MS 102

 

  • MS-102 Assessment
  • Microsoft Enterprise Administrator Expert

Question 1 

You have a Microsoft 365 E5 subscription that contains a user named User1.

You delete User1.

What is the maximum number of days during which you can restore User1?

  • 7 days
  • 30 days
  • 90 days
  • 180 days

Correct Answer: 30 days
Explanation:
When you delete a user in Microsoft 365, the account is moved to a “soft deleted” state and retained in the Azure Active Directory (Azure AD) recycle bin for 30 days. During this time, the user account can be restored. After 30 days, the account is permanently deleted and cannot be recovered.

Question 2 

You have a Microsoft Entra tenant that contains the following users:

  • User1: Assigned the Guest Inviter role
  • User2: Assigned the Application Developer role
  • Admin1: Assigned the User Administrator role
  • Admin2: Assigned the Security Administrator role

Which user or users can invite guest users to the tenant?

  • User1 only
  • User1 and Admin1 only
  • User1, Admin1, and Admin2 only
  • User1, User2, Admin1, and Admin2

Correct Answer: User1 only
Explanation:
The Guest Inviter role in Microsoft Entra (formerly Azure Active Directory) specifically allows users to invite guest users to the tenant. Other roles, such as Application Developer, User Administrator, or Security Administrator, do not have this specific permission unless additional permissions have been granted.

Question 3

You have a Microsoft 365 subscription that contains the following users:

  • User1: Member user that is not synchronized
  • User2: Member user that is synced from an on-premises AD DS
  • User3: Guest user that is not synchronized

For which user or users can you modify the Usage location property?

  • User1 only
  • User1 and User2 only
  • User1 and User3 only
  • User1, User2, and User3

Correct Answer: User1 and User3 only
Explanation:
The “Usage location” property in Microsoft 365 can only be modified for users who are not synchronized from on-premises Active Directory Domain Services (AD DS). Since User2 is synchronized from on-premises AD DS, its properties must be managed on-premises and cannot be modified in the cloud. Therefore, only User1 (a non-synchronized member user) and User3 (a non-synchronized guest user) are eligible for this modification.

Question 4

You plan to create a guest user account named Guest1 in a Microsoft Entra tenant.

You need to ensure that Guest1 accepts your company’s Terms of use before the user can access company resources.

What should you create?

  • an access package
  • a compliance policy
  • a configuration profile
  • a Conditional Access policy

Correct Answer: A Conditional Access policy
Explanation:
To ensure that a guest user, such as Guest1, accepts your company’s Terms of Use before accessing company resources, you must create a Conditional Access policy. This policy can enforce Terms of Use acceptance as a prerequisite for accessing resources. Other options, such as access packages, compliance policies, or configuration profiles, do not provide this specific functionality.

Question 5

You have a Microsoft 365 subscription that contains a user named User1.

You plan to assign User1 the User Administrator role or the Password Administrator role.

You need to compare the role permissions for both roles. The solution must minimize administrative effort.

Which portal should you use?

  • Microsoft 365 admin center
  • Microsoft Entra admin center
  • Microsoft 365 Defender portal
  • Microsoft Purview compliance portal

Correct Answer: Microsoft Entra admin center
Explanation:
To compare role permissions for the User Administrator and Password Administrator roles, you should use the Microsoft Entra admin center (formerly known as Azure Active Directory admin center). This portal provides detailed information about role definitions and permissions, making it the best tool for comparing role capabilities. The other portals do not provide detailed role permission comparisons.

Question 6

You have a Microsoft 365 E5 subscription that contains a user named User1.

You need to ensure that User1 can reset the passwords of non-administrative users. The solution must follow the principle of least privilege.

Which role should you assign to User1?

  • User Administrator
  • Security Administrator
  • Password Administrator
  • Helpdesk Administrator

Correct Answer: Password Administrator
Explanation:
The Password Administrator role is specifically designed to allow users to reset passwords for non-administrative accounts. It aligns with the principle of least privilege, as it grants only the permissions necessary to perform password resets without additional administrative capabilities. Assigning roles such as User Administrator or Helpdesk Administrator would grant more permissions than required, violating the least privilege principle.

Question 7

Your company has a Microsoft 365 E5 subscription.

You need to ensure that a user named Admin1 has the necessary permissions to manage users in the Human Resources department only.

What should you use?

  • an administrative unit
  • a Microsoft Entra role
  • a Microsoft 365 Defender role
  • a Microsoft Purview role group

Correct Answer: an administrative unit
Explanation:
Administrative units in Microsoft Entra (formerly Azure AD) allow you to delegate management tasks to specific subsets of users or resources, such as those in the Human Resources department. By creating an administrative unit for the HR department and assigning Admin1 a role scoped to that unit, you can ensure Admin1 has permissions to manage HR users only, adhering to the principle of least privilege.

Question 8

Your company has a Microsoft 365 E5 subscription.

You assign the Exchange Administrator role to the following users:

  • Admin1: Permanently eligible
  • Admin2: Eligible between May 1 and May 31
  • Admin3: Permanently active
  • Admin4: Active between May 1 and May 31

On May 10, which user or users can manage Microsoft Exchange Online?

  • Admin3 only
  • Admin1 and Admin3 only
  • Admin2 and Admin4 only
  • Admin3 and Admin4 only
  • Admin1, Admin2, Admin3, and Admin4

Correct Answer: Admin3 and Admin4 only
Explanation:

  • The Exchange Administrator role in Microsoft 365 requires the user to be active (not just eligible) to manage Microsoft Exchange Online.
  • Admin1 is permanently eligible, meaning they must activate their role to gain access, but the question does not state that they have activated it on May 10.
  • Admin2 is eligible between May 1 and May 31, but eligibility alone does not grant access unless the role is activated.
  • Admin3 is permanently active, so they can manage Microsoft Exchange Online without additional steps.
  • Admin4 is active between May 1 and May 31, meaning they have the role activated and can manage Microsoft Exchange Online during this period.

Therefore, only Admin3 and Admin4 are active and can manage Microsoft Exchange Online on May 10.

Question 9

Your company has a Microsoft Entra tenant and two on-premises Active Directory forests named contoso.com and fabrikam.com.

  • Contoso.com contains one domain.
  • Fabrikam.com contains three domains.
  • A forest trust exists between contoso.com and fabrikam.com.

You plan to deploy Microsoft Entra Connect.

What is the maximum number of active Microsoft Entra Connect servers that can be deployed for the company?

  • 1
  • 2
  • 3
  • 4

Correct Answer: 1
Explanation:

Microsoft Entra Connect (formerly Azure AD Connect) allows a single active instance to synchronize identity data from multiple Active Directory forests to a Microsoft Entra tenant. Even if there are multiple forests (like contoso.com and fabrikam.com), only one active Microsoft Entra Connect server is supported per tenant.

To ensure high availability, you can configure a staging server, which acts as a standby server but is not active. However, the maximum number of active Microsoft Entra Connect servers is always 1.

Question 10

Your company has an on-premises Active Directory domain and a new Microsoft 365 E5 subscription.

You plan to sync on-premises Active Directory objects to Microsoft Entra.

You need to identify which user accounts will cause synchronization errors.

What should you use?

  • IdFix.exe
  • DCDiag.exe
  • RepAdmin.exe
  • Microsoft Entra Connect

Correct Answer: IdFix.exe
Explanation:

  • IdFix.exe is a tool provided by Microsoft specifically designed to prepare your on-premises Active Directory for synchronization with Microsoft Entra (formerly Azure AD).
  • It identifies issues such as duplicate attributes, invalid characters, or formatting problems that could cause synchronization errors.
  • By using IdFix, administrators can resolve these issues before running Microsoft Entra Connect to sync directories.

Question 11

Your company has a hybrid Microsoft 365 E5 deployment.

You implement Microsoft Entra Connect Health.

Which portal should you use to access Microsoft Entra Connect Health information?

  • Microsoft 365 admin center
  • Microsoft Entra admin center
  • Microsoft Intune admin center
  • Microsoft 365 Defender portal

Correct Answer: Microsoft Entra admin center
Explanation:
Microsoft Entra Connect Health provides monitoring and reporting for your hybrid identity environment, and it is managed through the Microsoft Entra admin center.

Question 12

Your company has an on-premises Active Directory forest that contains two domains.

You purchase a Microsoft 365 E5 subscription.

You create a user named Admin1 in an Active Directory domain.

You need to ensure that Admin1 can implement Microsoft Entra Connect. The solution must follow the principle of least privilege.

To which group should you add Admin1?

  • Replicator
  • Domain Admins
  • Backup Operators
  • Enterprise Admins
  • Incoming Forest Trust Builders

Correct Answer: Enterprise Admins
Explanation:
To implement Microsoft Entra Connect, the user needs sufficient permissions to modify the on-premises Active Directory and configure synchronization with Azure Active Directory. The Enterprise Admins group provides the necessary permissions for this task. It is the minimum privilege group that grants full control over the entire Active Directory forest, which is required to configure and manage Microsoft Entra Connect. However, it follows the principle of least privilege because this role is specific to Active Directory forest-level administration.

Question 13

Your company has a Microsoft 365 E5 subscription.

You plan to require users in the Marketing department to authenticate by using passwordless authentication with number matching.

Which two types of devices support passwordless authentication with number matching? Each correct answer presents a complete solution.

  • iOS
  • macOS
  • Android
  • Windows 10
  • Windows 11

Correct Answer: iOS and Android
Explanation:
Passwordless authentication with number matching is supported on iOS and Android devices using the Microsoft Authenticator app. This method helps improve security by requiring the user to approve a sign-in request using a number displayed on the screen. Windows devices (10 and 11) do support passwordless authentication, but number matching is not specifically a feature on them.

Question 14

Your company has a Microsoft 365 E5 subscription.

You plan to implement self-service password reset (SSPR).

What is the maximum number of authentication methods that can be required to reset user passwords?

  • 1
  • 2
  • 3
  • 4

Correct Answer: 3
Explanation:

In Microsoft 365, when implementing self-service password reset (SSPR), you can require up to three authentication methods to reset a user’s password. This is to ensure security by verifying the identity of the user through multiple channels, such as email, mobile phone, security questions, or the Microsoft Authenticator app.

Common SSPR authentication methods include:

  • Authentication Phone: Receiving a one-time passcode (OTP) via SMS or phone call.
  • Authentication App: Using an authenticator app (like Microsoft Authenticator) to generate an OTP.
  • Registered Device: Signing in with a registered device, such as a work or personal computer or mobile device.
  • Security Questions: Answering pre-defined security questions.

By requiring multiple authentication methods, you can significantly strengthen the security of your organization’s user accounts.

Question 15

Your company has a Microsoft 365 E5 subscription.

You need to configure passwordless authentication with number matching for the company’s employees.

Which authentication method policy should you configure?

  • Email OTP
  • FIDO2 security key
  • Temporary Access Pass
  • Microsoft Authenticator

Correct Answer: Microsoft Authenticator
Explanation:
To configure passwordless authentication with number matching, you need to set up Microsoft Authenticator as the authentication method. The Microsoft Authenticator app supports passwordless sign-ins using number matching, where users approve sign-ins by entering a number displayed on their device.

Question 16

Your company has a Microsoft 365 E5 subscription.

Users at the company have the following types of devices:

  • Windows 11
  • Windows 10
  • Android

You plan to implement passwordless authentication for all the users.

Which device type or types can be used with passwordless authentication?

  • Android only
  • Windows 11 only
  • Windows 10 and Windows 11 only
  • Windows 11 and Android only
  • Windows 10, Windows 11, and Android

Correct Answer: Windows 10, Windows 11, and Android
Explanation:
Passwordless authentication can be implemented on Windows 10, Windows 11, and Android devices. All these platforms support Microsoft Authenticator for passwordless sign-ins. The Microsoft Authenticator app enables users to authenticate without a password, using methods such as biometric authentication or number matching, available on these device types.

Question 17

Your company has a Microsoft 365 E5 subscription.

You need to view alerts in the Microsoft 365 Defender portal.

What is the age of the oldest alert that you can review from the portal?

  • 7 days
  • 30 days
  • 3 months
  • 6 months
  • 12 months

Correct Answer: 6 months
Explanation:
In the Microsoft 365 Defender portal, you can review alerts for a period of 6 months. This allows you to analyze past security events and trends to improve your security posture.

Question 18

Your company has a Microsoft 365 E5 subscription.

You need to create a Microsoft Defender for Office 365 policy that detects and prevents spoofing attacks.

Which type of Microsoft Defender for Office 365 policy should you create?

  • anti-phishing
  • Safe attachments
  • anti-spam
  • anti-malware

Correct Answer: anti-phishing
Explanation:

Anti-phishing policies in Microsoft Defender for Office 365 are specifically designed to detect and prevent spoofing attacks.

Here’s why:

  • Spoofing involves impersonating someone else, often to trick recipients into revealing sensitive information or clicking on malicious links.
  • Anti-phishing policies use various techniques, including:
    • Sender reputation: Analyzing the sender’s email address and domain reputation.
    • Content analysis: Examining the email content for suspicious patterns, keywords, and links.
    • Machine learning: Using AI to identify and block sophisticated phishing attempts.

Question 19

Your company has a Microsoft 365 E5 subscription.

You need to review the Advanced Analysis tab on emails detected by Microsoft Defender for Office 365.

Which type of threat policy should you use?

  • anti-spam
  • anti-malware
  • Safe Attachments
  • Safe Links

Correct Answer: Safe Attachments
Explanation:

The Safe Attachments policy in Microsoft Defender for Office 365 is specifically designed to provide the most detailed information for advanced analysis of emails.

Here’s why:

  • Safe Attachments policy enables advanced threat protection capabilities, including:
    • Deep scanning: Analyzing attachments for malicious content beyond basic antivirus checks.
    • Sandboxing: Executing attachments in a controlled environment to detect threats that might not be detected by static analysis.
    • URL detonation: Analyzing URLs within attachments to determine their safety.

This in-depth analysis provides the information needed to understand the threat and take appropriate action.

Question 20

Your company has a Microsoft 365 E5 subscription.

You need to identify vulnerable certificates on the company’s devices.

Which Vulnerability Management feature in Microsoft Defender for Endpoint should you use?

  • Recommendations
  • Remediation
  • Inventories
  • Weaknesses

Correct Answer: Weaknesses
Explanation:

The Weaknesses feature in Microsoft Defender for Endpoint’s Vulnerability Management focuses on identifying potential vulnerabilities, such as weak certificates, misconfigurations, and unpatched software on devices. This feature analyzes security flaws and provides insights to help prioritize and address these issues.

  • Recommendations: Offers actionable steps to improve the security posture but doesn’t specifically identify weak certificates.
  • Remediation: Tracks the progress of addressing vulnerabilities but doesn’t directly identify them.
  • Inventories: Lists the assets, software, and certificates but doesn’t highlight vulnerabilities.

Thus, to identify vulnerable certificates specifically, you should use the Weaknesses feature.

Question 21

Your company has a Microsoft 365 E5 subscription.

You need to use Advanced hunting in Microsoft 365 Defender to list endpoint devices that had a recently detected vulnerability.

What should you use in Advanced hunting?

  • an XPath query
  • a PowerShell script
  • a Transact-SQL query
  • Kusto Query Language (KQL)

Correct Answer: Kusto Query Language (KQL)
Explanation:

Kusto Query Language (KQL) is the query language used in Advanced Hunting within Microsoft 365 Defender. It is designed for fast and flexible querying of the data stored in the system.

To list endpoint devices with a recently detected vulnerability, you would write a KQL query targeting the relevant tables, such as DeviceTvmSoftwareVulnerabilities or similar tables in Advanced Hunting.

Question 22

You upload a Microsoft Word document named File1.docx to a Microsoft SharePoint Online site.

What is the maximum number of sensitivity labels that you can apply to File1.docx?

  • 1
  • 2
  • 4
  • 10

Correct Answer: 1
Explanation:

A file in Microsoft 365, such as a Word document uploaded to SharePoint Online, can have only one sensitivity label applied at a time. Sensitivity labels are designed to classify and protect content based on its sensitivity, such as marking it as confidential or restricted.

Allowing only one label ensures clarity and avoids conflicts in protection settings, such as encryption, access policies, or watermarking. If you attempt to apply a different label, it will replace the existing one.

Question 23

Your company has a Microsoft 365 E5 subscription that contains a user named User1. User1 has the following devices:

  • Device5: Windows 11
  • Device6: Windows 10
  • Device7: Android
  • Device8: iOS

You create a sensitivity label named Label1 that adds a custom header and applies Label1 to a file named File1.

On which device or devices will the custom header be visible when User1 opens File1?  

  • Device5 only
  • Device5 and Device6 only
  • Device5, Device6, and Device7 only
  • Device5, Device6, Device7, and Device8

Correct Answer: Device5 and Device6 only
Explanation:

Sensitivity labels with custom headers in Microsoft 365 are fully supported on Windows devices (Windows 10 and Windows 11) when users open the labeled file in Microsoft 365 apps, such as Word, Excel, or PowerPoint.

  • On Android and iOS devices, Microsoft 365 apps may display the sensitivity label itself, but custom headers or footers are typically not rendered due to limitations in mobile versions of the apps.

Thus, the custom header applied by Label1 will only be visible on Device5 (Windows 11) and Device6 (Windows 10).

Question 24

Your company has a Microsoft 365 E5 subscription.

You plan to apply data loss prevention (DLP) settings for the following Microsoft 365 locations:

  • Exchange emails
  • SharePoint sites
  • OneDrive accounts
  • Teams chats and channel messages
  • Power BI

What is the minimum number of DLP policies that you must create?

  • 1
  • 2
  • 3
  • 4
  • 5

Correct Answer: 1
Explanation:

In Microsoft 365, you can create a single DLP policy that can be applied across multiple locations, including Exchange emails, SharePoint sites, OneDrive accounts, Teams chats and channel messages, and Power BI.

How it works:

  • You define the sensitive information types and conditions within the DLP policy.
  • You then specify the locations (Exchange, SharePoint, OneDrive, Teams, Power BI) where you want the policy to be enforced.

This centralized approach simplifies policy management and ensures consistent data protection across your organization.

Therefore, the minimum number of DLP policies you need to create is 1.

Question 25

Your company has a Microsoft 365 E5 subscription that contains the following data loss prevention (DLP) policies:

  • DLP1: Applies to SharePoint sites
  • DLP2: Applies to Exchange email and Devices
  • DLP3: Applies to Devices
  • DLP4: Applies to On-premises repositories

You need to prevent users from copying information to USB devices.

Which policy or policies should you use?

  • DLP3 only
  • DLP2 and DLP3 only
  • DLP3 and DLP4 only
  • DLP2, DLP3, and DLP4 only
  • DLP1, DLP2, DLP3, and DLP4

Correct Answer: DLP3 only
Explanation:

To prevent users from copying information to USB devices, the DLP policy must target Devices, specifically configured for endpoint DLP.

  • DLP3 applies to Devices, which includes controlling actions such as copying sensitive information to USB drives, clipboard actions, or printing. It is specifically designed for endpoint data loss scenarios.
  • DLP2 also applies to Devices, but it is combined with Exchange email. However, the requirement here is strictly related to USB devices, which falls entirely under DLP3.