Free practice questions

SharePoint practice questions, with full explanations

75 free SharePoint (SharePoint Online Administration) questions, each with the correct answer, a breakdown of why every other option is wrong, a memory hook, and the Microsoft Learn reference. Prefer to be quizzed? Take the interactive SharePoint quiz, which scores you by topic and points you to the guide that fits your weak spots.

SharePoint Sites and Architecture (15 questions)

Go deeper on this topic in SharePoint Online Sites and Architecture Field Guide.

On the Site creation page in the SharePoint admin center, an administrator clears the 'Users can create SharePoint sites' checkbox. A user later reports they were still able to get a brand-new SharePoint team site created. How is this possible?

Correct answer: C. Creating a Microsoft 365 group or a Team still provisions a connected team site; that checkbox doesn't govern group creation.

The 'Users can create sites' toggle controls self-service creation from SharePoint, OneDrive, PnP PowerShell, and the REST API. It does not stop users from creating Microsoft 365 groups or Teams elsewhere in Microsoft 365, and each group always comes with a connected team site.

Why the other options are wrong:

  • A. The setting affects self-service SharePoint site creation broadly; it is not limited to communication sites.
  • B. Site collection admin status does not exempt a user from this tenant-level setting.
  • D. The setting is not subject to a 30-day propagation delay.

Memory hook: Blocking SharePoint site creation is not the same as blocking Groups - every Group brings a site.

Microsoft Learn: https://learn.microsoft.com/sharepoint/manage-site-creation

A user creates a private channel in a Teams team. Afterward, a new SharePoint site you didn't provision appears in Active sites, and its permissions show as read-only in the SharePoint admin center. What is happening?

Correct answer: A. Private (and shared) channels each provision a separate SharePoint site; its membership is managed in Teams, so SharePoint shows it read-only.

Both private and shared channels create their own separate SharePoint site (a channel site) distinct from the parent team's site. Channel-site permissions must be managed in Teams - channel owners/members become site owners/members - so SharePoint displays them in read-only mode. Channel sites are also blocked from joining hubs.

Why the other options are wrong:

  • B. Private channels do NOT reuse the parent site; they get their own site collection - it's not an artifact.
  • C. No hub is created; the new site is a channel site, and unregistering a hub is irrelevant.
  • D. The site is legitimate and in use by the channel; deleting it would break the private channel's files.

Memory hook: Private/shared channel = its own SharePoint site, run from Teams (read-only in SPO).

Microsoft Learn: https://learn.microsoft.com/sharepoint/teams-connected-sites

Contoso's tenant was created in 2017, so the root site at https://contoso.sharepoint.com is a classic team site. The administrator wants a modern intranet landing page at the root URL using the Replace site (site swap) operation in the SharePoint admin center. Which candidate satisfies the documented requirements for the incoming site?

Correct answer: B. A communication site (SITEPAGEPUBLISHING#0) on which the publishing feature has never been activated and which is neither a hub site nor associated with any hub.

Microsoft Learn lists the site swap limitations: the new root site must be a communication site (SITEPAGEPUBLISHING#0) or a modern team site that is not connected to a Microsoft 365 group (STS#3), and one where the publishing feature has never been activated. Additionally, when replacing the root site, neither the current site nor the new site can be hub sites or associated with a hub; hubs must be unregistered (or sites disassociated) first, then re-registered after the swap. The root site itself cannot be deleted and cannot be connected to a Microsoft 365 group, which is why swap is the supported replacement path.

Why the other options are wrong:

  • A. Classic publishing sites are not a supported incoming template, and any site where the publishing feature was ever activated is disqualified even if it has since been dressed up with modern pages.
  • C. Neither the current root nor the incoming site can be a hub or associated with a hub at swap time. A hub must be unregistered before the swap and re-registered afterward; hub status does not carry through.
  • D. Group-connected team sites are not eligible incoming sites. Only communication sites or modern team sites without a Microsoft 365 group qualify, and the root site can never be group-connected.

Memory hook: Root swap wants a clean modern site: a comm site or groupless modern team site, publishing never touched, no hub strings attached on either side.

Microsoft Learn: https://learn.microsoft.com/sharepoint/modern-root-site

In the SharePoint admin center an administrator lowers the default OneDrive storage limit from 1024 GB to 200 GB. Several users are currently storing between 300 GB and 500 GB in their OneDrive. What happens to those over-limit users' OneDrive?

Correct answer: C. Their OneDrive becomes read-only until their stored data drops below the new 200 GB limit.

Decrease the storage limit below what a user already stores, and that user's OneDrive flips to read-only: they can still view and download, but they can't add or modify content. It stays that way until usage falls back under the new limit.

Why the other options are wrong:

  • A. Over-quota results in read-only, not a NoAccess lock/403; NoAccess is an administrative lock state, unrelated to quota.
  • B. SharePoint and OneDrive never auto-delete files to enforce a quota.
  • D. The default limit applies to all new and existing licensed users without a specific limit, not just new users.

Memory hook: Over the line = read-only, not deleted.

Microsoft Learn: https://learn.microsoft.com/sharepoint/set-default-storage-space

You want every newly created Microsoft 365 group-connected team site to default to the Eastern time zone and a specific default storage limit. In the SharePoint admin center, where do you configure these defaults for new sites?

Correct answer: B. Settings, then Site creation.

The Site creation page (under Settings) is where you choose the managed path (/sites or /teams) for new group-connected team sites and set the default time zone and default storage limit applied to newly created sites. Per-site overrides happen later on an individual site's General tab.

Why the other options are wrong:

  • A. The Active sites General tab changes one existing site at a time, not the defaults for all future sites.
  • C. Site storage limits toggles Automatic vs Manual tenant-wide; it doesn't set the default time zone for new sites.
  • D. Home sites designates the organization landing page; it has nothing to do with new-site defaults.

Memory hook: Defaults for NEW sites (time zone, storage, /sites vs /teams) live on Settings, then Site creation.

Microsoft Learn: https://learn.microsoft.com/sharepoint/manage-site-creation

A site template references site scripts that together contain 120 actions. When an administrator applies it with Invoke-SPOSiteDesign, the run fails, but applying the same template through the site's UI succeeds. What explains the difference?

Correct answer: C. Invoke-SPOSiteDesign applies scripts synchronously and is capped at 30 actions; the UI (and Add-SPOSiteDesignTask) apply asynchronously with a 300-action / 100,000-character limit.

Applying a site design synchronously via Invoke-SPOSiteDesign is capped at 30 actions/subactions. Applying it asynchronously - through the UI or Add-SPOSiteDesignTask - raises the limit to 300 actions (or 100,000 characters), so a 120-action design succeeds there.

Why the other options are wrong:

  • A. The UI doesn't batch behind the scenes; it applies asynchronously under a higher single limit.
  • B. The synchronous cap is 30 (not 100) and the asynchronous cap is 300 (not 120).
  • D. Invoke-SPOSiteDesign supports team, communication, and other supported templates; template type is not the cause.

Memory hook: 30 sync (Invoke), 300 async (Task/UI).

Microsoft Learn: https://learn.microsoft.com/sharepoint/dev/declarative-customization/site-design-overview

A Multi-Geo tenant's primary geography is North America (NAM), with Europe (EUR) configured as a satellite location. A user whose Preferred Data Location (PDL) is EUR creates a new Microsoft 365 group from Outlook, which provisions a group-connected SharePoint site. Where are the group's SharePoint site and mailbox created?

Correct answer: B. In EUR, because the group's PDL is automatically set to the creating user's PDL, and the group site and mailbox are provisioned in that geo location.

Microsoft Learn states: 'When users in a multi-geo environment create a Microsoft 365 group, the group preferred data location (PDL) is automatically set to that of the user,' and both the group mailbox and the SharePoint site associated with the group are provisioned in that PDL. Administrators (Global, SharePoint, and Exchange admins) can additionally create groups in any geography they select, either from the geo-specific SharePoint admin center or with New-UnifiedGroup -MailboxRegion. Note that group site provisioning is on-demand: the site is created the first time an owner or member accesses it. If a user's PDL is not set or points to a non-configured location, resources land in the primary provisioned geography instead.

Why the other options are wrong:

  • A. User-created groups follow the creating user's PDL, not the primary geography. Administrator action is only needed to target a geography different from the creator's PDL.
  • C. Provisioning happens directly in the PDL geography; there is no automatic post-creation migration job. Moving a group's site between geographies is a separate, admin-initiated operation with its own procedure.
  • D. There is no geography picker in the end-user group creation flow. The geo location is derived silently from the creator's PDL.

Memory hook: Groups are born where their creator's PDL points. Admins can pick a different birthplace; users cannot.

Microsoft Learn: https://learn.microsoft.com/microsoft-365/enterprise/multi-geo-add-group-with-pdl

A SharePoint Administrator needs to organize 50 department sites so that each department site inherits navigation and theme from a central departmental landing page. The sites must remain independent site collections with no shared permissions. Which SharePoint feature should the administrator configure?

Correct answer: C. Hub site registration and site association

Hub sites connect and organize independent site collections so that associated sites inherit the hub navigation and theme. Hub association does not affect the permissions of either the hub site or the associated sites, which satisfies the requirement for independent permission management. Up to 2,000 hub sites can be registered per tenant.

Why the other options are wrong:

  • A. A site collection app catalog controls custom app deployment, not navigation or theme inheritance across sites.
  • B. Subsites share permissions with the parent site collection by default and create a hierarchical dependency. This contradicts the requirement for independent site collections.
  • D. 'SharePoint gateway site' is not a SharePoint product feature. Site scripts can provision content but do not provide ongoing navigation inheritance.

Memory hook: Hub = shared navigation/theme, zero permission bleed. Think: hub connects, does not control.

Microsoft Learn: https://learn.microsoft.com/sharepoint/create-hub-site

The internal communications team needs a new SharePoint site where a handful of authors will publish company news, policies, and announcement pages for thousands of employees to read. The team explicitly does not want a shared mailbox, Planner plan, or Teams team provisioned alongside the site. Which site type should the administrator create?

Correct answer: C. A communication site

A communication site is designed for exactly this pattern: a small number of content authors creating and maintaining content for a much wider audience that consumes it. Per Microsoft Learn, a communication site does not have a backing Microsoft 365 group, so no group mailbox, Planner, or Teams resources are provisioned with it. Access is managed through SharePoint groups and permission levels, which lets the owners keep authoring rights narrow while granting broad read access.

Why the other options are wrong:

  • A. A group-connected team site provisions exactly the resources the team does not want (group mailbox, Planner, optional Teams team), and its collaboration model assumes all members jointly author content rather than a broadcast pattern.
  • B. Classic publishing sites are legacy architecture. The modern replacement for broadcast and publishing scenarios is the communication site, and creating new classic publishing sites is discouraged.
  • D. A channel site is provisioned automatically when a Teams private or shared channel is created and its membership is driven by the channel. It cannot be created directly as a standalone publishing site.

Memory hook: Few write, many read, no group baggage = communication site. Team sites collaborate, communication sites broadcast.

Microsoft Learn: https://learn.microsoft.com/sharepoint/dev/solution-guidance/modern-experience-customizations-provisioning-sites

An organization is standardizing new-site provisioning by building custom site scripts and site templates (site designs). What is the per-tenant maximum number of each that SharePoint allows?

Correct answer: D. 100 site scripts and 100 site templates per tenant.

SharePoint caps a tenant at 100 site scripts and 100 site templates (site designs). The 30 and 300 numbers are per-application action limits, not the count of stored objects.

Why the other options are wrong:

  • A. 30 is the synchronous action limit per application, not the number of scripts a tenant may store.
  • B. Both limits are 100; scripts are not capped at 200.
  • C. Neither is unlimited; both scripts and templates are capped at 100.

Memory hook: 100 scripts, 100 templates - the 30/300 numbers are actions, not objects.

Microsoft Learn: https://learn.microsoft.com/sharepoint/dev/declarative-customization/site-design-overview

A multi-geo tenant has its Primary Provisioned Geography in North America (NAM) and satellite locations in EUR and AUS. A user whose Preferred Data Location (PDL) has never been set creates a Microsoft 365 group-connected team site. Where is the site (and its group mailbox) provisioned?

Correct answer: D. In the Primary Provisioned (central) geography - NAM.

In multi-geo, the creating user's PDL determines the geography for a group-connected site. If the PDL isn't set (or is set to a geo that isn't configured as a satellite), the site and its group mailbox are created in the Primary Provisioned Geography (the central location).

Why the other options are wrong:

  • A. A missing PDL does not block creation; it simply defaults placement to the central geo.
  • B. There is no alphabetical satellite selection; the fallback is always the primary geography.
  • C. Placement is deterministic (central fallback), not randomized for load balancing.

Memory hook: No PDL? Home to the primary (central) geo.

Microsoft Learn: https://learn.microsoft.com/microsoft-365/enterprise/multi-geo-capabilities-in-onedrive-and-sharepoint-online-in-microsoft-365

Your HR department needs a site to broadcast policy updates to all 20,000 employees. A handful of HR editors will author content; everyone else should only read it. You want the simplest permissions model, with no group mailbox or shared calendar attached. Which site type fits best, and how are its permissions managed?

Correct answer: A. A communication site, managed through the site's Owners, Members, and Visitors SharePoint groups.

Communication sites are built for broadcasting news and content to a broad audience with a few authors and many readers. They are not connected to a Microsoft 365 group (no mailbox or calendar) and use the standard SharePoint Owners, Members, and Visitors groups for permissions.

Why the other options are wrong:

  • B. Classic publishing portals are legacy; Microsoft recommends modern communication sites, which simplify away the Approver/Designer roles.
  • C. Team sites are group-connected (mailbox, calendar, Planner) and optimized for member collaboration, adding group resources you explicitly don't want for a one-to-many broadcast.
  • D. Channel sites are tied to a Teams channel and managed in Teams, a poor fit for an org-wide read-only broadcast.

Memory hook: Broadcast = Communication site: no group, just Owners/Members/Visitors.

Microsoft Learn: https://learn.microsoft.com/sharepoint/modern-experience-sharing-permissions

A tenant has been manually assigning per-site storage limits (for example 50 GB and 100 GB on various sites). An administrator opens Settings, then Site storage limits, and switches the option from Manual to Automatic. What happens to the previously configured per-site limits?

Correct answer: D. Each site's limit is reset to 25 TB (25600 GB), and sites then draw from the shared pool as needed.

When you switch from manual limits to pooled (Automatic) storage, SharePoint resets all site limits to 25 TB (25600 GB); sites then consume from the central pool as needed. The tenant's actual total storage may be less than 25 TB.

Why the other options are wrong:

  • A. There is no reset to 1 GB; 1 GB is only the floor for a manually entered value.
  • B. Manual caps are discarded when switching to Automatic; they are not retained.
  • C. Pooled storage is not divided evenly per site - each site can use up to 25 TB from the shared pool.

Memory hook: Flip to Automatic = every site jumps to 25 TB.

Microsoft Learn: https://learn.microsoft.com/sharepoint/manage-site-collection-storage-limits

To reduce site sprawl, an admin clears 'Users can create SharePoint sites' on the Site creation page. Weeks later, new team sites keep appearing whenever employees create teams in Microsoft Teams. Why, and what actually controls this?

Correct answer: B. Creating a Microsoft 365 group (for example, via a new team) always provisions a connected team site; to stop this you must restrict who can create Microsoft 365 Groups.

The 'Users can create SharePoint sites' setting governs site creation from SharePoint, OneDrive, PnP PowerShell, and REST, but it does not stop Microsoft 365 group creation. Every Microsoft 365 group (including one a new team creates) comes with a connected team site. To block those, you must manage who can create Microsoft 365 Groups (in Microsoft Entra).

Why the other options are wrong:

  • A. The setting affects SharePoint site and OneDrive shared-library creation, not just OneDrive; team sites come from group creation regardless.
  • C. This is by design, not a replication delay; the sites will keep appearing.
  • D. Group-connected team sites are created by end users through group/Teams creation, not solely by admins.

Memory hook: Turning off 'create sites' doesn't stop groups - gate Microsoft 365 Groups to stop team sites.

Microsoft Learn: https://learn.microsoft.com/sharepoint/manage-site-creation

You are planning a hub-site information architecture for your organization. Which statement about hub site limits in SharePoint Online is correct?

Correct answer: A. You can create up to 2,000 hub sites per organization; any site designated as a hub counts toward that limit (including hub-to-hub associations), and a site already associated with another hub cannot be converted into a hub.

SharePoint Online allows up to 2,000 hub sites per organization. Any site labeled as a hub counts against this limit, and this applies to hub-to-hub associations as well. There is no hard limit on the number of sites you can associate to a single hub, and a site already associated with another hub can't itself be turned into a hub.

Why the other options are wrong:

  • B. The organization limit is 2,000 hub sites, not 100; there is no fixed 2,000-cap on how many sites can associate to one hub.
  • C. There is a hard limit of 2,000 hub sites per organization, so 'no limit' is wrong.
  • D. Hub-to-hub associations do count against the 2,000 hub-site limit; they are not exempt.

Memory hook: 2,000 hubs per tenant; hub-to-hub counts too, and an already-associated site can't become a hub.

Microsoft Learn: https://learn.microsoft.com/sharepoint/create-hub-site

SharePoint Content, Metadata, and Search (15 questions)

Go deeper on this topic in SharePoint Online Content, Metadata, and Search Field Guide.

Users can already find documents by typing an author's name in the search box, but the administrator now wants them to be able to narrow results to a specific field by typing author:Smith. Which managed property setting must be enabled for that field so it can be addressed by name in a query?

Correct answer: C. Queryable

Queryable is the setting that lets a managed property be addressed by name in a query, so author:Smith only works once the property is marked Queryable. Searchable is the trap here: it adds the property's content to the full-text index, which is why a bare keyword like 'Smith' already finds the documents, but it does not enable property:value syntax.

Why the other options are wrong:

  • A. Retrievable controls whether the value is returned and can be displayed in results, not whether it can be queried by name.
  • B. Searchable includes the property's content in the full-text index for unqualified keyword matching, but it does not by itself allow field-scoped 'author:Smith' queries.
  • D. Refinable lets the property appear as a refiner (filter) in classic search; it does not enable property:value query syntax.

Memory hook: author:Smith needs Queryable. Searchable = keyword match; Retrievable = show it; Refinable = filter panel.

Microsoft Learn: https://learn.microsoft.com/sharepoint/manage-search-schema

The facilities team wants to catalog physical assets in SharePoint Online. Each catalog entry is primarily structured metadata (asset tag, location, assigned owner, purchase date), and an entry occasionally needs two or three photos or receipts attached to that same record. There is no single authored 'document' at the center of each entry. Which container best fits these requirements?

Correct answer: B. A custom SharePoint list, using item attachments for the photos and receipts

A document library is file-centric: every item is built around exactly one primary file. A list is record-centric: each item is a row of column metadata and can carry multiple file attachments (up to 250 MB per attached file). For asset records that are mostly metadata with a few supporting files, a custom list with attachments is the correct fit.

Why the other options are wrong:

  • A. A document library forces each item to be a single primary file, which does not match a metadata-first record that has several supporting files.
  • C. Document Sets group multiple documents as one deliverable but still live in a file-centric library and add unnecessary overhead for simple asset records.
  • D. A site pages library stores web pages, not structured asset records with attachments.

Memory hook: Library = one file per item; List = a row of metadata that can hold many attachments.

Microsoft Learn: https://learn.microsoft.com/office365/servicedescriptions/sharepoint-online-service-description/sharepoint-online-limits

Site owners report that the Information Rights Management link is missing from their document library's Library Settings. You have already activated the Azure Rights Management service for the tenant. Where do you turn on the IRM service so the library-level option appears?

Correct answer: A. In the SharePoint admin center, open the classic settings page, select "Use the IRM service specified in your configuration," then choose Refresh IRM Settings.

IRM is enabled at the tenant level from the SharePoint admin center's classic settings page by choosing "Use the IRM service specified in your configuration" and then Refresh IRM Settings. Only after that refresh does the Information Rights Management link appear in Library Settings and List Settings (it can take up to an hour). Azure Rights Management must be activated first, which the scenario states is already done.

Why the other options are wrong:

  • B. There is no such toggle; Azure Rights Management is activated from its own service and SharePoint IRM is turned on in the SharePoint admin center, not via an 'Azure Information Protection' org setting.
  • C. The library-level IRM link only appears after the tenant IRM service is refreshed; you cannot enable the service from a library, and there is no 'Create an IRM policy' action there.
  • D. Sensitivity labels are a separate, newer protection technology; publishing a label does not enable the legacy SharePoint IRM service, and an IRM-enabled library can't even use a sensitivity label.

Memory hook: IRM lives in the SharePoint admin center's CLASSIC settings: flip it on, hit Refresh, wait up to an hour.

Microsoft Learn: https://learn.microsoft.com/purview/set-up-irm-in-sp-admin-center

A 'Project Charter' content type was published from the SharePoint admin center content type gallery and is in use across 40 site collections. To retire central management of it, an administrator selects Unpublish in the Manage Publishing panel. What happens to the copies already in use on the 40 subscriber sites?

Correct answer: D. They remain but are converted to local content types on each site, no longer receiving updates from the hub.

Per Microsoft Learn, when you unpublish a content type, any copies of that content type being used in other sites are converted to a local content type. They are not deleted; in no situation is a content type automatically removed from a subscribing site collection. They are, however, severed from the hub and will no longer receive republish (central) updates. Restoring central management requires republishing and re-establishing the subscription, so unpublishing is not a clean rollback.

Why the other options are wrong:

  • A. There is no automatic merge into the Document content type; each in-use copy simply becomes a standalone local content type.
  • B. Unpublished copies are unsealed into local, editable content types, not read-only placeholders, and they do not block new documents.
  • C. Unpublishing never automatically deletes the content type or its columns from subscriber sites; the in-use copies persist as local content types.

Memory hook: Unpublish = cut the cord, not delete. In-use copies become local content types and updates stop.

Microsoft Learn: https://learn.microsoft.com/sharepoint/publish-content-type

A team wants a single tagging field on a library that lets users apply several free-form tags per document, drawing type-ahead suggestions from managed term sets as well as previously used tags, without binding to one specific term set. The administrator also plans to index this field to support filtered views on a library expected to exceed 5,000 items. Which statement is correct?

Correct answer: D. Add the Enterprise Keywords column; it is always multi-value, draws suggestions from managed term sets and the Keywords set, and cannot be indexed.

The Enterprise Keywords column is, by default, a multi-value column that surfaces type-ahead suggestions from managed term sets and the Keywords term set and lets users enter new values, which is exactly the free-form, multi-tag behavior described. Because it is inherently multi-value, it cannot be added as an indexed column, so it will not support filtered views once the library passes the 5,000-item list view threshold. The scenario's two goals are in tension: whole-store free-form tagging and indexing cannot both be satisfied by this one column.

Why the other options are wrong:

  • A. Enterprise Keywords columns are fully supported in SharePoint Online, so this claim is false.
  • B. A multi-value Managed Metadata column cannot be indexed, and binding to one closed term set contradicts the requirement to suggest from across the store and allow new free-form tags.
  • C. The Enterprise Keywords column has no single-value variant; it is always multi-value and therefore cannot be indexed.

Memory hook: Enterprise Keywords = always multi-value, whole-store suggestions, can't be indexed. Need indexing? Use a single-value Managed Metadata column.

Microsoft Learn: https://learn.microsoft.com/sharepoint/managed-metadata

An administrator is wiring a custom Text site column named 'Contract Owner' to an unused RefinableString slot so it can be used as a refiner. Searching the crawled properties returns two entries for the column: ows_q_TEXT_ContractOwner and ows_Contract_Owner. Which crawled property should be mapped to the RefinableString managed property, and why?

Correct answer: C. ows_Contract_Owner, because when mapping to a refinable managed property you select the ows_ prefixed variant, not the automatically created ows_q_ / ows_r_ / ows_taxId_ one.

A crawled site column typically surfaces two crawled properties: the automatically created ows_q_<TYPE>_ (or ows_r_, ows_taxId_) variant that already feeds the auto-generated managed property, and an ows_ prefixed variant. Microsoft Learn is explicit that when mapping a crawled property to a refinable managed property you should select the crawled property that begins with ows_. After mapping (and setting an alias) you reindex the library so the change is picked up.

Why the other options are wrong:

  • A. They are not interchangeable for this purpose. Mapping the auto-created variant is specifically discouraged; use the ows_ variant.
  • B. In SharePoint Online you cannot create a new Refinable managed property from scratch; you reuse a built-in RefinableString slot and map the ows_ variant to it.
  • D. The ows_q_<TYPE>_ entry is the automatically created variant tied to the auto-generated managed property; guidance is to avoid it when mapping to a refinable slot.

Memory hook: Two crawled properties, pick the plain ows_ one for refiner mapping. Skip the ows_q_ / ows_taxId_ auto-created twin.

Microsoft Learn: https://learn.microsoft.com/sharepoint/search/how-to-add-refiners-to-your-search-results-page

A site owner creates a brand-new document library on a modern team site in SharePoint Online and uploads a document without ever opening Versioning settings. Which statement correctly describes the library's version history behavior out of the box?

Correct answer: D. Major versioning is enabled by default, and the shipped organization default retains up to 500 major versions.

In SharePoint Online, document versioning is active by default on new libraries, and the shipped organization-level default version history limit is Manual with a 500 major-version count and no expiration. A brand-new library therefore keeps up to 500 major versions unless the organization default or the library is changed. Minor/draft versioning is a separate opt-in and is not on by default.

Why the other options are wrong:

  • A. Versioning is not off by default in SharePoint Online; major versioning is turned on automatically for new libraries, a change from older on-premises defaults.
  • B. The default is major versions only, not major-and-minor. Minor/draft versioning (0.1) must be enabled explicitly.
  • C. 100 is the UI minimum you can set for a manual major-version count, not the default; the out-of-box organization default is 500 major versions with no expiration.

Memory hook: New SPO library = major versioning ON, 500 kept, no expiry. Minor/draft is opt-in.

Microsoft Learn: https://learn.microsoft.com/sharepoint/set-default-org-version-limits

A policy library uses major and minor (draft) versioning with content approval. Authors report that colleagues with read-only access can see unapproved 0.x drafts. The admin wants only the item's author and users who can approve items to be able to see drafts, while readers see only the latest approved major version. Which setting should the admin change?

Correct answer: B. Versioning settings, then Draft Item Security, then 'Only users who can approve items (and the author of the item)'

Draft Item Security controls who can see minor (draft) versions. Setting it to 'Only users who can approve items (and the author of the item)' restricts draft visibility to approvers plus the author, while readers still see the last approved major version - meeting the requirement without altering permissions or the versioning scheme.

Why the other options are wrong:

  • A. Requiring check-out controls concurrent editing and version creation, not who can view existing drafts.
  • C. Removing Read for all members over-restricts access and breaks the whole library rather than just draft visibility.
  • D. Switching to major-only removes drafts entirely (losing the draft/publish workflow) instead of controlling draft visibility.

Memory hook: Who sees 0.x drafts? Draft Item Security - dial it to approvers + author.

Microsoft Learn: https://learn.microsoft.com/sharepoint/governance/versioning-content-approval-and-check-out-planning

In the SharePoint admin center, under Content services, then Content type gallery, an administrator selects a published site content type named 'Contract' and chooses Unpublish. Several sites across the tenant are already using 'Contract' on their libraries. What happens to those existing content types when the change syncs?

Correct answer: D. Existing copies in use are converted to local (site-level) content types and stop receiving updates from the gallery

Unpublishing makes a content type unavailable for download to other sites, and any copies already in use are converted to local content types. They remain in place with their data, but no longer receive published updates from the gallery. Publish/Republish pushes updates; Unpublish severs the update link without deleting content.

Why the other options are wrong:

  • A. Unpublishing never deletes content types or the documents based on them.
  • B. The content type is not stripped from libraries and items do not lose metadata; only the update relationship ends.
  • C. Existing copies ARE affected (they become local content types), so the effect is not limited to future sites.

Memory hook: Unpublish = go local: the copy stays, but it's cut off from the hub's updates.

Microsoft Learn: https://learn.microsoft.com/sharepoint/publish-content-type

An admin applies column formatting JSON to a Person column so it displays the assignee's name, using "txtContent": "@currentField". Instead of a name, the column renders blank or shows an object. Which JSON correctly displays the person's name?

Correct answer: D. "txtContent": "@currentField.title"

Person fields are represented as objects, and the display name is held in the object's title property. The formatter must therefore reference @currentField.title. (Lookup fields, by contrast, expose their display text in the lookupValue property.)

Why the other options are wrong:

  • A. lookupValue is the display property for lookup fields, not person fields.
  • B. [$AssignedTo] references the raw field object (and only resolves if that column is in the same view); it still yields the object, not the name.
  • C. There is no toString conversion for this; the supported approach is @currentField.title.

Memory hook: Person = object: .title for the name; Lookup = .lookupValue.

Microsoft Learn: https://learn.microsoft.com/sharepoint/dev/declarative-customization/column-formatting#display-field-values-basic

A subscriber site collection receives several custom document content types published from the content type hub. An admin sets one of those published content types as the default on a library, then enables the Document ID Service site collection feature. Afterward, documents in that library still aren't getting Document IDs and the Document ID column doesn't appear. What is the correct fix?

Correct answer: A. Enable the Document ID Service feature on the content type hub site collection, then republish the content types.

Content types published from the hub are set to read-only on subscriber sites, so the Document ID Service cannot provision its required columns onto them. The documented fix is to enable the Document ID Service on the content type hub site collection itself, then republish the syndicated content types so subscribers receive the updated, Document ID-enabled content types.

Why the other options are wrong:

  • B. The blocker is the read-only published content type, not the choice of Document vs custom type; reverting does not provision IDs on the custom content type.
  • C. Breaking inheritance is not the documented remedy and fragments the published content type; enable the feature at the hub and republish instead.
  • D. The issue isn't a stalled timer job; the published content type is read-only and lacks the Document ID columns until the hub is updated and republished.

Memory hook: Published = read-only; turn on Doc ID at the hub, then republish.

Microsoft Learn: https://learn.microsoft.com/troubleshoot/sharepoint/lists-and-libraries/document-ids-unassigned

A site owner wants the ENTIRE row in a list view to be shaded red whenever the 'Status' choice column equals 'Overdue', so overdue records are visually flagged for reviewers. The underlying data must not change. Which approach accomplishes this?

Correct answer: A. Apply view formatting to the view (for example, additionalRowClass) using a conditional expression on the Status field

Column formatting styles a single field (only that one cell), whereas view formatting (via additionalRowClass or rowFormatter) styles the whole row based on field values. To conditionally shade an entire row, use view formatting; like column formatting, it only changes how the row is displayed, not the underlying data.

Why the other options are wrong:

  • B. An SPFx Field Customizer is heavier than needed and also targets a single field, not the whole row; view formatting already covers this scenario.
  • C. Column formatting affects only the formatted column's cell, so it cannot shade the whole row.
  • D. A validation formula enforces data-entry rules; it does not shade rows and would block saving rather than format display.

Memory hook: Cell = column formatting; whole ROW = view formatting (additionalRowClass).

Microsoft Learn: https://learn.microsoft.com/sharepoint/dev/declarative-customization/view-formatting

From the Content type gallery in the SharePoint admin center, an admin has published a custom "Contract" content type. They now want that content type to be automatically added to every new list and library created on a set of hub-associated sites, without site owners adding it manually. What must be true for this "push content types to a hub" capability to work?

Correct answer: A. The content type must already be published, and the feature requires a pay-as-you-go (Microsoft Syntex) license.

Pushing content types to hub sites (so they are automatically added to new lists/libraries and to newly associated sites) is a paid capability that requires a pay-as-you-go (Microsoft Syntex) license, and the content type being pushed must already be published from the Content type gallery first.

Why the other options are wrong:

  • B. The Content type gallery is not available to the Global Reader role at all; you need SharePoint or Global admin permissions.
  • C. Default keyword storage location is unrelated; the gating requirements are prior publishing plus a pay-as-you-go license.
  • D. You select ordinary SharePoint hub sites in the gallery; there is a single content type hub at /sites/ContentTypeHub, not one per site.

Memory hook: Push to hub = publish first + pay-as-you-go (Syntex).

Microsoft Learn: https://learn.microsoft.com/microsoft-365/documentprocessing/push-content-type-to-hub?view=o365-worldwide

A records manager wants to add a 'Case File' Document Set content type to a document library so that related case documents can be created and managed as one unit with shared metadata. On a brand-new site, 'Document Set' does not appear as a content type they can add. What must be done first?

Correct answer: C. Activate the Document Sets site collection feature

Document Sets are delivered by a site collection feature that must be activated (Site settings, then Site collection features, then Document Sets, then Activate) before Document Set content types become available. Only after the feature is on can you create or add a Document Set content type to a library.

Why the other options are wrong:

  • A. The Managed Metadata Service supports term sets and managed metadata columns, not the availability of Document Sets.
  • B. Versioning governs version history, not whether the Document Set content type is available.
  • D. A content type hub centrally publishes content types but is not required to make Document Sets available on a site.

Memory hook: No Document Set option? Flip the Document Sets site collection feature ON first.

Microsoft Learn: https://learn.microsoft.com/sharepoint/governance/document-set-planning

As a site collection administrator you want to see the searches users ran on your site collection that returned no results (a 'No result queries' report), so you can improve findability. In current SharePoint Online, where do you access this report and what time ranges does it cover?

Correct answer: C. Site Settings, then Site Collection Administration, then Microsoft Search, then Configure search settings, then Insights; reports cover the past 31 days and past 12 months

The updated site-collection search usage reports are reached from Site Settings under Site Collection Administration via Microsoft Search, then Configure search settings, then Insights. They include five reports (top queries, abandoned queries, query rule usage, no result queries, and query volume trends), are available for the past 31 days and past 12 months (the prior window was 14 days), and only site collection admins can view them.

Why the other options are wrong:

  • A. Popularity and Search Reports opens Excel usage reports (Popularity Trends is 14 days daily / 3 years monthly); the query-level No result queries insights moved to the Microsoft Search Insights page with 31-day/12-month windows.
  • B. The Microsoft 365 admin center is not where a site collection's No result queries report is found, and 7 days is wrong.
  • D. Site-collection query reports are not surfaced under the tenant admin center's Search page, and '30 days only' is incorrect.

Memory hook: Query insights (top / abandoned / no-result) = Site Collection Admin, then Microsoft Search, then Insights; 31 days & 12 months, admins only.

Microsoft Learn: https://learn.microsoft.com/troubleshoot/sharepoint/search/classic-site-collection-search-usage-reports

SharePoint Permissions and Sharing (15 questions)

Go deeper on this topic in SharePoint Online Permissions and Sharing Field Guide.

The tenant's organization-wide external sharing (SharingCapability) is set to 'New and existing guests' (ExternalUserSharingOnly). A site owner asks the admin to enable 'Anyone' links on just their one site by running Set-SPOSite -SharingCapability ExternalUserAndGuestSharing. What is the outcome?

Correct answer: A. The change is rejected/ineffective because a site's sharing can't be more permissive than the tenant setting

A site's external sharing can be equal to or MORE restrictive than the tenant, but never more permissive. With the tenant at ExternalUserSharingOnly, a site may be Disabled, ExistingExternalUserSharingOnly, or ExternalUserSharingOnly, but not ExternalUserAndGuestSharing. Anyone links must be enabled at the tenant first.

Why the other options are wrong:

  • B. Sharing scope isn't silently narrowed to internal-only; the more-permissive value simply isn't permitted.
  • C. A site cannot exceed the tenant's sharing ceiling, so it can't override the tenant to allow Anyone links.
  • D. Setting a site value never escalates the organization-wide tenant setting.

Memory hook: Tenant sets the ceiling; sites can only go stricter, never looser.

Microsoft Learn: https://learn.microsoft.com/sharepoint/turn-external-sharing-on-or-off

Access requests are enabled on a classic team site. A user who holds 'Edit' permission on the site, but is not a site owner or a site collection administrator, opens the Access Requests list to approve a pending request and receives 'Access Denied / Request approval failed.' Who is able to approve or decline pending access requests on the site?

Correct answer: B. Only site collection administrators or members of the site's Owners group (and the Owners group must have Full Control to access the Access Requests list)

Only site collection administrators or users who are members of the Owners group for the site can approve or decline pending requests in the Access Requests list. When approvers are members of the Owners group, that group must also retain Full Control permissions so it can access the Access Requests list. A user with only Edit permission does not qualify, which is why they receive Access Denied.

Why the other options are wrong:

  • A. Global Administrator is not required, and holding it does not automatically grant site content access; approvals are handled by site collection admins or the Owners group.
  • C. Edit permission is insufficient; approval is restricted to site collection administrators and the Owners group, not to anyone with Edit or higher.
  • D. The requester cannot approve their own request, and access requests are processed from the site's Access Requests list, not from the Microsoft 365 admin center.

Memory hook: Approve access requests = site collection admins or the Owners group (with Full Control). Edit is not enough.

Microsoft Learn: https://learn.microsoft.com/troubleshoot/sharepoint/sharing-and-permissions/request-approval-failed

A user needs to send a contract to two named external partners so that only those two recipients can open it. If either recipient forwards the message, the forwarded link must NOT grant access to anyone else. Which sharing link type meets this requirement?

Correct answer: C. Specific people

Specific people links work only for the individuals the sender specifies when the link is created. They are non-transferable: if a recipient forwards the link, anyone not on the named list is denied. It is the only link type that guarantees access is limited to the named recipients, and it works for external users (guests) as well as internal users.

Why the other options are wrong:

  • A. Anyone links require no sign-in and are freely transferable; anyone who obtains the forwarded link can open the item, the opposite of the requirement.
  • B. People in your organization links work for any authenticated member of the tenant who obtains the link and are transferable internally; they also do not work for external partners at all.
  • D. People with existing access grants no new permission and works only for people who already have access, so external partners who were never granted access would be denied.

Memory hook: Named-and-only-named = Specific people, the one non-transferable link type.

Microsoft Learn: https://learn.microsoft.com/sharepoint/shareable-links-anyone-specific-people-organization

A SharePoint Administrator runs against a site collection: Set-SPOSite -Identity <url> -DefaultLinkToExistingAccess $true. The same site already had -DefaultSharingLinkType Internal and -DefaultLinkPermission Edit configured. What default sharing link will users see when they click Share?

Correct answer: A. "People with existing access," because setting DefaultLinkToExistingAccess to $true overrides the DefaultSharingLinkType and DefaultLinkPermission values.

Setting DefaultLinkToExistingAccess to True makes "People with existing access" the default link, and Microsoft documents that this value overrides the DefaultSharingLinkType and DefaultLinkPermission settings. Existing-access links grant no new permissions.

Why the other options are wrong:

  • B. The existing-access override wins regardless of which link type was set last.
  • C. Existing-access is not anonymous/Anyone access.
  • D. Existing-access differs from Specific people; it grants no new access to anyone.

Memory hook: DefaultLinkToExistingAccess=$true wins: it overrides link type and permission.

Microsoft Learn: https://learn.microsoft.com/powershell/module/microsoft.online.sharepoint.powershell/set-sposite

Your organization-level external sharing is set to Anyone. For one project site, external sharing is set to "New and existing guests" (recipients must sign in or use a verification code). As SharePoint Administrator you set that site's default sharing link type to "Anyone with the link." A user on that site clicks Share on a document. Which link type will be selected by default in the Share dialog?

Correct answer: A. Only people in your organization

Microsoft Learn states that if the default is set to "Anyone with the link" but the site (or OneDrive) is configured to allow sharing only with guests who sign in or provide a verification code, the effective default link shown is "Only people in your organization." Because this site requires authenticated guests ("New and existing guests"), Anyone links aren't valid, so SharePoint falls back to the org default. The user must manually choose "Specific people" to share externally.

Why the other options are wrong:

  • B. "Anyone with the link" was configured, but it can't apply on a site that requires authentication, so SharePoint overrides it rather than showing it.
  • C. "Specific people" is what the user must manually select to share externally on this site; it isn't the automatic default.
  • D. "People with existing access" is a distinct link type that grants no new permissions and is never the automatic fallback here.

Memory hook: Anyone default on a sign-in-required site collapses to "People in your organization" - the org default catches the fall.

Microsoft Learn: https://learn.microsoft.com/sharepoint/turn-external-sharing-on-or-off#more-external-sharing-settings

External sharing is set to New and existing guests. A guest who was granted Edit permission on a document library reports she cannot reshare a file in that library with a colleague at her own company, while internal users with Edit can reshare. Which organization-level setting, when enabled, lets guests share items they do not own without giving them Full Control?

Correct answer: B. Allow guests to share items they don't own

By default, guests must have Full Control permission to share items externally. The More external sharing settings option Allow guests to share items they don't own removes that requirement, so a guest with only Edit can reshare content she does not own.

Why the other options are wrong:

  • A. That setting restricts which internal users are permitted to share externally; it has no effect on guest resharing rights.
  • C. This is not an actual SharePoint external sharing setting; it is a distractor resembling site-level sharing language.
  • D. That setting governs how often verification-code recipients must reauthenticate and is unrelated to resharing permissions.

Memory hook: Guests need Full Control to reshare unless you check Allow guests to share items they don't own.

Microsoft Learn: https://learn.microsoft.com/sharepoint/turn-external-sharing-on-or-off#more-external-sharing-settings

On a classic team site, access requests are enabled and routed to the site Owners group. Site owners report that when they open the Access Requests list and click Approve, they receive "Access Denied" / "Request approval failed." A recent permissions cleanup on the site preceded the problem. What is the most likely root cause and fix?

Correct answer: A. During cleanup the Owners group lost its permission to the hidden Access Requests list; re-grant the Owners group access (Full Control) to that list so members can approve.

Only site collection administrators or members of the site's Owners group can approve or decline pending requests, and when owners approve, the Owners group must have Full Control permission to the Access Requests list. If a permissions change removed the Owners group from that list, owners get "Access Denied"/"Request approval failed." Re-granting the Owners group access to the Access Requests list resolves it.

Why the other options are wrong:

  • B. Incorrect: any site collection admin or Owners-group member with access to the list can approve, not only whoever enabled the feature.
  • C. Incorrect: approving requests requires site collection admin or Owners group membership with list access, not the Global Administrator role.
  • D. Incorrect: external sharing status is unrelated to internal access-request approval on the site.

Memory hook: Approve fails with Access Denied? The Owners group fell off the hidden Access Requests list. Put it back with Full Control.

Microsoft Learn: https://learn.microsoft.com/troubleshoot/sharepoint/sharing-and-permissions/request-approval-failed

A SharePoint administrator must configure the tenant so that users can share content only with guests who are ALREADY present in the organization's directory (for example, guests added earlier through Azure B2B or previous invitations). No NEW external people may redeem invitations. Which value of Set-SPOTenant -SharingCapability meets this requirement?

Correct answer: D. ExistingExternalUserSharingOnly

ExistingExternalUserSharingOnly permits sharing only with guests already in the organization's directory; it blocks inviting any new external users, which exactly matches the 'existing guests only' requirement.

Why the other options are wrong:

  • A. ExternalUserAndGuestSharing is the most permissive value and additionally allows unauthenticated 'Anyone' links.
  • B. Disabled turns off all external sharing (people in your organization only), so even existing guests can't be shared with.
  • C. ExternalUserSharingOnly allows sharing with both new AND existing guests (who must authenticate), which is broader than requested.

Memory hook: Existing = existing guests only; no new redemptions.

Microsoft Learn: https://learn.microsoft.com/sharepoint/turn-external-sharing-on-or-off

External sharing is enabled for a tenant. A guest is added to a site with Edit permissions on a document library. Using the default tenant sharing settings, can that guest reshare a file they don't own with another external person?

Correct answer: A. No - by default "Allow guests to share items they don't own" is off, so a guest must have Full Control on an item to share it externally

Learn states that, by default, guests must have Full Control permission to share items externally; the "Allow guests to share items they don't own" setting is off by default. A guest with only Edit can't reshare items they don't own unless an admin enables that setting or grants Full Control.

Why the other options are wrong:

  • B. Edit alone is not sufficient by default; Full Control (or enabling the setting) is required for guests to reshare.
  • C. Guests can share when they have Full Control or when the admin enables guest resharing, so "never" is too absolute.
  • D. View/Edit is not enough by default; the guest reshare control is off unless an admin turns it on.

Memory hook: Guests reshare only what they fully control - "share items they don't own" is OFF by default.

Microsoft Learn: https://learn.microsoft.com/sharepoint/turn-external-sharing-on-or-off#more-external-sharing-settings

A OneDrive owner wants to be emailed only when OTHER users invite additional external users to files that were already shared from the owner's OneDrive, not for routine file activity and not when an anonymous link is made. Which Set-SPOTenant parameter maps to exactly this "Email OneDrive owners when" notification?

Correct answer: D. Set-SPOTenant -NotifyOwnersWhenItemsReshared

The "Email OneDrive owners when other users invite more external users to shared files" notification maps to Set-SPOTenant -NotifyOwnersWhenItemsReshared. The trap is the near-identical parameter names: Reshared is the one that fires when an existing share is widened to additional external users, not on general file activity and not on anonymous links.

Why the other options are wrong:

  • A. Incorrect: NotificationsInOneDriveForBusinessEnabled is the broad file activity notifications toggle, not this specific owner email.
  • B. Incorrect: NotifyOwnersWhenInvitationsAccepted concerns external users accepting invitations (and no longer works for the new sharing experience). That is a different, similarly named event.
  • C. Incorrect: OwnerAnonymousNotification covers anonymous (Anyone) link creation or changes, not reshares to more external users.

Memory hook: Someone widens your share to more outsiders? NotifyOwnersWhenItemsReshared tells the owner.

Microsoft Learn: https://learn.microsoft.com/sharepoint/turn-on-external-sharing-notifications

A site owner on a communication site holding several critical document libraries wants members to add, edit, and delete documents inside existing libraries, but NOT create new libraries, remove columns, or delete entire lists. The Members group is currently assigned the Edit permission level. Which permission level should the owner assign to the Members group, and what specific capability is the reason?

Correct answer: D. Assign Contribute; Edit includes Manage Lists (create/delete lists and columns), which Contribute lacks

Edit includes the Manage Lists permission, which allows creating and deleting lists/libraries, adding or removing columns, and managing public views. Contribute grants add, edit, and delete of items and documents within existing lists and libraries but does NOT include Manage Lists. Assigning Contribute lets members work with content without restructuring or deleting libraries, exactly matching the requirement.

Why the other options are wrong:

  • A. Edit does include Manage Lists, so keeping Edit leaves members able to delete entire libraries and columns, the opposite of what is wanted.
  • B. Read is view and download only; it removes the ability to add, edit, or delete documents, which the requirement explicitly wants to keep.
  • C. Design is broader than Edit (it adds page customization, Approve Items, and Override Check-Out) and still includes Manage Lists, so it does not restrict structural changes.

Memory hook: Edit = Contribute + Manage Lists. Strip Manage Lists (structure, columns, whole lists) and you are at Contribute.

Microsoft Learn: https://learn.microsoft.com/sharepoint/understanding-permission-levels

A team site's Members group has Edit across the whole site. HR needs one document library on that site locked down so only three named HR staff can open it, while every other library and page on the site stays exactly as it is. What is the correct library-level approach?

Correct answer: A. On the library, stop inheriting permissions, remove the Members group, and grant the three HR users directly

A list or library inherits permissions from its parent site by default. To secure just that one library, break inheritance on the library to create a unique permission scope, remove the inherited Members group, and grant the three HR users directly. Because only the library's scope changes, the rest of the site keeps its inherited permissions.

Why the other options are wrong:

  • B. Adding the users to Owners grants Full Control over the entire site and does nothing to restrict the library from other members.
  • C. A library can hold unique permissions, so moving it to a new site collection is unnecessary.
  • D. Organization external sharing governs guest access, not internal library-level permissions.

Memory hook: Secure one library by breaking its inheritance, then grant only who you want.

Microsoft Learn: https://learn.microsoft.com/sharepoint/manage-permission-scope

A governance standard states that on a given team site, members and users with Edit permissions may share files and folders, but only site owners may share the site itself. Which "how members can share" option matches this, and what is its equivalent MembersCanShare PowerShell value?

Correct answer: D. "Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site." (MemberShareFileAndFolder)

The "how members can share" control has three values. MemberShareFileAndFolder maps to "Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site": exactly the requirement that members/Edit users share content but only owners share the site.

Why the other options are wrong:

  • A. Incorrect: MemberShareAll also lets members share the site itself, which the standard forbids.
  • B. Incorrect: MemberShareNone blocks members from sharing files and folders too, which is more restrictive than required.
  • C. Incorrect: there is no MemberShareApprove value or owner-approval workflow among these options.

Memory hook: FileAndFolder = members share the stuff, owners share the site.

Microsoft Learn: https://learn.microsoft.com/purview/sensitivity-labels-teams-groups-sites#how-to-configure-groups-and-site-settings-for-containers

A site owner of a group-connected team site wants to change the site's external sharing setting from 'New and existing guests' to 'Anyone.' They cannot find any option to make this change in the site settings. Assuming the organization-level setting permits Anyone, why can't the site owner change it?

Correct answer: B. Changing a site's external sharing setting requires at least the SharePoint Administrator role; site owners are not allowed to change it

Microsoft documents that you must be at least a SharePoint Administrator to change the sharing settings for a site, and that site owners aren't allowed to change these settings. Per-site external sharing is configured in the SharePoint admin center (Active sites, then select the site, then Sharing), a surface site owners don't have. Site owners can control member sharing options and access request settings, but not the site's external sharing tier.

Why the other options are wrong:

  • A. Group-connected team sites can use Anyone links when org and site settings permit; there is no blanket prohibition (only Teams shared channel sites block Anyone links).
  • C. A sensitivity label can constrain sharing further but is not a prerequisite for changing a site's external sharing tier; the gating factor is the admin role.
  • D. No Microsoft support request is involved; a SharePoint Administrator changes the setting directly in the admin center.

Memory hook: Per-site external sharing tier is a SharePoint Admin job. Site owners get member-sharing and access requests only.

Microsoft Learn: https://learn.microsoft.com/sharepoint/change-external-sharing-site

An organization's SharePoint tenant-level sharing is set to 'Anyone'. The security team notices that anonymous sharing links from multiple sites are being forwarded externally with no expiration. The administrator wants to enforce that all 'Anyone' links tenant-wide expire within 30 days and can only grant View permission to files. Where is this configuration made?

Correct answer: C. SharePoint admin center, then Policies, then Sharing, then Advanced settings for 'Anyone' links

The expiration and permissions settings for 'Anyone' links are configured in the SharePoint admin center under Policies, then Sharing, in the 'Advanced settings for Anyone links' section. Admins can require link expiration (setting a maximum number of days) and restrict link permissions to View only for files and/or folders. These settings apply at the organization level to all sites.

Why the other options are wrong:

  • A. There is no 'Bulk sharing settings' option for all sites in the Active Sites page. Organization-wide link settings are set on the Sharing page, not per-site in bulk.
  • B. Microsoft Entra External Identities governs guest invitations and B2B collaboration settings, not the expiration or permissions of anonymous sharing links within SharePoint.
  • D. DLP policies detect and protect sensitive content but do not control the expiration or permission level of sharing links. DLP is a reactive and notification-based control, not a link configuration setting.

Memory hook: Anyone link settings (expiration and permissions) live in the SharePoint admin center under Sharing, then Advanced settings.

Microsoft Learn: https://learn.microsoft.com/sharepoint/turn-external-sharing-on-or-off

SharePoint Governance and Compliance (15 questions)

Go deeper on this topic in SharePoint Online Governance, Security, and Compliance Field Guide.

External sharing is enabled for a collaboration site. The security team is concerned that when users upload new files, a guest could access a sensitive file during the delay between upload and when Microsoft Purview DLP finishes scanning it. Which SharePoint control blocks guest access to newly uploaded files until DLP has scanned them?

Correct answer: B. Set-SPOTenant -MarkNewFilesSensitiveByDefault BlockExternalSharing

The 'sensitive by default' tenant setting, configured with Set-SPOTenant -MarkNewFilesSensitiveByDefault BlockExternalSharing, blocks guest access to newly added SharePoint and OneDrive files until DLP has crawled them and evaluated content-based rules. Guests who try to open a file during the scan window are told it is being scanned; once scanning completes with no blocking match, access is allowed. Two caveats: it applies only to newly added files (not existing files or existing shares), and it blocks guest access to files in any location not covered by a DLP policy. The setting can take up to 60 minutes to take effect.

Why the other options are wrong:

  • A. AllowLimitedAccess is the unmanaged-device Conditional Access setting (web-only access). It governs device state, not the DLP scan-latency window for guest access to new uploads.
  • C. Block download policy prevents download, print, and sync for users who can already reach the site; it does not gate guest access based on whether DLP has finished scanning a new file.
  • D. Turning off external sharing entirely is the blunt alternative this feature is designed to avoid; sensitive-by-default lets you keep external sharing while protecting unscanned new files.

Memory hook: MarkNewFilesSensitiveByDefault = guests wait at the door until DLP finishes scanning the new file.

Microsoft Learn: https://learn.microsoft.com/sharepoint/sensitive-by-default

The tenant unmanaged-device policy is set to AllowLimitedAccess (web-only). For a highly sensitive site, an admin wants users on unmanaged devices to preview ONLY Office files in the browser, with no preview or download of any other file type (PDF, images, .zip). Which Set-SPOSite parameter/value achieves the most restrictive preview?

Correct answer: B. -LimitedAccessFileType OfficeOnlineFilesOnly

OfficeOnlineFilesOnly restricts in-browser preview to Office files only, the most secure LimitedAccessFileType option, blocking preview/download of non-Office types.

Why the other options are wrong:

  • A. AllowDownloadingNonWebViewableFiles is no longer supported; Microsoft directs admins to use LimitedAccessFileType instead.
  • C. OtherFiles is the least secure option: it lets users download files that can't be previewed, such as .zip and .exe.
  • D. WebPreviewableFiles is the default and also previews non-Office web-previewable files (and can even force PDFs/images to download), which is less restrictive than intended.

Memory hook: OfficeOnlineFilesOnly = tightest preview; OtherFiles = loosest.

Microsoft Learn: https://learn.microsoft.com/sharepoint/control-access-from-unmanaged-devices

An administrator applies a sensitivity label to a SharePoint team site. The label is configured with the 'Private' privacy setting and the 'Only people in your organization' external sharing option. A site owner later tries to change the site privacy from Private to Public in SharePoint settings. What happens?

Correct answer: C. The privacy setting is locked by the sensitivity label; the site owner must remove or change the label before altering privacy

Microsoft Learn states that when a sensitivity label sets privacy to Public or Private on a container (site or group), that setting is locked. Users cannot change the privacy setting while the label is applied. To change privacy, the site owner (or administrator) must first remove or change the sensitivity label from the site.

Why the other options are wrong:

  • A. The premise fails at the first step: the label locks the privacy setting, so the site owner cannot change it to Public at all while the label is applied. There is no partial change that flips privacy while leaving only the sharing control enforced.
  • B. Site owners cannot override the privacy setting enforced by a sensitivity label. The label locks the value until removed.
  • D. There is no 24-hour revert mechanism. The label continuously enforces the privacy setting; once changed via the label, the privacy follows the label.

Memory hook: Label = lock. Once a sensitivity label sets privacy, only removing or swapping the label unlocks the dial.

Microsoft Learn: https://learn.microsoft.com/purview/sensitivity-labels-teams-groups-sites

A user's Microsoft 365 account is deleted. By default, how long are that user's OneDrive files preserved, and who automatically receives access to them?

Correct answer: A. Files are preserved for 30 days and the user's manager automatically receives access

Microsoft Learn states that when a user's Microsoft 365 account is deleted, their OneDrive files are preserved for 30 days. By default, the deleted user's manager is automatically given access to the user's OneDrive. Both the retention period and the manager access behavior can be changed by the administrator.

Why the other options are wrong:

  • B. The default preservation period is 30 days, not 90, and access defaults to the manager, not the IT administrator.
  • C. Files are not deleted immediately upon account deletion. The 30-day preservation window applies before any deletion.
  • D. The default period is 30 days, not 180, and the manager does receive automatic access by default.

Memory hook: OneDrive orphan rule: 30 days, manager gets the keys. Both numbers are configurable, but 30 and manager are the out-of-box defaults.

Microsoft Learn: https://learn.microsoft.com/sharepoint/compliant-environment

For one project site containing sensitive files, an admin wants users to keep browser-only access (view/preview) but be unable to download, print, sync, or open files in desktop apps, without creating any Conditional Access policy. Which command applies this?

Correct answer: A. Set-SPOSite -Identity <SiteURL> -BlockDownloadPolicy $true

BlockDownloadPolicy is a per-site (Set-SPOSite) control, part of SharePoint Advanced Management, that grants browser-only access (no download/print/sync/app access) and also blocks moving files to other sites, without any Conditional Access policy.

Why the other options are wrong:

  • B. DisableDownload is not a valid Set-SPOSite parameter.
  • C. BlockDownloadPolicy cannot be applied organization-wide via Set-SPOTenant; the feature is set per site only.
  • D. ConditionalAccessPolicy BlockAccess blocks access entirely and is the unmanaged-device/CA feature, not browser-only view without download.

Memory hook: BlockDownloadPolicy = per-site browser-only; no CA needed (SAM license).

Microsoft Learn: https://learn.microsoft.com/sharepoint/block-download-from-sites

A site was closed and set to read-only by a SharePoint site closure policy. To reopen it for editing, an admin runs Set-SPOSite -Identity <url> -LockState Unlock, but the site remains read-only. What is the reason?

Correct answer: D. When a site was closed and made read-only through a site closure policy, the Set-SPOSite unlock command doesn't work; the closure must be reversed through the policy (reopen the site).

Microsoft documents that if a site was closed and made read-only through a site closure policy, the PowerShell Set-SPOSite -LockState Unlock command will not lift the read-only state. The read-only condition is owned by the site closure policy, so it must be cleared by reopening the site through that policy rather than by the lock-state cmdlet.

Why the other options are wrong:

  • A. The site is closed, not deleted, so it is not in the Deleted sites list and does not need to be restored.
  • B. 'Unlock' is a valid Set-SPOSite LockState value; 'Open' is not the mechanism here.
  • C. Unlock is a valid lock state for SharePoint sites in general, not just OneDrive.

Memory hook: Closed by a site policy? PowerShell Unlock won't budge it; reopen through the policy.

Microsoft Learn: https://learn.microsoft.com/sharepoint/manage-lock-status

In the SharePoint admin center, Data access governance (DAG) reports are grouped into two families: snapshot reports and activity reports. Which of the following is an activity report that surfaces only the last 28 days of sharing behavior rather than a point-in-time snapshot?

Correct answer: B. Content shared with 'Everyone except external users' (EEEU) report.

DAG reports split into snapshot reports (site permissions / oversharing baseline, site permissions for users, and sensitivity labels for files) that show status as of the generation date, and activity reports (sharing links, and content shared with EEEU) that cover recent activity in the last 28 days. The EEEU report is an activity report; the other three are snapshots.

Why the other options are wrong:

  • A. Wrong - the site permissions for users report is a snapshot of what a given user can access, not a 28-day activity report.
  • C. Wrong - the site permissions / oversharing baseline (PermissionedUsers) report is a snapshot as of the generation date, not a 28-day activity report.
  • D. Wrong - the sensitivity labels for files report is a snapshot of current label distribution across sites, not activity-based.

Memory hook: Snapshots = permissions and labels (as of now); Activity (28 days) = Sharing links and EEEU.

Microsoft Learn: https://learn.microsoft.com/sharepoint/data-access-governance-reports

In the SharePoint admin center under Policies, then Site lifecycle management, which set of policy types is available to govern sites at scale?

Correct answer: D. Site ownership policies, inactive site policies, and site attestation policies.

SharePoint site lifecycle management (part of SharePoint Advanced Management) provides three policy types: site ownership policies (minimum owners/admins), inactive site policies (detect and act on idle sites), and site attestation policies (owners periodically confirm a site is still needed).

Why the other options are wrong:

  • A. Quota templates are a SharePoint Server concept, and closure/document-deletion policies are legacy site policies; none are the Site lifecycle management policy types.
  • B. Retention policies, sensitivity labels, and eDiscovery are Microsoft Purview capabilities, not Site lifecycle management policies.
  • C. Sharing, conditional access, and DLP are configured elsewhere (SharePoint sharing settings, Microsoft Entra, and Microsoft Purview), not under Site lifecycle management.

Memory hook: Lifecycle trio: Ownership, Inactive, Attestation (SharePoint Advanced Management).

Microsoft Learn: https://learn.microsoft.com/sharepoint/site-lifecycle-management

A SharePoint administrator turns on an inactive site policy in the Site lifecycle management area of the SharePoint admin center, expecting it to automatically delete any site that no one has used in over a year. A colleague pushes back. Which statement accurately describes how site lifecycle management policies (site ownership, inactive site, and site attestation) behave?

Correct answer: C. The policies never delete sites directly; they notify site owners or admins and, if unaddressed, can take configured enforcement actions such as read-only or archive.

Site lifecycle management policies (site ownership, inactive site, and site attestation) do not delete SharePoint sites directly. They monitor sites, notify the responsible site owners or site admins, collect responses (for example, a 'Certify site' confirmation), and take a configured enforcement action only when there is no response after the notification cycle. Once a site is certified, lifecycle management doesn't check that site's activity again for one year. The available enforcement actions are 'Do nothing' (report only), set the site to read-only, or archive the site after a mandatory read-only period via Microsoft 365 Archive.

Why the other options are wrong:

  • A. OneDrive sites are explicitly out of scope for inactive site policies. The policies target SharePoint communication, classic, Teams-connected, and group-connected sites.
  • B. Read-only is only reached after three monthly notifications go unanswered; sites are never silently locked without notification.
  • D. Deletion is not one of the enforcement actions. The policies notify first and, at most, set a site to read-only or archive it.

Memory hook: Lifecycle policies nudge, they don't nuke: notify first, then read-only or archive; certifying a site buys a year.

Microsoft Learn: https://learn.microsoft.com/sharepoint/site-lifecycle-management

A compliance engineer applies a 'Confidential' sensitivity label scoped to Groups & sites to a SharePoint team site, expecting every document already stored in the site's libraries to automatically become encrypted and labeled 'Confidential.' What is the actual effect of applying this container-scoped label to the site?

Correct answer: A. The label controls container-level settings (privacy, external sharing, unmanaged-device / Conditional Access access) but does not label or encrypt the files inside the site.

A sensitivity label scoped to Groups & sites is a container label. It applies classification and access-control settings to the container itself, privacy (public/private/none), external user access and external sharing level, and access from unmanaged devices or an authentication context, but it does not label, classify, or encrypt the documents stored inside the site. To label the files themselves, you must separately enable sensitivity labels for Office files in SharePoint and OneDrive and apply file-level labels (manually or via auto-labeling). Container labels and file labels are independent controls.

Why the other options are wrong:

  • B. The label sets access conditions on the container; it does not block all access pending per-file labeling.
  • C. Container labels never reach inside to label or encrypt files; that requires separate file-level labeling. SharePoint only fires an audit event and email if a more-sensitive file is later uploaded to a less-sensitive site.
  • D. Records are a Purview retention-label / records-management construct, not a function of a container sensitivity label.

Memory hook: A container label guards the room, not the papers in it: site access settings, not file encryption.

Microsoft Learn: https://learn.microsoft.com/purview/sensitivity-labels-teams-groups-sites

Using SharePoint's built-in information management policy features (not Microsoft Purview), an organization wants to define a single retention/expiration and auditing policy once, then reuse the exact same policy across multiple site collections in a standardized, exportable way. Where should the policy be created?

Correct answer: D. In the Site Collection Policies gallery on the top-level site, then exported and imported into other site collections.

The top-level site of a site collection contains a Site Collection Policies gallery where an admin authors a reusable information management policy (retention stages, auditing, expiration, and so on). That policy can be exported and imported into other site collections' galleries to standardize policy across the organization; associating it with a content type then enforces it and prevents list owners from modifying it.

Why the other options are wrong:

  • A. Purview retention labels are a separate modern solution; the question specifies SharePoint's built-in information management policy features.
  • B. A per-library policy applies only to that single list/library and cannot be exported for reuse across site collections.
  • C. The Content type gallery manages content types, not policies; you associate a Site Collection policy with a content type, but you do not author the policy there.

Memory hook: Reusable policy lives in the Site Collection Policies gallery: export/import to standardize.

Microsoft Learn: https://learn.microsoft.com/sharepoint/governance/information-management-policy-planning#information-management-policies-and-policy-features

A file in a SharePoint library triggers a DLP rule configured with policy tips. Users see the tip in the SharePoint web experience and in Word for the web, but one user insists they never see a tip. On which client is a DLP policy tip NOT displayed for that file?

Correct answer: D. The SharePoint/OneDrive sync (Win32) desktop client in File Explorer.

DLP policy tips aren't supported on the SharePoint/OneDrive Win32 (sync) desktop client. They are supported on the SharePoint/OneDrive web client, in Word/Excel/PowerPoint for the web, and in Office desktop apps when the document is stored on SharePoint or OneDrive. (Office mobile apps also don't show policy tips.)

Why the other options are wrong:

  • A. The SharePoint web client does display policy tips, including the warning/blocked icons and View policy tip action.
  • B. Word for the web shows policy tips when the document is hosted on SharePoint or OneDrive.
  • C. Word desktop shows policy tips when the file is stored on SharePoint/OneDrive and the site is included in a DLP policy.

Memory hook: Policy tips ride the web and Office apps, not the OneDrive/SharePoint sync client or mobile.

Microsoft Learn: https://learn.microsoft.com/purview/dlp-policy-tips-reference#support-matrix-for-dlp-policy-tips-across-microsoft-apps

A SharePoint document has a retention label that marks it as a record, and record versioning is enabled. The record is currently Locked. A user sets the Record status to Unlocked to make an update. What happens at the moment of unlocking?

Correct answer: C. A Copy to action copies only the latest version of the document into the Records folder of the site's Preservation Hold library, and the document becomes editable but still cannot be deleted.

When a locked record is unlocked, SharePoint performs a Copy to that stores ONLY the latest version (no prior versions) in the Records folder of the site's Preservation Hold library; that copy is flagged 'Record' in version history. The original then becomes editable but still can't be deleted, and 'Item is a Record' stays Yes. A retained record version is captured each time you unlock.

Why the other options are wrong:

  • A. Unlocking doesn't remove the record label; the item remains a record ('Item is a Record' = Yes) and merely becomes editable.
  • B. Only the latest version is copied (not all prior versions), and the document is not removed from the library.
  • D. It is the unlock action itself that copies the version to the Records folder; preservation happens at unlock, not at re-lock.

Memory hook: Unlock = snapshot: the LATEST version is copied to the Records folder; still a record, still undeletable.

Microsoft Learn: https://learn.microsoft.com/purview/record-versioning#locking-and-unlocking-a-record

A Data access governance report flags a SharePoint site as oversharing content with 'Everyone except external users.' For compliance reasons, the admin's role cannot view the file- and item-level detail needed to decide what to trim, so the admin wants the site owner to review and remediate the specific permissions. Which SharePoint Advanced Management capability fits this need?

Correct answer: A. Initiate a site access review from the Data access governance report.

Site access reviews let IT delegate remediation of overshared sites (surfaced by Data access governance reports) to the site owners, who can see and fix the item-level permissions that the admin cannot view for compliance reasons. The owner receives a targeted email and works through the specific oversharing issue. Site access reviews support SharePoint sites (not OneDrive), and you can initiate them for up to 100 sites from the report UI (more via PowerShell). RAC is a valid immediate admin control but hard-gates the whole site to a group rather than delegating an owner-driven item-level review.

Why the other options are wrong:

  • B. Idle session sign-out signs out inactive browser sessions; it has nothing to do with remediating oversharing.
  • C. The admin can't view item-level detail for compliance reasons, and change history shows setting changes rather than delegating owner remediation.
  • D. RAC restricts the entire site to a specified group but doesn't hand the owner an item-level review, and the admin still can't see the items.

Memory hook: IT can't see the files, so it hands the overshared site to its owner: that's a site access review.

Microsoft Learn: https://learn.microsoft.com/sharepoint/site-access-review

You create an inactive site policy under Site lifecycle management in the SharePoint admin center. The owners of a flagged site ignore the notification emails. When does enforcement take effect, and what enforcement actions can you configure?

Correct answer: A. After three (monthly) notifications with no response; the configurable actions are Do nothing, put the site in read-only access, or archive the site (after a mandatory read-only period) via Microsoft 365 Archive.

Inactive site (and other lifecycle) policies send notifications to owners/admins for three months, and if there's no response after those three notifications, the chosen enforcement action runs. The options are Do nothing, Read-only access, or Archive sites after a mandatory read-only period (3, 6, 9, or 12 months) using Microsoft 365 Archive. There is no built-in 'auto-delete' enforcement action.

Why the other options are wrong:

  • B. Enforcement is tied to three notifications, not a fixed 93-day timer, and NoAccess is not the enforcement action set.
  • C. The policy always notifies first (three times) and never immediately auto-deletes an inactive site.
  • D. Enforcement follows three notifications, not one, and outright deletion is not one of the built-in enforcement actions.

Memory hook: Three strikes, then Do-nothing / Read-only / Archive; never auto-delete.

Microsoft Learn: https://learn.microsoft.com/sharepoint/inactive-site-policy

SharePoint Administration and Migration (15 questions)

Go deeper on this topic in SharePoint Online Administration and Migration Field Guide.

A developer who is not a SharePoint or tenant administrator, but is an Owner of the tenant app catalog site, needs to set a tenant property (storage entity) that can be read through the SharePoint REST API. Which approach lets them do this without elevated admin rights?

Correct answer: B. Connect with Connect-PnPOnline and run Set-PnPStorageEntity.

PnP PowerShell's *-PnPStorageEntity cmdlets (after Connect-PnPOnline) can set tenant properties without tenant administrator privileges: any Owner of the app catalog site can do it. By contrast, the SharePoint Online Management Shell's *-SPOStorageEntity cmdlets require first connecting with Connect-SPOService, which requires the SharePoint Administrator role.

Why the other options are wrong:

  • A. Set-SPOStorageEntity requires Connect-SPOService, which needs the SharePoint Administrator role, exactly what the developer lacks.
  • C. Set-PnPStorageEntity needs only app catalog site ownership, so a supported non-admin path does exist.
  • D. Set-SPOTenant configures tenant settings and also requires a SharePoint Administrator connection via the SPO Management Shell.

Memory hook: PnP storage entity = app catalog Owner is enough; SPO storage entity = admin only.

Microsoft Learn: https://learn.microsoft.com/sharepoint/dev/spfx/tenant-properties

Your tenant's Site storage limits are set to Automatic (pooled). You run Set-SPOSite -Identity <url> -StorageQuota 5000 to cap one site, but PowerShell returns a generic error. What is the correct explanation and remedy?

Correct answer: B. Per-site quotas can't be set while Site storage limits are Automatic; switch that setting to Manual, set the quota, then switch back if desired. Switching back to Automatic resets all site limits to 25,600 GB (25 TB).

When the tenant uses Automatic (pooled) site storage management, you cannot set an individual site's quota; Set-SPOSite -StorageQuota returns a generic error. The documented workaround is to switch Site storage limits to Manual, set the quota, then switch back to Automatic if desired. Note that switching (back) to Automatic/pooled resets every site's limit to 25,600 GB (25 TB).

Why the other options are wrong:

  • A. The unit is not the cause of the error; the blocker is that per-site quotas can't be set while storage management is Automatic.
  • C. No lock state is required to change a site's storage quota; the issue is the automatic storage-management mode.
  • D. Set-SPOGeoStorageQuota sets quota per geo-location on multi-geo tenants, not per individual site; Set-SPOSite -StorageQuota is not deprecated.

Memory hook: Auto pool blocks per-site quotas: flip to Manual first; auto resets everyone to 25,600 GB.

Microsoft Learn: https://learn.microsoft.com/sharepoint/manage-site-collection-storage-limits

You are preparing to run the SharePoint Migration Assessment Tool (SMAT) against a large SharePoint Server 2013 farm before migrating to Microsoft 365. The default assessment includes an Alerts scan that your organization has decided is irrelevant, and the full run is taking too long. You want to exclude only that one scan while keeping every other scan, and reduce overall execution time. What should you do?

Correct answer: C. Edit ScanDef.json in the SMAT directory and set the Alerts scan's "Enabled" property to false.

ScanDef.json (installed in the same directory as SMAT) is the config file used to enable or disable individual scans. Locating the Alerts entry and setting its "Enabled" value to false removes that scan from the run, which reduces the tool's overall execution time. If ScanDef.json is missing or corrupt, SMAT falls back to a default configuration embedded in the executable.

Why the other options are wrong:

  • A. SMAT_Errors.log is an output log written after execution; editing it changes nothing about which scans actually run.
  • B. SiteSkipList.csv tells SMAT to exclude entire sites from all report output, not to disable one scan type; other scans on those sites would also be lost.
  • D. The -q switch only runs SMAT in quiet/non-interactive mode for scripting scenarios; it does not disable any individual scan.

Memory hook: ScanDef defines the scans - flip Enabled to false to skip one; SiteSkipList skips whole sites.

Microsoft Learn: https://learn.microsoft.com/sharepointmigration/overview-of-the-sharepoint-migration-assessment-tool

An SPFx web part requests the Microsoft Graph permission Group.Read.All through webApiPermissionRequests. The request appears as pending on the API access page in the SharePoint admin center. You must approve it using the least-privileged Microsoft Entra role possible. Which role must you use?

Correct answer: C. Global Administrator

Approving permissions for Microsoft Graph (or any other Microsoft API) on the API access page requires the Global Administrator role. Application Administrator is sufficient only for third-party APIs registered in the tenant, and that is the trap: the least-privilege instinct steers you away from Global Admin, but for a Graph scope no lesser role can approve.

Why the other options are wrong:

  • A. Cloud Application Administrator, like Application Administrator, is not sufficient to consent to Microsoft Graph permissions on this page.
  • B. SharePoint Administrator can reach related admin surfaces but cannot approve Microsoft Graph permission requests; the API access approval for Microsoft APIs is gated on Global Administrator.
  • D. Application Administrator can approve only third-party (non-Microsoft) API requests, not Microsoft Graph scopes.

Memory hook: Microsoft API (Graph) = Global Admin only; third-party API = Application Admin is enough.

Microsoft Learn: https://learn.microsoft.com/sharepoint/api-access

Your migration team will use Migration Manager in the Microsoft 365 admin center to move content from Box and Dropbox into SharePoint and OneDrive. You want to grant the least-privileged role that still lets them select sources, run migrations, download reports, and create destination sites, without giving broad control of SharePoint. Which role should you assign?

Correct answer: A. Microsoft 365 Migration Administrator

The Microsoft 365 Migration Administrator role grants exactly the permissions needed to run cloud-source migrations (Google Drive, Box, Dropbox, Egnyte) in Migration Manager from the Microsoft 365 admin center: selecting sources, creating inventories, executing migrations, downloading reports, and creating destination SharePoint sites/lists, without the broader access of SharePoint Administrator.

Why the other options are wrong:

  • B. SharePoint Administrator can do the job but grants far more than a migration needs, violating least privilege (it's only required to install the on-prem file-share agent, not for Box/Dropbox cloud jobs).
  • C. Global Administrator is the most highly privileged role and should be reserved for emergencies, not routine migration work.
  • D. Global Reader is read-only; it can't execute migrations or create destination sites.

Memory hook: Least privilege for cloud migrations = Migration Administrator, not SharePoint Admin.

Microsoft Learn: https://learn.microsoft.com/sharepointmigration/mm-migration-admin-role

An end user in SharePoint Online reports that they emptied their site Recycle Bin and can no longer find a deleted document there. Which statement correctly describes where the item went and who can recover it?

Correct answer: D. It moved to the second-stage (site collection) Recycle Bin, which only a site collection administrator can view and restore, for the remainder of the 93-day window.

When a user empties the first-stage (site) Recycle Bin, items go to the second-stage (site collection) Recycle Bin. This second-stage bin is not visible to end users (only a site collection administrator can view and restore its contents), and items stay there for the rest of the 93-day retention window before being purged.

Why the other options are wrong:

  • A. End users only see the first-stage Recycle Bin; the second-stage (site collection) bin is accessible only to site collection admins.
  • B. The Deleted sites page holds entire deleted site collections, not individual deleted documents from a live site.
  • C. Emptying the first-stage bin does not purge the item; it is moved to the second-stage bin for the remainder of the 93 days.

Memory hook: Empty the site bin and it lands in the site-collection bin: admin-only, second stage.

Microsoft Learn: https://learn.microsoft.com/sharepoint/sharepoint-data-deletion

During a data migration you must put a SharePoint Online site into a temporary read-only state so users can view content but cannot add, update, or delete it. Which command is correct, and which lock value does NOT exist in SharePoint Online?

Correct answer: B. Set-SPOSite -Identity <url> -LockState ReadOnly, and 'NoAdditions' is not a valid SharePoint Online lock state (it exists only in SharePoint Server).

SharePoint Online's Set-SPOSite -LockState supports exactly three values: Unlock, ReadOnly, and NoAccess. ReadOnly blocks additions, updates, and deletions while still allowing viewing, and it shows a maintenance/read-only message on the site, ideal for a migration freeze. NoAdditions is a SharePoint Server value only and is not accepted in SharePoint Online.

Why the other options are wrong:

  • A. 'Maintenance' is not a LockState value, and ReadOnly is a current, supported SharePoint Online lock state.
  • C. NoAdditions is the SharePoint Server value; SharePoint Online uses ReadOnly, which is fully valid.
  • D. NoAccess blocks all access (view included), so it doesn't meet the view-only requirement, and ReadOnly does exist in SharePoint Online.

Memory hook: SPO locks = Unlock / ReadOnly / NoAccess; NoAdditions is Server-only.

Microsoft Learn: https://learn.microsoft.com/sharepoint/manage-lock-status

During offboarding, HR blocks the employee's sign-in and the admin removes the user's license, but the account is not deleted from Microsoft Entra ID for several weeks. When does the OneDrive retention (deletion) countdown begin, and who is automatically granted access to the OneDrive?

Correct answer: D. It begins only when the account is deleted from Microsoft Entra ID; the deleted user's manager is automatically granted access.

The OneDrive cleanup clock starts only when the account is deleted from Entra ID; blocking sign-in and removing the license do not start it. On deletion, the user's manager (or the configured secondary owner) is automatically given access and emailed.

Why the other options are wrong:

  • A. License removal does not start the retention countdown.
  • B. Blocking sign-in does not start the countdown, and delegation goes to the manager, not automatically to the SharePoint admin.
  • C. License removal is not the trigger; the countdown starts at account deletion, and manager access is granted immediately, not after 30 days.

Memory hook: Only deletion starts the clock; the manager gets the keys.

Microsoft Learn: https://learn.microsoft.com/sharepoint/retention-and-deletion

A single department wants to pilot a custom SPFx web part on only their own site, without making it installable elsewhere in the tenant. The tenant app catalog already exists. What is the best approach?

Correct answer: B. Create a site collection app catalog on the department's site with Add-SPOSiteCollectionAppCatalog, then upload the .sppkg there.

A site collection app catalog exists exactly to make apps available within a single site collection. Adding one to the department's site and uploading the package there confines availability to that site without exposing the app tenant-wide.

Why the other options are wrong:

  • A. A tenant may have only one tenant app catalog (per geo), so a second one cannot be created.
  • C. Site Assets is a document library, not an app catalog; you cannot deploy an .sppkg solution by dropping it there.
  • D. Even with that checkbox cleared, an app in the tenant app catalog is still installable by any site in the tenant, so it is not scoped to one site.

Memory hook: One site, one catalog: the site collection app catalog scopes an app to a single site.

Microsoft Learn: https://learn.microsoft.com/sharepoint/dev/general-development/site-collection-app-catalog

A site owner needs a permission level identical to Edit but without the Delete Items permission. On the site's Permission Levels page, which statement about building this custom level is correct?

Correct answer: D. Copy an existing level such as Edit or Contribute and clear the unwanted permission; Full Control and Limited Access cannot be copied or modified.

You can change any default permission level except Full Control and Limited Access, which cannot be customized or deleted. The standard method to build a custom level is to copy a close default (like Edit or Contribute) and clear the permissions you do not want; edits to a copied level do not affect the originals.

Why the other options are wrong:

  • A. Editing a copied level is independent; changes to one custom or default level do not cascade to other levels.
  • B. Permission levels are created and copied on the site (Site Settings, then Site Permissions, then Permission Levels), not in the SharePoint admin center.
  • C. Full Control and Limited Access specifically cannot be copied or modified, so they are invalid starting points.

Memory hook: Copy any level to customize - except the untouchables: Full Control and Limited Access.

Microsoft Learn: https://learn.microsoft.com/sharepoint/understanding-permission-levels

With OneDrive Files On-Demand enabled, a user is about to board a long flight and needs a specific cloud-only (online-only) document available offline. Which action guarantees the file's contents are downloaded and kept on the device?

Correct answer: C. Right-click the file and choose "Always keep on this device."

"Always keep on this device" pins the file (attrib +p), forcing a download and keeping a local copy even when Files On-Demand would otherwise dehydrate it to online-only.

Why the other options are wrong:

  • A. Wrong. Opening a file makes it "locally available," but Storage Sense can later dehydrate it; it is not a permanent pin.
  • B. Wrong. "Free up space" does the opposite: it removes the local copy and makes the file online-only.
  • D. Wrong. Moving the file out of the OneDrive folder breaks sync rather than ensuring offline availability.

Memory hook: 'Always keep on this device' = pinned = it's there on the plane.

Microsoft Learn: https://learn.microsoft.com/sharepoint/onedrive-overview

An admin enables "Allow syncing only on computers joined to specific domains" and adds the on-premises AD domain GUIDs (Set-SPOTenantSyncClientRestriction -Enable -DomainGuids "..."). Afterward, users on cloud-only, Microsoft Entra joined laptops report that their sync is not restricted as expected. Why, and what should be used instead?

Correct answer: D. This restriction applies only to Active Directory domain-joined devices, not Microsoft Entra joined devices; use a Conditional Access policy for those.

The domain-GUID sync restriction applies only to Active Directory domain membership and does not cover Microsoft Entra joined (or Workplace joined) devices. Microsoft directs admins to use a Conditional Access policy with the sync app for Entra-only devices.

Why the other options are wrong:

  • A. BlockMacSync governs Mac sync clients, not Entra joined Windows devices.
  • B. Waiting will not help because Entra joined devices are never covered by this setting.
  • C. This field takes AD domain GUIDs, not tenant IDs; tenant IDs are the separate "allow syncing for only specific organizations" (AllowTenantList) control.

Memory hook: Domain GUIDs = AD only; Entra-joined needs Conditional Access.

Microsoft Learn: https://learn.microsoft.com/sharepoint/allow-syncing-only-on-specific-domains

During an acquisition you run a cross-tenant OneDrive migration with Start-SPOCrossTenantUserContentMove. You pre-created and licensed all target users, established trust, and uploaded the identity map. For a subset of users the migration fails immediately. Investigation shows those users had already signed in to the target tenant, and their OneDrive had been auto-provisioned there. What is the correct explanation and fix?

Correct answer: D. A OneDrive site must NOT already exist for the user on the target tenant - an existing target OneDrive cannot be overwritten, so the move fails. Restrict OneDrive creation on the target and remove the pre-existing sites before migrating.

For cross-tenant OneDrive migration, OneDrive sites should not be created before or during the migration. If a target OneDrive already exists for the user, the migration fails because the existing site cannot be overwritten. Microsoft's guidance is to restrict OneDrive creation on the target tenant to prevent users from provisioning sites.

Why the other options are wrong:

  • A. The Cross-Tenant User Data Migration license can be assigned on either the source or the target object; license placement did not cause these failures since all users were licensed.
  • B. Cross-tenant moves are one-and-done; incremental and delta passes cannot be performed, so rerunning will not merge into an existing site.
  • C. The OneDrive limit is 5 TB or 1 million items, not 400 items; 400 is the maximum full-path character length, which is unrelated to pre-provisioning.

Memory hook: Target OneDrive must be absent - a pre-provisioned site can't be overwritten, so the move fails.

Microsoft Learn: https://learn.microsoft.com/microsoft-365/migration/cross-tenant-onedrive-migration

An engineer builds an unattended PnP PowerShell job to run nightly against SharePoint Online. It registers an Entra ID app and authenticates app-only using a client secret with the SharePoint Sites.FullControl.All application permission (admin-consented). Interactive tests worked, but the unattended app-only calls fail with 'Unsupported app only token' / Access Denied. What is the correct fix?

Correct answer: D. Replace the client secret with a certificate; SharePoint Online blocks app-only access authenticated by a client secret and requires certificate-based credentials

SharePoint Online does not accept client-secret-based app-only tokens; such requests return 'Unsupported app only token' / Access Denied. App-only access to SharePoint Online must use certificate-based credentials (for example, Connect-PnPOnline with a certificate thumbprint). PnP PowerShell's Register-PnPAzureADApp can automate creating the app registration and a self-signed certificate for exactly this flow.

Why the other options are wrong:

  • A. -Interactive forces a human, MFA-capable sign-in, which is impossible for an unattended scheduled job; it does not address the app-only token restriction.
  • B. A delegated permission requires an interactive signed-in user, which defeats the unattended requirement; the failure is caused by the client-secret token type, not the permission delegation model.
  • C. Granting the app a directory admin role is unnecessary and unrelated; SharePoint Online rejects the token because it was obtained with a secret rather than a certificate.

Memory hook: SPO app-only = certificate only. A client secret gets 'Unsupported app only token.'

Microsoft Learn: https://learn.microsoft.com/sharepoint/dev/solution-guidance/security-apponly-azuread

An organization must migrate content from an on-premises SharePoint Server 2016 farm and, separately, from a Google Workspace estate. The lead asks which Microsoft-provided tool covers which source. Which statement is correct?

Correct answer: D. Migration Manager handles Google Workspace (along with file shares, Box, and Dropbox), but SharePoint Server content must be migrated with SPMT

Migration Manager covers file shares and cloud sources, including Google, Dropbox, and Box, but it explicitly does not support migrating content from SharePoint Server. That job belongs to SPMT. So this scenario needs both tools: SPMT for the SharePoint Server 2016 farm, Migration Manager for Google Workspace.

Why the other options are wrong:

  • A. Migration Manager does support Google Workspace migrations, so no third-party tool is required for that source.
  • B. Migration Manager is a current, supported tool (not retired), and SPMT does not migrate cloud sources such as Google Workspace.
  • C. Migration Manager explicitly does not support SharePoint Server content; that scenario belongs to SPMT.

Memory hook: Migration Manager = file shares + cloud (Google/Box/Dropbox). SharePoint Server = SPMT.

Microsoft Learn: https://learn.microsoft.com/sharepointmigration/mm-faqs