Back to Microsoft 365 Administrator MS-102 questions

Scenario-based practice

Refer to the Exhibit Practice Questions

Practise Microsoft 365 Administrator MS-102 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15
scenario questions
MS-102
exam code
Microsoft
vendor

Scenario guide

How to approach refer to the exhibit practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.

Related practice questions

Related MS-102 topic practice pages

Scenario questions usually connect to one or more exam topics. Use these links to review the underlying concepts behind the scenario.

Practice set

Practice scenarios

Question 1mediummultiple choice
Full question →

Refer to the exhibit. A user reports that they cannot activate Microsoft 365 Apps. The user has an E3 license assigned and the UsageLocation is set to US. The output shows the license details. What is the most likely cause of the issue?

Exhibit

Refer to the exhibit.

```
Get-AzureADUser -ObjectId user@contoso.com | Select-Object -Property AssignedLicenses

AssignedLicenses
---------------
{@{DisabledPlans=System.Object[]; SkuId=contoso:ENTERPRISEPACK}}

Get-AzureADSubscribedSku | Where-Object {$_.SkuId -eq 'contoso:ENTERPRISEPACK'} | Select-Object -Property ServicePlans

ServicePlans
------------
{@{ServicePlanId=...; ServiceName=EXCHANGE_S_ENTERPRISE; ProvisioningStatus=Success; AppliesTo=User}, ...}

Get-AzureADUser -ObjectId user@contoso.com | Select-Object -Property UsageLocation

UsageLocation
-------------
US
```
Question 2hardmulti select
Full question →

A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should fire when a Windows device exhibits this sequence of events within 3 minutes: 1) A PowerShell process runs with an encoded command, 2) A service is created with a random name, and 3) An outbound network connection to a suspicious IP address is observed. Which three Advanced Hunting tables must be joined in the KQL query to create this detection?

Question 3mediummultiple choice
Full question →

A Global Administrator signs in to the Microsoft 365 admin center but is not prompted for MFA. The policy in the exhibit is the only Conditional Access policy. What is the most likely reason?

Exhibit

Refer to the exhibit.
```json
{
  "displayName": "MFA for Admins",
  "state": "enabled",
  "conditions": {
    "users": {
      "includeRoles": ["Global Administrator", "Exchange Administrator"]
    },
    "applications": {
      "includeApplications": ["All"]
    }
  },
  "grantControls": {
    "builtInControls": ["mfa"]
  }
}
```
Question 4easymultiple choice
Full question →

Refer to the exhibit. You run the PowerShell command in a Microsoft 365 tenant. What does the output indicate?

Exhibit

Refer to the exhibit.
```powershell
Get-MgOrganization | Select-Object DisplayName, TechnicalNotificationMails
```
Output:
```
DisplayName     TechnicalNotificationMails
-----------     -------------------------
Contoso Ltd.    {admin@contoso.com, it@contoso.com}
```
Question 5easymultiple choice
Full question →

Refer to the exhibit. You run this PowerShell command in your Microsoft 365 tenant. What is the purpose of the command?

Exhibit

Refer to the exhibit.
```
Get-MsolUser -All | Where-Object {$_.isLicensed -eq $false} | Select-Object UserPrincipalName
```
Question 6hardmultiple choice
Full question →

Refer to the exhibit. You are reviewing a Conditional Access policy in Microsoft Entra ID. What is the effect of this policy?

Exhibit

Refer to the exhibit.
```json
{
  "conditions": {
    "applications": {
      "includeApplications": ["Office365"]
    },
    "users": {
      "includeUsers": ["All"]
    },
    "platforms": {
      "includePlatforms": ["iOS", "Android"]
    }
  },
  "grantControls": {
    "builtInControls": ["mfa", "compliantDevice"]
  }
}
```
Question 7hardmultiple choice
Full question →

You are reviewing a Conditional Access policy in Microsoft Entra ID. The exhibit shows the policy configuration. You need to allow users to access Office 365 applications from personal devices that are not enrolled in Microsoft Intune. However, the policy currently blocks access because it requires a compliant device. Users are prompted for MFA but then blocked due to device compliance. What should you modify in the policy?

Exhibit

Refer to the exhibit.

```json
{
  "conditions": {
    "applications": {
      "includeApplications": ["Office365"]
    },
    "users": {
      "includeUsers": ["All"]
    },
    "locations": {
      "includeLocations": ["All"]
    }
  },
  "grantControls": {
    "builtInControls": ["mfa", "compliantDevice"]
  },
  "sessionControls": {
    "applicationEnforcedRestrictions": null,
    "cloudAppSecurity": {
      "cloudAppSecurityType": "monitorOnly"
    }
  }
}
```
Question 8easymultiple choice
Full question →

Refer to the exhibit. You run the KQL query in Microsoft Sentinel. The query returns zero results even though you know user@contoso.com has had failed sign-in attempts in the last 30 days. What is the most likely reason?

Exhibit

Refer to the exhibit.

```kusto
SigninLogs
| where TimeGenerated > ago(30d)
| where UserPrincipalName == "user@contoso.com"
| summarize TotalAttempts = count(), FailedAttempts = countif(ResultType != 0), Locations = make_set(Location) by AppDisplayName
| where FailedAttempts > 0
```
Question 9hardmultiple choice
Full question →

You are reviewing a Conditional Access session control configuration in Microsoft Entra ID. Based on the exhibit, what is the expected behavior when a user signs in?

Exhibit

Refer to the exhibit.

{
  "signInFrequency": "EveryTime",
  "sessionControls": [
    {
      "applicationEnforcedRestrictions": null,
      "cloudAppSecurity": {
        "cloudAppSecurityType": "monitorOnly",
        "isEnabled": true
      },
      "persistentBrowser": null,
      "signInFrequency": {
        "type": "everyTime",
        "value": null
      }
    }
  ]
}
Question 10mediummultiple choice
Full question →

You are examining the default cross-tenant access policy for your Microsoft Entra ID tenant. Based on the exhibit, which statement is true?

Exhibit

Refer to the exhibit.

PowerShell Output:
Get-MgPolicyCrossTenantAccessPolicyDefault -Default

Id                                   : default
DisplayName                          : Default policy
IsServiceDefault                     : True
B2BCollaborationInbound              : @{Applications=; UsersAndGroups=; Organizations=}
B2BCollaborationOutbound             : @{Applications=; UsersAndGroups=; Organizations=}
B2BDirectConnectInbound              : @{Applications=; UsersAndGroups=; Organizations=}
B2BDirectConnectOutbound             : @{Applications=; UsersAndGroups=; Organizations=}
InboundTrust                          : @{IsMfaAccepted=$false; IsCompliantDeviceAccepted=$false; IsHybridAzureADJoinedDeviceAccepted=$false}
Question 11hardmultiple choice
Read the full NAT/PAT explanation →

Refer to the exhibit. The conditional access policy JSON shown above is applied to all users. A user authenticates from a trusted location and wants to access a cloud app. Which combination of controls will be enforced?

Exhibit

{
  "conditions": {
    "users": {
      "includeUsers": ["All"]
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "locations": {
      "includeLocations": ["AllTrusted"]
    },
    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]
  },
  "grantControls": {
    "builtInControls": ["mfa"],
    "termsOfUse": ["termsOfUseId1"]
  },
  "sessionControls": {
    "signInFrequency": {
      "value": 1,
      "type": "hours"
    },
    "persistentBrowser": {
      "mode": "never"
    }
  }
}
Question 12mediummultiple choice
Full question →

Refer to the exhibit. You have a Conditional Access policy as shown. A Global Administrator reports that they are not prompted for MFA when accessing the Azure portal. Which is the most likely reason?

Exhibit

{
  "ConditionalAccessPolicies": [
    {
      "displayName": "Require MFA for admins",
      "conditions": {
        "users": {
          "includeRoles": ["Global Administrator", "Exchange Administrator"]
        },
        "applications": {
          "includeApplications": ["Office 365 Exchange Online", "Microsoft Azure Management"]
        }
      },
      "grantControls": {
        "builtInControls": ["mfa"]
      }
    }
  ]
}
Question 13hardmultiple choice
Full question →

Refer to the exhibit. You run the KQL query in advanced hunting. What is the primary purpose of this query?

Exhibit

Refer to the exhibit.

```kusto
// KQL query in Microsoft Defender XDR advanced hunting
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "cmd.exe")
| where ProcessCommandLine contains "-EncodedCommand"
| project Timestamp, DeviceName, FileName, ProcessCommandLine
| summarize Count = count() by DeviceName
| where Count > 10
```
Question 14mediummultiple choice
Full question →

Refer to the exhibit. What is the effect of this session policy?

Exhibit

Refer to the exhibit.

```json
// Microsoft Defender for Cloud Apps session policy configuration snippet
{
  "policyType": "session",
  "name": "Block Download for Unmanaged Devices",
  "conditions": {
    "clientType": {
      "include": ["browser", "nativeClient"]
    },
    "deviceTag": {
      "include": ["unmanaged"]
    },
    "app": {
      "include": ["SharePoint Online", "OneDrive for Business"]
    }
  },
  "actions": {
    "block": ["download"]
  }
}
```
Question 15easymultiple choice
Full question →

Refer to the exhibit. You deploy this configuration profile to Windows devices. What is the most likely outcome?

Network Topology
Microsoft Defender for Endpoint device configuration profile<!>Refer to the exhibit.```xml<DeviceConfiguration><DefenderForEndpoint><EnableAutomatedInvestigation>true</EnableAutomatedInvestigation><AlertSeverityForAutomatedInvestigation>Medium</AlertSeverityForAutomatedInvestigation><EmailNotification><Enabled>true</Enabled><Recipients>admin@contoso.com</Recipients></EmailNotification></DefenderForEndpoint></DeviceConfiguration>```

These MS-102 practice questions are part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style MS-102 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.