20+ Free MS-102 Exam Questions on Microsoft 365 Administrator Certification

The MS-102 exam, also known as the Microsoft 365 Administrator (beta) exam, is your gateway to mastering the ins and outs of Microsoft 365 administration.

Achieving the MS-102 certification can open doors to exciting career opportunities in administrator roles and demonstrate your expertise in one of the most widely used productivity suites in the world. But preparing for the exam requires dedication, resources, and practice.

Here we have put together essential resources such as real MS-102 practice exam questions for free. These MS-102 sample questions help you make remarkable progress in your MS-102 exam preparation.

Let’s dig in!

Top 20+ Free MS-102 practice Exam Questions on Microsoft 365 Administrator

Here are some Microsoft MS-102 certification exam questions and answers for you:

Domain: Implement and manage identity and access in Azure AD

Question 1: Multi-Factor Authentication is enabled for a company. One of the users has chosen to get a code on the phone; however, he lost his mobile. As per company policy, MFA should never be turned off. As an administrator, what will be your immediate step?

A. Reset Password
B. Reset User MFA Settings
C. Enable SSPR
D. Disable MFA

Correct Answer: B

Explanation

Option A is Incorrect: Resetting the password will not help the user sign in; it would still ask for the code, which is sent to the authentication phone that was provided earlier and is now lost.

Option B is Correct: From Azure AD, an admin can reset the user’s MFA settings. Once this reset is done, the user can provide the authentication method again and then choose the option that is suitable at that point in time.

Option C is Incorrect: Enabling SSPR will help users reset passwords on their own; however, it won’t help in resetting MFA settings.

Option D is Incorrect: Since the company policy is to not turn off MFA, this option is out of scope.

Reference: Manage authentication methods for Azure AD Multi-Factor Authentication – Azure Active Directory – Microsoft Entra | Microsoft Docs

Domain: Deploy and manage a Microsoft 365 tenant

Question 2: A Cloud Engineer is deploying Microsoft Intune for your organization to secure and manage devices and has created some policies to be pushed to the enrolled users. Due to licensing reasons, the policy is not getting pushed to the user devices. Select which licenses you can assign to the user so that Intune policies start working.

A. Microsoft 365 Business Premium
B. Azure Information Protection P2
C. Microsoft 365 Business Standard
D. Enterprise Mobility and Security
E. Microsoft 365 F3
F. Microsoft 365 F1

Correct Answers: A, D and E

Explanation

Users need to have a Microsoft Intune service assigned to them for policies to be deployed to their devices.

Option A is Correct: Microsoft 365 Business Premium includes the Intune service, hence this license can be assigned to resolve the deployment issue for Intune.

Option B is Incorrect: Azure Information Protection licenses are used to deploy Azure Information Protection, which helps organizations discover, classify, label, and protect sensitive emails and documents. Hence this license will not help with Intune.

Option C is Incorrect: The Microsoft 365 Business Standard license doesn’t have any advanced security and compliance settings like Defender, Intune, Information Protection, etc.

Option D is Correct: The EMS license includes Microsoft Intune, hence this is the correct answer since Intune is required for the solution.

Option E is Correct: Microsoft 365 F3 provides apps and services for first-line workers, and it includes Microsoft Intune services within the subscription.

Option F is Incorrect: Microsoft 365 F1 provides apps and services for first-line workers; however, this plan does not include Microsoft Intune services.

Reference: Licenses available for Microsoft Intune | Microsoft Docs

Domain: Deploy and manage a Microsoft 365 tenant

Question 3: An organization wants to have 20 mailboxes, out of which 2 mailboxes, whizlabs@abc.com and whizInfo@abc.com, need to be shared among 2 users, User A and User B. In addition, 5 of your users are field service agents who don’t require a desktop version of Office Apps. As a Microsoft 365 Administrator, you have the task to procure licenses, assign them to the users, and provision mailboxes at a minimum cost.

Solution: The administrator procured 15 Microsoft 365 Business Standard licenses and 5 Microsoft 365 Business Basic licenses. Is the above solution for the license procurement correct?

A. Yes
B. No

Correct Answer: B

Explanation

The above solution is incorrect. The administrator should have procured 13 M365 Business Standard licenses and 5 M365 Business Basic licenses for field service agents, since they do not require Office desktop applications. Support@abc.com and Info@abc.com don’t need a license, as they can be created as shared mailboxes, and User A and User B must be added as delegates on these shared mailboxes.

References: About shared mailboxes – Microsoft 365 admin | Microsoft Docs, Compare All Microsoft 365 Plans | Microsoft

Domain: Deploy and manage a Microsoft 365 tenant

Question 4: As a user, you are facing some issues with your Microsoft 365 Apps activation and you have asked your administrator to raise a service request with Microsoft. Where should the service request be raised from?

A. Microsoft Power Platform Admin Center
B. Azure Active Directory
C. Microsoft 365 Admin Center
D. Endpoint Manager Admin Center

Correct Answer: C

Explanation

Option A is incorrect: You can raise a service request from the Power Platform Admin Center, but only for other Microsoft services such as Dynamics 365, BI, F&O, Power Apps, Power Automate, etc. Here you need to raise a service request for Microsoft 365 Business Apps, hence this is incorrect.

Option B is incorrect: You can raise a service request here with respect to Azure services and Enterprise Mobility and Security; however, you need to raise a service request for Microsoft 365 Business Apps, hence this is incorrect.

Option C is correct: You can raise all Microsoft 365 Apps and Services-related queries here, so this is the correct answer.

Option D is incorrect: You can raise service requests in the Endpoint Manager admin center with respect to Microsoft Intune, etc.; however, you need to raise a service request for Microsoft 365 Business Apps, hence this is incorrect.

References: https://support.rm.com/TechnicalArticle.asp?cref=TEC3877606, Preview: new Dynamics 365 support center – Microsoft Dynamics 365 Blog

Domain: Deploy and manage a Microsoft 365 tenant

Question 5: As an administrator, you need to create a user in a Microsoft 365 tenant. While creating the user, you find out that you do not have licenses available. Can you still proceed to create the user?

A. Yes
B. No

Correct Answer: A

Explanation

Even if you do not have licenses available, you can still create a user using the option “create a user without product license”.

Reference: https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/add-users?view=o365-worldwide

Domain: Deploy and manage a Microsoft 365 tenant

Question 6: As a Global Administrator, you want User A to assist you in some of the administrative tasks. Which administrative role will you assign to User A so that they can reset the password for other admins as well?

A. Service Support Administrator
B. Global Administrator
C. Password Administrator
D. Helpdesk Administrator

Correct Answers: B and D

Explanation

Option A is Incorrect: Service Support Administrator can open and manage service requests, manage the message center, and monitor service health. It cannot reset passwords for any other users.

Option B is Correct: Global Administrator can reset passwords for all other users and administrators, hence this answer is correct. Apart from that, Global Admin has all the rights across other Microsoft 365 services such as OneDrive, SharePoint Online and Azure AD.

Option C is Incorrect: Password Administrators can only reset passwords for non-administrators and Password Administrators.

Option D is correct: Helpdesk Administrator helps in resetting passwords, managing service requests, monitoring service health, etc. Using this role you can reset passwords for a few other admin roles like password admin, helpdesk admin, etc.; however, it cannot reset the password for all the other admins, such as Global Admins.

References: Azure AD built-in roles – Azure Active Directory – Microsoft Entra | Microsoft Docs, https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide

Domain: Implement and manage identity and access in Azure AD

Question 7: As a Global Administrator of your Microsoft 365 tenant, you need to implement Conditional Access. You will need an Azure AD Premium P2 license to have this functionality available. Is this a correct solution?

A. Yes
B. No

Correct Answer: B

Explanation

To implement Conditional Access, an Azure AD Premium P1 license is sufficient.
Azure AD Premium P2 adds more security features to the tenant, such as vulnerabilities and risky account detection, Access Review, etc.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

Domain: Deploy and manage a Microsoft 365 tenant

Question 8: As an administrator, you need to create a Shared Mailbox on which your Manager wants to have “Send As” permission. Which of the following steps will you perform to provide “Send As” permission?

A. Manage Alias
B. Manage Shared Mailbox Feature
C. Manage Shared Mailbox Delegation
D. Manage Roles

Correct Answer: C

Explanation

Option A is Incorrect: Adding an alias to the Shared Mailbox does not give “Send As” permission, hence this option is incorrect. Adding an alias can help in receiving emails.

Option B is Incorrect: With Shared Mailbox Feature, you can manage policies on the mailbox such as the retention policy, and you can also manage email forwarding, Mailbox Hold, and a lot more. However, you won’t be able to manage the Send As permission on the mailbox.

Option C is Correct: With Shared Mailbox Delegation you can manage delegate permissions on the Shared Mailbox, which are “Full Access”, “Send on Behalf” and “Send As”, hence this answer is correct.

Option D is Incorrect: With Manage Roles on the Shared Mailbox, you can provide admin permissions to the Shared Mailbox itself, which is not required anyway, and it does not provide Send As permission.

Reference: https://docs.microsoft.com/en-us/exchange/collaboration-exo/shared-mailboxes

Domain: Deploy and manage a Microsoft 365 tenant

Question 9: When a user “User1@abc.com” is deleted from the Active Users list, it goes under the “Deleted Users” option inside the Microsoft 365 Admin Center, and the user will be permanently deleted after 30 days. As a Global Administrator, you need to permanently delete the user “User1@abc.com” before 30 days, for which you need to use PowerShell. Which command will you use to achieve the requirement?

A. Remove-MsolUser -UserPrincipalName "user1@abc.com"
B. Remove-MsolUser -UserPrincipalName "user1@abc.com" -Force
C. Remove-MsolUser -UserPrincipalName "davidchew@contoso.com" -RemoveFromRecycleBin
D. Remove-Mailbox -Identity "User1@abc.com" -Permanent $true

Correct Answer: C

Explanation

Option A is Incorrect: This command removes the user “User1@abc.com” from Azure Active Directory (will not delete permanently) and the command will ask for confirmation. Since this user will remain in the recycle bin, this option is incorrect.

Option B is Incorrect: This command removes the user “User1@abc.com” from Azure Active Directory and the command will not ask for any confirmation, as it will be forced. However, this user is already deleted from the Active Users list, so this option is incorrect.

Option C is Correct: This command removes the user “User1@abc.com” from the Azure Active Directory Recycle Bin (Deleted Users) and the command does require confirmation. Since this command removes the user permanently from the Recycle Bin before 30 days, this is a correct option.

Option D is Incorrect: This command removes the mailbox and the user account for user “User1@abc.com”; the mailbox remains in the mailbox database as per the applied Retention Policy. However, this user is already deleted, so this command will not apply in this scenario, hence incorrect.

Reference: https://docs.microsoft.com/en-us/powershell/module/msonline/remove-msoluser?view=azureadps-1.0

Domain: Deploy and manage a Microsoft 365 tenant

Question 10: Several employees from your company have raised an issue that users are unable to view other users’ video feeds in Microsoft Teams meetings. As a Global Administrator, you should first check the Service Health to determine whether this is a known issue with a resolution in progress, before having a support ticket raised. Is the above statement correct?

A. Yes
B. No

Correct Answer: A

Explanation

With the Service Health option in the Microsoft 365 Admin Center you can view the health of Microsoft 365 services. In this case, since several users are facing the same issue, it is always recommended to check the Service Health first and then go for Support Requests.

Reference: https://docs.microsoft.com/en-us/microsoft-365/enterprise/view-service-health?view=o365-worldwide

Domain: Deploy and manage a Microsoft 365 tenant

Question 11: As a Global Administrator, you have been asked to remove a user mailbox from Exchange Online. Which cmdlet will you use to remove the mailboxes?

A. Remove-MsolUser
B. Remove-TeamUser
C. Remove-Mailbox
D. Remove-MailboxPermission

Correct Answers: A and C

Explanation

Option A is Correct: With the Remove-MsolUser cmdlet, you can delete the user from the Active Users list, which removes everything like the mailbox, files, etc. The User Account is hard deleted. Hence this option removes the mailbox.

Option B is Incorrect: With the Remove-TeamUser cmdlet, you can remove the team owner or user from a team and from the unified group which backs the team; however, the mailbox is not deleted. Hence this option is incorrect.

Option C is Correct: With the Remove-Mailbox cmdlet, you can delete the mailbox and the associated User Account, hence this option is correct.

Option D is Incorrect: With Remove-MailboxPermission, you can remove user permissions like Full Access permission, etc., from a user’s mailbox. Hence this option is incorrect.

References: https://docs.microsoft.com/en-us/powershell/module/teams/remove-teamuser?view=teams-ps, https://docs.microsoft.com/en-us/powershell/module/exchange/remove-mailbox?view=exchange-ps, https://docs.microsoft.com/en-us/powershell/module/msonline/remove-msoluser?view=azureadps-1.0, https://docs.microsoft.com/en-us/powershell/module/exchange/remove-mailboxpermission?view=exchange-ps

Domain: Implement and manage identity and access in Azure AD

Question 12: As a Global Administrator, you want to add an application to Azure Active Directory. This is a business application which requires all the users to sign in on a daily basis. Hence you decided to enable Single Sign On for this application. Where exactly can you add or integrate the application into Microsoft Azure?

A. Microsoft Intune
B. Enterprise Application
C. Azure AD Domain Services
D. Storage Accounts

Correct Answer: B

Explanation

Option A is Incorrect: Microsoft Intune is a service that focuses on device management, basically how you control your organization’s devices, but it does not have any option to add an application and enable Single Sign On.

Option B is Correct: Enterprise Application in Azure Active Directory is the place where you can add any enterprise application and then implement Single Sign On for the application, hence this is the correct answer.

Option C is Incorrect: Azure AD Domain Services enables you to manage domain services such as Windows domain join, Group Policy, etc., but does not register any enterprise application.

Option D is Incorrect: Storage Accounts is the Azure Storage platform, Microsoft’s cloud storage solution for modern data storage, which is scalable, durable, and highly available. This does not register any enterprise applications.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-setup-sso

Domain: Deploy and manage a Microsoft 365 tenant

Question 13: As a License Administrator, you have been asked to get license details like Purchase Information, Status, Billing Frequency, etc. However, when you go to the Microsoft 365 Admin Center, it is not accessible due to an outage. In this case, you can get the above-stated license details from the Azure Active Directory Admin Center. Is the above solution correct?

A. Yes
B. No

Correct Answer: B

Explanation

You can view license details like Purchase Information, Status, and Billing Frequency, and manage subscription and payment settings, from the Microsoft 365 Admin Center only.

From the Azure Active Directory Admin Center, you can only assign and remove licenses for users and get a few other details like Service Plan Details, etc.

Reference: https://docs.microsoft.com/en-us/power-platform/admin/use-office-365-admin-center-manage-subscription

Domain: Deploy and manage a Microsoft 365 tenant

Question 14: The CEO of a company wants you to create a Microsoft 365 Group which only invited users can join, and emails to the group need to arrive in the group members’ inboxes. Which are the correct steps from the options below?

A. Select “Private” as a Privacy Settings of the Group
B. Enable “Let people outside the organization email this team” from the Email Settings of the Group
C. Enable “Send copies of team emails and events to team members’ inboxes” from the Email Settings of the Group
D. Enable “Don’t show team email address in Outlook” from the Email Settings of the Group

Correct Answers: A and C

Explanation

Option A is correct: With this option, only the invited users can join the group. If we select “Public” in the privacy setting, any user can join; hence this option is correct.

Option B is incorrect: By enabling this option, any users from outside the organization can email this group. Since this is not required in this scenario, the option is incorrect.

Option C is correct: By enabling this option, any emails sent to the group are also sent to the group members’ inboxes, which is the requirement, hence this option is correct.

Option D is incorrect: By enabling this option, the group email address wouldn’t show up in Outlook, and since this is not required in this scenario, the option is incorrect.

Reference: https://docs.microsoft.com/en-us/microsoft-365/admin/create-groups/manage-groups?view=o365-worldwide

Domain: Deploy and manage a Microsoft 365 tenant

Question 15: The CEO of your company wants to check the Productivity Score of the Microsoft 365 tenant. As a Global Administrator, you need to assign him a role which has the capability to check the Productivity Score. Which role will you assign?

A. Report Reader
B. Service Support Administrator
C. Global Admin
D. Helpdesk Administrator

Correct Answers: A and C

Explanation

Option A is Correct: Report Reader has permission to read usage reporting data from the dashboard, sign-in reports, etc., and also has access to the Productivity Score, hence this option is correct.

Option B is Incorrect: Service Support Administrator has permission to create and manage Microsoft 365 service requests and can monitor tenant health. This role doesn’t provide permission to check the Productivity Score, hence this is incorrect.

Option C is Correct: Global Admin has access to everything in the Microsoft 365 tenant, hence this option is correct.

Option D is Incorrect: The Helpdesk Administrator has permission to reset passwords, manage service requests, and monitor Microsoft 365 tenant health; however, it has no permission to check the Productivity Score, hence this option is incorrect.

Reference: https://docs.microsoft.com/en-IN/microsoft-365/admin/productivity/productivity-score?WT.mc_id=365AdminCSH_inproduct&view=o365-worldwide

Domain: Deploy and manage a Microsoft 365 tenant

Question 16: Your company is using a Microsoft 365 subscription. Recently one user joined your organization as a helpdesk administrator. You have to delegate admin privileges to the new user. What are the steps you need to take to delegate the privileges from the Microsoft 365 admin center?

A. Select the Admin Center Access
B. Active User in the Microsoft admin Center
C. Under the Roles Select Manage Roles
D. Assign the Role
E. Active Users > Select the User
F. Click on the Save changes

Correct Answer: B, E, C, A, D and F

Explanation

There are several ways to delegate admin privileges to users. If your account has admin privileges, you can delegate roles to other users by following the steps below.

  • Active User in the Microsoft admin Center (Log in to the Microsoft 365 admin center and, on the left side, click on Users)
  • Active Users > Select the User (Under Users, select Active Users, find the user in the list, and select the user)
  • Under the Roles Select Manage Roles (In the pop-up window, find Roles and click on Manage roles)
  • Select the Admin Center Access. (The Manage admin roles window will appear; select the Admin center access check box)
  • Assign the Role. (Find the role which you want to assign to the user)
  • Click on the Save changes.

Reference: Assign admin roles the Microsoft 365 admin center – Microsoft 365 admin | Microsoft Docs

Domain: Deploy and manage a Microsoft 365 tenant

Question 17: Your company has a Microsoft 365 subscription. There are many users with multiple different licenses assigned. You need to check what types of licenses and how many licenses are available in your company, and how many are assigned to users. In order to check your company’s license usage and category, what steps must you follow?

A. Open Microsoft 365 admin Center
B. Select the Under the Billing
C. Select the Billing Account
D. Select the Your Products
E. Select the Bill & Payment

Correct Answers: A, B and D

Explanation

  • A. Microsoft 365 admin Center (open the Microsoft 365 admin center)
  • B. Under the Billing (on the left side, expand the Billing menu)
  • D. Your Products (select Your products)

There are several ways to check Microsoft 365 licenses, but this is the easiest and most effective way. In the Microsoft 365 admin center, under Billing, you can select either Licenses or Your products; both are correct options. However, you can get more information in the Your products section.

Option A is correct because we can check all the license details from the Microsoft 365 admin center.

Option B is correct because when you open the Microsoft 365 admin center, you will see the Billing blade on the left side. More options will appear when you expand the menu.

Option C is incorrect because in the billing account you can manage your account settings, invoices, payment methods, and purchases. Here you cannot check your company’s license consumption. Hence this is the wrong option.

Option D is correct because this option gives you more granularity about the license usage and what licenses you have. You can also increase and decrease existing licenses from this option.

Option E is incorrect because this option only lets you check generated invoice details, add a new payment method, and access Billing profile details. Hence this is an invalid option.

Reference: What Microsoft 365 business product or license do I have?

Domain: Implement and manage identity and access in Azure AD

Question 18: You are planning to purchase Azure Active Directory. You review the features of Microsoft Azure Active Directory. Match the Azure Active Directory (Azure AD) features to the correct description on the right.

1. Azure Active Directory Free
2. Azure Active Directory Premium P1
3. Azure Active Directory Premium P2

A. Multi-Factor Authentication (MFA), Self-Service Password Reset (SSPR), Single sign-on (SSO), Self-service group management- cloud user
B. Multi-Factor Authentication (MFA), Self-Service Password Reset (SSPR), Single sign-on (SSO), Privileged Identity Management (PIM)
C. Multi-Factor Authentication (MFA), Self-Service Password Reset (SSPR), Single sign-on (SSO), Global password protection and management

Correct Answer: 1-C, 2-A and 3-B

Explanation

  • Azure Active Directory Free – Multi-Factor Authentication (MFA), Self-Service Password Reset (SSPR), Single sign-on (SSO), Self-service group management- cloud user
  • Azure Active Directory Premium P1 – Multi-Factor Authentication (MFA), Self-Service Password Reset (SSPR), Single sign-on (SSO), Privileged Identity Management (PIM)
  • Azure Active Directory Premium P2 – Multi-Factor Authentication (MFA), Self-Service Password Reset (SSPR), Single sign-on (SSO), Global password protection and management

Azure Active Directory Free. Provides user and group management, on-premises directory synchronization, basic reports, self-service password change for cloud users, and single sign-on across Azure, Microsoft 365, and many popular SaaS apps. The free edition is included with subscriptions to Office 365, Azure, Dynamics 365, Intune, and Power Platform. Global password protection is a feature of Azure AD for reducing the risk of users setting weak passwords. A global banned password list with known weak passwords is automatically updated and enforced by Microsoft.

Azure Active Directory Premium P1. In addition to the Free features, P1 also lets your hybrid users access both on-premises and cloud resources. It also supports advanced administration, such as dynamic groups, self-service group management, Microsoft Identity Manager, and cloud write-back capabilities, which allow self-service password reset for your on-premises users.

Azure Active Directory Premium P2. In addition to the Free and P1 features, P2 also offers Azure Active Directory Identity Protection to help provide risk-based Conditional Access to your apps and critical company data and Privileged Identity Management to help discover, restrict, and monitor administrators and their access to resources and to provide just-in-time access when needed.

References: What is Azure Active Directory? – Microsoft Entra | Microsoft Docs, Azure Active Directory Pricing | Microsoft Security

Domain: Deploy and manage a Microsoft 365 tenant

Question 19: Among the Microsoft 365 Enterprise subscriptions, which Enterprise subscription does not include the Office suite applications to install locally on the machine?

A. Microsoft 365 apps for enterprise
B. Office 365 F3
C. Office 365 E3
D. Office 365 E5

Correct Answer: B

Explanation

Office 365 F3 provides you with similar features as compared to other plans, but it doesn’t allow users to install Office apps on a local PC, as this plan provides you only basic security features. There is a significant price difference between this plan and other plans.

Option A is incorrect because Microsoft 365 Apps for enterprise (formerly Office 365 Pro Plus) includes online versions of Office, including Word, Excel, and PowerPoint, and cloud file storage and sharing capabilities with 1-TB storage per user. Microsoft 365 Apps for enterprise also includes the option to fully install Office applications locally.

Option B is correct because Office 365 F3 (formerly F1) is designed for Firstline Workers. It doesn’t include a license to install Office applications locally because it’s a cloud-based subscription that only provides access to online versions of Office.

Option C is incorrect because Office 365 E3 includes business services such as email, file storage, and sharing, Office for the web, meetings, and IM, and more, plus the ability to install Office applications locally.

Option D is incorrect because Office 365 E5 includes all the features of the E3 subscription, plus advanced security, analytic tools, public switched telephone network (PSTN) conferencing, and cloud PBX (private branch exchange) for cloud-based call management.

References: Review the subscription options in Microsoft 365 – Training | Microsoft Learn, Compare Microsoft Enterprise Software Plans | Microsoft 365

Domain: Deploy and manage a Microsoft 365 tenant

Question 20: You have a Microsoft 365 Business Premium subscription. You have been tasked to create a group where all partner users can collaborate with your company users and share files/documents, emails, and calendar events with each other. What type of group should you create?

A. Distribution Group
B. Security Group
C. Dynamic security group
D. Microsoft 365 Group

Correct Answer: D

Explanation

Microsoft 365 Groups are used for collaboration between users, both inside and outside your company. With each Microsoft 365 Group, members get a group email and shared workspace for conversations, files, and calendar events, Stream, and a Planner. You can add people from outside your organization to a group as long as this has been enabled by the administrator. You can also allow external senders to send emails to the group email address.

Option A is incorrect because Distribution groups are used only for sending emails to groups of people. They can receive an external email if enabled by the administrator. Hence this is an invalid option.

Option B is incorrect because security groups are used for granting access to Microsoft 365 resources, such as SharePoint, Intune, etc. They can make administration easier because you need only administer the group rather than adding users to each resource individually. Hence this is an invalid option.

Option C is incorrect because Dynamic security groups are similar to security groups, but the membership is based on a specific group of people with specific attributes, such as department or location. These attributes are defined in Azure AD. Hence this is an invalid option.

Option D is correct because this option is the recommended group type. It’s similar to distribution groups because it has its own mailbox, and all members of this group can receive email messages that are sent to the group. However, it differs from distribution groups in that it allows members to collaborate by providing them with a shared workspace for email, conversations, files, and calendar events. Hence this is a valid option.

Reference: Compare groups – Microsoft 365 admin | Microsoft Learn

Domain: Deploy and manage a Microsoft 365 tenant

Question 21: You have a Microsoft 365 subscription. Users in your company have reported that their office phone number is not displayed in their signatures whenever they send emails. You must update all company users’ office numbers immediately. What command should you run from PowerShell?

A. Get-MsolUser -All | Set-MsolUser -PhoneNumber "12345-98765"
B. Set-MsolUser -All | Get-MosolUser -PhoneNumber "12345-98745"
C. Get-MsolUser -All | Set-MsolUser -OfficeNumber "12345-98765"
D. Get-MsolUser -All | Set-MsolUser -OfficePhone "12345-98765"

Correct Answer: A

Explanation

PowerShell is a powerful tool, and it can manage all users’ attributes with a single command. To use PowerShell, you need to install a couple of modules and then connect PowerShell to your Microsoft 365 tenant. After that you can run this command and change all users’ attributes with a single command.

Option A is Correct because the Get-MsolUser command will retrieve all users with a valid license in the Office 365 tenant, along with the DisplayName, City, Department, and ObjectID parameters, and the Set command is used when we update any attributes. Hence this is a valid option.

Options B, C & D are incorrect because these commands are in the wrong sequence. If you run any of these, it will give you an error. Hence these are invalid options.

Reference: Configure Microsoft 365 user account properties with PowerShell – Microsoft 365 Enterprise | Microsoft Learn

Domain: Deploy and manage a Microsoft 365 tenant

Question 22: You have a Microsoft 365 E3 subscription. You are configuring a password expiration policy to improve the security of your tenant and ensure that all users must change their password every three months. In Password protection, a custom banned password list is enabled. What are the steps you should follow to set up a password expiration policy?

A. Microsoft 365 admin
B. Select the Org Settings
C. Expand the Settings Menu
D. Select the Security & Privacy Tab
E. Click on the Password expiration policy and then Make the changes

Correct Answer: A, C, B, D and E

Explanation

You must have Global admin access to make changes to the expiration policy. An admin can set users' passwords to expire after a certain number of days or set passwords to never expire. By default, passwords are set to never expire for your organization.

  • Go to the Microsoft 365 admin center.
  • Expand Settings in the left-side menu.
  • Click Org settings. If you aren’t a global admin or security admin, you won’t see the Security & privacy option.
  • Select the Security & Privacy tab.
  • Select the Password expiration policy and uncheck the "password never expires" box.

Type how often passwords should expire. Choose a number of days from 14 to 730.

Reference: Set the password expiration policy for your organization – Microsoft 365 admin | Microsoft Learn

Domain: Implement and manage identity and access in Azure AD

Question 23: You have an Azure Active Directory (Azure AD) tenant that syncs with an on-premises Active Directory domain. Match the AD Connect Authentication Features on the left to the correct description on the right.

| AD Connect authentication feature | Description |
|---|---|
| 1. Pass-through Authentication | A. Synchronizes the password in hash form in Active Directory to Azure AD. The end user can use the same password on-premises and in the cloud but only manage it in one location. |
| 2. Password hash synchronization | B. This method allows password changes in the cloud to be synced back to an on-premises directory in real time by using AD Connect or AD Connect cloud sync. |
| 3. Password writeback | C. This method allows users to sign in to both on-premises and cloud-based applications using the same passwords. In this authentication, users are authenticated from on-premises Active Directory. |

Correct Answer: 1-C, 2-A and 3-B

Explanation

  • Pass-through Authentication – This method allows users to sign in to both on-premises and cloud-based applications using the same passwords. In this authentication, users are authenticated from on-premises Active Directory.
  • Password hash synchronization – Synchronizes the password in hash form in Active Directory to Azure AD. The end user can use the same password on-premises and in the cloud but only manage it in one location.
  • Password writeback – This method allows password changes in the cloud to be synced back to an on-premises directory in real time by using AD Connect or AD Connect cloud sync.

Pass-through Authentication – Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. This feature validates users’ passwords directly against your on-premises Active Directory. An on-premises Authentication Agent retrieves the username and encrypted password from the request.

Password hash synchronization – Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity. Azure AD Connect synchronizes a hash of the hash of a user’s password from an on-premises Active Directory instance to a cloud-based Azure AD instance. Password hash synchronization helps by reducing the number of passwords your users need to maintain to just one. The AD Connect server stores the user’s password in hash form.

Password writeback – Password writeback is a feature of Azure AD Connect. It ensures that when a password changes in Azure AD (password change, self-service password reset, or an administrative change to a user password), it is written back to the local AD, provided it meets the on-premises AD password policy.

Reference: What is hybrid identity with Azure Active Directory? – Microsoft Entra | Microsoft Learn

Domain: Deploy and manage a Microsoft 365 tenant

Question 24: Your organization has a Microsoft 365 tenant. You are working for your company as an IT support engineer. You have been tasked by your manager to check the current service incident and advisories status as well as track the status of issues that were reported by your company users. What are the steps you should follow to achieve the task?

A. Microsoft 365 Admin Center
B. Expand the Reports Blade
C. Expand the Health Blade
D. Select the Service Health
E. In the Dashboard

Correct Answers: A, C and D

Explanation

In Microsoft 365, you can view the health of your Microsoft services, including Office on the web, Yammer, Microsoft Dynamics CRM, and mobile device management cloud services, on the Service health page in the Microsoft 365 admin center. If you’re experiencing a problem with a cloud service, you can check the service’s health to determine whether the problem is a known issue with a resolution in progress before you call support or spend time troubleshooting.

  • Log in to the Microsoft 365 admin center with admin credentials.
  • On the left side, expand the Health blade menu.
  • Then select Service Health. On the Overview tab, you can check all the incidents and advisories, and on the Reported issues tab, you can check all the issues reported by company users.

Reference: How to check Microsoft 365 service health – Microsoft 365 Enterprise | Microsoft Learn

Domain: Implement and manage identity and access in Azure AD

Question 25: WhizLabs Ltd is an IT solution company that provides its services worldwide. WhizLabs has 700 active users, with its main office in Delhi, India, and branch offices in Mumbai and Bangalore. The company has the employees and devices shown in the following table.

| Location | Employee | Laptop | Desktop | Mobile devices |
|---|---|---|---|---|
| Delhi | 300 | 250 | 80 | 320 |
| Mumbai | 150 | 100 | 75 | 200 |
| Bangalore | 150 | 125 | 50 | 180 |

WhizLabs recently purchased a Microsoft 365 Enterprise E5 subscription.

Existing Environment –

  • The network contains an on-premises Active Directory & Microsoft Azure Active Directory.
  • All servers run Windows Server 2019.
  • All desktop computers and laptops run Windows 10/11 Business and are joined to WhizLabs.com.
  • All the mobile devices in Delhi run Android. All the devices in Mumbai & Bangalore run iOS.

Requirements –

Planned Changes

  • Create an Exchange hybrid model by implementing directory synchronization for both directories.
  • All the new users’ UPN names should be changed from User@whizLabs.onmicrosoft.com to User@whizlabs.com.

Technical Requirements –

WhizLabs identifies the following technical requirements:

  • Unlicensed users must be removed automatically from the group.
  • All company users must be able to access the on-premises application without any additional sign-in from Hybrid Azure AD Joined Computers.
  • All company users must be able to send & receive emails via Exchange Online.

Compliance requirements –

WhizLabs identifies the following compliance requirements:

  • All the company users’ OneDrive data must be retained for 7 years after the user’s account is deleted.
  • All the company users must be able to access company cloud applications in the My apps portal.

Security Requirements –

WhizLabs identifies the following security requirements:

  • All Partner users must be able to authenticate by using their Microsoft account when accessing WhizLabs resources.
  • All company users must be able to authenticate by using MFA whenever they access Microsoft 365 accounts from outside the office.
  • All company users must be able to reset their passwords on their own.

Which tool should you install on a Windows server to establish an Exchange hybrid model?

Solution – Azure AD Connect

A. True
B. False

Correct Answer: A

Explanation

Azure AD Connect is an on-premises Microsoft application that’s designed to meet and accomplish your hybrid identity goals. After installing the Azure AD Connect application on the server, you can use it to perform synchronization between on-premises AD DS and Azure AD.

Azure AD Connect is a wizard-based tool designed to enable connectivity between an on-premises identity infrastructure and Azure.

References: Plan for Azure Active Directory integration – Training | Microsoft Learn, Hybrid deployment prereq

About Senthil

Senthil Kumar is a Data Research and Analytics Lead with over 6 years of experience in the field. He is a highly skilled data analyst, able to use his analytical abilities to turn business objectives into actionable insights. With strong planning and organizational skills, and an unwavering focus on the customer, Senthil is able to deliver successful projects that align with the organization's objectives. He is able to think both laterally and pragmatically, which enables him to come up with innovative solutions that drive the organization's success.