Microsoft 365 Administrator Expert

MS-102 Assessment
Your organization, MSCloudExplorers, uses a Microsoft 365 E5 subscription.

A user account named Leaver@mscloudexplorers.com is deleted from Microsoft Entra ID (formerly Azure AD).

You want to recover the deleted user account before it’s permanently removed from the directory.

What is the maximum number of days you have to recover Leaver@mscloudexplorers.com?

  • 7 days
  • 30 days
  • 90 days
  • 180 days

Correct Answer: 30 days
Explanation:
When you delete a user in Microsoft 365, the account is moved to a “soft deleted” state and retained in the Azure Active Directory (Azure AD) recycle bin for 30 days. During this time, the user account can be restored. After 30 days, the account is permanently deleted and cannot be recovered.

Your organization, MSCloudExplorers, manages user access through Microsoft Entra ID.

You’ve assigned the following roles to users in your Entra tenant:

  • James – Guest Inviter

  • John – Application Developer

  • Brian – User Administrator

  • David – Security Administrator

You need to determine which of these users can invite external users (guests) to the tenant.

Who has the authority to invite guests to the Microsoft Entra tenant?

  • James only
  • James and Brian only
  • James, Brian, and David only
  • James, John, Brian, and David

Correct Answer: James, Brian, and David only
Explanation:

  • James (Guest Inviter) — This role specifically allows users to invite external (guest) users to the directory.

  • Brian (User Administrator) — Has permissions to manage all user accounts, including inviting guests.

  • David (Security Administrator) — Also has rights that include guest user invitation, though the role focuses on security tasks.

  • John (Application Developer) — This role is limited to app registrations and configurations; it does not include guest invitation rights.

Your organization, MSCloudExplorers, manages users in a Microsoft 365 subscription.

You have the following users:

  • James – A member user created directly in Microsoft Entra ID (not synced from on-premises)

  • John – A member user synced from on-premises Active Directory via directory sync (Entra Connect)

  • Brian – A guest user, created directly in the cloud (not synced)

You need to determine which users’ Usage location can be modified manually in Microsoft Entra ID.

Which user or users allow you to update the Usage location property?

  • James only
  • James and John only
  • James and Brian only
  • James, John, and Brian

Correct Answer: James and Brian only

Explanation:

  • James (cloud-only user) — Usage location can be set manually in Microsoft Entra.

  • Brian (guest user) — Although a guest, you can still update the Usage location for licensing purposes.

  • John (directory-synced user) — Usage location is managed from on-premises AD and cannot be changed in Microsoft Entra while directory sync is active.

Your organization, MSCloudExplorers, is setting up a Microsoft Entra tenant and plans to invite a guest user named Guest1.

Before Guest1 can access any company resources, you want to ensure that they review and accept your company’s terms of use.

What should you create to enforce this requirement?

  • an access package
  • a compliance policy
  • a configuration profile
  • a Conditional Access policy

Correct Answer: A Conditional Access policy
Explanation:
To ensure that a guest user, such as Guest1, accepts your company’s Terms of Use before accessing company resources, you must create a Conditional Access policy. This policy can enforce Terms of Use acceptance as a prerequisite for accessing resources. Other options, such as access packages, compliance policies, or configuration profiles, do not provide this specific functionality.

Your organization, MSCloudExplorers, has a Microsoft 365 subscription with a user named James.

You are deciding whether to assign James the Password Administrator role or the User Administrator role. You need to compare the permissions of these two roles to choose the most appropriate one.

The solution must minimize administrative effort.

Which portal should you use for this task?

  • Microsoft 365 admin center
  • Microsoft Entra admin center
  • Microsoft 365 Defender portal
  • Microsoft Purview compliance portal

Correct Answer: Microsoft Entra admin center
Explanation:
To compare role permissions for the User Administrator and Password Administrator roles, you should use the Microsoft Entra admin center (formerly known as Azure Active Directory admin center). This portal provides detailed information about role definitions and permissions, making it the best tool for comparing role capabilities. The other portals do not provide detailed role permission comparisons.

Your organization, MSCloudExplorers, has a Microsoft 365 E5 subscription.

You need to ensure that a user named James can reset passwords for non-administrative users only, while adhering to the principle of least privilege.

Which role should you assign to James?

  • User Administrator
  • Security Administrator
  • Password Administrator
  • Helpdesk Administrator

Correct Answer: Password Administrator
Explanation:
The Password Administrator role is specifically designed to allow users to reset passwords for non-administrative accounts. It aligns with the principle of least privilege, as it grants only the permissions necessary to perform password resets without additional administrative capabilities. Assigning roles such as User Administrator or Helpdesk Administrator would grant more permissions than required, violating the least privilege principle.

Your company, MSCloudExplorers, uses a Microsoft 365 E5 subscription.

You need to ensure that a user named SiteAdmin1 can manage only the users in the Human Resources department, without having administrative rights across the entire organization.

Which option should you use to delegate this type of scoped access?

  • an administrative unit
  • a Microsoft Entra role
  • a Microsoft 365 Defender role
  • a Microsoft Purview role group

Correct Answer: an administrative unit
Explanation:
Administrative units in Microsoft Entra (formerly Azure AD) allow you to delegate management tasks to specific subsets of users or resources, such as those in the Human Resources department. By creating an administrative unit for the HR department and assigning SiteAdmin1 a role scoped to that unit, you can ensure SiteAdmin1 has permissions to manage HR users only, adhering to the principle of least privilege.

Your organization, MSCloudExplorers, uses a Microsoft 365 E5 subscription.

You assigned the Exchange Administrator role to the following users:

  • Aarav – Permanently eligible

  • Neha – Eligible from May 1 to May 31

  • James – Permanently active

  • Sophia – Active from May 1 to May 31

You want to determine who can manage Microsoft Exchange Online on May 10.

Which user or users will have the ability to manage Exchange Online on that date?

  • James only

  • Aarav and James only

  • Neha and Sophia only

  • James and Sophia only

  • Aarav, Neha, James, and Sophia

Correct Answer: James and Sophia only
Explanation:

  • James has the Exchange Administrator role assigned permanently and actively — he has full access at all times.

  • Sophia is in an active assignment window (May 1–31), so on May 10, she can manage Exchange Online.

  • Aarav and Neha are eligible, not active. Eligible users must manually activate the role using Microsoft Entra Privileged Identity Management (PIM), which hasn’t been indicated in this scenario.

Your organization includes two on-premises Active Directory forests:

  • mscloudexplorers.com — contains a single domain

  • technoindia.com — contains three domains

A forest trust exists between the two forests.

You plan to deploy Microsoft Entra Connect to synchronize identities with your Microsoft Entra tenant.

What is the maximum number of active Microsoft Entra Connect servers you can deploy across the company?

  • 1
  • 2
  • 3
  • 4

Correct Answer: 1
Explanation:

Microsoft Entra Connect (formerly Azure AD Connect) allows a single active instance to synchronize identity data from multiple Active Directory forests to a Microsoft Entra tenant. Even if there are multiple forests (such as mscloudexplorers.com and technoindia.com in this scenario), only one active Microsoft Entra Connect server is supported per tenant.

To ensure high availability, you can configure a staging server, which acts as a standby server but is not active. However, the maximum number of active Microsoft Entra Connect servers is always 1.

Your organization, MSCloudExplorers, has an on-premises Active Directory domain and has recently subscribed to Microsoft 365 E5.

You plan to synchronize on-premises AD user accounts to Microsoft Entra ID using Microsoft Entra Connect.

Before starting the synchronization, you need to identify user accounts that may cause sync errors due to formatting issues or unsupported attributes.

Which tool should you use?

  • IdFix.exe
  • DCDiag.exe
  • RepAdmin.exe
  • Microsoft Entra Connect

Correct Answer: IdFix.exe
Explanation:

  • IdFix.exe is a tool provided by Microsoft specifically designed to prepare your on-premises Active Directory for synchronization with Microsoft Entra (formerly Azure AD).
  • It identifies issues such as duplicate attributes, invalid characters, or formatting problems that could cause synchronization errors.
  • By using IdFix, administrators can resolve these issues before running Microsoft Entra Connect to sync directories.

Your organization, MSCloudExplorers, has a hybrid Microsoft 365 E5 environment with Microsoft Entra Connect set up for directory synchronization.

You’ve implemented Microsoft Entra Connect Health to monitor the health and performance of the synchronization and on-premises identity infrastructure.

Which portal should you use to view and manage Microsoft Entra Connect Health data?

  • Microsoft 365 admin center
  • Microsoft Entra admin center
  • Microsoft Intune admin center
  • Microsoft 365 Defender portal

Correct Answer: Microsoft Entra admin center
Explanation:
Microsoft Entra Connect Health provides monitoring and reporting for your hybrid identity environment, and it is managed through the Microsoft Entra admin center.

Your organization, MSCloudExplorers, has an on-premises Active Directory forest that includes two domains.

You recently purchased a Microsoft 365 E5 subscription and are preparing to deploy Microsoft Entra Connect for directory synchronization.

You create a user named Admin1 in one of the on-premises Active Directory domains.

You need to ensure that Admin1 has the minimum necessary permissions to implement Microsoft Entra Connect successfully.

To which group should you add Admin1?

  • Replicator
  • Domain Admins
  • Backup Operators
  • Enterprise Admins
  • Incoming Forest Trust Builders

Correct Answer: Domain Admins
Explanation:

  • To install and configure Microsoft Entra Connect, Admin1 must be able to read and write to Active Directory, particularly to set permissions and attributes required for directory synchronization.

  • The Domain Admins group provides the least privilege necessary to perform these tasks.

  • While Enterprise Admins could also work, it’s a more privileged role across all domains and forests and not recommended unless absolutely necessary.

  • Replicator is used for replication tasks and is not sufficient for Entra Connect setup.

  • Backup Operators can back up and restore data but cannot configure sync.

  • Incoming Forest Trust Builders deal with trust relationships, not directory sync.

Your organization, MSCloudExplorers, uses a Microsoft 365 E5 subscription.

You plan to enhance authentication security by requiring users in the Marketing department to sign in using passwordless authentication with number matching via the Microsoft Authenticator app.

Which two types of devices support this authentication method?
(Each correct answer presents a complete solution.)

  • iOS
  • macOS
  • Android
  • Windows 10
  • Windows 11

Correct Answer: iOS and Android
Explanation:
Passwordless authentication with number matching is supported on iOS and Android devices using the Microsoft Authenticator app. This method helps improve security by requiring the user to approve a sign-in request using a number displayed on the screen. Windows devices (10 and 11) do support passwordless authentication, but number matching is not specifically a feature on them.

Your company has a Microsoft 365 E5 subscription.

You plan to implement self-service password reset (SSPR).

What is the maximum number of authentication methods that can be required to reset user passwords?

  • 1
  • 2
  • 3
  • 4

Correct Answer: 2
Explanation:

  • In Microsoft Entra ID (formerly Azure AD), Self-Service Password Reset (SSPR) allows you to configure how many authentication methods a user must verify to reset their password.

  • You can require up to 2 authentication methods (e.g., mobile app, email, security questions, etc.).

  • This setting helps improve security while still keeping the reset process manageable for users.

  • Admins can configure the number of methods required (1 or 2), but 2 is the maximum allowed.

Your organization, MSCloudExplorers, has a Microsoft 365 E5 subscription.

You plan to implement passwordless authentication with number matching to enhance sign-in security for all employees.

Which authentication method policy should you configure to meet this requirement?

  • Email OTP
  • FIDO2 security key
  • Temporary Access Pass
  • Microsoft Authenticator

Correct Answer: Microsoft Authenticator
Explanation:
To configure passwordless authentication with number matching, you need to set up Microsoft Authenticator as the authentication method. The Microsoft Authenticator app supports passwordless sign-ins using number matching, where users approve sign-ins by entering a number displayed on their device.

Your organization, MSCloudExplorers, uses a Microsoft 365 E5 subscription.

Employees use a variety of devices, including:

  • Windows 11

  • Windows 10

  • Android

You plan to implement passwordless authentication for all users across the organization.

Which device type or types can be used to support passwordless sign-in methods like Microsoft Authenticator and Windows Hello for Business?

  • Android only
  • Windows 11 only
  • Windows 10 and Windows 11 only
  • Windows 11 and Android only
  • Windows 10, Windows 11, and Android

Correct Answer: Windows 10, Windows 11, and Android
Explanation:
Passwordless authentication can be implemented on Windows 10, Windows 11, and Android devices. All these platforms support Microsoft Authenticator for passwordless sign-ins. The Microsoft Authenticator app enables users to authenticate without a password, using methods such as biometric authentication or number matching, available on these device types.

Your organization, MSCloudExplorers, has a Microsoft 365 E5 subscription.

You want to review historical security alerts generated by Microsoft 365 Defender to investigate past incidents.

What is the maximum age of the oldest alert that can be reviewed directly from the Microsoft 365 Defender portal?

  • 7 days
  • 30 days
  • 3 months
  • 6 months
  • 12 months

Correct Answer: 12 months
Explanation:

With Microsoft 365 E5, security alerts in the Microsoft 365 Defender portal are retained for up to 12 months (365 days) by default. This allows security teams to:

  • Investigate past threats

  • Perform incident reviews

  • Conduct long-term forensic analysis

Your organization, MSCloudExplorers, uses a Microsoft 365 E5 subscription with Microsoft Defender for Office 365 enabled.

You want to create a policy that specifically detects and blocks spoofing attacks, where attackers impersonate trusted senders.

Which type of Microsoft Defender for Office 365 policy should you configure?

  • anti-phishing
  • Safe attachments
  • anti-spam
  • anti-malware

Correct Answer: anti-phishing
Explanation:

Anti-phishing policies in Microsoft Defender for Office 365 are specifically designed to detect and prevent spoofing attacks.

Here’s why:

  • Spoofing involves impersonating someone else, often to trick recipients into revealing sensitive information or clicking on malicious links.
  • Anti-phishing policies use various techniques, including:
    • Sender reputation: Analyzing the sender’s email address and domain reputation.
    • Content analysis: Examining the email content for suspicious patterns, keywords, and links.
    • Machine learning: Using AI to identify and block sophisticated phishing attempts.

Your organization, MSCloudExplorers, uses a Microsoft 365 E5 subscription with Microsoft Defender for Office 365 fully enabled.

You want to review detailed threat analysis, including file behavior and detonation results, for emails that have been scanned by Microsoft Defender.

Which policy feature should be enabled to access the Advanced Analysis tab for email investigations?

  • anti-spam
  • anti-malware
  • Safe Attachments
  • Safe Links

Correct Answer: Safe Attachments
Explanation:

The Safe Attachments policy in Microsoft Defender for Office 365 is specifically designed to provide the most detailed information for advanced analysis of emails.

Here’s why:

  • Safe Attachments policy enables advanced threat protection capabilities, including:
    • Deep scanning: Analyzing attachments for malicious content beyond basic antivirus checks.
    • Sandboxing: Executing attachments in a controlled environment to detect threats that might not be detected by static analysis.
    • URL detonation: Analyzing URLs within attachments to determine their safety.

This in-depth analysis provides the information needed to understand the threat and take appropriate action.

Your organization, MSCloudExplorers, has a Microsoft 365 E5 subscription with Microsoft Defender for Endpoint included.

You need to identify vulnerable or weak certificates across your company’s endpoints to assess security risks.

Which Microsoft Defender Vulnerability Management feature should you use?

  • Recommendations
  • Remediation
  • Inventories
  • Weaknesses

Correct Answer: Weaknesses
Explanation:

The Weaknesses feature in Microsoft Defender for Endpoint’s Vulnerability Management focuses on identifying potential vulnerabilities, such as weak certificates, misconfigurations, and unpatched software on devices. This feature analyzes security flaws and provides insights to help prioritize and address these issues.

  • Recommendations: Offers actionable steps to improve the security posture but doesn’t specifically identify weak certificates.
  • Remediation: Tracks the progress of addressing vulnerabilities but doesn’t directly identify them.
  • Inventories: Lists the assets, software, and certificates but doesn’t highlight vulnerabilities.

Thus, to identify vulnerable certificates specifically, you should use the Weaknesses feature.

Your company, MSCloudExplorers, has a Microsoft 365 E5 subscription with access to Microsoft 365 Defender.

You want to use Advanced Hunting to list endpoint devices that recently had vulnerabilities detected.

Which query language should you use in the Advanced Hunting feature?

  • an XPath query
  • a PowerShell script
  • a Transact-SQL query
  • Kusto Query Language (KQL)

Correct Answer: Kusto Query Language (KQL)
Explanation:

Kusto Query Language (KQL) is the query language used in Advanced Hunting within Microsoft 365 Defender. It is designed for fast and flexible querying of the data stored in the system.

To list endpoint devices with a recently detected vulnerability, you would write a KQL query targeting the relevant tables, such as DeviceTvmSoftwareVulnerabilities or similar tables in Advanced Hunting.

Your organization, MSCloudExplorers, uses Microsoft 365 E5 with Microsoft Purview Information Protection enabled.

You upload a document named File1.docx to a SharePoint Online site.

What is the maximum number of sensitivity labels that can be applied to File1.docx at any given time?

  • 1
  • 2
  • 4
  • 10

Correct Answer: 1
Explanation:

A file in Microsoft 365, such as a Word document uploaded to SharePoint Online, can have only one sensitivity label applied at a time. Sensitivity labels are designed to classify and protect content based on its sensitivity, such as marking it as confidential or restricted.

Allowing only one label ensures clarity and avoids conflicts in protection settings, such as encryption, access policies, or watermarking. If you attempt to apply a different label, it will replace the existing one.

Your organization, MSCloudExplorers, has a Microsoft 365 E5 subscription.

A user named User1 uses the following devices:

  • Device5: Windows 11

  • Device6: Windows 10

  • Device7: Android

  • Device8: iOS

You’ve created a sensitivity label named Label1, which applies a custom header (e.g., “Confidential – Internal Use Only”) to documents.

You apply Label1 to a document named File1.docx.

On which device(s) will User1 see the custom header when opening File1?

  • Device5 only
  • Device5 and Device6 only
  • Device5, Device6, and Device7 only
  • Device5, Device6, Device7, and Device8

Correct Answer: Device5 and Device6 only
Explanation:

Sensitivity labels with custom headers in Microsoft 365 are fully supported on Windows devices (Windows 10 and Windows 11) when users open the labeled file in Microsoft 365 apps, such as Word, Excel, or PowerPoint.

  • On Android and iOS devices, Microsoft 365 apps may display the sensitivity label itself, but custom headers or footers are typically not rendered due to limitations in mobile versions of the apps.

Thus, the custom header applied by Label1 will only be visible on Device5 (Windows 11) and Device6 (Windows 10).

Your organization, MSCloudExplorers, has a Microsoft 365 E5 subscription.

You need to apply Data Loss Prevention (DLP) policies across the following Microsoft 365 workloads:

  • Exchange Online (emails)

  • SharePoint Online (sites)

  • OneDrive for Business (user accounts)

  • Microsoft Teams (chats and channel messages)

  • Power BI

What is the minimum number of DLP policies you must create to cover all these locations?

  • 1
  • 2
  • 3
  • 4
  • 5

Correct Answer: 2
Explanation:

  • Microsoft 365 DLP supports creating a single policy that spans:

    • Exchange, SharePoint, OneDrive, and Teams — all in one DLP policy.

  • Power BI requires a separate DLP policy, created from the Microsoft Purview portal (Data > Policies > Power BI).

  • So, you need:

    1. One policy for Exchange, SharePoint, OneDrive, Teams

    2. One separate policy for Power BI

Your organization, MSCloudExplorers, uses a Microsoft 365 E5 subscription that includes the following Data Loss Prevention (DLP) policies:

  • DLP1: Applies to SharePoint Online sites

  • DLP2: Applies to Exchange Online emails and devices

  • DLP3: Applies to devices only

  • DLP4: Applies to on-premises repositories

You need to prevent users from copying sensitive information to USB devices.

Which policy or policies should you use?

  • DLP3 only
  • DLP2 and DLP3 only
  • DLP3 and DLP4 only
  • DLP2, DLP3, and DLP4 only
  • DLP1, DLP2, DLP3, and DLP4

Correct Answer: DLP3 only
Explanation:

To prevent users from copying information to USB devices, the DLP policy must target Devices, specifically configured for endpoint DLP.

  • DLP3 applies to Devices, which includes controlling actions such as copying sensitive information to USB drives, clipboard actions, or printing. It is specifically designed for endpoint data loss scenarios.
  • DLP2 also applies to Devices, but it is combined with Exchange email. However, the requirement here is strictly related to USB devices, which falls entirely under DLP3.
