Free practice questions

MS-700 practice questions, with full explanations

75 free MS-700 (Managing Microsoft Teams) questions, each with the correct answer, a breakdown of why every other option is wrong, a memory hook, and the Microsoft Learn reference. Prefer to be quizzed? Take the interactive MS-700 quiz, which scores you by topic and points you to the guide that fits your weak spots.

Teams Environment and Security (15 questions)

Go deeper on this topic in Microsoft Teams Environment and Security Field Guide.

A Teams administrator needs to prevent one specific group of employees from organizing meetings that anonymous (unverified) users can join, while all other organizers keep the ability. Anonymous join is currently allowed org-wide. What is the correct configuration?

Correct answer: C. Keep the org-wide 'Anonymous users can join a meeting' setting On, and turn off the 'Anonymous users can join a meeting' setting in a meeting policy assigned to the targeted group.

Anonymous meeting join is governed by two layers. The org-wide meeting setting 'Anonymous users can join a meeting' is the master switch: if it's off, no one in the org can host anonymous-join meetings, regardless of policy. To restrict only specific organizers, leave the org-wide setting On and turn off the per-organizer 'Anonymous users can join a meeting' meeting policy setting for those users (assign that policy to the group). This disables anonymous join only for meetings those users organize while leaving everyone else unaffected.

Why the other options are wrong:

  • A. 'Who can bypass the lobby' controls who waits in the lobby, not whether anonymous users can join at all; setting it to Everyone reduces lobby protection rather than restricting anonymous join for the group.
  • B. The org-wide setting is tenant-wide and not scoped to a group; turning it off blocks anonymous join for every organizer, not just the targeted group.
  • D. External access blocked domains control federation with external organizations by domain; they don't govern anonymous meeting join, and you can't add an internal employee group to that list.

Memory hook: Org-wide anonymous-join setting = master switch (all or nothing). Per-organizer control = the meeting policy toggle. Scope one group? Use the policy, keep the org setting On.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/anonymous-users-in-meetings

Your organization needs a Teams administrator who can troubleshoot individual user call quality issues using the advanced troubleshooting toolset, but who should NOT have the ability to manage meeting policies, configure calling policies, or change org-wide Teams settings. Which role satisfies this requirement?

Correct answer: A. Teams Communications Support Engineer

The Teams Communications Support Engineer role provides access to the advanced troubleshooting toolset and can view user profile pages and troubleshoot call quality problems using advanced tools, including full access to Call Quality Dashboard (CQD) data down to the impacted user level. The Teams Communications Support Specialist uses only basic tools and can only view information for the specific user being searched. The Teams Communications Administrator can manage meeting and calling policies, which exceeds the required scope. Teams Device Administrator manages device configuration and does not have call quality data access.

Why the other options are wrong:

  • B. The Teams Communications Support Specialist uses only basic tools. It cannot access the advanced troubleshooting toolset, and it can only view information for the specific user being searched, not full CQD data down to impacted users.
  • C. The Teams Device Administrator manages device configuration, configuration profiles, firmware, and device health. It does not provide access to call quality data or call analytics.
  • D. The Teams Communications Administrator has broad permissions including managing meeting policies, calling policies, phone number inventory, and voice applications. This exceeds the stated requirement to avoid policy management access.

Memory hook: Support Engineer = advanced tools, full CQD. Support Specialist = basic tools, single user only.

Microsoft Learn: https://learn.microsoft.com/en-us/microsoftteams/using-admin-roles

Contoso must restrict Teams external communication so that its users can chat and meet with people at exactly two partner organizations, fabrikam.com and adatum.com, and with no other external domains. External access is currently at the default. In the Teams admin center under Users, then External access, which configuration achieves this with the least ongoing maintenance?

Correct answer: D. Choose 'Allow only specific external domains' and add fabrikam.com and adatum.com; all other domains are then blocked.

Teams external access uses a mutually exclusive allow/block model. Per Microsoft Learn: if you specify blocked domains, all other domains are allowed; if you specify allowed domains, all other domains are blocked. To limit federation to only two named partner domains, choose 'Allow only specific external domains' and add the two domains, and every other domain is automatically blocked. As an allowlist, no per-domain block entries need maintenance as new external orgs appear. Both organizations must also allow each other's domains and be enabled for external access.

Why the other options are wrong:

  • A. 'Block only specific external domains' blocks the two partners you are trying to allow and leaves every other domain open, the exact opposite of the goal.
  • B. Adding domains to the blocked list blocks only those two and leaves all other domains allowed, which is the opposite of the requirement.
  • C. The default 'Allow all external domains' permits every external organization. Guest access is a separate feature for adding people to teams; it does not restrict which domains users may federate or chat with.

Memory hook: Allow-list = everyone else blocked. Block-list = everyone else allowed. Want only two partners? Allow only specific domains.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/trusted-organizations-external-meetings-chat

Guest access is turned on org-wide because most teams collaborate with vendors. Leadership wants one specific 'Board of Directors' team to never allow guests, without disabling guest access for the rest of the organization. What should you use?

Correct answer: C. A sensitivity label scoped to Groups & sites that blocks external user access, applied to that team

Guest access in Teams is a single org-wide on/off setting; the supported way to control guests for an individual team is a container sensitivity label (scope Groups & sites) whose external-user-access setting is turned off. Applying that label to the Board team blocks adding guests there while guest access stays on everywhere else.

Why the other options are wrong:

  • A. Turning off guest access disables it for the entire organization, which leadership does not want.
  • B. App permission policies control which apps users can use, not guest membership of a team.
  • D. Blocked domains apply to external access (federation), not to guest membership of a specific team.

Memory hook: Org guest switch is all-or-nothing; per-team guest control = sensitivity label.

Microsoft Learn: https://learn.microsoft.com/purview/sensitivity-labels-teams-groups-sites

Following Microsoft's recommended Quality of Service configuration for Teams, which client source port range is used for video media traffic?

Correct answer: A. 50,020-50,039

Video media uses the second block, 50,020-50,039, marked DSCP 34/AF41. The rest of Microsoft's recommended initial layout: audio 50,000-50,019 (DSCP 46/EF), application/screen sharing 50,040-50,059 (DSCP 18/AF21), and calling/meeting signaling 50,070-50,089 (DSCP 40/CS5, which is not configurable).

Why the other options are wrong:

  • B. 50,000-50,019 is the audio range (DSCP 46/EF), not video.
  • C. 50,040-50,059 is the application/screen-sharing range (DSCP 18/AF21).
  • D. 50,070-50,089 is for calling/meeting signaling (DSCP 40/CS5) and can't be customized.

Memory hook: Audio 00s, Video 20s, Sharing 40s, Signaling 70s.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/qos-in-teams

A hybrid organization with Skype for Business Server on-premises is planning its migration to Teams and has not changed any Teams upgrade settings. A Teams administrator is asked what the default coexistence mode is and what it does. Which statement is correct?

Correct answer: B. The default mode is Islands, in which users run Teams and Skype for Business side by side with overlapping capabilities and no interoperability between the two clients.

The default value of TeamsUpgradePolicy (the coexistence mode), including the built-in Global (Org-wide default) policy, is Islands. In Islands mode each client operates as a separate island: Skype for Business talks to Skype for Business and Teams talks to Teams, so users run both clients and there is no interoperability between them. Because there is no interop in Islands mode, Microsoft recommends saturating Teams adoption before upgrading users to Teams Only. Every other mode (Teams Only, Skype for Business only, and the two Skype for Business with Teams collaboration modes) must be explicitly assigned.

Why the other options are wrong:

  • A. Teams Only is not the default for hybrid/on-premises users; it must be assigned, and it can't even be assigned to a user still homed on Skype for Business Server on-premises.
  • C. Skype for Business with Teams collaboration is an explicitly assigned transitional mode; it is not the default coexistence value.
  • D. Skype for Business only is a mode that must be explicitly assigned; it is not the default, and when assigned it disables Teams chat/calling by design.

Memory hook: Default coexistence mode = Islands (both clients, no interop). Every other mode is a deliberate assignment.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/teams-and-skypeforbusiness-coexistence-and-interoperability

After deploying Microsoft Purview Information Barriers, an admin finds that users from incompatible segments can still be added to teams that existed before IB was enabled, while newly created teams correctly block them. What explains the difference, and what is the remediation?

Correct answer: B. Pre-existing teams default to Open mode, in which no IB policies apply; the admin must change them to Implicit mode (for example, Set-UnifiedGroup -InformationBarrierMode Implicit, or the provided PowerShell script).

Microsoft Learn states that Open is the default IB mode for groups provisioned before IB was enabled, and in Open mode no IB policies apply. Implicit is the default for teams created after IB is enabled. To make existing teams IB-compliant, you must change them from Open to Implicit using Set-UnifiedGroup -InformationBarrierMode Implicit or the provided script that bulk-updates all Teams-connected groups.

Why the other options are wrong:

  • A. Explicit is a SharePoint site mode; Teams-connected groups use Open/Implicit/Owner Moderated, and the fix is Open to Implicit, not associating site segments.
  • C. Scoped directory search affects people-picker discoverability, not whether an existing team enforces IB on membership; the team's mode is the cause.
  • D. The issue is the team's IB mode, not a pending sync; Start-InformationBarrierPoliciesApplication applies policies but doesn't flip an existing team out of Open mode.

Memory hook: Old teams = Open (no IB). Flip them to Implicit so IB actually guards membership.

Microsoft Learn: https://learn.microsoft.com/purview/information-barriers-teams#information-barrier-modes-and-teams

Nina has no direct policy assignments. She belongs to two security groups: "Group-A" (TeamsMeetingPolicy "AllOn", group assignment rank 2) and "Group-B" (TeamsMeetingPolicy "Restricted", group assignment rank 1). Which meeting policy is effective for Nina, and which cmdlet confirms it?

Correct answer: C. "Restricted", because rank 1 is the highest-priority group assignment; confirm with Get-CsUserPolicyAssignment.

Among group policy assignments, rank 1 is the highest priority (ranks are normalized to sequential values 1, 2, 3... with 1 highest). Because Nina has no direct assignment, the rank-1 "Restricted" policy wins. Get-CsUserPolicyAssignment shows a user's effective policy and its source (direct vs group and the rank), whereas Get-CsOnlineUser shows only direct assignments.

Why the other options are wrong:

  • A. Precedence is determined by rank, not by which assignment was created most recently.
  • B. A lower rank number means higher priority (rank 1 beats rank 2), and Get-CsOnlineUser wouldn't reflect group-based assignments anyway.
  • D. Two group memberships do not void each other; the ranking determines which group assignment applies.

Memory hook: Rank 1 wins; Get-CsUserPolicyAssignment reveals which group it came from.

Microsoft Learn: https://learn.microsoft.com/powershell/module/microsoftteams/new-csgrouppolicyassignment

A manufacturing company wants a contractor from a partner firm to become a member of a specific team, open and edit the files in its channels, and see other members' availability. The Teams administrator must choose the external collaboration model that grants access to the team's resources. Which model is required?

Correct answer: A. Guest access, because guests receive a Microsoft Entra B2B account and can be added as a team member with access to the team's resources.

External access (federation) only lets people find, call, chat, and meet with users in other organizations; external access users cannot access your Teams resources and cannot share files. Guest access provisions a Microsoft Entra B2B collaboration guest account in your directory, and a guest can be added as a member of a team with access to its channels, conversations, and files. Microsoft's comparison table shows 'Access Teams resources: No' and 'Share files: No' for external access users, versus 'Yes' for guests. The requirement to join the team and edit channel files therefore requires guest access.

Why the other options are wrong:

  • B. Federated (external access) users are never added to your team roster; external access provides no membership or resource access.
  • C. Per the comparison table, external access users can't access Teams resources or share files; external access only covers find/call/chat/meet and grants no team membership.
  • D. B2B direct connect enables shared-channel participation from the user's home tenant, not full team membership; it applies to shared channels rather than adding the contractor as a member of the whole team with file access.

Memory hook: External access = find/call/chat/meet only. Guest access = B2B account, team member, files & resources. Need resources? Use guest access.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/communicate-with-users-from-other-organizations#compare-external-access-and-guest-access

During an eDiscovery investigation, an admin needs to find messages posted in a Microsoft Teams standard channel. Which content location stores the compliance copies of standard channel messages?

Correct answer: A. The Exchange Online (group) mailbox associated with the team.

Microsoft Learn states that all standard channel messages are journaled to the Exchange Online group mailbox that represents the team. In contrast, 1:1 and group (1:N) chats go to the participants' user mailboxes, and files go to SharePoint or OneDrive. So to search standard channel message text, you search the team's group mailbox.

Why the other options are wrong:

  • B. OneDrive stores files a user shares in 1:1/group chats and meeting recordings, not standard channel messages.
  • C. Individual member mailboxes hold 1:1 and group (1:N) chat messages, not standard channel posts.
  • D. The team's SharePoint site stores files and attachments shared in the channel, not the channel message text.

Memory hook: Channel chatter lives in the team's group mailbox; 1:1 chatter lives in each person's mailbox.

Microsoft Learn: https://learn.microsoft.com/purview/edisc-search-teams#where-teams-content-is-stored

A compliance admin wants a single static retention policy in the Microsoft Purview portal to retain both Exchange mailbox email and Teams chat messages for seven years. In the policy wizard, as soon as they toggle on the 'Teams chats' location, every non-Teams location (Exchange, SharePoint, OneDrive) becomes unavailable. What is the correct interpretation and next step?

Correct answer: D. When a static retention policy includes a Teams location, all non-Teams locations are automatically excluded; the admin must create a separate retention policy for Exchange email.

Microsoft Learn states that if you select a Teams (or Viva Engage) location when creating a retention policy, the other locations are automatically excluded. Teams chats and channel messages aren't included in retention policies configured for Exchange user or group mailboxes, so Teams requires its own dedicated retention policy. The admin must build a second policy for Exchange email.

Why the other options are wrong:

  • A. Adaptive scopes let you combine Teams locations with Viva Engage locations in one policy, not with Exchange, SharePoint, or OneDrive; switching to adaptive doesn't enable Teams + Exchange together.
  • B. Retention labels can't be applied to Teams chat or channel messages at all, so this wouldn't re-enable combining Teams with Exchange.
  • C. There is no Purview setting that lets a Teams location share a single policy with Exchange; the mutual exclusion is by design.

Memory hook: Pick a Teams location and every other location greys out - Teams rides in its own retention policy.

Microsoft Learn: https://learn.microsoft.com/purview/create-retention-policies#create-and-configure-a-retention-policy

Amir is a direct member of the "Sales" security group, which has the "Sales-Meetings" Teams meeting policy applied through a group policy assignment (rank 1). You then run Grant-CsTeamsMeetingPolicy to assign the "Executive-Meetings" policy directly to Amir's account. Which meeting policy is now in effect for Amir, and why?

Correct answer: B. Executive-Meetings, because a direct (individual) assignment takes precedence over any group policy assignment.

Direct user assignments are treated as rank 0 and take precedence over all group policy assignments for that policy type. A group assignment only takes effect for a user who has no direct assignment of the same policy type, so the direct "Executive-Meetings" assignment wins.

Why the other options are wrong:

  • A. Rank 1 is only the highest priority among group assignments; a direct assignment (rank 0) still outranks it.
  • C. This reverses the actual precedence: a direct assignment overrides a group assignment, not the other way around.
  • D. Conflicting assignments do not cancel out; the precedence hierarchy (direct > group > global) resolves which one applies.

Memory hook: Direct = rank 0, and 0 beats every group rank.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/assign-policies-users-and-groups

An admin creates a Microsoft Purview DLP policy for the 'Teams chat and channel messages' location and scopes it to a set of individual user accounts. Testing shows sensitive data is correctly blocked in 1:1 and group chats, but the same sensitive data posted in standard, private, and shared channel messages is not blocked. What change makes DLP protect the channel messages?

Correct answer: A. Scope the policy to a security group, distribution group, or Microsoft 365 group instead of (or in addition to) individual user accounts.

The Scope of DLP protection table in Microsoft Learn shows that when a DLP policy is scoped to individual user accounts, only 1:1/N chats are protected - standard, private, and shared channel messages are NOT protected. When the policy is scoped to a security group, distribution group, or Microsoft 365 group, channel messages ARE protected. Re-scoping the policy to a group closes the gap.

Why the other options are wrong:

  • B. The default Teams DLP policy is a starter policy, not a prerequisite that unlocks channel-message coverage for custom policies.
  • C. DLP for Teams chat and channel is licensed via E5 / Microsoft Communications DLP; there is no separate channel-only add-on, and licensing isn't why channels were skipped - the policy scope is.
  • D. DLP evaluates internal and external messages; restricting to external recipients would narrow coverage, and channel messages still require group scoping.

Memory hook: Individual-user DLP scope guards chats only; to guard channels, scope to a group.

Microsoft Learn: https://learn.microsoft.com/purview/dlp-microsoft-teams#scope-of-dlp-protection

A Teams administrator needs to determine the bandwidth required for a new branch office before Teams is deployed there. The office will have 200 users with a mix of office workers and remote workers. Which tool in the Teams admin center should the administrator use to model this requirement?

Correct answer: A. Network planner

Network planner, found under Planning in the Teams admin center, lets administrators create representations of their organization using sites and personas (office workers, remote workers, Teams Rooms), then generate a bandwidth report. It calculates network requirements for deploying Teams and cloud voice across physical locations. The Microsoft 365 network connectivity test tool assesses existing connectivity. The Network Assessment Tool checks media quality from a specific location. Call Quality Dashboard reports on call quality after deployment.

Why the other options are wrong:

  • B. The Microsoft Teams Network Assessment Tool tests network path quality (packet loss, jitter, latency) from a specific location to Microsoft network edges. It does not calculate bandwidth requirements for a given number of users.
  • C. Call Quality Dashboard (CQD) reports on historical and near-real-time call quality data. It is a post-deployment monitoring tool, not a pre-deployment capacity planning tool.
  • D. The Microsoft 365 network connectivity test tool assesses existing network connectivity to Microsoft 365 endpoints from a given location. It does not model future bandwidth needs for a new office population.

Memory hook: Network Planner = 'plan before you deploy' - sites + personas = bandwidth report.

Microsoft Learn: https://learn.microsoft.com/en-us/microsoftteams/network-planner

An organization deployed DSCP marking via Group Policy targeting ms-teams.exe and enabled the QoS tenant toggle. A significant share of meeting joins come from macOS desktops, iOS/Android mobile, and the browser client. Which statement about QoS coverage for these clients is correct?

Correct answer: C. Mac and mobile clients use the recommended source port ranges but hard-code DSCP for audio (EF) and for video and application/screen sharing (AF41), and browser-based join uses dynamic ports outside your QoS policy - but the tenant QoS toggle must still be enabled for any of it to work.

Per Microsoft Learn, all clients (including mobile and Teams devices) use the recommended source port ranges, but Mac and mobile (iOS/Android) clients use hard-coded DSCP values - audio EF and video/application-screen-sharing AF41 - that you cannot override. The only clients that continue to use dynamic ports (1024-65535) are browser-based clients, so browser participants fall outside port-based classification. Regardless of platform, QoS must be enabled globally with the Teams admin center tenant toggle ('Insert Quality of Service (QoS) markers for real-time media traffic') for markings to apply, including for Teams Rooms on Android and Teams phones, which rely on the tenant toggle.

Why the other options are wrong:

  • A. Mac and mobile clients do mark media, but with hard-coded DSCP values (EF/AF41); they don't ignore QoS, and the claim that only Windows can participate is wrong.
  • B. Browser clients use dynamic ports (1024-65535), not the fixed 50,000-50,089 ranges, so port-based ACLs can't reliably classify them.
  • D. Browser-based join uses dynamic ports and is effectively outside your port-based QoS policy, and Mac/mobile hard-code their DSCP values, so they don't honor Group Policy DSCP overrides.

Memory hook: Mac/mobile hard-code DSCP (EF/AF41); browsers use dynamic ports (uncovered); the tenant QoS toggle is still mandatory for all.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/qos-in-teams#step-4-implement-qos-settings

Teams, Channels, and Apps (15 questions)

Go deeper on this topic in Microsoft Teams, Channels, and Apps Field Guide.

An administrator creates a new custom team template in the Teams admin center and it immediately appears in the Team templates list. A user tries to create a team right away but does not see the new template in the Teams gallery. What is the most likely explanation?

Correct answer: B. It can take up to 24 hours for a newly created custom template to appear in the gallery for Teams users.

Microsoft Learn notes that after you create or change a custom team template, 'It can take up to 24 hours for teams users to see a custom template in the gallery.' The template shows in the admin's Team templates list immediately, but end-user visibility in the create-a-team gallery lags up to 24 hours. No additional publishing or policy step is required for it to appear.

Why the other options are wrong:

  • A. The Manage apps page manages apps, not team templates; there is no separate publish step for a custom template.
  • C. Templates policies are exclusion lists that hide templates; new templates are visible by default and do not need to be added to a policy to appear.
  • D. Custom templates are created in the Teams admin center (from scratch, from an existing team, or from an existing template) and do appear in the gallery; PowerShell cmdlets exist but are not the only path.

Memory hook: New custom template = up to 24 hours before users see it in the create-a-team gallery.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/create-a-team-template

A third-party app shows as Allowed in Org-wide app settings and is Allowed at the org level on the Manage apps page, yet one specific user reports the app is missing from their Teams app store and cannot be added. What is the most likely cause?

Correct answer: A. A custom app permission policy (or app centric management assignment) applied to that user blocks the app.

Teams uses a layered model: to let a user actually use an app it must be allowed in Org-wide app settings, allowed at the individual app level, AND allowed for that user via the app permission policy (or the per-user/group assignment in app centric management). The first two gates are open here, so the per-user gate is what is blocking. A custom permission policy that blocks the app (or an ACM assignment that excludes the user) removes it from that single user's store.

Why the other options are wrong:

  • B. Upload custom apps controls side-loading of custom app packages, not the availability of an already-allowed store app.
  • C. The scenario states third-party apps are Allowed org-wide, so this gate is open and cannot be the cause.
  • D. A missing Teams license would block Teams entirely, not selectively remove one app from the store.

Memory hook: Three gates must all open: Org-wide, then App-level, then User (permission policy/ACM). One closed gate = no app.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/teams-app-permission-policies

An admin wants a custom team template that automatically provisions a private channel and a shared channel whenever users create a team from it. Can this be defined in the template?

Correct answer: B. No - private and shared channel creation is not included in team template definitions

Team templates support only standard channels. Private and shared channel creation is not part of template definitions in either the Teams admin center or Microsoft Graph, so those channels must be created manually after the team is provisioned.

Why the other options are wrong:

  • A. Private channels are also excluded from templates, not just shared channels.
  • C. Neither private nor shared channels are supported in team templates.
  • D. Shared channels are also excluded from templates, not just private channels.

Memory hook: Templates provision standard channels only: no private, no shared.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/get-started-with-teams-templates-in-the-admin-console

A Teams administrator creates a templates policy for frontline workers that hides every team template except three approved ones, and assigns it to 4,000 frontline users with New-CsBatchPolicyAssignmentOperation. Weeks later, another administrator publishes a new custom team template intended for the IT department. Frontline workers report they can now see and use this new IT template when creating teams. What is the cause?

Correct answer: D. Any new template is visible by default to all users, including those already assigned restrictive templates policies; the administrator must edit the frontline policy and hide the new template

The Microsoft Learn templates policies FAQ answers this directly: 'Q: If a new template is created, will the template be included in my policies? A: Any new templates are visible by default. You can choose to hide the template in the Teams admin center in the Templates policies section.' A templates policy is an exclusion list of hidden templates, not an allowlist - so any template published after the policy was saved is automatically visible to every user, including populations on restrictive policies. The operational fix is a review step: after each new template is published, revisit each templates policy and hide it where appropriate.

Why the other options are wrong:

  • A. The 24-hour propagation window applies to policy assignments taking effect. Here the policy is working as saved; it simply does not contain the new template in its Hidden templates list, and waiting will not change that.
  • B. Templates policies can hide both prebuilt and custom templates (up to 100 hidden per policy). The issue is default visibility of new templates, not a custom-template limitation.
  • C. Nothing failed - the users still see only the three approved templates plus the new one, which is exactly what an exclusion-based policy produces when a new template appears. A full fallback to the Global policy would expose the entire catalog.

Memory hook: Templates policies hide, they never allow. Every newborn template is visible to everyone until you go hide it - build that into your publishing checklist.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/templates-policies

The communications department needs an announcements channel inside an existing team where only a small set of designated users can start new posts, replies from other members can be limited or blocked, and messages from bots and connectors can be controlled. All team members must still be able to read the channel. Which configuration meets the requirement?

Correct answer: D. A standard channel with channel moderation turned on and the designated users assigned as channel moderators.

Channel moderation is the feature built for this exact scenario, and per the channel feature comparison on Microsoft Learn it is supported only in standard channels (Moderation: Standard = Yes, Private = No, Shared = No). When moderation is set up, team owners designate moderators (owners have moderator capabilities by default), and moderators control who can start new posts, whether team members can reply to existing channel messages, whether bots and connectors can submit messages, and can add or remove other moderators. Because it is a standard channel, every team member can still read the announcements.

Why the other options are wrong:

  • A. A private channel restricts who can see the channel, not who can post in it. The rest of the team could not read the announcements at all, which defeats the purpose, and private channels do not support moderation.
  • B. Shared channels do not support moderation, and using one would also change the audience model - members would need to be explicitly added to the channel rather than all team members reading it by default.
  • C. 'Owners can delete sent messages' is a messaging policy cleanup control that lets owners delete other people's posts after the fact. It does not prevent members from starting new posts or control replies, bots, or connectors.

Memory hook: Moderation = standard channels only. Moderators gate new posts, replies, and bot/connector messages - private and shared channels don't have the feature.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/teams-channels-overview#channel-feature-comparison

Before its tenant was automatically migrated to app-centric management, Contoso used a custom app permission policy assigned to contractors that blocked a specific third-party app, while the Global (Org-wide default) permission policy allowed the same app. After the automatic migration completes, contractors report they can now access the app. What explains this behavior?

Correct answer: A. This is documented migration behavior: when an app is allowed in the global policy but blocked in a custom policy, auto-migration makes the app available to all users of the tenant - the one case where app access changes - and the admin must manually restrict availability afterward

Microsoft Learn documents this exact conflict case for ACM auto-migration: 'There's no change of app permissions during the migration, except where an app is allowed in the global policy but blocked in the custom app permission policy. Here, the app is available to all users of the tenant' (except for EDU customers, where it becomes available to none). This is the only instance where access changes during migration, and Microsoft explicitly says admins can modify the resulting availability as desired post-migration. The fix is to edit the app's 'Available to' assignment on the Manage apps page.

Why the other options are wrong:

  • B. ACM fully supports restricting an app to a subset of users via the 'Specific users or groups' availability option. The migration behavior in this conflict case is a defined rule, not a capability gap.
  • C. Nothing failed - the access change in this specific global-allow/custom-block conflict is the documented, intended migration outcome. Migration also cannot be re-run or reverted once complete.
  • D. Auto-migration does create one security group per custom app permission policy to preserve assignments, but the contractors' new access comes from the documented conflict-resolution rule, not from a deleted group.

Memory hook: ACM migration golden rule: nothing changes - EXCEPT global-allow + custom-block, which migrates to available-to-everyone. Audit that one conflict before April's migration wave hits.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/app-centric-management#considerations-and-known-limitations

A Teams administrator creates a custom app setup policy that pins a single line-of-business app to the app bar and assigns the policy to field technicians. On Teams desktop, the app appears pinned as expected. On the technicians' iOS and Android clients, the app bar remains unchanged even several days later. What is the cause?

Correct answer: A. A setup policy must pin at least two apps for the Teams mobile client to apply it; with fewer, the mobile client ignores the policy and keeps its existing configuration.

Microsoft Learn's app setup policy considerations state that at least two apps must be pinned for the Teams mobile clients (iOS and Android): 'If a policy has fewer than two agents or apps, the mobile client doesn't reflect the policy settings. Instead, the mobile client continues to use the existing configuration.' The desktop client has no such minimum, which explains why the pin works there while mobile appears unaffected. The fix is to pin a second app (for example, a core Microsoft app) in the same policy so mobile honors it.

Why the other options are wrong:

  • B. App policies apply to Teams on web, mobile, and desktop clients. No Intune app configuration policy is needed for policy-based pinning on mobile.
  • C. Admin pins always take precedence whether user pinning is on or off - the toggle only controls whether users can add and reorder their own pins below the admin list. It is not a prerequisite for admin pins on mobile.
  • D. If the app were blocked by the user's permission policy, it would be unusable on desktop as well. The scenario confirms the pin works on desktop, so the app is allowed; the failure is mobile-specific.

Memory hook: Mobile needs a pair: fewer than two pinned apps and the iOS/Android clients ignore the setup policy entirely.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/teams-app-setup-policies

A team owner runs a shared channel for a cross-team project. A consultant already has a Microsoft Entra B2B guest account in your tenant and participates in several teams as a guest. When the shared channel owner tries to add the consultant's guest account to the shared channel, the operation fails. What should the Teams administrator explain?

Correct answer: A. Guests cannot be added to shared channels by design; the consultant must instead be invited as an external participant via B2B direct connect using their home-tenant identity.

Shared channels do not support Microsoft Entra guest accounts at all - this is a hard platform constraint, not a policy setting. Microsoft Learn states that guests (people with Microsoft Entra guest accounts in your organization) can't be added to a shared channel, and that this applies even to guests whose UserType property has been converted to member. The supported model for people outside the organization is Microsoft Entra B2B direct connect: the external person participates using their own home-tenant credentials, with no guest object in your directory. If the person also has a guest account in your tenant, the admin center requires searching on ext:user@domain.com to select the external organization account rather than the guest account.

Why the other options are wrong:

  • B. Sensitivity labels can control whether owners may add guests at the team level, but the shared channel guest restriction is an unconditional platform behavior that applies regardless of any label configuration.
  • C. Converting the guest's UserType to member does not help. Microsoft Learn explicitly notes that guests - including those converted to members in their user type property - can't be added to a shared channel.
  • D. Sharing a channel with an entire team is an alternative sharing mechanism for teams, not a prerequisite for adding individuals, and it still would not allow a guest account to participate in the shared channel.

Memory hook: Shared channels never take guests - not even converted ones. External people come in through B2B direct connect from their own tenant.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/shared-channels#adding-and-removing-owners-and-members

In Org-wide app settings the 'Let users interact with custom apps' setting is turned OFF. For one team, 'Allow members to upload custom apps' is ON, and the app setup policy assigned to that team's members has 'Upload custom apps' set to ON. What can those users do with custom apps?

Correct answer: B. No one can upload custom apps for personal or team use; users can only submit custom apps for admin approval.

The org-wide custom app setting is the master switch. When it is OFF, the Upload custom apps option is unavailable across the organization regardless of team-level or app-setup-policy settings. Users can still submit a custom app for admin approval, but they cannot upload it for their own personal or team use.

Why the other options are wrong:

  • A. Team owners can upload only when the org-wide custom app setting is ON; with it off, upload is unavailable.
  • C. Members uploading to a team requires the org-wide setting ON plus the other toggles; the master switch is off here.
  • D. Personal-scope upload also depends on the org-wide setting being ON; it is off, so this is not possible.

Memory hook: Org-wide custom-app switch OFF = upload dead everywhere; only 'submit for approval' survives.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/teams-custom-app-policies-and-settings

A shared channel owner wants to (1) add the company's org-wide team as a member of the shared channel, and (2) invite an external partner who only has a personal (consumer) Microsoft account. Which statement is correct?

Correct answer: B. Org-wide teams can't be added as members of a shared channel, and only Microsoft Entra work or school accounts (not personal Microsoft accounts) are supported for external participants via B2B direct connect.

Both requests fail. Org-wide teams aren't supported as members of a shared channel, and external participation runs on B2B direct connect, which supports only Microsoft Entra work or school accounts. Personal (consumer) Microsoft accounts and guest accounts can't participate in shared channels at all. Bots, connectors, and message extensions aren't supported either.

Why the other options are wrong:

  • A. Org-wide teams can't be added at all, and shared channels don't use guest accounts - external participation is B2B direct connect with work/school accounts.
  • C. Neither action works: org-wide teams can't be shared-channel members, and personal Microsoft accounts aren't supported for external participants regardless of guest access.
  • D. Personal Microsoft accounts are NOT supported for shared-channel external participants; only Microsoft Entra work/school accounts are.

Memory hook: Shared channels: no org-wide teams as members; external = Entra work/school accounts only (no personal MSAs, no guests).

Microsoft Learn: https://learn.microsoft.com/microsoftteams/limits-specifications-teams#teams-and-channels

An administrator is building a custom team template and tries to add 18 channels, each with several tabs, plus a large set of apps. The template won't accept all 18 channels. What are the team template size limits?

Correct answer: C. 15 channels per template, 20 tabs per channel in a template, 50 apps per template.

Team templates are limited to 15 channels per template, 20 tabs per channel in a template, and 50 apps per template. Users can add more channels, tabs, and apps to a team after it is created from the template, but the template object itself caps at these numbers - which is why 18 channels is rejected at save time.

Why the other options are wrong:

  • A. These numbers are inflated; the template channel limit is 15 (not 200) and apps cap at 50 (not 100).
  • B. 30 is the per-team private channel figure (currently transitioning), not the template channel limit, and the tab/app numbers here are wrong too.
  • D. The tab (20) and app (50) values are right, but the channel limit is 15, not 10.

Memory hook: Template caps: 15 channels, 20 tabs per channel, 50 apps. Add more after the team is created.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/get-started-with-teams-templates-in-the-admin-console

A developer uses the Teams App Submission (Graph) API to submit a line-of-business app. On the Manage apps page in the Teams admin center it shows Publishing status "Submitted" and Status "Blocked," and users still can't find it. What must the Teams admin do to make it available in the org's app store?

Correct answer: B. Open the app details page and select Publish, which changes Publishing status to Published and Status to Allowed.

A user/API-submitted custom app arrives on Manage apps with Publishing status 'Submitted' and Status 'Blocked.' The admin reviews it and selects Publish on the app details page, which flips Publishing status to Published and Status to Allowed. (Admin-uploaded apps skip this because they are published and allowed on upload.)

Why the other options are wrong:

  • A. Graph/API submissions are published directly via the admin center Publish action; re-uploading isn't required.
  • C. The 'Upload custom apps' setup-policy toggle governs user sideloading, not approving an app awaiting publish.
  • D. Granting Graph permission consent doesn't publish the app; publishing is a separate approval step.

Memory hook: Submitted + Blocked = waiting for your Publish click.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/submit-approve-custom-apps

On the Manage apps page you open a third-party app's Permissions tab to grant org-wide consent to the Microsoft Graph permissions it requests. As a Teams Administrator you can view the permissions, but the option to grant (Accept) consent is unavailable. Which role is required to grant this consent?

Correct answer: B. Global Administrator

Only Global Administrators can grant org-wide consent to the Microsoft Graph permissions an app requests from the Teams admin center. A Teams Administrator can view the required permissions on the Permissions tab but cannot grant consent, which is why the Accept option is unavailable for that role.

Why the other options are wrong:

  • A. The Teams Administrator role can view the permissions but cannot grant consent - that is the exact limitation described in the scenario.
  • C. Teams Communications Administrator manages calling and meeting features and cannot grant app permission consent.
  • D. Teams Devices Administrator manages Teams-certified devices, not app permission consent.

Memory hook: Viewing app permissions = Teams Admin; GRANTING org-wide consent = Global Admin only.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/manage-consent-app-permissions

Fabrikam hosts a Teams shared channel and invites several Contoso users through B2B direct connect. Cross-tenant access settings are correctly configured in both tenants, and Fabrikam's channel owners have no policy restrictions. The invited Contoso users, however, cannot participate in the external shared channel. Contoso's Teams administrator must resolve this with a teams policy change. Which setting must be turned On, and where?

Correct answer: B. 'Join external shared channels' in the teams policy assigned to the affected users in Contoso's tenant

The 'Join external shared channels' setting (PowerShell parameter -AllowUserToParticipateInExternalSharedChannel on CsTeamsChannelsPolicy) controls whether users can 'participate in shared channels created by other organizations where a cross-organization trust has been configured.' It is a per-user policy evaluated in the participating user's home tenant - here, Contoso. Because the Contoso users are the ones joining an externally hosted channel, Contoso's Teams administrator must ensure the policy assigned to them has this setting On.

Why the other options are wrong:

  • A. 'Create shared channels' controls whether team owners can create shared channels at all. The scenario involves participating in an external channel, not creating one.
  • C. 'Invite external users to shared channels' governs the outbound hosting direction - whether owners and members of shared channels in YOUR tenant can invite external participants. It does not control your users' ability to join channels hosted elsewhere.
  • D. 'Join external shared channels' applies to the users doing the joining, in their home tenant. Assigning it in Fabrikam (the hosting tenant) has no effect on Contoso users' ability to participate.

Memory hook: Two directions, two toggles: INVITE external users = host side. JOIN external channels = participant's home tenant. Fix the policy where the blocked user lives.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/teams-policies

A Teams administrator is auditing SharePoint site sprawl. A single team contains the General channel, four additional standard channels, two private channels, and one shared channel. How many SharePoint sites are associated with this team in total?

Correct answer: D. 4

One SharePoint team site is created when the team is provisioned, and ALL standard channels (General plus the four others) share that single site, each mapping to a folder in its document library. Each private channel and each shared channel gets its own dedicated SharePoint site that only channel members can access. So the total is 1 (team site) + 2 (private channel sites) + 1 (shared channel site) = 4 sites. These channel sites carry the custom template ID TEAMCHANNEL#0 or TEAMCHANNEL#1, which SharePoint admins can use to filter them.

Why the other options are wrong:

  • A. Eight assumes every channel gets its own site. Standard channels never get individual sites - they are folders within the one shared team site.
  • B. Three undercounts by omitting the shared channel's site. Shared channels, like private channels, each get a dedicated SharePoint site scoped to channel membership.
  • C. One site would be correct only if the team had nothing but standard channels. Private and shared channels each provision their own separate SharePoint site.

Memory hook: Site math: 1 for the team (all standard channels are just folders) + 1 per private channel + 1 per shared channel.

Microsoft Learn: https://learn.microsoft.com/sharepoint/teams-connected-sites

Teams Meetings and Phone (15 questions)

Go deeper on this topic in Microsoft Teams Meetings and Phone Field Guide.

An organization still schedules Microsoft Teams live events for company-wide broadcasts. Following current Microsoft guidance, which Teams event type is the designated replacement for Teams live events?

Correct answer: B. Teams town halls

Microsoft is retiring Teams live events in 2026 (already-scheduled events are honored through February 28, 2027) and recommends upgrading to Teams town halls. Town halls are the successor for large-scale, one-to-many broadcast events and provide comparable capabilities and Graph APIs.

Why the other options are wrong:

  • A. Regular meetings with view-only overflow are not positioned as the live events successor for broadcast events.
  • C. Viva Engage can surface events, but the named replacement for Teams live events is Teams town halls.
  • D. Webinars are registration-based structured events (up to 1,000 attendees) for smaller interactive audiences, not the designated replacement for broadcast-scale live events.

Memory hook: Live events are retiring; move to TOWN HALLS.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/plan-town-halls

An auto attendant offers dial-by-name so external callers can reach employees, but the security team requires that executives never appear in the directory that callers can search, while all other employees remain reachable by name. Which auto attendant configuration accomplishes this?

Correct answer: B. On the auto attendant's Dial scope page, set Exclude to a group that contains the executives

The auto attendant Dial scope controls which users are available in the directory for dial-by-name and dial-by-extension. The default is all online users, and you can Include or Exclude specific Microsoft 365 groups, distribution lists, or security groups. Excluding an executives group removes them from the searchable directory while keeping dial-by-name working for everyone else.

Why the other options are wrong:

  • A. Dial-by-name searches users, not just numbers, so removing phone numbers won't hide them from directory search and would break their own calling.
  • C. Emergency calling policies govern emergency-call routing and security-desk notifications, not auto attendant directory visibility.
  • D. Setting Directory search to None disables dial-by-name entirely, which defeats the requirement to let callers reach other employees.

Memory hook: Auto attendant directory visibility = Dial scope Include/Exclude groups (default = all online users).

Microsoft Learn: https://learn.microsoft.com/microsoftteams/aa-cq-setup-auto-attendant

You want to re-run remote provisioning (upload MAC address, issue a verification code) on a Teams panel that a technician already signed in last month, so you can move it to a different resource account. In the Teams admin center the device no longer appears under 'Waiting on activation.' What must happen before remote provisioning can be used on this device again?

Correct answer: D. The device must be reset to factory default settings.

Remote provisioning is only available before a Teams Android device's first sign-in. Once a device has signed in, the feature is unavailable; to use it again the device must be reset to factory default settings. Remote sign-out changes the signed-in account but does not re-enable provisioning.

Why the other options are wrong:

  • A. Wrong - deleting the Intune object doesn't reset the device state that governs provisioning availability.
  • B. Wrong - verification codes can't be issued to an already-provisioned/signed-in device; it's no longer on the activation tab.
  • C. Wrong - remote sign-out lets you change or clear the account, but it does not return the device to 'Waiting on activation' or re-enable provisioning.

Memory hook: Provision once; to provision again, factory-reset the slate.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/devices/remote-provision-remote-login

A company on Microsoft 365 E3 has 40 project managers who schedule Teams meetings that frequently include external partners dialing in from a phone. The other 600 employees only ever join from the Teams app and never host dial-in meetings. To minimize cost, to which users must the administrator assign Audio Conferencing add-on licenses?

Correct answer: C. Only to the 40 project managers who schedule the dial-in meetings; attendees who dial in need no license.

Audio Conferencing requires an add-on license only for each user who schedules or leads dial-in meetings; attendees who dial in need no license and no other setup. Microsoft 365 E3 does not include Audio Conferencing (E5/A5 do), so the add-on must be purchased and assigned to the 40 organizers - not to every user, and not to attendees.

Why the other options are wrong:

  • A. External dial-in attendees never need an Audio Conferencing license, and you cannot assign Microsoft 365 add-ons to people outside your tenant anyway. The license belongs to the meeting host.
  • B. E3 does not bundle Audio Conferencing; only E5/A5 include it. On E3 you must buy and assign the add-on to the users who lead dial-in meetings.
  • D. Dial-in numbers are shared at the tenant level, but the license is per organizer, not per participant. Licensing all 640 users wastes money on people who never host dial-in meetings.

Memory hook: Audio Conferencing = license the host, not the dial-in crowd. E5 includes it; E3 buys the add-on.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/audio-conferencing-in-office-365

An organization uses Microsoft Calling Plan for PSTN. Security wants a security desk conferenced in (muted) and notified whenever anyone dials 911. A Teams engineer insists they must first build and assign an emergency call routing policy to every user to enable this. Which statement is correct?

Correct answer: C. The security desk conference/notification is configured in the emergency calling policy, which applies to Calling Plan, Operator Connect, Teams Phone Mobile, and Direct Routing; the emergency call routing policy applies only to Direct Routing.

The Teams emergency calling policy configures the security desk notification experience (who is notified and how - chat only, conferenced in muted, or conferenced in and able to unmute, plus an optional PSTN number) and applies to Calling Plan, Operator Connect, Teams Phone Mobile, and Direct Routing. The emergency call routing policy configures emergency numbers and PSTN routes and applies only to Direct Routing (assigning it to Calling Plan users has no effect). The engineer has the two policies backwards.

Why the other options are wrong:

  • A. The emergency call routing policy is Direct Routing-only and does not enable notifications. Security desk notification is configured through the emergency calling policy, which the scenario needs.
  • B. Security desk notification is configured via the emergency calling policy in the Teams admin center or PowerShell; it is not gated behind a Teams Premium license.
  • D. Security desk notifications are explicitly available with Microsoft Calling Plans, Operator Connect, and Direct Routing - not Direct Routing only. Calling Plan fully supports this.

Memory hook: Security desk notify = emergency CALLING policy (all PSTN types). Emergency call ROUTING policy = Direct Routing only (numbers/routes).

Microsoft Learn: https://learn.microsoft.com/microsoftteams/manage-emergency-calling-policies

An enterprise adopting Teams Phone must keep its current PSTN carrier, which participates in the Microsoft program. They want the carrier to own the PSTN infrastructure and SBCs, provision phone numbers directly into the tenant, and then manage those numbers from the Teams admin center - with no on-premises hardware. Which PSTN connectivity option best fits?

Correct answer: C. Operator Connect

Operator Connect lets you keep an existing carrier that participates in the Microsoft Operator Connect program. The operator manages PSTN calling and SBCs and uploads numbers directly into your tenant, which you then view and manage under Voice, then Phone numbers in the Teams admin center - a fully managed service with no on-premises hardware. That matches every requirement in the scenario.

Why the other options are wrong:

  • A. Microsoft Calling Plan makes Microsoft your carrier. The company explicitly wants to keep its current carrier, so Calling Plan doesn't fit.
  • B. Direct Routing keeps your carrier but requires you (or a provider) to procure and manage the SBC and related on-premises infrastructure - the opposite of the 'no hardware' requirement.
  • D. Teams Phone Mobile ties a user's Teams number to a carrier mobile SIM for a single-number experience; it isn't a general carrier-managed landline replacement for the enterprise.

Memory hook: Keep your carrier, no SBC, numbers pushed into your tenant = Operator Connect. Keep carrier but run the SBC yourself = Direct Routing.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/pstn-connectivity

Your organization uses Direct Routing. You must (1) define the emergency dial strings and route emergency calls to a dedicated SIP trunk, and (2) automatically notify the security desk and let them listen in whenever a user dials 911. Which policy or policies accomplish both requirements?

Correct answer: D. A Teams emergency call routing policy (with a PSTN usage) for the emergency numbers and routing, plus a Teams emergency calling policy for the security-desk notification.

For Direct Routing, the emergency CALL ROUTING policy defines the emergency dial strings, dial masks, and PSTN usage that routes the call to the correct trunk. The emergency CALLING policy configures the security-desk notification experience - who is notified and whether they can listen in. Both requirements therefore need both policies.

Why the other options are wrong:

  • A. The emergency calling policy configures notification only; it does not define the emergency numbers or PSTN routing that Direct Routing requires.
  • B. The emergency call routing policy does not configure security-desk notification; that is the emergency calling policy's job.
  • C. Those are general calling and voice-routing policies, not the emergency-specific policies needed here.

Memory hook: Routing policy = where the call goes (Direct Routing); Calling policy = who gets notified.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/configure-dynamic-emergency-calling

An organization assigns Standard Audio Conferencing licenses to 50 US-based meeting organizers. Partway through the month they report that dialing out ("Call me at") to some international destinations stops working, while dial-out to US numbers still works. What explains this, and what is required to restore international dial-out?

Correct answer: B. Each Audio Conferencing user gets 60 dial-out minutes to Zone A destinations pooled at the tenant level; once the pool is exhausted, or for non-Zone A destinations, Communication Credits (or a Pay-As-You-Go option) are required

A Standard Audio Conferencing license includes 60 outbound minutes per user per month to Zone A countries/regions, pooled across the tenant. Once that pool is exhausted, or for dial-out to non-Zone A destinations, Communication Credits (or a Pay-As-You-Go option) are required to keep placing dial-out calls. US dial-out continuing while some international destinations stop is consistent with running past the pooled/Zone A allowance.

Why the other options are wrong:

  • A. Audio Conferencing does include dial-out from meetings ("Call me at"); assigning a Calling Plan to every organizer is not required.
  • C. Dial-out from a meeting does not require a per-organizer auto attendant resource account.
  • D. The default Microsoft-provided conferencing bridge supports dial-out; switching providers is neither required nor the fix.

Memory hook: AC dial-out = 60 pooled Zone-A min/user/month, then Communication Credits pays overage + non-Zone-A.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/audio-conferencing-subscription-dial-out

A call queue's routing method is set to Longest idle. In the queue settings, the Presence-based routing toggle shows Off and is grayed out. An agent who has set their Teams status to Busy still expects to be skipped. What actually happens?

Correct answer: D. Presence-based routing is automatically enforced with Longest idle, so only agents whose presence is Available receive calls.

When Longest idle is the routing method, presence-based routing is required and automatically enabled even though the toggle appears Off and grayed out. An agent counts as 'idle' only when their presence is Available; agents in any other state (such as Busy) are excluded from routing until they return to Available. (Also, when there are fewer calls than available agents, only the two longest-idle agents are presented with each call.)

Why the other options are wrong:

  • A. The grayed-out Off toggle is cosmetic; Longest idle forces presence-based routing on, so the Busy agent is excluded, not rung.
  • B. Simultaneous ringing is Attendant routing behavior; Longest idle targets the single longest-idle Available agent.
  • C. The queue does not silently switch to Serial routing; Longest idle enforces presence internally by design.

Memory hook: Longest idle secretly flips presence-based routing ON - 'idle' means Available.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/aa-cq-setup-call-queue

An admin runs Set-CsPhoneNumberAssignment to assign a Calling Plan number to a user, but the command fails to set the number. The user was migrated from an on-premises environment and still has a phone number populated in on-premises Active Directory that synchronizes to Microsoft 365. What must the admin do?

Correct answer: C. Clear the phone number in on-premises Active Directory, let the change sync to Microsoft 365, and then assign the number

If a user or resource account has a phone number set in on-premises Active Directory that syncs into Microsoft 365, you can't use Set-CsPhoneNumberAssignment to set the number. You must first clear the number in on-premises AD, let the change synchronize, and then assign the number in Teams. (Assigning a number also automatically sets EnterpriseVoiceEnabled to True.)

Why the other options are wrong:

  • A. Set-CsPhoneNumberAssignment does assign Calling Plan numbers; the tool is not the problem, the synced on-premises attribute is.
  • B. The connectivity type does not change simply because the user is synced from on-premises; forcing DirectRouting is incorrect and doesn't fix the conflict.
  • D. Set-CsUser -HostedVoiceMail is legacy and no longer needed for Teams; it does not resolve the synced-attribute conflict.

Memory hook: On-prem AD number syncing in? Clear it on-prem, let it sync, THEN Set-CsPhoneNumberAssignment.

Microsoft Learn: https://learn.microsoft.com/powershell/module/microsoftteams/set-csphonenumberassignment

An auto attendant in Teams Phone must be reachable via a service phone number. A resource account has been created and a Microsoft Teams Phone Resource Account license has been assigned. What is the correct next step before the resource account can be associated with the auto attendant?

Correct answer: D. Assign a service phone number to the resource account.

With the license in place, the next step is assigning the service phone number to the resource account; the auto attendant cannot be reached externally until the account holds the number. The full chain: obtain a service number, create the resource account, assign the Phone Resource Account license, assign the number to the account, then create and associate the auto attendant. The trap is Enterprise Voice: enabling it via Set-CsUser is for user accounts that route calls to people, not for resource accounts.

Why the other options are wrong:

  • A. Enterprise Voice enablement via Set-CsUser applies to individual user accounts to allow PSTN calling for those users. Resource accounts for auto attendants and call queues do not require this cmdlet; they use the Phone Resource Account license and a service number instead.
  • B. Phone number assignment to a resource account is a manual step that does not happen automatically when an auto attendant is created. The number must be obtained and explicitly assigned to the resource account.
  • C. Resource accounts are not licensed with user licenses for inbound call purposes. The Microsoft Teams Phone Resource Account license (a free license) is the correct license for resource accounts associated with auto attendants and call queues.

Memory hook: Auto attendant sequence: service number, then resource account, then Resource Account license, then assign the number to the RA, then create the AA, then associate.

Microsoft Learn: https://learn.microsoft.com/en-us/microsoftteams/aa-cq-setup-auto-attendant

A Teams Rooms on Windows device suddenly signs out and repeatedly fails to sign back in. You discover that the resource account's password expired under your organization's 90-day password policy. Besides resetting the password, what configuration is required to keep this from recurring on shared Teams devices?

Correct answer: A. Set the resource account's password to never expire.

Microsoft documents 'Password never expires' as a requirement for shared Teams device resource accounts. User password-expiration policies otherwise apply to these accounts and force sign-outs, so you must set the password to never expire (for example, Update-MgUser -PasswordPolicies DisablePasswordExpiration) or create an exception.

Why the other options are wrong:

  • B. Wrong - the account should stay a room/resource account with a Teams Rooms license; converting it doesn't address password expiration.
  • C. Wrong - forcing a password change at next sign-in actively causes sign-in failures on Teams devices; that option must be unchecked.
  • D. Wrong - MFA on a shared-device resource account breaks unattended sign-in; shared devices are secured with Conditional Access (named locations/compliant device), not by enabling MFA on the account.

Memory hook: Shared rooms never forget their password - set it to never expire.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/rooms/create-resource-account

A Teams administrator is comparing PSTN connectivity options for Teams Phone. Which option requires the organization (or its provider) to procure, deploy, and manage a certified Session Border Controller (SBC)?

Correct answer: C. Direct Routing

Direct Routing connects a customer-provided, certified SBC to Teams Phone. You, your integrator, or a Direct-Routing-as-a-Service provider own the SBC, including certificate management, DNS/FQDN settings, and last-mile circuit integration. In the PSTN comparison table, Direct Routing is the only option whose 'infrastructure to manage' is an SBC; Calling Plan and Operator Connect are listed as 'None.'

Why the other options are wrong:

  • A. Teams Phone Mobile pairs a carrier's SIM-enabled mobile number with the user's Teams number. The infrastructure is a mobile SIM managed by the operator, not an SBC.
  • B. Microsoft Calling Plan is an all-in-the-cloud solution with Microsoft as your carrier and no on-premises infrastructure to manage - there is no SBC to deploy.
  • D. With Operator Connect, the certified operator manages PSTN calling and the SBCs for you; it is a fully managed service with no hardware footprint on your side.

Memory hook: SBC to buy and babysit = Direct Routing. Calling Plan / Operator Connect / Phone Mobile = no SBC for you.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/pstn-connectivity

An administrator is deploying a Teams-certified IP phone in a warehouse break room as a common area phone. The device signs in with a resource account and must be able to make and receive calls, including cloud PBX features. Which licensing statement is correct?

Correct answer: C. Assign a Microsoft Teams Shared Devices license; it already includes Phone System, so a separate Phone System license isn't required.

Common area phones sign in with a resource account tied to a Microsoft Teams Shared Devices license, and Microsoft states you don't need to add a separate Phone System license because it's included with the Teams Shared Devices license. For actual inbound/outbound PSTN dial tone you additionally add a Calling Plan (or use Operator Connect/Direct Routing, which don't require a Calling Plan).

Why the other options are wrong:

  • A. Teams Rooms Basic is for certified Teams Rooms systems, not common area phones. Common area phones use the Teams Shared Devices license.
  • B. The Microsoft Teams Phone Resource Account (virtual user) license is for the resource accounts behind auto attendants and call queues, not for common area phone devices.
  • D. Enterprise per-user Microsoft 365 suite licenses (like E5) aren't authorized for use on shared meeting/phone devices; a shared common area phone uses the Teams Shared Devices license instead.

Memory hook: Common area phone = Teams Shared Devices license (Phone System baked in). Add a Calling Plan only if you need Microsoft dial tone.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/phones/set-up-common-area-phones

During planned SBC maintenance, a Teams administrator runs `Set-CsOnlinePSTNGateway -Identity sbc1.contoso.com -Enabled $false`. This SBC is one of two gateways listed on an active voice route. What is the immediate effect on calls?

Correct answer: D. Calls already connected through sbc1 continue, but new calls are routed to the other SBC on the route.

Setting -Enabled to $false puts the SBC into 'drain' mode. Per the New-CsOnlinePSTNGateway documentation, when Enabled is $false the SBC continues existing calls, but all new calls are routed to another SBC in the route (if one exists). This lets an admin gracefully take an SBC out of service without dropping connected sessions.

Why the other options are wrong:

  • A. Drain mode is direction-agnostic for new calls - both new inbound and new outbound calls divert; it does not selectively block only inbound.
  • B. Drain mode does not drop active calls; only new calls are diverted, so connected sessions on sbc1 are preserved.
  • C. Disabling the gateway does not delete its configuration; the object remains and can be re-enabled with -Enabled $true. Removal requires Remove-CsOnlinePSTNGateway.

Memory hook: -Enabled $false = drain, not disconnect: old calls finish, new calls flee to the next SBC.

Microsoft Learn: https://learn.microsoft.com/powershell/module/microsoftteams/new-csonlinepstngateway?view=teams-ps

Teams Governance and Collaboration (15 questions)

Go deeper on this topic in Microsoft Teams Governance and External Collaboration Field Guide.

A compliance admin is planning retention for Teams and reviews how private channel messages are handled after Microsoft's 2025 change to private-channel message storage. After the migration completes, which retention location covers private channel messages, and where are those messages stored?

Correct answer: B. Post-migration, private channel messages are stored in group mailboxes and are covered by the 'Teams channel messages' location, inheriting retention from their parent team the same way shared channels do.

After the migration, private channel messages live in group mailboxes, the same place as standard and shared channel messages, so the 'Teams channel messages' location covers them and they inherit retention from the parent team just as shared channels do. The trap is the old model: before 2025 those messages sat in individual user mailboxes and required the dedicated 'Teams private channel messages' location, which couldn't be combined with other Teams locations in the same policy. If private channels need different retention, create a separate 'Teams channel messages' policy scoped to the parent teams that have private channels.

Why the other options are wrong:

  • A. Teams channel content isn't retained by a standard Exchange mailbox retention policy; it requires the Teams-specific 'Teams channel messages' location.
  • C. 'Teams chats' covers 1:1 chats, group chats, and meeting chats stored in user mailboxes - not private channel messages, which are channel content covered post-migration by 'Teams channel messages'.
  • D. The migration specifically moves private channel messages from user mailboxes to group mailboxes; the dedicated 'Teams private channel messages' location is the pre-migration mechanism, not a permanent one. Previously configured policies using it keep working, but new coverage is via 'Teams channel messages'.

Memory hook: After the 2025 migration, private channel messages live in the group mailbox and ride 'Teams channel messages', inheriting from the parent team - just like shared channels.

Microsoft Learn: https://learn.microsoft.com/purview/retention-policies-teams#migration-of-private-channel-messages-in-2025

Your organization wants members of a Teams channel to collaborate with partners at another Microsoft 365 organization so those partners keep using their own work accounts and never receive a guest account in your tenant. Which Microsoft Entra capability makes this possible for a Teams shared channel?

Correct answer: A. Microsoft Entra B2B direct connect

Shared channels rely on Microsoft Entra B2B direct connect. External participants sign in with their home-tenant work or school credentials and access the channel from within their own Teams instance, without a guest account being created in your directory. Both organizations must mutually enable it in cross-tenant access settings.

Why the other options are wrong:

  • B. Cross-tenant synchronization automates creating/updating user objects across tenants within one organization; it does not grant shared-channel participation.
  • C. B2B collaboration provisions a guest (B2B) account in your directory; that is guest access, which shared channels specifically do not use.
  • D. External access (federation) enables cross-org chat, calls, and meetings, not membership in a shared channel.

Memory hook: Shared channel = B2B direct connect; guests need not apply.

Microsoft Learn: https://learn.microsoft.com/entra/external-id/b2b-direct-connect-overview

A vendor engagement has ended. A team owner removes the vendor's guest account from the project team in the Teams client. Weeks later, the security team finds the vendor still has a guest account in Microsoft Entra ID, still appears in another team, and is still counted in External ID monthly active user billing. Why, and what is the correct remediation?

Correct answer: B. Removing a guest from a team removes only that team membership; the Entra B2B guest object persists and must be deleted separately by a User Administrator or Global Administrator to revoke all tenant access.

Removing a guest from a team - or a guest leaving on their own - removes only that team's membership; it does not delete the Microsoft Entra B2B guest object. The account remains in the directory, can retain access to other teams or resources where it was separately granted, and continues to count toward Entra External ID monthly active user (MAU) billing. To fully offboard, an admin (User Administrator or Global Administrator) must delete the guest account from the directory (Microsoft 365 admin center, Entra admin center, or Remove-MgUser). Team removal and directory deletion are two distinct operations.

Why the other options are wrong:

  • A. The guest access toggle suspends guest access org-wide; it neither deletes the leftover account nor is it a targeted offboarding action. Deleting the specific directory account is required.
  • C. The B2B guest object lives in your tenant's directory and is deleted by your admins. The vendor's home tenant owns the underlying identity, but the guest object in your directory is yours to remove.
  • D. There is no automatic deletion of the Entra guest object when a guest is removed from or leaves a team. The account persists until an admin explicitly deletes it.

Memory hook: Two operations: remove-from-team is not delete-from-directory. The #EXT# object (and its MAU billing) lingers until an admin deletes it.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/guest-access

A bank activates an information barrier (IB) policy that blocks its Traders segment from its Research Analysts segment. An analyst who was recently moved from Trading to Research is a member of a standard team that also contains Traders and has an existing 1:1 chat with a Trader. After the IB policy application runs, what happens to the team membership and the existing chat?

Correct answer: D. The IB policy application removes the non-compliant users from the group and team, and the existing 1:1 chat becomes read-only for the blocked pair.

The IB policy application is a background processor that, on a policy or segment change, fetches all team members, evaluates them against the IB policies and the group's IB mode, and removes the non-compliant users from the group and team. For existing communications, the Information Barrier Policy Evaluation Service re-evaluates them: a 1:1 chat that is no longer allowed becomes read-only, and in group chats and teams the users whose participation now violates the policy are removed. So the roster is trimmed to compliant users and the blocked pair's existing chat is frozen to read-only.

Why the other options are wrong:

  • A. IB explicitly re-evaluates existing teams and chats when a policy is set or changed. Existing 1:1 chats become read-only and non-compliant members are removed from groups and teams; it is not forward-only.
  • B. IB does not delete the team; it removes the non-compliant members from it. The team and its compliant members remain.
  • C. IB removes whichever members are made non-compliant by the applied policy, determined by segment and policy direction, not a blanket removal of one named role while another keeps access.

Memory hook: IB application prunes the roster - non-compliant members are removed from the group/team, and existing 1:1 chats go read-only.

Microsoft Learn: https://learn.microsoft.com/purview/information-barriers-teams#ib-policy-application-in-teams

A project has wrapped. The administrator wants to make the team read-only, preserve all its channels, files, and chats for reference, and be able to bring it back later if needed. Which action fits, and what happens?

Correct answer: C. Archive the team; activity stops and content becomes read-only, its private channels and their sites are also archived, admins can still add/remove members and view content, and the team can be reactivated later.

Archiving a team (from the Teams admin center, or by a team owner) puts it in read-only mode: all activity ceases, but you can still view all activity in standard and private channels, files, and chats, and you can still add or remove members and update roles. Archiving a team also archives its private channels and their associated site collections, and you can optionally make the SharePoint site read-only for members (owners can still edit). An archived team can be reactivated with Restore. Deleting, by contrast, removes content, and a deleted team can't be directly restored (though the backing Microsoft 365 group is soft-deleted for 30 days).

Why the other options are wrong:

  • A. A deleted team can't be directly restored; you'd have to restore the underlying soft-deleted Microsoft 365 group within 30 days, and deletion removes content rather than preserving it read-only.
  • B. Expiration policies require a lifetime of 30 days or more and end in deletion, not indefinite read-only retention; there's no '0-day read-only' mode.
  • D. Archiving is reversible (Restore) and keeps membership - you can even add or remove members while the team is archived.

Memory hook: Archive = read-only + reversible; content and membership preserved (private channels archived too). Delete = gone (only the 30-day group soft-delete saves you).

Microsoft Learn: https://learn.microsoft.com/microsoftteams/archive-or-delete-a-team

A partner engineer from another company must be added to one specific team where they'll co-author files in the team's SharePoint site, post in channels, and join channel meetings as a member. Which capability must be enabled to support this?

Correct answer: C. Guest access

Guest access adds the external person to the team as a member with a Microsoft Entra B2B guest account, giving them access to team resources and the ability to co-author files. External access (federation) only enables cross-org chat, calls, and meetings; it cannot make someone a team member or share files.

Why the other options are wrong:

  • A. Open federation is just an external-access configuration; it still grants no team membership or file sharing.
  • B. Anonymous meeting join only lets people join a meeting without signing in - no membership or file access.
  • D. External access enables find/chat/call/meet across organizations but cannot add the person to a team or let them share files.

Memory hook: Guest JOINS the team (shares files); External just TALKS (chat/call/meet).

Microsoft Learn: https://learn.microsoft.com/microsoftteams/communicate-with-users-from-other-organizations

An organization enables a Microsoft 365 group expiration policy with a 180-day lifetime applied to all groups. A team owner worries that an actively used team will be deleted while the owner is on leave and unable to click 'Renew'. Under the default expiration policy behavior, what happens to an actively used team?

Correct answer: D. Activity-based auto-renewal renews the group automatically about 35 days before expiration when Microsoft Entra detects activity such as a Teams channel visit, so an actively used team renews without any owner action or notification.

Microsoft 365 group expiration includes activity-based automatic renewal. Microsoft Entra monitors activity signals across workloads - Teams (visiting a channel), SharePoint (view/edit/download/move/share/upload files), Outlook (join/read/write/like a group message), and Viva Engage (viewing a post) - and automatically renews the group around 35 days before expiration when activity is detected, with no renewal email and no manual action. A team in genuine use therefore renews itself; the owner being on leave doesn't put it at risk as long as members remain active.

Why the other options are wrong:

  • A. Auto-renewal is on by default when the expiration policy is configured. There is no per-team opt-in requirement for activity tracking.
  • B. Teams channel visits are an explicit renewal signal, alongside SharePoint, Outlook, and Viva Engage activity. Renewal is not limited to SharePoint.
  • C. Activity-based auto-renewal specifically prevents deletion of actively used groups. Deletion occurs only if there's no activity and the owner doesn't renew; an active team is auto-renewed.

Memory hook: Active teams renew themselves ~35 days out - one channel visit counts. Expiration culls the abandoned ones, not the busy ones.

Microsoft Learn: https://learn.microsoft.com/entra/identity/users/groups-lifecycle#activity-based-automatic-renewal

In External access, you select 'Allow only specific external domains' and add partner.com to the list. What is the effect on all other external domains?

Correct answer: A. All other external domains are blocked.

An allow list is exclusive: specifying allowed domains automatically blocks every domain not on the list. Only partner.com can be reached for external chat and meetings; all other external domains are blocked. A block list works the opposite way, allowing all domains except the ones listed.

Why the other options are wrong:

  • B. Subdomain behavior relates to the BlockAllSubdomains option on a block list, not to an allow list.
  • C. External access allow/block applies to communication generally, not selectively to chat versus meetings by domain type.
  • D. That is the behavior of a block list, not an allow list; specifying allowed domains blocks everything else.

Memory hook: Allow list = only these, block the rest. Block list = all but these.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/trusted-organizations-external-meetings-chat

A large enterprise has two separate Microsoft Entra tenants (Contoso and Fabrikam) and has configured a multitenant organization (MTO) so users in both tenants can search for and chat with each other natively in Teams without being treated as external guests. The Teams collaboration setting is enabled and confirmed in both tenants, external access is configured, and the cross-tenant sync jobs have run successfully (Fabrikam user objects are visible as members in Contoso's directory). A Teams administrator in Contoso notices the synced Fabrikam users still cannot be found in Teams search 30 minutes after the sync completed. What is the most likely cause?

Correct answer: A. The synced users have not yet appeared in Microsoft 365 services because synchronization can take up to 24 hours

Microsoft Learn documentation for MTO explicitly states: 'It might take up to 24 hours for synced users to be available in Microsoft 365 services such as Teams and SharePoint.' After cross-tenant sync jobs run and user objects are provisioned, there is a propagation delay before Teams can discover those users in search. The Teams collaboration setting and B2B direct connect are also required for full MTO Teams functionality, but the most likely cause of users not appearing in search immediately after sync is the 24-hour propagation window.

Why the other options are wrong:

  • B. B2B direct connect is relevant for shared channels in a non-MTO scenario. Within an MTO, external access policies and cross-tenant sync (B2B member users) are the primary mechanisms for Teams collaboration. B2B direct connect not being configured would not explain a timing issue just after MTO setup.
  • C. The Teams collaboration setting must be enabled for cross-tenant Teams search, chat, and calling, but the stem states it is already enabled and confirmed in both tenants, so it is not the cause here.
  • D. MTO does not require Teams Premium for all synced users. Teams Premium adds features such as custom policy packages, but the base MTO functionality for people search and chat does not mandate Teams Premium licensing for every synced user.

Memory hook: MTO sync propagation = up to 24 hours before synced users show in Teams. Don't panic, wait a day.

Microsoft Learn: https://learn.microsoft.com/microsoft-365/enterprise/sync-users-multi-tenant-orgs?view=o365-worldwide

Which statement correctly describes who can add guests to a team in Microsoft Teams?

Correct answer: B. Team owners can add guests, and the Teams Administrator can also add guests via the Teams admin center. Guest access in Teams requires no extra Microsoft 365 license.

Team owners can add guests to a team in the Teams client. Teams Administrators can also add guests to a team in the Teams admin center. Guest access is included with all Microsoft 365 Business Standard, Enterprise, and Education subscriptions, and no extra Microsoft 365 license is required for the guest feature itself. The Microsoft Entra External ID billing model applies for B2B users, but there is no separate Teams guest license requirement.

Why the other options are wrong:

  • A. Guest access is available with Microsoft 365 Business Standard, all Enterprise plans, and Education subscriptions. A specific higher-tier license such as Business Premium or E3 is not required to enable the guest access feature.
  • C. Team owners, not just Teams Administrators, can add guests. The Teams admin center is one path, but the Teams client is also available for team owners to use directly.
  • D. Team members (non-owners) cannot add guests to a team, even when guest access is enabled. Only team owners and Teams Administrators can add guests.

Memory hook: Guest add = Team Owner or Teams Admin. No extra license for the feature itself.

Microsoft Learn: https://learn.microsoft.com/en-us/microsoftteams/guest-access

A Teams administrator needs to configure an expiration policy for Microsoft 365 groups so that inactive teams are automatically flagged for renewal or deletion. In which admin center is the Microsoft 365 Groups expiration policy configured?

Correct answer: C. Microsoft Entra admin center

The Microsoft 365 Groups expiration policy is configured in the Microsoft Entra admin center (previously Azure AD admin center), under Identity, then Groups, then Expiration. It cannot be set in the Teams admin center, and the Microsoft 365 admin center provides only basic group management without the expiration lifecycle controls.

Why the other options are wrong:

  • A. The Microsoft 365 admin center provides a simplified interface for group creation and basic management. The expiration policy configuration requires the Microsoft Entra admin center, not the M365 admin center.
  • B. The Microsoft Teams admin center manages Teams-specific policies such as meeting, messaging, and calling policies. Group lifecycle settings such as expiration policies are not configured there.
  • D. The Microsoft Purview portal handles compliance solutions including retention policies, DLP, and eDiscovery. Microsoft 365 Group expiration is a governance feature managed in Microsoft Entra ID, not Purview.

Memory hook: Group expiration = Entra ID. Entra manages identity and group lifecycle.

Microsoft Learn: https://learn.microsoft.com/entra/identity/users/groups-lifecycle

A Teams administrator needs to configure a Microsoft 365 groups naming policy so that all group names created by end users include the department name as a prefix. Which Microsoft Entra ID license is the minimum required to configure and enforce this naming policy?

Correct answer: A. Microsoft Entra ID P1

Using a Microsoft Entra ID naming policy for Microsoft 365 Groups requires that the organization possesses (but does not necessarily assign to every user) a Microsoft Entra ID P1 license or a Microsoft Entra Basic EDU license. This applies to each unique user who is a member of one or more Microsoft 365 groups. The administrator who configures the naming policy also needs this license. P2 provides additional features beyond what is needed for naming policy. Entra ID Free does not include group naming policy capabilities.

Why the other options are wrong:

  • B. Microsoft Entra ID Governance is an add-on for lifecycle management features such as entitlement management, access reviews at scale, and Privileged Identity Management. It is not the minimum license required for a group naming policy.
  • C. Microsoft Entra ID P2 includes all P1 features plus additional capabilities such as Identity Protection and Privileged Identity Management. It is more than what is required; the minimum is P1.
  • D. Microsoft Entra ID Free does not include the group naming policy feature. A paid license is required.

Memory hook: Naming policy = Entra P1. Group expiration policy also = Entra P1. Both features share the same minimum license bar.

Microsoft Learn: https://learn.microsoft.com/microsoft-365/enterprise/groups-naming-policy?view=o365-worldwide

A company requires that all Microsoft 365 groups and Teams created by users include a department prefix in the group name, such as 'Finance-ProjectAlpha'. The Microsoft Entra ID naming policy is configured with a prefix using the [Department] attribute. Which users are exempt from this naming policy by default?

Correct answer: C. Global Administrators and User Administrators

Only four roles are exempt from the Microsoft 365 Groups naming policy: Global Administrator, User Administrator (User Account Administrator), Partner Tier 1 Support, and Partner Tier 2 Support. The trap is assuming Teams Administrators earn an exemption because they create teams all day; they are not on the list, and the naming policy applies to them like any other user.

Why the other options are wrong:

  • A. Security Administrators and Compliance Administrators have no special exemption from the Microsoft 365 Groups naming policy in Microsoft Entra ID.
  • B. Exchange Administrators and Teams Administrators are not listed in the Microsoft Entra ID naming policy exemption list. The naming policy applies to them when they create groups through Microsoft 365 apps.
  • D. While Global Administrators are exempt, Teams Administrators are not included in the naming policy exemption. A Teams Administrator creating a team is subject to the naming policy.

Memory hook: Naming policy exemptions: Global Admin + User Admin. The two 'Admin of admins' roles skip the naming rules.

Microsoft Learn: https://learn.microsoft.com/microsoft-365/enterprise/groups-naming-policy?view=o365-worldwide#custom-blocked-words

A contractor from another company must be added to a specific team, collaborate on files in the team's SharePoint document library, and join channel meetings. Which Teams collaboration method should you use?

Correct answer: C. Guest access

Guest access adds the contractor as a Microsoft Entra B2B collaboration guest in your directory, giving near-member capabilities including team membership, file collaboration, and meetings. External access provides only chat/call/meet with no access to team resources or file sharing.

Why the other options are wrong:

  • A. A shared-channel external participant collaborates only within one shared channel via direct connect; they are not added to the team itself.
  • B. Unmanaged/consumer Teams accounts are limited to chat, not team membership or file collaboration.
  • D. External access lets users chat, call, and meet with external Microsoft identities, but those users cannot be added to a team or share files.

Memory hook: Guest joins the team (files + meetings); external access is just chat/call/meet.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/communicate-with-users-from-other-organizations#compare-external-access-and-guest-access

In a channel, a team owner needs to be able to delete inappropriate posts that were sent by other members. Which messaging policy setting must be enabled?

Correct answer: D. Owners can delete sent messages

'Owners can delete sent messages' allows team owners to delete channel messages or posts sent by other users (excluding their own). This is the moderation control that lets an owner remove members' inappropriate posts.

Why the other options are wrong:

  • A. 'Users can delete messages sent by bots' targets bot messages, not member posts.
  • B. 'Delete chat' removes an entire conversation from a user's own chat list; it does not let an owner moderate a channel.
  • C. 'Delete sent messages' lets users delete their OWN chat messages, not messages other members posted.

Memory hook: Owners deleting OTHERS' posts = 'Owners can delete sent messages'; deleting your own = 'Delete sent messages.'

Microsoft Learn: https://learn.microsoft.com/microsoftteams/messaging-policies-in-teams

Teams Monitoring and Troubleshooting (15 questions)

Go deeper on this topic in Microsoft Teams Monitoring and Troubleshooting Field Guide.

You need to let a group of Tier-1 helpdesk agents view per-user Call Analytics so they can collect basic information and escalate call issues. They must NOT have access to the rest of the Teams admin center, and you want to grant the least privilege necessary. Which Microsoft Entra role should you assign?

Correct answer: B. Teams Communications Support Specialist

The Teams Communications Support Specialist gives limited (Tier-1) per-user call analytics with a restricted view - and no access to the rest of the Teams admin center. That is the least-privilege fit for agents who collect basic information and escalate.

Why the other options are wrong:

  • A. The Teams Administrator has full Teams admin center access, far more than required, so it is not least privilege.
  • C. The Teams Device Administrator cannot view call analytics at all, so the agents could not perform the task.
  • D. The Support Engineer grants full detailed (Tier-2) call data, more than needed for basic collection and escalation.

Memory hook: Basic triage goes to the Specialist; deep dives go to the Engineer. Least privilege picks Specialist.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/set-up-call-analytics#give-permission-to-support-and-helpdesk-staff

A Tier-1 helpdesk agent holding the Teams Communications Support Specialist role is troubleshooting a user's poor call. They can open the user's Meetings & Calls session, but the Advanced and Debug tabs don't show device names, IP addresses, subnet mapping, DNS suffix, or Wi-Fi SSID. Escalation to Tier 2 is needed. Which role provides full visibility of that detailed call data?

Correct answer: D. Teams Communications Support Engineer

The Teams Communications Support Engineer (Tier 2) sees the detailed call-log information hidden from the Specialist - including the Advanced tab (device names, IP address, subnet mapping) and the Debug tab (DNS suffix, SSID). Phone numbers remain obfuscated for every role.

Why the other options are wrong:

  • A. The Teams Device Administrator manages Teams devices but has no access to call analytics or call quality data.
  • B. The Reports Reader can view usage and CQD reports but not the per-user Advanced/Debug call-analytics detail.
  • C. The Teams Telephony Administrator manages voice/phone numbers and can see PSTN usage reports, but it is not the role that unlocks detailed per-user call analytics.

Memory hook: Specialist sees the surface; Engineer sees the depths - Advanced + Debug (IP, subnet, DNS, SSID).

Microsoft Learn: https://learn.microsoft.com/microsoftteams/use-call-analytics-to-troubleshoot-poor-call-quality#what-does-each-teams-support-role-do

Finance asks how many of this month's pooled Calling Plan and audio-conferencing minutes your organization has used and how many remain, broken down by license and country/region. Which Teams admin center report answers this directly?

Correct answer: A. PSTN minute pools report

The PSTN minute pools report gives an overview of audio conferencing and calling activity for the current month, showing total minutes available, minutes used, and minutes remaining, broken down by the license (capability) used and by location.

Why the other options are wrong:

  • B. The PSTN blocked users report lists blocked users and reasons; it says nothing about minute pools.
  • C. The Teams user activity report covers per-user messaging and meeting activity, not PSTN minute pools.
  • D. The PSTN usage report provides per-call detail records (time, number, duration, charge), not the pooled minute balance.

Memory hook: Minutes remaining this month: PSTN minute POOLS (a pool is a balance).

Microsoft Learn: https://learn.microsoft.com/microsoftteams/teams-analytics-and-reports/pstn-minute-pools-report

In the Teams user activity report, your analysts see hashed values instead of real display names, group names, and email addresses. Leadership wants the actual names shown so they can follow up with low-adoption users. What must be done, and who can do it?

Correct answer: B. A Global Administrator turns on (selects) 'Display concealed user, group, and site names in all reports' in the Microsoft 365 admin center (Settings, then Org Settings, then Services, then Reports); the change applies to both Microsoft 365 and Teams admin center reports.

Name concealment is a tenant-wide reports privacy setting (MD5 hashing, on by default since September 1, 2021) that only a Global Administrator can change, in the Microsoft 365 admin center under Settings, then Org Settings, then Services, then Reports. Because the checkbox is labeled 'Display concealed user, group, and site names in all reports,' you must select/turn ON the setting to reveal real names (clearing it re-conceals them). This single tenant-wide setting governs both the Microsoft 365 usage reports and the Teams admin center usage reports (and Microsoft Graph/Power BI).

Why the other options are wrong:

  • A. The hashing is the Microsoft 365 reports privacy setting, not a CQD EUII control, and it is unrelated to the Teams Communications Support Engineer role.
  • C. Exporting to CSV does not resolve the MD5 hashes. While the setting is on, the export is de-identified exactly like the on-screen report, and a Reports Reader cannot change the privacy setting.
  • D. There is no separate anonymization toggle in the Teams admin center, and a Teams Administrator cannot change it. Concealment is a Microsoft 365 admin center tenant-wide reports setting that requires Global Administrator and applies to both M365 and Teams reports.

Memory hook: The checkbox is named for what you WANT to see: 'Display concealed names' - turn it ON to reveal, and only a Global Admin holds that key.

Microsoft Learn: https://learn.microsoft.com/microsoft-365/admin/activity-reports/activity-reports#show-user-group-or-site-details-in-usage-reports

A user reports choppy audio on a PSTN call and separately on a 1:1 Teams call. You open the user's profile in the Teams admin center and try to use Real-Time Analytics (real-time telemetry) to watch the media metrics live, but no real-time data is available for those calls. Why?

Correct answer: A. Real-time telemetry is only available for scheduled meetings and Meet Now; it isn't available for PSTN calls, 1:1 calls, or group calls.

Real-Time Analytics is limited to scheduled meetings and Meet Now. PSTN calls, 1:1 calls, and group calls are explicitly unsupported, so no live telemetry is shown for them regardless of role, age, or network.

Why the other options are wrong:

  • B. Managed vs unmanaged subnet affects CQD Inside/Outside classification, not whether real-time telemetry exists for a given call type.
  • C. Retention is not the issue here; these call TYPES are unsupported for real-time telemetry regardless of age.
  • D. The support roles govern which admin or agent can VIEW telemetry, not whether telemetry is collected on a user's calls.

Memory hook: Real-Time Analytics = meetings only (scheduled + Meet Now). No PSTN, no 1:1, no group calls.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/use-real-time-telemetry-to-troubleshoot-poor-meeting-quality

During a 12-participant Teams conference, one participant reported choppy incoming audio. A support engineer analyzing the session in the Call Quality Dashboard wants to determine whether the degradation occurred on that participant's outbound leg to the conference server or on the inbound leg from the server to the participant. Which type of CQD data supports this determination, and why?

Correct answer: C. Stream-based measurements, because each stream represents one direction between two endpoints, so quality metrics can be attributed to a specific leg.

Microsoft's quality of experience guidance explains why stream-level analysis is preferred over call-level analysis for root cause work: streams identify which particular leg of the call was poor - outgoing or incoming. A stream flows in exactly one direction between two endpoints, so jitter, packet loss, and round-trip metrics on a stream tell you the direction and the endpoint involved. Call data gives usage metrics but does not necessarily lead to the root cause of poor quality: when any stream in a call is poor, the whole call is flagged poor, hiding which side or leg degraded. For a conference, stream direction reveals whether the participant's uplink or downlink was the problem, which drives completely different remediation.

Why the other options are wrong:

  • A. Total Call Count is a volume measure (and one that relies on a distinct-count operation with a documented error factor). It counts calls; it carries no directional quality information.
  • B. Call-level aggregation is exactly what hides the answer: a poor call flag does not reveal whether the sending or receiving leg degraded, or which participant's leg was responsible.
  • D. The user activity report is an adoption/usage report showing counts and durations (meetings attended, audio time). It contains no network quality metrics such as packet loss or jitter and cannot attribute degradation to a stream direction.

Memory hook: Streams have direction; calls don't. Root-cause hunting = streams.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/quality-of-experience-review-guide#what-is-quality

You use your own session border controller (SBC) with Direct Routing. Calls are intermittently failing and you want per-call diagnostics - SBC FQDN, final SIP response code, Microsoft subcode, and a correlation ID - to investigate signaling between your SBC and Microsoft's SIP Proxy. Where in the Teams admin center do you find this?

Correct answer: C. The Direct Routing tab of the PSTN usage report (Analytics & reports, then Usage reports)

The Direct Routing tab of the PSTN usage report is built for diagnosing signaling between your SBC and Microsoft's SIP Proxy. It surfaces the SIP call flow: start/invite/failure/end times, SBC FQDN, Azure region, final SIP code, final Microsoft subcode, final SIP phrase, and correlation ID.

Why the other options are wrong:

  • A. The Calling Plans tab covers Microsoft-carried calls (Calling Plans and Operator Connect) with minutes, cost, and numbers, not SBC/SIP diagnostics.
  • B. The PSTN minute pools report shows licensed-minute consumption for the month, not per-call SIP diagnostics.
  • D. The PSTN blocked users report lists users blocked from PSTN and the reason; it carries no SIP/SBC call detail.

Memory hook: SBC + SIP codes + correlation ID points to the Direct Routing tab of the PSTN usage report.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/teams-analytics-and-reports/pstn-usage-report

You need a per-user breakdown showing how many 1:1 calls each user participated in, how many meetings they organized versus participated in, and their last activity date. Which Teams admin center report provides this?

Correct answer: C. The Teams user activity report.

The Teams user activity report gives per-user metrics: channel and private chat messages, 1:1 calls participated in, meetings organized versus participated in, audio/video/screen-share time, and each user's last activity date.

Why the other options are wrong:

  • A. The Teams usage report is team-scoped (active users, active channels, messages, guests), not per-user call/meeting counts.
  • B. The PSTN minute pools report shows calling-plan minutes consumed by license and region, not per-user activity.
  • D. The device usage report breaks activity down by platform (Windows, Mac, iOS, Android), not per-user calls and meetings.

Memory hook: Per-USER calls and meetings = USER activity report; per-team totals = usage report.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/teams-analytics-and-reports/user-activity-report

A user reports that Teams is displaying stale data and behaving unexpectedly on their Windows computer running new Teams (not classic Teams). The Teams administrator wants to clear the cache without resetting app personalization settings if possible. Which path should the administrator use to delete the cache files for new Teams on Windows?

Correct answer: C. %userprofile%\appdata\local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams

For new Teams on Windows, the cache files are located at %userprofile%\appdata\local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams. Deleting files in this directory clears the cache without using the app Reset option (which also deletes personalization settings). The path %appdata%\Microsoft\Teams is the classic Teams cache location, not the new Teams cache location.

Why the other options are wrong:

  • A. C:\ProgramData\Microsoft\Teams is not a documented Teams cache location. Teams user cache is stored in the user profile directory, not in ProgramData.
  • B. C:\Program Files\Microsoft\Teams is not the correct cache location. Program Files contains application binaries, not user cache data.
  • D. The path %appdata%\Microsoft\Teams is the cache location for the classic (old) Teams client on Windows, not for the new Teams client. Using this path on a new Teams installation would not clear the correct cache.

Memory hook: New Teams cache = MSTeams_8wekyb3d8bbwe in LocalCache. Classic Teams cache = %appdata%\Microsoft\Teams. Know which client you are clearing.

Microsoft Learn: https://learn.microsoft.com/troubleshoot/microsoftteams/teams-administration/clear-teams-cache

A developer needs to programmatically pull raw per-call and per-stream quality records (jitter, packet loss, endpoint IPs) into a custom data pipeline, scripted through the Microsoft Graph PowerShell SDK rather than the CQD portal UI. Which data source is designed for this?

Correct answer: B. The Microsoft Graph callRecords API (call records / CDR), which exposes raw call-quality records for programmatic access.

The Microsoft Graph callRecords API is the documented programmatic path to raw call-quality data and can be scripted through the Graph PowerShell SDK or REST. Microsoft notes that callRecords may not contain every CQD field and that naming conventions can differ between the two.

Why the other options are wrong:

  • A. Get-CsUserCallingSettings returns call forwarding, delegation, and group-call-pickup settings - not QoE media metrics.
  • C. Get-CsCallQueue Statistics reports current queue size (a line being retired in 2026), not per-stream jitter or packet loss.
  • D. The Power BI Connector powers Power BI templates; it is not a PowerShell/scripting extraction interface, and it is not the only option.

Memory hook: Raw call records in code = Graph callRecords API, not a Cs* cmdlet.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/cqd-data-and-reports

A department manager requests an export of the Teams user activity report. When the Teams administrator downloads the report from the Teams admin center, the display name and email columns contain 32-character hexadecimal strings instead of user names. What must be done so the report shows actual user names?

Correct answer: C. A Global Administrator must turn off the 'Display concealed user, group, and site names in all reports' setting in the Microsoft 365 admin center under Settings, then Org settings, then Services, then Reports.

Since September 1, 2021, Microsoft conceals identifiable information in usage reports by default, replacing display names, group names, emails, and Microsoft Entra IDs with MD5 hashes to help organizations support local privacy laws. Only a Global Administrator can change this: in the Microsoft 365 admin center, go to Settings, then Org Settings, then the Services tab, then Reports, and change the 'Display concealed user, group, and site names in all reports' setting. The setting applies simultaneously to usage reports in the Microsoft 365 admin center, the Teams admin center, Microsoft Graph, and Power BI. Because it is an org-wide privacy control, changing it should go through change control, and some organizations must legally keep it enabled.

Why the other options are wrong:

  • A. There is no independent identifiable-reporting toggle in the Teams admin center. The single setting in the Microsoft 365 admin center governs both portals' usage reports, plus Graph and Power BI outputs.
  • B. Report anonymization is a tenant-level setting, not a role-based view restriction. Reports Reader is one of the roles that can access usage reports, but no role assignment reveals concealed names while the org setting is enabled.
  • D. The 28-day purge applies to EUII fields in Call Quality Dashboard records, not to usage reports. Usage report anonymization is a reversible display setting; once a Global Administrator disables it, reports show actual names again.

Memory hook: Hex strings in reports = concealed-names setting (default ON since Sept 2021). Fix: Global Admin in the M365 admin center, Org settings, then Services, then Reports.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/teams-analytics-and-reports/teams-reporting-reference

In the Teams admin center meeting troubleshooting view, a completed meeting shows an issue for one participant categorized under the 'Media' root cause area. How should the administrator interpret this classification?

Correct answer: A. There is high confidence that the user experienced noticeably degraded media quality, without the issue being attributed to the network, compute, or device categories.

The meeting troubleshooting experience categorizes each detected issue into one of four root cause areas: Network (poor network conditions), Compute (lack of processing/memory resources on the user's device), Device (microphone, speaker/headphones, or camera), and Media, which Microsoft defines as 'high confidence that the user experienced noticeably degraded media quality.' Media is the classification the intelligent media quality classifiers assign when they are confident the experience was degraded but the telemetry does not pin the cause to one of the other three areas. Operationally, a Media classification is the signal to export the session telemetry for deeper analysis or escalate to Tier 2, since the system has confirmed a real degradation without isolating a single subsystem.

Why the other options are wrong:

  • B. Insufficient processing or memory resources on the endpoint map to the 'Compute' root cause area. Media does not indicate a resource constraint; it indicates confirmed perceptible degradation without a single attributed cause.
  • C. Network conditions have their own root cause area named 'Network.' If the classifiers had attributed the degradation to the network path, the issue would have been categorized there, not under Media.
  • D. Peripheral problems - microphone, speaker/headphones, or camera - map to the 'Device' root cause area, which is distinct from Media.

Memory hook: Media = 'we're sure it was bad, not sure why.' Network/Compute/Device name the culprit; Media names the experience.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/monitor-troubleshoot-teams-meetings-calls#investigate-a-meeting

Using the Teams admin center's Notifications & alerts framework, you want to be notified whenever a specific set of executives experiences audio problems (packet loss, jitter, high round-trip time) during in-progress meetings, with alerts posted to a Teams channel. Which prerequisite must those monitored executives meet for the rule to work?

Correct answer: C. Each monitored attendee must have a Teams Premium or Teams Rooms Pro license.

The in-progress meeting audio (and video/screen-sharing) quality alert rules only monitor attendees who hold a Teams Premium or Teams Rooms Pro license. A Teams service admin configures the rule under Notifications & alerts, then Rules, and alerts can be delivered to a Teams channel or a webhook.

Why the other options are wrong:

  • A. Managed-subnet upload affects CQD Inside/Outside reporting and optional subnet scoping of alerts, but it is not the prerequisite that makes a user eligible for monitoring.
  • B. The support roles determine which admins/agents can troubleshoot; they are not a licensing prerequisite on the monitored users.
  • D. CQD activation is a tenant-wide enablement, not an account-level toggle, and it is not what enables in-progress meeting alerting for a user.

Memory hook: In-progress meeting quality alerts watch only Premium / Teams Rooms Pro users.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/alerts/teams-admin-alerts

You upload a building data file in the Teams admin center under Analytics & reports, then Building and endpoint data, mapping your corporate subnets so Call Quality Dashboard (CQD) can distinguish internal (managed) networks. Two days later a colleague reports that calls they made LAST WEEK still show their subnet as unmapped and their location as Outside in CQD. What is the most likely reason?

Correct answer: C. Building and endpoint data is applied only to calls that occur after the file's specified start date; it is not applied retroactively to earlier calls.

When you upload a building/endpoint file you set a start date, and the data is joined only to call records generated after that date. It is never applied retroactively, so calls made before the upload's effective start (like last week's) stay unmapped and continue to report as Outside.

Why the other options are wrong:

  • A. The building data file must NOT contain a header row; its first line is expected to be real data. A missing header is normal, not a rejection cause.
  • B. Processing takes up to ~4 hours, and two days have already passed. Processing also never back-fills calls that predate the file's start date.
  • D. Activating CQD is a one-time tenant enablement, and it would never retroactively re-map old calls, so it can't explain a week-old subnet staying unmapped.

Memory hook: Building data is forward-only: it maps tomorrow's calls, never yesterday's.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/cqd-upload-tenant-building-data

After uploading a building data file, a Teams administrator opens the Missing Subnet Report on the Quality of Experience Reports page in CQD to find managed subnets that were missed. The report returns hundreds of unfamiliar subnets that do not belong to the organization's address space. The organization regularly meets with federated partner organizations. What should the administrator do to make the report actionable?

Correct answer: C. Add a query filter on the Second Tenant ID dimension set to the organization's own tenant ID, because the report otherwise shows federated subnets.

Microsoft Learn's building data guidance is explicit: to filter the Missing Subnet Report to view only your organization's tenant data, you need to add your tenant ID as a query filter for Second Tenant ID; otherwise, the report shows federated subnets. The report presents all subnets with 10 or more audio streams that are not defined in the building data file, and in an environment with heavy federation, partner-tenant subnets flood the list and make it look far worse than it is. Filtering on your own tenant ID narrows results to your unmatched subnets, which are the only ones you can actually add to your building file. Microsoft also recommends adjusting the Month Year filter to the current month.

Why the other options are wrong:

  • A. The VPN column triggers full subnet expansion, which degrades query performance and can push the file past the expanded row limit. It flags VPN subnets; it has nothing to do with federated noise in the Missing Subnet Report.
  • B. The 10-audio-stream minimum is a deliberate noise filter in the report design. The problem described is too many irrelevant subnets, not too few - lowering the threshold would make the noise worse, and it is not what the documentation prescribes.
  • D. Common home subnets are already excluded from the Missing Subnet Report by design. The unfamiliar subnets in this scenario come from federated partner tenants, which the Second Tenant ID filter removes.

Memory hook: Missing Subnet Report shows everyone's subnets by default - filter Second Tenant ID = YOUR tenant, or you're chasing partners' networks.

Microsoft Learn: https://learn.microsoft.com/microsoftteams/cqd-upload-tenant-building-data#locate-missing-subnets