CCNA Manage users, groups, licensing, and support Questions

29 questions · Manage users, groups, licensing, and support · All types, answers revealed

1
MCQ · medium

A company is deploying Microsoft 365 and wants to ensure that users in the finance department have access to only the apps they need. You need to recommend a licensing strategy that minimizes administrative overhead while enforcing access restrictions. What should you do?

A. Create a security group with explicit membership and assign licenses to the group.
B. Create a dynamic Azure AD group based on department attribute and assign licenses using group-based licensing.
C. Assign licenses to users one by one in the Microsoft 365 admin center.
D. Use PowerShell to assign licenses based on user department attribute.
Answer: B

This automates license assignment and removal when users change departments.

Why this answer

Option B is correct because using a dynamic Azure AD group based on the department attribute automates membership updates as users change departments, and group-based licensing assigns the appropriate licenses to all members without manual intervention. This minimizes administrative overhead by eliminating the need to manually add or remove users from the group or assign licenses individually, while enforcing access restrictions by ensuring only finance users receive the licensed apps.

Exam trap

The trap here is that candidates often choose Option A (security group with explicit membership) because they think it provides more control, but they overlook the administrative overhead of manual membership management and the fact that group-based licensing works with any Azure AD group type, including security groups, as long as the group is used for license assignment.

How to eliminate wrong answers

Option A is wrong because a security group with explicit membership requires manual updates when users join or leave the finance department, increasing administrative overhead and risking stale memberships. Option C is wrong because assigning licenses one by one in the Microsoft 365 admin center is highly manual and does not scale, nor does it enforce dynamic access restrictions based on department changes. Option D is wrong because using PowerShell to assign licenses based on department attribute requires scripting, scheduled runs, and error handling, which adds complexity and overhead compared to the built-in dynamic group and group-based licensing feature.

2
MCQ · hard

You are the Microsoft 365 administrator for Contoso Ltd., a company with 500 users. The company uses hybrid identity with Azure AD Connect. You have a dynamic group named 'SalesGroup' that includes all users whose department attribute equals 'Sales'. Recently, the HR system updated the department for 20 users from 'Sales' to 'Marketing'. The Azure AD Connect sync completed successfully, and the attribute changes are reflected in Azure AD. However, after 48 hours, these users are still members of 'SalesGroup'. You need to ensure that the group membership accurately reflects the department attribute within the next hour. The solution must use minimal administrative effort. What should you do?

A. Remove the users from the group manually
B. Delete and recreate the dynamic group with the same rule
C. Trigger a manual evaluation of the dynamic group in Azure AD
D. Wait another 24 hours for the next automatic evaluation
Answer: C

Forces immediate membership update.

Why this answer

Option C is correct because Azure AD dynamic groups are not automatically re-evaluated immediately after a sync; they rely on a periodic background evaluation process that can take up to 24 hours. By triggering a manual evaluation in the Azure AD admin center or via PowerShell (using the `Invoke-MgGraphRequest` or `Update-MgGroup` cmdlet), you force an immediate recalculation of group membership based on the current attribute values, ensuring the 20 users are removed from SalesGroup within the hour with minimal administrative effort.

Exam trap

The trap here is that candidates assume dynamic groups are evaluated immediately after an attribute sync, but Microsoft deliberately tests the understanding that dynamic group membership evaluation is asynchronous and can take up to 24 hours unless manually triggered.

How to eliminate wrong answers

Option A is wrong because manually removing users defeats the purpose of a dynamic group and requires ongoing administrative effort, which contradicts the 'minimal administrative effort' requirement and does not fix the underlying evaluation delay. Option B is wrong because deleting and recreating the dynamic group would cause temporary loss of the group object, potentially breaking assigned permissions or licenses, and still requires waiting for the new group to be evaluated; it is an unnecessary and disruptive workaround. Option D is wrong because waiting another 24 hours does not meet the requirement to resolve the issue within the next hour, and the automatic evaluation could take up to 24 hours from the last evaluation, not from the sync completion.

3
Multi-Select · easy

Which TWO actions can a Microsoft 365 global administrator perform in the Microsoft 365 admin center to manage user accounts? (Choose two.)

Select 2 answers
A. Recover a deleted user account.
B. Assign admin roles to a user.
C. Reset a user's password.
D. Manage the service health of Microsoft 365.
E. Create mailbox delegation permissions.
Answers: B, C

Roles can be assigned from the admin center user management.

Why this answer

In the Microsoft 365 admin center, a global administrator can assign admin roles to a user by navigating to Active users, selecting the user, and choosing 'Manage roles'. This is a core identity management task that allows delegation of administrative privileges within the tenant. Option C is also correct because resetting a user's password is a standard user management action available in the same interface.

Exam trap

The trap here is that candidates confuse the Microsoft 365 admin center's scope with other specialized admin centers (e.g., Exchange admin center, Azure AD admin center) and select actions like mailbox delegation or service health management, which are not part of the core user account management tasks in the Microsoft 365 admin center.

4
Multi-Select · hard

Which THREE steps are required to enable group-based licensing?

Select 3 answers
A. Configure Azure AD Connect
B. Add members to the group
C. Create a security group
D. Ensure group is mail-enabled
E. Assign a license to the group
Answers: B, C, E

Members inherit license.

Why this answer

Option B is correct because group-based licensing in Azure AD requires that you add members to the security group that will have the license assigned. Without members, the license assignment has no effect, as the license is applied to all users in the group. This step ensures that the intended users receive the license automatically based on group membership.

Exam trap

The trap here is that candidates often think Azure AD Connect is required for any group-based operation, but group-based licensing is a cloud-native feature that does not require hybrid synchronization; the only prerequisites are an Azure AD tenant, a security group, and a valid license SKU.

5
Multi-Select · hard

Which THREE conditions can be used in a dynamic group rule for a device?

Select 3 answers
A. deviceModel
B. deviceCategory
C. deviceOSVersion
D. lastLogonTimestamp
E. passwordLastSet
Answers: A, B, C

Valid device attribute.

Why this answer

Option A is correct because `deviceModel` is a valid attribute that can be used in a dynamic group rule for devices in Microsoft Entra ID (formerly Azure AD). Dynamic group rules for devices support attributes such as `deviceModel`, `deviceCategory`, and `deviceOSVersion` to automatically include or exclude devices based on their hardware or software characteristics.

Exam trap

The trap here is that candidates confuse user attributes (like `lastLogonTimestamp` and `passwordLastSet`) with device attributes, leading them to incorrectly select options that are valid only for user-based dynamic groups.

6
MCQ · easy

A company needs to ensure that only users from specific IP ranges can access Exchange Online. Which tool should be used?

A. Azure AD Conditional Access with Named Locations
B. Security & Compliance Center
C. Multi-factor authentication
D. Azure AD Connect
Answer: A

Named locations define trusted IPs.

Why this answer

Azure AD Conditional Access with Named Locations is the correct tool because it allows administrators to define trusted IP ranges as named locations and then enforce access policies that restrict Exchange Online access to only those IP ranges. This integrates directly with Azure AD authentication, evaluating the user's IP address during sign-in to grant or block access based on the policy.

Exam trap

The trap here is that candidates often confuse the Security & Compliance Center's transport rules or mailbox policies with network-level access control, or they assume MFA alone can restrict access by IP, when in fact Conditional Access is the dedicated feature for location-based policies.

How to eliminate wrong answers

Option B is wrong because the Security & Compliance Center is used for data governance, threat management, and compliance features like retention policies and eDiscovery, not for controlling network-level access to Exchange Online. Option C is wrong because Multi-Factor Authentication (MFA) adds a second verification factor but does not restrict access based on source IP addresses; it can be combined with Conditional Access but alone does not enforce IP range restrictions. Option D is wrong because Azure AD Connect is a tool for synchronizing on-premises directory objects to Azure AD and enabling hybrid identity, not for configuring access policies based on IP ranges.

7
MCQ · easy

A user reports they cannot access SharePoint Online but can access Outlook. The admin verifies the user has an E3 license assigned. What is the most likely cause?

A. License not assigned
B. MFA challenge failing
C. User account is disabled
D. SharePoint Online service plan is disabled
Answer: D

A service plan can be disabled per user.

Why this answer

The user can access Outlook (Exchange Online) but not SharePoint Online, which indicates that the user's E3 license is assigned and the account is active. The most likely cause is that the SharePoint Online service plan within the E3 license is disabled. Each Microsoft 365 license includes multiple service plans (e.g., Exchange Online, SharePoint Online, Teams), and an admin can disable individual plans while keeping the license assigned.

If the SharePoint Online service plan is disabled, the user will be blocked from accessing SharePoint Online despite having a valid license.

Exam trap

The trap here is that candidates assume a licensed user has full access to all services included in the license, overlooking that individual service plans can be disabled independently.

How to eliminate wrong answers

Option A is wrong because the user can access Outlook, which requires a valid license; if no license were assigned, the user would be blocked from all services, not just SharePoint Online. Option B is wrong because an MFA challenge failure would block access to all Microsoft 365 services, including Outlook, not just SharePoint Online. Option C is wrong because a disabled user account would prevent access to all services, including Outlook, but the user can access Outlook, so the account is active.

8
Multi-Select · medium

You are the Microsoft 365 Administrator for a multinational organization. You need to manage user accounts, groups, licensing, and support. Which four of the following actions are valid and recommended practices? (Choose four.)

Select 4 answers
- Assign licenses to a security group to automatically license all current and future members.
- Use Microsoft Entra ID (formerly Azure AD) dynamic group membership rules to automatically add or remove users based on department or job title attributes.
- Create a Microsoft 365 group in the Exchange admin center to provide a shared mailbox and calendar for a project team.
- Enable self-service password reset (SSPR) for all users and require registration of authentication methods.
- Permanently delete a user account immediately after the user leaves the company to free up the license.
- Convert a distribution group to a security group by editing its properties in the Microsoft 365 admin center.

Why this answer

Assigning licenses to a security group is a valid and recommended practice because it automates license assignment for all current and future members of the group, reducing manual overhead and ensuring compliance. This leverages group-based licensing in Microsoft Entra ID, which supports both direct and dynamic group membership.

Exam trap

The trap here is that candidates may think permanently deleting a user account immediately is the fastest way to free a license, but Microsoft recommends a phased approach (block sign-in, convert mailbox, then delete after 30 days) to avoid data loss and compliance issues.

9
MCQ · medium

A user reports that after their department was changed in the HR system, the change is not reflected in Azure AD dynamic group membership. The sync from HR to Azure AD is working. What is the most likely issue?

A. License not assigned
B. Group is a mail-enabled security group
C. Dynamic group membership evaluation delay
D. Attribute not synced to Azure AD
Answer: C

Membership update can take up to 24 hours.

Why this answer

Dynamic group membership in Azure AD is not updated in real time; it can take up to 30 minutes for a user attribute change to trigger a membership reevaluation. Since the HR-to-Azure AD sync is confirmed working, the delay is the most likely cause, not a failure in attribute synchronization or licensing.

Exam trap

The trap here is that candidates assume a working HR sync means group membership should update instantly, overlooking the built-in evaluation delay that Azure AD enforces for dynamic groups.

How to eliminate wrong answers

Option A is wrong because a license assignment is not required for dynamic group membership evaluation; licenses affect service access, not group rule processing. Option B is wrong because mail-enabled security groups can be dynamic groups in Azure AD; the group type does not inherently block membership updates. Option D is wrong because the question states the sync from HR to Azure AD is working, meaning the attribute change has already been synced; the issue is the subsequent evaluation delay, not a missing attribute.

10
Multi-Select · medium

A multinational company uses Microsoft 365 E5 licenses for all employees. Due to a recent cost optimization initiative, the IT department must remove Microsoft Entra ID Plan 2 and Microsoft Defender for Office 365 Plan 2 from a subset of users, while retaining the core Microsoft 365 E5 functionality (Exchange Online, SharePoint Online, Teams, and Microsoft 365 Apps). The company uses group-based licensing with dynamic groups. You need to recommend a licensing strategy that minimizes administrative effort and avoids service disruption. Which three of the following steps should you include in your strategy? (Choose three.)

Select 3 answers
- Create a new Microsoft 365 E5 license SKU that excludes the add-on services and assign this custom SKU to the affected users via a dynamic group.
- Identify the GUIDs of the service plans to be disabled (Microsoft Entra ID Plan 2 and Defender for Office 365 Plan 2) and use the Set-MgUserLicense cmdlet with the -RemoveLicenses parameter to remove specific service plans from existing licenses.
- Use a dynamic group to assign the standard Microsoft 365 E5 license but configure the group's license assignment to disable the unwanted service plans by specifying the disabled service plan GUIDs in the license assignment configuration.
- Remove the Microsoft 365 E5 license from all users in the affected group and then assign a new, lower-cost license such as Microsoft 365 E3 to those users.
- Use Microsoft Entra ID Governance's Access Reviews to automatically remove the unwanted service plans from the affected users' licenses on a recurring basis.
- Use Microsoft Graph PowerShell to bulk-update the existing group-based licensing assignment for the affected dynamic group, specifying the service plans to disable in the -DisabledServicePlans parameter.

Why this answer

The correct approach is to keep the existing Microsoft 365 E5 license but disable specific service plans (Microsoft Entra ID Plan 2 and Defender for Office 365 Plan 2) within the license assignment. This is done by identifying the service plan GUIDs and using either the Set-MgUserLicense cmdlet with the -RemoveLicenses parameter, configuring the dynamic group’s license assignment to disable those service plans, or using Microsoft Graph PowerShell with the -DisabledServicePlans parameter. These methods minimize administrative effort by leveraging group-based licensing and avoid service disruption because the core E5 functionality remains intact.

Exam trap

The trap here is that candidates may think custom SKUs or license downgrades are necessary, but Microsoft 365 E5 licenses are monolithic and must be assigned as-is, with service plan disabling handled at the assignment level rather than by creating new SKUs.

11
MCQ · medium

Refer to the exhibit. A user reports that they cannot activate Microsoft 365 Apps. The user has an E3 license assigned and the UsageLocation is set to US. The output shows the license details. What is the most likely cause of the issue?

A. The user's UsageLocation is set to a region where Microsoft 365 Apps is not available.
B. The user's license does not include the Microsoft 365 Apps for enterprise service plan.
C. The tenant has exceeded the maximum number of licensed users.
D. The user has not been assigned a license.
Answer: B

The exhibit does not show that the license includes the Office service plan (e.g., OFFICESUBSCRIPTION).

Why this answer

The exhibit shows that the user has an E3 license assigned, but the license details indicate that the Microsoft 365 Apps for enterprise service plan (commonly represented as 'O365_PRO_PLUS' or 'OFFICESUBSCRIPTION') is not enabled or included in the assigned SKU. Without this specific service plan, the user cannot activate Microsoft 365 Apps, even though the base E3 license is present. The UsageLocation being set to US is valid and does not block activation.

Exam trap

Microsoft often tests the misconception that any E3 license automatically includes all service plans, but in reality, admins can disable individual service plans, and the exam expects you to recognize that the missing service plan is the root cause.

How to eliminate wrong answers

Option A is wrong because the user's UsageLocation is set to US, where Microsoft 365 Apps is fully available, and the exhibit does not indicate any regional restriction. Option C is wrong because the tenant license count is unrelated to an individual user's activation failure; the error would be a global provisioning issue, not a per-user activation problem. Option D is wrong because the exhibit clearly shows that a license is assigned to the user; the issue is that the required service plan within that license is missing.

12
MCQ · medium

A company has a Microsoft 365 E5 subscription. The security team requires that all guest users accept terms of use before accessing resources. Which Azure AD feature should be configured?

A. Azure AD Terms of Use
B. Conditional Access policy
C. Azure AD Identity Protection
D. Self-service password reset
Answer: A

Azure AD Terms of Use allows creating and requiring acceptance.

Why this answer

Azure AD Terms of Use (ToU) is the correct feature because it allows administrators to present a document to guest users that they must accept before accessing resources. This directly meets the security team's requirement for mandatory terms of use acceptance. Conditional Access policies can enforce ToU acceptance, but the ToU document itself is created and managed under the Azure AD Terms of Use blade.

Exam trap

The trap here is that candidates often confuse the 'Terms of Use' feature with 'Conditional Access policies' because Conditional Access is the enforcement mechanism, but the question specifically asks which feature should be configured to have the terms of use document itself, not the policy that enforces it.

How to eliminate wrong answers

Option B (Conditional Access policy) is wrong because while a Conditional Access policy can enforce the requirement to accept Terms of Use, it is not the feature that creates or hosts the terms of use document; the Terms of Use feature is the prerequisite. Option C (Azure AD Identity Protection) is wrong because it is designed to detect and respond to identity-based risks (e.g., leaked credentials, sign-ins from anonymous IPs), not to enforce terms of use acceptance. Option D (Self-service password reset) is wrong because it allows users to reset their own passwords and does not involve presenting or accepting terms of use.

13
MCQ · hard

You are troubleshooting a user who reports that they cannot access Microsoft Teams. The user has an E3 license assigned, but Teams is grayed out in the app launcher. You verify that the user is assigned the correct license and that the service plan for Teams is enabled. What is the most likely cause?

A. The user has been blocked from signing in to Microsoft Teams in the Microsoft 365 admin center.
B. The user does not have a valid email address.
C. The Teams service plan is disabled in the license.
D. The user's license has expired.
Answer: A

Admins can block specific services for a user under user settings.

Why this answer

Option A is correct because even if the license and service plan are enabled, the user might be blocked from the service via the admin center's user settings. Option B is wrong because the license is assigned. Option C is wrong because the service plan is enabled.

Option D is wrong because the issue is specific to Teams, not all services.

14
MCQ · medium

An admin needs to bulk assign licenses to 200 users based on department. Which method is most efficient?

A. Use Azure AD PowerShell script
B. Use Azure admin center bulk operations
C. Use group-based licensing in Azure AD
D. Assign licenses one by one in admin center
Answer: C

Automatically assigns licenses to group members.

Why this answer

Group-based licensing in Azure AD is the most efficient method for bulk-assigning licenses to 200 users based on department because it automates license assignment and removal based on group membership. Once a user is added to or removed from a department-specific group, Azure AD automatically applies or revokes the corresponding license, eliminating manual intervention and ensuring consistency across large-scale deployments.

Exam trap

The trap here is that candidates often choose PowerShell (Option A) because they assume scripting is always the most efficient for bulk operations, but they overlook that group-based licensing is a fully automated, policy-driven solution that requires no ongoing script execution or manual triggers.

How to eliminate wrong answers

Option A is wrong because using an Azure AD PowerShell script, while automated, requires manual execution, maintenance, and error handling for 200 users, making it less efficient than a fully managed, policy-driven approach like group-based licensing. Option B is wrong because the Azure admin center bulk operations (e.g., CSV upload) are a one-time manual process that does not scale well for ongoing changes in department membership or license requirements. Option D is wrong because assigning licenses one by one in the admin center is highly inefficient and error-prone for 200 users, violating the principle of least effort and automation for bulk tasks.

15
Drag & Drop · medium

Drag and drop the steps to configure a custom sensitivity label in Microsoft Purview into the correct order.


Why this order

Sensitivity labels are created in the Purview portal, configured with protection settings, and then published via a label policy.

16
MCQ · easy

A company has a hybrid identity setup. A new employee is created in on-premises AD but does not appear in Azure AD after sync. What should the admin check first?

A. Organizational unit filtering
B. DNS configuration
C. License assignment
D. Azure AD Connect synchronization status
Answer: D

Sync may be failing or not scheduled.

Why this answer

When a new user is created in on-premises Active Directory but does not appear in Azure AD after synchronization, the first troubleshooting step is to check the Azure AD Connect synchronization status. This is because Azure AD Connect is the service responsible for synchronizing objects from on-premises AD to Azure AD, and any sync failure, delay, or misconfiguration (such as a stopped sync cycle or filtering rules) would prevent the user from appearing. Checking the sync status via the Azure AD Connect wizard or the Synchronization Service Manager can immediately reveal whether the object was exported, skipped, or errored.

Exam trap

The trap here is that candidates often jump to license assignment (Option C) because they think a user must have a license to appear in Azure AD, but in reality, unlicensed users still appear in Azure AD after sync; the license only enables service access, not directory presence.

How to eliminate wrong answers

Option A is wrong because organizational unit (OU) filtering is a configuration within Azure AD Connect that controls which OUs are synchronized, but it is not the first thing to check; if the user's OU is excluded, the user would never sync, but the admin should first verify the sync status to see if the user is being processed at all. Option B is wrong because DNS configuration is unrelated to user synchronization; DNS is used for name resolution in network connectivity, but Azure AD Connect communicates over HTTPS and does not rely on DNS for object-level sync issues. Option C is wrong because license assignment is a post-sync step; a user must first appear in Azure AD before licenses can be assigned, so checking licenses would be premature and irrelevant if the user has not synced.

17
MCQ · medium

You are the Microsoft 365 administrator for Fabrikam Inc., a company with 1,000 users. You have been asked to delegate the ability to reset passwords for all users to the help desk team. The help desk team consists of five users. You want to grant them the minimum necessary permissions. Additionally, you need to ensure that the help desk team can only reset passwords for users in the 'Users' organizational unit (OU) in on-premises Active Directory. The company uses Azure AD Connect with password hash sync. You create a security group named 'HelpDeskGroup' and add the help desk users to it. What should you do next?

A. Assign the Global Administrator role to the group
B. Assign the User Administrator role to the group
C. Assign the Helpdesk Administrator role to the group and create an administrative unit scoped to the Users OU
D. Assign the Password Administrator role to the group and configure Azure AD Connect to restrict OU
Answer: C

Scoped role assignment via administrative unit.

Why this answer

Option C is correct because the Helpdesk Administrator role provides the least-privilege permissions for password resets, and creating an administrative unit (AU) scoped to the 'Users' OU allows you to restrict the role's management scope to only those users synced from that specific on-premises OU. This combination meets the requirement to delegate password reset with minimal permissions and scope limitation.

Exam trap

The trap here is that candidates often confuse the Password Administrator role (which can reset passwords but cannot be scoped) with the Helpdesk Administrator role (which can be scoped via administrative units), or incorrectly believe that Azure AD Connect can restrict administrative permissions based on on-premises OUs.

How to eliminate wrong answers

Option A is wrong because the Global Administrator role grants full access to all Azure AD and Microsoft 365 settings, far exceeding the minimum necessary permissions for password resets. Option B is wrong because the User Administrator role can manage all users and groups, including creating and deleting users, which is more than the required password reset capability. Option D is wrong because the Password Administrator role cannot be scoped to an on-premises OU via Azure AD Connect; Azure AD Connect synchronizes objects but does not restrict administrative role scope, and administrative units are the correct mechanism for scoping Azure AD roles.

18
Drag & Drop · medium

Drag and drop the steps to configure Microsoft 365 Groups expiration policy in the correct order.


Why this order

Groups expiration policy is set in the admin center with a duration, notification owner, and deletion behavior.

19
MCQ · hard

You are a Microsoft 365 administrator for a medium-sized company with 500 users. The company uses Microsoft 365 E3 licenses. Recently, the company acquired a small subsidiary with 50 users who already have their own Microsoft 365 tenant with E3 licenses. You need to migrate the subsidiary's users to the main tenant while minimizing downtime and ensuring that users retain their existing email and OneDrive data. You plan to use cross-tenant migration. However, after setting up the migration, you notice that the subsidiary's users cannot access the main tenant's SharePoint Online sites. They receive an access denied error. You verify that the users have been added to the main tenant's Azure AD and are assigned licenses. What should you do to resolve the issue?

A. Re-run the cross-tenant migration and select the option to convert users to mail-in-contact.
B. In the SharePoint admin center, add the subsidiary's domain as an allowed domain for sharing.
C. Assign the users a new license from the main tenant's subscription.
D. Configure cross-tenant access settings in Azure AD to allow the subsidiary's tenant to access the main tenant's resources.
Answer: D

Cross-tenant access policies control how external users access resources.

Why this answer

Option D is correct because cross-tenant migration in Microsoft 365 requires explicit cross-tenant access settings in Azure AD to allow users from the subsidiary's tenant to access resources in the main tenant, such as SharePoint Online. Without configuring these settings, the subsidiary's users will receive access denied errors even after being added to the main tenant's Azure AD and assigned licenses, as SharePoint enforces tenant-level access policies.

Exam trap

The trap here is that candidates often confuse cross-tenant migration with simple user addition and assume that assigning a license or adjusting sharing settings resolves access, when in fact Azure AD cross-tenant access settings are mandatory for SharePoint Online resource access after migration.

How to eliminate wrong answers

Option A is wrong because re-running the migration with the 'convert users to mail-in-contact' option would remove the users from Azure AD and break their ability to access any resources, including SharePoint, and is not a valid step for resolving access issues. Option B is wrong because adding the subsidiary's domain as an allowed domain for sharing in the SharePoint admin center only controls external sharing policies, not cross-tenant authentication or authorization for migrated users. Option C is wrong because the users already have licenses assigned from the main tenant's subscription, and assigning a new license does not address the underlying cross-tenant access control issue.

20 · MCQ · easy

An admin needs to provide a vendor with temporary access to a SharePoint site. What should the admin create?

A. Guest user in Azure AD
B. Anonymous sharing link
C. Security group
D. New user in your domain
Answer: A

Allows external access with B2B collaboration.

Why this answer

A is correct because creating a guest user in Azure AD is the proper method to grant external users access to SharePoint Online resources with controlled permissions. Guest users are invited via Azure AD B2B collaboration, which allows the admin to assign specific SharePoint site permissions while maintaining oversight and the ability to revoke access. This approach ensures the vendor has a distinct identity for auditing and conditional access policies.

Exam trap

The trap here is that candidates often confuse anonymous sharing links (which are easy to create) with proper external user management, overlooking the need for identity-based access control and auditability required for vendor access.

How to eliminate wrong answers

Option B is wrong because an anonymous sharing link provides unrestricted access to anyone with the link, bypassing authentication and auditing, which violates the requirement for temporary, controlled vendor access. Option C is wrong because a security group is used to manage permissions for existing users within the organization, not to invite external vendors; it cannot create an external identity. Option D is wrong because creating a new user in your domain would require the vendor to have a mailbox and identity within your on-premises or cloud directory, which is unnecessary and introduces administrative overhead for temporary access.

21 · MCQ · hard

A company uses dynamic groups based on department attribute. A user moved from Sales to Marketing but the group membership did not update after 48 hours. What should the admin do first?

A. Delete and recreate the group
B. Run a PowerShell script to update membership
C. Wait another 24 hours
D. Manually refresh the dynamic group in Azure AD
Answer: D

Manual refresh forces recalculation.

Why this answer

Option D is correct because Azure AD dynamic group membership evaluation is not instantaneous; it occurs on a periodic schedule. When a user's attribute changes, the admin can manually trigger a refresh by selecting 'Refresh' on the dynamic group's overview page in the Azure portal, which forces an immediate evaluation of the membership rules. This is the first troubleshooting step before waiting longer or using other methods.

Exam trap

The trap here is that candidates assume dynamic group membership updates are instantaneous or that PowerShell can force a refresh, when in fact the only supported manual trigger is through the Azure portal or Graph API, and waiting is not the first recommended action.

How to eliminate wrong answers

Option A is wrong because deleting and recreating the group would cause loss of group settings, assigned licenses, and policies, and is an unnecessary destructive action when a manual refresh can resolve the delay. Option B is wrong because there is no native PowerShell cmdlet to force a dynamic group membership refresh; the only supported method is through the Azure portal or Microsoft Graph API. Option C is wrong because waiting another 24 hours is not a proactive troubleshooting step; the admin should first attempt a manual refresh to expedite the evaluation.

22 · Multi-Select · medium

You are a Microsoft 365 Administrator for a company that is implementing a hybrid identity solution with Active Directory Federation Services (AD FS) for single sign-on (SSO). The company has recently acquired a subsidiary with its own on-premises Active Directory domain. You need to ensure that the identity lifecycle for users from the subsidiary is managed effectively through Microsoft Entra ID (formerly Azure AD) and that licensing is assigned efficiently. Which three of the following actions should you take? (Choose three.)

Select 3 answers
A. Configure Microsoft Entra Connect to synchronize identities from the subsidiary’s Active Directory domain, and use group-based licensing to automatically assign Microsoft 365 licenses to synced users based on their department attribute.
B. Create a new Microsoft Entra tenant for the subsidiary and configure cross-tenant synchronization to bring users into the main tenant.
C. Use Microsoft Entra Connect to implement a filtered synchronization scope so that only users from the subsidiary’s sales department are synchronized initially.
D. Configure Microsoft Entra cloud sync for the subsidiary domain to synchronize users, then assign licenses manually through PowerShell scripts to avoid any inheritance issues.
E. Enable Microsoft Entra ID Governance’s Entitlement Management to create access packages that include Microsoft 365 licenses and automatically assign them to users based on their membership in dynamic groups.
F. Configure password hash synchronization (PHS) for the subsidiary domain because AD FS cannot coexist with directory synchronization on separate domains.

Why this answer

Option A is correct because Microsoft Entra Connect can synchronize identities from multiple on-premises AD forests into a single Microsoft Entra tenant, and group-based licensing allows automatic assignment of Microsoft 365 licenses based on directory attributes like department, ensuring efficient lifecycle management. Option C is correct because filtered synchronization scope (e.g., using OU or attribute filtering) lets you initially synchronize only a subset of users (like sales) to control the rollout and test the hybrid identity configuration. Option E is correct because Microsoft Entra ID Governance’s Entitlement Management can create access packages that include licenses and assign them via dynamic group membership, providing automated, policy-driven license assignment that integrates with identity lifecycle.

Exam trap

The trap here is that candidates often assume a separate tenant is required for an acquired subsidiary (Option B) or that cloud sync is equivalent to Entra Connect for AD FS scenarios (Option D), when in fact multi-forest sync with a single tenant and group-based licensing is the recommended approach for hybrid identity lifecycle management.

23 · Matching · medium

Match each Microsoft 365 service to its primary purpose.

Matches

Email and calendar

Document management and collaboration

Chat, meetings, and collaboration

Personal cloud storage

Enterprise social networking

Why these pairings

These are core Microsoft 365 workloads.

24 · Multi-Select · medium

Which TWO roles can manage user licenses without being able to create users?

Select 2 answers
A. License Administrator
B. Billing Administrator
C. Global Administrator
D. User Administrator
E. Helpdesk Administrator
Answers: A, B

Can assign/remove licenses.

Why this answer

The License Administrator role in Microsoft 365 is specifically designed to allow users to manage licenses assigned to users and groups without having permissions to create new user accounts. This role grants access to the Microsoft 365 admin center's Billing > Licenses section and the Azure AD Licenses blade, enabling license assignment, removal, and consumption monitoring, but it explicitly excludes user creation or deletion capabilities.

Exam trap

The trap here is that candidates often confuse the License Administrator with the User Administrator, assuming that license management inherently includes user creation, but Microsoft explicitly separates these permissions to enforce least-privilege access.

25 · MCQ · medium

An organization wants to delegate user creation to help desk staff without granting global admin rights. Which role should be assigned?

A. Global Administrator
B. Helpdesk Administrator
C. License Administrator
D. User Administrator
Answer: D

Can create users and manage licenses.

Why this answer

The User Administrator role is the correct choice because it grants the specific permissions needed to create and manage users and groups, including resetting passwords, without the broad privileges of Global Administrator. This role aligns with the principle of least privilege for help desk staff who need to perform user creation tasks.

Exam trap

The trap here is that candidates often confuse Helpdesk Administrator with User Administrator because both can reset passwords, but only User Administrator can create users, which is the specific task required in the question.

How to eliminate wrong answers

Option A is wrong because Global Administrator has unrestricted access to all Azure AD and Microsoft 365 settings, which is excessive and violates security best practices for delegating user creation. Option B is wrong because Helpdesk Administrator can reset passwords and manage service requests but cannot create users or modify user attributes beyond password resets. Option C is wrong because License Administrator can only assign and manage licenses for users and groups, not create new user accounts.

26 · MCQ · hard

A user with an E5 license is unable to use Azure Information Protection (AIP). The admin confirms the license is assigned. What is the most likely cause?

A. AIP requires an additional subscription
B. AIP client is not installed
C. AIP service plan is disabled in the license
D. User account is blocked
Answer: C

Service plans can be toggled per user.

Why this answer

Even with an E5 license assigned, the Azure Information Protection (AIP) service plan must be explicitly enabled for the user. By default, some service plans within an E5 license may be disabled, and the AIP service plan (commonly labeled as 'Azure Information Protection' or 'Information Protection for Office 365') must be toggled on in the user's license settings in the Microsoft 365 admin center. Without this, the user cannot activate AIP features regardless of license assignment.

Exam trap

The trap here is that candidates assume an E5 license automatically grants full access to all included features, but Microsoft requires each service plan to be individually enabled, and the exam tests this granular licensing behavior.

How to eliminate wrong answers

Option A is wrong because E5 already includes AIP; no additional subscription is needed. Option B is wrong because the AIP client is only required for on-premises labeling or unified labeling client scenarios, but the core AIP service (e.g., protection, labeling in Office apps) works via the cloud service plan. Option D is wrong because a blocked user account would prevent all access, not just AIP, and the question states the user is unable to use AIP specifically, not that they are blocked from all services.

27 · Matching · medium

Match each Microsoft 365 networking port to its protocol.

Matches

HTTPS

SMTP

SMTP (submission)

IMAP

IMAP over SSL

Why these pairings

These ports are commonly used for Microsoft 365 connectivity.

28 · Multi-Select · medium

Which TWO actions can an admin take to reduce the number of passwords in use for end users?

Select 2 answers
A. Enforce complex password policies
B. Enable Windows Hello for Business
C. Configure self-service password reset
D. Implement password hash sync
E. Deploy Microsoft Authenticator for passwordless sign-in
Answers: B, E

Passwordless sign-in.

Why this answer

Windows Hello for Business replaces traditional password authentication with strong two-factor authentication tied to a user's device, using biometrics or a PIN. This directly reduces the reliance on passwords for end users by enabling passwordless sign-in to Windows devices and integrated applications.

Exam trap

The trap here is that candidates often confuse password reduction with password management improvements, such as SSPR or password policies, which do not actually decrease the number of passwords users must remember.

29 · MCQ · hard

An organization needs to restrict access to Microsoft 365 admin center to only specific users. Which approach should be used?

A. Enable MFA for all admins
B. Create a Conditional Access policy targeting the Microsoft Admin Portals cloud app
C. Assign Global Admin role only to required users
D. Use Privileged Identity Management
Answer: B

Can block access to admin portals for specified users.

Why this answer

Option B is correct because a Conditional Access policy targeting the 'Microsoft Admin Portals' cloud app allows granular control over which users can access the Microsoft 365 admin center. This policy can enforce conditions such as user/group membership, device compliance, or location to restrict access, ensuring only specific authorized users can reach the admin portals.

Exam trap

The trap here is that candidates often confuse role-based access control (assigning Global Admin) with access control to the admin center itself, assuming limiting role assignments is sufficient, but Conditional Access policies are required to explicitly block or allow access to the admin portals regardless of role membership.

How to eliminate wrong answers

Option A is wrong because enabling MFA for all admins enhances authentication security but does not restrict which users can access the admin center; any user with admin roles can still sign in after MFA. Option C is wrong because assigning the Global Admin role only to required users limits administrative privileges but does not prevent those users from accessing the admin center; the goal is to restrict access to the admin center itself, not just the role assignment. Option D is wrong because Privileged Identity Management (PIM) provides just-in-time role activation and approval workflows, but it does not directly block access to the admin center; users with eligible roles can still activate and access it unless combined with a Conditional Access policy.
