CCNA Deploy and manage a Microsoft 365 tenant Questions

23 of 248 questions · Page 4/4 · Deploy and manage a Microsoft 365 tenant

226 · MCQ · hard

Your company is required to retain all emails sent to and from executives for 7 years due to regulatory compliance. You need to implement this with minimal administrative overhead. What should you use?

A. Create a Microsoft Purview retention policy for the executive mailboxes
B. Configure Exchange journaling to export to an external system
C. Place each executive mailbox on Litigation Hold
D. Enable the archive mailbox for each executive
Answer: A

Retention policies automatically retain emails for the specified duration with minimal overhead.

Why this answer

Microsoft Purview retention policies and retention labels can automatically retain emails for a specified period. Option C (Litigation Hold) is a manual, per-mailbox process. Option B (Journaling) exports emails to an external system, adding complexity.

Option D (Archive mailbox) provides storage but not automatic retention enforcement. A retention policy or label is the most efficient way.

227 · MCQ · hard

Refer to the exhibit. You are reviewing the service principal for Microsoft Graph in your tenant. The passwordCredentials array is empty. What does this indicate?

A. The service principal is using federated credentials.
B. The service principal uses certificate-based authentication.
C. The Microsoft Graph application is disabled.
D. No client secret is configured for the service principal.
Answer: D

An empty passwordCredentials array means no secrets are set.

Why this answer

The passwordCredentials array being empty indicates that no client secret (password) has been configured for the service principal. Client secrets are one method of authentication for service principals, and their absence means that this particular authentication method is not set up. This does not imply the service principal is disabled or that other authentication methods like certificates or federated credentials are in use.

Exam trap

Microsoft often tests the misconception that an empty passwordCredentials array means the service principal is disabled or that no authentication is possible, when in fact other authentication methods like certificates or federated credentials may still be configured.

How to eliminate wrong answers

Option A is wrong because federated credentials are stored in the federatedIdentityCredentials array, not in passwordCredentials; an empty passwordCredentials array does not indicate federated credentials are being used. Option B is wrong because certificate-based authentication is indicated by the keyCredentials array, not passwordCredentials; an empty passwordCredentials array does not imply certificates are configured. Option C is wrong because the Microsoft Graph application being disabled is a separate property (accountEnabled) and is not indicated by the passwordCredentials array being empty.

228 · MCQ · easy

After adding a custom domain name to a Microsoft 365 tenant, what is the first step the administrator must complete before users can sign in using the custom domain?

A. Add the domain as an accepted domain in Exchange Online
B. Set the custom domain as the default domain for new users
C. Verify domain ownership by adding a DNS TXT record
D. Create user accounts with usernames ending with the custom domain
Answer: C

Microsoft requires a TXT record verification to prove control over the domain. This is the first mandatory step. After verification, other configurations like email setup become possible.

Why this answer

Before a custom domain can be used for user sign-ins or email routing in Microsoft 365, the administrator must prove ownership of the domain. This is done by adding a specific DNS TXT record provided by the Microsoft 365 domain setup wizard. Until the TXT record is verified, the domain remains unverified and cannot be used for any Microsoft 365 services.

Exam trap

The trap here is that candidates often confuse the order of operations, thinking they can add the domain to Exchange Online or create users first, but Microsoft 365 strictly enforces domain verification as the prerequisite for all subsequent domain-related configurations.

How to eliminate wrong answers

Option A is wrong because adding the domain as an accepted domain in Exchange Online is a later step that requires the domain to already be verified; you cannot add an unverified domain as an accepted domain. Option B is wrong because setting the custom domain as the default domain for new users also requires the domain to be verified first; the system will not allow an unverified domain to be set as default. Option D is wrong because creating user accounts with usernames ending with the custom domain is only possible after the domain is verified; the Microsoft 365 authentication system will reject unverified domains during user creation.

229 · MCQ · medium

Your organization has a hybrid identity deployment with Microsoft Entra Connect. You have synchronized all on-premises Active Directory users to Microsoft Entra ID. You need to enable Microsoft Entra ID Password Protection to automatically block weak passwords. You have installed the Password Protection proxy on a server and registered it. You also need to enforce the password protection policy for on-premises users. What additional step is required?

A. Install the Password Protection DC agent on each domain controller.
B. Install the Password Protection proxy on all domain controllers.
C. Enable the password filter in the Microsoft Entra Connect configuration.
D. Configure a Group Policy to require password complexity.
Answer: A

The DC agent enforces the policy on-premises.

Why this answer

The Password Protection DC agent is required on each domain controller to intercept and validate password changes against the Microsoft Entra ID Password Protection policy. Without this agent, the proxy server alone cannot enforce the policy for on-premises users, as the DC agent is the component that applies the password filter during password change operations.

Exam trap

The trap here is that candidates often assume the proxy server alone enforces the policy, but the proxy only facilitates communication, while the DC agent is the enforcement point on each domain controller.

How to eliminate wrong answers

Option B is wrong because the Password Protection proxy is not installed on domain controllers; it is installed on a separate server to communicate with Microsoft Entra ID, while the DC agent is installed on domain controllers to enforce the policy. Option C is wrong because Microsoft Entra Connect does not include a password filter for on-premises password protection; the password filter is part of the DC agent, not the Connect configuration. Option D is wrong because configuring a Group Policy for password complexity does not enable Microsoft Entra ID Password Protection; it only enforces local Windows password policies, which are separate from the cloud-based weak password detection.

230 · MCQ · medium

Your organization uses Microsoft 365 and wants to ensure that only compliant devices can access Exchange Online. You have Microsoft Intune for device management. What should you configure?

A. Configure devices to be Azure AD Joined
B. Create a Conditional Access policy with 'Require device to be marked as compliant'
C. Create an app protection policy in Intune
D. Create a device compliance policy in Intune
Answer: B

This enforces that only compliant devices can access Exchange Online.

Why this answer

To enforce that only compliant devices can access Exchange Online, you need a Conditional Access policy that includes the 'Require device to be marked as compliant' grant control. This policy evaluates the device compliance status reported by Intune and blocks or grants access accordingly. Without this Conditional Access policy, compliance status is never evaluated at sign-in, so a non-compliant device can still access Exchange Online.

Exam trap

The trap here is that candidates often confuse creating a device compliance policy (which only defines rules) with the Conditional Access policy that actually enforces those rules, leading them to select Option D instead of B.

How to eliminate wrong answers

Option A is wrong because Azure AD Join alone does not enforce compliance; it only registers the device in Azure AD, and without a Conditional Access policy, any joined device can access Exchange Online regardless of compliance. Option C is wrong because an app protection policy (MAM) manages data protection at the app level without requiring device enrollment or compliance, and it does not block access from non-compliant devices. Option D is wrong because a device compliance policy defines the compliance rules (e.g., encryption, OS version) but does not enforce access control; it is the Conditional Access policy that uses the compliance status to grant or deny access.

231 · MCQ · medium

A company wants to allow users to log in to Microsoft 365 using their existing on-premises Active Directory credentials and ensure that password changes are reflected immediately in the cloud. Which authentication method should be implemented?

A. Password Hash Synchronization (PHS)
B. Pass-through Authentication (PTA)
C. Federation with AD FS
D. Azure AD Seamless SSO
Answer: C

AD FS federates authentication so that Microsoft 365 trusts the on-premises system; any password change in on-prem AD is immediately reflected.

Why this answer

Federation with AD FS is correct because it allows users to authenticate directly against on-premises Active Directory, and password changes made on-premises are immediately reflected in the cloud since authentication never passes the password hash to Azure AD. This meets the requirement for instant password change propagation without any synchronization delay.

Exam trap

The trap here is that candidates often confuse Pass-through Authentication (PTA) with federation, assuming PTA also provides instant password change reflection, but PTA still requires password hash synchronization for cloud services like Azure AD Password Protection, and on-premises password changes are not instantly reflected in Azure AD without additional sync.

How to eliminate wrong answers

Option A is wrong because Password Hash Synchronization (PHS) synchronizes password hashes on a schedule (typically every 2 minutes), so password changes are not reflected immediately in the cloud. Option B is wrong because Pass-through Authentication (PTA) validates passwords on-premises but still relies on password writeback for cloud password changes, and on-premises password changes are not instantly reflected in Azure AD without additional synchronization. Option D is wrong because Azure AD Seamless SSO is not an authentication method itself; it is a feature that works on top of PHS or PTA to provide single sign-on, and it does not handle password change propagation.

232 · Multi-Select · easy

Which TWO are valid methods to add users to a Microsoft 365 tenant?

Select 2 answers
A. Create users by adding a DNS record.
B. Add users in the Azure portal.
C. Create users in the Exchange admin center.
D. Add users individually in the Microsoft 365 admin center.
E. Synchronize users from on-premises Active Directory using Microsoft Entra ID Connect.
Answers: D, E

Admins can add users manually in the admin center.

Why this answer

Option D is correct because the Microsoft 365 admin center provides a native web interface to add users individually, which is the most straightforward method for small-scale user provisioning. Option E is correct because synchronizing users from on-premises Active Directory using Microsoft Entra ID Connect (formerly Azure AD Connect) is the standard hybrid identity method for large-scale user management, ensuring directory objects are replicated to Azure AD.

Exam trap

The trap here is that candidates may confuse the Azure portal (which can create Azure AD users) with the Microsoft 365 admin center, or think the Exchange admin center can create users, when in fact it only manages mailbox-enabled users that already exist in Azure AD.

233 · MCQ · medium

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that only compliant devices can access Microsoft 365 resources. What should you configure?

A. Configure an app protection policy in Intune.
B. Create a device compliance policy in Intune.
C. Configure a Windows Hello for Business policy in Intune.
D. Create a conditional access policy in Microsoft Entra ID requiring compliant devices.
Answer: D

Conditional access policies enforce access control based on device compliance.

Why this answer

Option D is correct because Conditional Access policies in Microsoft Entra ID (formerly Azure AD) are the mechanism that enforces access controls based on signals such as device compliance. By creating a policy that requires compliant devices, you ensure that only devices meeting your compliance standards can access Microsoft 365 resources. This works in conjunction with Intune compliance policies, but the enforcement point is the Conditional Access policy.

Exam trap

The trap here is that candidates often confuse the role of Intune compliance policies (which only define and report compliance) with Conditional Access policies (which enforce access decisions), leading them to select Option B instead of D.

How to eliminate wrong answers

Option A is wrong because app protection policies (MAM) manage data protection at the application level without requiring device enrollment or compliance; they do not block access to Microsoft 365 resources based on device compliance. Option B is wrong because a device compliance policy in Intune defines the compliance requirements (e.g., encryption, OS version) but does not itself enforce access restrictions; it only marks the device as compliant or non-compliant. Option C is wrong because Windows Hello for Business policy configures biometric or PIN-based authentication on devices, but it does not control access to Microsoft 365 resources based on device compliance.

234 · MCQ · easy

Refer to the exhibit. You have a Conditional Access policy configured as shown. What is the effect of this policy?

A. It requires multi-factor authentication for trusted IPs.
B. It blocks access from all locations.
C. It blocks access from untrusted IP addresses.
D. It blocks access from trusted IP addresses.
Answer: D

The policy includes AllTrusted locations and applies a block control.

Why this answer

The policy is configured to 'Block access' for 'All users' and 'All cloud apps' when the location condition is set to 'Trusted IPs'. This means that when a user attempts to access from an IP address defined as trusted in the organization's named locations, access is explicitly blocked. The effect is that trusted IP addresses are blocked, not untrusted ones.

Exam trap

The trap here is that candidates mistakenly think 'Block access' combined with 'Trusted IPs' blocks untrusted IPs, when in fact the policy explicitly blocks the trusted IPs, leaving untrusted IPs unaffected by this policy.

How to eliminate wrong answers

Option A is wrong because the policy is set to 'Block access', not 'Grant access requiring multi-factor authentication', so it does not enforce MFA for any location. Option B is wrong because the policy only applies to the 'Trusted IPs' location condition, not to 'All locations' or 'Any location', so it does not block access from all locations. Option C is wrong because the policy targets 'Trusted IPs', not 'Untrusted IPs'; untrusted IPs are not affected by this policy and would fall through to other policies or default behavior.

235 · Multi-Select · medium

You are a Microsoft 365 Administrator for a multinational organization that is deploying a new Microsoft 365 tenant. The organization has strict compliance and security requirements. Which four of the following actions should you take to properly deploy and manage the tenant? Choose all that apply. (There are four correct answers.)

Select 4 answers
- Configure password hash synchronization (PHS) from the on-premises Active Directory to Microsoft Entra ID to enable Hybrid Identity.
- Create and assign custom administrative roles using Role-Based Access Control (RBAC) to delegate specific management tasks without granting global admin privileges.
- Enable Microsoft Defender for Office 365 and configure Safe Attachments and Safe Links policies to protect against advanced threats in email and collaboration tools.
- Configure a Microsoft 365 usage location for each user before assigning licenses to comply with regional licensing and data residency requirements.
- Use the Microsoft 365 admin center to directly edit and manage all user objects in the on-premises Active Directory to ensure synchronization consistency.
- Disable multi-factor authentication (MFA) for all users during the initial deployment to simplify onboarding, and enable it after 30 days.

Why this answer

Configuring password hash synchronization (PHS) from on-premises Active Directory to Microsoft Entra ID is a foundational step for hybrid identity. It synchronizes user password hashes, enabling users to use the same credentials for cloud and on-premises resources, and is required for features like Identity Protection and leaked credential detection.

Exam trap

The trap here is that candidates may think disabling MFA temporarily is acceptable for deployment simplicity, but Microsoft explicitly requires MFA to be enabled from day one for all users, especially privileged roles, and the exam tests this security-first mindset.

236 · MCQ · hard

You are a Microsoft 365 administrator for Contoso Corporation, a multinational company with 20,000 users. The company uses Microsoft 365 E5, Microsoft Entra ID P2, Microsoft Defender XDR, Microsoft Purview, and Microsoft Intune. The security team wants to implement a zero-trust access model. Requirements: 1. All access to corporate resources must require multifactor authentication (MFA) and device compliance. 2. Users must register for MFA before accessing any app. 3. Legacy authentication protocols must be blocked for all users. 4. External collaboration must be governed by identity governance. 5. Sensitive data in SharePoint Online must be protected by DLP. 6. All administrative actions must be audited. You need to design the configuration. Which combination of actions should you take?

A. Enable Security defaults, configure SharePoint DLP, and use Microsoft Purview Audit for admin actions
B. Create a Conditional Access policy requiring MFA, block legacy auth, and use Microsoft Defender for Cloud Apps to monitor admin actions
C. Use Microsoft Intune compliance policies, enable MFA per-user, and deploy Microsoft Sentinel for auditing
D. Create Conditional Access policies requiring MFA and compliant devices, block legacy auth, enforce MFA registration via Identity Protection, set up Microsoft Entra ID Governance for external users, configure Purview DLP for SharePoint, and enable Purview Audit
Answer: D

This combination meets all requirements.

Why this answer

Option D is correct. Conditional Access policies requiring MFA and compliant devices, blocking legacy authentication, and using Entra ID Identity Protection to enforce MFA registration meet requirements 1, 2 and 3. Microsoft Entra ID Governance (Entitlement Management) handles external collaboration (requirement 4).

Microsoft Purview DLP protects SharePoint (requirement 5). Microsoft Purview Audit (Standard or Premium) audits admin actions (requirement 6). Option A is wrong because Security defaults are less granular and may not block legacy auth for all users.

Option B is wrong because it addresses only MFA and legacy authentication, leaving out device compliance, MFA registration enforcement, identity governance for external users, and DLP (requirements 1, 2, 4 and 5). Option C is wrong because Intune compliance policies alone do not enforce MFA, and Microsoft Sentinel is a SIEM, not the primary audit log for admin actions (Purview Audit is).

237 · MCQ · hard

A company has a Microsoft 365 E5 tenant with 10,000 users. You need to delegate the ability to manage Microsoft Entra ID roles to a group of support engineers. The solution must follow the principle of least privilege and allow engineers to assign only specific roles to users. What should you do?

A. Assign the engineers the Privileged Role Administrator role
B. Add the engineers to the Global Administrator role in Microsoft Entra ID
C. Create a group in Microsoft Entra ID and assign it the User Administrator role, then use PIM to elevate
D. Create a custom role in Microsoft Entra ID with permissions to assign specific roles, and use PIM to enable just-in-time access
Answer: D

Custom roles with PIM provide least-privilege delegation.

Why this answer

Option D is correct because it follows the principle of least privilege by creating a custom role that grants only the specific permissions needed to assign designated roles, and using Privileged Identity Management (PIM) for just-in-time (JIT) access ensures engineers are elevated only when required. This approach avoids granting standing administrative privileges and allows granular control over which roles can be assigned, meeting the requirement to delegate role management without over-provisioning.

Exam trap

The trap here is that candidates often confuse the Privileged Role Administrator role (which can assign any role) with a custom role that limits assignments to specific roles, or mistakenly think that adding engineers to a built-in role like User Administrator with PIM elevation is sufficient, when in fact PIM does not change the underlying permissions of the role itself.

How to eliminate wrong answers

Option A is wrong because the Privileged Role Administrator role grants full control over all role assignments in Microsoft Entra ID, including the ability to assign any role (including Global Administrator), which violates the principle of least privilege by providing excessive permissions. Option B is wrong because the Global Administrator role has unrestricted access to all tenant settings and resources, far exceeding the need to manage only specific role assignments, and is a classic over-privileged assignment. Option C is wrong because the User Administrator role only allows management of users and groups, not the assignment of Microsoft Entra ID roles to users; it does not include permissions to delegate role management, and using PIM with this role does not grant the ability to assign other roles.

238 · MCQ · medium

Refer to the exhibit. An administrator runs the KQL query in Microsoft Defender for Endpoint. The result set is empty. What is the most likely reason?

A. The device is not onboarded to Microsoft Defender for Endpoint.
B. The query is case-sensitive and the account name is 'Admin' with a capital A.
C. No logon events with the account name 'admin' exist in the past 7 days.
D. There are no logon events in the last 7 days.
Answer: C

The query filters on AccountName == "admin"; if no events match, the result set is empty.

Why this answer

The KQL query filters for logon events where the AccountName equals 'admin' (lowercase). If no such events occurred in the last 7 days, the result set will be empty. This is the most likely reason because the query explicitly restricts the time range and account name, and an empty result does not indicate a broader issue with onboarding or case sensitivity.

Exam trap

The trap here is that candidates may assume an empty result set always indicates a configuration or onboarding problem, rather than recognizing that the query's specific filter (account name and time range) simply returned no matching data.

How to eliminate wrong answers

Option A is wrong because if the device were not onboarded to Microsoft Defender for Endpoint, the query would return an error or no data at all, but the question states the result set is empty, which is consistent with a valid query returning zero matching records. Option B is wrong because KQL is case-sensitive by default, but the query uses 'admin' (lowercase) and the exhibit shows the account name is 'admin' (lowercase), so case sensitivity is not the issue; the query would match 'admin' exactly. Option D is wrong because the query specifically filters for the account name 'admin', so even if there are other logon events in the last 7 days, they would not appear unless they match the account name; an empty result does not imply no logon events at all.

239 · MCQ · easy

An administrator needs to configure email notifications for Exchange Online service health incidents to be sent to a specific IT support mailbox. Where should the administrator configure these notifications in the Microsoft 365 admin center?

A. Health > Service health > Customize notifications
B. Organization profile > Notifications > Service health
C. Mail flow connectors
D. Settings > Service settings
Answer: A

Navigate to Health > Service health, then select 'Customize notifications' to set up specific email recipients for Exchange Online alerts.

Why this answer

Option A is correct because the 'Customize notifications' link under Health > Service health in the Microsoft 365 admin center is the dedicated interface for configuring email notifications for service health incidents, including Exchange Online. This allows administrators to specify which email addresses (such as an IT support mailbox) receive alerts for service incidents, advisories, and other health events, with granular control over which services and severity levels trigger notifications.

Exam trap

The trap here is that candidates confuse the 'Notifications' section under Organization profile (which handles admin email notifications for password resets or license assignments) with the service health notification settings, leading them to select Option B instead of navigating to the correct Health > Service health path.

How to eliminate wrong answers

Option B is wrong because 'Organization profile > Notifications > Service health' is not a valid path in the Microsoft 365 admin center; the actual notification settings for service health are located under Health > Service health, not under Organization profile. Option C is wrong because 'Mail flow connectors' are used to configure email routing between Exchange Online and on-premises or third-party email systems, not for setting up service health notifications. Option D is wrong because 'Settings > Service settings' is a generic path that does not exist in the current Microsoft 365 admin center UI; service health notifications are managed under the Health section, not under Settings.

240 · MCQ · easy

A company purchases Microsoft 365 E5 licenses for 500 users. The administrator wants to automatically assign licenses to new users based on their group membership. Which method should the administrator use?

A. Run a PowerShell script to assign licenses individually
B. Configure group-based licensing in Microsoft Entra ID
C. Manually assign licenses in the Microsoft 365 admin center for each user
D. Use a volume licensing product key to activate licenses
Answer: B

Group-based licensing assigns licenses automatically to members of a group, including new members.

Why this answer

Group-based licensing in Microsoft Entra ID (formerly Azure AD) allows automatic assignment and removal of licenses based on group membership. When a user is added to a licensed group, the license is automatically assigned; when removed, the license is revoked. This eliminates manual effort and ensures consistent licensing for all 500 users.

Exam trap

The trap here is that candidates often confuse group-based licensing with manual or scripted methods, assuming that PowerShell or the admin center are the only ways to assign licenses, but Microsoft Entra ID's group-based licensing is the correct automated solution for this scenario.

How to eliminate wrong answers

Option A is wrong because running a PowerShell script to assign licenses individually is a manual, scripted approach that does not scale well for 500 users and lacks the automatic, membership-driven assignment required. Option C is wrong because manually assigning licenses in the Microsoft 365 admin center for each user is time-consuming and error-prone, not leveraging automation. Option D is wrong because volume licensing product keys are used for on-premises or subscription activation, not for assigning Microsoft 365 E5 licenses to users in a cloud tenant.

241 · Multi-Select · hard

Your organization uses Microsoft Purview to enforce data loss prevention (DLP) policies. You need to block users from sharing credit card numbers via email. Which THREE components are required to implement this policy?

Select 3 answers
A. The built-in 'Credit Card Number' sensitive info type.
B. A sensitivity label that identifies credit card information.
C. Microsoft Defender for Cloud Apps.
D. Microsoft Entra ID P2 licenses.
E. A DLP policy configured in the Microsoft Purview compliance portal.
Answers: A, B, E

DLP policies use sensitive info types to detect patterns like credit card numbers.

Why this answer

The built-in 'Credit Card Number' sensitive info type is required because Microsoft Purview DLP policies rely on predefined or custom sensitive information types to detect specific data patterns, such as credit card numbers, using regular expressions and checksums. Without this type, the DLP policy would not know what content to scan for in emails.

Exam trap

The trap here is that candidates often confuse the requirement for a sensitivity label (which is optional for DLP and used for classification, not detection) with the mandatory sensitive info type, or they assume Defender for Cloud Apps is needed for email DLP, when it is only for cloud app shadow IT scenarios.

242 · MCQ · easy

Refer to the exhibit. You run this PowerShell command in your Microsoft 365 tenant. What is the purpose of the command?

A. To list all users with sign-in blocked
B. To list all unlicensed users with a specific usage location
C. To list all unlicensed users in the tenant
D. To list all users who have a license assigned
Answer: C

The filter selects users without a license.

Why this answer

The PowerShell command `Get-MgUser -Filter 'assignedLicenses/$count eq 0' -ConsistencyLevel eventual` retrieves all users in the Microsoft 365 tenant who have no licenses assigned. The `assignedLicenses/$count eq 0` filter checks that the count of assigned licenses is zero, and `-ConsistencyLevel eventual` is required for advanced queries on directory objects. This directly corresponds to listing all unlicensed users in the tenant.

Exam trap

The trap here is that candidates may confuse the `assignedLicenses/$count eq 0` filter with a filter for unlicensed users in a specific location or with sign-in status, but the command lacks any additional filters for usage location or account status.

How to eliminate wrong answers

Option A is wrong because the command does not filter by `accountEnabled` or `SignInActivity`, which are required to identify users with sign-in blocked. Option B is wrong because the command does not include any filter for `usageLocation`; it only checks for unlicensed users without specifying a location. Option D is wrong because the command explicitly filters for users where `assignedLicenses/$count eq 0`, meaning it returns users without licenses, not those with licenses assigned.

243 · MCQ · hard

You are reviewing a Conditional Access policy in Microsoft Entra ID. The exhibit shows the policy configuration. You need to allow users to access Office 365 applications from personal devices that are not enrolled in Microsoft Intune. However, the policy currently blocks access because it requires a compliant device. Users are prompted for MFA but then blocked due to device compliance. What should you modify in the policy?

A. Add a session control for sign-in frequency.
B. Remove "compliantDevice" from the builtInControls grant control list.
C. Remove the cloudAppSecurity session control.
D. Change cloudAppSecurityType to "blockDownloads".
Answer: B

Removing the compliant device requirement allows access from any device.

Why this answer

Option B is correct because the policy requires both MFA and a compliant device in its grant controls (grantControls). To allow access from non-compliant personal devices, remove the compliantDevice requirement so that only MFA is required. Alternatively, you could exclude personal devices from the policy's scope, but modifying the grant controls is the straightforward change.

Option A is wrong because sign-in frequency is a session control and does not change the grant requirements. Option C is wrong because cloud app security is a session control, not a grant control, so removing it leaves the compliant-device requirement in place. Option D is wrong because changing cloudAppSecurityType only alters session behaviour and does not affect the grant requirements.

244
MCQmedium

You are a Microsoft 365 administrator. A user reports that they cannot send emails to a specific external domain. You check the Exchange Admin Center and see that the domain is not blocked. What should you check next?

A. Verify that the user has a full mailbox and is not over the send limit.
B. Review the outbound spam filter policy.
C. Check the mail flow rules (transport rules) in Exchange Online.
D. Check the spam filter policy to see if the domain is on the blocked sender list.
AnswerC

A mail flow rule could be blocking messages to that domain.

Why this answer

Mail flow rules (transport rules) in Exchange Online can block or redirect messages based on conditions like sender, recipient domain, or message content, even if the domain is not listed in any block list. Since the domain is not blocked in the spam filter or outbound policies, a transport rule is the most likely cause of the issue, as it can silently reject or quarantine messages without appearing in the standard block lists.

Exam trap

The trap here is that candidates often assume domain blocking only occurs in the spam filter or outbound policies, overlooking that transport rules can enforce granular domain-based restrictions that are invisible in those sections.

How to eliminate wrong answers

Option A is wrong because send limits (e.g., 10,000 recipients per day) apply to all external domains equally, not to a specific domain, and the user would typically receive a non-delivery report (NDR) if over the limit. Option B is wrong because the outbound spam filter policy controls bulk email thresholds and sending limits for outbound spam, not the ability to send to a specific domain. Option D is wrong because the spam filter policy's blocked sender list applies to inbound messages (from external senders to your users), not outbound messages sent by your users to external domains.

245
MCQeasy

Your company uses Microsoft 365 Business Premium. You need to ensure that all company-owned Windows 10 devices are automatically enrolled in Microsoft Intune when users sign in with their work account. The devices are Azure AD joined. You have configured automatic enrollment in Intune. However, some devices are not enrolling. You need to troubleshoot the issue. What should you check first?

A. Ensure that devices are Azure AD joined and not domain joined.
B. Check the Windows 10 version; version 1607 or later is required.
C. Verify that each user has an appropriate Microsoft Intune license assigned.
D. Check that the MDM authority is set to Microsoft Intune in Microsoft Entra ID.
AnswerC

Without a license, devices cannot enroll in Intune even if automatic enrollment is configured.

Why this answer

Option C is correct because automatic enrollment in Microsoft Intune requires each user to have an appropriate Intune license (e.g., Microsoft 365 Business Premium includes Intune). Without a license, the device will not be able to enroll even if all other prerequisites are met. The license is checked during the enrollment process, and if missing, enrollment fails silently.

Exam trap

The trap here is that candidates often assume device-level prerequisites (like Azure AD join or OS version) are the most common cause, but Microsoft Intune enrollment is user-license-driven, and missing licenses are a frequent real-world issue that is easy to overlook.

How to eliminate wrong answers

Option A is wrong because the question states the devices are already Azure AD joined, so this is not a missing prerequisite; checking this again would not resolve the issue. Option B is wrong because Windows 10 version 1607 or later is a requirement, but the question does not indicate that devices are running an older version; this is a secondary check, not the first step. Option D is wrong because the MDM authority is automatically set to Microsoft Intune when you configure automatic enrollment in the Microsoft Entra admin center; if it were not set, no devices would enroll, but the question states that some devices are enrolling, so this is not the immediate issue.

246
MCQmedium

An organization uses a third-party SaaS application that supports SAML-based single sign-on. The application is not in the Azure AD gallery. What is the first step to configure SSO?

A. Create a new enterprise application from the 'Non-gallery application' option in Azure AD
B. Configure Azure AD Connect to sync on-premises users
C. Add the application in the Microsoft 365 admin center under 'Integrated apps'
D. Create a custom role in Azure AD for the application
AnswerA

This is the standard first step for integrating a custom SAML application that is not pre-listed in the gallery.

Why this answer

The correct first step is to create a new enterprise application from the 'Non-gallery application' option in Azure AD. This allows you to configure SAML-based SSO for any third-party application that supports SAML 2.0, even if it is not listed in the Azure AD gallery. The non-gallery application template provides the necessary endpoints and metadata to establish trust between Azure AD and the SaaS application.

Exam trap

The trap here is that candidates often confuse the 'Integrated apps' section in the Microsoft 365 admin center with Azure AD enterprise applications, but the former is for managing add-ins and the latter is the correct location for SAML SSO configuration.

How to eliminate wrong answers

Option B is wrong because Azure AD Connect is used to synchronize on-premises Active Directory users to Azure AD, not to configure SSO for a third-party SaaS application. Option C is wrong because the Microsoft 365 admin center 'Integrated apps' section is for managing Microsoft 365 add-ins and integrations, not for configuring SAML-based SSO with external applications. Option D is wrong because custom roles in Azure AD are for managing administrative permissions, not for configuring application SSO.

247
MCQhard

Your organization has a Microsoft 365 E5 tenant. You want to ensure that all users are automatically signed in to Microsoft 365 apps using single sign-on (SSO) when they are on the corporate network. You have Azure AD joined the devices. What additional configuration is required?

A. Enable Azure AD Seamless Single Sign-On.
B. No additional configuration is required; Azure AD joined devices provide SSO automatically.
C. Configure Azure AD Application Proxy for each app.
D. Deploy a trusted certificate for the corporate network.
AnswerB

The PRT on Azure AD joined devices provides automatic SSO.

Why this answer

Azure AD joined devices are already registered with Azure AD and use the Primary Refresh Token (PRT) to provide seamless SSO for Microsoft 365 apps without any additional configuration. When a user signs in to a Windows 10/11 device that is Azure AD joined, the PRT is obtained during the initial authentication and is then used automatically for browser and app sign-ins on the corporate network. Therefore, no extra steps such as enabling Seamless SSO or deploying certificates are needed.

Exam trap

The trap here is that candidates often confuse Azure AD Seamless SSO (which is for non-Azure AD joined devices) with the built-in SSO capability of Azure AD joined devices, leading them to incorrectly select Option A.

How to eliminate wrong answers

Option A is wrong because Azure AD Seamless Single Sign-On is a separate feature for non-Azure AD joined devices (e.g., domain-joined or non-joined devices) that relies on Kerberos delegation; it is unnecessary when devices are already Azure AD joined, as the PRT handles SSO natively. Option C is wrong because Azure AD Application Proxy is designed for publishing on-premises apps externally, not for enabling SSO on the corporate network for Microsoft 365 apps. Option D is wrong because deploying a trusted certificate is not required for SSO on Azure AD joined devices; the PRT-based SSO uses Azure AD's token infrastructure and does not depend on a locally trusted certificate for authentication.

248
MCQmedium

An administrator wants to prevent users from inviting guest users from the domain 'contoso.com' to the tenant. The administrator needs to block all invitations for that specific domain while allowing invitations from all other external domains. Which setting in Microsoft Entra ID should be configured?

A. Cross-tenant access settings
B. External collaboration settings
C. User settings
D. Domain federation
AnswerB

External collaboration settings allow you to block invitations to specific domains by adding them to the blocked domains list.

Why this answer

External collaboration settings in Microsoft Entra ID (formerly Azure AD) allow administrators to configure domain-based restrictions for B2B collaboration invitations. By adding 'contoso.com' to the deny list in the External collaboration settings blade, invitations to that domain are blocked while all other external domains remain allowed. This setting directly controls guest invitation behavior at the domain level.

Exam trap

The trap here is that candidates often confuse 'Cross-tenant access settings' (which manage tenant-to-tenant trust and access) with 'External collaboration settings' (which control domain-level invitation restrictions), leading them to select Option A incorrectly.

How to eliminate wrong answers

Option A is wrong because Cross-tenant access settings control inbound and outbound access for specific tenants, not domain-based invitation blocking for all external domains; they are used for granular trust and access policies between tenants. Option C is wrong because User settings in Entra ID manage user permissions like self-service group creation or sign-in restrictions, not domain-level guest invitation blocking. Option D is wrong because Domain federation configures trust relationships for authentication (e.g., SAML/WS-Fed) with external identity providers, not invitation restrictions for specific domains.
