MS-102: Microsoft 365 Administrator (beta) Part 2
Question #: 102
Topic #: 1
You have a Microsoft 365 subscription.
Your company has a customer ID associated to each customer. The customer IDs contain 10 numbers followed by 10 characters. The following is a sample customer ID: 12-456-7890-abc-de-fghij.
You plan to create a data loss prevention (DLP) policy that will detect messages containing customer IDs.
What should you create to ensure that the DLP policy can detect the customer IDs?
A. a PowerShell script
B. a sensitivity label
C. a sensitive information type
D. a retention label
Selected Answer: C
Question #: 103
Topic #: 1
You have a Microsoft 365 E5 subscription.
You define a retention label that has the following settings:
Retention period: 7 years –
Start the retention period based on: When items were created
You need to prevent the removal of the label once the label is applied to a file.
What should you select in the retention label settings?
A. Retain items forever or for a specific period
B. Mark items as a regulatory record
C. Mark items as a record
D. Retain items even if users delete
Selected Answer: B
Question #: 105
Topic #: 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an on-premises Active Directory domain named contoso.com. The domain contains the users shown in the following table.
The domain syncs to an Azure AD tenant named contoso.com as shown in the exhibit. (Click the Exhibit tab.)
User2 fails to authenticate to Azure AD when signing in as user2@fabrikam.com.
You need to ensure that User2 can access the resources in Azure AD.
Solution: From the on-premises Active Directory domain, you assign User2 the Allow logon locally user right. You instruct User2 to sign in as user2@fabrikam.com.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 106
Topic #: 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 E5 subscription.
You create an account for a new security administrator named SecAdmin1.
You need to ensure that SecAdmin1 can manage Microsoft Defender for Office 365 settings and policies for Microsoft Teams, SharePoint, and OneDrive.
Solution: From the Microsoft 365 admin center, you assign SecAdmin1 the SharePoint Administrator role.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 107
Topic #: 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 E5 subscription.
You create an account for a new security administrator named SecAdmin1.
You need to ensure that SecAdmin1 can manage Microsoft Defender for Office 365 settings and policies for Microsoft Teams, SharePoint, and OneDrive.
Solution: From the Microsoft Entra admin center, you assign SecAdmin1 the Security Administrator role.
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 108
Topic #: 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 E5 subscription.
You create an account for a new security administrator named SecAdmin1.
You need to ensure that SecAdmin1 can manage Microsoft Defender for Office 365 settings and policies for Microsoft Teams, SharePoint, and OneDrive.
Solution: From the Microsoft 365 admin center, you assign SecAdmin1 the Exchange Administrator role.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 115
Topic #: 1
You have a Microsoft 365 E5 subscription that is linked to an Azure AD tenant named contoso.com.
You purchase 100 Microsoft 365 Business Voice add-on licenses.
You need to ensure that the members of a group named Voice are assigned a Microsoft 365 Business Voice add-on license automatically.
What should you do?
A. From the Licenses page of the Microsoft 365 admin center, assign the licenses.
B. From the Microsoft Entra admin center, modify the settings of the Voice group.
C. From the Microsoft 365 admin center, modify the settings of the Voice group.
Selected Answer: B
Question #: 116
Topic #: 1
You have a Microsoft 365 E5 subscription that uses Endpoint security.
You need to create a group and assign the Endpoint Security Manager role to the group.
Which type of group can you use?
A. Microsoft 365 only
B. security only
C. mail-enabled security and security only
D. mail-enabled security, Microsoft 365, and security only
E. distribution, mail-enabled security, Microsoft 365, and security
Selected Answer: D
Question #: 118
Topic #: 1
You have a Microsoft 365 subscription.
You need to be notified to your personal email address when a Microsoft Exchange Online service issue occurs.
What should you do?
A. From the Exchange admin center, create a contact.
B. From the Microsoft Outlook client, configure an Inbox rule.
C. From the Microsoft 365 admin center, update the technical contact details.
D. From the Microsoft 365 admin center, customize the Service health settings.
Selected Answer: D
Question #: 120
Topic #: 1
You have a Microsoft 365 subscription.
All users are assigned Microsoft 365 Apps for enterprise licenses.
You need to ensure that reports display the names of users that have activated Microsoft 365 apps and on how many devices.
What should you modify in the Microsoft 365 admin center?
A. the Reports reader role
B. Organization information
C. Org settings for Privacy profile
D. Org settings for Reports
Selected Answer: D
Question #: 122
Topic #: 1
You have a Microsoft 365 subscription.
You add a domain named contoso.com.
When you attempt to verify the domain, you are prompted to send a verification email to admin@contoso.com.
You need to change the email address used to verify the domain.
What should you do?
A. Add a TXT record to the DNS zone of the domain.
B. From the domain registrar, modify the contact information of the domain.
C. From the Microsoft 365 admin center, change the global administrator of the Microsoft 365 subscription.
D. Modify the NS records for the domain.
Selected Answer: B
Question #: 125
Topic #: 1
Your company has a Microsoft 365 E5 subscription.
You onboard a device on the company’s network to Microsoft Defender for Endpoint.
In the Microsoft 365 Defender portal, you notice that the device inventory displays many devices that have an Onboarding status of Can be onboarded.
You need to ensure that onboarded devices are prevented from polling the network for device discovery but can still discover devices with which they communicate directly.
What should you configure in the Microsoft 365 Defender portal?
A. standard discovery
B. device discovery exclusions
C. basic discovery
D. a network assessment job
Selected Answer: C
Question #: 129
Topic #: 1
You have a Microsoft 365 E5 subscription that contains the groups shown in the following exhibit.
To which groups can you assign Microsoft 365 E5 licenses?
A. Group1 and Group2 only
B. Group2 and Group3 only
C. Group3 and Group4 only
D. Group1, Group2, and Group3 only
E. Group2, Group3, and Group4 only
Selected Answer: E
Question #: 131
Topic #: 1
Your company has on-premises servers and an Azure AD tenant.
Several months ago, the Azure AD Connect Health agent was installed on all the servers.
You review the health status of all the servers regularly.
Recently, you attempted to view the health status of a server named Server1 and discovered that the server is NOT listed on the Azure AD Connect Servers list.
You suspect that another administrator removed Server1 from the list.
You need to ensure that you can view the health status of Server1.
What are two possible ways to achieve the goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. From Windows PowerShell, run the Register-AzureADConnectHealthSyncAgent cmdlet.
B. From Azure Cloud shell, run the Connect-AzureAD cmdlet.
C. From Server1, reinstall the Azure AD Connect Health agent.
D. From Server1, change the Azure AD Connect Health services Startup type to Automatic.
E. From Server1, change the Azure AD Connect Health services Startup type to Automatic (Delayed Start).
Selected Answer: AC
Question #: 140
Topic #: 1
Your company has a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com that includes the users shown in the following table.
Group2 is a member of Group1.
You assign a Microsoft Office 365 Enterprise E3 license to Group1.
How many Office 365 E3 licenses are assigned?
A. 1
B. 2
C. 3
D. 4
Selected Answer: C
Question #: 146
Topic #: 1
You have a Microsoft 365 subscription that contains the users shown in the following table.
You plan to use Exchange Online to manage email for a DNS domain.
An administrator adds the DNS domain to the subscription.
The DNS domain has a status of Incomplete setup.
You need to identify which user can complete the setup of the DNS domain. The solution must use the principle of least privilege.
Which user should you identify?
A. User1
B. User2
C. User3
D. User4
Selected Answer: A
Question #: 147
Topic #: 1
You have a Microsoft 365 E5 subscription that contains the users shown in the following table.
You plan to create a Conditional Access policy that will use GPS-based named locations.
Which users can the policy protect?
A. User2 and User4 only
B. User1, User2, User3, and User4
C. User1 only
D. User1 and User3 only
Selected Answer: C
Question #: 149
Topic #: 1
Your network contains an Active Directory forest named contoso.local.
You have a Microsoft 365 subscription.
You plan to implement a directory synchronization solution that will use password hash synchronization.
From the Microsoft 365 admin center, you successfully verify the contoso.com domain name.
You need to prepare the environment for the planned directory synchronization solution.
What should you do first?
A. From the Microsoft 365 admin center, verify the contoso.local domain name.
B. From the public DNS zone of contoso.com, add a new mail exchanger (MX) record.
C. From Active Directory Domains and Trusts, add contoso.com as a UPN suffix.
D. From Active Directory Users and Computers, modify the UPN suffix for all users.
Selected Answer: C
Question #: 150
Topic #: 1
You have a Microsoft 365 ES subscription.
On Monday, you create a new user named User1.
On Tuesday, User1 signs in for the first time and perform the following actions:
• Signs in to Microsoft Exchange Online from an anonymous IP address.
• Signs in to Microsoft SharePoint Online from a device in New York City.
• Establishes Remote Desktop connections to hosts in Berlin and Hong Kong, and then signs in to SharePoint Online from the Remote Desktop connections.
Which types of sign-in risks will Azure AD Identity Protection detect for User1?
A. anonymous IP address and atypical travel only
B. anonymous IP address only
C. unfamiliar sign-in properties and atypical travel only
D. anonymous IP address and unfamiliar sign-in properties only
E. anonymous IP address, atypical travel, and unfamiliar sign-in properties
Selected Answer: B
Question #: 154
Topic #: 1
You have a Microsoft 365 subscription that contains an Azure AD tenant named contoso.com.
Corporate policy states that user passwords must not include the word Contoso.
What should you do to implement the corporate policy?
A. From the Microsoft Entra admin center, create a conditional access policy.
B. From the Microsoft Entra admin center, configure the Password protection settings.
C. From the Microsoft 365 admin center, configure the Password policy settings.
D. From Azure AD Identity Protection, configure a sign-in risk policy.
Selected Answer: B
Question #: 155
Topic #: 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest.
You deploy Microsoft 365.
You plan to implement directory synchronization.
You need to recommend a security solution for the synchronized identities. The solution must meet the following requirements:
• Users must be able to authenticate successfully to Microsoft 365 services if Active Directory becomes unavailable.
• User passwords must be 10 characters or more.
Solution: Implement pass-through authentication and modify the password settings from the Default Domain Policy in Active Directory.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 156
Topic #: 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest.
You deploy Microsoft 365.
You plan to implement directory synchronization.
You need to recommend a security solution for the synchronized identities. The solution must meet the following requirements:
• Users must be able to authenticate successfully to Microsoft 365 services if Active Directory becomes unavailable.
• User passwords must be 10 characters or more.
Solution: Implement password hash synchronization and configure password protection in the Azure AD tenant.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 157
Topic #: 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest.
You deploy Microsoft 365.
You plan to implement directory synchronization.
You need to recommend a security solution for the synchronized identities. The solution must meet the following requirements:
• Users must be able to authenticate successfully to Microsoft 365 services if Active Directory becomes unavailable.
• User passwords must be 10 characters or more.
Solution: Implement pass-through authentication and configure password protection in the Azure AD tenant.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 158
Topic #: 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest.
You deploy Microsoft 365.
You plan to implement directory synchronization.
You need to recommend a security solution for the synchronized identities. The solution must meet the following requirements:
• Users must be able to authenticate successfully to Microsoft 365 services if Active Directory becomes unavailable.
• User passwords must be 10 characters or more.
Solution: Implement password hash synchronization and modify the password settings from the Default Domain Policy in Active Directory.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 159
Topic #: 1
You have a Microsoft 365 E5 subscription. The subscription contains users that have the following types of devices:
• Windows 11
• Android
• iOS
To which devices can you apply Endpoint DLP policies?
A. Windows 11 only
B. Windows 11 and Android only
C. Windows 11 and iOS only
D. Windows 11, Android, and iOS
Selected Answer: A
Question #: 160
Topic #: 1
Your company has three main offices and one branch office. The branch office is used for research.
The company plans to implement a Microsoft 365 tenant and to deploy multi-factor authentication.
You need to recommend a Microsoft 365 solution to ensure that multi-factor authentication is enforced only for users in the branch office.
What should you include in the recommendation?
A. Azure AD password protection
B. a Microsoft Intune device configuration profile
C. a Microsoft Intune device compliance policy
D. Azure AD conditional access
Selected Answer: D
Question #: 161
Topic #: 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain.
You deploy an Azure AD tenant.
Another administrator configures the domain to synchronize to Azure AD.
You discover that 10 user accounts in an organizational unit (OU) are NOT synchronized to Azure AD. All the other user accounts synchronized successfully.
You review Azure AD Connect Health and discover that all the user account synchronizations completed successfully.
You need to ensure that the 10 user accounts are synchronized to Azure AD.
Solution: From Azure AD Connect, you modify the filtering settings.
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 169
Topic #: 1
You have a Microsoft 365 E5 subscription.
You create a Conditional Access policy that blocks access to an app named App1 when users trigger a high-risk sign-in event.
You need to reduce false positives for impossible travel when the users sign in from the corporate network.
What should you configure?
A. exclusion groups
B. multi-factor authentication (MFA)
C. named locations
D. user risk policies
Selected Answer: C
Question #: 170
Topic #: 1
You have a Microsoft 365 E5 subscription.
You need to create a mail-enabled contact.
Which portal should you use?
A. the Microsoft 365 admin center
B. the SharePoint admin center
C. the Microsoft Entra admin center
D. the Microsoft Purview compliance portal
Selected Answer: A
Question #: 178
Topic #: 1
You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365.
You notice that it takes several days to notify email recipients when an incoming email message is marked as spam, and then quarantined.
You need to ensure that the email recipients are notified within 24 hours.
What should you do?
A. Modify the default inbound anti-spam policy.
B. Modify the DefaultFullAccessPolicy quarantine policy.
C. Add a custom quarantine policy.
D. Modify the global settings for quarantine policies.
Selected Answer: D
Question #: 179
Topic #: 1
You have a Microsoft 365 E5 subscription.
You need to ensure that administrators receive an email when Microsoft 365 Defender detects a sign-in from a risky IP address.
What should you create?
A. a vulnerability notification rule
B. an alert
C. an incident assignment filter
D. an incident notification rule
Selected Answer: B
Question #: 180
Topic #: 1
You have a Microsoft 365 E5 subscription that has Microsoft Defender for Endpoint integrated with Microsoft Intune.
Devices are onboarded by using Microsoft Defender for Endpoint.
You plan to block devices based on the results of the machine risk score calculated by Microsoft Defender for Endpoint.
What should you create first?
A. a device configuration policy
B. a device compliance policy
C. a conditional access policy
D. an endpoint detection and response policy
Selected Answer: B
Question #: 184
Topic #: 1
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Office 365.
You have the policies shown in the following table.
All the policies are configured to send malicious email messages to quarantine.
Which policies support a customized quarantine retention period?
A. Policy1 and Policy2 only
B. Policy1 and Policy3 only
C. Policy2 and Policy4 only
D. Policy3 and Policy4 only
Selected Answer: A
Question #: 185
Topic #: 1
You have a Microsoft 365 E5 subscription.
Your company’s Microsoft Secure Score recommends the actions shown in the following exhibit.
You select Create Safe Links policies for email messages and change Status to Risk accepted in the Status & action plan settings.
How does the change affect the Secure Score?
A. remains the same
B. increases by 1 point
C. increases by 9 points
D. decreases by 1 point
E. decreases by 9 points
Selected Answer: A
Question #: 187
Topic #: 1
You have a Microsoft 365 E5 subscription.
You onboard all devices to Microsoft Defender for Endpoint.
You need to use Defender for Endpoint to block access to a malicious website at www.contoso.com.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct answer is worth one point.
A. Create a web content filtering policy.
B. Enable Custom network indicators.
C. Enable automated investigation.
D. Create an indicator.
E. Configure an enforcement scope.
Selected Answer: BD
Question #: 190
Topic #: 1
You have a Microsoft 365 E5 tenant.
You need to create a policy that will trigger an alert when unusual Microsoft Office 365 usage patterns are detected.
What should you use to create the policy?
A. the Microsoft Apps admin center
B. the Microsoft Purview compliance portal
C. the Microsoft 365 admin center
D. the Microsoft 365 Defender portal
Selected Answer: D
Question #: 191
Topic #: 1
You have a Microsoft 365 subscription.
You plan to use Adoption Score and need to ensure that it can obtain device and software metrics.
What should you do?
A. Enable privileged access.
B. Enable Endpoint analytics.
C. Configure Support integration.
D. Run the Microsoft 365 network connectivity test on each device.
Selected Answer: B
Question #: 194
Topic #: 1
You have a Microsoft 365 E5 tenant.
You configure sensitivity labels.
Users report that the Sensitivity button is unavailable in Microsoft Word for the web. The Sensitivity button is available in Microsoft 365 Word.
You need to ensure that the users can apply the sensitivity labels when they use Word for the web.
What should you do?
A. Enable sensitivity labels for files in Microsoft SharePoint and OneDrive.
B. Publish the sensitivity labels.
C. Copy policies from Azure Information Protection to the Microsoft Purview compliance portal.
D. Create an auto-labeling policy.
Selected Answer: A
Question #: 202
Topic #: 1
You have a Microsoft 365 subscription that contains the alerts shown in the following table.
Which properties of the alerts can you modify?
A. Status only
B. Status and Comment only
C. Status and Severity only
D. Status, Severity, and Comment only
E. Status, Severity, Comment and Category
Selected Answer: B
Question #: 203
Topic #: 1
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint.
All the devices in your organization are onboarded to Microsoft Defender for Endpoint.
You need to ensure that an alert is generated if malicious activity was detected on a device during the last 24 hours.
What should you do?
A. From the Microsoft Purview compliance portal, create a data loss prevention (DLP) policy.
B. From Alerts queue, create a suppression rule and assign an alert.
C. From Advanced hunting, create a query and a detection rule.
D. From the Microsoft Purview compliance portal, create an audit log search.
Selected Answer: C
Question #: 208
Topic #: 1
You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint site named site1.
You need to ensure that site1 meets the following requirements:
• Retains all data for 10 years
• Prevents the sharing of data outside the organization
Which two items should you create and apply to site1? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. a retention policy
B. a data loss prevention (DLP) policy
C. a retention label policy
D. a sensitive info type
E. a retention label
F. a sensitivity label
Selected Answer: AF
Question #: 209
Topic #: 1
You have a Microsoft 365 E5 subscription.
From the Microsoft Purview compliance portal, you create a new data loss prevention (DLP) policy named DLP1 that protects financial data from being shared by using Microsoft Teams messages. You apply DLP1 to the users in the finance department.
An incident is raised when a finance department user named User1 shares financial data in a Teams channel that includes external members.
When User1 uses Teams to send the same message in a 1:1 chat or a private channel, the message is blocked as expected.
You need to ensure that User1 is prevented from sharing financial data in Teams channels that include external members.
What should you do?
A. Edit the settings of the team that contains the channel.
B. Edit the Locations settings of DLP1.
C. Modify the licenses assigned to User1.
D. Edit the policy rules of DLP1.
Selected Answer: B
Question #: 210
Topic #: 1
You have a Microsoft 365 subscription.
You need to create a data loss prevention (DLP) policy that is configured to use the Set headers action.
To which location can the policy be applied?
A. Exchange email
B. OneDrive accounts
C. SharePoint sites
D. Teams chat and channel messages
Selected Answer: A
