Microsoft 365 Tenant Administration (24 questions)
Go deeper on this topic in Microsoft 365 Tenant Administration Field Guide.
An administrator reviews the group-based licensing report and finds several users showing 'Errors and issues' for a license assigned through a security group. One specific error states the user cannot be assigned the license because of a conflicting service plan. What is the FIRST step the administrator should take to resolve this?
Correct answer: C. Open the Microsoft 365 admin center, navigate to Billing then Licenses, select the affected product, view the group's error details, identify the conflicting service plan, and resolve the dependency or conflict for the affected users.
When group-based licensing encounters a conflicting service plan error, the resolution path is: navigate to Billing, then Licenses in the Microsoft 365 admin center, select the affected product license, locate the group, view users in error state, and review the specific error type. A conflicting service plan error means two service plans from different licenses cannot be simultaneously enabled for the same user. The administrator must identify and resolve the conflict - for example by removing one conflicting service plan from the assignment - then reprocess the affected users.
Why the other options are wrong:
- A. Service plan conflicts are a configuration issue within the tenant that the administrator controls. Microsoft support cannot automatically reconcile these; the admin must identify and resolve conflicting plan assignments.
- B. The Exchange admin center does not control which service plans within a Microsoft 365 license are assigned to users. License and service plan management flows through the Microsoft 365 admin center.
- D. Deleting and recreating the group removes all licensing assignments temporarily and does not fix the underlying service plan conflict. It would also cause service interruptions for users who had valid licenses.
Memory hook: Billing, then Licenses, then the group - read the error, fix the conflict. The error is always on the USER object, not the group.
Microsoft Learn: https://learn.microsoft.com/entra/fundamentals/licensing-groups-resolve-problems
An administrator assigns the User Administrator role to a scoped admin for an administrative unit (AU) that contains a security group. The group itself is added as a member of the AU. A new employee joins and is added to that group. Can the scoped admin reset that new employee's password?
Correct answer: B. No, because adding a group to an AU brings only the group object into scope, not the group's individual members. The user must also be added directly as an AU member.
A critical AU scoping rule: adding a group to an administrative unit places the GROUP OBJECT in scope, but NOT the group's individual members. A User Administrator scoped to the AU can manage the group's name and membership, but cannot reset passwords or manage user properties of individual group members unless those users are also added directly to the administrative unit as members.
Why the other options are wrong:
- A. The Groups Administrator role would allow managing group properties, but the core issue here is about user management scope, not group management. The absence of direct user membership in the AU is what blocks the action.
- C. User Administrator can reset passwords for users within their scope. The issue is scope, not role capability. User Administrator is explicitly listed as a role that can be scoped to administrative units.
- D. This is the most common misconception about administrative units. Group membership does NOT flow through to AU membership automatically. Users must be explicitly added to the AU for the scoped admin to manage them.
Memory hook: Group in AU = manage the box, not the contents. To manage the people inside, put the PEOPLE in the AU directly.
Microsoft Learn: https://learn.microsoft.com/entra/identity/role-based-access-control/administrative-units#groups
A tenant-wide sign-in problem prevents all your admins from signing in to the Microsoft 365 admin center, so you can't open the Service health page. What is the recommended way to check whether Microsoft is aware of a broad outage?
Correct answer: B. Check the unauthenticated Microsoft 365 service status page at status.cloud.microsoft.
When the admin portals themselves are unreachable, Microsoft publishes status on the unauthenticated Service health status page at status.cloud.microsoft, which doesn't require signing in - exactly for the 'can't sign in' scenario.
Why the other options are wrong:
- A. Contacting a user doesn't confirm whether Microsoft has acknowledged a service incident.
- C. The Entra admin center also requires a successful sign-in, which is failing here.
- D. The weekly digest covers planned change notices and arrives on a schedule, not real-time outage confirmation.
Memory hook: Locked out? status.cloud.microsoft needs no login.
Microsoft Learn: https://learn.microsoft.com/microsoft-365/enterprise/view-service-health?view=o365-worldwide
An analyst used Threat Explorer's Take action wizard to propose a soft-delete on a cluster of malicious emails, selecting 'Create new' (two-step approval). Where in the Microsoft Defender portal does an authorized admin go to approve or reject that pending remediation and review its history?
Correct answer: D. The Action center (Actions & submissions, then Action center)
Manual remediations proposed with two-step approval, along with pending automated investigation and response (AIR) actions, are approved or rejected in the unified Action center (Actions & submissions, then Action center) on the Pending tab. After approval, they move to the History tab, which shows remediation actions for the past 30 days.
Why the other options are wrong:
- A. The Submissions page is for reporting suspected spam, phish, URLs, and files to Microsoft, not for approving remediation actions.
- B. The Incidents queue is for triaging and investigating incidents and their alerts, not for approving pending remediation actions.
- C. The Campaigns view in Threat Explorer groups related malicious email into campaigns for analysis; it does not host the pending-approval queue for remediation actions.
Memory hook: Two-step approval = one analyst proposes, another approves - both happen in the Action center (Pending tab, then History tab).
Microsoft Learn: https://learn.microsoft.com/defender-office-365/remediate-malicious-email-delivered-office-365
You grant a help-desk agent Full Access to 30 shared mailboxes but do NOT want all 30 to auto-load in their Outlook profile. How do you grant Full Access without automapping?
Correct answer: A. Use Add-MailboxPermission with the -AutoMapping $false parameter.
Automapping (which auto-loads the mailbox in Outlook via Autodiscover) is on by default when Full Access is granted. Running Add-MailboxPermission with -AutoMapping $false grants Full Access without auto-loading the mailboxes (assigning Full Access to a mail-enabled security group also avoids automapping).
Why the other options are wrong:
- B. The EAC delegation page grants Full Access with automapping enabled and exposes no toggle to disable it.
- C. Send As is a send permission; it doesn't grant the ability to open the mailbox at all.
- D. -GrantSendOnBehalfTo grants Send on Behalf (a send permission), not Full Access, and doesn't control automapping.
Memory hook: Full Access auto-maps by default; -AutoMapping $false to stop it.
Microsoft Learn: https://learn.microsoft.com/en-us/exchange/recipients-in-exchange-online/manage-permissions-for-recipients
An administrator adds the custom domain contoso.com to Microsoft 365 and starts to enable DKIM signing. On the DKIM tab in the Microsoft Defender portal the domain status shows CnameMissing. To publish DKIM in DNS at the registrar, what records must the administrator create?
Correct answer: A. Two CNAME records (selector1._domainkey and selector2._domainkey), only one of which is active at any given time
When DKIM is enabled for a custom domain, Microsoft 365 generates two key pairs and requires two CNAME records, selector1._domainkey and selector2._domainkey, which point to Microsoft-hosted public keys. Only one selector is active at a time; the second becomes active only after a future key rotation. DKIM uses CNAME records, unlike SPF and DMARC, which are TXT records.
Why the other options are wrong:
- B. DKIM in Microsoft 365 uses CNAME records that point to Microsoft-managed keys, not a self-hosted TXT public key, and two selectors are required rather than one.
- C. DKIM records are CNAME, not TXT, and only one selector signs mail at a time rather than both simultaneously.
- D. The required hostnames are selector1._domainkey and selector2._domainkey (two separate records), not a single _domainkey CNAME.
Memory hook: DKIM = two CNAMEs, one live selector; SPF and DMARC = TXT.
Microsoft Learn: https://learn.microsoft.com/defender-office-365/email-authentication-dkim-configure
A new admin was told to open the Microsoft Purview compliance portal at compliance.microsoft.com to manage DLP and sensitivity labels, but that portal has been retired. Where do these compliance solutions now live, and what happened to the Classification area?
Correct answer: C. They live in the unified Microsoft Purview portal (purview.microsoft.com); Classification was renamed to Classifiers and moved into each solution's left navigation.
Microsoft Learn refers to 'the retired Microsoft Purview compliance portal' and directs admins to the unified Microsoft Purview portal at purview.microsoft.com. Among the relocated features, Learn notes 'Classification is renamed to Classifiers and moved to the left-navigation area for each solution.'
Why the other options are wrong:
- A. Wrong: DLP and sensitivity-label configuration lives in the Purview portal, not the Defender (security) portal, although DLP alerts can be investigated in Defender.
- B. Wrong: the Microsoft 365 admin center is not where Purview compliance solutions are configured, and Classification was renamed to Classifiers, not Sensitivity.
- D. Wrong: the Entra admin center manages identity, not Purview compliance solutions.
Memory hook: compliance.microsoft.com is gone. Go to purview.microsoft.com. Classification is now Classifiers.
Microsoft Learn: https://learn.microsoft.com/purview/purview-portal
A non-IT change-management lead needs to view ONLY the tenant-level and group-level Adoption Score aggregates - no individual reports and no other admin data. Which single role best follows the principle of least privilege?
Correct answer: A. Usage Summary Reports Reader
The Usage Summary Reports Reader role can see only tenant-level aggregates and group-level aggregates in Microsoft 365 usage analytics and Adoption Score. That is the narrowest role that satisfies the requirement.
Why the other options are wrong:
- B. Global Reader can read almost all admin settings and data across the tenant - far more than needed.
- C. Reports Reader is broader - it can view full usage reporting data, the reports dashboard, and the adoption content pack in Power BI.
- D. Global Administrator is maximum privilege and directly violates least privilege for a reporting-only need.
Memory hook: Only aggregates? Usage Summary Reports Reader.
Microsoft Learn: https://learn.microsoft.com/microsoft-365/admin/adoption/privacy
A content designer must be able to build phishing payloads for later Attack simulation training campaigns, but must NOT be able to launch or manage simulations. Which role assignment follows the principle of least privilege?
Correct answer: C. Attack Payload Author
The Attack Payload Author role lets a user create attack payloads that an admin can initiate later, without granting the ability to launch simulations. Attack Simulation Administrator can create and manage all aspects of campaigns (including launching), and Security Administrator is far broader, so both violate least privilege.
Why the other options are wrong:
- A. Security Administrator is a broad role that can also manage simulations; it violates least privilege for a payload author.
- B. Attack Simulation Administrator can create and manage all campaigns, including launching simulations, which exceeds the requirement.
- D. Security Operator (and Security Reader) can only view campaigns; it does not permit authoring payloads.
Memory hook: Payload Author writes the bait; Simulation Administrator pulls the trigger.
Microsoft Learn: https://learn.microsoft.com/defender-office-365/attack-simulation-training-get-started
An analyst opens Activity explorer to investigate a sensitivity-label downgrade a user says happened 45 days ago, but the event does not appear even after widening the date filter. What is the most likely reason?
Correct answer: D. Activity explorer reports on up to 30 days of data, so a 45-day-old event is outside its window.
Microsoft Learn states that 'Activity explorer reports on up to 30 days worth of data.' A 45-day-old event falls outside that window. For older look-back, the analyst should use the audit log search, which has its own, longer retention.
Why the other options are wrong:
- A. Wrong: Activity explorer automatically ingests unified audit log data; no manual export is needed to populate it.
- B. Wrong: Global Administrator is not required to use Activity explorer, and a missing role would block the whole view rather than hide a single old event.
- C. Wrong: Activity explorer does show sensitivity-label activities (applied, changed, and removed), not just Endpoint DLP events.
Memory hook: Activity explorer looks back 30 days. Older than that? Go to the audit log.
Microsoft Learn: https://learn.microsoft.com/purview/data-classification-activity-explorer
A team lead should be able to assign and remove Microsoft 365 licenses for users and edit their usage location, but must not be able to create or delete user accounts or reset passwords. Which single role follows least privilege?
Correct answer: B. License Administrator
License Administrator can assign/remove licenses, edit usage location, and reprocess or assign group-based licenses - but can't create/delete users or reset passwords, which matches the requirement exactly.
Why the other options are wrong:
- A. User Administrator can assign licenses but also creates/deletes users and resets some passwords - more than allowed.
- C. Billing Administrator manages purchases, subscriptions, and invoices, not per-user license assignment.
- D. Global Administrator is far broader than needed and violates least privilege.
Memory hook: Only licenses + usage location, nothing else = License Administrator.
Microsoft Learn: https://learn.microsoft.com/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide
Your organization still manages authentication methods in the legacy multifactor authentication policy and the legacy SSPR Authentication methods policy. Which statement about these legacy policies is accurate?
Correct answer: C. Beginning September 30, 2025, authentication methods can no longer be managed in the legacy MFA and SSPR policies; management should move to the converged Authentication methods policy.
Microsoft announced deprecation of managing authentication methods in the legacy MFA and SSPR policies. Beginning September 30, 2025, methods can no longer be managed in those legacy policies, and organizations should migrate method management to the converged Authentication methods policy (a migration wizard is available to help).
Why the other options are wrong:
- A. The migration is fully reversible - you can set the migration status back to In Progress at any time.
- B. Security questions aren't yet manageable in the Authentication methods policy; they remain in the legacy SSPR settings.
- D. Only the ability to manage methods in the legacy policies is retired; users' registered method data isn't deleted.
Memory hook: Sept 30, 2025: legacy method management retires - converge to the Authentication methods policy.
Microsoft Learn: https://learn.microsoft.com/entra/identity/authentication/concept-authentication-methods-manage
A custom quarantine policy that grants Full access (including the release permission) is assigned to the high confidence phishing verdict in an anti-spam policy. A user opens a message that was quarantined as high confidence phishing and tries to release it. What happens?
Correct answer: A. The user can only request release; an admin must approve it, regardless of the Full access permission granted by the policy.
As part of secure by default, recipients can never release their own messages quarantined as high confidence phishing by anti-spam policies (also malware by anti-malware policies, or malware/phishing by Safe Attachments), regardless of how the quarantine policy is configured. If the policy allows releasing, users can only request release, which requires admin approval.
Why the other options are wrong:
- B. Because the policy grants the release permission, the user is offered Request release, not merely Preview.
- C. There is no release-then-rescan-then-requarantine loop; the self-release action is simply unavailable.
- D. The Full access release permission is overridden for high confidence phishing; self-release is never allowed for that verdict.
Memory hook: High confidence phishing / malware / Safe Attachments quarantine = request-only for users, forever. Secure by default trumps Full access.
Microsoft Learn: https://learn.microsoft.com/defender-office-365/quarantine-policies
Following a divestiture, an administrator tries to remove the custom domain fabrikam.com from the Microsoft 365 tenant, but the removal fails with an error. Which set of conditions must be true before Microsoft 365 will allow the domain to be removed?
Correct answer: A. No users, shared or resource mailboxes, contacts, Microsoft 365 groups, distribution lists, or teams can still use the domain; it must not be the default domain; and no admin accounts can be signing in with it.
Microsoft's remove-a-domain documentation lists the preconditions: the domain must not be the default domain; no users, shared mailboxes, resource mailboxes, or contacts may use it; no Microsoft 365 groups, distribution lists, or teams may use it; and it must not be used for sign-in by any admin account. Every remaining reference blocks removal. Once cleared, removal can take as little as five minutes for a lightly referenced domain, or up to a day when many references existed. When a domain is removed, affected accounts revert to the .onmicrosoft.com fallback address as their primary SMTP/UPN. For tenants with hundreds or thousands of users, Learn recommends moving users with PowerShell (Update-MgUser) rather than the UI, because a single missed account blocks the removal.
Why the other options are wrong:
- B. Standard domain removal does not automatically rename remaining accounts; existing references cause the removal to fail with an error identifying what is still attached. The administrator must move users, groups, and mailboxes off the domain first.
- C. No support ticket or mailbox archiving is required for routine domain removal. The administrator clears the references and removes the domain directly from Settings, then Domains.
- D. Registrar-side DNS and domain registration are independent of Microsoft 365's directory. The blockers are references inside the tenant - users, groups, mailboxes, defaults, and admin sign-ins - not external DNS records.
Memory hook: A domain leaves only when nothing still wears it: no users, no groups, no mailboxes, not default, no admin sign-ins - then UPNs fall back to onmicrosoft.com.
Microsoft Learn: https://learn.microsoft.com/microsoft-365/admin/get-help-with-domains/remove-a-domain
Legal needs a 20-GB, currently unlicensed shared mailbox placed on Litigation Hold. What is required to do this?
Correct answer: C. Assign the shared mailbox an Exchange Online Plan 2 license (or Exchange Online Plan 1 plus an Exchange Online Archiving add-on).
A shared mailbox needs no license for basic storage up to 50 GB, but placing it on Litigation Hold requires an Exchange Online Plan 2 license, or an Exchange Online Plan 1 license with the Exchange Online Archiving add-on.
Why the other options are wrong:
- A. Mailbox size (50 GB is the unlicensed cap) is unrelated to the license needed for Litigation Hold.
- B. Business Basic isn't the qualifying SKU; Litigation Hold specifically requires EXO Plan 2 (or Plan 1 + EOA).
- D. Litigation Hold is a licensed capability; an unlicensed shared mailbox can't be placed on hold.
Memory hook: Unlicensed shared mailbox = storage only; hold/archive needs Plan 2 (or Plan 1 + EOA).
Microsoft Learn: https://learn.microsoft.com/en-us/microsoft-365/admin/email/about-shared-mailboxes
A user belongs to two Microsoft Entra groups. Group one is targeted by the Cloud Policy configuration 'Sales-Baseline' (priority 3), which sets an Office security setting to Disabled. Group two is targeted by 'Security-Strict' (priority 1), which sets the same setting to Enabled. A domain Group Policy Object on the user's Windows PC also configures the same setting with a third value. Which value applies when the user opens Excel?
Correct answer: A. The 'Security-Strict' value, because in a conflict the highest-priority Cloud Policy configuration wins - lower numbers are higher priority, with 0 the highest assignable - and Cloud Policy settings take precedence over Group Policy.
Two precedence rules from the Cloud Policy documentation resolve this. First, when a user is in multiple Microsoft Entra groups with conflicting policy settings, priority determines which setting applies: the highest priority wins, and 0 is the highest priority you can assign - so 'Security-Strict' at priority 1 beats 'Sales-Baseline' at priority 3. Priorities are managed with Reorder priority on the Policy configurations page. Second, policy settings implemented through Cloud Policy take precedence over settings implemented by Group Policy on Windows Server, and over preference or locally applied settings - so the GPO's value loses regardless. The user gets the 'Security-Strict' Enabled value.
Why the other options are wrong:
- B. Learn states the opposite: Cloud Policy settings take precedence over policy settings implemented by using Group Policy on Windows Server. The cloud-delivered value wins on this device.
- C. Priority ordering runs the other way - lower numbers outrank higher ones, with 0 as the highest assignable priority. Priority 1 defeats priority 3.
- D. Cloud Policy does not error out on conflicts; conflict resolution by priority is the designed behavior, and the winning configuration's setting is applied silently.
Memory hook: Cloud Policy conflicts: think golf - lowest priority number wins (0 is best) - and the cloud outranks the GPO.
Microsoft Learn: https://learn.microsoft.com/microsoft-365-apps/admin-center/overview-cloud-policy
An admin has added contoso.com in the Microsoft 365 admin center and must prove the organization owns the domain before it can be used. An external registrar hosts the DNS. Which DNS record does Microsoft 365 have the admin create to verify ownership?
Correct answer: B. A TXT record at the domain root with a value like MS=ms########.
Domain ownership is verified by adding the TXT record Microsoft supplies (value MS=ms########) at the root/@. This TXT method is the default and doesn't affect mail flow; once verified you add the service records (MX, CNAME, etc.).
Why the other options are wrong:
- A. The autodiscover CNAME is a service record for Outlook auto-configuration, not domain-ownership verification.
- C. That MX record routes mail after setup; it isn't the verification record you add to prove ownership.
- D. The _sipfederationtls SRV record supports Teams/Skype federation, not ownership verification.
Memory hook: Prove you own it with a TXT that says MS=ms...
Microsoft Learn: https://learn.microsoft.com/microsoft-365/admin/get-help-with-domains/information-for-dns-records?view=o365-worldwide
An enterprise plans a Microsoft 365 multitenant organization (MTO) to unify collaboration across several of its Microsoft Entra tenants. What is the supported maximum number of active tenants (including the owner tenant), and which license is required?
Correct answer: C. 100 tenants; Microsoft Entra ID P1.
A multitenant organization supports a maximum of 100 active tenants, including the owner tenant. It requires Microsoft Entra ID P1 (one P1 per employee per MTO, and at least one P1 per tenant). To exceed 100 tenants you must submit a support request.
Why the other options are wrong:
- A. The limit is 100 (not 5) and the requirement is P1 (not P2).
- B. It is not unlimited (a 100-tenant cap applies) and Free is insufficient - P1 is required.
- D. The cap is 100, not 50, and the requirement is Entra ID P1, not Microsoft 365 E5.
Memory hook: MTO: 100 tenants max, P1 per person.
Microsoft Learn: https://learn.microsoft.com/entra/identity/multi-tenant-organizations/multi-tenant-organization-overview
A Microsoft Defender for Office 365 Plan 1 admin wants to investigate email from three weeks ago and then use the Take action wizard to soft-delete malicious messages that were already delivered. They can view detections but cannot perform post-delivery remediation. Why?
Correct answer: D. Real-time detections (Plan 1) shows detections at the time of delivery only; post-delivery hunting and the Take action remediation wizard require Threat Explorer in Plan 2
Real-time detections (Plan 1) surfaces detections at the time of delivery only and lacks the Take action remediation wizard. Threat Explorer (Plan 2) adds post-delivery views and remediation actions such as soft delete and hard delete, which also require the Search and Purge role.
Why the other options are wrong:
- A. Both tools support querying up to 30 days of data, so retention is not the blocker.
- B. Global Reader is read-only and would not grant remediation; the gating factor here is Plan 1 versus Plan 2 (remediation also needs the Search and Purge role).
- C. ZAP is not the reason remediation is unavailable; Plan 1 simply lacks the Take action wizard.
Memory hook: Plan 1 sees it at delivery; Plan 2 (Threat Explorer) hunts post-delivery and can Take action.
Microsoft Learn: https://learn.microsoft.com/defender-office-365/threat-explorer-real-time-detections-about
A messaging specialist must manage Exchange Online mail flow (transport) rules, mailbox settings, and Microsoft 365 group mail settings, but must not manage SharePoint, Teams, or user accounts. A colleague who holds only the Teams Administrator role finds they cannot edit transport rules at all. Following least privilege, which single role best fits the messaging specialist?
Correct answer: A. Exchange Administrator
The Exchange Administrator role maps to the Organization Management role group in Exchange Online, granting full management of mail flow (transport) rules, mailbox settings, and group mail settings, without SharePoint, Teams, or user rights. Service-admin roles are siloed - a Teams Administrator maps to no Exchange Online role group, which is why they cannot edit transport rules.
Why the other options are wrong:
- B. Global Administrator is far broader than needed and violates least privilege.
- C. Teams Administrator grants no Exchange Online permissions, which is exactly why the colleague cannot edit transport rules.
- D. Exchange Recipient Administrator maps to Recipient Management - it manages recipients such as mailboxes and groups, but not organization-level mail flow/transport rules, so it cannot fully meet the requirement.
Memory hook: Mail flow rules need Exchange Administrator (Organization Management); Recipient Admin stops at mailboxes, Teams Admin has zero Exchange rights.
Microsoft Learn: https://learn.microsoft.com/exchange/permissions-exo/permissions-exo
Group A and Group B are both assigned the same Microsoft 365 E5 license through group-based licensing. You must move a user from Group A to Group B with no interruption to their licensed services. What is the correct order of operations?
Correct answer: C. Add the user to Group B, confirm the license shows as applied on the user's Licenses page, then remove them from Group A.
Microsoft's documented method is to add the user to the destination group first, confirm the inherited license has applied, and only then remove them from the source group. Removing from the source first leaves the user unlicensed until group-based licensing finishes processing the new assignment - a gap that can be longer in large tenants.
Why the other options are wrong:
- A. Adding a direct license introduces unnecessary churn and isn't the documented no-interruption method.
- B. Even in one operation, the source removal can momentarily deprovision before the destination assignment processes; sequence and confirmation matter.
- D. Removing first creates a deliberate licensing gap while deprovisioning/reprocessing runs - the exact interruption you're trying to avoid.
Memory hook: Add, confirm, remove - land the new license before dropping the old group.
Microsoft Learn: https://learn.microsoft.com/microsoft-365/admin/manage/manage-group-licenses
A vendor engineer needs to view Service health, open and manage service requests (support tickets), and read and share Message center posts - but must not be able to reset passwords or change any other settings. Following least privilege, which single role should you assign?
Correct answer: B. Service Support Administrator
The Service Support Administrator role is scoped exactly to opening and managing service requests, viewing and sharing Message center posts, and monitoring Service health, without password-reset or configuration rights - the least-privileged fit for this task.
Why the other options are wrong:
- A. Helpdesk Administrator's defining capability is resetting passwords and forcing sign-out, which the requirement forbids, and it does not grant Message center post sharing.
- C. Reports Reader only sees usage and activity reports; it cannot manage service requests or view Service health.
- D. Global Reader is read-only across the tenant and cannot create or manage service requests.
Memory hook: Support tickets + Message center + service health, nothing else = Service Support Admin.
Microsoft Learn: https://learn.microsoft.com/microsoft-365/admin/add-users/about-admin-roles
An administrator must stop group owners from adding any NEW guests to Microsoft 365 Groups, while ensuring guests already in existing groups keep their current access. In the Microsoft 365 admin center, at Settings, then Org settings, then Services, then Microsoft 365 Groups, which configuration achieves this?
Correct answer: A. Turn off 'Let group owners add people outside the organization to groups,' and leave 'Let people outside the organization access group content' on.
The Microsoft 365 Groups service exposes two guest toggles: AllowToAddGuests ('Let group owners add people outside the organization to groups') and AllowGuestsToAccessGroups ('Let people outside the organization access group content'). Turning off AllowToAddGuests blocks adding new guests, while leaving AllowGuestsToAccessGroups on lets existing guests keep accessing group content.
Why the other options are wrong:
- B. Turning off both settings also removes existing guests' access to group content, which the requirement forbids.
- C. Deleting guest accounts is unnecessary and destroys existing access; the two toggles satisfy the requirement.
- D. This reverses the toggles - it would cut existing guests' access while still allowing owners to add new guests.
Memory hook: Two Groups guest switches: 'add guests' (stop new) vs 'access content' (keep existing). Flip only the first.
Microsoft Learn: https://learn.microsoft.com/microsoft-365/admin/create-groups/manage-guest-access-in-groups
A security analyst must create and modify Microsoft Defender for Office 365 anti-phishing, anti-spam, and Safe Links/Safe Attachments policies in the Defender portal. You want to grant this through a single Microsoft Entra role using least privilege. Which role is appropriate?
Correct answer: C. Security Administrator.
Microsoft Learn's 'before you begin' guidance for anti-phishing, anti-spam, and Safe Links policies lists the Security Administrator Entra role as granting add/modify/delete rights for these threat policies. The same guidance explicitly steers admins away from Global Administrator in favor of least privilege, which is exactly the trade this question tests.
Why the other options are wrong:
- A. Wrong: Global Administrator can do this, but it is a highly privileged role Microsoft recommends limiting to emergency scenarios; that is not least privilege.
- B. Wrong: Exchange Administrator doesn't grant management of Defender for Office 365 threat policies; that needs Security Administrator (or Organization Management in the Email & collaboration/Exchange RBAC).
- D. Wrong: Security Reader provides read-only access to these policies; it cannot create or modify them.
Memory hook: Manage Defender for Office 365 threat policies (least privilege) = Security Administrator.
Microsoft Learn: https://learn.microsoft.com/defender-office-365/anti-phishing-policies-mdo-configure#what-do-you-need-to-know-before-you-begin