Microsoft 365 Administrator Expert Practice Test (MS-102)

Microsoft 365 Administrator Expert MS-102 Information
The Microsoft 365 Administrator Expert certification proves that you can manage Microsoft 365 for a business or school. It shows you understand how to set up accounts, manage identities, handle security, and keep data safe across Microsoft 365 services like Teams, Exchange, and SharePoint. You’ll also learn about managing compliance and using tools to protect sensitive information.
This exam is for IT professionals who already have experience with Microsoft 365 workloads and want to take on larger, organization-wide responsibilities. It covers everything from managing users and groups to configuring policies and monitoring system health. You’ll need to understand both the big picture and the details that keep a Microsoft 365 environment running smoothly every day.
To earn this certification, you’ll take the MS-102 exam, which replaces the older MS-100 and MS-101 tests. The exam focuses on tenant management, identity, security, and compliance. Passing it shows that you can manage Microsoft 365 across multiple services while ensuring a secure and efficient setup for users.
Practice tests and exam preparation
Taking practice tests, practice exams, and using practice questions can make a big difference when preparing for the Microsoft 365 Administrator Expert exam. Practice exams help you learn the format, timing, and difficulty level of real test questions. They also help identify areas where you need more study, such as compliance tools or identity management. At Crucial Exams, you can use Microsoft 365 Administrator Expert practice tests and practice questions to build confidence and improve your score before test day.

Free Microsoft 365 Administrator Expert MS-102 Practice Test
Exam domains covered:
- Deploy and manage a Microsoft 365 tenant
- Implement and manage Microsoft Entra identity and access
- Manage security and threats by using Microsoft Defender XDR
- Manage compliance by using Microsoft Purview
Your company allows self-service creation of Microsoft 365 groups from Teams, Outlook, and other workloads. You must enforce the following requirements: Every group name must start with the owner's department abbreviation followed by a hyphen (for example, HR- or FIN-). Users must not be able to include the words "CEO", "Legal", or "M&A" anywhere in a group name. You need to implement the solution with the least administrative effort. Which feature should you configure?
Create a Microsoft Teams messaging policy that bans the specified words and appends a prefix to group names.
Create an Exchange Online transport rule that rewrites subject lines containing the blocked words.
Configure an Azure AD group naming policy that uses the Department attribute and a blocked-words list.
Enable a Microsoft 365 groups expiration policy and set a custom naming convention.
Answer Description
A Microsoft Entra ID (Azure AD) group naming policy lets you automatically add a prefix or suffix to every Microsoft 365 group name by using user attributes such as Department, and it lets you define a custom blocked-words list. The policy is enforced across all workloads that use Microsoft 365 groups, so no additional configuration is required in Teams, Exchange, or SharePoint. Expiration policies, Teams messaging policies, and Exchange transport rules do not prepend attribute-based text to group names, nor can they consistently block specific words during group creation.
You are investigating an incident in the Microsoft Defender portal. From the Incidents & alerts page, you open the incident and launch Guided hunting. The first recommended KQL query returns several devices that attempted to run the same suspicious executable within the last 24 hours. You must immediately contain every affected endpoint without leaving the Guided hunting experience. Which action should you take in the query results pane to achieve this goal?
Select the devices and start a Live Response session from the Device details fly-out.
Select all listed devices and choose Isolate device from the Take action menu.
Export the query to CSV, then bulk-import the device IDs into an Intune dynamic group that enforces network isolation.
Add a unique device tag to each device so automated investigation can quarantine them on the next evaluation cycle.
Answer Description
Guided hunting opens the Advanced hunting interface pre-populated with investigation queries scoped to entities in the incident. Results returned by any of these queries support the same entity-level response actions that are available in standard Advanced hunting. For device entities, selecting the relevant rows and choosing Isolate device from the Take action menu immediately contains the endpoints by blocking all inbound and outbound network traffic except those connections required for Defender communication. The other options either do not exist in the Guided hunting results pane (running Live Response session directly, moving devices to an Intune group) or cannot initiate containment (adding a device tag is only a labeling operation).
You manage a Microsoft Entra tenant for Contoso Ltd. The SalesGroup users must use either FIDO2 security keys or Windows Hello for Business when signing in to Microsoft 365 from unmanaged devices. Other MFA methods, such as SMS, must not satisfy this requirement. You decide to enforce the requirement by using a single Conditional Access policy. Within the policy's Grant controls, which action should you configure?
Select Require multi-factor authentication.
Select Require authentication strength and choose Phishing-resistant MFA.
Select Block access.
Select Require device to be marked compliant and hybrid Azure AD joined.
Answer Description
The Conditional Access grant control "Require authentication strength" lets administrators specify an authentication strength such as "Phishing-resistant MFA." That strength accepts only phishing-resistant methods (currently FIDO2 security keys, certificate-based authentication, and Windows Hello for Business), so SMS, voice, or app-based OTPs will not satisfy the policy. Selecting the generic "Require multi-factor authentication" would permit any MFA method, and device-based controls or a full block would not meet the scenario requirements.
Your organization uses Microsoft 365 E5. Legal requirements dictate that any Teams chat or channel message containing a U.S. Social Security Number (SSN) must be blocked if the message is addressed to external recipients, while internal communication must be allowed. To reduce false positives, detection should be limited to matches at the High confidence level. Which DLP rule configuration meets the requirements?
Condition: Content contains U.S. Social Security Number (High confidence, minimum 1 occurrence) AND any recipient is outside the organization; Action: Notify the sender only (no block).
Condition: Content contains U.S. Social Security Number (High confidence, minimum 1 occurrence) AND Sender is outside the organization AND any recipient is inside the organization; Action: Block the message.
Condition: Content contains U.S. Social Security Number (High confidence, minimum 1 occurrence) AND Sender is inside the organization AND any recipient is outside the organization; Action: Block the message.
Condition: Content contains U.S. Social Security Number (Low confidence, minimum 1 occurrence) AND Sender is inside the organization AND any recipient is outside the organization; Action: Block the message.
Answer Description
The requirement has two distinct elements:
- Detect only highly accurate SSN matches, so the sensitive information type must be configured with the High confidence level.
- Block delivery only when the recipient is outside the organization. The pre-built rule condition "Recipient is located outside your organization" combined with "Sender is located inside your organization" confines the block to external traffic and leaves internal messages untouched.
Therefore the rule that detects U.S. SSNs at High confidence, scopes the sender to inside the tenant and at least one recipient to outside, and sets the action to Block (with Policy Tip or notification as desired) is the only configuration that fully satisfies both accuracy and scoping requirements. The other options either use Low confidence (increasing false positives), scope the sender/recipient in the wrong direction, or fail to block the message, so they do not meet the stated objectives.
Your organization uses group-based licensing in Microsoft Entra ID. One group assigns Microsoft 365 E3 with every service plan enabled. A second group assigns the same product but with the Exchange Online service plan disabled. A user is a member of both groups. After the group assignments are evaluated, what is the resulting license configuration for the user?
The user is placed in a conflict state and no license is applied until an administrator resolves the mismatch.
Two Microsoft 365 E3 licenses are consumed, one from each group, and Exchange Online remains disabled.
The user receives a single Microsoft 365 E3 license with Exchange Online disabled because the most restrictive assignment is applied.
The user receives a single Microsoft 365 E3 license with Exchange Online enabled because the service plans from the two assignments are combined.
Answer Description
When the same product license is assigned to a user through multiple groups, Microsoft Entra ID resolves any differences by taking the union of the individual assignments. A service plan is enabled if it is enabled in at least one of the assignments. Therefore, the user consumes only one Microsoft 365 E3 license and ends up with Exchange Online (and all other service plans) enabled. No additional licenses are consumed, and the assignment does not enter a conflict state because the union rule eliminates the discrepancy.
Your Microsoft 365 tenant already hosts contoso.com. The company acquires Litware, which uses the public domain litware.com and still delivers all email to an on-premises Exchange organization. You must add litware.com to Microsoft 365 so Litware users can sign in with their existing email addresses, without disrupting current mail flow. Which action should you perform first in the Microsoft 365 admin center?
Start the Add Domain wizard for litware.com and select the option to manually add a TXT record for verification only.
Start the Add Domain wizard for litware.com and allow Microsoft 365 to automatically update all required DNS records at the registrar.
Create a mail flow connector in Exchange Online that routes outbound messages for litware.com through the on-premises SMTP gateway.
Create an accepted domain of type Internal Relay for litware.com in Exchange Online.
Answer Description
The initial step in adding a new custom domain is to prove ownership. In the Add Domain wizard you choose the option to add your own DNS records, then create the TXT record that Microsoft 365 supplies. TXT-based verification does not alter any MX or other service-specific records, so existing mail flow remains unaffected. Allowing Microsoft 365 to update DNS could immediately change the MX record, disrupting mail. An accepted domain in Exchange Online cannot be created until the domain is verified, and configuring a mail flow connector is unnecessary for domain verification.
Your organization uses Microsoft 365 E5. You must give an external vendor team permission to review, but not modify, all security incidents in Microsoft Defender XDR and to run searches in the unified audit log in Microsoft Purview. The vendor must have no other security or compliance privileges. Which set of role group assignments meets the requirements?
Security Operator in Microsoft Defender XDR and Compliance Data Administrator in Microsoft Purview
Security Reader in Microsoft Defender XDR and View-Only Audit Logs in Microsoft Purview
Incident Responder in Microsoft Defender XDR and eDiscovery Manager in Microsoft Purview
Security Administrator in Microsoft Defender XDR and Audit Reader in Microsoft Purview
Answer Description
The Security Reader role group in Microsoft Defender XDR provides read-only access to incidents, alerts, and reports without allowing the user to change status or take response actions. In the Microsoft Purview compliance portal, the View-Only Audit Logs role group allows users to run and view audit log searches but prevents them from configuring auditing or performing eDiscovery tasks. Assigning these two role groups meets the read-only requirement across both workloads, whereas the other listed role groups grant additional capabilities (such as changing incident status, configuring policies, or performing eDiscovery) that exceed the requirement.
Your organization operates a Microsoft 365 tenant. Management wants new Microsoft 365 feature updates to be exposed first only to an internal pilot group before the remainder of the users receive them. You need to configure this behavior by using settings in the Microsoft 365 admin center, without requiring additional tools or licenses. Which configuration meets the requirement?
Create a Windows Update ring in Intune set to the Preview channel and assign it to the pilot group.
Enable Security & privacy → Customer Lockbox and assign the pilot group as approvers.
Turn on Preview features in Message center and subscribe the pilot group to notifications.
Set Organization profile → Release preferences to "Targeted release for selected users" and add the pilot group.
Answer Description
The rollout cadence for Microsoft 365 service updates is controlled from the Organization profile section of the Microsoft 365 admin center. By setting Release preferences to "Targeted release for selected users," you can specify a group of pilot users who will receive new features earlier than everyone else. Customer Lockbox only governs data-access requests, Intune update rings apply to Windows and not Microsoft 365 services, and enabling Preview features in Message center gives administrators early visibility to change information but does not alter when end users receive the features.
You are a Microsoft 365 administrator for an organization that uses Microsoft Defender XDR. While reviewing the Endpoints report in the Microsoft 365 Defender portal, you notice that the Devices missing critical security updates tile shows several unmanaged Windows 10 clients. You need to start a remediation action directly from the report so that the required updates are deployed without opening separate change-management tickets. What should you do from the report page?
Export the list of affected devices to a CSV file and import it into a Windows Update for Business deployment ring.
Isolate each affected device from the network directly from the report to force patch installation.
Send the result set to Advanced Hunting and run the ExecuteRemediation cmdlet against the returned devices.
Open the tile, then in the filtered Device inventory select Take action and create a remediation activity for the missing updates.
Answer Description
When you select the Devices missing critical security updates tile, the portal opens the Device inventory filtered to the affected endpoints. From the Device inventory you can choose Take action > Create remediation activity, which opens Threat & Vulnerability Management and lets you request remediation for the missing updates. If the tenant is integrated with Intune or Configuration Manager, the remediation task can automatically deploy the needed patches. Exporting to CSV or Advanced Hunting only gathers information and does not trigger remediation. Isolating devices is a containment step that prevents, rather than installs, updates.
Your company uses Microsoft 365. Security policy states that only a small set of project managers may invite external users (guests) to the tenant; all other employees must be blocked from sending invitations. Global administrators should retain the ability to invite guests. You plan to implement the change in the Microsoft Entra admin center. What should you do first to meet the requirement?
Disable guest invitations in Organizational relationships and rely on Entitlement Management access packages for the project managers.
Convert the project managers' accounts to privileged role administrators and leave the default guest invite setting unchanged.
Create a Conditional Access policy that blocks the "External user invitation" operation for all users except the project managers.
Set External collaboration "Guest invite settings" to "Admins and users in the Guest Inviter role" and assign the project managers to the Guest Inviter role.
Answer Description
In Microsoft Entra ID, external collaboration settings let you control who can send B2B collaboration invitations. Changing the guest invite setting to "Admins and users in the Guest Inviter role" prevents ordinary employees from inviting guests but still allows global administrators. After selecting that option, you add the selected project managers to the built-in Guest Inviter role so they can continue to send invitations. The other options either do not restrict invitation capability to the required subset or rely on features (conditional access, entitlement management) that do not directly control who can issue invitations.
You are designing a script to license 800 existing cloud-only users in Microsoft Entra ID. The UPNs are stored in C:\temp\upns.csv, which contains a column named userPrincipalName. You already connected to Microsoft Graph PowerShell and stored the Microsoft 365 E5 SKU ID in the variable $skuId. You must assign this license to every user using a single pipeline that relies only on currently supported modules. Which PowerShell command should you use?
Get-Content C:\temp\upns.csv | Set-MsolUserLicense -AddLicenses $skuId
Import-Csv C:\temp\upns.csv | ForEach-Object { Update-MgUser -UserId $_.userPrincipalName -AssignedLicenses @($skuId) }
Import-Csv C:\temp\upns.csv | ForEach-Object { Grant-AzureADMSLicense -UserId $_.userPrincipalName -SkuId $skuId }
Import-Csv C:\temp\upns.csv | ForEach-Object { Set-MgUserLicense -UserId $_.userPrincipalName -AddLicenses @{SkuId = $skuId} -RemoveLicenses @() }
Answer Description
The Microsoft Graph PowerShell SDK is the supported module for user licensing. Import-Csv delivers each UPN to the pipeline, and ForEach-Object invokes Set-MgUserLicense, adding the required SkuId while passing an empty array to -RemoveLicenses. The other options either call deprecated AzureAD/MSOnline cmdlets or misuse Update-MgUser, which cannot assign licenses directly.
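The following script is an added example (not part of the practice test) that expands the one-line pipeline above into a bulk-assignment run a practitioner could actually use: it checks remaining seats for the SKU, skips users who already hold it or lack the usage location that licensing requires, and writes a per-user result. It assumes Connect-MgGraph has already been run with the User.ReadWrite.All and Organization.Read.All scopes, that $skuId holds the SKU GUID as in the question, and that the failure report path is a placeholder you can change.

```powershell
# Added example: bulk-assign one SKU to the users listed in a CSV via Microsoft Graph PowerShell.
# Assumes Connect-MgGraph (User.ReadWrite.All, Organization.Read.All) has been run and $skuId is set.
$csvPath     = 'C:\temp\upns.csv'              # column header: userPrincipalName (as in the question)
$reportPath  = 'C:\temp\license-failures.csv'  # placeholder output path for the failure report

# Resolve the SKU once so the run can report available seats before it starts writing.
$sku = Get-MgSubscribedSku | Where-Object SkuId -eq $skuId
if (-not $sku) { throw "SKU $skuId was not found in this tenant." }
$available = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
Write-Host "SKU $($sku.SkuPartNumber): $available seats available"

$results = Import-Csv -Path $csvPath | ForEach-Object {
    $upn = $_.userPrincipalName.Trim()
    try {
        # Skip users who already hold the SKU; a second assignment is a wasted write.
        $current = Get-MgUserLicenseDetail -UserId $upn -ErrorAction Stop
        if ($current.SkuId -contains $skuId) {
            [pscustomobject]@{ UserPrincipalName = $upn; Status = 'AlreadyLicensed' }
            return   # inside ForEach-Object, return moves on to the next pipeline object
        }

        # Graph refuses to license a user whose UsageLocation is empty, so check it first
        # and report it rather than letting the assignment fail with a generic error.
        $user = Get-MgUser -UserId $upn -Property UsageLocation -ErrorAction Stop
        if (-not $user.UsageLocation) {
            [pscustomobject]@{ UserPrincipalName = $upn; Status = 'MissingUsageLocation' }
            return
        }

        # Same call as the correct answer: add the SKU, remove nothing.
        Set-MgUserLicense -UserId $upn `
            -AddLicenses @{ SkuId = $skuId } `
            -RemoveLicenses @() `
            -ErrorAction Stop | Out-Null
        [pscustomobject]@{ UserPrincipalName = $upn; Status = 'Assigned' }
    }
    catch {
        # Keep going on a per-user failure (typo in the CSV, seat exhaustion, etc.) and record why.
        [pscustomobject]@{ UserPrincipalName = $upn; Status = "Failed: $($_.Exception.Message)" }
    }
}

# Summary by outcome, plus a CSV of everything that needs follow-up.
$results | Group-Object Status | Select-Object Name, Count
$results |
    Where-Object Status -notin 'Assigned', 'AlreadyLicensed' |
    Export-Csv -Path $reportPath -NoTypeInformation
```

Run it once against a handful of test accounts before pointing it at all 800 users; the summary table shows whether the seat count and usage-location checks are behaving before any large batch is written.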
You administer a hybrid identity environment that uses Microsoft Entra Connect Sync to synchronize an on-premises Active Directory forest to a Microsoft Entra tenant. New users created yesterday in Active Directory are not present in Entra ID. In Synchronization Service Manager on the Azure AD connector, the export step shows several objects with status Error and the message "ConstraintViolationError: attributeValueMustBeUnique (mail)". You need to restore successful synchronization with the least administrative effort. Which action should you perform first?
Start a full synchronization cycle by running Start-ADSyncSyncCycle -PolicyType Initial on the Azure AD Connect server.
Create a custom Azure AD Connect outbound synchronization rule to stop exporting the mail attribute.
Enable staging mode on the current Azure AD Connect server and build a new production server for a fresh full sync.
Run the IdFix tool against Active Directory and correct any duplicate mail or proxyAddresses values.
Answer Description
The attributeValueMustBeUnique error indicates that one or more objects about to be exported contain a mail-related value (mail or proxyAddresses) that is already in use by a different object in the Microsoft Entra directory. Azure AD Connect blocks the export until the duplicate values are removed. IdFix is the Microsoft-provided utility designed to scan on-premises Active Directory, identify such duplicate or invalid attribute values, and assist with their remediation. After running IdFix and correcting the duplicates, the next synchronization cycle will export the affected objects successfully.
Excluding the mail attribute or creating custom sync rules does not address the underlying duplicate data and can create additional issues. Switching to staging mode and rebuilding the server is unnecessary overhead when the problem is data quality. Forcing a full synchronization without fixing the duplicates will simply reproduce the same export errors.
Contoso wants to automate remediation of risky sign-ins by using Microsoft Entra ID Protection. The security team has agreed on these rules:
- Block access when sign-in risk is High.
- Require multifactor authentication (MFA) when sign-in risk is Medium.
- Allow access without additional requirements when sign-in risk is Low.
You need to configure the environment to meet the requirements while keeping the design as simple as possible. What should you do?
Turn on Microsoft Entra security defaults to enforce MFA and block High-risk sign-ins automatically.
Enable the user risk policy and set the remediation action to require a password change for Medium and above risk.
Enable the built-in sign-in risk policy and configure it to block High risk and require MFA for Medium risk within the same policy.
Create two Conditional Access policies that use the sign-in risk condition: one blocking High risk sign-ins and another requiring MFA for Medium risk sign-ins.
Answer Description
Microsoft Entra ID Protection includes a built-in sign-in risk policy, but that policy applies only one access control (allow, require MFA, or block) to all risk levels at or above a single threshold. It therefore cannot assign different actions to High and Medium risk separately. Conditional Access, however, lets you create multiple policies, each filtered for a specific sign-in risk level, and apply a different grant control per policy. Creating one Conditional Access policy that targets High sign-in risk and blocks access, and a second policy that targets Medium sign-in risk and requires MFA, satisfies the stated requirements. Enabling the user-risk policy, security defaults, or adding a single sign-in risk policy would not provide the necessary per-level controls.
While investigating a phishing campaign, you locate a newly delivered message in Microsoft 365 Defender's Threat Explorer. The tenant is licensed for Microsoft Defender for Office 365 Plan 2 and Automated Investigation and Response (AIR) is enabled. You must remove the message from every affected mailbox and have Microsoft 365 automatically analyze related senders, URLs, and attachments so that similar threats are blocked in the future with the least manual effort. Which action should you take first in Threat Explorer?
Add the sender's domain to the Exchange Online Protection blocked senders list.
Submit the message to Microsoft for analysis in the Submissions portal.
Create a transport (mail flow) rule that deletes messages containing the malicious URL.
Select the message and choose "Trigger automated investigation".
Answer Description
Selecting "Trigger automated investigation" in Threat Explorer immediately launches an AIR playbook against the chosen message. The playbook analyzes the email, any correlated artifacts (such as URLs, sender infrastructure, and attachments), and automatically takes remediation steps (including purging or quarantining related messages), subject to admin approval settings. Other options either require additional configuration (creating a transport rule), only block future messages without touching already-delivered mail (adding a domain to blocked senders), or simply submit the sample to Microsoft without initiating tenant-level remediation (submitting for analysis). Therefore, starting an automated investigation best meets both removal and prevention requirements with minimal effort.
Your organization is rolling out passwordless authentication. You want help-desk staff to issue a credential that allows new hires to complete initial sign-in and register their own FIDO2 security keys. The credential must be usable only once and must expire 10 minutes after it is issued. In the Microsoft Entra admin center, which authentication method policy and settings should you configure to meet the requirements?
Enable the FIDO2 Security Key authentication method policy, set Enforce attestation to Yes, and restrict key validity to 10 minutes.
Enable OATH hardware tokens, upload the seed file, and configure the token lifetime to 10 minutes.
Configure Self-service password reset, force a password change on next sign-in, and set a Conditional Access sign-in frequency of 10 minutes.
Create a Temporary Access Pass authentication method policy, set One-time use to Yes, and Default lifetime to 10 minutes.
Answer Description
A Temporary Access Pass (TAP) is designed to bootstrap user sign-in when no other strong credential is available. In a TAP authentication method policy you can enforce One-time use so the pass stops working after the first successful sign-in, and you can set the Default lifetime to any value between 10 minutes and 24 hours. None of the other authentication methods let you define both a single-use limitation and an explicit 10-minute validity period, so they cannot satisfy the scenario.
Your company manages 5,000 hybrid Azure AD-joined Windows 10 devices by using Microsoft Intune, and every device is onboarded to Microsoft Defender for Endpoint. A recent incident revealed that several users, who had obtained local administrator rights, disabled Microsoft Defender Antivirus real-time protection through registry edits. You must block any local or remote attempts to modify Microsoft Defender Antivirus settings while ensuring that Intune can continue to configure those settings in the future. What should you do?
Create a Settings catalog device restriction that disables Windows Security Center notifications.
Enable Controlled Folder Access in an Endpoint security Attack surface reduction policy.
Deploy an Endpoint security Firewall policy that enables stateful inspection for all profiles.
Deploy an Endpoint security Antivirus policy in Intune that sets Tamper Protection to Enable.
Answer Description
Tamper Protection prevents local administrators, scripts, registry edits, and even Group Policy from changing Microsoft Defender Antivirus settings. However, configuration changes delivered through Microsoft Intune or other supported enterprise management channels remain allowed. Turning on Tamper Protection through an Endpoint security Antivirus policy therefore stops users from disabling real-time protection yet still lets Intune manage Defender Antivirus moving forward. The other choices enable different security features (controlled folder access, device restrictions, or firewall rules) that do not prevent the described tampering scenario.
Your company has a Microsoft 365 E5 subscription. All corporate Windows 11 devices are onboarded to Microsoft Defender for Endpoint (MDE). After running Cloud Discovery in Microsoft Defender for Cloud Apps, you identify several high-risk services that must be blocked when accessed from managed devices, but employees must remain free to use the same services from personal or unmanaged devices. You need to implement the solution without deploying additional proxies, network appliances, or browser extensions. Which action should you take in Microsoft Defender for Cloud Apps?
Create a Conditional Access policy that applies Conditional Access App Control in Block mode to the identified services.
Deploy the Defender for Cloud Apps log collector appliance to ingest firewall logs and configure an anomaly detection policy for the services.
Create a Defender for Cloud Apps session policy that blocks upload and download traffic for the services and set the apps to Monitored.
Enable the Microsoft Defender for Endpoint integration, turn on automatic blocking of unsanctioned apps, and mark the identified services as Unsanctioned.
Answer Description
Integrating Microsoft Defender for Endpoint with Microsoft Defender for Cloud Apps creates a native, client-based enforcement channel. When the integration is enabled and the option to automatically block unsanctioned apps (also known as Enforce network restrictions) is turned on, any app that you tag as Unsanctioned in Defender for Cloud Apps is blocked directly on devices that are managed by Defender for Endpoint. The block relies on the MDE network protection capability and therefore requires no extra infrastructure or browser plug-ins. Conditional Access App Control or session policies can control sanctioned apps in real time but do not selectively block only managed devices without using reverse proxy redirection. Deploying a log collector only imports discovery data and does not provide enforcement.
You manage a hybrid Microsoft Entra tenant synchronized with an on-premises Active Directory forest. You deployed Microsoft Entra Password Protection by installing the DC agent on every writable domain controller. Several days later, users can still set weak passwords such as Contoso2023, and Event ID 30009 on the DCs indicates that no password policy is available. Which action will enable the domain controllers to download and enforce the banned-password lists?
Install and register the Microsoft Entra Password Protection proxy service on a domain-joined server.
Enable password writeback in the self-service password reset (SSPR) configuration.
Create a firewall rule that allows outbound LDAP (TCP 389) from the domain controllers to Microsoft Entra ID.
Turn on password hash synchronization in Microsoft Entra Connect Sync.
Answer Description
Microsoft Entra Password Protection for on-premises AD requires both the DC agent and the proxy service. The proxy service, installed on at least one domain-joined server, authenticates to Microsoft Entra ID, retrieves the global and custom banned-password lists, and makes them available to the DC agents. Features such as password hash synchronization or writeback do not deliver the banned-password lists, and LDAP traffic to Microsoft Entra ID is not used for this purpose.
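A quick way to confirm the diagnosis in this scenario is to look for Event ID 30009 on a domain controller and check whether any proxy service is registered. This is an added example, not part of the practice test; it assumes the DC agent is installed (it writes the Microsoft-AzureADPasswordProtection-DCAgent/Admin log) and that the AzureADPasswordProtection PowerShell module shipped with the proxy installer is available on the machine.

```powershell
# Added example: diagnose why domain controllers are not enforcing the banned-password list.
# Run on a domain controller as an administrator.
# Assumes the DC agent is installed and the AzureADPasswordProtection module is present.

# 1. Look for Event ID 30009 ("no password policy available") logged in the last day.
$noPolicy = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'
    Id        = 30009
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

if ($noPolicy) {
    Write-Warning "DC agent logged $($noPolicy.Count) event(s) with ID 30009: no banned-password policy has been downloaded."
}

# 2. The DC agents only receive the lists through a registered proxy service.
#    If nothing is returned here, the proxy is the missing piece.
$proxies = Get-AzureADPasswordProtectionProxy
if (-not $proxies) {
    Write-Warning 'No Microsoft Entra Password Protection proxy is registered. Install the proxy on a domain-joined server and run Register-AzureADPasswordProtectionProxy.'
} else {
    $proxies | Format-Table ServerFQDN, SoftwareVersion, HeartbeatUTC -AutoSize
}

# 3. Show each DC agent and the date of the last policy it obtained (empty until a proxy delivers one).
Get-AzureADPasswordProtectionDCAgent |
    Format-Table ServerFQDN, Domain, SoftwareVersion, HeartbeatUTC, PasswordPolicyDateUTC -AutoSize
```

Once a proxy is registered, PasswordPolicyDateUTC in the last table should populate within the agents' next policy refresh, and new 30009 events should stop appearing.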
Contoso implements Microsoft Entra Connect with Pass-through Authentication (PTA) and Seamless Single Sign-On (SSO). The CIO wants to ensure that users can still sign in to Microsoft 365 services if every PTA agent or the entire corporate network becomes unreachable for several hours. The existing sign-in behavior must remain unchanged while the PTA infrastructure is healthy, and administrators are willing to take manual action if an outage occurs.
Which action should you take to provide a backup authentication method that can be switched to during an extended PTA outage without affecting day-to-day sign-ins?
Enable Password Hash Synchronization and retain Pass-through Authentication as the primary sign-in method.
Enable a Seamless SSO policy that forces Azure AD to fall back to cloud-only authentication when PTA becomes unavailable.
Deploy two additional PTA agents on separate servers and place them in the same Active Directory site.
Configure federation with AD FS and set Azure AD to use federation as a secondary authentication method.
Answer Description
Enabling Password Hash Synchronization (PHS) while retaining Pass-through Authentication keeps PTA as the active sign-in method as long as the agents are healthy, so users experience no change in normal operation. Because user password hashes are continuously synchronized to Microsoft Entra ID, an administrator can quickly switch the tenant's sign-in method to PHS using Microsoft Entra Connect or PowerShell if every PTA agent or the corporate network becomes unreachable. Deploying extra PTA agents does not help when the network itself is down. AD FS introduces additional infrastructure and does not provide an easier fallback path. Seamless SSO does not include an independent setting for cloud-only fallback.
Your company's Microsoft 365 tenant is on the Standard release track. You want a pilot team of 50 users to receive new Microsoft 365 features before the rest of the organization so they can validate compatibility and update training material. You must meet the following requirements:
- New features must arrive early only for the pilot users.
- Other users must continue to receive features on the default schedule.
Which action should you take in the Microsoft 365 admin center to meet these requirements?
Change the release track to "Targeted release for everyone".
Assign Microsoft 365 E5 licenses to the 50 pilot users to place them on the early release ring.
Enable preview messages in the Message center and subscribe the pilot users to Message center emails.
Select "Targeted release for selected users" and add the 50 pilot users.
Answer Description
In the Microsoft 365 admin center, release cadence is controlled in Settings > Org settings > Organization profile > Release preferences. Choosing "Targeted release for selected users" enables early access to features only for the users you specify, while the remainder of the tenant stays on the Standard release track. Switching the entire organization to Targeted release would affect everyone. Enabling targeted experiences in the Message center or assigning additional licenses does not control feature rollout timing.