients and block legacy clients at the same time; scoping a single MFA policy to untrusted locations would still admit legacy authentication from the office. Two policies keep each condition and control unambiguous.
- C
Enable Security defaults in Entra ID
Why wrong: Incorrect. Security defaults do not allow custom exclusions or granular location conditions.
- D
Use baseline Conditional Access policies
Why wrong: Incorrect. Baseline policies are deprecated and do not offer the same flexibility as custom policies.
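Both policies from this question, plus the trusted named location they depend on, created in report-only mode through Microsoft Graph PowerShell, as an added example that is not code from the original page. The same shape answers the earlier questions on this page: the service-account exclusion (scope applications to the one app and put the service-account group in excludeGroups), the Execs case (swap 'mfa' for 'block' and exclude the Execs group), and the legacy-protocol block. It assumes the Microsoft.Graph module with Policy.ReadWrite.ConditionalAccess and Policy.Read.All, a hypothetical BreakGlass group object ID, and 203.0.113.0/24 as the office's public egress range (a documentation range standing in for yours).

```powershell
# Added example (not from the MS-102 page): MFA outside trusted locations + legacy
# auth block, as two report-only Conditional Access policies.
# Assumptions: Microsoft.Graph with Policy.ReadWrite.ConditionalAccess + Policy.Read.All;
# $breakGlassGroupId is a placeholder; 203.0.113.0/24 is an example public range.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # hypothetical object ID

# 1. Trusted named location. Conditional Access sees the public source IP, so this
#    must be the office's egress range, never an internal RFC 1918 range.
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Corporate office egress'
    isTrusted     = $true
    ipRanges      = @(@{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' })
}
"Named location {0} ({1})" -f $office.DisplayName, $office.Id

# 2. Require MFA everywhere except trusted locations; break-glass excluded.
$mfaPolicy = @{
    displayName   = 'CA001 - Require MFA outside trusted locations'
    state         = 'enabledForReportingButNotEnforced'   # report-only; set 'enabled' after review
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        locations      = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# 3. Block legacy authentication from anywhere. Kept separate: a legacy client cannot
#    do MFA, and policy 2 alone would still admit it from a trusted location.
$legacyPolicy = @{
    displayName   = 'CA002 - Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')   # the two legacy-auth client types
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($body in @($mfaPolicy, $legacyPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    "{0}: {1} [{2}]" -f $created.DisplayName, $created.Id, $created.State
}

# 4. Check the tenant's policy set before enabling anything.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State, Id
```

Review the report-only results in the sign-in logs for a week before switching state to 'enabled'; the legacy-auth policy in particular tends to surface forgotten scanners and multifunction printers that still send over SMTP AUTH.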
A company uses Microsoft Entra ID Governance to automate the lifecycle of user access. They want to automatically remove a user's group membership for a critical application 30 days after the user's employment end date is captured from the HR system. Which feature should be configured to meet this requirement?
- A
Access Reviews
Why wrong: Access Reviews require recurring attestation by reviewers; they do not automatically remove access based solely on an HR attribute date.
- B
Entitlement management
Why wrong: Entitlement management manages access packages and can expire assignments, but it typically requires user action or review processes.
- C
Lifecycle Workflows
Lifecycle Workflows (part of Microsoft Entra ID Governance) run off HR-sourced attributes: a 'leaver' workflow whose trigger is the employeeLeaveDateTime attribute with an offset of 30 days after that date, carrying the 'Remove user from selected groups' task, removes the membership with no reviewer involved. Add the 'Remove all licenses' and 'Delete user' tasks to later workflows in the same way to finish offboarding.
- D
Privileged Identity Management
Why wrong: PIM manages just-in-time privileged access, not lifecycle-based removal of group memberships.
A company uses Microsoft Entra ID P2 licenses. A security administrator needs to grant a user temporary elevation to the Global Administrator role for a specific task. The elevation should require approval from a designated group and be time-limited. Which Microsoft Entra feature should be configured?
- A
Conditional Access
Why wrong: Conditional Access controls access based on conditions, not role elevation with approval.
- B
Privileged Identity Management
PIM enables just-in-time privileged access with approval and time limits.
- C
Identity Protection
Why wrong: Identity Protection handles risk detection and remediation, not role elevation.
- D
Access Reviews
Why wrong: Access Reviews are for reviewing group memberships or application access, not on-demand role elevation.
A company invites external partners as B2B guest users in Microsoft Entra ID. The partners' home tenants do not support MFA. The company wants to require MFA when guests access an internal application. What should the company configure?
- A
Configure a Conditional Access policy that targets all guest users, require MFA, and enable MFA registration for guests in the resource tenant.
This is correct: the resource tenant can enforce MFA for guests and provide MFA registration, independent of the home tenant. Target the policy at 'Guest or external users' (the external user types) rather than a static group so that new invitations are covered; guests who have not yet registered are walked through registration on first access. Where a partner's home tenant does support MFA, inbound cross-tenant access settings can trust its MFA claims instead, which this scenario rules out.
- B
Ask the partners to configure MFA in their home tenant, then trust their MFA claims.
Why wrong: The scenario states the home tenants do not support MFA, so this is not feasible.
- C
Use a Per-User MFA policy for guest users, but guests cannot register for MFA in the resource tenant.
Why wrong: Per-User MFA is outdated, and guests actually can register for MFA in the resource tenant via Conditional Access.
- D
Create a Conditional Access policy requiring MFA for all external users, but exclude guests from known networks.
Why wrong: Excluding guests from known networks would not enforce MFA, which is the requirement.
A company uses Microsoft Entra ID with password hash synchronization. The security team wants to prevent users from setting passwords that include their username or common terms from a custom dictionary (e.g., company name, product names). Which feature should be configured?
- A
Enable Azure AD Identity Protection with user risk policies.
Why wrong: Identity Protection detects risky sign-ins and users but does not enforce password complexity rules.
- B
Configure a custom banned passwords list in Microsoft Entra ID Password Protection.
This allows adding a custom list of banned terms (up to 1000 entries of 4 to 16 characters) that fuzzy and substring matching extend to obvious variants, on top of Microsoft's global banned list. One caveat given password hash synchronization: passwords are set on-premises, and the cloud list only evaluates cloud-side changes (SSPR, cloud password changes) unless Microsoft Entra Password Protection for Windows Server Active Directory (DC agent plus proxy service) is deployed, which enforces the same global and custom lists on every domain controller.
- C
Set a fine-grained password policy in on-premises Active Directory and sync it to Azure AD.
Why wrong: Fine-grained password policies are for on-premises AD; they do not apply to cloud-only users and do not support custom banned word lists.
- D
Enable MFA registration campaign to force users to register for MFA.
Why wrong: MFA registration is about authentication, not password strength.
A security administrator needs to block users from running portable executable files (e.g., .exe, .scr) that were downloaded from the internet on Windows devices. Which Attack Surface Reduction (ASR) rule should the administrator enable to meet this requirement?
- A
Block executable files from running unless they meet a prevalence, age, or trusted list criterion
This ASR rule blocks executables that fail Microsoft's cloud reputation checks (low prevalence, too new, or not on a trusted list), which covers freshly downloaded files; no ASR rule is scoped to 'downloaded from the internet' specifically. It requires cloud-delivered protection to be enabled, and like every ASR rule it should be rolled out in audit mode first because line-of-business binaries with low prevalence are exactly what it catches.
- B
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Why wrong: This rule prevents credential theft via LSASS, not blocking executed downloads.
- C
Block Adobe Reader from creating child processes
Why wrong: This rule prevents Adobe Reader from spawning other processes, not blocking downloaded executables.
- D
Block persistence through WMI event subscription
Why wrong: This rule blocks WMI-based persistence, not the execution of downloaded files.
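Enabling that rule in audit mode on one device and reading back what it would have blocked, as an added example that is not code from the original page. 01443614-cd74-433a-b99e-2ecdc07bfc25 is the documented ID of the "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" rule; Intune or GPO is the production route, and this is the local equivalent for testing. It assumes Windows with Microsoft Defender Antivirus active and an elevated PowerShell session.

```powershell
# Added example (not from the MS-102 page): ASR rule in audit mode, prerequisite check,
# and the audit/block events. Assumptions: Defender AV active, elevated session.
$RuleId = '01443614-cd74-433a-b99e-2ecdc07bfc25'   # documented ID of the prevalence/age/trust rule

# 1. The rule relies on cloud reputation, so cloud-delivered protection must be on.
$pref = Get-MpPreference
if ($pref.MAPSReporting -eq 0) {
    Set-MpPreference -MAPSReporting Advanced
}

# 2. Audit first; switch to Enabled once the events look right.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions AuditMode

# 3. Confirm the rule state (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
$pref = Get-MpPreference
$ids = @($pref.AttackSurfaceReductionRules_Ids)
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $RuleId) {
        "Rule {0} action = {1}" -f $RuleId, $pref.AttackSurfaceReductionRules_Actions[$i]
    }
}

# 4. Event 1122 = audited (would have blocked), 1121 = blocked, in the Defender
#    operational log. The message carries the rule ID and the path of the executable.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId } |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } }
```

At fleet scale the same 1121/1122 events are what the Defender for Endpoint advanced hunting table surfaces; the local query is for validating one device before the policy goes out.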
A company wants to allow users to reset their own forgotten passwords using a mobile app notification as the verification method. Which Microsoft Entra feature should be enabled and configured?
- A
Azure AD Password Protection
Why wrong: Incorrect. Password Protection blocks common weak passwords but does not allow users to reset their own passwords.
- B
Self-service password reset
Correct. SSPR can be configured to allow mobile app notification as a verification method for password resets.
- C
Privileged Identity Management
Why wrong: Incorrect. PIM manages just-in-time access for privileged roles, not general user password resets.
- D
Identity Protection
Why wrong: Incorrect. Identity Protection detects risks and can automate remediation but does not provide self-service password reset.
A security administrator needs to block unsanctioned cloud apps in real time using a reverse proxy. Which two Microsoft Defender for Cloud Apps components must be configured?
- A
Cloud Discovery
Why wrong: Cloud Discovery identifies app usage but does not enforce real-time blocks.
- B
Conditional Access App Control
This component places the app behind the Defender for Cloud Apps reverse proxy for real-time session control. It requires an app that signs in through Microsoft Entra ID and a Conditional Access policy whose session control is 'Use Conditional Access App Control', which is what routes the session through the proxy.
- C
App governance
Why wrong: App governance manages OAuth app compliance, not traffic blocking.
- D
Session control policies
Session policies define actions like blocking or limiting activities within the app.
A company uses Microsoft Entra ID with Pass-through Authentication. The security team wants to block all sign-ins from countries that are not approved (e.g., high-risk regions). Which feature should they use?
- A
Conditional Access policy with country location condition
Correct. Conditional Access allows blocking or allowing access based on country using Named Locations. Create a country named location (determined by IP geolocation or, more accurately, by GPS coordinates via Microsoft Authenticator), and decide deliberately whether to tick 'Include unknown countries/regions', since sign-ins that cannot be geolocated otherwise fall outside the block.
- B
Identity Protection sign-in risk policy
Why wrong: Incorrect. Sign-in risk policies react to risk events, not geographic locations.
- C
Identity Protection user risk policy
Why wrong: Incorrect. User risk policies are based on user risk level, not location.
- D
Named locations with blocked countries
Why wrong: Incorrect. Named locations are a configuration block, not a policy by themselves; they must be used in a Conditional Access policy to enforce blocking.
A security administrator wants to configure Microsoft Defender for Cloud Apps to block downloads of sensitive files from Salesforce to unmanaged devices in real time. Which Defender for Cloud Apps component must be configured?
- A
Cloud Discovery
Why wrong: Cloud Discovery identifies cloud app usage but does not provide real-time blocking.
- B
App Connectors
Why wrong: App Connectors provide API-based governance, not real-time session control.
- C
Conditional Access App Control
Conditional Access App Control uses a reverse proxy to monitor and control sessions in real time, enabling block actions. Salesforce must sign in through Microsoft Entra ID, a Conditional Access policy with the 'Use Conditional Access App Control' session control routes the session to the proxy, and the session policy's device filter (compliant or hybrid-joined devices) identifies the unmanaged devices the download block applies to; sensitivity labels or content inspection decide which files count as sensitive.
- D
Activity policies
Why wrong: Activity policies trigger alerts and can automatically take actions like suspend user, but not real-time block in session.