Free practice questions

MS-102 practice questions, with full explanations

75 free MS-102 (Microsoft 365 Administrator) questions, each with the correct answer, a breakdown of why every other option is wrong, a memory hook, and the Microsoft Learn reference. Prefer to be quizzed? Take the interactive MS-102 quiz, which scores you by topic and points you to the guide that fits your weak spots.

Microsoft 365 Tenant Administration (24 questions)

Go deeper on this topic in Microsoft 365 Tenant Administration Field Guide.

An administrator reviews the group-based licensing report and finds several users showing 'Errors and issues' for a license assigned through a security group. One specific error states the user cannot be assigned the license because of a conflicting service plan. What is the FIRST step the administrator should take to resolve this?

Correct answer: C. Open the Microsoft 365 admin center, navigate to Billing then Licenses, select the affected product, view the group's error details, identify the conflicting service plan, and resolve the dependency or conflict for the affected users.

When group-based licensing encounters a conflicting service plan error, the resolution path is: navigate to Billing, then Licenses in the Microsoft 365 admin center, select the affected product license, locate the group, view users in error state, and review the specific error type. A conflicting service plan error means two service plans from different licenses cannot be simultaneously enabled for the same user. The administrator must identify and resolve the conflict - for example by removing one conflicting service plan from the assignment - then reprocess the affected users.

Why the other options are wrong:

  • A. Service plan conflicts are a configuration issue within the tenant that the administrator controls. Microsoft support cannot automatically reconcile these; the admin must identify and resolve conflicting plan assignments.
  • B. The Exchange admin center does not control which service plans within a Microsoft 365 license are assigned to users. License and service plan management flows through the Microsoft 365 admin center.
  • D. Deleting and recreating the group removes all licensing assignments temporarily and does not fix the underlying service plan conflict. It would also cause service interruptions for users who had valid licenses.

Memory hook: Billing, then Licenses, then the group - read the error, fix the conflict. The error is always on the USER object, not the group.

Microsoft Learn: https://learn.microsoft.com/entra/fundamentals/licensing-groups-resolve-problems

An administrator assigns the User Administrator role to a scoped admin for an administrative unit (AU) that contains a security group. The group itself is added as a member of the AU. A new employee joins and is added to that group. Can the scoped admin reset that new employee's password?

Correct answer: B. No, because adding a group to an AU brings only the group object into scope, not the group's individual members. The user must also be added directly as an AU member.

A critical AU scoping rule: adding a group to an administrative unit places the GROUP OBJECT in scope, but NOT the group's individual members. A User Administrator scoped to the AU can manage the group's name and membership, but cannot reset passwords or manage user properties of individual group members unless those users are also added directly to the administrative unit as members.

Why the other options are wrong:

  • A. The Groups Administrator role would allow managing group properties, but the core issue here is about user management scope, not group management. The absence of direct user membership in the AU is what blocks the action.
  • C. User Administrator can reset passwords for users within their scope. The issue is scope, not role capability. User Administrator is explicitly listed as a role that can be scoped to administrative units.
  • D. This is the most common misconception about administrative units. Group membership does NOT flow through to AU membership automatically. Users must be explicitly added to the AU for the scoped admin to manage them.

Memory hook: Group in AU = manage the box, not the contents. To manage the people inside, put the PEOPLE in the AU directly.

Microsoft Learn: https://learn.microsoft.com/entra/identity/role-based-access-control/administrative-units#groups

A tenant-wide sign-in problem prevents all your admins from signing in to the Microsoft 365 admin center, so you can't open the Service health page. What is the recommended way to check whether Microsoft is aware of a broad outage?

Correct answer: B. Check the unauthenticated Microsoft 365 service status page at status.cloud.microsoft.

When the admin portals themselves are unreachable, Microsoft publishes status on the unauthenticated Service health status page at status.cloud.microsoft, which doesn't require signing in - exactly for the 'can't sign in' scenario.

Why the other options are wrong:

  • A. Contacting a user doesn't confirm whether Microsoft has acknowledged a service incident.
  • C. The Entra admin center also requires a successful sign-in, which is failing here.
  • D. The weekly digest covers planned change notices and arrives on a schedule, not real-time outage confirmation.

Memory hook: Locked out? status.cloud.microsoft needs no login.

Microsoft Learn: https://learn.microsoft.com/microsoft-365/enterprise/view-service-health?view=o365-worldwide

An analyst used Threat Explorer's Take action wizard to propose a soft-delete on a cluster of malicious emails, selecting 'Create new' (two-step approval). Where in the Microsoft Defender portal does an authorized admin go to approve or reject that pending remediation and review its history?

Correct answer: D. The Action center (Actions & submissions, then Action center)

Manual remediations proposed with two-step approval, along with pending automated investigation and response (AIR) actions, are approved or rejected in the unified Action center (Actions & submissions, then Action center) on the Pending tab. After approval, they move to the History tab, which shows remediation actions for the past 30 days.

Why the other options are wrong:

  • A. The Submissions page is for reporting suspected spam, phish, URLs, and files to Microsoft, not for approving remediation actions.
  • B. The Incidents queue is for triaging and investigating incidents and their alerts, not for approving pending remediation actions.
  • C. The Campaigns view in Threat Explorer groups related malicious email into campaigns for analysis; it does not host the pending-approval queue for remediation actions.

Memory hook: Two-step approval = one analyst proposes, another approves - both happen in the Action center (Pending tab, then History tab).

Microsoft Learn: https://learn.microsoft.com/defender-office-365/remediate-malicious-email-delivered-office-365

You grant a help-desk agent Full Access to 30 shared mailboxes but do NOT want all 30 to auto-load in their Outlook profile. How do you grant Full Access without automapping?

Correct answer: A. Use Add-MailboxPermission with the -AutoMapping $false parameter.

Automapping (which auto-loads the mailbox in Outlook via Autodiscover) is on by default when Full Access is granted. Running Add-MailboxPermission with -AutoMapping $false grants Full Access without auto-loading the mailboxes (assigning Full Access to a mail-enabled security group also avoids automapping).

Why the other options are wrong:

  • B. The EAC delegation page grants Full Access with automapping enabled and exposes no toggle to disable it.
  • C. Send As is a send permission; it doesn't grant the ability to open the mailbox at all.
  • D. -GrantSendOnBehalfTo grants Send on Behalf (a send permission), not Full Access, and doesn't control automapping.

Memory hook: Full Access auto-maps by default; -AutoMapping $false to stop it.

Microsoft Learn: https://learn.microsoft.com/en-us/exchange/recipients-in-exchange-online/manage-permissions-for-recipients

An administrator adds the custom domain contoso.com to Microsoft 365 and starts to enable DKIM signing. On the DKIM tab in the Microsoft Defender portal the domain status shows CnameMissing. To publish DKIM in DNS at the registrar, what records must the administrator create?

Correct answer: A. Two CNAME records (selector1._domainkey and selector2._domainkey), only one of which is active at any given time

When DKIM is enabled for a custom domain, Microsoft 365 generates two key pairs and requires two CNAME records, selector1._domainkey and selector2._domainkey, which point to Microsoft-hosted public keys. Only one selector is active at a time; the second becomes active only after a future key rotation. DKIM uses CNAME records, unlike SPF and DMARC, which are TXT records.

Why the other options are wrong:

  • B. DKIM in Microsoft 365 uses CNAME records that point to Microsoft-managed keys, not a self-hosted TXT public key, and two selectors are required rather than one.
  • C. DKIM records are CNAME, not TXT, and only one selector signs mail at a time rather than both simultaneously.
  • D. The required hostnames are selector1._domainkey and selector2._domainkey (two separate records), not a single _domainkey CNAME.

Memory hook: DKIM = two CNAMEs, one live selector; SPF and DMARC = TXT.

Microsoft Learn: https://learn.microsoft.com/defender-office-365/email-authentication-dkim-configure

A new admin was told to open the Microsoft Purview compliance portal at compliance.microsoft.com to manage DLP and sensitivity labels, but that portal has been retired. Where do these compliance solutions now live, and what happened to the Classification area?

Correct answer: C. They live in the unified Microsoft Purview portal (purview.microsoft.com); Classification was renamed to Classifiers and moved into each solution's left navigation.

Microsoft Learn refers to 'the retired Microsoft Purview compliance portal' and directs admins to the unified Microsoft Purview portal at purview.microsoft.com. Among the relocated features, Learn notes 'Classification is renamed to Classifiers and moved to the left-navigation area for each solution.'

Why the other options are wrong:

  • A. Wrong: DLP and sensitivity-label configuration lives in the Purview portal, not the Defender (security) portal, although DLP alerts can be investigated in Defender.
  • B. Wrong: the Microsoft 365 admin center is not where Purview compliance solutions are configured, and Classification was renamed to Classifiers, not Sensitivity.
  • D. Wrong: the Entra admin center manages identity, not Purview compliance solutions.

Memory hook: compliance.microsoft.com is gone. Go to purview.microsoft.com. Classification is now Classifiers.

Microsoft Learn: https://learn.microsoft.com/purview/purview-portal

A non-IT change-management lead needs to view ONLY the tenant-level and group-level Adoption Score aggregates - no individual reports and no other admin data. Which single role best follows the principle of least privilege?

Correct answer: A. Usage Summary Reports Reader

The Usage Summary Reports Reader role can see only tenant-level aggregates and group-level aggregates in Microsoft 365 usage analytics and Adoption Score. That is the narrowest role that satisfies the requirement.

Why the other options are wrong:

  • B. Global Reader can read almost all admin settings and data across the tenant - far more than needed.
  • C. Reports Reader is broader - it can view full usage reporting data, the reports dashboard, and the adoption content pack in Power BI.
  • D. Global Administrator is maximum privilege and directly violates least privilege for a reporting-only need.

Memory hook: Only aggregates? Usage Summary Reports Reader.

Microsoft Learn: https://learn.microsoft.com/microsoft-365/admin/adoption/privacy

A content designer must be able to build phishing payloads for later Attack simulation training campaigns, but must NOT be able to launch or manage simulations. Which role assignment follows the principle of least privilege?

Correct answer: C. Attack Payload Author

The Attack Payload Author role lets a user create attack payloads that an admin can initiate later, without granting the ability to launch simulations. Attack Simulation Administrator can create and manage all aspects of campaigns (including launching), and Security Administrator is far broader, so both violate least privilege.

Why the other options are wrong:

  • A. Security Administrator is a broad role that can also manage simulations; it violates least privilege for a payload author.
  • B. Attack Simulation Administrator can create and manage all campaigns, including launching simulations, which exceeds the requirement.
  • D. Security Operator (and Security Reader) can only view campaigns; it does not permit authoring payloads.

Memory hook: Payload Author writes the bait; Simulation Administrator pulls the trigger.

Microsoft Learn: https://learn.microsoft.com/defender-office-365/attack-simulation-training-get-started

An analyst opens Activity explorer to investigate a sensitivity-label downgrade a user says happened 45 days ago, but the event does not appear even after widening the date filter. What is the most likely reason?

Correct answer: D. Activity explorer reports on up to 30 days of data, so a 45-day-old event is outside its window.

Microsoft Learn states that 'Activity explorer reports on up to 30 days worth of data.' A 45-day-old event falls outside that window. For older look-back, the analyst should use the audit log search, which has its own, longer retention.

Why the other options are wrong:

  • A. Wrong: Activity explorer automatically ingests unified audit log data; no manual export is needed to populate it.
  • B. Wrong: Global Administrator is not required to use Activity explorer, and a missing role would block the whole view rather than hide a single old event.
  • C. Wrong: Activity explorer does show sensitivity-label activities (applied, changed, and removed), not just Endpoint DLP events.

Memory hook: Activity explorer looks back 30 days. Older than that? Go to the audit log.

Microsoft Learn: https://learn.microsoft.com/purview/data-classification-activity-explorer

A team lead should be able to assign and remove Microsoft 365 licenses for users and edit their usage location, but must not be able to create or delete user accounts or reset passwords. Which single role follows least privilege?

Correct answer: B. License Administrator

License Administrator can assign/remove licenses, edit usage location, and reprocess or assign group-based licenses - but can't create/delete users or reset passwords, which matches the requirement exactly.

Why the other options are wrong:

  • A. User Administrator can assign licenses but also creates/deletes users and resets some passwords - more than allowed.
  • C. Billing Administrator manages purchases, subscriptions, and invoices, not per-user license assignment.
  • D. Global Administrator is far broader than needed and violates least privilege.

Memory hook: Only licenses + usage location, nothing else = License Administrator.

Microsoft Learn: https://learn.microsoft.com/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide

Your organization still manages authentication methods in the legacy multifactor authentication policy and the legacy SSPR Authentication methods policy. Which statement about these legacy policies is accurate?

Correct answer: C. Beginning September 30, 2025, authentication methods can no longer be managed in the legacy MFA and SSPR policies; management should move to the converged Authentication methods policy.

Microsoft announced deprecation of managing authentication methods in the legacy MFA and SSPR policies. Beginning September 30, 2025, methods can no longer be managed in those legacy policies, and organizations should migrate method management to the converged Authentication methods policy (a migration wizard is available to help).

Why the other options are wrong:

  • A. The migration is fully reversible - you can set the migration status back to In Progress at any time.
  • B. Security questions aren't yet manageable in the Authentication methods policy; they remain in the legacy SSPR settings.
  • D. Only the ability to manage methods in the legacy policies is retired; users' registered method data isn't deleted.

Memory hook: Sept 30, 2025: legacy method management retires - converge to the Authentication methods policy.

Microsoft Learn: https://learn.microsoft.com/entra/identity/authentication/concept-authentication-methods-manage

A custom quarantine policy that grants Full access (including the release permission) is assigned to the high confidence phishing verdict in an anti-spam policy. A user opens a message that was quarantined as high confidence phishing and tries to release it. What happens?

Correct answer: A. The user can only request release; an admin must approve it, regardless of the Full access permission granted by the policy.

As part of secure by default, recipients can never release their own messages quarantined as high confidence phishing by anti-spam policies (also malware by anti-malware policies, or malware/phishing by Safe Attachments), regardless of how the quarantine policy is configured. If the policy allows releasing, users can only request release, which requires admin approval.

Why the other options are wrong:

  • B. Because the policy grants the release permission, the user is offered Request release, not merely Preview.
  • C. There is no release-then-rescan-then-requarantine loop; the self-release action is simply unavailable.
  • D. The Full access release permission is overridden for high confidence phishing; self-release is never allowed for that verdict.

Memory hook: High confidence phishing / malware / Safe Attachments quarantine = request-only for users, forever. Secure by default trumps Full access.

Microsoft Learn: https://learn.microsoft.com/defender-office-365/quarantine-policies

Following a divestiture, an administrator tries to remove the custom domain fabrikam.com from the Microsoft 365 tenant, but the removal fails with an error. Which set of conditions must be true before Microsoft 365 will allow the domain to be removed?

Correct answer: A. No users, shared or resource mailboxes, contacts, Microsoft 365 groups, distribution lists, or teams can still use the domain; it must not be the default domain; and no admin accounts can be signing in with it.

Microsoft's remove-a-domain documentation lists the preconditions: the domain must not be the default domain; no users, shared mailboxes, resource mailboxes, or contacts may use it; no Microsoft 365 groups, distribution lists, or teams may use it; and it must not be used for sign-in by any admin account. Every remaining reference blocks removal. Once cleared, removal can take as little as five minutes for a lightly referenced domain, or up to a day when many references existed. When a domain is removed, affected accounts revert to the .onmicrosoft.com fallback address as their primary SMTP/UPN. For tenants with hundreds or thousands of users, Learn recommends moving users with PowerShell (Update-MgUser) rather than the UI, because a single missed account blocks the removal.

Why the other options are wrong:

  • B. Standard domain removal does not automatically rename remaining accounts; existing references cause the removal to fail with an error identifying what is still attached. The administrator must move users, groups, and mailboxes off the domain first.
  • C. No support ticket or mailbox archiving is required for routine domain removal. The administrator clears the references and removes the domain directly from Settings, then Domains.
  • D. Registrar-side DNS and domain registration are independent of Microsoft 365's directory. The blockers are references inside the tenant - users, groups, mailboxes, defaults, and admin sign-ins - not external DNS records.

Memory hook: A domain leaves only when nothing still wears it: no users, no groups, no mailboxes, not default, no admin sign-ins - then UPNs fall back to onmicrosoft.com.

Microsoft Learn: https://learn.microsoft.com/microsoft-365/admin/get-help-with-domains/remove-a-domain

Legal needs a 20-GB, currently unlicensed shared mailbox placed on Litigation Hold. What is required to do this?

Correct answer: C. Assign the shared mailbox an Exchange Online Plan 2 license (or Exchange Online Plan 1 plus an Exchange Online Archiving add-on).

A shared mailbox needs no license for basic storage up to 50 GB, but placing it on Litigation Hold requires an Exchange Online Plan 2 license, or an Exchange Online Plan 1 license with the Exchange Online Archiving add-on.

Why the other options are wrong:

  • A. Mailbox size (50 GB is the unlicensed cap) is unrelated to the license needed for Litigation Hold.
  • B. Business Basic isn't the qualifying SKU; Litigation Hold specifically requires EXO Plan 2 (or Plan 1 + EOA).
  • D. Litigation Hold is a licensed capability; an unlicensed shared mailbox can't be placed on hold.

Memory hook: Unlicensed shared mailbox = storage only; hold/archive needs Plan 2 (or Plan 1 + EOA).

Microsoft Learn: https://learn.microsoft.com/en-us/microsoft-365/admin/email/about-shared-mailboxes

A user belongs to two Microsoft Entra groups. Group one is targeted by the Cloud Policy configuration 'Sales-Baseline' (priority 3), which sets an Office security setting to Disabled. Group two is targeted by 'Security-Strict' (priority 1), which sets the same setting to Enabled. A domain Group Policy Object on the user's Windows PC also configures the same setting with a third value. Which value applies when the user opens Excel?

Correct answer: A. The 'Security-Strict' value, because in a conflict the highest-priority Cloud Policy configuration wins - lower numbers are higher priority, with 0 the highest assignable - and Cloud Policy settings take precedence over Group Policy.

Two precedence rules from the Cloud Policy documentation resolve this. First, when a user is in multiple Microsoft Entra groups with conflicting policy settings, priority determines which setting applies: the highest priority wins, and 0 is the highest priority you can assign - so 'Security-Strict' at priority 1 beats 'Sales-Baseline' at priority 3. Priorities are managed with Reorder priority on the Policy configurations page. Second, policy settings implemented through Cloud Policy take precedence over settings implemented by Group Policy on Windows Server, and over preference or locally applied settings - so the GPO's value loses regardless. The user gets the 'Security-Strict' Enabled value.

Why the other options are wrong:

  • B. Learn states the opposite: Cloud Policy settings take precedence over policy settings implemented by using Group Policy on Windows Server. The cloud-delivered value wins on this device.
  • C. Priority ordering runs the other way - lower numbers outrank higher ones, with 0 as the highest assignable priority. Priority 1 defeats priority 3.
  • D. Cloud Policy does not error out on conflicts; conflict resolution by priority is the designed behavior, and the winning configuration's setting is applied silently.

Memory hook: Cloud Policy conflicts: think golf - lowest priority number wins (0 is best) - and the cloud outranks the GPO.

Microsoft Learn: https://learn.microsoft.com/microsoft-365-apps/admin-center/overview-cloud-policy

An admin has added contoso.com in the Microsoft 365 admin center and must prove the organization owns the domain before it can be used. An external registrar hosts the DNS. Which DNS record does Microsoft 365 have the admin create to verify ownership?

Correct answer: B. A TXT record at the domain root with a value like MS=ms########.

Domain ownership is verified by adding the TXT record Microsoft supplies (value MS=ms########) at the root/@. This TXT method is the default and doesn't affect mail flow; once verified you add the service records (MX, CNAME, etc.).

Why the other options are wrong:

  • A. The autodiscover CNAME is a service record for Outlook auto-configuration, not domain-ownership verification.
  • C. That MX record routes mail after setup; it isn't the verification record you add to prove ownership.
  • D. The _sipfederationtls SRV record supports Teams/Skype federation, not ownership verification.

Memory hook: Prove you own it with a TXT that says MS=ms...

Microsoft Learn: https://learn.microsoft.com/microsoft-365/admin/get-help-with-domains/information-for-dns-records?view=o365-worldwide

An enterprise plans a Microsoft 365 multitenant organization (MTO) to unify collaboration across several of its Microsoft Entra tenants. What is the supported maximum number of active tenants (including the owner tenant), and which license is required?

Correct answer: C. 100 tenants; Microsoft Entra ID P1.

A multitenant organization supports a maximum of 100 active tenants, including the owner tenant. It requires Microsoft Entra ID P1 (one P1 per employee per MTO, and at least one P1 per tenant). To exceed 100 tenants you must submit a support request.

Why the other options are wrong:

  • A. The limit is 100 (not 5) and the requirement is P1 (not P2).
  • B. It is not unlimited (a 100-tenant cap applies) and Free is insufficient - P1 is required.
  • D. The cap is 100, not 50, and the requirement is Entra ID P1, not Microsoft 365 E5.

Memory hook: MTO: 100 tenants max, P1 per person.

Microsoft Learn: https://learn.microsoft.com/entra/identity/multi-tenant-organizations/multi-tenant-organization-overview

A Microsoft Defender for Office 365 Plan 1 admin wants to investigate email from three weeks ago and then use the Take action wizard to soft-delete malicious messages that were already delivered. They can view detections but cannot perform post-delivery remediation. Why?

Correct answer: D. Real-time detections (Plan 1) shows detections at the time of delivery only; post-delivery hunting and the Take action remediation wizard require Threat Explorer in Plan 2

Real-time detections (Plan 1) surfaces detections at the time of delivery only and lacks the Take action remediation wizard. Threat Explorer (Plan 2) adds post-delivery views and remediation actions such as soft delete and hard delete, which also require the Search and Purge role.

Why the other options are wrong:

  • A. Both tools support querying up to 30 days of data, so retention is not the blocker.
  • B. Global Reader is read-only and would not grant remediation; the gating factor here is Plan 1 versus Plan 2 (remediation also needs the Search and Purge role).
  • C. ZAP is not the reason remediation is unavailable; Plan 1 simply lacks the Take action wizard.

Memory hook: Plan 1 sees it at delivery; Plan 2 (Threat Explorer) hunts post-delivery and can Take action.

Microsoft Learn: https://learn.microsoft.com/defender-office-365/threat-explorer-real-time-detections-about

A messaging specialist must manage Exchange Online mail flow (transport) rules, mailbox settings, and Microsoft 365 group mail settings, but must not manage SharePoint, Teams, or user accounts. A colleague who holds only the Teams Administrator role finds they cannot edit transport rules at all. Following least privilege, which single role best fits the messaging specialist?

Correct answer: A. Exchange Administrator

The Exchange Administrator role maps to the Organization Management role group in Exchange Online, granting full management of mail flow (transport) rules, mailbox settings, and group mail settings, without SharePoint, Teams, or user rights. Service-admin roles are siloed - a Teams Administrator maps to no Exchange Online role group, which is why they cannot edit transport rules.

Why the other options are wrong:

  • B. Global Administrator is far broader than needed and violates least privilege.
  • C. Teams Administrator grants no Exchange Online permissions, which is exactly why the colleague cannot edit transport rules.
  • D. Exchange Recipient Administrator maps to Recipient Management - it manages recipients such as mailboxes and groups, but not organization-level mail flow/transport rules, so it cannot fully meet the requirement.

Memory hook: Mail flow rules need Exchange Administrator (Organization Management); Recipient Admin stops at mailboxes, Teams Admin has zero Exchange rights.

Microsoft Learn: https://learn.microsoft.com/exchange/permissions-exo/permissions-exo

Group A and Group B are both assigned the same Microsoft 365 E5 license through group-based licensing. You must move a user from Group A to Group B with no interruption to their licensed services. What is the correct order of operations?

Correct answer: C. Add the user to Group B, confirm the license shows as applied on the user's Licenses page, then remove them from Group A.

Microsoft's documented method is to add the user to the destination group first, confirm the inherited license has applied, and only then remove them from the source group. Removing from the source first leaves the user unlicensed until group-based licensing finishes processing the new assignment - a gap that can be longer in large tenants.

Why the other options are wrong:

  • A. Adding a direct license introduces unnecessary churn and isn't the documented no-interruption method.
  • B. Even in one operation, the source removal can momentarily deprovision before the destination assignment processes; sequence and confirmation matter.
  • D. Removing first creates a deliberate licensing gap while deprovisioning/reprocessing runs - the exact interruption you're trying to avoid.

Memory hook: Add, confirm, remove - land the new license before dropping the old group.

Microsoft Learn: https://learn.microsoft.com/microsoft-365/admin/manage/manage-group-licenses

A vendor engineer needs to view Service health, open and manage service requests (support tickets), and read and share Message center posts - but must not be able to reset passwords or change any other settings. Following least privilege, which single role should you assign?

Correct answer: B. Service Support Administrator

The Service Support Administrator role is scoped exactly to opening and managing service requests, viewing and sharing Message center posts, and monitoring Service health, without password-reset or configuration rights - the least-privileged fit for this task.

Why the other options are wrong:

  • A. Helpdesk Administrator's defining capability is resetting passwords and forcing sign-out, which the requirement forbids, and it does not grant Message center post sharing.
  • C. Reports Reader only sees usage and activity reports; it cannot manage service requests or view Service health.
  • D. Global Reader is read-only across the tenant and cannot create or manage service requests.

Memory hook: Support tickets + Message center + service health, nothing else = Service Support Admin.

Microsoft Learn: https://learn.microsoft.com/microsoft-365/admin/add-users/about-admin-roles

An administrator must stop group owners from adding any NEW guests to Microsoft 365 Groups, while ensuring guests already in existing groups keep their current access. In the Microsoft 365 admin center, at Settings, then Org settings, then Services, then Microsoft 365 Groups, which configuration achieves this?

Correct answer: A. Turn off 'Let group owners add people outside the organization to groups,' and leave 'Let people outside the organization access group content' on.

The Microsoft 365 Groups service exposes two guest toggles: AllowToAddGuests ('Let group owners add people outside the organization to groups') and AllowGuestsToAccessGroups ('Let people outside the organization access group content'). Turning off AllowToAddGuests blocks adding new guests, while leaving AllowGuestsToAccessGroups on lets existing guests keep accessing group content.

Why the other options are wrong:

  • B. Turning off both settings also removes existing guests' access to group content, which the requirement forbids.
  • C. Deleting guest accounts is unnecessary and destroys existing access; the two toggles satisfy the requirement.
  • D. This reverses the toggles - it would cut existing guests' access while still allowing owners to add new guests.

Memory hook: Two Groups guest switches: 'add guests' (stop new) vs 'access content' (keep existing). Flip only the first.

Microsoft Learn: https://learn.microsoft.com/microsoft-365/admin/create-groups/manage-guest-access-in-groups

A security analyst must create and modify Microsoft Defender for Office 365 anti-phishing, anti-spam, and Safe Links/Safe Attachments policies in the Defender portal. You want to grant this through a single Microsoft Entra role using least privilege. Which role is appropriate?

Correct answer: C. Security Administrator.

Microsoft Learn's 'before you begin' guidance for anti-phishing, anti-spam, and Safe Links policies lists the Security Administrator Entra role as granting add/modify/delete rights for these threat policies. The same guidance explicitly steers admins away from Global Administrator in favor of least privilege, which is exactly the trade this question tests.

Why the other options are wrong:

  • A. Wrong: Global Administrator can do this, but it is a highly privileged role Microsoft recommends limiting to emergency scenarios; that is not least privilege.
  • B. Wrong: Exchange Administrator doesn't grant management of Defender for Office 365 threat policies; that needs Security Administrator (or Organization Management in the Email & collaboration/Exchange RBAC).
  • D. Wrong: Security Reader provides read-only access to these policies; it cannot create or modify them.

Memory hook: Manage Defender for Office 365 threat policies (least privilege) = Security Administrator.

Microsoft Learn: https://learn.microsoft.com/defender-office-365/anti-phishing-policies-mdo-configure#what-do-you-need-to-know-before-you-begin

Microsoft 365 Identity Synchronization (15 questions)

Go deeper on this topic in Microsoft 365 Identity Synchronization Field Guide.

You configure a Conditional Access policy that requires multifactor authentication for all users accessing SharePoint Online, and you set the policy's Enable state to Report-only. In the Sign-in logs, a user who signed in from an unmanaged browser using only a password shows the policy result 'Report-only: User action required.' What does this result indicate?

Correct answer: B. All policy conditions were satisfied, but because report-only mode never prompts for interactive controls such as MFA, success or failure could not be determined.

In report-only mode, the platform evaluates every configured condition but never enforces interactive grant controls. Because MFA is interactive and the user is never actually prompted, Microsoft Entra cannot know whether the user would have passed, so it logs 'Report-only: User action required' rather than Success or Failure.

Why the other options are wrong:

  • A. An excluded user (a condition not satisfied) logs 'Report-only: Not applied,' not 'User action required.'
  • C. Report-only mode never blocks or interrupts a sign-in; no control is enforced against the user.
  • D. A non-interactive compliance check that failed would log 'Report-only: Failure,' and this policy required MFA, not device compliance.

Memory hook: Report-only plus an interactive control (MFA or Terms of Use) equals 'User action required' - it can't peek behind a prompt it never shows.

Microsoft Learn: https://learn.microsoft.com/entra/identity/conditional-access/concept-conditional-access-report-only

A Microsoft Entra Connect Sync administrator needs to install the tool. The server that will run Connect Sync has a read-only domain controller (RODC) as its only accessible domain controller. What should the administrator know about this configuration?

Correct answer: D. Microsoft Entra Connect Sync does not support RODCs; the domain controller it uses must be writable.

Microsoft's prerequisites documentation for Microsoft Entra Connect explicitly states that the domain controller used by Microsoft Entra ID must be writable, and that using a read-only domain controller (RODC) is not supported. Microsoft Entra Connect does not follow write redirects from an RODC to a writable DC. The administrator must ensure Connect Sync can reach a writable domain controller.

Why the other options are wrong:

  • A. RODCs are a sound security practice for branch offices, but Microsoft Entra Connect Sync cannot use them. Reducing attack surface does not override the writable domain controller requirement.
  • B. FSMO roles on an RODC do not make it writable in the context of Microsoft Entra Connect. The RODC restriction is absolute - no FSMO role combination enables it.
  • C. Microsoft Entra Connect does not promote domain controllers. Domain controller promotion is an AD DS administrative operation separate from synchronization.

Memory hook: Connect Sync needs a writable DC. RODC = read-only = not supported. Period.

Microsoft Learn: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-install-prerequisites

A company is undergoing an acquisition. The acquired company has an Active Directory forest that is completely disconnected from the parent company's forest, with no forest trust or network connectivity between them. The parent company wants to synchronize users from both forests into a single Microsoft Entra tenant as quickly as possible. Which synchronization approach supports this scenario natively?

Correct answer: A. Microsoft Entra Cloud Sync with provisioning agents deployed in each forest

Microsoft Entra Cloud Sync natively supports synchronization from multiple disconnected Active Directory forests to a single Microsoft Entra tenant without requiring forest consolidation or trust relationships. Lightweight provisioning agents are deployed in each forest independently, and the cloud-based provisioning service orchestrates the synchronization. This is an explicitly stated advantage of Cloud Sync over Connect Sync, which requires forest trusts or separate complex configurations for disconnected forests.

Why the other options are wrong:

  • B. Custom Metaverse join rules in Connect Sync require connectivity between forests; they cannot bridge completely disconnected forests with no network path.
  • C. Staging mode is a high-availability pattern for a single Connect Sync deployment; it does not address multi-forest disconnected scenarios.
  • D. Microsoft Entra Connect Sync does not natively support disconnected forests syncing to a single tenant; the feature comparison table confirms this as a Cloud Sync-only capability.

Memory hook: Disconnected forests + single tenant = Cloud Sync's home turf. Its agents are independent per forest.

Microsoft Learn: https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/what-is-cloud-sync

Before you deploy a Conditional Access Sign-in frequency policy that forces reauthentication every 8 hours, Microsoft documentation recommends first disabling a legacy tenant setting that can otherwise cause users to be prompted unexpectedly. Which setting should you disable?

Correct answer: C. Remember multifactor authentication on a trusted device

'Remember multifactor authentication on trusted devices' is the legacy setting that collides with Sign-in frequency. Microsoft's Conditional Access session-lifetime guidance says to disable it before deploying a Sign-in frequency policy, because running both at once can prompt users at unexpected intervals.

Why the other options are wrong:

  • A. Persistent browser session is a separate session control and does not need to be disabled to use Sign-in frequency.
  • B. Security defaults cannot be enabled when any Conditional Access policy exists, so it is unrelated to this specific reauthentication conflict.
  • D. The 'Stay signed in?' branding prompt is overridden by a persistent browser policy; it is not the setting that conflicts with Sign-in frequency.

Memory hook: Sign-in frequency and 'Remember MFA' fight - turn off Remember-MFA before you turn on Sign-in frequency.

Microsoft Learn: https://learn.microsoft.com/entra/identity/conditional-access/concept-session-lifetime

An auditor discovers that a user whose on-premises Active Directory password expired three weeks ago can still sign in to Microsoft 365 using that expired password. The environment uses Microsoft Entra Connect Sync with password hash synchronization. Why is this happening, and what is the supported way to change the behavior?

Correct answer: A. By default, users in scope of password hash synchronization have their cloud password set to never expire, so an on-premises-expired password keeps working in the cloud until it is changed on-premises; enabling the CloudPasswordPolicyForPasswordSyncedUsersEnabled feature makes Microsoft Entra ID enforce its password expiration policy for synced users.

Microsoft's PHS documentation states that if a user is in scope of password hash synchronization, the cloud password is set to Never Expire by default - Connect stamps DisablePasswordExpiration into the user's PasswordPolicies attribute every time a hash syncs. The user can continue signing in to cloud services with a password that has expired on-premises, until they change it on-premises and the new hash synchronizes. To enforce expiration in the cloud, the tenant enables the CloudPasswordPolicyForPasswordSyncedUsersEnabled feature via Microsoft Graph PowerShell (Update-MgDirectoryOnPremiseSynchronization); Microsoft recommends enabling it before the initial hash sync so DisablePasswordExpiration is never stamped in the first place.

Why the other options are wrong:

  • B. The scenario is explained entirely by the default cloud-side DisablePasswordExpiration behavior for synced users; it occurs regardless of whether the on-premises PasswordNeverExpires flag is set.
  • C. Nothing is malfunctioning - this is the documented default design of PHS. Reinstalling Connect changes nothing about the cloud-side password policy behavior.
  • D. This is not a token-caching artifact. The user can perform fresh interactive password sign-ins with the on-premises-expired password because Microsoft Entra ID treats the synced password as non-expiring by default.

Memory hook: PHS default: cloud password never expires. Expired in AD still works in the cloud until CloudPasswordPolicyForPasswordSyncedUsersEnabled says otherwise.

Microsoft Learn: https://learn.microsoft.com/entra/identity/hybrid/connect/how-to-connect-password-hash-synchronization

Before deploying Microsoft Entra Connect Sync, an administrator wants to identify duplicate UPN values, formatting problems, and missing required attributes in the on-premises Active Directory that would prevent successful synchronization. Which tool should the administrator use?

Correct answer: B. IdFix DirSync Error Remediation Tool

IdFix is the purpose-built tool for scanning an on-premises Active Directory before enabling synchronization. It identifies errors such as duplicate values, formatting problems, and missing attributes (such as blank displayName) that would cause synchronization failures. Microsoft's prerequisites documentation specifically recommends running IdFix before synchronizing to Microsoft Entra ID.

Why the other options are wrong:

  • A. Microsoft Entra Connect Health monitors an already-running synchronization deployment; it does not scan on-premises AD before sync is configured.
  • C. Active Directory Administrative Center is an on-premises management console for AD objects but does not perform automated multi-attribute scanning for sync compatibility.
  • D. Set-MgUser is a Microsoft Graph PowerShell command for modifying cloud user objects in Microsoft Entra ID, not for scanning on-premises AD for sync readiness.

Memory hook: IdFix finds the ID problems in AD before sync starts. Fix, then sync.

Microsoft Learn: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-install-prerequisites

A Microsoft Entra Cloud Sync configuration is scoped to the OU=Sales organizational unit. To test a new attribute-mapping expression, the administrator runs Provision on demand against a user located in OU=Contractors, which is outside the configured scope. The test completes with four green check marks. What should the administrator conclude?

Correct answer: D. On-demand provisioning deliberately does not apply scoping filters to the selected user, so the successful result validates the attribute mapping and matching logic - but it does not mean this user will be synchronized by the regular sync cycle.

Microsoft's Cloud Sync on-demand provisioning documentation carries an explicit callout: when you use on-demand provisioning, the scoping filters are not applied to the user that you selected, and you can use on-demand provisioning on users who are outside the organizational units you specified. This is by design - it lets you validate attribute transformations and matching against any object without first moving it into scope. The trade-off is that a green on-demand result is not proof the user will flow in the normal scheduled cycle if the user remains out of scope.

Why the other options are wrong:

  • A. The four stages (import the user, determine scope, match between source and target, perform action) show real per-object processing including the attribute values that would be written - far more than a connectivity check.
  • B. On-demand provisioning never modifies the scoping configuration or the object's OU; it only processes the one object you specified through the pipeline.
  • C. Nothing is misconfigured. The bypass is documented behavior, and the regular sync cycle still honors the OU scoping filter, so the contractor OU will not start synchronizing.

Memory hook: Provision on demand ignores scoping filters on purpose - green checks prove your mappings work, not that the user is in scope.

Microsoft Learn: https://learn.microsoft.com/entra/identity/hybrid/cloud-sync/how-to-on-demand-provision

You need a dynamic membership group that contains only the devices whose owner belongs to the Sales department. You try to author a device rule that references the device owner's department attribute, but it won't work. Why?

Correct answer: D. Dynamic device group rules can reference only device attributes; they can't be based on the user attributes of the device owner.

A dynamic membership rule for devices can evaluate only device attributes. You can't build a device membership group based on the user attributes (such as department) of the device's owner. To achieve this you would instead target device attributes, or use a different mechanism to relate users and devices.

Why the other options are wrong:

  • A. Microsoft 365 groups can contain only users, so device membership uses security groups, not Microsoft 365 groups.
  • B. The rule builder supports up to five expressions, not three, and this limit isn't why owner attributes fail.
  • C. Dynamic membership groups require Entra ID P1 per member user, not P2, and licensing isn't the cause.

Memory hook: Device rules see device attributes only - never the owner's user attributes.

Microsoft Learn: https://learn.microsoft.com/entra/identity/users/groups-dynamic-membership

A financial services company is selecting a sign-in method for its Microsoft Entra hybrid identity deployment. Security requirements state that on-premises user account states, password policies, and sign-in hours must be enforced immediately at the moment of every cloud sign-in, and that password validation must never occur in the cloud. The company wants to avoid deploying a federation server farm. Which sign-in method meets all of these requirements?

Correct answer: A. Pass-through authentication

Microsoft's authentication-method decision guide states that companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours should use pass-through authentication. PTA validates the password in real time against on-premises domain controllers through lightweight authentication agents, so the password is never validated or stored in the cloud, and it honors account locked out, account expired, password expired, and sign-in hours states at each sign-in - all without the perimeter-network federation farm that AD FS requires.

Why the other options are wrong:

  • B. AD FS federation does enforce on-premises policies at sign-in time, but it requires federation servers plus Web Application Proxy servers in the perimeter network - exactly the infrastructure the company wants to avoid, when PTA meets the requirement with far less footprint.
  • C. Seamless SSO is not an authentication method at all; it is a Kerberos-based convenience add-on that works alongside PHS or PTA to reduce credential prompts on domain-joined machines.
  • D. PHS authenticates in the cloud against a synchronized hash derivative, so on-premises states are not enforced in real time - the comparison table shows PHS supports only disabled accounts, with up to a 30-minute delay, and does not enforce sign-in hours.

Memory hook: Need on-prem account states, password policy, and sign-in hours enforced at every sign-in without an AD FS farm? That sentence IS the PTA use case.

Microsoft Learn: https://learn.microsoft.com/entra/identity/hybrid/connect/choose-ad-authn

Microsoft Entra Connect Health raises a 'Health service data is not up to date' alert for the Sync service. What does this alert indicate, and at what point does it trigger an email notification to configured recipients?

Correct answer: B. The Health Service has not received any data types from the Sync agent for more than two hours; an Error status alert triggers email notifications to configured recipients.

The 'Health service data is not up to date' alert is generated when the Microsoft Entra Connect Health Service has not received complete data from an agent for the past two hours. There are two severity levels: a Warning status fires when only partial data types were received in the past two hours (no email), and an Error status fires when NO data types at all were received in the past two hours. Only the Error status alert triggers email notifications to configured recipients.

Why the other options are wrong:

  • A. Version freshness and the data freshness alert are separate concerns. The email notification is tied to the Error-level data freshness condition, not version age.
  • C. Password sync latency has its own monitoring. The data freshness alert is about the Health agent's telemetry stream, not sync schedule lag. Email threshold is 2 hours with no data, not 5 minutes.
  • D. Completing a sync cycle is normal and healthy. The alert fires on the absence of data, not on the presence of a completed sync.

Memory hook: 2 hours of partial data = Warning (no email). 2 hours of zero data = Error (email sent). Partial silence warns; total silence emails.

Microsoft Learn: https://learn.microsoft.com/entra/identity/hybrid/connect/how-to-connect-health-data-freshness

A manufacturing company has two hard requirements for its hybrid identity sign-in design: users must be able to sign in with the sAMAccountName format (DOMAIN\username) instead of a UPN, and the company's contract mandates an existing third-party multifactor authentication product that requires a federated identity provider. Which authentication method satisfies both requirements?

Correct answer: C. Federation with AD FS

Microsoft's decision guide lists the advanced scenarios that require a federated authentication solution because Microsoft Entra ID does not support them natively: third-party multifactor providers requiring a federated identity provider, authentication via third-party solutions, and sign-in that requires sAMAccountName (DOMAIN\username) instead of a UPN. The comparison table confirms sAMAccountName + password is a supported sign-in type only under federation with AD FS, and third-party MFA appears only in the AD FS column.

Why the other options are wrong:

  • A. PHS supports UPN + password and alternate login ID sign-ins, but not the DOMAIN\username format, and it cannot integrate an MFA provider that requires a federated identity provider.
  • B. PTA has the same sign-in format limitation as PHS - UPN or alternate login ID, not sAMAccountName - and likewise cannot host a federation-dependent third-party MFA product in its pipeline.
  • D. Conditional Access custom controls do not add sAMAccountName sign-in support, and they are not a substitute for an MFA product that explicitly requires a federated identity provider.

Memory hook: DOMAIN\username sign-in or third-party MFA that demands a federated IdP - both are AD FS-only tickets; PHS and PTA speak UPN.

Microsoft Learn: https://learn.microsoft.com/entra/identity/hybrid/connect/choose-ad-authn

An organization's Microsoft Entra Connect Health report shows an error category of 'Duplicate Attribute' for several users. What type of problem do these errors represent?

Correct answer: D. Microsoft Entra Connect Sync attempts to create or update objects with duplicated values for attributes that must be unique in the tenant, such as proxyAddresses or UserPrincipalName.

'Duplicate Attribute' means Connect Sync tried to create or update an object with a value that must be unique in the tenant - specifically proxyAddresses or UserPrincipalName - and another object already holds it. The trap is reading this as an on-premises AD problem; the uniqueness is enforced in Microsoft Entra ID. These are the most common source of sync errors: catch them with IdFix before sync begins, or diagnose them in Connect Health's object-level synchronization error report once sync is running.

Why the other options are wrong:

  • A. Duplicate objectGUID is an AD internal issue but is not what the 'Duplicate Attribute' category in Connect Health refers to. Connect Health focuses on cloud-attribute conflicts like proxyAddresses and UPN.
  • B. Blank displayName is a 'Blank' error in the IdFix tool, categorized separately. It falls under data validation, not duplicate attribute conflicts.
  • C. Schema version mismatch is a prerequisite/installation issue, not a runtime duplicate attribute error category in Connect Health.

Memory hook: Duplicate Attribute = two users with the same UPN or email address in the tenant. IdFix catches these before they sync.

Microsoft Learn: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-health-sync

A new employee's Active Directory account was just created, and the employee needs to sign in to Microsoft 365 for a meeting that starts in ten minutes. The organization runs Microsoft Entra Connect Sync with the default built-in scheduler. What should the administrator do to get the account into Microsoft Entra ID as quickly as possible?

Correct answer: C. Run Start-ADSyncSyncCycle -PolicyType Delta on the Connect Sync server to trigger an immediate delta sync cycle.

The built-in Connect Sync scheduler runs a delta sync cycle every 30 minutes by default. Microsoft's scheduler documentation states that when you have an urgent change that must be synchronized immediately, you manually run a cycle with Start-ADSyncSyncCycle -PolicyType Delta. A delta cycle performs delta import, delta sync, and export on all connectors - picking up the newly created user and exporting it to Microsoft Entra ID within minutes.

Why the other options are wrong:

  • A. Restarting the ADSync service does not trigger a synchronization cycle; it just restarts the engine and can even interfere with an in-progress cycle. The supported on-demand trigger is the Start-ADSyncSyncCycle cmdlet.
  • B. PolicyType Initial runs a full import and full sync on every connector, which Microsoft warns can be very time consuming on large directories. It is reserved for configuration changes (filter or rule changes), not for pushing one new object quickly.
  • D. The default scheduler interval is 30 minutes, not 24 hours - but even 30 minutes may be too long here, which is why the manual delta cycle exists.

Memory hook: Urgent change? Start-ADSyncSyncCycle -PolicyType Delta. The scheduler's default is 30 minutes; Initial is the heavyweight full pass for config changes.

Microsoft Learn: https://learn.microsoft.com/entra/identity/hybrid/connect/how-to-connect-sync-feature-scheduler

Contoso's on-premises Active Directory forest uses the DNS suffix contoso.local, and every user's UPN ends in @contoso.local. The company owns and has verified contoso.com in its Microsoft Entra tenant. If the administrator enables Microsoft Entra Connect Sync without any preparation, what happens to the users' cloud UPNs, and what is the recommended remediation?

Correct answer: A. The users are synchronized with UPNs ending in @contoso.onmicrosoft.com; the administrator should register contoso.com as an alternative UPN suffix in Active Directory Domains and Trusts and update the users' UPN suffixes before synchronizing.

A nonroutable suffix such as .local can never be verified in Microsoft Entra ID, so any UPN carrying it is synchronized to the tenant's fallback domain: billa@contoso.local lands as billa@contoso.onmicrosoft.com. No sync error is thrown; the rewrite is silent. Microsoft's documented fix is to add the verified routable domain (contoso.com) as an alternative UPN suffix on the UPN Suffixes tab in Active Directory Domains and Trusts, then update each user's UPN suffix (via ADUC for a few users or Get-ADUser/Set-ADUser in PowerShell for bulk changes) before synchronizing.

Why the other options are wrong:

  • B. The wizard warns about unverifiable suffixes on the sign-in configuration page but does not block installation; you can proceed and users will land on the fallback domain.
  • C. Synchronization does not fail - the objects sync successfully with the .onmicrosoft.com fallback suffix, which is exactly why the problem is easy to miss. Renaming the AD forest is an extreme, unnecessary measure; adding an alternative UPN suffix solves it.
  • D. A .local domain is not internet-routable, so no public TXT record can ever be published for it. Microsoft Entra ID cannot verify a nonroutable domain under any circumstances.

Memory hook: .local can't be verified, so Connect silently ships users to .onmicrosoft.com - add a routable alternative UPN suffix in AD Domains and Trusts BEFORE the first sync.

Microsoft Learn: https://learn.microsoft.com/microsoft-365/enterprise/prepare-a-non-routable-domain-for-directory-synchronization

In a tenant where Duplicate Attribute Resiliency is enabled (the default), Microsoft Entra Connect Sync provisions a new user whose on-premises UPN duplicates the UPN of an already-synced user. The export succeeds, the object is created in Microsoft Entra ID, and Connect Health shows no recurring sync error - yet the help desk reports the new user cannot sign in with the corporate UPN. What happened?

Correct answer: A. Microsoft Entra ID quarantined the conflicting UPN and provisioned the user with a placeholder UPN in the format <OriginalPrefix>+<4DigitNumber>@<InitialTenantDomain>.onmicrosoft.com, recording the conflict in the DirSyncProvisioningErrors attribute; the error notification fires only once at quarantine time, and an hourly background task restores the real UPN automatically once the on-premises duplicate is resolved.

Duplicate Attribute Resiliency changes the failure mode for UPN and SMTP proxyAddress conflicts: instead of blocking the export, Microsoft Entra ID quarantines the conflicting value. Because UPN is required for provisioning, the service assigns a placeholder in the documented format <OriginalPrefix>+<4DigitNumber>@<InitialTenantDomain>.onmicrosoft.com and stores the conflict in the multi-valued DirSyncProvisioningErrors attribute. The export succeeds, so the sync client logs no error and does not retry, and the conflict appears in the error report email only once - at quarantine time. A background timer task runs every hour and automatically removes attributes from quarantine once the duplicate is resolved on-premises. The user exists, may even be licensed, but signs in only with the placeholder UPN - which is why zero sync errors plus a wrong-looking UPN means checking DirSyncProvisioningErrors (Get-EntraDirectoryObjectOnPremisesProvisioningError).

Why the other options are wrong:

  • B. The cloud-side pipeline never writes back or renames anything in on-premises Active Directory; the on-premises UPN still holds the duplicate value until an administrator fixes it.
  • C. A UPN is required for provisioning, so the object is never created without one; the service substitutes the placeholder onmicrosoft.com value instead.
  • D. That describes the pre-resiliency blocking behavior. With resiliency enabled, the export succeeds and there is no per-cycle retry or recurring error - which is exactly why the problem is easy to miss.

Memory hook: Resiliency absorbs UPN conflicts: user lands with prefix+4digits@tenant.onmicrosoft.com, the real UPN sits in DirSyncProvisioningErrors, and an hourly task restores it once you fix AD.

Microsoft Learn: https://learn.microsoft.com/entra/identity/hybrid/connect/how-to-connect-syncservice-duplicate-attribute-resiliency

Implement and manage Microsoft Entra identity and access (6 questions)

You want a recurring access review that automatically removes external guest accounts when reviewers deny them or when no one responds, and that fully deletes the guest's B2B account 30 days later. Which combination of access review settings achieves this?

Correct answer: C. Enable Auto apply results to resource, set 'If reviewers don't respond' to Remove access, and set the action on denied guest users to 'Block from signing in for 30 days then remove user from the tenant.'

To automate stale-guest cleanup you enable Auto apply results to resource, set non-responders to Remove access, and set the denied-guest action to 'Block from signing in for 30 days then remove user from the tenant.' This immediately blocks the guest's sign-in and then deletes the B2B account after 30 days.

Why the other options are wrong:

  • A. Self-review with removal only for non-responders misses denied guests and never deletes the account.
  • B. Manual apply with manual deletion is not automated and does not satisfy the requirement.
  • D. 'No change' for non-responders plus group-only removal neither removes non-responders nor deletes the B2B account.

Memory hook: Auto-apply plus Remove-on-no-response plus Block-30-days-then-delete equals hands-free guest cleanup.

Microsoft Learn: https://learn.microsoft.com/entra/id-governance/manage-guest-access-with-access-reviews

In the legacy multifactor authentication service settings, you configure the 'Trusted IPs' feature so that sign-ins from your corporate network bypass MFA prompts. Which statement about this legacy trusted IPs feature is correct?

Correct answer: C. It accepts only public IPv4 address ranges for cloud-based MFA, supports up to 50 ranges, and requires Microsoft Entra ID P1.

The legacy MFA trusted IPs feature accepts only IPv4 ranges (public ranges for cloud MFA; private ranges only with MFA Server), allows up to 50 IP ranges, and requires Microsoft Entra ID P1. Microsoft recommends named locations instead, largely because they add IPv6 support.

Why the other options are wrong:

  • A. IPv6 is supported only through named locations, not the legacy trusted IPs feature, which also caps at 50 ranges.
  • B. Named locations are the recommended method, and continuous access evaluation has no insight into MFA trusted IPs.
  • D. Trusted IP bypass works only from inside the corporate network, not from arbitrary public internet addresses.

Memory hook: Legacy MFA Trusted IPs: IPv4 only, 50 ranges, needs P1, corporate network only.

Microsoft Learn: https://learn.microsoft.com/entra/identity/authentication/howto-mfa-mfasettings

You are creating IP-based named locations for Conditional Access. Which of the following configurations is NOT allowed by Microsoft Entra named location limits?

Correct answer: B. Creating a 196th IP-based named location in the same tenant.

IP-based named locations are limited to no more than 195 named locations per tenant, no more than 2,000 IP ranges per named location, and CIDR masks greater than /8. A 196th named location exceeds the 195-location cap.

Why the other options are wrong:

  • A. Marking an IP-based location as trusted is a supported option.
  • C. 1,500 ranges is under the 2,000-ranges-per-location limit, so it is allowed.
  • D. IPv6 ranges are supported and must be entered in CIDR notation, so this is allowed.

Memory hook: Named locations: 195 max, 2,000 ranges each, CIDR mask bigger than /8.

Microsoft Learn: https://learn.microsoft.com/entra/identity/conditional-access/concept-assignment-network

An employee wants to access Microsoft 365 email and apps from a personal iPhone. You want the device to receive a Microsoft Entra device identity so Conditional Access can evaluate it, but the organization will not take full ownership or management of the personal device. Which device identity option fits this bring-your-own-device scenario?

Correct answer: A. Microsoft Entra registered

Microsoft Entra registration is designed for personal (BYOD) and mobile devices. It gives the device a Microsoft Entra device identity usable by Conditional Access while the user keeps ownership, without the organization joining the device.

Why the other options are wrong:

  • B. Traditional AD domain join is on-premises only and does not by itself create a Microsoft Entra device identity.
  • C. Hybrid joined is for organization-owned devices that are also joined to on-premises Active Directory.
  • D. Entra joined is for organization-owned devices that are cloud-only, not personal BYOD phones.

Memory hook: Registered = 'my personal device gets an ID'; Joined = 'the company owns the device.'

Microsoft Learn: https://learn.microsoft.com/entra/identity/devices/overview

A junior administrator needs to turn on security defaults in the Microsoft Entra admin center under Entra ID, then Overview, then Properties, then Manage security defaults. Following least privilege, what is the minimum role that can configure the security defaults setting?

Correct answer: D. Conditional Access Administrator

Microsoft documents that you must be assigned at least the Conditional Access Administrator role to configure security defaults. Although Global Administrator can also do it, Conditional Access Administrator is the least-privileged option.

Why the other options are wrong:

  • A. Authentication Administrator manages users' authentication methods, not the security defaults setting.
  • B. Global Administrator can configure it but violates least privilege because a lesser role is sufficient.
  • C. Security Administrator manages many security features but is not the role documented to toggle security defaults.

Memory hook: Security defaults toggle wants a Conditional Access Administrator, not a Global Admin - it is the CA world's on/off switch.

Microsoft Learn: https://learn.microsoft.com/entra/fundamentals/security-defaults

A user's per-user MFA state is set to 'Enabled,' but the user has never registered any authentication methods. What happens the next time the user signs in using modern authentication in a web browser?

Correct answer: D. The user is prompted to register for MFA, and after completing registration their state automatically changes to Enforced.

In the Enabled state, a user with no registered methods is prompted to register the next time they sign in with modern authentication. Completing registration automatically promotes the user from Enabled to Enforced.

Why the other options are wrong:

  • A. The user is prompted to register, not blocked; blocking is not how the Enabled state behaves.
  • B. In the Enabled state, legacy authentication still works; app passwords are only required in the Enforced state.
  • C. Failing to register does not downgrade a user to Disabled; Disabled is an administrator-set state.

Memory hook: Per-user MFA: Enabled prompts you to register; finishing registration bumps you up to Enforced.

Microsoft Learn: https://learn.microsoft.com/entra/identity/authentication/howto-mfa-userstates

Manage security and threat services by using Microsoft Defender XDR (15 questions)

After tagging your CEO and CFO as priority accounts, you want them to receive the differentiated protection with executive-tuned heuristics that priority account protection provides. What is required for this differentiated protection to apply?

Correct answer: C. Microsoft Defender for Office 365 Plan 2, where priority account protection is on by default.

Priority account protection - the differentiated, executive-tuned heuristics - is a Defender for Office 365 Plan 2 capability and is turned on by default. The tag alone isn't enough without Plan 2.

Why the other options are wrong:

  • A. The tag provides reporting visibility in Plan 1/Plan 2, but the differentiated heuristics need Plan 2; EOP alone doesn't provide them.
  • B. Plan 1 provides priority-account visibility in reporting but not the differentiated protection heuristics.
  • D. The 5,000-license threshold applies to priority-account email monitoring in Exchange Online, not to priority account protection.

Memory hook: Differentiated priority protection = Plan 2, on by default.

Microsoft Learn: https://learn.microsoft.com/defender-office-365/priority-accounts-turn-on-priority-account-protection

The group 'Contoso Executives' is included in both the Strict preset security policy and a custom anti-spam policy that you set to priority 0 (the highest custom priority). A bulk email arrives for a member of that group. Which policy's anti-spam settings are actually applied?

Correct answer: B. The Strict preset security policy

Preset security policies always take precedence over custom and default policies. The order of precedence is Strict preset, then Standard preset, then custom policies (by priority), then the Built-in protection preset and default policies. So the Strict preset settings win regardless of the custom policy's priority value.

Why the other options are wrong:

  • A. Policy settings are never merged - only the first applicable policy of that type applies to the recipient.
  • C. The default policy has the lowest precedence and is not a fallback used to resolve conflicts.
  • D. Priority ordering only breaks ties among custom policies; presets are always evaluated before all custom policies.

Memory hook: Strict beats Standard beats custom beats default - presets always jump the line.

Microsoft Learn: https://learn.microsoft.com/defender-office-365/preset-security-policies

Legitimate mail from a business partner is landing in quarantine. The partner sends through a third-party service, so the Authentication-Results header shows spf=pass and dkim=pass for the service's own domain, but dmarc=fail (no alignment with the From-header domain) and compauth=fail. Spoof intelligence is flagging the sender as spoofed. What is the recommended remediation to reliably allow the partner's mail?

Correct answer: D. Create a spoof allow entry for the partner in the Tenant Allow/Block List (Spoofed senders).

The targeted fix for a spoof-intelligence false positive is a spoof allow entry for the spoofed-user/sending-infrastructure domain pair on the Spoofed senders tab of the Tenant Allow/Block List (New-TenantAllowBlockListSpoofItems). The trap is the passing SPF and DKIM: they authenticate the third-party service's own domain, not the partner's From-header domain, so DMARC fails on alignment, composite authentication fails (compauth=fail), and spoof intelligence flags the mail as spoofed. Spoofed-sender allow entries account for intra-org, cross-org, and DMARC spoofing, and they never expire.

Why the other options are wrong:

  • A. Turning off spoof intelligence for the whole organization removes anti-spoofing protection for every sender - far too broad and never the recommended, targeted remediation.
  • B. The Allowed senders list in the anti-spam policy is explicitly discouraged (high spoofing risk) and does not bypass high confidence phishing; it is not the recommended fix for a spoof-intelligence false positive.
  • C. A mail flow rule that sets SCL -1 bypasses spam filtering only; it does not reliably override spoof/high-confidence-phishing verdicts and is a broad, risky override.

Memory hook: Spoof false positive (compauth=fail)? The fix lives on the Spoofed senders tab of the Tenant Allow/Block List, never the anti-spam Allowed senders list.

Microsoft Learn: https://learn.microsoft.com/defender-office-365/tenant-allow-block-list-email-spoof-configure#create-allow-entries-for-spoofed-senders

Your organization wants to protect 420 named executives and VIPs from user (sender) impersonation using a single anti-phishing policy in Microsoft Defender for Office 365. When you try to add all of them to user impersonation protection, you cannot. What is the limitation and the correct remedy?

Correct answer: B. A single anti-phishing policy supports a maximum of 350 users for user impersonation protection; split the users across additional anti-phishing policies.

Each anti-phishing policy in Defender for Office 365 supports a maximum of 350 users for user impersonation protection. To protect more than 350 named users, distribute them across multiple anti-phishing policies (accounting for the order of precedence between those policies).

Why the other options are wrong:

  • A. The 50 limit applies to custom domains for domain impersonation, not user impersonation, and user impersonation is not unlimited.
  • C. 60 is not the limit, and mailbox intelligence is a separate detection mechanism, not a workaround for the protected-user cap.
  • D. 1,024 is the limit for trusted sender/domain exceptions, which is unrelated to the number of protected impersonation users.

Memory hook: 350 protected users per policy - a VIP list overflow needs a second anti-phishing policy.

Microsoft Learn: https://learn.microsoft.com/defender-office-365/anti-phishing-policies-mdo-configure

In Exchange Online PowerShell, which cmdlet searches message trace data across the last 90 days, returns at most 10 days of data per query, and returns only the last 48 hours if run with no parameters?

Correct answer: A. Get-MessageTraceV2

Get-MessageTraceV2 is the current cmdlet for interactive message trace: it searches up to 90 days of data, limits each query to a 10-day window, and defaults to the last 48 hours when run without parameters.

Why the other options are wrong:

  • B. Start-HistoricalSearch queues a new asynchronous historical search (results delivered as a downloadable report), not the interactive 48-hour/10-day query.
  • C. Get-MessageTrace is the older cmdlet being retired in favor of Get-MessageTraceV2.
  • D. Get-HistoricalSearch only lists/returns existing historical searches submitted within the last 10 days; it doesn't run a new 90-day trace.

Memory hook: V2 is the new trace: 90-day window, 10-day bites, 48-hour default.

Microsoft Learn: https://learn.microsoft.com/en-us/exchange/monitoring/trace-an-email-message/message-trace-faq

A user reports that an internal SharePoint URL your team added to the 'Do not rewrite the following URLs' list in a custom Safe Links policy is still blocked when the user clicks it inside a Microsoft Teams chat. Clicking the same URL in an Outlook email works fine. What is the most likely reason?

Correct answer: B. Microsoft Teams and Office web apps don't recognize the 'Do not rewrite the following URLs' list, so the URL can still be blocked at time of click; a universal allow requires the Tenant Allow/Block List.

The 'Do not rewrite the following URLs' list is honored during mail flow for email, but Microsoft Teams and Office web apps don't recognize the list and can still block the URL at time of click based on Safe Links scanning results. A truly universal allow (everywhere) requires an allow entry in the Tenant Allow/Block List.

Why the other options are wrong:

  • A. Trusted senders in anti-phishing policies are impersonation-protection exceptions and have no effect on Safe Links URL handling.
  • C. Safe Links for Teams performs time-of-click checks and explicitly does NOT rewrite URLs.
  • D. Built-in protection is always lowest precedence; any custom Safe Links policy already takes precedence over it, so precedence is not the cause.

Memory hook: Teams and web apps ignore the do-not-rewrite list - only the Tenant Allow/Block List is universal.

Microsoft Learn: https://learn.microsoft.com/defender-office-365/safe-links-about

All inbound internet mail must first pass through a third-party cloud filtering service before reaching Exchange Online. To REJECT any internet message that skips the service and hits EXO directly, the admin wants EXO to accept mail for the org's domains only when it presents the service's TLS certificate. Which connector configuration enforces this?

Correct answer: B. A Partner inbound connector with RestrictDomainsToCertificate set to $true.

The RestrictDomainsToCertificate (and RestrictDomainsToIPAddresses) parameters are honored only on Partner-type inbound connectors. A Partner inbound connector that restricts to the service's certificate rejects mail for your domains that doesn't arrive through the certified source.

Why the other options are wrong:

  • A. Outbound connectors and TlsSettings govern how EXO SENDS mail, not how it restricts inbound acceptance.
  • C. RouteAllMessagesViaOnPremises on an outbound connector controls egress routing, not inbound rejection of non-certified mail.
  • D. On an OnPremises connector the RestrictDomainsToCertificate/IP parameters are ignored - they apply only to Partner connectors.

Memory hook: Restrict-to-cert/IP only bites on a Partner INBOUND connector.

Microsoft Learn: https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/manage-mail-flow-using-third-party-cloud

A mail flow rule should act on messages sent to any member of the Executives distribution group. The admin configured the condition 'The recipient is this person' and selected the Executives group, but the rule never matches. What is the correct configuration?

Correct answer: D. Use 'The recipient is a member of this group' (SentToMemberOf) and select Executives.

The 'is this person' predicate (SentTo) matches individual mailboxes, mail users, or contacts - it does not match distribution groups. To target members of a group, use 'is a member of this group' (SentToMemberOf).

Why the other options are wrong:

  • A. The domain includes-match would hit every recipient in that domain, not just Executives members, and isn't the group-membership predicate.
  • B. Group type isn't the issue; SentTo won't match a dynamic group either. The fix is the SentToMemberOf predicate.
  • C. Listing the group twice changes nothing; 'is this person' still won't expand a distribution group.

Memory hook: SentTo = individuals only; SentToMemberOf = group members.

Microsoft Learn: https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/test-mail-flow-rules

In the Microsoft Defender portal (security.microsoft.com), under which top-level section do you find Threat Explorer / Real-time detections, Threat policies (Safe Links, Safe Attachments, anti-phishing), and email quarantine?

Correct answer: C. Email & collaboration

Email and collaboration security features (Threat Explorer/Real-time detections, Threat policies under Policies & rules, quarantine, and submissions) are located under the Email & collaboration section of the unified Microsoft Defender portal.

Why the other options are wrong:

  • A. Assets shows the device and identity inventory, not email policies or Threat Explorer.
  • B. Endpoints hosts Microsoft Defender for Endpoint device and vulnerability features, not email threat policies.
  • D. Investigation & response contains Incidents & alerts, Advanced hunting, and the Action center - not the email threat policies.

Memory hook: Email threats and threat policies live under Email & collaboration.

Microsoft Learn: https://learn.microsoft.com/unified-secops/defender-xdr-portal

Recipients at the partner domain fabrikam.com can't see Outlook voting buttons or rich-text formatting sent by your Exchange Online users. You must ensure messages to fabrikam.com preserve this content. Which action resolves it?

Correct answer: A. Create or modify a remote domain for fabrikam.com with TNEFEnabled set to $true.

Transport Neutral Encapsulation Format (TNEF) preserves Rich Text formatting and Outlook-specific features such as voting buttons. Setting TNEFEnabled to $true on a remote domain for fabrikam.com keeps that content intact when messages are sent to that destination.

Why the other options are wrong:

  • B. CharacterSet controls MIME text encoding, not TNEF-encapsulated Rich Text or voting buttons.
  • C. fabrikam.com is an external (remote) domain, not an accepted domain; TNEF is a remote-domain property, so there's no TNEF setting on an accepted domain.
  • D. AllowedOOFType governs which out-of-office reply type is sent to the domain, unrelated to TNEF content.

Memory hook: Voting buttons and RTF survive only with TNEF enabled on the REMOTE domain.

Microsoft Learn: https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/remote-domains/remote-domains

To meet a regulatory requirement, an admin creates a journal rule in Exchange Online and sets the journaling mailbox to a licensed Exchange Online user mailbox. Journal reports never arrive. Why?

Correct answer: B. Exchange Online can't deliver journal reports to an Exchange Online mailbox; the journaling mailbox must be an on-premises archiving system or a third-party archiving service.

Exchange Online doesn't support delivering journal reports to an Exchange Online mailbox (this also applies to the alternate journaling mailbox). The journaling mailbox must be an on-premises archiving system or a third-party archiving service.

Why the other options are wrong:

  • A. Litigation Hold is a separate in-place retention feature; it isn't a prerequisite for a journaling target.
  • C. Roles like Quarantine Administrator are unrelated to journal report delivery.
  • D. Journal rules work in cloud-only tenants too; the constraint is only that the journaling target can't be an EXO mailbox.

Memory hook: Journaling exports OUT: never to an Exchange Online mailbox - on-prem or third-party only.

Microsoft Learn: https://learn.microsoft.com/en-us/exchange/security-and-compliance/journaling/configure-journaling

You use custom threat policies and want to audit how their settings have changed over time and see whether each change raised or lowered your overall security posture. Which tab of the Configuration analyzer provides this?

Correct answer: A. Configuration drift analysis and history

The Configuration analyzer has three tabs: Standard recommendations, Strict recommendations, and Configuration drift analysis and history. The Configuration drift analysis and history tab audits and tracks threat-policy changes over a selected timeframe and shows whether each change increased or decreased your posture.

Why the other options are wrong:

  • B. The Strict recommendations tab compares settings to the Strict baseline; it also does not provide historical change tracking.
  • C. The Standard recommendations tab compares current settings to the Standard baseline and lets you apply fixes, but it does not show change history.
  • D. 'Recommended actions' is a tab in Microsoft Secure Score, not in the Configuration analyzer.

Memory hook: Drift and history tab = the audit trail of threat-policy changes.

Microsoft Learn: https://learn.microsoft.com/defender-office-365/configuration-analyzer-for-security-policies

A non-Microsoft spam filter sits in front of Microsoft 365. Spoof intelligence and SPF checks are inaccurate because Microsoft 365 evaluates the filter's IP as the message source instead of the true originating server. Which feature restores the real source IP for filtering, and where is it configured?

Correct answer: C. Enable Enhanced Filtering for Connectors (skip listing) on the inbound connector, under Threat policies, then Rules, then Enhanced filtering.

Enhanced Filtering for Connectors (also called skip listing) skips the intermediary hop's IP so Microsoft 365 evaluates the true source IP, improving spoof intelligence, SPF/DMARC, and post-breach accuracy. It's configured on the inbound connector at security.microsoft.com/skiplisting.

Why the other options are wrong:

  • A. DBEB rejects mail to invalid recipients at the edge; it does nothing to recover the original source IP.
  • B. An IP Allow entry sets SCL = -1 for that hop's IP; it doesn't reveal the true originating source and can pass spoofed mail.
  • D. SCL = -1 bypasses spam scanning entirely, which worsens accuracy rather than fixing source identification.

Memory hook: Skip listing = Enhanced Filtering: skip the last hop, see the real sender.

Microsoft Learn: https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors

You are enabling Safe Documents and must ensure that if Safe Documents identifies a file as malicious, users cannot click through and leave Protected View to open it. Where do you configure Safe Documents, and how should the click-through option be set?

Correct answer: A. On the Safe Attachments page, under Global settings: turn on 'Turn on Safe Documents for Office clients' and leave 'Allow people to click through Protected View even if Safe Documents identified the file as malicious' turned off.

Safe Documents is a global setting on the Safe Attachments page under Global settings. You turn on 'Turn on Safe Documents for Office clients' and leave 'Allow people to click through Protected View...' off (AllowSafeDocsOpen $false), which is the default and recommended state.

Why the other options are wrong:

  • B. Safe Documents isn't configured in individual Safe Attachments policies; it's a global setting.
  • C. That is a Safe Links setting for URLs, unrelated to Safe Documents and Protected View.
  • D. Safe Documents isn't part of anti-malware policy or the common attachments filter.

Memory hook: Safe Documents = Safe Attachments Global settings; keep 'click through' OFF.

Microsoft Learn: https://learn.microsoft.com/defender-office-365/safe-documents-in-e5-plus-security-about

When you assign users to the Standard preset security policy in Microsoft Defender for Office 365, which advanced phishing email threshold is applied to those users?

Correct answer: D. 3 - More aggressive

The Standard preset security policy applies phishing email threshold 3 - More aggressive, while the Strict preset applies 4 - Most aggressive. These threshold values are locked and cannot be changed within the preset security policies.

Why the other options are wrong:

  • A. 2 - Aggressive is a valid threshold value but is not used by either the Standard or Strict preset.
  • B. 1 - Standard is the default value in a newly created custom anti-phishing policy, not in the Standard preset.
  • C. 4 - Most aggressive is applied by the Strict preset, not the Standard preset.

Memory hook: Standard preset = threshold 3; Strict preset = threshold 4.

Microsoft Learn: https://learn.microsoft.com/defender-office-365/recommended-settings-for-eop-and-office365

Manage compliance by using Microsoft Purview (15 questions)

You create a Microsoft Purview Insider Risk Management policy from the 'Data theft by departing users' template to catch employees exfiltrating data around their exit, but the policy is not scoring any users. Which triggering event does this template require?

Correct answer: D. A resignation or termination date imported by a Microsoft 365 HR connector, or the built-in 'User account deleted from Microsoft Entra' trigger.

Microsoft Learn's policy-template table lists the 'Data theft by departing users' triggering event as a 'Resignation or termination date indicator from HR connector or Microsoft Entra account deletion.' The HR connector is optional if you instead select the 'User account deleted from Microsoft Entra' trigger. Without a triggering event, in-scope users aren't scored.

Why the other options are wrong:

  • A. Wrong: Communication Compliance disgruntlement signals feed the '...by risky users' templates, not the departing-users template.
  • B. Wrong: Defender for Endpoint is the prerequisite for the Security policy violations templates, not the departing-users template.
  • C. Wrong: a High-severity DLP policy is the triggering prerequisite for the Data leaks template, not Data theft by departing users.

Memory hook: Departing users fire on an EXIT signal: HR resignation/termination date OR Entra account deletion.

Microsoft Learn: https://learn.microsoft.com/purview/insider-risk-management-policy-templates#policy-template-prerequisites-and-triggering-events

During a data-spillage incident, an eDiscovery Manager finds 8 phishing emails per mailbox that must be permanently removed. They run New-ComplianceSearchAction with -Purge and get an error that a parameter matching 'Purge' can't be found. What is the cause, and what is the least-privilege fix?

Correct answer: A. The eDiscovery Manager role group doesn't include the Search And Purge role; add the account to a role group that has it (for example, Organization Management in Purview) to run the purge.

Searching is granted by the eDiscovery Manager role group (Compliance Search), but deleting/purging items requires the Search And Purge role, which is NOT in the eDiscovery Manager role group. Search And Purge is assigned by default to the Organization Management (Purview) role group and to Data Investigator. Without it, New-ComplianceSearchAction -Purge fails with 'a parameter can't be found that matches parameter name Purge'. The 8-item purge is within the 10-items-per-location limit.

Why the other options are wrong:

  • B. Wrong: eDiscovery Administrator grants cross-case access but still doesn't include the Search And Purge role, so it wouldn't resolve the -Purge error.
  • C. Wrong: Purge is an RBAC (Search And Purge role) matter, not an Audit (Premium) licensing matter.
  • D. Wrong: Global Admin isn't required; assigning the specific Search And Purge role via Organization Management is least privilege.

Memory hook: Search = eDiscovery Manager. PURGE = Search And Purge role (Organization Management), not Manager.

Microsoft Learn: https://learn.microsoft.com/purview/edisc-search-mailbox-data

You create a fingerprint-based sensitive information type from a Word template. Which of the following documents will document fingerprinting successfully detect?

Correct answer: C. A 1 MB .docx that contains all of the original form's text plus the filled-in data

Document fingerprinting matches files that are text-based, not password protected, contain all the text from the original form, and are 4 MB or smaller. A 1 MB .docx that retains all the original form text meets every condition, so it's detected.

Why the other options are wrong:

  • A. Files that contain only images have no extractable text pattern, so they aren't detected.
  • B. Files larger than 4 MB aren't detected, so a 5 MB file fails despite containing the form text.
  • D. Password-protected files are a documented limitation - fingerprinting can't read their contents.

Memory hook: Fingerprint fails on: locked, image-only, missing text, or over 4 MB.

Microsoft Learn: https://learn.microsoft.com/purview/sit-document-fingerprinting#how-document-fingerprinting-works

You are configuring multi-stage disposition review on a retention label in Microsoft Purview records management. What is the maximum number of consecutive disposition review stages you can configure?

Correct answer: A. 5 stages

A retention label supports up to five consecutive disposition review stages. Each stage can have up to 10 reviewers, specified as individual users or mail-enabled security groups (Microsoft 365 Groups aren't supported as reviewers).

Why the other options are wrong:

  • B. 3 is below the supported maximum of 5 stages.
  • C. Stages are capped at five; they aren't unlimited.
  • D. 10 is the maximum number of reviewers per stage, not the number of stages.

Memory hook: Disposition: up to 5 stages, 10 reviewers each.

Microsoft Learn: https://learn.microsoft.com/purview/disposition#disposition-reviews

In Compliance Manager, an improvement action is set to Automatic testing. An admin manually uploads evidence files and sets the test status on that action. What happens to automatic testing for the action?

Correct answer: A. Automatic testing is turned off for that action so Compliance Manager doesn't overwrite the data you added

When you bring your own testing data or evidence into an improvement action, Compliance Manager automatically turns off automatic testing for that action so it doesn't overwrite your data. You can choose to turn automatic testing back on later.

Why the other options are wrong:

  • B. The action stays in the assessment; only its testing type changes to manual.
  • C. Your evidence isn't ignored - it's precisely what causes auto-testing to switch off.
  • D. Compliance Manager won't overwrite your manually entered data; it stops auto-testing instead.

Memory hook: Add your own evidence, and Compliance Manager backs off (auto-testing turns off).

Microsoft Learn: https://learn.microsoft.com/purview/compliance-manager-setup#testing-source-for-automated-testing

A sensitivity label is configured with a footer and a watermark. You add it to a service-side auto-labeling policy for SharePoint. After the policy runs, the label is applied to documents but the footer and watermark are missing. What explains this behavior?

Correct answer: C. Auto-labeling policies don't apply visual markings (headers, footers, watermarks); those are added only when the label is applied by Office apps

When a label configured with visual markings (headers, footers, watermarks) is applied through an auto-labeling policy, those markings aren't applied to the documents. Visual markings are inserted by the Office apps when the label is applied client-side, not by the service-side auto-labeling engine.

Why the other options are wrong:

  • A. Check-out/editing doesn't cause auto-labeling to add markings; the client app adds them when it applies the label.
  • B. Simulation mode doesn't remove markings; markings are simply never applied by auto-labeling in any mode.
  • D. Publishing the label affects who can apply it manually, but auto-labeling still won't insert the visual markings.

Memory hook: Auto-label brings the label and encryption, not the ink (no headers/footers/watermarks).

Microsoft Learn: https://learn.microsoft.com/purview/apply-sensitivity-label-automatically#how-to-configure-auto-labeling-policies-for-sharepoint,-onedrive,-and-exchange

A mailbox is already covered by five separate retention policies and eDiscovery holds. You then add a sixth, query-based eDiscovery hold to that mailbox, expecting non-matching items to be trimmed from the hold. What actually happens to content that doesn't match the query?

Correct answer: A. Because more than five holds of any type apply to the location, the query-based hold doesn't clear non-matching content, so all content is preserved

A query-based hold normally clears content that doesn't match the query every 7 to 14 days. However, if more than five holds of any type apply to a content location, the query-based hold does not clear non-matching content - effectively everything in the location is preserved. Partially indexed and unindexed items are always preserved as well.

Why the other options are wrong:

  • B. There's no five-hold cap that blocks additional holds; the sixth hold applies fine.
  • C. The 7-to-14-day clearing only happens when five or fewer holds apply; with six holds it stops.
  • D. Query-based holds are supported on both mailboxes and SharePoint sites.

Memory hook: More than 5 holds on a location = query-based hold stops trimming; keep everything.

Microsoft Learn: https://learn.microsoft.com/purview/edisc-hold-create#create-a-hold

A compliance lead wants to prioritize the improvement actions that raise the compliance score the most per action. In Compliance Manager's scoring model, which single action type is assigned the highest point value?

Correct answer: B. Preventative and mandatory (27 points).

Compliance Manager scores each improvement action on two axes: mandatory vs discretionary, and preventative/detective/corrective. Preventative + mandatory carries the highest value at 27 points. The full model is: Preventative mandatory 27, Preventative discretionary 9, Detective mandatory 3, Detective discretionary 1, Corrective mandatory 3, Corrective discretionary 1. So preventative/mandatory actions move the score most.

Why the other options are wrong:

  • A. Wrong: Preventative discretionary is worth 9 points, not 15.
  • C. Wrong: Detective mandatory is worth 3 points, not 18, and isn't the highest.
  • D. Wrong: Corrective mandatory is worth 3 points, not 9.

Memory hook: Preventative + mandatory = 27, the max. Preventative-discretionary 9; detective/corrective mandatory 3; discretionary 1.

Microsoft Learn: https://learn.microsoft.com/purview/compliance-manager-scoring

You create an adaptive user scope with the attribute Country or region 'is equal to' Europe. Your users have values such as France, Germany, and Spain in that attribute. After a day, the scope shows zero members. What is the most likely cause?

Correct answer: C. The query matches the literal attribute value, and because it runs only once daily with no validation of what you typed, 'Europe' never matches the actual country values stored on the accounts

Adaptive scope queries run once daily against Entra ID and match the exact attribute value you specify. Because the query doesn't run immediately, there's no validation that you typed a valid value. 'Europe' is not a value stored in the Country or region attribute (accounts hold specific countries like France), so nothing matches. You'd use grouped country values or an advanced OPATH query instead.

Why the other options are wrong:

  • A. Adaptive user scopes read Entra ID attributes (name, department, country, custom attributes, etc.); SharePoint properties apply only to the SharePoint sites scope type.
  • B. There is no Start-AdaptiveScope cmdlet; you view membership with Get-AdaptiveScopeMembers, and the query runs automatically each day.
  • D. Administrative units are optional; the default Full directory works fine, so a missing admin unit isn't the cause.

Memory hook: Adaptive scopes match literal values, run daily, and never validate your typo.

Microsoft Learn: https://learn.microsoft.com/purview/purview-adaptive-scopes#configure-adaptive-scopes

A contract in SharePoint has a retention label that marks items as a record, configured to unlock records by default, and record versioning is enabled for the tenant. A user needs to edit the contract while keeping the prior version preserved as a record. Which statement correctly describes record versioning behavior?

Correct answer: A. While the record's status is Unlocked the user can edit it; a new version is preserved as a record only when the record is set back to Locked.

With record versioning (SharePoint/OneDrive only), a record's status toggles between Locked and Unlocked. When Unlocked, the record can be edited; a new version is retained as a record only when the record is set back to Locked. This lock/unlock toggle avoids retaining unnecessary versions. Editing is blocked while Locked. Record versioning isn't supported for regulatory records (which block editing) or for Exchange items.

Why the other options are wrong:

  • B. Wrong: A new version is retained only when the record is Locked, not on every save.
  • C. Wrong: You don't remove the label. Record versioning is the built-in mechanism to update a record via unlock/lock without removing the label.
  • D. Wrong: The opposite is true: record versioning is not available for regulatory records (they block editing); it's for standard records in SharePoint/OneDrive.

Memory hook: Unlock to edit, Lock to save a new record version. Locked = immutable, Unlocked = editable.

Microsoft Learn: https://learn.microsoft.com/purview/record-versioning

An organization opens Microsoft Purview Compliance Manager for the first time, having created no assessments yet, and already sees a non-zero compliance score. What is this initial score based on?

Correct answer: D. The default Data Protection Baseline assessment (the Microsoft 365 data protection baseline) that Compliance Manager provides to all organizations.

On first use, Compliance Manager provides an initial score based on the Microsoft 365 data protection baseline, the default Data Protection Baseline assessment available to all organizations. This baseline draws primarily from NIST CSF and ISO, plus FedRAMP and GDPR, and Compliance Manager immediately evaluates your existing Microsoft 365 settings against it. As you add relevant assessments, the score becomes more tailored.

Why the other options are wrong:

  • A. Wrong: The score measures completion of improvement actions, not user or license counts.
  • B. Wrong: Compliance score and Microsoft Secure Score are separate; the initial compliance score is not a Secure Score import.
  • C. Wrong: GDPR is one of several sources feeding the baseline, but a standalone GDPR assessment isn't run automatically; you add it yourself.

Memory hook: First-run compliance score = the Data Protection Baseline (default assessment for everyone).

Microsoft Learn: https://learn.microsoft.com/purview/compliance-manager-setup

Your organization wants to onboard Windows client devices for Endpoint DLP in Microsoft Purview. What is the minimum Windows 10 version supported for Endpoint DLP?

Correct answer: C. Windows 10, version 1809

Endpoint DLP supports Windows 10 version 1809 and later, Windows 11, and Windows Server 2019 and later (x64), plus the three latest released major versions of macOS.

Why the other options are wrong:

  • A. 2004 is supported but isn't the minimum - support starts at 1809.
  • B. 1607 predates Endpoint DLP entirely; support begins at 1809.
  • D. 1709 is below the supported baseline of 1809.

Memory hook: Endpoint DLP on Windows starts at 10-1809.

Microsoft Learn: https://learn.microsoft.com/purview/endpoint-dlp-learn-about#endpoint-dlp-windows-10-11-and-macos-support

Contoso has Microsoft 365 E5 for all users (Audit Premium). An investigator assumes every audit record is retained one year by default and needs Microsoft Teams administrative activity from 8 months ago. Will it be there by default, and why?

Correct answer: B. No: the Premium default 1-year retention covers only Microsoft Entra ID, Exchange, SharePoint, and OneDrive; other workloads such as Teams are retained 180 days by default unless a custom audit log retention policy extends them.

Audit (Premium)'s default audit log retention policy retains records for one year only for the four workloads whose Workload property is AzureActiveDirectory, Exchange, OneDrive, or SharePoint (for appropriately licensed users). Audit records for all other activities/workloads (for example, Teams) are retained 180 days by default. To keep them longer (up to one year, or 10 years with the add-on) you must create a custom audit log retention policy. So 8-month-old Teams records would already be gone by default.

Why the other options are wrong:

  • A. Wrong: 10-year retention requires an add-on license and a custom retention policy; it isn't automatic.
  • C. Wrong: Teams activity is captured in the unified audit log; the limitation is retention duration, not capture.
  • D. Wrong: The 1-year default does not cover all workloads, only Entra ID, Exchange, SharePoint, and OneDrive.

Memory hook: Premium's 1-year default = Entra + Exchange + SharePoint + OneDrive only. Everything else (Teams, etc.) = 180 days unless you write a custom policy.

Microsoft Learn: https://learn.microsoft.com/purview/audit-log-retention-policies#default-audit-log-retention-policy-in-audit-premium

You are preparing seed content to train a custom trainable classifier in Microsoft Purview. What is the minimum number of positive and negative samples required to train the classifier?

Correct answer: D. At least 50 positive samples and at least 150 negative samples

A custom trainable classifier requires at least 50 positive samples (up to 500) and at least 150 negative samples (up to 1,500). Only text-based files count; image files and image-only PDFs aren't supported, and the classifier processes up to the 2,000 most recently created samples.

Why the other options are wrong:

  • A. 500 and 1,500 are the maximums for positive and negative samples, not required exact counts.
  • B. 200 is the recommended total test-sample set (roughly 50 positive + 150 negative), not the required minimum of each type.
  • C. 10/50 is below the required minimums and would not build a reliable prediction model.

Memory hook: 50 in, 150 out - positives 50+, negatives 150+ to train.

Microsoft Learn: https://learn.microsoft.com/purview/trainable-classifiers-get-started-with#prepare-for-a-custom-trainable-classifier

You must prevent users from copying documents that contain sensitive information types to USB drives on managed Windows 11 endpoints, using Microsoft Purview Endpoint DLP. Your tenant is licensed for Microsoft 365 E3. What is the minimum licensing change required?

Correct answer: C. Upgrade to Microsoft 365 E5 (or add Microsoft 365 E5 Compliance / E5 Information Protection & Governance); Endpoint DLP is an E5-tier capability, whereas E3 covers DLP only for Exchange, SharePoint, and OneDrive.

The trap is assuming E3's DLP coverage extends to devices. Microsoft Learn's licensing guidance draws the line clearly: DLP for Exchange, SharePoint, and OneDrive is available at E3, but Endpoint DLP (activity detection/protection for items on Windows and macOS devices) requires Microsoft 365 E5/A5/G5, E5 Compliance, or E5 Information Protection & Governance.

Why the other options are wrong:

  • A. Wrong: E3 includes DLP for Exchange, SharePoint, and OneDrive, but not Endpoint DLP.
  • B. Wrong: Defender for Endpoint helps onboard devices but doesn't license the Endpoint DLP feature, which is an E5 Purview entitlement.
  • D. Wrong: EMS E3 covers identity and mobility management, not Endpoint DLP.

Memory hook: DLP for Exchange/SPO/ODB = E3. Endpoint DLP (devices) = E5.

Microsoft Learn: https://learn.microsoft.com/purview/endpoint-dlp-getting-started