CCNA Deploy Manage M365 Tenant Questions

75 of 248 questions · Page 1/4 · Deploy Manage M365 Tenant topic

1
MCQ · easy

An administrator adds the custom domain 'contoso.com' to a new Microsoft 365 tenant and needs to verify domain ownership. Which type of DNS record must be added to the public DNS zone to complete verification?

A.MX record
B.TXT record
C.CNAME record
D.record
AnswerB

A TXT record with a unique verification string from Microsoft is the standard method to prove domain ownership.

Why this answer

To verify domain ownership in Microsoft 365, you add a TXT record to the domain's public DNS zone containing the verification string shown in the Microsoft 365 admin center (a value of the form MS=msXXXXXXXX). A TXT record is used because that record type, defined in RFC 1035, carries arbitrary text, so Microsoft's verification service can query the zone and match the value it issued; the ownership check itself is a Microsoft convention, not something RFC 1035 specifies. If the DNS host cannot create TXT records, Microsoft also accepts a dedicated MX verification record, but the TXT record is the standard method and the answer the exam expects.

Exam trap

The trap here is that candidates often confuse the TXT record used for domain verification with other DNS records like MX or CNAME, which are used for different purposes (mail routing or service aliasing) in Microsoft 365 configuration, but only the TXT record is required for the initial ownership proof.

How to eliminate wrong answers

Option A is wrong because an MX record is used for mail routing (specifying mail exchange servers), not for domain ownership verification; it does not carry the required verification token. Option C is wrong because a CNAME record is used to alias one domain name to another (canonical name mapping), and while it can be used for some Microsoft 365 services like autodiscover, it is not the record type used for initial domain ownership verification. Option D is wrong because 'record' is an incomplete and non-specific DNS record type; the actual required record is a TXT record, and a generic 'record' does not exist in DNS standards.

2
MCQ · medium

A company has a Microsoft 365 tenant with the domain contoso.com. They acquire a subsidiary with the domain fabrikam.com and want to add it as an additional domain to the same tenant. The domain is already purchased and DNS management is available. What is the first step the administrator should take in the Microsoft 365 admin center?

A.Add the domain and verify ownership by adding a TXT record
B.Create a new tenant for fabrikam.com
C.Set up email forwarding from contoso.com to fabrikam.com
D.Convert fabrikam.com to a federated domain
AnswerA

Domain verification via TXT record is always the first step when adding a custom domain.

Why this answer

To add an existing domain like fabrikam.com to a Microsoft 365 tenant, the first step is to add the domain in the Microsoft 365 admin center and then verify ownership by adding a TXT record to the domain's DNS zone. This verification proves the administrator controls the domain, which is a prerequisite for using it with Microsoft 365 services such as Exchange Online or SharePoint.

Exam trap

The trap here is that candidates may confuse the order of operations and attempt to configure advanced features like federation or email routing before completing the mandatory domain verification step, which is always the first action required when adding a new domain to a tenant.

How to eliminate wrong answers

Option B is wrong because creating a new tenant for fabrikam.com would isolate the subsidiary's users and resources from the existing contoso.com tenant, defeating the purpose of consolidating domains under one tenant. Option C is wrong because email forwarding from contoso.com to fabrikam.com is a post-verification routing configuration, not a domain addition step, and it does not establish domain ownership. Option D is wrong because converting fabrikam.com to a federated domain requires the domain to first be added and verified in the tenant; federation is an advanced authentication configuration that cannot be performed as the initial step.

3
Multi-Select · medium

Your organization is implementing Microsoft Purview Data Loss Prevention (DLP). You need to ensure that sensitive data such as credit card numbers cannot be shared externally via email. Which THREE components should you configure?

Select 3 answers
A.Define sensitive information types for credit card numbers
B.Enable Microsoft Purview Insider Risk Management
C.Configure DLP rule actions to block external sharing
D.Configure a retention policy for email
E.Create a DLP policy in Microsoft Purview
AnswersA, C, E

Sensitive info types are used to detect credit card numbers.

Why this answer

A is correct because sensitive information types (SITs) are predefined or custom patterns that detect specific data such as credit card numbers (pattern plus checksum plus supporting keywords, with a confidence level). Defining or selecting the SIT for credit card numbers lets the DLP policy recognise that content in mail, which has to happen before any action can be taken. C is correct because the DLP rule's action is what enforces the requirement: with the access scope set to recipients outside the organisation and block turned on, a matching message is stopped rather than merely reported. E is correct because the DLP policy is the container that ties the SIT condition and the rule to the Exchange workload and carries the mode (test or enforce); without a policy neither the SIT nor the rule does anything.

Exam trap

The trap here is that candidates may confuse Insider Risk Management (a behavior-based tool) with DLP (a content-based policy), or think a retention policy is needed to block sharing, when in fact DLP policies alone handle detection and enforcement via SITs and rule actions.
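As an added example (not code from the original page or from Microsoft), the three components above expressed as Security & Compliance PowerShell commands, which is how most administrators script what the Purview portal wizard does. It assumes the ExchangeOnlineManagement module, an account holding a compliance admin role, and a hypothetical policy name; the card number passed to Test-DataClassification is a constructed Luhn-valid test value, not real data, and the property names read from its result are assumptions to check against the cmdlet's output in your tenant.

```powershell
# Added example, not from the original page. Requires: Install-Module ExchangeOnlineManagement
# Connects to Security & Compliance PowerShell (Microsoft Purview); needs a compliance admin role.
Connect-IPPSSession

# Component A: the sensitive information type. 'Credit Card Number' is a built-in SIT.
# Test-DataClassification shows what it matches on sample text before any policy exists.
# 4111 1111 1111 1111 is a well-known Luhn-valid test number (constructed input, not a real card).
$sample = "Please charge 4111 1111 1111 1111, expiry 12/29, for the invoice."
(Test-DataClassification -TextToClassify $sample).ClassificationResults |
    Select-Object ClassificationName, Count, Confidence   # property names: assumption

# Component E: the DLP policy, scoped to Exchange Online. Start in test mode with
# notifications so false positives surface before anything is blocked.
$policyName = "Block credit card numbers leaving the org"   # hypothetical name
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -Mode TestWithNotifications `
    -Comment "Credit card numbers must not be emailed outside the organisation" | Out-Null

# Component C: the rule. Condition = the SIT; action = block, but only when at least one
# recipient is outside the organisation (AccessScope NotInOrganization), with a user
# notification and an incident report for the reviewer.
New-DlpComplianceRule -Name "$policyName - rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = "Credit Card Number"; minCount = "1" }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High | Out-Null

# After the test period, switch from simulation to enforcement:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

# Read back what was created; mode and access scope are the two settings most often wrong.
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode, ExchangeLocation
Get-DlpComplianceRule -Policy $policyName | Select-Object Name, BlockAccess, AccessScope, NotifyUser
```

Internal mail between two employees does not match this rule because of the access scope; a second rule without that scope, or with a lower minCount, is the usual follow-up once the test-mode reports show what the policy catches.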

4
MCQ · easy

A company has purchased Microsoft 365 Business Premium and added a custom domain 'contoso.com' to the tenant. They want all new users to have email addresses like user@contoso.com instead of the default onmicrosoft.com domain. What should the administrator do in the Microsoft 365 admin center?

A.Set the custom domain as the default domain in the Domains settings.
B.Add a DNS TXT record for the custom domain.
C.Change the primary domain in the tenant's organization profile.
D.Update the MX record for the custom domain to point to Exchange Online.
AnswerA

Setting a custom domain as default assigns that domain to new user email addresses automatically.

Why this answer

Setting the custom domain as the default domain in the Domains settings ensures that any new user created in the Microsoft 365 admin center automatically receives an email address ending with @contoso.com instead of the default @<tenant>.onmicrosoft.com. This is the correct administrative action because the default domain setting controls the domain suffix applied to new user principal names (UPNs) and email addresses during user creation.

Exam trap

The trap here is that candidates confuse the default domain for new users with domain verification (TXT records) or mail routing (MX records), leading them to select options that are necessary for domain setup but not for controlling the email address assigned to new users.

How to eliminate wrong answers

Option B is wrong because adding a DNS TXT record is used for domain ownership verification, not for setting the default email domain for new users. Option C is wrong because changing the primary domain in the tenant's organization profile affects the initial onmicrosoft.com domain used for the tenant itself, not the default domain for new user email addresses. Option D is wrong because updating the MX record controls mail routing for the domain, not the default domain assigned to new users' email addresses.

5
MCQ · medium

A company with 200 on-premises Exchange mailboxes plans to migrate to Exchange Online. They want to use a Microsoft-provided tool that supports granular control over mailbox migrations, allows batch migrations, and provides detailed reporting. Which migration method should the administrator choose?

A.Azure AD Connect
B.Exchange Admin Center (EAC) migration dashboard
C.Third-party migration tool (e.g., BitTitan MigrationWiz)
D.IMAP migration
AnswerB

The EAC migration dashboard supports several migration types (cutover, staged, hybrid) and provides batch management, status reports, and error logs. It is the recommended Microsoft tool for migrating on-premises mailboxes to Exchange Online.

Why this answer

The Exchange Admin Center (EAC) migration dashboard is the correct choice because it is a Microsoft-provided tool that supports granular control over mailbox migrations (e.g., selecting specific users, setting migration endpoints, and configuring throttling), allows batch migrations with the ability to start, stop, and monitor multiple batches simultaneously, and provides detailed reporting on migration status, errors, and sync progress. This method is specifically designed for migrating on-premises Exchange mailboxes to Exchange Online in a controlled, staged manner, making it ideal for the scenario described.

Exam trap

The trap here is that candidates often confuse Azure AD Connect (identity sync) with a migration tool, or they assume any Microsoft tool (like IMAP migration) is sufficient, but the question specifically requires granular control, batch support, and detailed reporting, which only the EAC migration dashboard provides for on-premises Exchange to Exchange Online migrations.

How to eliminate wrong answers

Option A is wrong because Azure AD Connect is a directory synchronization tool that syncs on-premises Active Directory objects to Azure AD, but it does not perform mailbox migration, provide granular control over mailbox moves, or offer batch migration reporting; it handles identity only. Option C is wrong because while third-party tools like BitTitan MigrationWiz can offer granular control and reporting, the question explicitly asks for a 'Microsoft-provided tool,' so a third-party solution does not meet that requirement. Option D is wrong because IMAP migration only copies mail items (folders and messages) from an IMAP-enabled source, not calendar, contacts, or tasks, and offers far less control over individual mailboxes and far less reporting than a native Exchange migration; it is a basic data-copy method for non-Exchange sources, not a controlled, staged migration from on-premises Exchange.

6
MCQ · medium

An administrator has configured group-based licensing in Azure AD. After adding users to the group, some users do not receive licenses. The users are in the group and have an assigned usage location. What is a possible reason?

A.The group is a mail-enabled security group, which is not supported for group-based licensing
B.The license product name in the group setting does not match the available licenses in the tenant
C.The users have conflicting license assignments from another source
D.The users have not accepted the Microsoft Online Service Terms
AnswerC

Conflicting license assignments (e.g., direct assignment or another group) can cause group-based licensing to skip those users. The licensing status in Azure AD will show an error.

Why this answer

Option C is correct because group-based licensing fails for an individual user when the license the group would assign conflicts with something already on the account. The failure is recorded as a per-user license error, visible on the user's Licenses page in the portal and in the user's licenseAssignmentStates in Microsoft Graph: MutuallyExclusiveViolation when two licenses contain service plans that cannot coexist (for example two Exchange Online plans), DependencyViolation when a group disables a plan that another plan depends on, and CountViolation when no licenses are left. A direct assignment of the same SKU does not by itself conflict; the group assignment simply overlaps it. This is a common situation when users are moved from direct to group-based licensing without removing the existing assignments, and the group does not retry the user until the conflict is resolved.

Exam trap

The trap here is that candidates assume group-based licensing always works if the user is in the group and has a usage location, overlooking that a pre-existing assignment from another group or a direct assignment can produce a per-user license error that is only visible on the user or the group's members-with-errors view, and that requires manual resolution before the group assignment applies.

How to eliminate wrong answers

Option A is wrong because mail-enabled security groups are fully supported for group-based licensing in Azure AD, as long as the group is a security group (mail-enabled or not). Option B is wrong because if the license product name in the group setting does not match an available license in the tenant, the group-based licensing assignment would fail for all users, not just some, and the administrator would receive a clear error during configuration. Option D is wrong because Microsoft Online Service Terms acceptance is a tenant-wide prerequisite that must be completed before any licensing can be applied; if it were not accepted, no users in the tenant would receive licenses at all, not just some users in a group.

7
MCQ · easy

An administrator wants to add a custom domain 'fabrikam.com' to a new Microsoft 365 tenant. What is the first step the administrator should perform?

A.Add the domain in the Microsoft 365 admin center.
B.Create an SPF record for the domain.
C.Create a MX record pointing to Exchange Online.
D.Assign Microsoft 365 licenses to users with @fabrikam.com addresses.
AnswerA

Adding the domain initiates the verification process and is required before any other DNS or licensing steps.

Why this answer

The first step to add a custom domain to a Microsoft 365 tenant is to add the domain in the Microsoft 365 admin center. This initiates the domain verification process, where Microsoft provides a TXT record or MX record that the administrator must add to the domain's DNS hosting provider to prove ownership. Without completing this verification step, no other domain-related configurations (such as SPF, MX records, or user licensing) can proceed.

Exam trap

The trap here is that candidates often confuse the order of operations, thinking that DNS records like SPF or MX must be configured before the domain is added, when in fact the domain must first be verified via a TXT record in the admin center before any other DNS changes can be applied.

How to eliminate wrong answers

Option B is wrong because creating an SPF record is a post-verification step that helps prevent email spoofing, but it is not required to initially add or verify the domain. Option C is wrong because the MX record pointing to Exchange Online belongs after the domain has been verified and added to the tenant; the DNS host would accept the record at any time, but mail for the domain would then be routed to Exchange Online before the tenant accepts that domain and would be rejected. Option D is wrong because assigning Microsoft 365 licenses to users with @fabrikam.com addresses requires the domain to first be verified and added to the tenant; otherwise, the domain is not available for user creation.

8
Multi-Select · hard

You are configuring Microsoft Purview Information Protection for your tenant. You need to ensure that documents containing credit card numbers are automatically labeled as 'Highly Confidential' and encrypted. Which two components must you configure?

A.A data loss prevention (DLP) policy.
B.A sensitive info type for credit card numbers.
C.An auto-labeling policy for sensitivity labels.
D.A retention label.
AnswerB, C

Sensitive info types detect the data; an auto-labeling policy applies the label, and the label's own settings carry the encryption.

Why this answer

A sensitive information type (Option B) is what recognises credit card numbers in content, and an auto-labeling policy for sensitivity labels (Option C) is what applies the 'Highly Confidential' label automatically wherever that SIT matches. The encryption does not come from the policy but from the label: the label must already exist, have encryption configured in its settings, and be published before an auto-labeling policy can reference it, so check those three things first when auto-labeling appears to classify without protecting. Option A is wrong because a DLP policy detects content and blocks, warns, or reports, but does not apply a sensitivity label. Option D is wrong because a retention label controls how long content is kept and when it is deleted, not classification or encryption.
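As an added example (not code from the original page or from Microsoft), the two components in Security & Compliance PowerShell, preceded by the check that the label carries encryption. It assumes the ExchangeOnlineManagement module, a published sensitivity label named 'Highly Confidential' (hypothetical name), and a hypothetical policy name; auto-labeling policies always start in simulation, so the final Enable step is shown commented out.

```powershell
# Added example, not from the original page. Requires: Install-Module ExchangeOnlineManagement
Connect-IPPSSession

$labelName = "Highly Confidential"   # assumption: label exists and is already published

# Precondition: auto-labeling only classifies; the encryption lives on the label itself.
# If EncryptionEnabled is False here, auto-labeling will apply the label but nothing is protected.
$label = Get-Label -Identity $labelName
$label | Select-Object Name, EncryptionEnabled, EncryptionRightsDefinitions
if (-not $label.EncryptionEnabled) { throw "Label '$labelName' has no encryption configured." }

# Component C: the auto-labeling policy, scoped to mail, SharePoint and OneDrive.
# TestWithoutNotifications = simulation; matches are reported, no label is applied yet.
$policyName = "Auto-label credit card numbers"   # hypothetical name
New-AutoSensitivityLabelPolicy -Name $policyName -ApplySensitivityLabel $labelName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithoutNotifications | Out-Null

# Component B: the rule binds the built-in 'Credit Card Number' SIT to the policy.
New-AutoSensitivityLabelRule -Name "$policyName - rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = "Credit Card Number"; minCount = "1" }) `
    -Workload Exchange, SharePoint, OneDriveForBusiness | Out-Null

# Review the simulation results in the Purview portal, then turn the policy on:
# Set-AutoSensitivityLabelPolicy -Identity $policyName -Mode Enable

Get-AutoSensitivityLabelPolicy -Identity $policyName | Select-Object Name, Mode, ApplySensitivityLabel
Get-AutoSensitivityLabelRule -Policy $policyName | Select-Object Name, Workload, ContentContainsSensitiveInformation
```

Leaving the policy in simulation for a few days and reading the match report is the practical guard against a SIT that is too broad; once enabled, every matching document in scope gets encrypted, and a label applied in bulk to the wrong files is far harder to undo than a DLP block.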

9
MCQ · medium

A company wants to display a custom help desk phone number and email on the Microsoft 365 sign-in page so that users can contact support easily. Which area of the Microsoft 365 admin center should the administrator use to configure this?

A.Settings > Org settings > Security & privacy
B.Settings > Org settings > Organization profile
C.Billing > Licenses
D.Health > Service Health
AnswerB

Organization profile is where the admin center keeps tenant-level customization, including the help desk contact information users see.

Why this answer

Option B is correct because the custom help desk contact information (phone number, email, and a support URL) is entered under Settings > Org settings > Organization profile, on the 'Help desk information' card. In practice the details entered there appear in the Microsoft 365 help pane (the ? icon in the admin center and Office portal) rather than on the Entra sign-in page itself; the visual branding of the sign-in page (logo, background, sign-in page text and footer links) is configured in Microsoft Entra ID under Company branding, not in the Microsoft 365 admin center. Of the four areas offered, the Organization profile is the only one that holds any user-facing contact or branding setting, which is why it is the answer.

Exam trap

The trap here is that candidates often confuse the 'Security & privacy' settings (Option A) with branding customization, mistakenly thinking that support contact details are a security-related configuration rather than a branding and user experience setting.

How to eliminate wrong answers

Option A is wrong because Settings > Org settings > Security & privacy is used for configuring security policies, data loss prevention, and privacy-related settings, not for customizing the sign-in page branding or support contact information. Option C is wrong because Billing > Licenses is used to manage user licenses, subscriptions, and billing details, not for tenant-wide branding or support contact configuration. Option D is wrong because Health > Service Health provides real-time service status and incident information, but does not allow customization of the sign-in page or support contact details.

10
MCQ · medium

A user reports that they cannot access Microsoft Teams from their mobile device. Other Microsoft 365 services work fine. You verify that the device is compliant with Intune policies. What is the most likely cause?

A.The user's authentication method is not registered for Microsoft Entra ID
B.The Microsoft Teams service is degraded
C.A Conditional Access policy requires an approved client app for Teams
D.The device is not enrolled in Microsoft Intune
AnswerC

If the Teams app is not approved or protected, access is blocked.

Why this answer

Option C is correct because a Conditional Access policy requiring an approved client app for Microsoft Teams would block access from a mobile device even if the device is Intune-compliant, as the policy specifically checks for the use of an approved app (e.g., the official Microsoft Teams app) rather than just device compliance. Since the user can access other Microsoft 365 services, the issue is isolated to Teams, and the device compliance status rules out broader device-level blocks.

Exam trap

The trap here is that candidates assume device compliance alone guarantees access, overlooking that Conditional Access policies can impose app-level requirements that are separate from device health checks.

How to eliminate wrong answers

Option A is wrong because authentication method registration for Microsoft Entra ID affects sign-in capabilities across all services, not just Teams, and the user can access other Microsoft 365 services, indicating authentication is functional. Option B is wrong because a degraded Microsoft Teams service would impact all users and devices, not just a single user on a mobile device, and the user can access other services, ruling out a widespread service issue. Option D is wrong because the device is explicitly stated to be compliant with Intune policies, which implies it is enrolled in Microsoft Intune; non-enrollment would prevent compliance evaluation entirely.

11
Multi-Select · easy

You are configuring Microsoft 365 tenant-to-tenant migration. Which THREE tasks must be completed before migrating users?

Select 3 answers
A.Change MX records to point to the target tenant
B.Obtain tenant consent for data migration (e.g., via admin consent)
C.Delete source tenant user mailboxes
D.Verify domain ownership in the target tenant
E.Set up directory synchronization between tenants (if needed)
AnswersB, D, E

Consent, verified domains and (where needed) directory synchronization must all be in place before any user data moves.

Why this answer

Options B, D, and E are correct. The target tenant must own (verify) the domains that users will keep after the move; note that a domain can be verified in only one tenant at a time, so it has to be removed from the source tenant before the target can verify it, which is why this is scheduled into the cutover plan rather than done casually. The source tenant must consent to the migration tooling reading its data (admin consent for the migration application, or the organization relationship and migration endpoint used by cross-tenant mailbox migration). Directory synchronization or an equivalent identity mapping must exist so that target accounts are in place to receive the data. Option A is wrong because MX record changes are the cutover step performed after mailboxes have moved; switching mail flow first would route mail to empty target mailboxes.

Option C is wrong because source mailboxes are deleted, if at all, only after the migration has been validated; deleting them first destroys the data you are trying to move.

12
MCQ · hard

The exhibit shows the output of a PowerShell command for a user. The user reports that they cannot access Microsoft Teams, although they have an E3 license (ENTERPRISEPACK). What is the most likely cause?

A.The Teams service plan is disabled in the user's license.
B.The user's license is suspended.
C.The user's license has expired.
D.The user does not have a license assigned.
AnswerA

The license may have Teams service plan turned off.

Why this answer

The exhibit (not reproduced here) shows the user holding an E3 license (ENTERPRISEPACK) with the Teams service plan (TEAMS1) disabled; in Get-MgUserLicenseDetail output that appears as ProvisioningStatus 'Disabled' on that plan. Even with an active E3 license, if the Teams service plan is explicitly turned off in the license assignment, the user cannot access Microsoft Teams. This is a common configuration where an admin disables specific service plans, directly or through the group that assigns the license, to control feature access.

Exam trap

The trap here is that candidates assume an assigned E3 license grants access to all included services by default, overlooking that individual service plans can be disabled within the license, which is a common configuration tested in MS-102.

How to eliminate wrong answers

Option B is wrong because a suspended license would typically show a status of 'Suspended' or 'Disabled' in the output, and the user would lose access to all licensed services, not just Teams. Option C is wrong because an expired license would also affect all services under that license, and the output would likely show an expiration date or a 'Disabled' status; the E3 license shown is still active. Option D is wrong because the output clearly shows the user has an ENTERPRISEPACK license assigned, so they do have a license.
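As an added example serving both question 6 (group-based licensing errors) and question 12 (a disabled service plan), this is the Microsoft Graph PowerShell check a practitioner runs before guessing, not code from the original page or from Microsoft. It assumes the Microsoft.Graph module, read permissions on users, groups and the organization, and hypothetical user and group names.

```powershell
# Added example, not from the original page. Requires: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All", "Organization.Read.All"

function Get-LicenseDiagnosis {
    param(
        [string]$UserPrincipalName,
        [string]$ServicePlanName = "TEAMS1"   # TEAMS1 = the Microsoft Teams plan inside ENTERPRISEPACK
    )
    $u = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, UsageLocation, LicenseAssignmentStates

    # Q6: one entry per SKU per source. AssignedByGroup is empty for direct assignment.
    # Error values seen in practice: CountViolation, MutuallyExclusiveViolation,
    # DependencyViolation, ProhibitedInUsageLocationViolation (State is 'Error' for all of them).
    $assignments = $u.LicenseAssignmentStates | ForEach-Object {
        [pscustomobject]@{
            SkuId         = $_.SkuId
            State         = $_.State
            Error         = $_.Error
            Source        = $(if ($_.AssignedByGroup) { "group $($_.AssignedByGroup)" } else { "direct" })
            DisabledPlans = ($_.DisabledPlans -join ",")
        }
    }

    # Q12: effective service plans. ProvisioningStatus 'Disabled' on TEAMS1 is the symptom
    # of a plan switched off in the assignment; 'Success' means the plan is live.
    $plan = Get-MgUserLicenseDetail -UserId $u.Id |
        ForEach-Object { $_.ServicePlans } |
        Where-Object ServicePlanName -like "$ServicePlanName*" |
        Select-Object ServicePlanName, ProvisioningStatus

    [pscustomobject]@{
        User          = $u.UserPrincipalName
        UsageLocation = $u.UsageLocation     # empty here explains a failed assignment on its own
        Assignments   = $assignments
        Plan          = $plan
    }
}

Get-LicenseDiagnosis -UserPrincipalName "alice@contoso.com" | Format-List   # hypothetical user

# Group-wide view for Q6: members the group tried and failed to license.
$groupId = (Get-MgGroup -Filter "displayName eq 'Lic-E3'").Id             # hypothetical group
Get-MgGroupMemberWithLicenseError -GroupId $groupId |
    Select-Object Id, @{ n = 'UserPrincipalName'; e = { $_.AdditionalProperties.userPrincipalName } }

# Capacity check: CountViolation shows up once ConsumedUnits reaches PrepaidUnits.Enabled.
Get-MgSubscribedSku | Select-Object SkuPartNumber, ConsumedUnits, @{ n = 'Enabled'; e = { $_.PrepaidUnits.Enabled } }
```

Reading the two views together separates the cases the exam blurs: a user with a State of Error and a MutuallyExclusiveViolation needs the overlapping license removed, while a user whose assignment is Active but whose TEAMS1 plan is Disabled needs the plan re-enabled in the group's license options (or the direct assignment that disables it removed).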

13
MCQ · medium

You need to ensure that all users in your Microsoft 365 tenant are automatically enrolled in Microsoft Intune when they sign up for Microsoft 365. You want to use the default enrollment policy. What should you do?

A.Set the MDM authority to Microsoft Intune and configure automatic MDM enrollment via Azure AD.
B.Create a conditional access policy that requires device compliance and block access if not enrolled.
C.Configure a PowerShell script to run daily that adds all users to Intune.
D.Ensure that the Microsoft Intune license is assigned to each user and enable the 'Enroll automatically' setting in the Microsoft 365 admin center.
AnswerA

This enables automatic device enrollment when users sign in.

Why this answer

Option A is correct because automatic enrollment is driven by the MDM enrollment settings rather than by anything in the Microsoft 365 admin center: the tenant's MDM authority must be Microsoft Intune, and the MDM user scope (Entra ID > Mobility (MDM and WIP) > Microsoft Intune, also surfaced in the Intune admin center under Windows automatic enrollment) must include the users, set to All or to a group. With that in place, a Windows device enrolls in Intune at the moment a licensed, in-scope user joins it to Entra ID (or it is hybrid joined), with no manual enrollment step; the question's 'sign up for Microsoft 365' refers to that first sign-in and join.

Exam trap

The trap here is that candidates often confuse the 'Enroll automatically' concept with a setting in the Microsoft 365 admin center, when in reality it is configured through Azure AD's MDM enrollment settings, not a simple toggle in the admin center.

How to eliminate wrong answers

Option B is wrong because a conditional access policy that requires device compliance and blocks access if not enrolled does not automatically enroll users; it only enforces compliance after enrollment, leaving users to manually enroll or be blocked. Option C is wrong because running a PowerShell script daily to add users to Intune is not a supported or reliable method for automatic enrollment; Intune enrollment is managed via Azure AD policies, not direct user addition scripts. Option D is wrong because while assigning Intune licenses is necessary, the 'Enroll automatically' setting does not exist in the Microsoft 365 admin center; automatic enrollment is configured via Azure AD's MDM enrollment settings, not through a separate admin center toggle.

14
MCQ · easy

You are a Microsoft 365 administrator. Users report that they cannot access Microsoft Teams. You check the Microsoft 365 admin center and see that the service health for Microsoft Teams shows a 'Service degradation' incident. What is the most appropriate initial action?

A.Contact the Microsoft regional escalation engineer immediately.
B.Open a support request with Microsoft to report the outage.
C.Review the incident details in the service health dashboard for an estimated resolution time and workaround.
D.Restart the Microsoft Teams service on all client machines.
AnswerC

The dashboard provides updates and guidance for ongoing incidents.

Why this answer

Option C is correct because the most appropriate initial action when a service degradation incident is already visible in the Microsoft 365 admin center is to review the incident details in the service health dashboard. This provides the estimated resolution time, current status, and any available workarounds published by Microsoft, allowing you to inform users and mitigate impact without immediately escalating or opening a support request.

Exam trap

The trap here is that candidates assume a service degradation requires immediate escalation or a support ticket, but the correct first step is to check the service health dashboard for existing incident details and workarounds before taking any further action.

How to eliminate wrong answers

Option A is wrong because contacting a Microsoft regional escalation engineer is a premature escalation step; this should only be done after reviewing the incident details and if the issue is critical and not being addressed. Option B is wrong because opening a support request to report the outage is redundant when Microsoft has already acknowledged the incident in the service health dashboard; support requests are for issues not yet recognized or requiring tenant-specific troubleshooting. Option D is wrong because restarting the Microsoft Teams service on client machines is a client-side action that cannot resolve a service-wide degradation incident that originates from Microsoft's infrastructure.

15
MCQ · easy

An administrator is setting up a new Microsoft 365 tenant and has added the custom domain 'contoso.com'. The domain status shows 'Pending verification'. Which type of DNS record must the administrator add to the public DNS zone to complete domain ownership verification?

A.MX record
B.TXT record
C.CNAME record
D.SPF record
AnswerB

A TXT record containing the unique verification token provided by Microsoft proves domain ownership.

Why this answer

To verify domain ownership in Microsoft 365, you must add a TXT record containing the unique verification string provided by the Microsoft 365 admin center to the public DNS zone. The verification service queries the public zone and matches the value, so the record has to have propagated before you select Verify; checking it from a public resolver first (for example nslookup -type=TXT contoso.com) saves a failed attempt. The TXT record type is defined in RFC 1035; the verification procedure itself is Microsoft's convention, not part of the RFC.

Exam trap

The trap here is that candidates often confuse the TXT record used for domain verification with the SPF record, which is also a TXT record but serves a completely different purpose, leading them to select SPF instead of the generic TXT record option.

How to eliminate wrong answers

Option A is wrong because an MX record specifies the mail exchange server for the domain and is not used for domain ownership verification; it would be added later for mail routing. Option C is wrong because a CNAME record maps an alias to a canonical name and is not used for verification; it is typically used for services like autodiscover. Option D is wrong because an SPF record is a TXT record that specifies authorized mail servers to prevent spoofing, but it is not the specific record type used for domain verification; the verification requires a unique TXT record with a specific value, not an SPF policy.
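As an added example covering the domain questions on this page (1, 2, 7 and 15, with the default-domain step from question 4 at the end), this is the Microsoft Graph PowerShell sequence for adding a domain, reading the record Microsoft expects, confirming it is live in public DNS, and triggering verification. It is not code from the original page or from Microsoft. It assumes the Microsoft.Graph module, a Global Administrator or Domain Name Administrator account, the hypothetical domain contoso.com, a Windows host for Resolve-DnsName, and that the TXT value is exposed in the record's AdditionalProperties under 'text' (an assumption to confirm against your tenant's output).

```powershell
# Added example, not from the original page. Requires: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "Domain.ReadWrite.All"
$domain = "contoso.com"   # hypothetical

# Step 1 (questions 2 and 7): register the domain; it is created unverified.
if (-not (Get-MgDomain -DomainId $domain -ErrorAction SilentlyContinue)) {
    New-MgDomain -Id $domain | Out-Null
}

# Step 2 (questions 1 and 15): the records Microsoft will look for. The TXT value has the
# form MS=msXXXXXXXX; an MX alternative is returned for DNS hosts that cannot add TXT.
$expected = Get-MgDomainVerificationDnsRecord -DomainId $domain
foreach ($rec in $expected) {
    $value = if ($rec.RecordType -eq 'Txt') { $rec.AdditionalProperties['text'] }
             else                            { $rec.AdditionalProperties['mailExchange'] }
    "{0,-4} label={1,-8} ttl={2,-5} {3}" -f $rec.RecordType, $rec.Label, $rec.Ttl, $value
}

# Step 3: add the TXT record at the DNS host, then confirm a public resolver sees it before
# calling verify; propagation delay is the usual reason a verification attempt fails.
$txt  = ($expected | Where-Object RecordType -eq 'Txt' | Select-Object -First 1).AdditionalProperties['text']
$live = Resolve-DnsName -Name $domain -Type TXT -Server 8.8.8.8 -ErrorAction SilentlyContinue |
        Where-Object { $_.Strings -contains $txt }
if (-not $live) { throw "TXT '$txt' is not yet visible in public DNS for $domain; wait and retry." }

# Step 4: trigger verification and read back the state.
Confirm-MgDomain -DomainId $domain
Get-MgDomain -DomainId $domain | Select-Object Id, IsVerified, IsDefault, SupportedServices

# Step 5 (question 4): once verified, make it the default so new users get @contoso.com UPNs.
# Update-MgDomain -DomainId $domain -IsDefault
```

The Resolve-DnsName call is pointed at a public resolver deliberately: a corporate resolver that already caches the zone, or an internal split-horizon copy of contoso.com, can show the record while Microsoft's resolvers still do not.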

16
MCQ · easy

An administrator is planning to migrate from on-premises Exchange to Exchange Online. The current on-premises environment is Exchange 2016. The company has a hybrid deployment with Azure AD Connect. They want to use the cutover migration method. What is a prerequisite for starting a cutover migration?

A.The on-premises Exchange server must be reachable from the Microsoft 365 migration service via a public endpoint
B.The on-premises Exchange server must have the MRS Proxy service installed and running
C.TLS certificate must be bound to the on-premises Exchange server for migration authentication
D.The administrator executing the migration must have on-premises Exchange Organization Management role
AnswerA

Correct. The migration service connects to the on-premises server from Microsoft's network to pull mailbox data, so the server must be published to the internet over HTTPS.

Why this answer

For a cutover migration the Microsoft 365 migration service must reach the on-premises Exchange server from the internet. Cutover migration connects over Outlook Anywhere (RPC over HTTP) on TCP 443, which the migration endpoint locates through Autodiscover, so Outlook Anywhere must be enabled and published with a certificate from a trusted public CA; a VPN or private link is not an option because the connection originates from Microsoft's service, and without the public endpoint the service can neither discover mailboxes nor copy data. Two details of the scenario deserve a second look in practice: Microsoft's cutover guidance requires directory synchronization (Microsoft Entra Connect) to be turned off before the batch is created, because the cutover process creates the cloud users itself, and an organisation that already has a hybrid deployment would normally run a remote move (hybrid) migration batch instead. The question asks only about the prerequisite, and the public endpoint is the one listed.

Exam trap

The trap here is that candidates confuse cutover migration prerequisites with those of a hybrid deployment, incorrectly assuming MRS Proxy or the Organization Management role is required, when cutover migration needs Outlook Anywhere reachability and a migration account with FullAccess on each source mailbox (or Receive As on the mailbox database).

How to eliminate wrong answers

Option B is wrong because the MRS Proxy service is required for hybrid remote move migrations (the Mailbox Replication Service moves mailboxes through it), not for cutover migrations, which connect over Outlook Anywhere. Option C is wrong because, while Outlook Anywhere does need a certificate from a trusted CA for the connection to succeed, there is no separate step of binding a certificate 'for migration authentication'; the server's existing public-CA certificate suffices and authentication is by the migration account's credentials. Option D is wrong because the account running the cutover migration needs FullAccess permission on every source mailbox, or Receive As on the mailbox database, not the Organization Management role, which is a far broader privilege than the migration requires.
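As an added example serving question 5 (batch migration with reporting) and question 16 (cutover prerequisites), this is the Exchange Online PowerShell equivalent of the EAC migration dashboard: test and create the cutover endpoint, start a batch, read batch and per-mailbox status, and complete the batch. It is not code from the original page or from Microsoft. It assumes the ExchangeOnlineManagement module, a hypothetical on-premises migration account that holds FullAccess on the source mailboxes, hypothetical addresses, and that Outlook Anywhere is already published with a trusted certificate.

```powershell
# Added example, not from the original page. Requires: Install-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# On-premises migration account (hypothetical). Must have FullAccess on every source mailbox
# or Receive As on the mailbox database; Organization Management is not needed.
$cred = Get-Credential -Message "On-premises migration account, e.g. CONTOSO\migadmin"

# Probe first: this tests Autodiscover and Outlook Anywhere from Microsoft's side exactly as
# endpoint creation will, and returns the failure reason if the server is not reachable.
Test-MigrationServerAvailability -ExchangeOutlookAnywhere -Autodiscover `
    -EmailAddress "migadmin@contoso.com" -Credentials $cred

# Cutover endpoint (question 16). MaxConcurrentMigrations throttles load on the on-prem server.
$endpoint = New-MigrationEndpoint -ExchangeOutlookAnywhere -Autodiscover `
    -Name "Contoso-Cutover" -EmailAddress "migadmin@contoso.com" -Credentials $cred `
    -MaxConcurrentMigrations 20

# Cutover batch: all on-premises mailboxes are discovered through the endpoint, no CSV needed.
# (For a hybrid remote move you would use -ExchangeRemoteMove on the endpoint and pass
#  -CSVData plus -TargetDeliveryDomain here.)
$batch = New-MigrationBatch -Name "Cutover-Wave1" -SourceEndpoint $endpoint.Identity `
    -NotificationEmails "admin@contoso.com" -AutoStart

# Batch-level reporting (question 5): the numbers the dashboard renders.
Get-MigrationBatch -Identity $batch.Identity |
    Format-List Status, TotalCount, SyncedCount, FailedCount, LastSyncedTime

# Per-mailbox drill-down for failures; -IncludeReport attaches the full move report
# (the Report property) for mailboxes that need a closer look.
Get-MigrationUser -BatchId $batch.Identity | Where-Object Status -eq 'Failed' | ForEach-Object {
    Get-MigrationUserStatistics -Identity $_.Identity -IncludeReport |
        Select-Object Identity, Status, Error
}

# Cutover batches sync and then wait. Complete only when you are ready to switch MX and
# repoint clients; until then incremental syncs keep the cloud copies current.
# Complete-MigrationBatch -Identity $batch.Identity
```

Keeping the batch in the synced-but-not-completed state for a day or two is what gives the "granular control" the question refers to: failed mailboxes can be fixed and re-synced individually while everyone else keeps working on premises.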

17
Multi-Select · easy

Your organization is deploying Microsoft 365 Copilot. You need to ensure that data security is maintained. Which THREE actions should you take?

Select 3 answers
A.Disable Microsoft 365 Copilot for all users.
B.Block all external sharing for SharePoint and OneDrive.
C.Enable audit logging in Microsoft 365.
D.Configure data loss prevention (DLP) policies.
E.Create sensitivity labels to classify and protect data.
AnswersC, D, E

Audit logging helps monitor Copilot interactions and detect anomalies.

Why this answer

Option C is correct because enabling audit logging in Microsoft 365 is what records user interactions with Microsoft 365 Copilot, including the prompt, the app it came from, and the resources Copilot read to answer; this is the forensic trail for spotting a prompt that pulled an over-shared file into a summary. Option D is correct because DLP policies stop sensitive content that Copilot has surfaced from being sent onward in mail, chat, or files. Option E is correct because sensitivity labels travel with the content Copilot reads and produces: Copilot honours label-based encryption rights (a user without the EXTRACT right on a file does not get that file summarised) and its output inherits the label of the most sensitive source.

Exam trap

The trap here is that candidates often assume blocking external sharing (Option B) is a primary security control for Copilot, when in fact Copilot's data security risks are more about internal data leakage through AI processing, which requires audit logging, DLP, and sensitivity labels to mitigate.
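As an added example of the audit check behind Option C (not code from the original page or from Microsoft), this confirms unified audit log ingestion is on and lists recent Copilot interactions with the resources Copilot read. It assumes the ExchangeOnlineManagement module, an audit-reader role, and that Copilot events are exposed under the CopilotInteraction record type with AppHost and AccessedResources fields in the CopilotEventData of each event; those names are assumptions to confirm against one raw AuditData value in your tenant.

```powershell
# Added example, not from the original page. Requires: Install-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # Search-UnifiedAuditLog lives in Exchange Online PowerShell

# 1. Audit ingestion must be on; it is on by default in new tenants but worth confirming.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Copilot interactions from the last 7 days. RecordType name: assumption (see lead-in).
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType CopilotInteraction -ResultSize 5000

# 3. AuditData is a JSON string. Flatten who asked, from which app, and which resources
#    Copilot grounded on; a sensitive file here is the over-sharing signal to chase.
$rows = $events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $d.CreationTime
        User      = $d.UserId
        App       = $d.CopilotEventData.AppHost                      # field name: assumption
        Resources = ($d.CopilotEventData.AccessedResources |         # field name: assumption
                     ForEach-Object { $_.Name }) -join '; '
    }
}

# Who is using Copilot most, and the raw rows for review.
$rows | Group-Object User | Sort-Object Count -Descending | Select-Object Name, Count
$rows | Sort-Object When -Descending | Format-Table -AutoSize
```

The useful follow-up is to join the Resources column against the SharePoint sites flagged by an over-sharing report: an interaction that grounded on a file from a site with anonymous links is the case Option B was trying, too bluntly, to prevent.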

18
Multi-Select · hard

Which THREE factors are considered when Microsoft Entra ID evaluates a conditional access policy?

Select 3 answers
A.User or group membership
B.Mailbox size
C.User's department attribute in Microsoft Entra ID
D.Location (IP range or country)
E.Device platform (e.g., Windows, iOS)
AnswersA, D, E

Policies can be targeted to specific users or groups.

Why this answer

Microsoft Entra ID evaluates conditional access policies based on signals from the user, device, and location. User or group membership (Option A) is a primary signal because policies are typically assigned to specific users or groups to control access. Location (Option D) is evaluated using IP ranges or country codes to enforce restrictions like blocking access from untrusted networks.

Device platform (Option E) allows policies to target specific operating systems (e.g., Windows, iOS) to enforce compliance requirements like requiring Intune enrollment.

Exam trap

The trap here is that candidates treat arbitrary directory attributes such as department as Conditional Access conditions. The policy engine evaluates a fixed set of signals: user and group membership, guest or external user type, target applications and user actions, sign-in risk, user risk, insider risk, device platform, locations, client app types, device filters built on device attributes, and authentication flows. A department-based scope is achieved indirectly, by assigning the policy to a dynamic membership group whose rule selects on that attribute.
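As an added example serving question 18 (the conditions a policy evaluates) and question 10 (the approved-client-app grant that blocks Teams on mobile), this creates the policy through Microsoft Graph PowerShell in report-only mode so the conditions are visible as a structure rather than a portal screenshot. It is not code from the original page or from Microsoft. It assumes the Microsoft.Graph module, Conditional Access write permission, a hypothetical group name, and that the Microsoft Teams service principal is present in the tenant so its app ID can be looked up rather than hard-coded.

```powershell
# Added example, not from the original page. Requires: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "Group.Read.All"

# Resolve IDs instead of hard-coding them.
$teamsAppId = (Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Teams'").AppId
$groupId    = (Get-MgGroup -Filter "displayName eq 'Mobile-Users'").Id   # hypothetical group

$policy = @{
    displayName = "Teams on mobile: require approved client app or app protection policy"
    state       = "enabledForReportingButNotEnforced"   # report-only first; "enabled" to enforce
    conditions  = @{
        users          = @{ includeGroups = @($groupId) }                                   # Option A: user/group
        applications   = @{ includeApplications = @($teamsAppId) }
        platforms      = @{ includePlatforms = @("iOS", "android") }                        # Option E: device platform
        locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") } # Option D: location
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    # Question 10: device compliance is not checked here at all. Access is granted only from
    # an approved client app (broker-backed) OR an app with an Intune app protection policy.
    grantControls = @{ operator = "OR"; builtInControls = @("approvedApplication", "compliantApplication") }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Evidence when a user reports the block: the sign-in log names the policy that applied.
# Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'alice@contoso.com'" -Top 5 |
#     Select-Object CreatedDateTime, AppDisplayName, ConditionalAccessStatus
```

Microsoft has announced the retirement of the "Require approved client app" grant in favour of app protection policies, so the compliantApplication control is the one to keep when the two are combined with OR as above; a user on a compliant device but using a non-broker Teams client still fails this policy, which is exactly the symptom in question 10.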

19
Multi-Select · medium

An administrator needs to open a Microsoft 365 support request because all users are experiencing intermittent service outages for Exchange Online. Before contacting support, which two pieces of information should the administrator have ready to ensure efficient troubleshooting? (Choose two.)

Select 2 answers
A.Tenant ID (or Microsoft 365 tenant domain name)
B.Number of affected users
C.Detailed description of the problem and troubleshooting steps attempted
D.Network bandwidth graph from the past 24 hours
Answers: A, C

Support needs to identify the specific tenant to check service configuration and health.

Why this answer

The Tenant ID (or Microsoft 365 tenant domain name) is required by Microsoft Support to uniquely identify your tenant in their systems, enabling them to pull up your service configuration, subscription details, and relevant health data. This identifier is essential for routing the support request to the correct engineering team and for correlating the issue with backend telemetry.

Exam trap

The trap here is that candidates often confuse 'nice-to-have' diagnostic data (like the number of affected users or network graphs) with the mandatory identification and problem description that Microsoft Support requires to initiate a case.

20
MCQ · easy

Your organization has a Microsoft 365 E5 subscription. You want to enable Microsoft Defender for Office 365 to protect against malicious attachments in email. Which policy should you configure?

A.Anti-phishing policy
B.Anti-malware policy
C.Safe Attachments policy
D.Safe Links policy
Answer: C

Safe Attachments scans email attachments for malicious content.

Why this answer

Safe Attachments policy is the correct choice because Microsoft Defender for Office 365's Safe Attachments feature specifically protects against malicious attachments in email by detonating them in a virtual sandbox environment before delivery. This policy allows you to configure actions for detected malware, such as blocking, replacing, or dynamically delivering attachments based on threat analysis.

Exam trap

The trap here is that candidates often confuse the basic Anti-malware policy (which uses signature-based detection) with the advanced Safe Attachments policy (which uses sandbox detonation), leading them to select Option B incorrectly.

How to eliminate wrong answers

Option A is wrong because Anti-phishing policy protects against phishing attempts by analyzing sender reputation, impersonation, and spoofing, not by scanning attachments for malware. Option B is wrong because Anti-malware policy provides basic malware protection using the built-in malware engine but does not include the advanced sandboxing and detonation capabilities of Safe Attachments. Option D is wrong because Safe Links policy protects users from malicious URLs in email and Office documents by checking links at time of click, not by scanning attachments.

21
MCQ · hard

You are deploying Microsoft 365 for a new subsidiary. The subsidiary has a single domain subsidiary.com. You need to configure a hybrid identity solution with Microsoft Entra ID. The on-premises Active Directory has a single domain and all user accounts are synchronized using Microsoft Entra Connect. You want to ensure that users can sign in to Microsoft 365 using their on-premises credentials without exposing the password hash to Microsoft. What should you do?

A.Configure password hash synchronization.
B.Create cloud-only user accounts and disable on-premises authentication.
C.Implement Active Directory Federation Services (AD FS) with Microsoft Entra ID.
D.Enable pass-through authentication (PTA) with Microsoft Entra Connect.
Answer: D

PTA validates passwords on-premises without storing hashes in the cloud.

Why this answer

Option D is correct because pass-through authentication (PTA) allows users to sign in to Microsoft 365 using their on-premises credentials without storing password hashes in Microsoft Entra ID. PTA validates passwords directly against on-premises Active Directory via an agent, ensuring no password hash is exposed to Microsoft, which meets the stated requirement.

Exam trap

The trap here is that candidates often confuse pass-through authentication with password hash synchronization, assuming both expose credentials, but PTA avoids any hash storage while still enabling cloud authentication.

How to eliminate wrong answers

Option A is wrong because password hash synchronization stores a hash of the on-premises password in Microsoft Entra ID, which directly exposes the password hash to Microsoft, violating the requirement. Option B is wrong because creating cloud-only user accounts and disabling on-premises authentication would break the hybrid identity requirement, as users would no longer use their on-premises credentials for sign-in. Option C is wrong because while AD FS also avoids storing password hashes in the cloud, it introduces additional infrastructure complexity and is not the simplest solution; PTA is the recommended choice for this specific scenario where password hash exposure must be avoided without deploying federation servers.

22
MCQ · easy

An administrator needs to delegate the ability to manage user licenses and assign roles to a junior admin, but without granting them access to the Microsoft 365 admin center's other settings. Which role should the junior admin be assigned?

A.User Administrator
B.License Administrator
C.Global Administrator
D.Helpdesk Administrator
Answer: B

License Administrator can assign and remove licenses, manage license-based groups, and assign other administrative roles (with restrictions).

Why this answer

The License Administrator role is the correct choice because it specifically grants the ability to assign and remove licenses for users, as well as manage their location, without providing access to other Microsoft 365 admin center settings like user creation, role assignment, or security features. This role is designed for delegated license management while maintaining least privilege.

Exam trap

The trap here is that candidates often confuse the License Administrator role with the User Administrator role, mistakenly believing that User Administrator is required for license management, but the License Administrator role is the precise least-privilege role for this task.

How to eliminate wrong answers

Option A is wrong because the User Administrator role can create and manage user accounts, reset passwords, and assign licenses, but it also grants broader user management capabilities, including the ability to create and delete users, which exceeds the requirement to only manage licenses and assign roles. Option C is wrong because the Global Administrator role provides unrestricted access to all Microsoft 365 admin center settings, including security, compliance, and billing, which violates the requirement to limit access to other settings. Option D is wrong because the Helpdesk Administrator role is focused on password resets and service request management, and it does not include the ability to assign licenses or manage user roles.

23
MCQ · medium

A company wants to ensure that all new users created in Microsoft 365 are automatically assigned a specific set of licenses based on their department. The company has 200 users across Sales, Marketing, and IT departments. Each department uses different Microsoft 365 license plans. Which approach should the administrator use?

A.Create a PowerShell script that runs on a schedule to assign licenses based on department attribute.
B.Use group-based licensing and assign each department's users to a security group with the appropriate license.
C.Use Azure AD Dynamic Groups to automatically add users to groups based on department, and then assign licenses to those groups.
D.Manually assign licenses to each user after creation.
Answer: C

Dynamic groups combined with group-based licensing provide fully automatic license assignment based on user attributes.

Why this answer

Option C is correct because Azure AD Dynamic Groups can automatically add users to groups based on their department attribute (e.g., using a rule like `user.department -eq "Sales"`), and group-based licensing can then assign the appropriate Microsoft 365 license plan to each dynamic group. This ensures that any new user created with the correct department attribute is automatically added to the corresponding group and receives the license without manual intervention or scheduled scripts.

Exam trap

The trap here is that candidates often confuse 'group-based licensing' (which requires groups to be populated) with 'dynamic groups' (which automate group membership), leading them to choose Option B because they think group-based licensing alone is sufficient, but without dynamic groups, the groups must be manually maintained.

How to eliminate wrong answers

Option A is wrong because a scheduled PowerShell script introduces latency (users may not get licenses until the script runs), requires maintenance, and is less reliable than Azure AD's native automatic licensing engine. Option B is wrong because it suggests manually assigning users to security groups, which does not automate the process for new users; group-based licensing requires the groups to be populated automatically (via dynamic groups) to achieve the stated goal. Option D is wrong because manual assignment is not scalable for 200 users and does not meet the requirement of automatic license assignment for new users.

24
MCQ · easy

A user reports that they cannot access their Microsoft 365 mailbox from the Outlook desktop client, but they can access it via Outlook on the web. Other users in the same tenant are not experiencing issues. What is the most likely cause?

A.There is a service incident affecting only the Outlook desktop client.
B.The user's Outlook profile is corrupted or needs to be re-created.
C.The user's account has been disabled.
D.The user's Microsoft 365 license has expired.
Answer: B

A corrupted profile can prevent desktop client access while OWA works fine.

Why this answer

If a user can access via OWA but not Outlook desktop, it often indicates an authentication or client configuration issue rather than a service outage. Disabled MFA would affect both. A service incident would affect many users.

License issues would also affect OWA. The most likely cause is that the user's profile is corrupted or the authentication token has expired.

25
MCQ · easy

You are a Microsoft 365 administrator for a small business with 50 users. The company is using Microsoft 365 Business Basic. You need to configure email for the custom domain contoso.com. You have added the domain in the Microsoft 365 admin center and verified ownership. Users currently have onmicrosoft.com email addresses. You need to change the primary email address for all users to their custom domain (e.g., user@contoso.com). What should you do?

A.Remove the onmicrosoft.com domain from the tenant.
B.Convert all mailboxes to shared mailboxes and reassign licenses.
C.Change the primary email address for each user to user@contoso.com in the admin center.
D.Configure the MX record for contoso.com to point to Exchange Online.
Answer: C

After domain verification, you can update user email addresses.

Why this answer

Option C is correct because in Microsoft 365, after adding and verifying a custom domain, you must manually update each user's primary email address (User Principal Name and primary SMTP address) from the default onmicrosoft.com domain to the custom domain. This is done in the Microsoft 365 admin center under Users > Active Users, by editing the username and email fields. Simply adding the domain does not automatically change existing user addresses.

Exam trap

The trap here is that candidates assume adding and verifying a custom domain automatically updates existing user email addresses, when in fact it only makes the domain available for use, requiring manual or scripted updates per user.

How to eliminate wrong answers

Option A is wrong because removing the onmicrosoft.com domain is not possible—it is a reserved default domain that cannot be deleted, and doing so would break authentication and routing for users still using it. Option B is wrong because converting mailboxes to shared mailboxes and reassigning licenses does not change the primary email address; shared mailboxes have their own SMTP addresses and are not a mechanism for domain migration. Option D is wrong because configuring the MX record for contoso.com to point to Exchange Online is a DNS step for mail routing, but it does not change the primary email address of existing users; that requires explicit user attribute updates.

26
MCQ · medium

An administrator wants to receive real-time notifications for service incidents in Microsoft 365. The notifications must be sent to a Microsoft Teams channel instead of email. Which configuration should the administrator set up?

A.Configure a webhook connector in Microsoft Teams to subscribe to the Office 365 Service Communications API.
B.Configure an email notification rule in the Microsoft 365 admin center and forward it to a Teams email address.
C.Use Power Automate to check service health and post to Teams every 5 minutes.
D.Configure a message center alert to email and then use a third-party integration to post to Teams.
Answer: A

The Office 365 Service Communications API webhook allows Teams to receive service health notifications. Setting up the connector is the standard method.

Why this answer

Option A is correct because the Office 365 Service Communications API provides real-time webhook-based notifications for service incidents. By configuring a webhook connector in Microsoft Teams, the administrator can subscribe to this API and receive incident alerts directly in a Teams channel without polling or email forwarding.

Exam trap

The trap here is that candidates may assume Power Automate or email forwarding is sufficient for real-time needs, but the exam specifically tests the understanding that webhook subscriptions to the Service Communications API are the only method that guarantees real-time, push-based notifications to a Teams channel.

How to eliminate wrong answers

Option B is wrong because forwarding an email notification to a Teams email address does not provide real-time delivery; Teams email integration is asynchronous and subject to delays, and the admin center email rules do not support direct Teams channel posting. Option C is wrong because Power Automate polling every 5 minutes introduces latency and is not real-time; the requirement specifies real-time notifications, which the Service Communications API webhook delivers instantly. Option D is wrong because it adds unnecessary complexity and delay by relying on email as an intermediary and a third-party integration, whereas a native webhook connector directly subscribes to the API for immediate delivery.

27
MCQ · easy

You need to ensure that all Microsoft 365 users in your organization have a consistent password policy that requires passwords to be at least 12 characters and include complexity requirements. What should you configure?

A.Device compliance policy in Microsoft Intune
B.Outlook on the web mailbox policy
C.Password policy in Microsoft Entra ID
D.Data loss prevention policy in Microsoft Purview
Answer: C

Entra ID holds the password policy for cloud users.

Why this answer

Microsoft Entra ID (formerly Azure AD) is the identity service that enforces tenant-wide password policies for cloud-only user accounts. Configuring the password policy in Entra ID allows you to set minimum length (e.g., 12 characters) and complexity requirements (e.g., must include uppercase, lowercase, digits, and special characters) that apply to all Microsoft 365 users. This is the correct location because Entra ID is the authoritative source for authentication policies in a Microsoft 365 tenant.

Exam trap

The trap here is that candidates often confuse device-level password policies (Intune compliance) with user-level password policies (Entra ID), leading them to choose Option A when the question specifically asks for a consistent password policy for all Microsoft 365 users, not just for managed devices.

How to eliminate wrong answers

Option A is wrong because Device compliance policy in Microsoft Intune controls device-level settings (e.g., encryption, jailbreak detection) and can enforce password length on the device itself, but it does not set the cloud-based password policy for user accounts in Microsoft 365. Option B is wrong because Outlook on the web mailbox policy manages mailbox features and settings (e.g., message format, retention) and has no influence on password length or complexity requirements. Option D is wrong because Data loss prevention policy in Microsoft Purview is designed to protect sensitive data from being shared or leaked (e.g., credit card numbers, PII) and does not manage user authentication or password policies.

28
MCQ · easy

A company recently acquired another company and needs to allow users from the acquired tenant to access its SharePoint Online sites as guest users, but only if those users already have accounts in the acquired Azure AD tenant. Which Microsoft 365 feature should be configured?

A.Cross-tenant access settings for B2B collaboration
B.B2B direct connect
C.Multi-Geo
D.Tenant Restrictions
Answer: A

Cross-tenant access settings for B2B collaboration allow you to control which external tenants can be used for guest access and fine-tune authentication.

Why this answer

Cross-tenant access settings for B2B collaboration allow you to configure inbound and outbound access between two Azure AD tenants. By enabling B2B collaboration with the acquired tenant and setting the appropriate cross-tenant access policies, you can invite users who already have accounts in that tenant as guest users to access SharePoint Online sites. This ensures that only authenticated users from the acquired tenant are granted access, meeting the requirement.

Exam trap

The trap here is that candidates confuse B2B direct connect with B2B collaboration, assuming both provide guest access to SharePoint, but B2B direct connect is limited to Teams shared channels and does not support SharePoint guest invitations.

How to eliminate wrong answers

Option B (B2B direct connect) is wrong because it is designed for Teams Connect shared channels, not for granting guest access to SharePoint Online sites, and it does not support inviting users as guests with Azure AD accounts. Option C (Multi-Geo) is wrong because it addresses data residency and geographic location of tenant data, not cross-tenant user access or guest invitations. Option D (Tenant Restrictions) is wrong because it controls access to SaaS apps based on tenant ID via HTTP headers, but it does not enable inviting external users from another tenant as guests.

29
MCQ · easy

A user account was accidentally deleted 10 days ago. The administrator needs to restore the user's mailbox and OneDrive for Business content. Which method should the administrator use?

A.Recreate the user account with the same name, and the data will be automatically restored.
B.Restore the user from the 'Deleted users' page in the Microsoft 365 admin center.
C.Use the Exchange admin center to recover the mailbox only.
D.Submit a support request to Microsoft to recover the deleted data.
Answer: B

This is the correct method to restore a deleted user and their data within the 30-day soft-delete period.

Why this answer

Option B is correct because Microsoft 365 retains deleted user objects, including their Exchange Online mailbox and OneDrive for Business data, for 30 days in the 'Deleted users' list. Restoring the user from this page within the retention period automatically recovers the associated mailbox and OneDrive content without requiring separate tools or support requests.

Exam trap

The trap here is that candidates often confuse the 30-day soft-delete retention with the ability to simply recreate the user account, or they assume that separate admin centers are required for mailbox and OneDrive recovery, when in fact the unified 'Deleted users' restore handles both.

How to eliminate wrong answers

Option A is wrong because simply recreating a user account with the same name does not automatically restore the original mailbox or OneDrive data; the new account receives a fresh mailbox and OneDrive, and the deleted user's data remains in the recycle bin only if the original object is restored. Option C is wrong because the Exchange admin center can recover a soft-deleted mailbox only if the user object still exists or was recently deleted, but it cannot recover OneDrive for Business content, which requires the full user restoration from the Microsoft 365 admin center. Option D is wrong because Microsoft support is not needed for this scenario; the administrator can self-service restore the user from the 'Deleted users' page within the 30-day retention period without submitting a support request.

30
MCQ · medium

Your organization has a Microsoft 365 tenant configured with a custom domain contoso.com. Users report they cannot receive email from external senders; internal email works fine. You verify the MX record for contoso.com points to the Microsoft 365 mail exchanger. What should you check next?

A.Check the Exchange admin center for connector configuration.
B.Verify that an SPF TXT record exists for contoso.com.
C.Wait 48 hours for DNS propagation.
D.Verify that the MX record has a priority of 0.
Answer: B

External senders often reject mail if SPF is missing or misconfigured.

Why this answer

The most common cause of external email delivery failure after MX record configuration is a missing or incorrect SPF record. SPF is required to prevent spoofing and ensure delivery. Option B (Sender Policy Framework record) is correct.

Option A is wrong because Exchange admin center settings do not affect inbound mail flow at the DNS level. Option C is wrong because DNS propagation typically completes within minutes to hours; waiting longer is not a diagnostic step. Option D is wrong because the MX record is already verified.

31
MCQ · easy

A company has just purchased Microsoft 365 E3 licenses. They want to configure the default mailbox storage limit for all new users. Which setting should they modify?

A.Exchange admin center -> recipients -> mailboxes -> default mailbox quota
B.Microsoft 365 admin center -> Users -> Active users -> default storage limit
C.Exchange Online PowerShell: Set-OrganizationConfig -DefaultMailboxSize
D.Microsoft 365 admin center -> Org settings -> Mailbox storage
Answer: C

This cmdlet sets the default mailbox size for all new users in the organization.

Why this answer

Option C is correct because the default mailbox storage limit for all new users in Exchange Online is configured via the Set-OrganizationConfig cmdlet with the -DefaultMailboxSize parameter. This setting applies to mailboxes created after the change, overriding the default 50 GB limit for Microsoft 365 E3 licenses. The Exchange admin center and Microsoft 365 admin center do not expose this specific default quota setting for new mailboxes.

Exam trap

The trap here is that candidates assume the default mailbox quota can be set via the Exchange admin center's 'default mailbox quota' option, but that setting applies to mailbox databases in on-premises Exchange, not Exchange Online, where the default is controlled at the organization level via PowerShell.

How to eliminate wrong answers

Option A is wrong because the Exchange admin center -> recipients -> mailboxes allows you to modify quotas for individual existing mailboxes, not set the default quota for all new users. Option B is wrong because the Microsoft 365 admin center -> Users -> Active users does not have a 'default storage limit' setting; storage limits are managed via Exchange Online. Option D is wrong because the Microsoft 365 admin center -> Org settings -> Mailbox storage does not exist; mailbox storage defaults are configured only through Exchange Online PowerShell or the Exchange admin center's default mailbox quota settings (which are per-database, not per-tenant).

32
MCQ · easy

An administrator has created a new user account in Microsoft Entra ID. To ensure the user has a mailbox in Exchange Online, what is the next step?

A.Assign an Exchange Online license to the user
B.Create an Exchange mailbox manually
C.Run the Microsoft 365 Setup wizard
D.Configure DNS records for the domain
Answer: A

A license that includes Exchange Online (e.g., Office 365 E3) triggers mailbox provisioning.

Why this answer

In Microsoft 365, a user must be assigned an Exchange Online license (part of an E3, E5, or standalone plan) before a mailbox is automatically provisioned in Exchange Online. Without a license, the user object exists in Entra ID but has no mailbox; the license assignment triggers the mailbox creation process within 24 hours.

Exam trap

The trap here is that candidates often think creating the user in Entra ID or configuring DNS automatically provisions a mailbox, but Microsoft 365 requires an explicit license assignment to enable the Exchange Online service plan for that user.

How to eliminate wrong answers

Option B is wrong because Exchange Online does not support manually creating a mailbox; mailboxes are automatically provisioned when a license is assigned, and manual creation is only possible in on-premises Exchange Server. Option C is wrong because the Microsoft 365 Setup wizard is used for initial tenant configuration (e.g., adding a domain or setting up admin accounts), not for provisioning a mailbox for an existing user. Option D is wrong because DNS records (MX, SPF, etc.) are required for mail routing to the tenant, but they do not create a mailbox; the mailbox must exist first via license assignment.

33
MCQ · medium

Your organization plans to migrate from on-premises Exchange to Exchange Online. You need to ensure minimal disruption during the migration. Which approach should you recommend?

A.Deploy a hybrid configuration and migrate mailboxes in batches.
B.Perform a cutover migration during a weekend.
C.Use IMAP migration to migrate all mailboxes in parallel.
D.Use a third-party migration tool for a one-time bulk migration.
Answer: A

Hybrid migration allows gradual migration with coexistence.

Why this answer

A hybrid migration allows you to gradually move mailboxes while maintaining coexistence, minimizing disruption. Option B is wrong because a cutover migration is disruptive and only suitable for small organizations. Option C is wrong because IMAP migration does not migrate calendar/contacts fully.

Option D is wrong because a third-party tool is unnecessary for standard migrations.

34
MCQ · hard

Your company recently acquired a subsidiary that uses a different Microsoft 365 tenant. You are tasked with merging the two tenants into one. The subsidiary has 1,500 users with unique email domains. You need to migrate all users, mailboxes, and SharePoint data while minimizing downtime and preserving data integrity. You have access to both tenants as global admin. What should you do first?

A.Add the subsidiary's domain to the primary tenant, then delete the subsidiary tenant and recreate users
B.Use the Microsoft 365 Merger Center in the admin portal
C.Use a third-party migration tool such as BitTitan MigrationWiz to perform the migration
D.Use Microsoft's native tenant-to-tenant migration by moving mailboxes via PowerShell and exporting SharePoint content
Answer: C

Third-party tools are designed for cross-tenant migrations with minimal downtime and data integrity.

Why this answer

Option C is correct because Microsoft does not provide a native tool for merging two tenants; third-party tools like BitTitan MigrationWiz are designed specifically for cross-tenant migrations, supporting mailbox, SharePoint, and user data migration with minimal downtime and data integrity. These tools handle directory synchronization, mailbox rehydration, and SharePoint content mapping, which are critical for a 1,500-user migration with unique domains.

Exam trap

The trap here is that candidates assume Microsoft provides a native 'merger' tool or that PowerShell alone can handle a full tenant merge, overlooking the lack of built-in cross-tenant SharePoint migration capabilities and the need for specialized third-party solutions.

How to eliminate wrong answers

Option A is wrong because deleting the subsidiary tenant and recreating users would cause permanent data loss (mailboxes, SharePoint content) and cannot preserve data integrity; domain addition alone does not migrate data. Option B is wrong because there is no 'Microsoft 365 Merger Center' in the admin portal; this is a fabricated feature that does not exist. Option D is wrong because native tenant-to-tenant migration via PowerShell is limited to mailbox moves (using New-MoveRequest with cross-tenant prerequisites) and does not support SharePoint data migration; exporting and importing SharePoint content via PowerShell is complex, error-prone, and not designed for large-scale migrations with minimal downtime.

35
MCQ · medium

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a custom PowerShell script that runs in the user context after every device restart. Which Intune policy type should you use?

A.Compliance policy
B.PowerShell script as a 'Run this script using the logged on credentials' assignment.
C.Microsoft Intune PowerShell scripts (Devices > Scripts)
D.Device configuration profile
Answer: C

Intune PowerShell scripts can run in user context and on restart.

Why this answer

Option C is correct because Microsoft Intune PowerShell scripts (Devices > Scripts) allow you to deploy custom PowerShell scripts that run in the user context on Windows 10 devices. By configuring the script with 'Run this script using the logged on credentials' and setting the schedule to 'Run once per device' or 'Run on every device restart', you can ensure the script executes after every restart. This is the only Intune policy type designed specifically for deploying and managing custom PowerShell scripts with user context and restart-triggered execution.

Exam trap

The trap here is that candidates confuse the 'Run this script using the logged on credentials' setting (a configuration option within the PowerShell scripts feature) with a separate policy type, leading them to select Option B instead of recognizing that the correct policy type is 'Microsoft Intune PowerShell scripts (Devices > Scripts)'.

How to eliminate wrong answers

Option A is wrong because Compliance policies evaluate device settings against compliance rules and cannot run custom PowerShell scripts; they are used for conditional access and remediation actions, not script deployment. Option B is wrong because 'PowerShell script as a 'Run this script using the logged on credentials' assignment' is not a standalone policy type; it is a configuration option within the Intune PowerShell scripts feature (Devices > Scripts), and the question asks for the policy type, not a setting. Option D is wrong because Device configuration profiles manage settings via CSPs (Configuration Service Providers) and cannot execute arbitrary PowerShell scripts; they are limited to predefined settings and policies.

36
Multi-Select · medium

You are the Microsoft 365 administrator for a large enterprise. You need to ensure that only users with a valid business justification can access sensitive data stored in SharePoint Online. The solution must enforce access reviews and provide detailed reports for auditors. Which TWO actions should you take?

Select 2 answers
A.Configure access reviews in Microsoft Entra ID Governance for the SharePoint site.
B.Deploy Microsoft Defender for Cloud Apps and create a session policy to monitor access.
C.Enable audit logging in Microsoft Purview and generate detailed access reports.
D.Apply a sensitivity label to the SharePoint site and require justification for label change.
E.Create a data loss prevention (DLP) policy to block unauthorized sharing.
AnswersA, C

Access reviews enable periodic attestation of access, meeting the requirement for business justification and audit reports.

Why this answer

Option A is correct because access reviews in Microsoft Entra ID Governance allow you to require users to attest to their continued need for access. Option C is correct because enabling audit logging in Microsoft Purview captures all access events and generates reports for auditors. Option B is wrong because Microsoft Defender for Cloud Apps is for cloud access security broker (CASB) capabilities, not directly for access reviews.

Option D is wrong because sensitivity labels are for classification and protection, not access reviews. Option E is wrong because data loss prevention (DLP) policies prevent data exfiltration but do not perform access reviews.

37
MCQeasy

Your organization is migrating from on-premises Exchange to Exchange Online. You need to ensure that users can access their mailboxes during the migration with minimal interruption. Which migration method should you use?

A.Minimal hybrid migration.
B.Cutover migration.
C.Staged migration.
D.IMAP migration.
AnswerA

Allows moving mailboxes in batches with minimal user impact.

Why this answer

Option A is correct because a minimal hybrid migration allows you to move mailboxes in batches with minimal downtime. Option B is wrong because a cutover migration requires all mailboxes to be moved at once, causing interruption. Option D is wrong because an IMAP migration does not preserve calendar and contacts.

Option C is wrong because a staged migration supports multiple batches but requires coexistence.

38
MCQeasy

Your organization uses Microsoft 365 Business Premium. You need to ensure that all Windows 10 devices are enrolled in Microsoft Intune and comply with a device compliance policy that requires BitLocker encryption and a minimum OS version. What should you do first?

A.Configure automatic enrollment in Microsoft Entra ID for Windows 10 devices.
B.Install the Intune Connector for Active Directory on a domain controller.
C.Deploy a configuration profile to enable BitLocker.
D.Create a device compliance policy in Microsoft Intune.
AnswerA

Automatic enrollment ensures devices are enrolled in Intune when they join Microsoft Entra ID.

Why this answer

To enforce Intune compliance policies on Windows 10 devices, the devices must first be enrolled in Intune. Automatic enrollment in Microsoft Entra ID (formerly Azure AD) is the prerequisite step that enables Windows 10 devices to automatically enroll in Intune when they join or are registered with Entra ID. Without this enrollment configured, no Intune policies—including compliance policies—can be applied to the devices.

Exam trap

The trap here is that candidates often jump to creating a compliance policy or deploying a configuration profile first, forgetting that without automatic enrollment enabled, Intune has no management relationship with the devices to apply those policies.

How to eliminate wrong answers

Option B is wrong because the Intune Connector for Active Directory is used for on-premises AD-joined devices to synchronize with Entra ID and enable hybrid Azure AD join, but it is not the first step required for Intune enrollment and compliance; automatic enrollment must be configured first. Option C is wrong because deploying a configuration profile to enable BitLocker is a subsequent step that can only be applied after devices are enrolled in Intune; it does not cause enrollment itself. Option D is wrong because creating a device compliance policy is also a later step that requires devices to already be enrolled in Intune; the policy cannot be assigned or evaluated until enrollment is established.

39
MCQhard

You are reviewing a conditional access policy in Microsoft Entra ID. The policy is intended to block legacy authentication. However, users are still able to connect using Exchange ActiveSync without modern authentication. What is the most likely reason?

A.The policy does not include the 'All' client apps condition; it only includes specific client app types.
B.The policy is not assigned to the affected users.
C.The grant control 'Block' is not supported for legacy authentication.
D.The policy is in report-only mode.
AnswerA

The policy only blocks 'exchangeActiveSync' and 'otherClients', but some legacy clients (like Outlook for iOS using basic auth) fall under 'mobile apps and desktop clients', which are not blocked.

Why this answer

Option A is correct because Conditional Access policies that block legacy authentication must include the 'All' client apps condition to cover Exchange ActiveSync (EAS). If the policy only targets specific client app types (e.g., browser or mobile apps and desktop clients) but omits 'All', EAS traffic using legacy authentication bypasses the policy. EAS is a separate client app type that requires explicit inclusion via the 'All' option to enforce blocking.

Exam trap

The trap here is that candidates assume selecting 'Mobile apps and desktop clients' covers all non-browser clients, but Exchange ActiveSync is a distinct legacy protocol that requires the 'All' client apps condition to be blocked.

How to eliminate wrong answers

Option B is wrong because if the policy were not assigned to the affected users, no users would be blocked; the question states that users are still able to connect, implying the policy is assigned but does not cover EAS. Option C is wrong because the 'Block' grant control is fully supported for legacy authentication protocols, including EAS, when the policy is correctly configured. Option D is wrong because report-only mode would log the policy evaluation without blocking access; although that would also let users keep connecting, the scenario described points to the missing 'All' client apps condition as the most likely reason, not the policy mode.

40
Multi-Selecteasy

Which TWO are valid methods for adding custom domains to Microsoft 365?

Select 2 answers
A.Using the New-MsolDomain PowerShell cmdlet.
B.Using the Exchange admin center (EAC).
C.Using the Azure AD B2C tenant configuration.
D.Using the 'Add domain' wizard in the Microsoft 365 admin center.
E.Using the Windows DNS Manager console.
AnswersA, D

PowerShell can add and verify domains.

Why this answer

Option A is correct because the `New-MsolDomain` PowerShell cmdlet is a valid method for adding a custom domain to Microsoft 365. This cmdlet, part of the Azure Active Directory Module for Windows PowerShell, registers the domain in the tenant's directory, which is a prerequisite for verifying ownership and configuring services like Exchange Online or SharePoint Online.

Exam trap

The trap here is that candidates confuse the Exchange admin center's ability to manage 'accepted domains' with the initial domain addition process, or they mistakenly think on-premises DNS tools like Windows DNS Manager can directly add domains to Microsoft 365, when in fact they only handle the DNS verification records after the domain is registered in the tenant.

41
MCQeasy

An administrator wants to add custom branding to the Microsoft 365 sign-in page, including company logo and colors. Which section of the Microsoft 365 admin center should they navigate to?

A.Users > Active users
B.Settings > Org settings > Organization profile
C.Admin centers > Azure Active Directory
D.Billing > Licenses
AnswerB

Correct. Organization profile contains the custom branding settings for the sign-in page.

Why this answer

The custom branding for the Microsoft 365 sign-in page, including company logo and colors, is configured under Settings > Org settings > Organization profile in the Microsoft 365 admin center. This section provides a dedicated 'Custom branding' tab where administrators can upload a logo, set a background image, and choose accent colors that are applied to the sign-in page for all users in the tenant.

Exam trap

The trap here is that candidates often confuse the Microsoft 365 admin center path with the Azure Active Directory admin center path, both of which have branding settings, but the question explicitly asks for the Microsoft 365 admin center navigation, making the Azure AD path (Option C) a distractor.

How to eliminate wrong answers

Option A is wrong because Users > Active users is used for managing individual user accounts, passwords, and licenses, not for tenant-wide branding settings. Option C is wrong because Admin centers > Azure Active Directory opens the Azure AD portal, which does contain branding settings (under 'Company branding'), but the question specifically asks for the Microsoft 365 admin center navigation path, not the Azure AD portal. Option D is wrong because Billing > Licenses is used to assign and manage subscription licenses, not to configure sign-in page branding.

42
MCQhard

Refer to the exhibit. You are reviewing a Conditional Access policy in Microsoft Entra ID. What is the effect of this policy?

A.All users accessing all cloud apps are required to use MFA
B.Access to Office 365 from iOS and Android is blocked
C.All users on iOS or Android devices accessing Office 365 must use MFA and a compliant device
D.Users on mobile devices are required to use hybrid Azure AD joined devices
AnswerC

The policy includes both MFA and compliantDevice controls.

Why this answer

Option C is correct because the policy shown in the exhibit explicitly targets 'All users' and 'Office 365' as the cloud app, with conditions for 'iOS' and 'Android' device platforms. The grant controls require both 'Require multi-factor authentication' and 'Require device to be marked as compliant', meaning any user on an iOS or Android device accessing Office 365 must satisfy both MFA and device compliance. This is a common Conditional Access policy to enforce secure access from mobile devices.

Exam trap

The trap here is that candidates may misinterpret 'Require device to be marked as compliant' as requiring hybrid Azure AD join, but compliance is a separate concept managed by Intune and does not mandate hybrid join.

How to eliminate wrong answers

Option A is wrong because the policy does not apply to 'All cloud apps' — it is scoped specifically to 'Office 365' cloud app, not all cloud apps. Option B is wrong because the policy does not block access; it grants access only if MFA and device compliance are satisfied, which is a conditional grant, not a block. Option D is wrong because the policy does not require hybrid Azure AD joined devices; it requires the device to be marked as compliant, which can be achieved through Intune enrollment and compliance policies, not necessarily hybrid join.

43
MCQhard

You are a Microsoft 365 administrator for a multinational company. The security team reports that a large number of failed sign-in attempts are originating from unexpected IP ranges. The company uses Microsoft Entra ID for identity. What should you configure to automatically block these malicious sign-ins?

A.Enable Security defaults in the tenant
B.Configure Identity Protection user risk policy to block high-risk users
C.Enable Azure AD Multi-Factor Authentication for all users
D.Create a Conditional Access policy to block access from those IP ranges
AnswerD

Conditional Access can block sign-ins from specified locations or IP ranges.

Why this answer

The correct solution is a Conditional Access policy with a location condition to block access from those IP ranges. Option C (MFA) does not block by IP. Option B (Identity Protection) can detect risk but does not directly block by IP.

Option A (Security defaults) is basic and may not allow custom IP blocking.

44
MCQeasy

An administrator wants to add a custom domain 'contoso.com' to a new Microsoft 365 tenant. The domain is already registered and available. What is the first step the administrator should perform in the Microsoft 365 admin center?

A.Add the domain and verify ownership by creating a TXT record
B.Create user accounts with the new domain
C.Configure email routing with MX records
D.Set up SharePoint Online with the new domain
AnswerA

Correct. Domain verification is required before using the domain for services.

Why this answer

The first step when adding a custom domain to a Microsoft 365 tenant is to add the domain in the admin center and then verify ownership by creating a TXT record in the domain's DNS zone. This proves you control the domain before any services (like email or SharePoint) can be configured. Without verification, Microsoft 365 will not allow further domain-related setup.

Exam trap

The trap here is that candidates may think MX record configuration is the first step because they associate domains primarily with email, but Microsoft 365 requires ownership verification via TXT record before any service-specific DNS changes are allowed.

How to eliminate wrong answers

Option B is wrong because user accounts cannot be created with the new domain until the domain is verified; attempting to do so will fail. Option C is wrong because configuring email routing with MX records is a later step that requires the domain to be verified first. Option D is wrong because setting up SharePoint Online with the new domain also depends on prior domain verification and is not the initial step.

45
MCQhard

Your organization is implementing Microsoft Purview Data Loss Prevention (DLP) policies to protect sensitive data in Microsoft Teams. You need to ensure that DLP policies apply to both chat and channel messages. What should you configure?

A.Configure a DLP policy for Exchange Online to cover Teams messages.
B.Assign a sensitivity label to the Teams with a DLP policy attached.
C.Create two separate DLP policies: one for chat and one for channels.
D.Create a single DLP policy with the Teams location selected.
AnswerD

Selecting Teams location automatically applies to both chat and channel messages.

Why this answer

Option D is correct because Microsoft Purview DLP policies can be configured to include the Teams location, which automatically covers both chat and channel messages. When you select the Teams location in a single DLP policy, it applies to all Teams communications, including 1:1 chats, group chats, and channel conversations, without needing separate policies.

Exam trap

The trap here is that candidates often think chat and channel messages require separate DLP policies due to their different storage locations, but Microsoft Purview abstracts this complexity by allowing a single Teams location selection that covers both.

How to eliminate wrong answers

Option A is wrong because Exchange Online DLP policies only cover email and Teams messages that are stored in Exchange mailboxes (e.g., chat messages), but they do not cover channel messages, which are stored in SharePoint and OneDrive. Option B is wrong because sensitivity labels can be used to classify and protect content, but they are not directly attached to DLP policies; DLP policies can use sensitivity labels as conditions, but assigning a label to a team does not enforce DLP. Option C is wrong because creating two separate DLP policies for chat and channels is unnecessary and inefficient; a single DLP policy with the Teams location selected covers both chat and channel messages automatically.

46
MCQhard

Your organization has a hybrid identity with Microsoft Entra Connect. You need to migrate from federation to password hash synchronization with seamless single sign-on (SSO). The migration must have minimal user impact. Which tool should you use?

A.Microsoft Entra Connect migration tool (Convert domain from federated to managed)
B.IdFix tool
C.AD FS Management console
D.Azure AD Connect wizard
AnswerA

This tool performs the conversion with minimal user impact.

Why this answer

The Microsoft Entra Connect migration tool (Convert domain from federated to managed) is the correct choice because it automates the conversion of federated domains to managed domains while enabling password hash synchronization (PHS) and seamless SSO. This tool minimizes user impact by allowing a staged migration where users can continue authenticating via federation until the conversion is complete, and it handles the necessary configuration changes in Azure AD and on-premises Active Directory.

Exam trap

The trap here is that candidates may confuse the Azure AD Connect wizard (which can enable PHS) with the dedicated migration tool, not realizing that the wizard lacks the specific domain conversion and staged rollback capabilities needed for a low-impact migration from federation.

How to eliminate wrong answers

Option B is wrong because IdFix is a data cleanup tool for synchronizing on-premises Active Directory objects to Azure AD, not a tool for converting authentication methods from federation to PHS. Option C is wrong because the AD FS Management console is used to manage and configure AD FS servers and trusts, not to convert a federated domain to managed authentication in Azure AD. Option D is wrong because the Azure AD Connect wizard (now Microsoft Entra Connect wizard) is used for initial setup and configuration of synchronization, including enabling PHS, but it does not provide a dedicated migration path from federation to managed domains with minimal user impact; the separate migration tool is designed specifically for that purpose.

47
MCQeasy

A company has recently acquired a smaller organization and needs to consolidate both Microsoft 365 tenants. They want to minimize user disruption and retain existing email addresses. Which approach should they use?

A.Configure a hybrid deployment with Exchange Server
B.Perform a cross-tenant mailbox migration
C.Delete all users from the acquired tenant and recreate them in the parent tenant
D.Set up a federation trust between the tenants
AnswerB

Cross-tenant migration moves mailboxes and retains email addresses, minimizing disruption.

Why this answer

Option B is correct because cross-tenant mailbox migration allows you to move mailboxes between two Microsoft 365 tenants while preserving the users' existing email addresses and minimizing disruption. This approach uses the Microsoft 365 native migration capabilities, specifically the cross-tenant mailbox migration feature, which supports moving mailboxes with their primary SMTP addresses and associated data without requiring on-premises Exchange Server.

Exam trap

The trap here is that candidates often confuse cross-tenant mailbox migration with federation trust or hybrid deployment, assuming that any inter-tenant connectivity solution can consolidate mailboxes, but only the cross-tenant migration feature directly moves mailbox data while preserving email addresses.

How to eliminate wrong answers

Option A is wrong because configuring a hybrid deployment with Exchange Server is unnecessary and adds complexity; it is designed for integrating on-premises Exchange with a single tenant, not for migrating mailboxes between two separate Microsoft 365 tenants. Option C is wrong because deleting all users from the acquired tenant and recreating them in the parent tenant would cause significant user disruption, loss of mailbox data, and require new email addresses unless manually reassigned, which contradicts the goal of minimizing disruption and retaining existing email addresses. Option D is wrong because setting up a federation trust between tenants enables authentication and sharing features but does not migrate mailboxes or consolidate tenants; it is used for cross-tenant collaboration, not for moving user data.

48
Multi-Selectmedium

As a Microsoft 365 administrator, you need to manage tenant health and adoption effectively. Which three of the following tools or features should you use to monitor and improve your Microsoft 365 tenant's performance and user engagement? (Choose three.)

Select 3 answers
.Microsoft 365 admin center dashboard to view service health, message center posts, and usage reports.
.Microsoft 365 usage analytics in Power BI to gain deeper insights into adoption trends.
.Azure AD Identity Protection to detect sign-in risks and block compromised accounts.
.Microsoft 365 network connectivity test tool to evaluate network performance for Microsoft 365 services.
.Microsoft 365 Adoption Score (formerly Productivity Score) to track user engagement with Microsoft 365 apps.
.Microsoft Purview compliance portal to enforce data loss prevention policies.

Why this answer

The Microsoft 365 admin center dashboard provides a centralized view of service health, message center posts, and usage reports, enabling administrators to monitor service availability, planned changes, and user activity. This is a core tool for maintaining tenant health and tracking adoption.

Exam trap

The trap here is that candidates may confuse security or compliance tools (like Azure AD Identity Protection or Purview) with health and adoption monitoring tools, or select the network connectivity test tool thinking it measures overall tenant performance rather than just network latency.

49
MCQmedium

You are a Microsoft 365 administrator. You need to allow external users to access a SharePoint Online site without requiring them to sign in. Which sharing setting should you enable?

A.Set the sharing option to 'Existing guests' and send an invitation.
B.Set the sharing option to 'Only people in your organization' and use a direct link.
C.Set the sharing option to 'New and existing guests' and require guest sign-in.
D.Set the sharing option to 'Anyone' (Anonymous) for the site.
AnswerD

This allows anyone with the link to access without sign-in.

Why this answer

Option D is correct because setting the SharePoint Online site sharing option to 'Anyone' (Anonymous) allows external users to access the site without signing in. This creates an anonymous access link that bypasses authentication, meeting the requirement of no sign-in for external users.

Exam trap

The trap here is that candidates often confuse 'Anyone' (anonymous) sharing with guest sharing options, mistakenly thinking that 'New and existing guests' allows anonymous access, but it actually requires sign-in for all external users.

How to eliminate wrong answers

Option A is wrong because 'Existing guests' requires recipients to have a guest account and sign in, which contradicts the 'without requiring them to sign in' requirement. Option B is wrong because 'Only people in your organization' restricts access to internal users only, blocking external users entirely. Option C is wrong because 'New and existing guests' requires all external users to sign in with a Microsoft account or Azure AD guest identity, which does not meet the no-sign-in condition.

50
MCQmedium

Your organization is planning to deploy Microsoft 365 for 500 users. You need to ensure that all users can authenticate using their on-premises Active Directory credentials while also enabling self-service password reset (SSPR) in the cloud. Which configuration should you implement?

A.Pass-through authentication with Microsoft Entra Connect
B.Cloud-only identities with Microsoft Entra ID
C.Federated identity with Active Directory Federation Services (ADFS)
D.Password hash synchronization with Microsoft Entra Connect and SSPR enabled
AnswerD

Password hash sync allows cloud SSPR while using on-premises credentials.

Why this answer

Password hash synchronization (PHS) with Microsoft Entra Connect synchronizes on-premises AD password hashes to Microsoft Entra ID, enabling users to authenticate with their on-premises credentials in the cloud. When SSPR is enabled in Microsoft Entra ID, users can reset their cloud passwords, and with password writeback enabled, the new password is written back to on-premises AD, ensuring both environments remain in sync. This combination meets the requirement for on-premises authentication and cloud SSPR without the complexity of federation.

Exam trap

The trap here is that candidates often assume federated identity (ADFS) is required for on-premises authentication, but password hash synchronization with SSPR and password writeback provides a simpler, fully supported solution that meets both requirements without the overhead of federation.

How to eliminate wrong answers

Option A is wrong because pass-through authentication validates passwords directly against on-premises AD without storing password hashes in the cloud, which prevents SSPR from functioning since Microsoft Entra ID has no password hash to reset. Option B is wrong because cloud-only identities do not use on-premises Active Directory credentials, failing the requirement to authenticate with on-premises AD credentials. Option C is wrong because federated identity with ADFS relies on on-premises authentication and does not inherently support cloud-based SSPR; while SSPR can be configured with federation, it requires additional components like password writeback and is more complex than the PHS solution, making it not the recommended configuration for this straightforward scenario.

51
Multi-Selecthard

Which THREE settings must be configured to set up a hybrid identity deployment using password hash synchronization?

Select 3 answers
A.Install and configure Microsoft Entra Connect.
B.Configure Seamless Single Sign-On (SSO).
C.Enable password hash synchronization in Entra Connect.
D.Deploy Active Directory Federation Services (AD FS).
E.Configure Pass-Through Authentication.
AnswersA, B, C

Entra Connect synchronizes directories.

Why this answer

Option A is correct because Microsoft Entra Connect (formerly Azure AD Connect) is the essential tool that bridges on-premises Active Directory with Microsoft Entra ID. It must be installed and configured to enable directory synchronization, which is the foundation for any hybrid identity deployment, including password hash synchronization.

Exam trap

The trap here is that candidates often confuse password hash synchronization with Pass-Through Authentication or AD FS, thinking all three are required for hybrid identity, when in fact password hash sync is a standalone method that only needs Entra Connect and the sync feature enabled.

52
MCQeasy

A company recently added the custom domain 'contoso.com' to their Microsoft 365 tenant. Users report that they cannot receive external email sent to their new domain addresses. The administrator confirmed that the domain status shows 'Active' in the Microsoft 365 admin center. What is the most likely cause of this issue?

A.The domain was not verified with a TXT record.
B.The MX record for the domain is missing or points to an incorrect mail server.
C.The SPF record for the domain is missing or incorrectly configured.
D.The custom domain was not added to the user's primary email address.
AnswerB

The MX record directs email to the correct mail server. If it is missing or incorrectly configured, external email will not reach Exchange Online mailboxes.

Why this answer

The domain status 'Active' in the Microsoft 365 admin center indicates that the domain has been successfully verified and added to the tenant. However, for external email to be delivered to users at that domain, the public MX record in DNS must point to Microsoft 365's mail servers (e.g., contoso-com.mail.protection.outlook.com). If the MX record is missing or points to an incorrect server, external senders cannot route email to the tenant, even though the domain is verified and active.

Exam trap

The trap here is that candidates see 'Active' domain status and assume all DNS configurations are correct, but Microsoft 365 separates domain verification (TXT record) from mail routing (MX record), so a verified domain can be 'Active' yet still unreachable for inbound email if the MX record is misconfigured.

How to eliminate wrong answers

Option A is wrong because the domain status shows 'Active', which means the TXT verification record was successfully validated; a missing TXT record would prevent the domain from reaching 'Active' status. Option C is wrong because an SPF record affects sender authentication and deliverability of outbound email, but does not prevent inbound email from being received; missing or incorrect SPF would not block external email from arriving at the mailbox. Option D is wrong because adding the custom domain to a user's primary email address is a separate step that affects the user's email address format, but even if not yet assigned, the domain can still receive email for any alias or accepted domain; the core issue is DNS routing, not user assignment.

53
MCQeasy

A company plans to migrate their email from an on-premises Exchange server to Exchange Online. They want to ensure that during the migration, mail sent to users who have already been migrated is delivered to Exchange Online, while mail for non-migrated users is delivered to on-premises. Which type of domain configuration should they use?

A.Coexistence domain
B.Shared domain
C.Split domain
D.Forwarding domain
AnswerC

Split domain configuration allows the same domain to have mailboxes both on-premises and in Exchange Online, with mail routed appropriately.

Why this answer

A split domain configuration is required when some mailboxes reside on-premises and others in Exchange Online during a migration. It uses MX records pointing to Exchange Online Protection (EOP) and internal mail flow connectors to route messages for migrated users to Exchange Online and non-migrated users to on-premises, ensuring each mailbox receives mail at its current location.

Exam trap

The trap here is that candidates confuse 'split domain' with 'hybrid deployment' or 'coexistence,' but the question specifically asks for the domain configuration type, not the overall migration method; Microsoft often tests the exact terminology for mail flow scenarios during phased migrations.

How to eliminate wrong answers

Option A is wrong because a coexistence domain is not a standard Exchange domain type; coexistence is a state achieved through hybrid configuration, not a specific domain configuration. Option B is wrong because a shared domain is not a recognized Exchange domain configuration; it might be confused with a shared mailbox or shared namespace, but it does not describe the routing logic needed for a phased migration. Option D is wrong because a forwarding domain is not a valid Exchange domain type; forwarding is a mailbox-level or transport rule action, not a domain-level configuration for split mail flow.

54
MCQeasy

Refer to the exhibit. You run the PowerShell command in a Microsoft 365 tenant. What does the output indicate?

A.The users who have the Global Administrator role.
B.The email addresses that receive service health notifications.
C.The members of the default Office 365 group.
D.The email addresses for billing inquiries.
AnswerB

TechnicalNotificationMails property stores notification recipients.

Why this answer

The PowerShell command `Get-ExchangeNotification` retrieves the email addresses configured to receive service health notifications for the Microsoft 365 tenant. The output shown lists these notification recipients, which are separate from administrative roles or billing contacts. Option B correctly identifies this as the set of email addresses that receive service health alerts.

Exam trap

The trap here is that candidates confuse the output of `Get-ExchangeNotification` with the Global Administrator role list or the default Office 365 group members, because service health notifications are often sent to admins, but the cmdlet specifically returns configured notification email addresses, not role assignments.

How to eliminate wrong answers

Option A is wrong because `Get-ExchangeNotification` does not query directory roles; it retrieves notification recipients for service health, not users with the Global Administrator role. Option C is wrong because the default Office 365 group (e.g., all users or a specific distribution group) is not the target of this cmdlet; `Get-ExchangeNotification` specifically returns service health notification settings, not group membership. Option D is wrong because billing inquiries are handled by separate billing contacts or subscriptions, not by the service health notification recipients returned by this cmdlet.

55
MCQeasy

You need to ensure that only users from your organization's on-premises Active Directory can access Microsoft 365 services. You have Microsoft Entra Connect configured. What is the simplest way to prevent cloud-only user accounts from signing in?

A.Configure a conditional access policy that blocks all users.
B.Delete the cloud-only users from Microsoft Entra ID.
C.Set the 'Block sign in' option to 'Yes' for all cloud-only users in the Microsoft Entra admin center.
D.Remove all licenses from cloud-only users.
AnswerC

Correct: This prevents sign-in for cloud-only users while allowing synced users.

Why this answer

Blocking sign-in for cloud-only users through each user's Sign-in settings directly prevents them from accessing services while leaving synchronized users unaffected. Option D is wrong because removing licenses doesn't block sign-in, only access to licensed services. Option B is wrong because deleting the users is a manual process and not scalable.

Option A is wrong because this would block all users, including the synchronized ones.

56
MCQeasy

You need to configure Microsoft Teams to allow external access for federation with another organization. The other organization uses a different domain. Which setting must you enable in the Teams admin center?

A.Network roaming policy for the external users.
B.Guest access in Teams settings.
C.Emergency calling policies.
D.External access with the domain of the other organization.
AnswerD

Correct: You enable federation by adding the external domain to the allowed list.

Why this answer

Option D is correct because to enable federation with another organization that uses a different domain, you must configure External access (also known as federation) in the Teams admin center. Specifically, you need to add the external domain to the allowed domain list under Teams > External access. This allows users in your tenant to communicate with users in the other organization via Teams, using the Session Initiation Protocol (SIP) federation protocol.

Exam trap

The trap here is that candidates often confuse Guest access (Azure AD B2B) with External access (federation), leading them to select Option B, but Guest access is for individual external users, not for domain-level federation with another organization.

How to eliminate wrong answers

Option A is wrong because Network roaming policy controls network configuration settings (such as bandwidth and IP ranges) for users when they are on different networks; it does not control cross-tenant federation. Option B is wrong because Guest access is for inviting external users as guests within your tenant (using Azure AD B2B), not for federating with another organization's entire domain. Option C is wrong because Emergency calling policies define how emergency calls (e.g., to 911) are handled and are unrelated to external federation settings.

57
MCQeasy

A new helpdesk administrator needs to be able to reset user passwords and manage user account properties, but should not be able to manage licenses or assign administrative roles. Which built-in role should be assigned?

A.Global Administrator
B.User Administrator
C.License Administrator
D.Helpdesk Administrator
AnswerB

The User Administrator can manage users and groups, reset passwords, and manage user licenses, but not administrative roles. This matches the requirement.

Why this answer

The User Administrator role in Microsoft Entra ID (formerly Azure AD) is the correct choice because it grants permissions to reset passwords and manage user account properties (such as display name, job title, and department) while explicitly excluding the ability to manage licenses or assign administrative roles. This role is designed for helpdesk staff who need to perform user management tasks without elevated privileges over licensing or role assignments.

Exam trap

The trap here is that the Helpdesk Administrator role sounds like the obvious choice for a helpdesk administrator, but it includes license management permissions, which the question explicitly prohibits, making the User Administrator the correct answer.

How to eliminate wrong answers

Option A is wrong because the Global Administrator role has unrestricted access to all administrative features, including managing licenses and assigning administrative roles, which violates the requirement to restrict those actions. Option C is wrong because the License Administrator role can only manage license assignments and subscriptions, but it cannot reset passwords or manage user account properties like job titles or department. Option D is wrong because the Helpdesk Administrator role can reset passwords and manage user properties, but it also includes the ability to manage licenses (via the Microsoft 365 admin center), which exceeds the required restrictions.

58
Multi-Selectmedium

Which TWO actions are required to configure a custom domain for your Microsoft 365 tenant?

Select 2 answers
A.Add an SPF TXT record in the public DNS zone.
B.Add a CNAME record for autodiscover.
C.Add an MX record in the public DNS zone.
D.Add the domain name in the Microsoft 365 admin center.
E.Verify domain ownership by adding a TXT record provided by Microsoft.
AnswersD, E

You must first register the domain in the admin center.

Why this answer

Option D is correct because adding the custom domain name in the Microsoft 365 admin center is the first step to register the domain with the tenant. Option E is correct because Microsoft requires you to prove ownership of the domain by adding a specific TXT record (or sometimes a CNAME or MX record) to the public DNS zone; this verification step ensures only the domain owner can configure it for the tenant.

Exam trap

The trap here is that candidates often confuse optional service-specific DNS records (like SPF, MX, or autodiscover CNAME) with the mandatory domain ownership verification record, leading them to select A, B, or C instead of the correct verification TXT record option.

59
MCQeasy

Your organization wants to use Microsoft Defender for Office 365 to protect against malicious links and attachments in email. Which Defender plan is required?

A.Microsoft Defender for Office 365 Plan 1.
B.Exchange Online Protection.
C.Microsoft Defender for Endpoint.
D.Microsoft Defender for Office 365 Plan 2.
AnswerA

Plan 1 includes Safe Links and Safe Attachments for email protection.

Why this answer

Microsoft Defender for Office 365 Plan 1 includes Safe Links and Safe Attachments, which are the specific features required to protect against malicious links and attachments in email. These features scan URLs and attachments in real time to block malicious content before it reaches users.

Exam trap

The trap here is that candidates often assume Plan 2 is required for any advanced protection, but Microsoft specifically designed Plan 1 to cover Safe Links and Safe Attachments, while Plan 2 adds post-breach investigation and automation features.

How to eliminate wrong answers

Option B is wrong because Exchange Online Protection (EOP) provides baseline anti-malware and anti-spam protection but does not include Safe Links or Safe Attachments, which are the advanced protections needed for malicious links and attachments. Option C is wrong because Microsoft Defender for Endpoint is designed to protect devices (endpoints) from threats, not to scan email links and attachments within Microsoft 365. Option D is wrong because Microsoft Defender for Office 365 Plan 2 includes all features of Plan 1 plus additional capabilities like threat investigation and automated response, but Plan 1 alone is sufficient for the stated requirement of protecting against malicious links and attachments.

60
MCQeasy

Your organization needs to enforce multi-factor authentication (MFA) for all users. You want to use a security default policy. What is the prerequisite?

A.Microsoft Entra ID Privileged Identity Management (PIM) must be enabled
B.The Microsoft Entra ID tenant must be on the Free tier or higher
C.Conditional Access policies must be disabled
D.Azure AD Premium P2 licenses must be assigned
AnswerB

Security defaults are available on all tiers.

Why this answer

Option B is correct because security defaults are available for all Microsoft Entra ID tenants, including the Free tier. Option A is wrong because PIM is not required. Option D is wrong because Azure AD Premium P2 is not required.

Option C is wrong because Conditional Access is not used with security defaults.

61
MCQeasy

An administrator wants to configure the company's organization profile in Microsoft 365, including the display name, technical contact, and privacy settings. Where should the administrator go in the Microsoft 365 admin center?

A.User management > Active users
B.Org settings > Organization profile
C.Setup > Onboarding
D.Billing > Licenses
AnswerB

This is the correct location to configure the organization's display name, technical contact, and privacy settings.

Why this answer

The organization profile, which includes the display name, technical contact, and privacy settings, is managed under 'Org settings' in the Microsoft 365 admin center. Specifically, the 'Organization profile' tab within 'Org settings' provides the interface to update these tenant-wide properties, such as the organization's display name (used in Microsoft 365 services and notifications) and the technical contact email (used for service communications). This is the correct location because these settings are tenant-level configurations, not user-specific or billing-related.

Exam trap

The trap here is that candidates often confuse 'Org settings' with 'Setup' or 'User management', mistakenly thinking that tenant-wide profile settings are part of user management or initial onboarding wizards, when in fact they are a distinct configuration area under 'Org settings'.

How to eliminate wrong answers

Option A is wrong because 'User management > Active users' is for managing individual user accounts, passwords, and licenses, not tenant-wide organization profile settings like the display name or technical contact. Option C is wrong because 'Setup > Onboarding' provides guided wizards for initial tenant setup and migration tasks, but does not include the organization profile settings; those are under 'Org settings'. Option D is wrong because 'Billing > Licenses' is for managing subscription licenses and billing details, not for configuring the organization's display name, technical contact, or privacy settings.

62
MCQmedium

An administrator needs to delegate the ability to manage user licenses, assign admin roles, and reset passwords to a group of users, but these users should not be able to modify tenant-level settings or billing. Which built-in role should be assigned?

A.Global Administrator
B.User Administrator
C.Helpdesk Administrator
D.License Administrator
AnswerB

Correct. This role allows managing user accounts, licenses, passwords, and delegating roles (except Global Admin), without modifying tenant settings or billing.

Why this answer

The User Administrator role is the correct choice because it grants the necessary permissions to manage user licenses, assign admin roles (except for a few high-privilege roles like Global Administrator), and reset passwords, while explicitly excluding access to tenant-level settings and billing. This role is designed for delegated user management without granting broader administrative control.

Exam trap

The trap here is that candidates often confuse the User Administrator role with the Helpdesk Administrator role, mistakenly thinking Helpdesk Administrator can assign admin roles, when in fact it lacks that permission entirely.

How to eliminate wrong answers

Option A is wrong because Global Administrator has unrestricted access to all tenant settings, including billing and tenant-level configurations, which violates the requirement to restrict those capabilities. Option C is wrong because Helpdesk Administrator can reset passwords and manage service requests but cannot assign admin roles or manage licenses, so it lacks the required permissions. Option D is wrong because License Administrator can only manage licenses and cannot assign admin roles or reset passwords, making it insufficient for the full set of tasks.

63
MCQmedium

Your organization's Microsoft Intune environment enforces device compliance policies for iOS devices. You need to ensure that only devices with a passcode that is at least 6 characters and have jailbreak detection enabled are considered compliant. What should you configure?

A.Configure a conditional access policy to require compliant devices.
B.Create a device configuration profile for iOS with the required settings.
C.Create an app protection policy for iOS to require passcode.
D.Create a device compliance policy for iOS with required passcode length and jailbreak detection.
AnswerD

Compliance policies define the conditions devices must meet to be compliant.

Why this answer

Device compliance policies in Microsoft Intune define the rules that devices must meet to be considered compliant, such as minimum OS version, passcode length, and jailbreak detection. Option D correctly specifies creating a compliance policy for iOS that requires a passcode of at least 6 characters and enables jailbreak detection, which directly enforces the stated requirements. Compliance policies are evaluated before granting access, and non-compliant devices can be blocked or marked for remediation.

Exam trap

The trap here is that candidates often confuse device compliance policies (which enforce device-level security requirements) with conditional access policies (which use compliance results to control access) or device configuration profiles (which push settings but do not evaluate compliance).

How to eliminate wrong answers

Option A is wrong because a conditional access policy requires compliant devices but does not define the compliance rules themselves; it references an existing compliance policy. Option B is wrong because a device configuration profile manages device settings (e.g., Wi-Fi, VPN, restrictions) but does not enforce compliance checks like passcode length or jailbreak detection. Option C is wrong because an app protection policy manages data protection at the app level (e.g., requiring a PIN for app access) and does not evaluate device-level compliance attributes such as jailbreak status or system passcode length.

64
Multi-Selectmedium

Your organization has a Microsoft 365 E5 tenant with Microsoft Defender for Cloud Apps. You need to discover and control the use of unsanctioned cloud apps. Which TWO actions should you take? (Choose two.)

Select 2 answers
A.Define sanctioned and unsanctioned app categories in Microsoft Defender for Cloud Apps
B.Deploy Microsoft Purview Data Loss Prevention policies
C.Configure Microsoft Entra ID App Registrations to log app usage
D.Use Cloud Discovery in Microsoft Defender for Cloud Apps to analyze traffic logs
E.Create a Conditional Access policy to block all unsanctioned apps
AnswersA, D

After discovery, you categorize apps to control access.

Why this answer

Option A is correct because Microsoft Defender for Cloud Apps allows you to define sanctioned and unsanctioned app categories within the Cloud Discovery dashboard. By categorizing apps, you can apply governance actions such as blocking or monitoring, which directly controls the use of unsanctioned cloud apps. This is a foundational step in managing app usage, as it enables automated policies to enforce your organization's cloud app governance.

Exam trap

The trap here is that candidates often confuse Conditional Access policies with the ability to block unsanctioned apps, but Conditional Access requires the app to be registered in Entra ID and cannot discover or block apps that are not already known to the tenant.

65
MCQeasy

An organization wants to authenticate users using their on-premises Active Directory without synchronizing passwords to Microsoft Entra ID. Which identity model should they choose?

A.Federated identity
B.Synchronized identity
C.Cloud-only identity
D.Microsoft-managed identity
AnswerA

Federated identity uses on-premises authentication (e.g., AD FS) and does not require password synchronization to the cloud.

Why this answer

Federated identity allows users to authenticate against on-premises Active Directory through a federation service such as AD FS, using protocols such as WS-Federation or SAML 2.0, without synchronizing password hashes to Microsoft Entra ID. This model relies on a trust relationship between the on-premises identity provider and Entra ID, ensuring passwords never leave the local environment.

Exam trap

Microsoft often tests the distinction between 'synchronized' and 'federated' identity, where candidates mistakenly think pass-through authentication (which still syncs user objects) qualifies as 'without synchronizing passwords'.

How to eliminate wrong answers

Option B is wrong because synchronized identity requires password hash synchronization or pass-through authentication, which either stores password hashes in Entra ID or validates them against on-prem AD but still involves synchronization of user objects. Option C is wrong because cloud-only identity creates and manages all user accounts solely in Entra ID, with no connection to on-premises Active Directory. Option D is wrong because Microsoft-managed identity is not a standard identity model for Microsoft 365; it refers to managed identities for Azure resources, not user authentication.

66
MCQeasy

A company has registered the custom domain 'contoso.com' and wants to host email for the subdomain 'sales.contoso.com' in Exchange Online. They have already verified the root domain. What additional step is required?

A.No additional step; subdomains are automatically verified after the root domain is verified.
B.Add 'sales.contoso.com' as a custom domain and verify ownership by adding a DNS TXT record.
C.Create a subdomain in Exchange Online using the Exchange admin center.
D.Modify the SPF record for the root domain to include 'sales.contoso.com'.
AnswerB

To use a subdomain, it must be added as a custom domain in the Microsoft 365 admin center and verified via a DNS TXT record or other allowed methods.

Why this answer

In Microsoft 365, verifying a root domain (e.g., contoso.com) does not automatically verify its subdomains. Each subdomain must be added as a separate custom domain in the Microsoft 365 admin center and verified by adding a unique DNS TXT record provided by Microsoft. This ensures that the organization proves ownership of the subdomain before it can be used for services like Exchange Online.

Exam trap

The trap here is that candidates assume domain verification in Microsoft 365 is hierarchical (like DNS delegation), but in reality, each subdomain is treated as an independent domain that must be explicitly added and verified.

How to eliminate wrong answers

Option A is wrong because subdomains are not automatically verified after the root domain is verified; each subdomain requires its own verification process via a DNS TXT record. Option C is wrong because you cannot create a subdomain in Exchange Online using the Exchange admin center; subdomains are managed as custom domains in the Microsoft 365 admin center, not within Exchange-specific tools. Option D is wrong because modifying the SPF record for the root domain is not a required step for hosting email on a subdomain; SPF records are used for sender authentication, not for domain verification.

67
MCQeasy

Your company is implementing Microsoft 365 Copilot for Microsoft 365. You need to ensure that Copilot can access data from across the organization, but only for users who have the appropriate permissions. What is the primary security boundary for Copilot data access?

A.Microsoft 365 permissions and sensitivity labels
B.A dedicated Copilot security group in Microsoft Entra ID
C.Microsoft Purview Information Protection labels
D.The geographic location of the data
AnswerA

Copilot respects existing permissions and labels to determine data access.

Why this answer

Option A is correct because Copilot uses the existing Microsoft 365 permissions model: users can only surface data they already have permission to see. Option B is wrong because there is no separate Copilot security group.

Option C is wrong because Copilot does not use Microsoft Purview Information Protection (formerly Azure Information Protection) labels as the primary boundary. Option D is wrong because Copilot respects user permissions, not data location.

68
MCQhard

Refer to the exhibit. You are reviewing an app registration in Microsoft Entra ID for the Microsoft Teams Admin Center. The permission shown is for another resource. What is the consequence of this permission configuration?

A.The app can access Microsoft Graph data without a signed-in user, and admin consent is required
B.The app can only be used by users who have consented to the permission
C.The app can access Teams data but not other Microsoft 365 data
D.The app can access Microsoft Graph on behalf of the signed-in user only
AnswerA

Application permissions require admin consent and run without a user context.

Why this answer

The exhibit shows an application permission (not a delegated permission) for Microsoft Graph, which means the app can access data without a signed-in user. Admin consent is required because application permissions grant tenant-wide access and cannot be consented to by individual users. This is why option A is correct.

Exam trap

Microsoft often tests the distinction between delegated permissions (requiring user consent and acting on behalf of a user) and application permissions (requiring admin consent and acting without a user), and the trap here is that candidates may confuse the 'signed-in user' requirement with delegated permissions, incorrectly assuming the app needs user consent or can only run with a user present.

How to eliminate wrong answers

Option B is wrong because application permissions do not require per-user consent; they require tenant-wide admin consent, and the app can be used by any user once admin consent is granted. Option C is wrong because the permission is for Microsoft Graph, which provides access to a broad range of Microsoft 365 data beyond just Teams, including Exchange, SharePoint, and more. Option D is wrong because application permissions are not delegated; they allow the app to act as itself without any signed-in user context, unlike delegated permissions which operate on behalf of the signed-in user.

69
Multi-Selecthard

Which THREE conditions must be met for a tenant-to-tenant migration of SharePoint Online content?

Select 3 answers
A.The destination site collection or OneDrive must already exist in the target tenant.
B.Cross-tenant trust must be established or a third-party migration tool must be used.
C.The source user performing the migration must be a global admin in the target tenant.
D.The target tenant must have an active Microsoft 365 subscription.
E.Both tenants must have at least one user with PowerShell access.
AnswersA, B, D

Content can only be migrated to an existing site.

Why this answer

Option A is correct because SharePoint Online tenant-to-tenant migration requires the destination site collection or OneDrive to already exist in the target tenant. The migration process copies content into a pre-provisioned container; it does not create the site or OneDrive automatically. This ensures that the target structure is ready to receive the migrated data without requiring dynamic provisioning during the migration.

Exam trap

The trap here is that candidates often assume global admin privileges are required across both tenants for migration, but in reality, SharePoint admin or site collection admin permissions suffice, and PowerShell access is not a prerequisite.

70
MCQhard

You manage a Microsoft 365 tenant for a multinational corporation. You need to implement Microsoft Purview Information Protection to automatically classify and protect documents containing credit card numbers. The solution must apply encryption automatically when a document is saved to SharePoint Online. What should you do?

A.Create an auto-labeling policy in Microsoft Purview that uses a sensitivity label configured with encryption.
B.Create a DLP policy in Microsoft Purview that blocks sharing of documents containing credit card numbers.
C.Configure client-side labeling via Microsoft 365 Apps to prompt users to label documents.
D.Set a default sensitivity label for SharePoint Online document libraries.
AnswerA

Auto-labeling can automatically apply a label with encryption based on sensitive info types.

Why this answer

Option A is correct because auto-labeling policies in Microsoft Purview can scan documents for sensitive information types (e.g., credit card numbers) and automatically apply a sensitivity label with encryption. Option B is wrong because DLP policies can block sharing but do not label documents. Option C is wrong because client-side labeling requires user interaction.

Option D is wrong because a default library label applies to all documents without specific conditions.

71
MCQhard

Your Microsoft 365 tenant contains sensitive financial data that must be retained for 7 years. You configure a retention policy in Microsoft Purview compliance portal. After 7 years, the data is still accessible to users. What is the most likely reason?

A.The retention policy does not include a deletion action.
B.A litigation hold is applied to the data.
C.The retention policy is configured to retain data for 7 years and then delete it.
D.The data is marked as a record and requires disposition review.
AnswerA

If the policy only retains data without deleting it, the data remains after the retention period.

Why this answer

Option A is correct because a retention policy in Microsoft Purview can be configured to only retain data without a deletion action. If the policy lacks a deletion action, data will be preserved for the specified period but will not be automatically removed after that period expires, leaving it accessible to users. The scenario describes data still being accessible after 7 years, which directly indicates that no deletion action was configured to remove the data at the end of the retention period.

Exam trap

The trap here is that candidates often assume a retention policy automatically deletes data after the retention period ends, but Microsoft Purview requires an explicit deletion action to be configured for automatic removal; otherwise, the data is retained indefinitely.

How to eliminate wrong answers

Option B is wrong because a litigation hold preserves data indefinitely and prevents deletion, but it does not cause data to remain accessible after a retention period ends if the retention policy itself lacks a deletion action; the hold would keep the data, but the core issue is the missing deletion action. Option C is wrong because if the retention policy were configured to retain data for 7 years and then delete it, the data would be automatically removed after 7 years and would not remain accessible to users. Option D is wrong because marking data as a record and requiring disposition review means the data must be manually reviewed and approved before deletion, but this does not automatically keep the data accessible after the retention period; disposition review can delay deletion but does not explain why data remains accessible without any deletion action.

72
MCQeasy

You need to ensure that only users from your organization can access a SharePoint Online site. Which setting should you configure?

A.Set the SharePoint Online external sharing setting to 'Only people in your organization'
B.Create a Conditional Access policy to block external users
C.Configure the Microsoft Entra ID external collaboration settings
D.Modify the site permissions to remove external users
AnswerA

This restricts access to internal users only.

Why this answer

Option A is correct because the SharePoint Online external sharing setting 'Only people in your organization' explicitly restricts all sharing and access to users who have a valid identity in your Microsoft Entra ID tenant. This setting prevents any external user (including guests) from accessing the site, regardless of how they were invited or authenticated. It is the most direct and effective control for limiting access to internal users only.

Exam trap

The trap here is that candidates often confuse tenant-level external collaboration settings (Microsoft Entra ID) with site-level external sharing settings (SharePoint Online), assuming that blocking external users in Entra ID automatically restricts access to SharePoint sites, which is not the case because SharePoint has its own independent sharing controls.

How to eliminate wrong answers

Option B is wrong because a Conditional Access policy can block external users from signing in, but it does not prevent external users who are already guests from accessing the site if they have been granted permissions through sharing. Option C is wrong because configuring the Microsoft Entra ID external collaboration settings controls the overall guest invitation behavior for the tenant, but it does not override the per-site external sharing setting; a site could still be shared externally if its own sharing setting allows it. Option D is wrong because modifying site permissions to remove external users is a manual, reactive approach that does not prevent future external sharing or access; it does not enforce a policy that blocks external users from being added or accessing the site.

73
MCQeasy

A new employee has been hired and their account already exists in the on-premises Active Directory. The administrator needs to provide the employee with access to Microsoft 365 services as quickly as possible. What is the most efficient way to enable the user?

A.Create a new cloud-only user in the Microsoft 365 admin center and assign a license.
B.Sync the on-premises user using Azure AD Connect and then assign the license.
C.Manually create a user in Microsoft Entra ID with the same name and assign license.
D.Use Azure AD B2B collaboration to invite the on-premises user as a guest.
AnswerB

This leverages existing identity, synchronizes to the cloud, and then a license is assigned to enable services.

Why this answer

Option B is correct because the user already exists in on-premises Active Directory, and the fastest way to enable Microsoft 365 access is to synchronize that identity using Azure AD Connect. Once synchronized, the user object appears in Microsoft Entra ID (formerly Azure AD), and the administrator can immediately assign a license without re-creating the account. This avoids the delays of manual creation or guest invitations and leverages the existing identity lifecycle.

Exam trap

The trap here is that candidates often confuse the speed of creating a new cloud user (Option A) with the efficiency of leveraging an existing synchronized identity, failing to recognize that synchronization is the intended and fastest path for hybrid environments.

How to eliminate wrong answers

Option A is wrong because creating a new cloud-only user would result in a duplicate identity that is not linked to the on-premises AD account, breaking password sync and future management. Option C is wrong because manually creating a user in Microsoft Entra ID with the same name does not establish a source-of-authority connection to the on-premises object, leading to conflicts and no automatic attribute synchronization. Option D is wrong because Azure AD B2B collaboration is designed for external guest access, not for enabling an internal employee with full Microsoft 365 services; it would create a separate guest identity without proper license assignment or directory integration.

74
Multi-Selectmedium

You are planning the initial deployment of a new Microsoft 365 tenant for Contoso Ltd. Which three of the following actions are required or recommended as part of the tenant provisioning and initial configuration process? (Choose three.)

Select 3 answers
Register a custom domain name (e.g., contoso.com) and verify ownership via DNS TXT record.
Assign Microsoft 365 licenses to all user accounts before creating the accounts.
Configure the default tenant-level password expiration policy to 90 days using the Microsoft 365 admin center.
Create the initial global administrator account with a strong, unique password and enable multi-factor authentication.
Set up a secondary domain as the default email domain to avoid conflicts with the initial onmicrosoft.com domain.
Configure tenant-wide service settings such as external sharing for SharePoint and OneDrive.

Why this answer

Registering and verifying a custom domain (e.g., contoso.com) via a DNS TXT record is required if email addresses and user identities are to use your own domain instead of the default onmicrosoft.com domain. Creating the initial global administrator account with a strong, unique password and enforcing multi-factor authentication (MFA) on it is the most important security step of provisioning, because that role can change every other setting; new tenants ship with security defaults enabled, which already require administrators to register for MFA, and the account should be kept for administration only, with a separate emergency-access account held in reserve. Configuring tenant-wide service settings, such as external sharing for SharePoint and OneDrive, is recommended during initial setup so the tenant matches organizational security and collaboration policy before users start creating content; tightening sharing later breaks links users already rely on.

Exam trap

The trap here is the 90-day password expiration option: Microsoft has not removed the tenant password expiration setting, but its current guidance, in line with NIST SP 800-63B, is to set passwords to never expire and to rely on MFA and banned-password checks instead, so configuring a 90-day policy is neither required nor recommended. The other two distractors fail on sequencing and on need: licenses can only be assigned to accounts that already exist, and the initial onmicrosoft.com domain conflicts with nothing, so no secondary domain has to be created to avoid a conflict.

75
MCQ · easy

An administrator has added the custom domain 'fabrikam.com' to their Microsoft 365 tenant and is now ready to verify ownership. Which type of DNS record should the administrator create in the public DNS zone to complete the verification?

A.MX record
B.TXT record
C.CNAME record
D.record
AnswerB

TXT records hold arbitrary text; Microsoft has you publish a unique verification string as a TXT record at the zone apex and queries public DNS for it.

Why this answer

To verify domain ownership in Microsoft 365, the administrator creates a TXT record in the public DNS zone whose value is the verification string shown in the Microsoft 365 admin center (of the form MS=msXXXXXXXX), at the host name of the domain itself (@, i.e. fabrikam.com). The TXT record is the standard DNS record type for ownership verification because it stores arbitrary text without affecting email routing or other services, and Microsoft 365 queries public DNS for that value to confirm the domain is under the administrator's control. The check can fail for a while after the record is published, because the resolvers Microsoft uses must see the new record; querying a public resolver for the domain's TXT records shows whether it has propagated before you click Verify.

Exam trap

The trap here is that candidates may confuse domain verification with email routing or service configuration and pick MX or CNAME; the standard ownership proof in Microsoft 365 is a TXT record carrying a unique verification string that must be entered exactly as provided.

How to eliminate wrong answers

Option A is wrong because MX records direct mail delivery, not ownership proof; the verification wizard does offer an MX-based fallback for DNS hosts that cannot publish TXT records (a special low-priority record that delivers no mail), but that is not the standard method the question asks for, and a real MX record pointing at the wrong server would disrupt mail flow. Option C is wrong because CNAME records alias one name to another, as for autodiscover or www redirection, and Microsoft 365 does not use them for ownership verification. Option D is wrong because 'record' is not a DNS record type; the required type is TXT, and the answer is incomplete without it.
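The domain registration and TXT verification described in question 74 (custom domain step) and question 75, done end to end with Microsoft Graph PowerShell and a public-resolver DNS check. This is an added example, not code from the question bank; the domain name and the resolver address are assumed values, and the way the TXT value is read from the SDK object is noted as an assumption in the code.

```powershell
# Added example (not from the original question bank). Requires the Microsoft.Graph SDK.
Connect-MgGraph -Scopes "Domain.ReadWrite.All"
$domain = "fabrikam.com"    # assumed domain

# 1. Register the domain with the tenant. It stays Unverified until step 4 succeeds.
New-MgDomain -BodyParameter @{ id = $domain } | Out-Null

# 2. Ask Microsoft which records prove ownership. The TXT entry carries the MS=msXXXXXXXX
#    value and belongs at the zone apex (host "@"), with whatever TTL the zone allows.
$records  = Get-MgDomainVerificationDnsRecord -DomainId $domain
$txt      = $records | Where-Object RecordType -eq 'Txt'
# Assumption about the SDK object shape: the derived-type property 'text' is surfaced
# in AdditionalProperties rather than as a typed property.
$expected = $txt.AdditionalProperties['text']
Write-Host "Publish a TXT record for '$($txt.Label)' with value '$expected' (TTL $($txt.Ttl))"

# 3. After publishing the record at the registrar, confirm a public resolver can see it.
#    Asking an external resolver (assumed: 8.8.8.8) avoids a stale answer from internal DNS.
$published = Resolve-DnsName -Name $domain -Type TXT -Server 8.8.8.8 -ErrorAction SilentlyContinue |
    Where-Object { $_.Strings -contains $expected }
if (-not $published) {
    throw "TXT value '$expected' is not visible yet for $domain; wait for propagation before verifying."
}

# 4. Tell Microsoft 365 to verify. On success the domain's IsVerified flag flips to True.
Confirm-MgDomain -DomainId $domain
(Get-MgDomain -DomainId $domain).IsVerified
```

Verification proves control of the domain and nothing else: the MX, CNAME and SRV records that actually route mail and point clients at Exchange, Teams and autodiscover are a separate step after `IsVerified` is true, which is why the MX and CNAME options in questions 74 and 75 are distractors rather than alternatives.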
