Back to Microsoft 365 Administrator MS-102 questions

Scenario-based practice

Hard Difficulty Questions

Practise Microsoft 365 Administrator MS-102 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20
scenario questions
MS-102
exam code
Microsoft
vendor

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard Difficulty Questions questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Related practice questions

Related MS-102 topic practice pages

Scenario questions usually connect to one or more exam topics. Use these links to review the underlying concepts behind the scenario.

Practice set

Practice scenarios

Question 1hardmultiple choice
Full question →

A company uses Microsoft Entra ID Governance to automate the lifecycle of user access. They want to automatically remove a user's group membership for a critical application 30 days after the user's employment end date is captured from the HR system. Which feature should be configured to meet this requirement?

Question 2hardmultiple choice
Full question →

A company invites external partners as B2B guest users in Microsoft Entra ID. The partners' home tenants do not support MFA. The company wants to require MFA when guests access an internal application. What should the company configure?

Question 3hardmultiple choice
Full question →

A security administrator needs to block users from running portable executable files (e.g., .exe, .scr) that were downloaded from the internet on Windows devices. Which Attack Surface Reduction (ASR) rule should the administrator enable to meet this requirement?

Question 4hardmultiple choice
Full question →

A development team builds a background service that needs to read all users' calendars via Microsoft Graph without a signed-in user. The service will run on a server with a client secret. Which OAuth 2.0 grant flow should the application use?

Question 5hardmultiple choice
Read the full Ansible explanation →

A security administrator needs to configure an automated investigation and response (AIR) playbook in Microsoft 365 Defender that will automatically isolate a device whenever a high-severity alert from Microsoft Defender for Endpoint is generated. The playbook must run without requiring manual approval. Which configuration must the administrator set to achieve automatic device isolation?

Question 6hardmultiple choice
Full question →

A security analyst wants to automatically create a Microsoft Teams message in a dedicated security channel whenever a Microsoft 365 Defender incident with severity 'High' is created. Which automation approach should the analyst use?

Question 7hardmultiple choice
Full question →

A security administrator notices that users are receiving phishing emails that evade built-in anti-spam filters. The administrator wants to enable users to report these suspicious emails from Outlook and have them automatically trigger an investigation and block the sender. Which feature should be configured in Microsoft Defender for Office 365?

Question 8hardmulti select
Full question →

A security administrator needs to discover which cloud apps are being used in the organization and then block usage of unsanctioned apps in real time using a reverse proxy. Which two Microsoft Defender for Cloud Apps features must be configured to meet these requirements? (Select all that apply.)

Question 9hardmultiple choice
Study the full multicast explanation →

A company wants to require approval for any activation of the Global Administrator role in Privileged Identity Management (PIM). The approvers are predefined as members of a security group named 'GA-Approvers'. Activations must require a business justification and expire after 4 hours. Which PIM configuration should the administrator modify to meet these requirements?

Question 10hardmultiple choice
Full question →

An organization has multiple Microsoft Entra ID tenants and wants to allow partner users to access internal applications using their own corporate credentials. Which feature should be used to enable this?

Question 11hardmultiple choice
Full question →

An organization with Microsoft Entra ID P2 licenses needs to enforce that all users accessing the Azure portal must use FIDO2 security keys for multi-factor authentication. Which configuration should be implemented?

Question 12hardmultiple choice
Full question →

A security administrator needs to block outbound network connections from a compromised Windows device to command-and-control servers. The solution must work at the network layer and be centrally managed via Microsoft 365 Defender. Which feature should the administrator enable?

Question 13hardmultiple choice
Full question →

A company uses Microsoft Entra ID P2 licenses and wants to implement just-in-time (JIT) privileged access for administrators. Security requirements state that Global Administrator role members must request approval and provide a business justification before their role activation expires after 4 hours. Which Microsoft Entra feature should be configured?

Question 14hardmultiple choice
Full question →

A user with an E5 license is unable to use Azure Information Protection (AIP). The admin confirms the license is assigned. What is the most likely cause?

Question 15hardmultiple choice
Full question →

An organization needs to restrict access to Microsoft 365 admin center to only specific users. Which approach should be used?

Question 16hardmulti select
Full question →

Which THREE steps are required to enable group-based licensing?

Question 17hardmultiple choice
Full question →

You are a Microsoft 365 administrator for a medium-sized company with 500 users. The company uses Microsoft 365 E3 licenses. Recently, the company acquired a small subsidiary with 50 users who already have their own Microsoft 365 tenant with E3 licenses. You need to migrate the subsidiary's users to the main tenant while minimizing downtime and ensuring that users retain their existing email and OneDrive data. You plan to use cross-tenant migration. However, after setting up the migration, you notice that the subsidiary's users cannot access the main tenant's SharePoint Online sites. They receive an access denied error. You verify that the users have been added to the main tenant's Azure AD and are assigned licenses. What should you do to resolve the issue?

Question 18hardmultiple choice
Full question →

You are troubleshooting a user who reports that they cannot access Microsoft Teams. The user has an E3 license assigned, but Teams is grayed out in the app launcher. You verify that the user is assigned the correct license and that the service plan for Teams is enabled. What is the most likely cause?

Question 19hardmultiple choice
Full question →

A company has 500 users across Sales, Marketing, and IT departments. User objects are synced from on-premises Active Directory to Microsoft Entra ID using Azure AD Connect. Each department requires different Microsoft 365 license plans (e.g., Sales needs E3, Marketing needs Business Premium, IT needs E5). The administrator wants to automatically assign the appropriate license based on the department attribute without manual intervention. Which approach should the administrator use?

Question 20hardmulti select
Full question →

A company uses Microsoft Entra ID with conditional access policies. They need to ensure that all external users who are invited via B2B collaboration must perform multi-factor authentication (MFA) when accessing the corporate SharePoint Online site. Which two configurations are required? (Choose two.)

These MS-102 practice questions are part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style MS-102 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.