Microsoft 365 Administrator Expert Practice Test (MS-102)

Microsoft 365 Administrator Expert MS-102 Information
The Microsoft 365 Administrator Expert certification proves that you can manage Microsoft 365 for a business or school. It shows you understand how to set up accounts, manage identities, handle security, and keep data safe across Microsoft 365 services like Teams, Exchange, and SharePoint. You’ll also learn about managing compliance and using tools to protect sensitive information.
This exam is for IT professionals who already have experience with Microsoft 365 workloads and want to take on larger, organization-wide responsibilities. It covers everything from managing users and groups to configuring policies and monitoring system health. You’ll need to understand both the big picture and the details that keep a Microsoft 365 environment running smoothly every day.
To earn this certification, you’ll take the MS-102 exam, which replaces the older MS-100 and MS-101 tests. The exam focuses on tenant management, identity, security, and compliance. Passing it shows that you can manage Microsoft 365 across multiple services while ensuring a secure and efficient setup for users.
Practice tests and exam preparation
Taking practice tests, practice exams, and using practice questions can make a big difference when preparing for the Microsoft 365 Administrator Expert exam. Practice exams help you learn the format, timing, and difficulty level of real test questions. They also help identify areas where you need more study, such as compliance tools or identity management. At Crucial Exams, you can use Microsoft 365 Administrator Expert practice tests and practice questions to build confidence and improve your score before test day.

Free Microsoft 365 Administrator Expert MS-102 Practice Test
- 20 Questions
- Unlimited
- Deploy and manage a Microsoft 365 tenant; Implement and manage Microsoft Entra identity and access; Manage security and threats by using Microsoft Defender XDR; Manage compliance by using Microsoft Purview
Contoso uses Microsoft Defender for Cloud Apps integrated with Microsoft Purview sensitivity labels. You are asked to alert SecOps and automatically quarantine any file labeled "Highly Confidential" when a user creates a sharing link that allows anonymous (Anyone) access in SharePoint Online or OneDrive. Which type of policy should you configure in Defender for Cloud Apps, and which action must the policy include to meet the requirement?
Create an Activity policy that filters on the Share activity and configure the Send alert action.
Enable the built-in Anomaly detection policy for Suspicious sharing to automatically generate alerts.
Create a Session policy that monitors downloads from SharePoint Online and applies a Block control.
Create a File policy that targets the "Highly Confidential" label and public sharing links, then configure the Put in quarantine governance action.
Answer Description
A file policy is designed to inspect files at rest in Microsoft 365, evaluate attributes such as sensitivity label and sharing level, and apply governance actions. By adding a condition that the file's label equals "Highly Confidential" and that sharing level is "Anyone with the link", the policy can trigger an alert and enforce a governance action. The "Put in quarantine" action moves the offending file to a secure admin-controlled location, ensuring immediate protection. Activity policies can only alert on events; they cannot quarantine files. Session policies provide real-time session controls but cannot retroactively quarantine a stored file. Anomaly detection policies are pre-defined heuristics that cannot target specific labels or guarantee quarantine.
Your company uses Microsoft 365 E5. A standard Teams channel that includes guest users must prevent any file containing a U.S. Social Security number (SSN) from being posted or downloaded in that channel. Text-only messages in the channel can remain unregulated. You will create a Microsoft Purview DLP policy to meet the requirement. Which workload locations should you include in the policy?
Microsoft Teams and SharePoint sites
Microsoft Teams and OneDrive accounts
SharePoint sites and OneDrive accounts only
SharePoint sites only
Answer Description
Files uploaded to a Teams channel are stored in the underlying SharePoint site, but the act of sharing the file occurs in Microsoft Teams. To block the file before guests can access it and to restrict the stored copy, the DLP policy must target both Microsoft Teams (to evaluate the share action and block it in real time) and SharePoint Online (to continue to restrict access to the underlying file). OneDrive for Business is not required because channel files are not stored there.
You are investigating a series of suspicious PowerShell executions reported in the Microsoft Defender portal. You craft an advanced hunting query that reliably returns the suspicious events. To ensure that similar activity automatically generates alerts and appears in future incidents, without relying on Microsoft Sentinel or any other external product, what should you do in the Microsoft 365 Defender portal?
Export the hunting query to Microsoft Sentinel and create an analytics rule from it.
Convert the hunting query into a custom detection rule that runs hourly and raises an alert when a match is found.
Save the hunting query as a bookmark and enable incident grouping for the bookmark.
Add the PowerShell command to a Safe Links policy as a blocked URL indicator.
Answer Description
The most direct way to create continuous, in-portal alerting from an advanced hunting query is to save it as a custom detection rule. Custom detections let you set a schedule (for example, hourly) and define the alert title, severity, and impacted entities. Each time the scheduled query returns results, Microsoft 365 Defender raises an alert that is automatically correlated into the relevant incident timeline. Bookmarks only save individual query results for later review and do not generate alerts. Exporting the query to Microsoft Sentinel would require additional configuration in a different product and is outside the scope of creating an alert entirely inside Microsoft 365 Defender. Safe Links policies protect against malicious URLs and have no effect on PowerShell telemetry.
Your company stores contracts in a SharePoint Online document library. Compliance rules require any file that contains the word "Confidential" to be kept for seven years and then permanently deleted. The retention period must restart whenever the file is edited. End users should not have to label the documents themselves. What should you configure to meet these requirements?
Create an auto-apply retention label that searches for the keyword "Confidential," sets retention to seven years based on last modified date, and deletes items afterward.
Create a retention label that users manually apply; set it to delete items seven years after they are labeled.
Create a sensitivity label with automatic labeling for keyword matches and configure it to delete items after seven years.
Create a retention policy scoped to the contract library that retains content for seven years and then deletes it.
Answer Description
Only an auto-apply retention label can detect specific keywords and automatically assign a label without user action. A retention label lets you set a disposition action of permanent deletion after a specified period and can start the retention period from the item's last modified date, ensuring it resets on every edit. A standard retention policy cannot filter by keyword, a manually applied label would rely on users, and a sensitivity label controls protection settings rather than lifecycle management. Therefore, creating and publishing an auto-apply retention label that searches for the word "Confidential" and deletes content seven years after last modification is the correct solution.
Your Microsoft 365 tenant currently only uses its onmicrosoft.com domain. You purchased proseware.com and need to add it for future Exchange Online, Teams, and SharePoint Online use. The proseware.com DNS zone is hosted by a third-party registrar and already routes all production email to an on-premises mail system. You must verify the domain in Microsoft 365 without disrupting current mail flow or altering other public DNS records.
Which DNS change should you make?
Add the _sip._tls SRV record that directs SIP traffic to sipdir.online.lync.com.
Publish the unique TXT record supplied by Microsoft 365 in the proseware.com DNS zone.
Replace the existing MX record with the Microsoft 365-provided MX record that ends with mail.protection.outlook.com.
Create a CNAME record named autodiscover that points to autodiscover.outlook.com.
Answer Description
To prove that you own a custom domain, Microsoft 365 looks for a unique verification record in public DNS. The recommended and least disruptive method is to create a TXT record that contains the verification token provided in the Microsoft 365 admin center. Because TXT records are used only for informational purposes, adding one does not affect MX routing or any other service.
Creating or modifying an MX record would immediately direct inbound email to Microsoft 365, interrupting the current on-premises mail flow. CNAME and SRV records are required later for service configuration but do not satisfy ownership verification. Therefore, adding the prescribed TXT record is the appropriate step.
Your organization just completed the Microsoft 365 sign-up wizard, using ContosoEU as the initial domain name and Germany as the tenant's country/region. Management now asks you to accomplish several post-deployment changes. Which task can you perform directly in the Microsoft 365 admin center without opening a support request to Microsoft?
Change the tenant's country/region from Germany to United States.
Rename the default ContosoEU.onmicrosoft.com domain to Contoso.onmicrosoft.com.
Add Contoso.com as a custom domain and set it as the default domain for new users.
Move all tenant data from the German datacenter to the Microsoft 365 EU multi-tenant geography.
Answer Description
The Microsoft 365 admin center lets you add verified custom DNS domains at any time and designate one of them as the default domain for new user accounts and groups. By contrast, you cannot change the country/region that was chosen during tenant creation, and the default *.onmicrosoft.com domain assigned at sign-up is fixed and cannot be renamed. Moving data residency from one Microsoft 365 geography or datacenter region to another is only possible through specialized Microsoft programs and requires submitting a request to Microsoft or working with support. Therefore, the only task that can be completed entirely through self-service in the admin center is adding a custom domain and setting it as the default.
You are preparing to deploy Microsoft Entra Connect Sync for about 80,000 on-premises Active Directory objects and you run the IdFix tool. The report shows Blank, Duplicate, Format, and MailMatch error types. You want to postpone fixing any issues that will not immediately disrupt the first synchronization, but you also want to avoid having critical attributes quarantined in Microsoft Entra ID after the sync finishes. Which IdFix error type should you prioritize and resolve before you start the initial synchronization because the conflicting attribute will be quarantined if it remains?
Format
Blank
Duplicate
MailMatch
Answer Description
Duplicate errors appear when two or more directory objects share a value that must be unique in Microsoft Entra ID, for example the same userPrincipalName, mail, or proxyAddresses entry. During synchronization, Microsoft Entra ID places the conflicting attribute value in quarantine, leaving the object without that value. Because the missing attribute can prevent users from signing in or receiving mail, duplicates should be remediated before the first sync. Blank, Format, and MailMatch errors usually allow the object and its attributes to synchronize, so they can be addressed later (though Microsoft still recommends fixing them as soon as possible).
Your organization uses Microsoft Entra ID Protection. You must ensure that when an account is assessed as High user risk, the user can continue the sign-in only after completing a secure password reset. The sign-in must not be blocked outright. Which remedial action should you configure in the User risk policy to meet the requirement?
Require multifactor authentication
Require password change
Block access
Set sign-in frequency to 1 hour
Answer Description
In a User risk policy, the remedial action "Require password change" prompts the affected user to perform a secure password reset (protected by MFA) before access is granted. This allows the user to continue the sign-in flow after successful password change, rather than blocking the sign-in completely. The "Block access" option would stop the sign-in with no opportunity for remediation, while "Require multifactor authentication" and settings such as sign-in frequency are not available remediation actions in a User risk policy.
You are configuring a Microsoft Entra dynamic Microsoft 365 group. The group must automatically include every internal user who currently has Microsoft Teams enabled and must exclude all guest accounts. Which membership rule should you configure to meet the requirement?
(user.assignedPlans -any (assignedPlan.servicePlanId -eq "57ff2da0-773e-42df-b2af-ffb7a2317929" -and assignedPlan.capabilityStatus -eq "Enabled")) -and (user.userType -ne "Guest")
(user.assignedPlans -all (assignedPlan.servicePlanId -eq "57ff2da0-773e-42df-b2af-ffb7a2317929")) -and (user.userType -eq "Member")
(user.assignedPlans -any (assignedPlan.servicePlanId -eq "57ff2da0-773e-42df-b2af-ffb7a2317929" -and assignedPlan.capabilityStatus -eq "Disabled")) -and (user.userType -ne "Guest")
(user.license -contains "Teams1") -and (user.userType -ne "Guest")
Answer Description
Dynamic group rules can reference the assignedPlans collection, which lists every service plan enabled for the user. A rule that checks for the specific Microsoft Teams service plan GUID and verifies that the plan's capabilityStatus is Enabled will include only users who actively have Teams. Adding a condition that the userType is not Guest prevents guest accounts from being added. The correct rule therefore combines the two conditions with -and. Rules that reference non-existent properties such as user.license, that look for capabilityStatus Disabled, or that use -all rather than -any will fail to capture the required set of users.
Your organization wants designated administrators to receive an email every time any Microsoft Teams service incident is opened or updated. You sign in to the Microsoft 365 admin center and open Health > Service health > Preferences. Which built-in role is the minimum required to create the email notification rule without granting unnecessary additional permissions?
Service support admin
Helpdesk admin
Message center reader
Global reader
Answer Description
Only users who hold either the Global admin or Service support admin role can create or edit Service health email notification rules. The Service support admin role is the least-privileged of the two because it is limited to viewing service-related information and opening support requests, whereas Global admin grants full tenant-wide control. Roles such as Helpdesk admin or Message center reader can view some information but cannot configure notification rules.
You plan to create a custom alert policy in the Microsoft 365 Defender portal to notify your security operations team when Zero-hour Auto Purge (ZAP) removes email that contained malware after it was already delivered to any mailbox.
Which Activity should you select when you configure the alert policy so that it meets this requirement?
Malware detected in email at time of delivery
Phish detected after delivery in email
Malware detected after delivery in email
User reported malware in email
Answer Description
The alert policy Activity determines which event in Microsoft 365 generates the alert. The event that records ZAP removing a malicious message after delivery is "Malware detected after delivery in email". This activity is logged whenever ZAP re-scans a previously delivered message, identifies malware, and moves the message to quarantine. Selecting other activities would monitor different events: phishing ZAP actions, initial malware detection at time-of-delivery, or user-reported messages, none of which satisfy the requirement to alert only when ZAP removes malware post-delivery.
You administer a Microsoft Entra tenant that is synchronized with an on-premises Active Directory Domain Services (AD DS) forest by using Microsoft Entra Connect Sync with password hash synchronization. Self-Service Password Reset (SSPR) is enabled for a pilot group. Cloud-only users can reset their passwords, but synchronized users receive an error stating that password writeback is unavailable. You confirm that the Azure AD Connect server is online and healthy. To ensure synchronized users can reset their on-premises passwords, which action should you perform first?
Switch the synchronization topology from password hash synchronization to pass-through authentication.
Install and register Microsoft Entra Connect Health agents on all domain controllers.
Run Microsoft Entra Connect and enable the Password writeback optional feature.
Grant the pilot users the Password Reset Administrator role in the Microsoft Entra tenant.
Answer Description
SSPR must be able to write the new password back to the on-premises AD DS. This capability is disabled unless the Password writeback optional feature is selected in the Microsoft Entra Connect configuration. Enabling this feature registers the connector with the Microsoft Entra service bus and allows password change requests that originate in the cloud to be applied to AD DS. Assigning Entra roles, changing the authentication method, or installing health agents does not activate password writeback, so none of those actions resolves the error.
In Microsoft Defender Exposure Management, you find an improvement action that recommends disabling legacy authentication. Because a critical line-of-business app still relies on legacy authentication, you mark the improvement action as "Risk accepted - will not fix" for 12 months. Which outcome should you expect immediately after saving the exception?
The recommendation is removed from Secure Score and Exposure Score computations, and it appears only under the exceptions filter.
All devices that rely on legacy authentication are moved to a restricted network segment by Microsoft Defender Firewall rules.
Secure Score remains unchanged, but the recommendation is highlighted in red as an acknowledged risk on every device timeline.
Defender automatically creates a remediation task in Microsoft Intune but freezes the score impact until the task is completed.
Answer Description
When an improvement action is set to Risk accepted - will not fix, Defender Exposure Management (formerly Threat & Vulnerability Management) excludes the recommendation from both Secure Score and Exposure Score calculations during the exception period. The recommendation and its related CVEs are still retained in the portal, but they are visible only when you filter for exceptions. Device exposure and pending improvement actions lists refresh within minutes to reflect the revised scores. No quarantine, enforcement, or automatic remediation is triggered; only the scoring and visibility change. Choosing to postpone or approve remediation would instead keep the item in scope and affect score differently.
A company that holds a Microsoft 365 E5 subscription needs to add several external suppliers. Internal users must find the suppliers in the global address list and send them email. The suppliers must not be able to sign in or use any Microsoft 365 services. Administrators should be able to place the suppliers into mail-enabled distribution lists through the Microsoft 365 admin center without using PowerShell. Which type of directory object should you create for each supplier?
Mail-enabled user
Mail contact
Shared mailbox
Guest user (B2B collaboration)
Answer Description
Mail contacts meet every requirement. They are mail-enabled objects that appear in the global address list and can be added to distribution lists, yet they have no credentials in Microsoft Entra ID, so the external suppliers cannot sign in or consume Microsoft 365 services. Guest users and mail-enabled users create sign-in identities, while shared mailboxes require internal licensing and are intended for team access, not individual external contacts.
You run Microsoft Entra Connect Sync on Server1 to synchronize an on-premises Active Directory forest with an Azure AD tenant. You need to rebuild Server1 on new hardware without interrupting directory synchronization or creating duplicate exports to Azure AD. Which approach should you use to transition synchronization to the new server?
Pause the export run profiles on Server1, perform an Express installation of Microsoft Entra Connect Sync on the new server, and resume the export run profiles once the new server is operational.
Install a second Microsoft Entra Connect Sync server in staging mode, allow it to finish a full import and synchronization, then disable staging mode on the new server and enable it on the original server.
On Server1, disable the synchronization scheduler, export the current configuration, import that configuration when installing Microsoft Entra Connect Sync on the new hardware, and then uninstall the old server.
Replace Microsoft Entra Connect Sync with Microsoft Entra Cloud Sync on the new hardware and remove the existing synchronization installation.
Answer Description
Installing a second Microsoft Entra Connect Sync server in staging mode allows the new server to run all import and synchronization steps without exporting any data. After the initial sync cycle is completed, disabling staging mode on the new server starts exports, while enabling staging mode (or decommissioning) on the original server prevents duplicate exports. Simply stopping the scheduler, pausing run profiles, or switching to Microsoft Entra Cloud Sync does not provide the same seamless cut-over with full configuration fidelity and minimal risk.
You manage an on-premises Active Directory forest that is synchronized to Microsoft Entra ID by using Microsoft Entra Connect Sync. After you remove several organizational units from the synchronization scope, the next delta sync stops during the export step of the Azure AD connector with status stopped-deletion-threshold-exceeded. You confirm that the pending 1,200 deletions are expected and must be processed immediately. Which PowerShell cmdlet should you run on the Azure AD Connect server to let the export complete as soon as possible?
Set-ADSyncScheduler -OverrideDeletionThreshold $true
Invoke-ADSyncRunProfile -ConnectorName "Azure AD" -RunProfileName "Export"
Disable-ADSyncExportDeletionThreshold
Set-ADSyncScheduler -SyncCycleEnabled $false
Answer Description
The prevent accidental deletes feature in Microsoft Entra Connect Sync blocks an export when the number of deletions exceeds the configured threshold (500 by default). To allow the deletions to proceed, you must temporarily disable this protection and then re-enable it afterward. The cmdlet Disable-ADSyncExportDeletionThreshold turns off the deletion threshold so the current export can run. The other options do not change the deletion-threshold setting: Set-ADSyncScheduler -SyncCycleEnabled $false only pauses the scheduler, Set-ADSyncScheduler -OverrideDeletionThreshold $true is not a valid parameter combination, and Invoke-ADSyncRunProfile merely starts a run profile but the export would still be blocked.
Your organization manages Windows 10 endpoints that are already onboarded to Microsoft Defender for Endpoint. You must stop users from copying files that contain the Azure Secret Key sensitive information type to USB drives. However, users should be able to proceed after providing a business justification. The rule must not affect files copied to corporate network shares. In a Microsoft Purview data loss prevention (DLP) policy, which configuration satisfies the requirement?
Select the Devices location and configure both Copy to removable storage and Copy to network share activities with the action Block (no override).
Select the Exchange email location and configure Send email with attachments and Copy to removable storage activities with Block with override.
Select the Devices location, configure the activity Copy to removable storage, and set the action to Block with override while requiring a business justification; leave Copy to network share unconfigured.
Select SharePoint and OneDrive for Business locations and set the action Restrict access to the content with user override.
Answer Description
To meet the requirement you must build an Endpoint DLP rule that targets only the Devices location. Within the rule's advanced settings, you select the activity Copy to removable storage and set the action to Block with override while also requiring users to enter a business justification. Because the activity Copy to network share is not selected, the rule never triggers when files are moved to corporate shares, ensuring the policy applies only to USB exfiltration. Choosing SharePoint, Exchange, or a pure Block action without override would fail either to scope the location correctly or to give users the required ability to proceed with justification.
Contoso has a single Microsoft 365 tenant and a Microsoft Entra ID configuration that includes an administrative unit named SalesAU. The Sales service desk staff must be able to reset passwords only for users who belong to the Sales department. They must not be able to reset passwords for administrators or for users in other departments, and they must not receive any additional administrative permissions. Which built-in role assignment should you use to meet the requirement?
Assign the Helpdesk Administrator role scoped to SalesAU.
Assign the Password Administrator role scoped to SalesAU.
Assign the Authentication Administrator role scoped to SalesAU.
Assign the User Administrator role scoped to SalesAU.
Answer Description
The Helpdesk Administrator role permits password resets for non-administrator accounts but not for privileged roles. When the role is scoped to an administrative unit, holders can act only on objects in that unit. Assigning Helpdesk Administrator scoped to SalesAU therefore provides the exact capability required (password resets for sales users only) with no broader privileges.
Password Administrator can also reset passwords for several administrator roles, which exceeds the requirement. Authentication Administrator can update multifactor and passwordless settings in addition to performing password resets, providing unnecessary permissions. User Administrator grants broad user management capabilities (create, update, delete users) that are not needed in this scenario.
Your organization created its Microsoft 365 tenant as contoso.onmicrosoft.com several years ago. After a corporate re-branding, management requires that every new user you create automatically receives a user principal name (UPN) and primary SMTP address that ends with fabrikam.com. Existing addresses that end with contoso.com must continue to receive mail, and administrators should not have to change the domain suffix manually each time they provision a new account. What should you do in the Microsoft 365 admin center to meet the requirement?
Add fabrikam.com as a verified domain, complete DNS validation, and set it as the tenant's default domain.
Rename the initial contoso.onmicrosoft.com domain to fabrikam.onmicrosoft.com so that new accounts inherit the new suffix automatically.
Delete the contoso.onmicrosoft.com domain, then add and verify fabrikam.com as the only remaining domain in the tenant.
Create a new Microsoft 365 tenant named fabrikam.onmicrosoft.com and migrate users and data from the existing tenant.
Answer Description
The initial *.onmicrosoft.com domain assigned to a tenant cannot be renamed or deleted. Instead, you add the new vanity domain, complete DNS verification, and then make that domain the default. When a domain is set as the default, the Microsoft 365 admin center automatically assigns it to the UPN and primary SMTP address of every new user that is created, while existing proxy addresses on other verified domains continue to function for mail flow. Deleting the original domain, renaming the *.onmicrosoft.com domain, or creating a new tenant would either be impossible or require a full migration effort and therefore do not satisfy the stated constraints.
You are preparing the on-premises Active Directory for Microsoft Entra Connect by running the IdFix tool. After the first scan you export the results to a CSV file so that you can edit them offline. For several objects IdFix reports a Duplicate error for the proxyAddresses attribute, but you confirm that the duplicates are intentional and must remain unchanged. Which value should you enter in the Action column of the CSV file before you re-import it into IdFix?
IGNORE
LEAVE
EDIT
REMOVE
Answer Description
IdFix looks at the Action column in the CSV you re-import to decide what to do with each directory object.
- EDIT - apply the value you place in the Update column.
- REMOVE - delete the attribute value so that it is blank.
- IGNORE - leave the object unchanged and suppress the warning on subsequent scans.
Because the duplicate proxyAddresses are valid and should not be modified, you should specify IGNORE.