Microsoft 365 Administrator Expert Practice Test (MS-102)
Microsoft 365 Administrator Expert MS-102 Information
The Microsoft 365 Administrator Expert certification proves that you can manage Microsoft 365 for a business or school. It shows you understand how to set up accounts, manage identities, handle security, and keep data safe across Microsoft 365 services like Teams, Exchange, and SharePoint. You’ll also learn about managing compliance and using tools to protect sensitive information.
This exam is for IT professionals who already have experience with Microsoft 365 workloads and want to take on larger, organization-wide responsibilities. It covers everything from managing users and groups to configuring policies and monitoring system health. You’ll need to understand both the big picture and the details that keep a Microsoft 365 environment running smoothly every day.
To earn this certification, you’ll take the MS-102 exam, which replaces the older MS-100 and MS-101 tests. The exam focuses on tenant management, identity, security, and compliance. Passing it shows that you can manage Microsoft 365 across multiple services while ensuring a secure and efficient setup for users.
Practice tests and exam preparation
Taking practice tests, practice exams, and using practice questions can make a big difference when preparing for the Microsoft 365 Administrator Expert exam. Practice exams help you learn the format, timing, and difficulty level of real test questions. They also help identify areas where you need more study, such as compliance tools or identity management. At Crucial Exams, you can use Microsoft 365 Administrator Expert practice tests and practice questions to build confidence and improve your score before test day.

Free Microsoft 365 Administrator Expert MS-102 Practice Test
- 20 Questions
- Unlimited time
- Deploy and manage a Microsoft 365 tenant
- Implement and manage Microsoft Entra identity and access
- Manage security and threats by using Microsoft Defender XDR
- Manage compliance by using Microsoft Purview
While configuring a custom alert policy in the Microsoft 365 Defender portal, you need the policy to generate an alert only after a user receives five or more phishing messages within a 30-minute window. However, the fields to define the number of activities and the time interval are not available in the wizard. Which change enables you to expose and configure these threshold settings?
Change the alert category to Malware.
Switch the alert trigger to "When activities match rule conditions" instead of "Every time an activity matches."
Add the mailbox as a scoped entity instead of applying the policy to all users.
Set the policy severity to High.
Answer Description
The ability to enter a numeric threshold and time window is exposed only when the alert policy is set to trigger "when activities match rule conditions" rather than "every time an activity matches." Selecting the threshold-based trigger lets you specify both the minimum number of matching activities (five) and the aggregation window (30 minutes). Adjusting severity, category, or scoping settings does not display the threshold controls; they affect alert prioritization or targeting but not how often the alert fires.
Your company has Microsoft 365 E5 licenses and Conditional Access policies that mark devices as compliant. You are creating a sensitivity label named Confidential Project and will publish the label to users. When the label is applied to a new SharePoint Online site, users who connect from unmanaged devices must be blocked from accessing the site. Which label setting should you configure?
Default sharing link type
External sharing for labeled SharePoint sites
Access from unmanaged devices
Privacy (Public or Private)
Answer Description
In the Groups & sites settings of the sensitivity label, the Access from unmanaged devices option evaluates whether the connecting device is hybrid-joined or compliant. Setting this option to Block (or Web-only) prevents access from devices that are not trusted. Privacy controls only whether the site is public or private, external sharing determines if guest users are allowed, and the default sharing link type governs the link created for shared files; none of these examine device state.
Your organization runs two Azure AD Connect servers that perform password hash synchronization from on-premises Active Directory to Microsoft Entra ID. You install the Microsoft Entra Connect Health agents on both servers and wait 24 hours. In the Microsoft Entra admin center you need to verify whether password-hash synchronization latency is within the service-defined threshold for each server. Which blade should you open after selecting Azure AD Connect Health for Sync in the portal?
Alerts
Sync Errors
Password Sync
Directory Sync Status
Answer Description
The Azure AD Connect Health for Sync dashboard contains several blades. The Password Sync blade shows a per-server chart of the time that elapses between a password change in Active Directory and the successful upload of the new hash to Microsoft Entra ID. This metric is called Password Sync Latency and is the only location in Connect Health where the value is surfaced. The Directory Sync Status blade shows overall synchronization cycles, not password-hash latency. The Alerts blade lists threshold breaches but does not display the actual latency metric, and the Sync Errors blade focuses on failed object exports and import errors, not latency.
You manage Contoso's Microsoft 365 tenant. The marketing department will collaborate with 50 employees from partner organization Tailspin Toys. Requirements:
- The partners must sign in by using their existing organizational accounts.
- All partners must immediately become members of a Microsoft 365 group that secures a SharePoint site.
- The entire onboarding process must be completed in one automated operation by using data in a CSV file.
Which approach meets all the requirements?
Upload the CSV by using the Bulk invite wizard in the Entra admin center.
Run a PowerShell script that reads the CSV, calls New-AzureADMSInvitation for each user, and then adds each invited user to the Microsoft 365 group.
Create an Entitlement Management access package and send the package link to the partners.
Import the CSV by using Users → Bulk create in the Microsoft 365 admin center.
Answer Description
A PowerShell script that reads a CSV file, runs New-AzureADMSInvitation to send Azure AD B2B invitations, and then uses Add-AzureADGroupMember (or Microsoft Graph equivalents) to add the resulting guest accounts to the Microsoft 365 group can execute end-to-end in a single script run. The Bulk invite wizard cannot put users in a Microsoft 365 group during the same upload, Bulk create would create internal accounts, and an Entitlement Management access package requires additional interactive configuration rather than a one-step CSV-driven process.
Your organization uses Microsoft Defender for Cloud Apps (MDCA). Security administrators must be notified whenever a SharePoint Online or OneDrive file that carries the Confidential sensitivity label is shared with any external user. The alert must include a direct link to the offending file and automatically revoke the external sharing link. Which MDCA policy configuration should you implement to meet the requirements?
Create an Activity policy that detects the "Sharing invitation created" activity for files labeled Confidential and sends an alert.
Create an Access policy that uses Conditional Access App Control to block downloads when the file sensitivity label equals Confidential.
Enable an Anomaly detection policy that uses the Mass share by user template for files labeled Confidential.
Create a File policy that filters on Classification label = Confidential and Exposure = External, then configure the Remove shared link governance action and send an alert.
Answer Description
A File policy supports granular filters such as Classification label equals Confidential together with Exposure equals External. File policies can also trigger governance actions, including Remove shared link, which revokes the external-sharing link while sending an alert that contains a link to the file. Access policies provide real-time session controls but do not act on already shared content. Activity policies can alert on specific activities but cannot automatically remove sharing links. Anomaly detection policies identify unusual behavior patterns and do not offer targeted governance actions for individual files.
You have enabled Microsoft Entra ID Protection for all users in your organization. The security team has provided these requirements:
- If a user's user risk is High, block access until an administrator resets the password.
- If a user's user risk is Medium, force the user to change the password during sign-in.
You set the User risk policy threshold to High = Block access and Medium = Require password change. However, Medium-risk users are still blocked because they have not registered any authentication methods.
Which additional configuration will meet the requirements with the least administrative effort?
Enable the Microsoft Entra multifactor authentication registration policy for all users.
Create a Conditional Access policy that blocks access when Medium user risk is detected.
Modify the Sign-in risk policy so that Medium sign-in risk requires self-service password reset.
Change the User risk policy so that Medium risk allows access and requires multifactor authentication.
Answer Description
The User risk policy action Require password change depends on the self-service password reset (SSPR) flow. Users must already have registered authentication methods before they can reset their own password. Enabling the Microsoft Entra MFA registration policy prompts unregistered users to register security information (used by both MFA and SSPR) at their next sign-in. Once registration is complete, Medium-risk users can satisfy the policy by performing an SSPR-based password change instead of being blocked. Changing the User risk policy to require MFA, altering the Sign-in risk policy, or adding a Conditional Access policy would not meet the stated requirement of forcing a password change at Medium user risk.
You manage a hybrid Microsoft Entra tenant synchronized with an on-premises Active Directory forest. You deployed Microsoft Entra Password Protection by installing the DC agent on every writable domain controller. Several days later, users can still set weak passwords such as Contoso2023, and Event ID 30009 on the DCs indicates that no password policy is available. Which action will enable the domain controllers to download and enforce the banned-password lists?
Turn on password hash synchronization in Microsoft Entra Connect Sync.
Enable password writeback in the self-service password reset (SSPR) configuration.
Install and register the Microsoft Entra Password Protection proxy service on a domain-joined server.
Create a firewall rule that allows outbound LDAP (TCP 389) from the domain controllers to Microsoft Entra ID.
Answer Description
Microsoft Entra Password Protection for on-premises AD requires both the DC agent and the proxy service. The proxy service, installed on at least one domain-joined server, authenticates to Microsoft Entra ID, retrieves the global and custom banned-password lists, and makes them available to the DC agents. Features such as password hash synchronization or writeback do not deliver the banned-password lists, and LDAP traffic to Microsoft Entra ID is not used for this purpose.
Your company's operations team needs near-real-time notifications in a Microsoft Teams channel whenever Microsoft publishes a new incident or advisory that affects Exchange Online or Microsoft Teams in your tenant. You want to implement the solution from the Microsoft 365 admin center without writing custom code. What should you configure?
Deploy an Azure Logic Apps workflow that uses a Microsoft Graph change-notification subscription for service communications.
Define a network-connectivity health policy scoped to Exchange Online and Microsoft Teams.
Configure Message center preferences to send notifications to the email address of the Teams channel.
Create a service health alert rule and connect it to the Power Automate template that posts notifications to Microsoft Teams.
Answer Description
Service health alert rules let administrators choose the affected services, incident or advisory types, and the delivery method for notifications. When the rule is linked to the built-in Power Automate template, each new service-health post automatically triggers a flow that can deliver the information to a specified Teams channel. Message center preferences are limited to email and RSS and do not post to Teams, Microsoft Graph change-notification subscriptions require custom development, and network-connectivity health policies are unrelated to service-health events.
You manage a Microsoft 365 tenant that has all corporate Windows 10 devices onboarded to Microsoft Defender for Endpoint (MDE). You are asked to provide continuous Cloud Discovery data in Microsoft Defender for Cloud Apps (MDCA) without deploying any new infrastructure or manually uploading logs. What is the first configuration change you must perform to meet the requirement?
Create a Cloud Discovery snapshot report and upload the Microsoft Defender raw events log from each device.
Deploy an MDCA log collector in Azure and configure Windows 10 devices to send their HTTPS proxy logs to it.
In the Azure portal, enable the Microsoft Defender for Cloud Apps app connector for Microsoft 365.
In the MDCA portal, enable the Microsoft Defender for Endpoint toggle under Cloud Discovery automatic log upload.
Answer Description
MDCA can ingest telemetry collected by the MDE sensor and automatically populate continuous Cloud Discovery reports. To activate this flow, you must turn on the Microsoft Defender for Endpoint integration under Settings > Cloud Discovery > Automatic log upload in the MDCA portal. App connectors integrate sanctioned SaaS apps but do not deliver discovery data, a log collector is unnecessary when endpoint telemetry is available, and snapshot reports rely on manual log uploads rather than the desired continuous feed.
Your organization plans to use Microsoft 365 Backup to protect Exchange Online mailboxes, SharePoint Online sites, and OneDrive accounts. You are assigned the Microsoft 365 Backup Administrator role in Microsoft Entra ID and sign in to the Microsoft 365 admin center.
Which action must you perform before you can create your first backup policy in the Microsoft 365 Backup portal?
Create a default storage location in Azure Blob Storage.
Grant yourself the SharePoint Administrator role in addition to Backup Administrator.
Turn on Microsoft 365 Backup for the tenant in the Microsoft 365 admin center.
Assign the Exchange Online Protection license to all users that will be protected.
Answer Description
Before any policies can be created, Microsoft 365 Backup must be explicitly turned on for the tenant in the Microsoft 365 admin center. Simply having the Backup Administrator role, accessing the Microsoft 365 Backup portal, or choosing a storage location is not enough; the service must first be enabled. Once Microsoft 365 Backup is turned on, you can then define backup policies for Exchange Online, SharePoint Online, and OneDrive.
Your organization uses Microsoft 365. The EmployeeType attribute in Microsoft Entra ID is set to FTE for all full-time employees. You need to ensure that every full-time employee automatically receives a Microsoft 365 E5 license and that the license is removed immediately if the user is no longer a full-time employee. Which solution should you implement?
Create a static Microsoft 365 group, assign the E5 license to the group, and run a scheduled PowerShell script to keep membership in sync with the EmployeeType attribute.
Configure an entitlement management access package that grants the Microsoft 365 E5 license when a user requests access.
Use the Microsoft 365 admin center to enable automatic license assignment from the Licenses page and manually add full-time employees each month.
Create a dynamic security group in Microsoft Entra ID with a membership rule where EmployeeType equals FTE, and assign the Microsoft 365 E5 license to the group.
Answer Description
Group-based licensing in Microsoft Entra ID supports automatic license management when the license is assigned to a security or Microsoft 365 group. If that group is dynamic, membership is evaluated continuously, so users that meet the rule (EmployeeType equals FTE) are added and are granted the assigned licenses. When a user no longer meets the rule, the user leaves the group and the service automatically revokes the license. Manual assignment from the Microsoft 365 admin center, entitlement management access packages, or maintaining a static group with scripts all require ongoing administrative effort and do not guarantee immediate, attribute-driven removal of licenses.
You administer Microsoft Defender for Office 365. The built-in Safe Attachments policy is set to its default values (Block mode, lowest priority). You create a second Safe Attachments policy that:
- Uses Dynamic Delivery mode
- Is scoped to a mail-enabled security group named "Finance"
- Has priority 0.
A user who belongs to the Finance group receives an email that contains a malicious attachment. What will the recipient experience when the message reaches their mailbox?
The message does not appear in the mailbox; both the message and its attachment are quarantined because the built-in Block policy is applied.
The message body is delivered immediately; the attachment is replaced by a placeholder and is never released to the user because the file is detected as malicious.
The entire message is delivered immediately, and the attachment is available because Dynamic Delivery bypasses scanning for the Finance group.
The message and attachment are delivered after scanning completes, causing a delay that is visible to the user.
Answer Description
Safe Attachments policies are processed in order of priority (0 is evaluated first). Because the Finance user is in the scope of the custom policy that has priority 0, that policy is applied instead of the built-in policy. In Dynamic Delivery mode the message body is delivered immediately, but each attachment is replaced by a placeholder until the file is scanned. If the attachment is determined to be malicious, the placeholder is removed and the user never gains access to the file; the message body remains in the mailbox. The built-in policy set to Block mode is ignored because it has lower priority.
You manage 25 000 Windows 11 computers that are hybrid Azure AD joined and managed through Microsoft Intune. The devices run Windows 11 22H2 Enterprise (OS build 22621.2134) and are currently not onboarded to Microsoft Defender for Endpoint (MDE).
You must ensure that all existing and future Intune-managed Windows 11 devices are automatically onboarded to MDE without requiring users to run scripts or download onboarding packages. The solution must minimise administrative effort and support centralised off-boarding when devices are retired.
Which Intune configuration profile should you deploy?
Endpoint security - Endpoint detection and response (EDR) profile that sets Microsoft Defender for Endpoint to Enable
Settings catalog profile that deploys the onboarding package through the OMA-URI OnboardingBlob setting
Device configuration - Custom profile that runs WindowsOnboardingScript.cmd as a PowerShell script
Endpoint security - Antivirus profile that sets Real-time protection to On
Answer Description
Because Windows 10 version 2004 and later (including all Windows 11 builds) include the Microsoft Defender for Endpoint sensor natively, you can onboard these devices by simply enabling the Microsoft Defender for Endpoint setting in an Endpoint detection and response policy. Creating and assigning an Endpoint security - Endpoint detection and response profile with Microsoft Defender for Endpoint set to Enable automatically registers each managed Windows 10/11 device with the MDE service without user interaction and also supports centralised off-boarding through Intune.
You enable the Microsoft 365 Backup (preview) service in your tenant and need to delegate responsibilities to the collaboration team. The team must be able to do the following:
- Create and run restore jobs for Exchange Online mailboxes, SharePoint Online sites, and OneDrive accounts.
- View backup and restore job details, including job history and restore points.
The team must not be able to do any of the following:
- Change tenant-level backup settings.
- Create or modify backup policies.
- Delete backup data.
Which least-privileged Microsoft Entra role meets the requirements?
Global Reader
Microsoft 365 Backup Reader
Microsoft 365 Backup Administrator
Microsoft 365 Backup Operator
Answer Description
The Microsoft 365 Backup Operator role is designed for day-to-day restore operations. Members of this role can create and run restore jobs for all supported workloads and view job history and restore-point details, but they cannot change tenant-level backup configuration, create or edit backup policies, or purge backup data.
- The Backup Administrator role exceeds the requirement because it can configure backup policies and tenant settings.
- The Backup Reader role is insufficient; it provides read-only access and cannot run restores.
- The Global Reader role does not provide any Microsoft 365 Backup permissions.
Therefore, assigning the Microsoft 365 Backup Operator role delivers the required capabilities with the least privilege.
Your organization uses Microsoft Defender XDR and Microsoft Entra ID. You need to grant several security analysts the ability to investigate incidents, run advanced hunting queries, and take response actions such as isolating devices, but you must prevent them from changing any security settings in the Defender portal. Which built-in role or role group should you assign to meet the requirements?
Security operator role group in Microsoft Defender XDR
Global administrator role in Microsoft Entra ID
Security reader role group in Microsoft Defender XDR
Security administrator role group in Microsoft Defender XDR
Answer Description
The Security operator role group in Microsoft Defender XDR lets users investigate incidents, use advanced hunting, and perform response actions, including device isolation and initiating scans, while blocking access to security settings that could change the organization's configuration. Global administrator and Security administrator can both modify security settings, while Security reader has read-only permissions and cannot take response actions.
Your organization is rolling out passwordless authentication. You want help-desk staff to issue a credential that allows new hires to complete initial sign-in and register their own FIDO2 security keys. The credential must be usable only once and must expire 10 minutes after it is issued. In the Microsoft Entra admin center, which authentication method policy and settings should you configure to meet the requirements?
Create a Temporary Access Pass authentication method policy, set One-time use to Yes, and Default lifetime to 10 minutes.
Enable OATH hardware tokens, upload the seed file, and configure the token lifetime to 10 minutes.
Configure Self-service password reset, force a password change on next sign-in, and set a Conditional Access sign-in frequency of 10 minutes.
Enable the FIDO2 Security Key authentication method policy, set Enforce attestation to Yes, and restrict key validity to 10 minutes.
Answer Description
A Temporary Access Pass (TAP) is designed to bootstrap user sign-in when no other strong credential is available. In a TAP authentication method policy you can enforce One-time use so the pass stops working after the first successful sign-in, and you can set the Default lifetime to any value between 10 minutes and 24 hours. None of the other authentication methods let you define both a single-use limitation and an explicit 10-minute validity period, so they cannot satisfy the scenario.
Contoso uses Microsoft Defender for Cloud Apps integrated with Microsoft Purview sensitivity labels. You are asked to alert SecOps and automatically quarantine any file labeled "Highly Confidential" when a user creates a sharing link that allows anonymous (Anyone) access in SharePoint Online or OneDrive. Which type of policy should you configure in Defender for Cloud Apps, and which action must the policy include to meet the requirement?
Create a File policy that targets the "Highly Confidential" label and public sharing links, then configure the Put in quarantine governance action.
Enable the built-in Anomaly detection policy for Suspicious sharing to automatically generate alerts.
Create an Activity policy that filters on the Share activity and configure the Send alert action.
Create a Session policy that monitors downloads from SharePoint Online and applies a Block control.
Answer Description
A file policy is designed to inspect files at rest in Microsoft 365, evaluate attributes such as sensitivity label and sharing level, and apply governance actions. By adding a condition that the file's label equals "Highly Confidential" and that sharing level is "Anyone with the link", the policy can trigger an alert and enforce a governance action. The "Put in quarantine" action moves the offending file to a secure admin-controlled location, ensuring immediate protection. Activity policies can only alert on events; they cannot quarantine files. Session policies provide real-time session controls but cannot retroactively quarantine a stored file. Anomaly detection policies are pre-defined heuristics that cannot target specific labels or guarantee quarantine.
You need to onboard 2,000 domain-joined Windows 10 Enterprise devices to Microsoft Defender for Endpoint. The devices are managed exclusively through Group Policy. After downloading the Group Policy onboarding package from the Microsoft 365 Defender portal, you prepare to create a new Group Policy Object that will deploy the onboarding blob to the computers. Before you can configure the required policy settings, which action must you perform on a Windows Server 2019 domain controller?
Import the WindowsDefenderATPOnboardingScript.cmd file into the Computer Startup Scripts section of the new GPO.
Run the Microsoft Defender for Endpoint onboarding MSI on the domain controller by using the /quiet switch.
Copy the WindowsDefenderATP.admx and corresponding .adml files from the onboarding package to the Central Store for Group Policy.
Enable the Turn off Windows Defender Antivirus policy in the new GPO to prevent engine conflicts during onboarding.
Answer Description
The Group Policy Management Editor can only show the Microsoft Defender for Endpoint settings once the matching administrative templates are available to it. The Group Policy onboarding package contains WindowsDefenderATP.admx and the language-specific WindowsDefenderATP.adml. Copying the .admx into the Central Store (\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions) and the .adml into its language subfolder (for example en-US) makes the Windows Defender ATP node and the onboarding setting appear for every GPO in the domain. The onboarding script is normally launched by an immediate scheduled task defined in the GPO, so a computer startup script is unnecessary; Windows 10 has the sensor built in, so no MSI is installed for Group Policy deployment; and turning off Microsoft Defender Antivirus would disable a component that Defender for Endpoint depends on.
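The following is an added example, not part of the original page or of Microsoft's onboarding package, showing how an administrator would stage the templates into the Central Store from a domain controller. The extraction path is an assumption; adjust it to where you unzipped the package.

```powershell
# Added example: copy the Defender for Endpoint ADMX/ADML from the extracted
# Group Policy onboarding package into the domain Central Store.
# Assumptions: the package was extracted to $packageRoot, the ADML lives in an
# en-US subfolder of the package, and the ActiveDirectory RSAT module is present.
$domain       = (Get-ADDomain).DNSRoot
$packageRoot  = 'C:\Temp\WindowsDefenderATPOnboardingPackage'   # assumed extraction path
$centralStore = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$langFolder   = Join-Path $centralStore 'en-US'

# Create the Central Store on first use; it is absent until an admin creates it.
foreach ($dir in @($centralStore, $langFolder)) {
    if (-not (Test-Path $dir)) {
        New-Item -Path $dir -ItemType Directory | Out-Null
    }
}

# The .admx goes in the root of the store, the .adml in the language subfolder.
Copy-Item -Path (Join-Path $packageRoot 'WindowsDefenderATP.admx') -Destination $centralStore -Force
Copy-Item -Path (Join-Path $packageRoot 'en-US\WindowsDefenderATP.adml') -Destination $langFolder -Force

# Verify both files landed where the Group Policy Management Editor will read them.
Get-ChildItem -Path $centralStore -Recurse -Filter 'WindowsDefenderATP.*' |
    Select-Object FullName, Length, LastWriteTime
```

Because SYSVOL replicates to every domain controller, copying once is enough; reopen the Group Policy Management Editor afterwards so it reloads the templates, then look for the Windows Defender ATP node under Computer Configuration, Policies, Administrative Templates, Windows Components.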
When defining a custom sensitive information type (SIT) in the Microsoft Purview compliance portal, you want to trigger detections when the word "prototype" appears within five characters of any value that matches a regular expression for a 10-digit product code. Which element must you configure inside the pattern to achieve this proximity requirement?
Set a proximity value on the supporting keyword element.
Assign a high match accuracy level to the entire pattern.
Include an affinity marker in the product code regular expression.
Apply a classification rule pack to the keyword list.
Answer Description
In a custom SIT pattern, how far supporting evidence may sit from the primary element is controlled by the proximity value that governs the supporting elements (shown as Character proximity in the pattern editor, with a default of 300 characters). The supporting element here, the keyword "prototype", only counts toward a match when it falls within that number of characters of the primary element, the regex-based product code; setting the value to 5 gives the required window. Confidence (match accuracy) levels are assigned to a pattern as a whole and say nothing about distance, an affinity marker is not a concept in the SIT editor, and a rule package is the container for an entire sensitive information type, not a per-element setting.
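To make the proximity rule concrete, here is an added simulation written for this page; it is not Purview's classification engine. It pairs a 10-digit product code (primary element) with the keyword "prototype" (supporting element) and reports a match only when the gap between them is within the proximity window. The distance measure is an assumption: the number of characters between the end of one match and the start of the other, checked on either side.

```powershell
# Added illustration of SIT proximity evaluation (not Purview's engine).
# Assumption: the gap is measured between the end of one span and the start of
# the other, and the keyword may appear before or after the product code.
function Test-SitPattern {
    param(
        [Parameter(Mandatory)][string]$Text,
        [int]$Proximity = 5          # character proximity from the question
    )
    $primary    = [regex]'\b\d{10}\b'            # primary element: 10-digit product code
    $supporting = [regex]'(?i)\bprototype\b'     # supporting element: keyword list entry

    $keywordHits = $supporting.Matches($Text)
    foreach ($code in $primary.Matches($Text)) {
        foreach ($kw in $keywordHits) {
            if ($kw.Index -lt $code.Index) {
                $gap = $code.Index - ($kw.Index + $kw.Length)   # keyword before the code
            } else {
                $gap = $kw.Index - ($code.Index + $code.Length) # keyword after the code
            }
            if ($gap -le $Proximity) {
                [pscustomobject]@{
                    ProductCode = $code.Value
                    Keyword     = $kw.Value
                    Gap         = $gap
                }
            }
        }
    }
}

# Constructed sample inputs for the demonstration.
Test-SitPattern -Text 'prototype 1234567890 ships in Q3'           # gap 1: match
Test-SitPattern -Text '1234567890 (prototype)'                     # gap 2: match
Test-SitPattern -Text 'prototype code is 1234567890'               # gap 9: no match at 5
Test-SitPattern -Text 'prototype code is 1234567890' -Proximity 300   # matches at the default window
```

The third call returns nothing because "code is " pushes the keyword 9 characters away from the product code, which is the practical point of a tight proximity value: it suppresses incidental mentions of the keyword elsewhere in a document, but it also misses legitimate phrasings, so tune the window against real samples before relying on it in a DLP policy.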
You manage Microsoft Entra ID for Contoso. The security team wants to ensure that users who connect from networks that are not part of the company's trusted IP ranges can access Microsoft 365 only if the device is either compliant (Intune-managed) or hybrid Azure AD joined. Access from the trusted IP ranges must remain unrestricted. You create a new Conditional Access policy that targets all users and all cloud apps. Which configuration meets the requirement?
Locations condition: Include Trusted named locations; Grant controls: Require password change on next sign-in.
Locations condition: Include All locations and exclude Trusted named locations; Grant controls: Require device to be marked as compliant or hybrid Azure AD joined.
Locations condition: Include only Trusted named locations; Grant controls: Require device to be marked as compliant or hybrid Azure AD joined.
Locations condition: Include All locations; Device state condition: Include Compliant; Grant controls: Block access.
Answer Description
To enforce device compliance or hybrid Azure AD join only when the connection originates outside the company's trusted ranges, the policy must apply to every location except those ranges. The correct configuration includes All locations and explicitly excludes the Trusted named locations (the IP ranges you have defined as named locations and marked as trusted). Under Grant controls, select Require device to be marked as compliant and Require hybrid Azure AD joined device with Require one of the selected controls, so either device state satisfies the policy. Sign-ins from trusted ranges never match the policy and stay unrestricted. Including only the trusted locations would apply the device requirement to the wrong side of the network boundary, blocking access would cut off compliant devices as well, and a password change is a user-risk remediation rather than a device control, so none of those options satisfies the scenario. As with any policy that targets all users, exclude your emergency-access accounts and validate in report-only mode before enforcing.
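The same policy expressed through the Microsoft Graph PowerShell SDK, as an added example for this page rather than something from the original test or from Microsoft's documentation. The display name and the emergency-access group ID are assumptions; the policy is created in report-only mode so the effect can be checked in sign-in logs before it is enforced.

```powershell
# Added example: create the Conditional Access policy from the question with
# the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module).
# Assumptions: the display name and the break-glass group ID below.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # assumed emergency-access group

$params = @{
    displayName = 'Require compliant or hybrid-joined device outside trusted IPs'
    state       = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after reviewing report-only results
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)       # never lock out emergency-access accounts
        }
        applications = @{
            includeApplications = @('All')
        }
        locations = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')          # every named location marked as trusted
        }
    }
    grantControls = @{
        operator        = 'OR'                          # "Require one of the selected controls"
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Select-Object Id, DisplayName, State

# Confirm the location scoping landed as intended.
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id).Conditions.Locations |
    Select-Object IncludeLocations, ExcludeLocations
```

The AllTrusted value resolves to every named location flagged as trusted, so the corporate IP ranges must already exist as named locations with Mark as trusted location set; otherwise the exclusion matches nothing and the device requirement applies everywhere, including the office.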