MS-102 Microsoft Updated Practice Questions

This document provides a set of practice questions for the MS-102 exam, designed to reflect the exam's structure and topics. It includes topic-focused questions, accurate answer keys, and is intended for personal study only. Additional resources and a complete question bank can be accessed through CertQuestionsBank.com.

This PDF contains a set of carefully selected practice questions for the MS-102 exam. These questions are designed to reflect the structure, difficulty, and topics covered in the actual exam, helping you reinforce your understanding and identify areas for improvement.

What's Inside:

1. Topic-focused questions based on the latest exam objectives
2. Accurate answer keys to support self-review
3. Designed to simulate the real test environment
4. Ideal for final review or daily practice

Important Note:

This material is for personal study purposes only. Please do not redistribute or use for commercial purposes without permission.

Some MS-102 exam questions are shared below.
1.HOTSPOT
Your on-premises network contains an Active Directory domain and a Microsoft Endpoint
Configuration Manager site.
You have a Microsoft 365 E5 subscription that uses Microsoft Intune.
You use Azure AD Connect to sync user objects and group objects to Azure Active Directory (Azure AD).
Password hash synchronization is disabled.
You plan to implement co-management.
You need to configure Azure AD Connect and the domain to support co-management.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each
correct selection is worth one point.

Answer:

2.DRAG DROP
You have a Microsoft 365 E5 subscription that contains two groups named Group1 and Group2.
You need to ensure that each group can perform the tasks shown in the following table.
The solution must use the principle of least privilege.
Which role should you assign to each group? To answer, drag the appropriate roles to the correct
groups. Each role may be used once, more than once, or not at all. You may need to drag the split
bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Answer:
Explanation:
Box 1: Billing admin
manage service request
Purchase new services
Etc.
Assign the Billing admin role to users who make purchases, manage subscriptions and service
requests, and monitor service health.
Box 2: User admin
User admin
Assign the User admin role to users who need to do the following for all users:
- Add users and groups
- Assign licenses
- Manage most users properties
- Create and manage user views
- Update password expiration policies
- Manage service requests
- Monitor service health
Reference: https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles

3.You have a Microsoft 365 subscription that uses Microsoft 365 Defender.
You need to compare your company's security configurations to Microsoft best practices and review
improvement actions to increase the security posture.
What should you use?
A. Microsoft Secure Score
B. Cloud discovery
C. Exposure distribution
D. Threat tracker
E. Exposure score
Answer: A
4.You have a Microsoft 365 E5 tenant.
Industry regulations require that the tenant comply with the ISO 27001 standard.
You need to evaluate the tenant based on the standard.
A. From Policy in the Azure portal, select Compliance, and then assign a policy.
B. From Compliance Manager, create an assessment.
C. From the Microsoft 365 compliance center, create an audit retention policy.
D. From the Microsoft 365 admin center enable the Productivity Score.
Answer: B

5.HOTSPOT
You have a Microsoft 365 subscription.
You deploy the anti-phishing policy shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic. NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: Enable users to protect
Anti-phishing policies in Defender for Office 365 also have impersonation settings where you can
specify individual sender email addresses or sender domains that will receive impersonation
protection.
User impersonation protection
User impersonation protection prevents specific internal or external email addresses from being
impersonated as message senders. For example, you receive an email message from the Vice
President of your company asking you to send her some internal company information.
Would you do it? Many people would send the reply without thinking.
You can use protected users to add internal and external sender email addresses to protect from
impersonation. This list of senders that are protected from user impersonation is different from the list
of recipients that the policy applies to (all recipients for the default policy; specific recipients as
configured in the Users, groups, and domains setting in the Common policy settings section).
When you add internal or external email addresses to the Users to protect list, messages from those
senders are subject to impersonation protection checks. The message is checked for impersonation if
the message is sent to a recipient that the policy applies to (all recipients for the default policy; Users,
groups, and domains recipients in custom policies). If impersonation is detected in the sender's email
address, the action for impersonated users is applied to the message.
Box 2: Add trusted senders and domains
Trusted senders and domains
Trusted senders and domains are exceptions to the impersonation protection settings. Messages from
the specified senders and sender domains are never classified as impersonation-based attacks by
the policy. In other words, the action for protected senders, protected domains, or mailbox intelligence
protection aren't applied to these trusted senders or sender domains. The maximum limit for these
lists is 1024 entries.
Reference: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about

6.Your company has three main offices and one branch office. The branch office is used for research.
The company plans to implement a Microsoft 365 tenant and to deploy multi-factor authentication.
You need to recommend a Microsoft 365 solution to ensure that multi-factor authentication is
enforced only for users in the branch office.
What should you include in the recommendation?
A. Azure AD password protection
B. a Microsoft Intune device configuration profile
C. a Microsoft Intune device compliance policy
D. Azure AD conditional access
Answer: D

7.HOTSPOT
You have a Microsoft 365 E5 subscription that uses Microsoft Intune.
You have devices enrolled in Intune as shown in the following table.

You create the device configuration profiles shown in the following table.
Which profiles will be applied to each device? To answer, select the appropriate options in the answer
area. NOTE: Each correct selection is worth one point.

Answer:
8.You have a Microsoft 365 subscription that contains an Azure AD tenant named contoso.com.
Corporate policy states that user passwords must not include the word Contoso.
What should you do to implement the corporate policy?
A. From Azure AD Identity Protection, configure a sign-in risk policy.
B. From the Microsoft Entra admin center, create a conditional access policy.
C. From the Microsoft 365 admin center, configure the Password policy settings.
D. From the Microsoft Entra admin center, configure the Password protection settings.
Answer: D

9.Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your network contains an on-premises Active Directory domain. The domain contains domain
controllers that run Windows Server 2019. The functional level of the forest and the domain is
Windows Server 2012 R2.
The domain contains 100 computers that run Windows 10 and a member server named Server1 that
runs Windows Server 2012 R2.
You plan to use Server1 to manage the domain and to configure Windows 10 Group Policy settings.
You install the Group Policy Management Console (GPMC) on Server1.
You need to configure the Windows Update for Business Group Policy settings on Server1.
Solution: You upgrade Server1 to Windows Server 2019.
Does this meet the goal?
A. Yes
B. No
Answer: B

10.HOTSPOT
You have a Microsoft 365 E5 subscription.
You have an Azure AD tenant named contoso.com that contains the following users:
• Admin1
• Admin2
• User1
Contoso.com contains an administrative unit named AU1 that has no role assignments. User1 is a
member of AU1. You create an administrative unit named AU2 that does NOT have any members or
role assignments.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE:
Each correct selection is worth one point.

Answer:

11.HOTSPOT
You have device compliance policies shown in the following table.
The device compliance state for each policy is shown in the following table.

NOTE: Each correct selection is worth one point.

Answer:
12.Your network contains an Active Directory forest named Contoso.Local.
You have a Microsoft 365 subscription.
You plan to implement a directory synchronization solution that will use password hash
synchronization.
From the Microsoft 365 admin center, you successfully verify the contoso.com domain name.
You need to prepare the environment for the planned directory synchronization solution.
What should you do first?
A. From Active Directory Domains and Trusts, add contoso.com as a UPN suffix.
B. From the Microsoft 365 admin center, verify the Contoso.Local domain name.
C. From the public DNS zone of contoso.com, add a new mail exchanger (MX) record.
D. From Active Directory Users and Computers, modify the UPN suffix for all users.
Answer: A

13.You have a Microsoft 365 subscription.


You need to configure a compliance solution that meets the following requirements:
Defines sensitive data based on existing data samples
Automatically prevents data that matches the samples from being shared externally in Microsoft
SharePoint or email messages
Which two components should you configure? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. a trainable classifier
B. a sensitive info type
C. an insider risk policy
D. an adaptive policy scope
E. a data loss prevention (DLP) policy
Answer: A, E
Explanation:
A: Classifiers
This categorization method is well suited to content that isn't easily identified by either the manual or
automated pattern-matching methods. This method of categorization is more about using a classifier
to identify an item based on what the item is, not by elements that are in the item (pattern matching).
A classifier learns how to identify a type of content by looking at hundreds of examples of the content
you're interested in identifying.
Where you can use classifiers
Classifiers are available to use as a condition for:
Office auto-labeling with sensitivity labels
Auto-apply retention label policy based on a condition
Communication compliance
Sensitivity labels can use classifiers as conditions, see Apply a sensitivity label to content
automatically.
Data loss prevention
E: Organizations have sensitive information under their control such as financial data, proprietary
data, credit card numbers, health records, or social security numbers. To help protect this sensitive
data and reduce risk, they need a way to prevent their users from inappropriately sharing it with
people who shouldn't have it. This practice is called data loss prevention (DLP).
Reference:
https://learn.microsoft.com/en-us/microsoft-365/compliance/classifier-learn-about
https://learn.microsoft.com/en-us/microsoft-365/compliance/dlp-learn-about-dlp

14.HOTSPOT
You have an Azure AD tenant that contains the users shown in the following table.

Your company uses Microsoft Defender for Endpoint. Microsoft Defender for Endpoint contains the
roles shown in the following table.

Microsoft Defender for Endpoint contains the device groups shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE:
Each correct selection is worth one point.
Answer:

15.You have an Azure AD tenant that contains the users shown in the following table.

You need to compare the permissions of each role. The solution must minimize administrative effort.
Which portal should you use?
A. the Microsoft Purview compliance portal
B. the Microsoft 365 admin center
C. the Microsoft 365 Defender portal
D. the Microsoft Entra admin center
Answer: A
16. Enable policy: On
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE:
Each correct selection is worth one point.

Answer:

Explanation:
Box 1: No
User1 is member of Group1 and has Device1.
Device1 is not Azure AD joined.
Note: Requiring a hybrid Azure AD joined device is dependent on your devices already being hybrid
Azure AD joined.
Box 2: Yes
User2 is member of Group1 and has devices Device2 and Device3.
Device2 is Azure AD joined.
Device2 is excluded from CAPolicy1 (which would block access to Site1).
Box 3: Yes
User2 is member of Group1 and has devices Device2 and Device3.
Device3 is Android and is Azure AD registered.
Device3 is excluded from CAPolicy1 (which would block access to Site1).
Note: On Windows 7, iOS, Android, macOS, and some third-party web browsers, Azure AD identifies
the device using a client certificate that is provisioned when the device is registered with Azure AD.
When a user first signs in through the browser the user is prompted to select the certificate. The end
user must select this certificate before they can continue to use the browser.
Reference:
https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-hybrid-azure-ad-join
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-compliant-device

17.HOTSPOT
You have a Microsoft 365 E5 subscription that uses Microsoft Intune.
The subscription contains the resources shown in the following table.

User1 is the owner of Device1.


You add Microsoft 365 Apps Windows 10 and later app types to Intune as shown in the following
table.
On Thursday, you review the results of the app deployments.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE:
Each correct selection is worth one point.
Answer:

18.DRAG DROP
Your company has an Azure AD tenant named contoso.onmicrosoft.com.
You purchase a domain named contoso.com from a registrar and add all the required DNS records.
You create a user account named User1. User1 is configured to sign in as
user1@contoso.onmicrosoft.com.
You need to configure User1 to sign in as user1@contoso.com.
Which three actions should you perform in sequence? To answer, move the appropriate actions from
the list of actions to the answer area and arrange them in the correct order.
Answer:

19.You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365 and contains a
mailbox named Mailbox1.
You plan to use Mailbox1 to collect and analyze unfiltered email messages.
You need to ensure that Defender for Office 365 takes no action on any inbound emails delivered to
Mailbox1.
What should you do?
A. Configure a retention policy for Mailbox1.
B. Create a mail flow rule.
C. Configure Mailbox1 as a SecOps mailbox.
D. Place a litigation hold on Mailbox1.
Answer: C

20. When you're finished on the Name your policy page, select Next.

21.You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365.
A Built-in protection preset security policy is applied to the subscription.
Which two policy types will be applied by the Built-in protection policy? Each correct answer presents
a complete solution. NOTE: Each correct selection is worth one point.
A. Anti-malware
B. Anti-phishing
C. Safe Attachments
D. Anti-spam
E. Safe Links
Answer: C, E

22.HOTSPOT
Your company has a Microsoft 365 tenant.
You plan to allow users that are members of a group named Engineering to enroll their mobile device
in mobile device management (MDM).
The device type restrictions are configured as shown in the following table.
The device limit restrictions are configured as shown in the following table.

Answer:

23.You have a Microsoft 365 E5 subscription.


Users access Microsoft 365 from both their laptop and a corporate Virtual Desktop Infrastructure
(VDI) solution.
From Azure AD Identity Protection, you enable a sign-in risk policy.
Users report that when they use the VDI solution, they are regularly blocked when they attempt to
access Microsoft 365.
What should you configure?
A. the Tenant restrictions settings in Azure AD
B. a trusted location
C. a Conditional Access policy exclusion
D. the Microsoft 365 network connectivity settings
Answer: B
Explanation:
There are two types of risk policies in Azure Active Directory (Azure AD) Conditional Access you can
set up to automate the response to risks and allow users to self-remediate when risk is detected:
Sign-in risk policy
User risk policy
Configured trusted network locations are used by Identity Protection in some risk detections to reduce
false positives.
Reference:
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition

24.You have a Microsoft 365 subscription that uses Microsoft Defender for Cloud Apps.
You configure a session control policy to block downloads from SharePoint Online sites.
Users report that they can still download files from SharePoint Online sites.
You need to ensure that file download is blocked while still allowing users to browse SharePoint
Online sites.
What should you configure?
A. an access policy
B. a data loss prevention (DLP) policy
C. an activity policy
D. a Conditional Access policy
Answer: D

25.You have a Microsoft 365 E5 subscription that uses Azure Advanced Threat Protection (ATP).
You need to create a detection exclusion in Azure ATP.
Which tool should you use?
A. the Security & Compliance admin center
B. Microsoft Defender Security Center
C. the Microsoft 365 admin center
D. the Azure Advanced Threat Protection portal
E. the Cloud App Security portal
Answer: D
Explanation:
Reference:
https://docs.microsoft.com/en-us/defender-for-identity/what-is
https://docs.microsoft.com/en-us/defender-for-identity/excluding-entities-from-detections
26.You have a Microsoft 365 subscription.
From Microsoft 365 Defender, you create a role group named US eDiscovery Managers by copying
the eDiscovery Manager role group.
You need to ensure that the users in the new role group can only perform content searches of
mailbox content for users in the United States.
Solution: From Windows PowerShell, you run the New-ComplianceSecurityFilter cmdlet with the
appropriate parameters.
Does this meet the goal?
A. Yes
B. No
Answer: A

27.Your on-premises network contains an Active Directory domain named Contoso.com and 500
devices that run either macOS, Windows 8.1, Windows 10, or Windows 11. All the devices are
managed by using Microsoft Endpoint Configuration Manager. The domain syncs with Azure Active
Directory (Azure AD).
You plan to implement a Microsoft 365 E5 subscription and enable co-management.
Which devices can be co-managed after the implementation?
A. Windows 11 and Windows 10 only
B. Windows 11, Windows 10, Windows 8.1, and macOS
C. Windows 11 and macOS only
D. Windows 11 only
E. Windows 11, Windows 10, and Windows 8.1 only
Answer: C

28.You have a Microsoft 365 E5 subscription.


You onboard all devices to Microsoft Defender for Endpoint.
You need to use Defender for Endpoint to block access to a malicious website at www.contoso.com.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE:
Each correct answer is worth one point.
A. Create a web content filtering policy.
B. Configure an enforcement scope.
C. Enable Custom network indicators.
D. Create an indicator.
E. Enable automated investigation.
Answer: C, D

29.Your company has a Microsoft 365 E5 tenant that contains a user named User1.
You review the company’s compliance score.
You need to assign the following improvement action to User1: Enable self-service password reset.
What should you do first?
A. From Compliance Manager, turn off automated testing.
B. From the Azure Active Directory admin center, enable self-service password reset (SSPR).
C. From the Microsoft 365 admin center, modify the self-service password reset (SSPR) settings.
D. From the Azure Active Directory admin center, add User1 to the Compliance administrator role.
Answer: D
Explanation:
Reference: https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager-improvement-actions?view=o365-worldwide
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal

30.You need to create the Safe Attachments policy to meet the technical requirements.
Which option should you select?
A. Replace
B. Enable redirect
C. Block
D. Dynamic Delivery
Answer: D
Explanation:
Reference: https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/microsoft-365/security/office-365-security/safe-attachments.md

31.HOTSPOT
You have a Microsoft 365 E5 subscription.
You plan to use a mailbox named Mailbox1 to analyze malicious email messages.
You need to configure Microsoft Defender for Office 365 to meet the following requirements:
• Ensure that incoming email is NOT filtered for Mailbox1.
• Detect impersonation and spoofing attacks on all other mailboxes in the subscription.
Which two settings should you configure? To answer, select the appropriate settings in the answer
area.

Answer:
Explanation:
Safe Attachments policy: This policy allows you to specify how to handle email attachments that might
contain malware. You can create a custom policy for Mailbox1 and set the action to Do not scan
attachments. This will ensure that incoming email is not filtered for Mailbox1. You can also enable the
Redirect attachment option to send a copy of the original attachment to another mailbox for analysis.
Anti-phishing policy: This policy helps you protect your organization from impersonation and spoofing
attacks. You can create a default policy for all other mailboxes in the subscription and enable the
following features: Impersonation protection, Spoof intelligence, and Domain authentication. These
features will help you detect and block emails that try to impersonate your users, domains, or trusted
senders.

32.HOTSPOT
You have a new Microsoft 365 E5 tenant.
Enable Security defaults is set to Yes.
A user signs in to the tenant for the first time.
Which multi-factor authentication (MFA) method can the user use, and how many days does the user
have to register for MFA? To answer, select the appropriate options in the answer area. NOTE: Each
correct selection is worth one point.
Answer:

Explanation:
Box 1: Notification to Microsoft Authenticator app
Do users have 14 days to register for Azure AD Multi-Factor Authentication?
Users have 14 days to register for MFA with the Microsoft Authenticator app from their smart phones,
which begins from the first time they sign in after security defaults has been enabled. After 14 days
have passed, the user won't be able to sign in until MFA registration is completed.
Box 2: 14
Azure AD Identity Protection will prompt your users to register the next time they sign in interactively
and they'll have 14 days to complete registration. During this 14-day period, they can bypass
registration if MFA isn't required as a condition, but at the end of the period they'll be required to
register before they can complete the sign-in process.
Reference:
https://learn.microsoft.com/en-us/microsoft-365/solutions/empower-people-to-work-remotely-secure-sign-in
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy

33.You have a Microsoft 365 E5 subscription that contains the devices shown in the following table.

You need to configure an incident email notification rule that will be triggered when an alert occurs
only on a Windows 10 device. The solution must minimize administrative effort.
What should you do first?
A. From the Microsoft 365 admin center, create a mail-enabled security group.
B. From the Microsoft 365 Defender portal, create a device group.
C. From the Microsoft Endpoint Manager admin center, create a device category.
D. From the Azure Active Directory admin center, create a dynamic device group.
Answer: D

34.You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365.
You need to ensure that users are prevented from opening or downloading malicious files from
Microsoft Teams, OneDrive, or SharePoint Online.
What should you do?
A. Create a new Anti-malware policy.
B. Configure the Safe Links global settings.
C. Create a new Anti-phishing policy.
D. Configure the Safe Attachments global settings.
Answer: D
Explanation:
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
In organizations with Microsoft Defender for Office 365, Safe Attachments for SharePoint, OneDrive,
and Microsoft Teams provides an additional layer of protection against malware. After files are
asynchronously scanned by the common virus detection engine in Microsoft 365, Safe Attachments
opens files in a virtual environment to see what happens (a process known as detonation). Safe
Attachments for SharePoint, OneDrive, and Microsoft Teams also helps detect and block existing files
that are identified as malicious in team sites and document libraries.
Reference: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-about
35.Note: This question is part of a series of questions that present the same scenario. Each question
in the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com that is synced to Microsoft
Azure Active Directory (Azure AD).
You manage Windows 10 devices by using Microsoft System Center Configuration Manager (Current
Branch).
You configure a pilot for co-management.
You add a new device named Device1 to the domain. You install the Configuration Manager client on
Device1.
You need to ensure that you can manage Device1 by using Microsoft Intune and Configuration
Manager.
Solution: Define a Configuration Manager device collection as the pilot collection. Add Device1 to the
collection.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
Device1 has the Configuration Manager client installed so you can manage Device1 by using
Configuration Manager. To manage Device1 by using Microsoft Intune, the device has to be enrolled
in Microsoft Intune. In the Co-management Pilot configuration, you configure a Configuration Manager
Device Collection that determines which devices are auto-enrolled in Microsoft Intune. You need to
add Device1 to the Device Collection so that it auto-enrols in Microsoft Intune. You will then be able to
manage Device1 using Microsoft Intune.
Reference: https://docs.microsoft.com/en-us/configmgr/comanage/how-to-enable

36.HOTSPOT
You have a Microsoft 365 subscription.
You need to review metrics for the following:
The daily active users in Microsoft Teams
Recent Microsoft service issues
What should you use? To answer, select the appropriate options in the answer area. NOTE: Each
correct selection is worth one point.
Answer:

Explanation:
Box 1: Usage reports
The daily active users in Microsoft Teams
Microsoft 365 Reports in the admin center - Microsoft Teams usage activity
The brand-new Teams usage report gives you an overview of the usage activity in Teams, including
the number of active users, channels and messages so you can quickly see how many users across
your organization are using Teams to communicate and collaborate. It also includes other Teams
specific activities, such as the number of active guests, meetings, and messages.
Box 2: Service Health
Recent Microsoft service issues
You can view the health of your Microsoft services, including Office on the web, Yammer, Microsoft
Dynamics CRM, and mobile device management cloud services, on the Service health page in the
Microsoft 365 admin center. If you are experiencing problems with a cloud service, you can check the
service health to determine whether this is a known issue with a resolution in progress before you call
support or spend time troubleshooting.
Reference:
https://learn.microsoft.com/en-us/microsoft-365/admin/activity-reports/microsoft-teams-usage-activity
https://learn.microsoft.com/en-us/microsoft-365/enterprise/view-service-health

37.HOTSPOT
You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

You plan to provide User4 with early access to Microsoft 365 feature and service updates.
You need to identify which Microsoft 365 setting must be configured, and which user can modify the
setting. The solution must use the principle of least privilege.
What should you identify? To answer, select the appropriate options in the answer area. NOTE: Each
correct selection is worth one point.
Answer:
38.HOTSPOT
Your company has a hybrid deployment of Microsoft 365.
An on-premises user named User1 is synced to Azure AD.
Azure AD Connect is configured as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic. NOTE: Each correct selection is worth one point.

Answer:
39.You have a Microsoft 365 subscription that contains the users shown in the following table.

You need to configure group-based licensing to meet the following requirements:


To all users, deploy an Office 365 E3 license without the Power Automate license option.
To all users, deploy an Enterprise Mobility + Security E5 license.
To the users in the research department only, deploy a Power BI Pro license.
To the users in the marketing department only, deploy a Visio Plan 2 license.
What is the minimum number of deployment groups required?
A. 1
B. 2
C. 3
D. 4
E. 5
Answer: C
Explanation:
One for all users, one for the research department, and one for the marketing department.
Note: What are Deployment Groups?
With Deployment Groups, you can orchestrate deployments across multiple servers and perform
rolling updates, while ensuring high availability of your application throughout. You can also deploy to
servers on-premises or virtual machines on Azure or any cloud, plus have end-to-end traceability of
deployed artifact versions down to the server level.
Reference: https://devblogs.microsoft.com/devops/deployment-groups-is-now-generally-available-sharing-of-targets-and-more
40.HOTSPOT
You have a Microsoft 365 subscription.
You need to create two groups named Group1 and Group2.
The solution must meet the following requirements:
• Group1 must be mail-enabled and have an associated Microsoft SharePoint Online site.
• Group2 must support dynamic membership and role assignments but must NOT be mail-enabled.
Which types of groups should you create? To answer, select the appropriate options in the answer
area. NOTE: Each correct selection is worth one point.

Answer:
41.You have a Microsoft 365 tenant.
You plan to enable BitLocker Disk Encryption (BitLocker) automatically for all Windows 10 devices
that enroll in Microsoft Intune.
What should you use?
A. an attack surface reduction (ASR) policy
B. an app configuration policy
C. a device compliance policy
D. a device configuration profile
Answer: D
Explanation:
Reference: https://docs.microsoft.com/en-us/mem/intune/protect/encrypt-devices

42.HOTSPOT
You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint site named Site1 and
a data loss prevention (DLP) policy named DLP1.
DLP1 contains the rules shown in the following table.
Site1 contains the files shown in the following table.

Which policy tips are shown for each file? To answer, select the appropriate options in the answer
area. NOTE: Each correct selection is worth one point.
Answer:
43.HOTSPOT
You have a Microsoft 365 E5 tenant that contains 500 Windows 10 devices and a Windows 10
compliance policy.
You deploy a third-party antivirus solution to the devices.
You need to ensure that the devices are marked as compliant.
Which three settings should you modify in the compliance policy? To answer, select the appropriate
settings in the answer area. NOTE: Each correct selection is worth one point.
Answer:

Explanation:
Reference: https://docs.microsoft.com/en-us/mem/intune/protect/compliance-policy-create-windows

44.HOTSPOT
You have a Microsoft 365 E3 subscription.
You plan to launch Attack simulation training for all users.
Which social engineering technique and training experience will be available? To answer, select the
appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Answer:
Explanation:
Box 1: Credential Harvest
Attack simulation training offers a subset of capabilities to E3 customers as a trial. The trial offering
contains the ability to use a Credential Harvest payload and the ability to select 'ISA Phishing' or
'Mass Market Phishing' training experiences. No other capabilities are part of the E3 trial offering.
Note: In Attack simulation training, multiple types of social engineering techniques are available:
Credential Harvest
Malware Attachment
Link to Malware
Etc.
Box 2: Mass Market Phishing
Reference: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started

45.You have a Microsoft 365 tenant.


Company policy requires that all Windows 10 devices meet the following minimum requirements:
Require complex passwords.
Require the encryption of data storage devices.
Have Microsoft Defender Antivirus real-time protection enabled.
You need to prevent devices that do not meet the requirements from accessing resources in the
tenant.
Which two components should you create? Each correct answer presents part of the solution. NOTE:
Each correct selection is worth one point.
A. a configuration policy
B. a compliance policy
C. a security baseline profile
D. a conditional access policy
E. a configuration profile
Answer: BD
Explanation:
Reference: https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started

46.HOTSPOT
You have a Microsoft 365 tenant that contains devices enrolled in Microsoft Intune.
The devices are configured as shown in the following table.

You plan to perform the following device management tasks in Microsoft Endpoint Manager:
Deploy a VPN connection by using a VPN device configuration profile.
Configure security settings by using an Endpoint Protection device configuration profile.
You need to identify which devices support the management tasks.
What should you identify? To answer, select the appropriate options in the answer area. NOTE: Each
correct selection is worth one point.

Answer:

Explanation:
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/vpn-settings-configure
https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-protection-macos

47.HOTSPOT
You have a Microsoft 365 E5 subscription.
From Azure AD Identity Protection on August 1, you configure a Multifactor authentication registration
policy that has the following settings:
Assignments: All users
Controls: Require Azure AD multifactor authentication registration
Enforce Policy: On
On August 3, you create two users named User1 and User2.
Users authenticate by using Azure Multi-Factor Authentication (MFA) for the first time on the dates
shown in the following table.

By which dates will User1 and User2 be forced to complete their Azure MFA registration? To answer,
select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Box 1: August 19
Note: Security defaults will trigger a 14 day grace period for registration after a user's first login and
security defaults being enabled. After 14 days users will be required to register for MFA and will not
be able to skip.
Conditional Access by itself without Azure Identity Protection does not allow for the 14 day grace
period. Identity Protection includes the registration policy that allows registration on its own with no
apps assigned to the policy. If a Conditional Access policy requires Multi-Factor Authentication, then
the user must be able to pass that MFA request.
Box 2: August 21
Reference: https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
48.You have a Microsoft 365 tenant.
You plan to implement Endpoint Protection device configuration profiles.
Which platform can you manage by using the profile?
A. Android
B. CentOS Linux
C. iOS
D. Windows 10
Answer: D
Explanation:
Reference: https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-protection-configure

49.HOTSPOT
You have an Azure AD tenant named contoso.com that contains the users shown in the following
table.

Multi-factor authentication (MFA) is configured to use 131.107.5.0/24 as trusted IPs.


The tenant contains the named locations shown in the following table.

You create a conditional access policy that has the following configurations:
Users or workload identities assignments: All users
Cloud apps or actions assignment: App1
Conditions: Include all trusted locations
Grant access: Require multi-factor authentication
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE:
Each correct selection is worth one point.
Answer:

Explanation:
Box 1: Yes

50.HOTSPOT
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users
shown in the following table.

You integrate Microsoft Intune and contoso.com as shown in the following exhibit.
You purchase a Windows 10 device named Device1.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE:
Each correct selection is worth one point.
Answer:

Explanation:
Reference: https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enroll

51.Note: This question is part of a series of questions that present the same scenario. Each question
in the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have a Microsoft 365 E5 subscription.
You create an account for a new security administrator named SecAdmin1.
You need to ensure that SecAdmin1 can manage Office 365 Advanced Threat Protection (ATP)
settings and policies for Microsoft Teams, SharePoint, and OneDrive.
Solution: From the Azure Active Directory admin center, you assign SecAdmin1 the Security
administrator role.
Does this meet the goal?
A. Yes
B. No
Answer: A

52.HOTSPOT
Your company has a Microsoft 365 E5 subscription.
You need to perform the following tasks:
View the Adoption Score of the company.
Create a new service request to Microsoft.
Which two options should you use in the Microsoft 365 admin center? To answer, select the
appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Box 1: Reports
View the Adoption Score of the company.
How to enable Adoption Score
To enable Adoption Score:
Sign in to the Microsoft 365 admin center as a Global Administrator and go to Reports > Adoption
Score
Select enable Adoption Score. It can take up to 24 hours for insights to become available.
Box 2: Support
Create a new service request to Microsoft.
Sign in to Microsoft 365 with your Microsoft 365 admin account, and select Support > New service
request. If you're in the admin center, select Support > New service request.
Reference:
https://learn.microsoft.com/en-us/microsoft-365/admin/adoption/adoption-score
https://support.microsoft.com/en-us/topic/contact-microsoft-office-support-fd6bb40e-75b7-6f43-d6f9-c13d10850e77

53.HOTSPOT
You have a Microsoft 365 E5 tenant that contains the users shown in the following table.

You perform the following actions:


- Provision the private store in Microsoft Store for Business.
- Add an app named App1 to the private store.
- Set Private store availability for App1 to Specific groups, and then select Group3.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE:
Each correct selection is worth one point.

Answer:
Explanation:
Reference: https://docs.microsoft.com/en-us/microsoft-store/app-inventory-management-microsoft-store-for-business#private-store-availability

54.You have a Microsoft E5 subscription.


You need to ensure that administrators who need to manage Microsoft Exchange Online are
assigned the Exchange Administrator role for five hours at a time.
What should you implement?
A. Azure AD Privileged Identity Management (PIM)
B. a conditional access policy
C. a communication compliance policy
D. Azure AD Identity Protection
E. groups that have dynamic membership
Answer: A
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-change-default-settings

55.DRAG DROP
You have an Azure subscription that is linked to a hybrid Microsoft Entra tenant.
All users sync from Active Directory Domain Services (AD DS) to the tenant by using Express
Settings in Microsoft Entra Connect.
You plan to implement self-service password reset (SSPR).
You need to ensure that when a user resets or changes a password, the password syncs with AD DS.
Which actions should you perform in sequence? To answer, drag the appropriate actions to the
correct order. Each action may be used once, more than once, or not at all. You may need to drag the
split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.
Answer:

56.HOTSPOT
You have a Microsoft 365 E5 tenant that connects to Microsoft Defender for Endpoint.
You have devices enrolled in Microsoft Intune as shown in the following table.

You plan to use risk levels in Microsoft Defender for Endpoint to identify whether a device is
compliant. Noncompliant devices must be blocked from accessing corporate resources.
You need to identify which devices can be onboarded to Microsoft Defender for Endpoint, and which
Endpoint security policies must be configured.
What should you identify? To answer, select the appropriate options in the answer area. NOTE: Each
correct selection is worth one point.

Answer:
57. On the Protection settings page, configure the following settings:
Protection settings section:
Enable the common attachments filter: If you select this option, messages with the specified
attachments are treated as malware and are automatically quarantined. You can modify the list by
clicking Customize file types and selecting or deselecting values in the list.

58.You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.
You plan to perform device discovery and authenticated scans of network devices.
You install and register the network scanner on a device named Device1.
What should you do next?
A. Connect Defender for Endpoint to Microsoft Intune.
B. Apply for Microsoft Threat Experts - Targeted Attack Notifications.
C. Create an assessment job.
D. Download and run an onboarding package.
Answer: C

59.You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

Which users can review the Adoption Score in the Microsoft 365 admin center?
A. User1 only
B. User2 only
C. User1 and User2 only
D. User1 and User3 only
E. User1, User2, and User3
Answer: E

60.HOTSPOT
You have a Microsoft 365 E5 subscription that contains the devices shown in the following table.

At 08:00, you create an incident notification rule that has the following configurations:
• Name: Notification1
• Notification settings
  ◦ Notify on alert severity: Low
  ◦ Device group scope: All (3)
  ◦ Details: First notification per incident
• Recipients: User1@contoso.com, User2@contoso.com
At 08:02, you create an incident notification rule that has the following configurations:
• Name: Notification
• Notification settings
  ◦ Notify on alert severity: Low, Medium
  ◦ Device group scope: DeviceGroup1, DeviceGroup2
• Recipients: User1@contoso.com
In Microsoft 365 Defender, alerts are logged as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Answer:
61.You have a Microsoft 365 tenant that contains a Windows 10 device named Device1 and the
Microsoft Endpoint Manager policies shown in the following table.

A. only the settings of Policy1


B. only the settings of Policy2
C. only the settings of Policy3
D. no settings
Answer: C

62.HOTSPOT
You have a Microsoft 365 E5 subscription that contains two users named Admin1 and Admin2.
All users are assigned a Microsoft 365 Enterprise E5 license and auditing is turned on.
You create the audit retention policy shown in the exhibit. (Click the Exhibit tab.)
After Policy1 is created, the following actions are performed:
- Admin1 creates a user named User1.
- Admin2 creates a user named User2.
How long will the audit events for the creation of User1 and User2 be retained? To answer, select the
appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Answer:
Explanation:
Reference: https://docs.microsoft.com/en-us/microsoft-365/compliance/audit-log-retention-policies?view=o365-worldwide

63.HOTSPOT
You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

You create an administrative unit named AU1 that contains the members shown in the following
exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE:
Each correct selection is worth one point.
Answer:

64.DRAG DROP
You have a Microsoft 365 E5 subscription.
Several users have iOS devices.
You plan to enroll the iOS devices in Microsoft Endpoint Manager.
You need to ensure that you can create an iOS/iPadOS enrollment profile in Microsoft Endpoint
Manager.
Which three actions should you perform in sequence? To answer, move the appropriate actions from
the list of actions to the answer area and arrange them in the correct order.
Answer:

Explanation:
Reference: https://docs.microsoft.com/en-us/mem/intune/enrollment/apple-mdm-push-certificate-get

65.Your network contains an on-premises Active Directory domain named contoso.local. The domain
contains five domain controllers.
Your company purchases Microsoft 365 and creates an Azure AD tenant named
contoso.onmicrosoft.com.
You plan to install Azure AD Connect on a member server and implement pass-through
authentication.
You need to prepare the environment for the planned implementation of pass-through authentication.
Which three actions should you perform? Each correct answer presents part of the solution. NOTE:
Each correct selection is worth one point.
A. From a domain controller, install an Authentication Agent.
B. From the Microsoft Entra admin center, configure an authentication method.
C. From Active Directory Domains and Trusts, add a UPN suffix.
D. Modify the email address attribute for each user account.
E. From the Microsoft Entra admin center, add a custom domain name.
F. Modify the User logon name for each user account.
Answer: C, E, F

66.HOTSPOT
Your company uses Microsoft Defender for Endpoint. Microsoft Defender for Endpoint includes the
device groups shown in the following table.

You onboard a computer named computer1 to Microsoft Defender for Endpoint as shown in the
following exhibit.
Use the drop-down menus to select the answer choice that completes each statement. NOTE: Each
correct selection is worth one point.

Answer:

67.HOTSPOT
You need to configure the information governance settings to meet the technical requirements.
Which type of policy should you configure, and how many policies should you configure? To answer,
select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Answer:
