2026/January Latest Braindump2go MS-102 Exam Dumps with PDF and VCE Free Updated Today! Following are some new Braindump2go MS-102 Real Exam Questions!
QUESTION 40
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain.
You deploy an Azure AD tenant.
Another administrator configures the domain to synchronize to Azure AD.
You discover that 10 user accounts in an organizational unit (OU) are NOT synchronized to Azure AD. All the other user accounts synchronized successfully.
You review Azure AD Connect Health and discover that all the user account synchronizations completed successfully.
You need to ensure that the 10 user accounts are synchronized to Azure AD.
Solution: You run idfix.exe and export the 10 user accounts.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
No, running idfix.exe and exporting the 10 user accounts does not meet the goal of ensuring that the 10 user accounts are synchronized to Azure AD. IdFix is a tool used to perform discovery and remediation of identity objects and their attributes in an on-premises Active Directory environment in preparation for migration to Azure Active Directory. It provides you the ability to query, identify, and remediate the majority of object synchronization errors in your Windows Server AD forests in preparation for deployment to Microsoft 365. However, simply exporting the 10 user accounts using IdFix will not ensure that they are synchronized to Azure AD. You need to review the errors reported by IdFix and take appropriate actions to fix them before synchronizing the accounts to Azure AD.
QUESTION 41
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain.
You deploy an Azure AD tenant.
Another administrator configures the domain to synchronize to Azure AD.
You discover that 10 user accounts in an organizational unit (OU) are NOT synchronized to Azure AD. All the other user accounts synchronized successfully.
You review Azure AD Connect Health and discover that all the user account synchronizations completed successfully.
You need to ensure that the 10 user accounts are synchronized to Azure AD.
Solution: From Azure AD Connect, you modify the Azure AD credentials.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
No, modifying the Azure AD credentials from Azure AD Connect does not meet the goal of ensuring that the 10 user accounts are synchronized to Azure AD. If you have discovered that 10 user accounts in an organizational unit (OU) are not synchronized to Azure AD, while all the other user accounts synchronized successfully, and you have reviewed Azure AD Connect Health and discovered that all the user account synchronizations completed successfully, then you should troubleshoot an object that is not syncing with Azure Active Directory.
QUESTION 42
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain.
You deploy an Azure AD tenant.
Another administrator configures the domain to synchronize to Azure AD.
You discover that 10 user accounts in an organizational unit (OU) are NOT synchronized to Azure AD. All the other user accounts synchronized successfully.
You review Azure AD Connect Health and discover that all the user account synchronizations completed successfully.
You need to ensure that the 10 user accounts are synchronized to Azure AD.
Solution: From the Synchronization Rules Editor, you create a new outbound synchronization rule.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Creating a new outbound synchronization rule in the Synchronization Rules Editor will not solve the issue of the 10 user accounts not being synchronized to Azure AD.
Outbound synchronization rules define what happens after Azure AD Connect has combined the data from all connected directories. They don’t control which objects are being synchronized to Azure AD.
The issue seems to be with the scope of the objects that are being synchronized. It’s possible that the OU containing these 10 users is not included in the synchronization scope.
To solve this issue, you should check the configuration of Azure AD Connect and ensure that the OU containing these 10 users is included in the synchronization scope.
QUESTION 43
You have a Microsoft 365 subscription.
You need to add additional onmicrosoft.com domains to the subscription. The additional domains must be assignable as email addresses for users.
What is the maximum number of onmicrosoft.com domains the subscription can contain?
A. 1
B. 2
C. 5
D. 10
Answer: C
Explanation:
You are limited to a total of five onmicrosoft.com domains in your Microsoft 365 environment. Once they are added, they cannot be removed.
https://learn.microsoft.com/en-us/microsoft-365/admin/setup/add-or-replace-your-onmicrosoftcom-domain?view=o365-worldwide
QUESTION 44
Your network contains an Active Directory domain named adatum.com that is synced to Azure AD.
The domain contains 100 user accounts.
The city attribute for all the users is set to the city where the user resides.
You need to modify the value of the city attribute to the three-letter airport code of each city.
What should you do?
A. From Windows PowerShell on a domain controller, run the Get-ADUser and Set-ADUser cmdlets.
B. From Azure Cloud Shell, run the Get-ADUser and Set-ADUser cmdlets.
C. From Windows PowerShell on a domain controller, run the Get-MgUser and Update-MgUser cmdlets.
D. From Azure Cloud Shell, run the Get-MgUser and Update-MgUser cmdlets.
Answer: A
Explanation:
The user accounts are synced from the on-premises Active Directory to Microsoft Azure Active Directory (Azure AD). Therefore, the city attribute must be changed in the on-premises Active Directory.
QUESTION 45
You have a Microsoft 365 subscription that uses an Azure AD tenant named contoso.com. The tenant contains the users shown in the following table.
![]()
You add another user named User5 to the User Administrator role.
You need to identify which two management tasks User5 can perform.
Which two tasks should you identify? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Delete User2 and User4 only.
B. Reset the password of User4 only.
C. Reset the password of any user in Azure AD.
D. Delete User1, User2, and User4 only.
E. Reset the password of User2 and User4 only.
F. Delete any user in Azure AD.
Answer: AE
QUESTION 46
You have a Microsoft 365 subscription that contains a user named User1.
User1 requires admin access to perform the following tasks:
– Manage Microsoft Exchange Online settings.
– Create Microsoft 365 groups.
You need to ensure that User1 only has admin access for eight hours and requires approval before the role assignment takes place.
What should you use?
A. Azure AD Identity Protection
B. Microsoft Entra Verified ID
C. Conditional Access
D. Azure AD Privileged Identity Management (PIM)
Answer: D
QUESTION 47
You have a Microsoft E5 subscription.
You need to ensure that administrators who need to manage Microsoft Exchange Online are assigned the Exchange Administrator role for five hours at a time.
What should you implement?
A. Azure AD Privileged Identity Management (PIM)
B. a conditional access policy
C. a communication compliance policy
D. Azure AD Identity Protection
E. groups that have dynamic membership
Answer: A
Explanation:
https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-change-default-settings?source=recommendations
QUESTION 48
You have a Microsoft 365 subscription.
You suspect that several Microsoft Office 365 applications or services were recently updated.
You need to identify which applications or services were recently updated.
What are two possible ways to achieve the goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. From the Microsoft 365 admin center, review the Service health blade.
B. From the Microsoft 365 admin center, review the Message center blade.
C. From the Microsoft 365 admin center, review the Products blade.
D. From the Microsoft 365 Admin mobile app, review the messages.
Answer: BD
Explanation:
The Message center in the Microsoft 365 admin center is where you would go to view a list of the features that were recently updated in the tenant. This is where Microsoft posts official messages with information including new and changed features, planned maintenance, or other important announcements.
The messages displayed in the Message center can also be viewed by using the Office 365 Admin mobile app.
Reference:
https://docs.microsoft.com/en-us/office365/admin/manage/message-center?view=o365-worldwide
https://docs.microsoft.com/en-us/office365/admin/admin-overview/admin-mobile-app?view=o365-worldwide
QUESTION 49
You have a Microsoft 365 subscription that contains the domains shown in the following exhibit.
![]()
Which domain name suffixes can you use when you create users?
A. only Sub1.contoso221018.onmicrosoft.com
B. only contoso221018.onmicrosoft.com and Sub2.contoso221018.onmicrosoft.com
C. only contoso221018.onmicrosoft.com, Sub.contoso221018.onmicrosoft.com, and Sub2.contoso221018.onmicrosoft.com
D. all the domains in the subscription
Answer: D
QUESTION 50
You have a Microsoft 365 subscription.
You plan to implement Microsoft Purview Privileged Access Management.
Which Microsoft Office 365 workloads support privileged access?
A. Microsoft Exchange Online only
B. Microsoft Teams only
C. Microsoft Exchange Online and SharePoint Online only
D. Microsoft Teams and SharePoint Online only
E. Microsoft Teams, Exchange Online, and SharePoint Online
Answer: A
Explanation:
When will privileged access support Office 365 workloads beyond Exchange?
Privileged access management will be available in other Office 365 workloads soon. Visit the Microsoft 365 Roadmap for more details.
https://learn.microsoft.com/en-us/purview/privileged-access-management
QUESTION 51
You have a Microsoft 365 E3 subscription that uses Microsoft Defender for Endpoint Plan 1.
Which two Defender for Endpoint features are available to the subscription? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. advanced hunting
B. security reports
C. digital certificate assessment
D. device discovery
E. attack surface reduction (ASR)
Answer: BE
Explanation:
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1-2?view=o365-worldwide
QUESTION 52
You are reviewing alerts in the Microsoft 365 Defender portal.
How long are the alerts retained in the portal?
A. 30 days
B. 60 days
C. 3 months
D. 6 months
E. 12 months
Answer: D
Explanation:
Data from Microsoft Defender for Endpoint is retained for 180 days, visible across the portal. However, in the advanced hunting investigation experience, it’s accessible via a query for a period of 30 days.
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/data-storage-privacy?view=o365-worldwide#how-long-will-microsoft-store-my-data-what-is-microsofts-data-retention-policy
QUESTION 53
You have a Microsoft 365 E5 subscription.
From the Microsoft 365 Defender portal, you plan to export a detailed report of compromised users.
What is the longest time range that can be included in the report?
A. 1 day
B. 7 days
C. 30 days
D. 90 days
Answer: A
Explanation:
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/reports-email-security?view=o365-worldwide#export-report-data
QUESTION 54
You have an Azure AD tenant and a Microsoft 365 E5 subscription. The tenant contains the users shown in the following table.
![]()
You plan to implement Microsoft Defender for Endpoint.
You verify that role-based access control (RBAC) is turned on in Microsoft Defender for Endpoint.
You need to identify which user can view security incidents from the Microsoft 365 Defender portal.
Which user should you identify?
A. User1
B. User2
C. User3
D. User4
Answer: A
Explanation:
Turning on role-based access control will cause users with read-only permissions (for example, users assigned to Azure AD Security reader role) to lose access until they are assigned to a role.
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/rbac?view=o365-worldwide
QUESTION 55
You have a Microsoft 365 tenant that contains two users named User1 and User2.
You create the alert policy shown in the following exhibit.
![]()
User2 runs a script that modifies a file in a Microsoft SharePoint library once every four minutes and runs for a period of two hours.
How many alerts will User1 receive?
A. 2
B. 5
C. 10
D. 25
E. 30
Answer: A
Explanation:
When multiple events that match the conditions of an alert policy occur within a short period of time, they are added to an existing alert by a process called alert aggregation. When an event triggers an alert, the alert is generated and displayed on the Alerts page and a notification is sent. If the same event occurs within the aggregation interval, then Microsoft 365 adds details about the new event to the existing alert instead of triggering a new alert. The goal of alert aggregation is to help reduce alert “fatigue” and let you focus and take action on fewer alerts for the same event.
https://learn.microsoft.com/en-us/purview/alert-policies?view=o365-worldwide#alert-aggregation
QUESTION 56
Your company has 10,000 users who access all applications from an on-premises data center.
You plan to create a Microsoft 365 subscription and to migrate data to the cloud.
You plan to implement directory synchronization.
User accounts and group accounts must sync to Azure AD successfully.
You discover that several user accounts fail to sync to Azure AD.
You need to resolve the issue as quickly as possible.
What should you do?
A. From Active Directory Administrative Center, search for all the users, and then modify the properties of the user accounts.
B. Run idfix.exe, and then click Edit.
C. From Windows PowerShell, run the Start-ADSyncSyncCycle -PolicyType Delta command.
D. Run idfix.exe, and then click Complete.
Answer: B
Explanation:
IdFix is used to perform discovery and remediation of identity objects and their attributes in an on-premises Active Directory environment in preparation for migration to Azure Active Directory. IdFix is intended for the Active Directory administrators responsible for directory synchronization with Azure Active Directory.
Reference:
https://docs.microsoft.com/en-us/office365/enterprise/prepare-directory-attributes-for-synch-with-idfix
QUESTION 57
You have a Microsoft 365 E5 subscription.
Conditional Access is configured to block high-risk sign-ins for all users.
All users are in France and are registered for multi-factor authentication (MFA).
Users in the media department will travel to various countries during the next month.
You need to ensure that if the media department users are blocked from signing in while traveling, the users can remediate the issue without administrator intervention.
What should you configure?
A. an exclusion group
B. the MFA registration policy
C. named locations
D. self-service password reset (SSPR)
Answer: D
Explanation:
If a user has registered for self-service password reset (SSPR), then they can remediate their own user risk by performing a self-service password reset.
https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-remediate-unblock
QUESTION 58
You have a Microsoft 365 E5 subscription that contains the following user:
Name: User1
UPN: [email protected]
Email address: [email protected]
MFA enrollment status: Disabled
When User1 attempts to sign in to Outlook on the web by using the [email protected] email address, the user cannot sign in.
You need to ensure that User1 can sign in to Outlook on the web by using [email protected].
What should you do?
A. Assign an MFA registration policy to User1.
B. Reset the password of User1.
C. Add an alternate email address for User1.
D. Modify the UPN of User1.
Answer: D
QUESTION 59
Your on-premises network contains an Active Directory domain.
You have a Microsoft 365 subscription.
You need to sync the domain with the subscription. The solution must meet the following requirements:
– On-premises Active Directory password complexity policies must be enforced.
– Users must be able to use self-service password reset (SSPR) in Azure AD.
What should you use?
A. password hash synchronization
B. Azure AD Identity Protection
C. Azure AD Seamless Single Sign-On (Azure AD Seamless SSO)
D. pass-through authentication
Answer: D
Explanation:
Password hash sync only compares password hashes. Pass-through authentication defers to the domain controller and doesn't approve the ticket itself.
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback
QUESTION 60
You have a Microsoft 365 E5 subscription.
Users access Microsoft 365 from both their laptop and a corporate Virtual Desktop Infrastructure (VDI) solution.
From Azure AD Identity Protection, you enable a sign-in risk policy.
Users report that when they use the VDI solution, they are regularly blocked when they attempt to access Microsoft 365.
What should you configure?
A. the Tenant restrictions settings in Azure AD
B. a trusted location
C. a Conditional Access policy exclusion
D. the Microsoft 365 network connectivity settings
Answer: B
Explanation:
Configured trusted network locations are used by Identity Protection in some risk detections to reduce false positives.
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies
QUESTION 61
You have a hybrid deployment of Microsoft 365 that contains the users shown in the following table.
![]()
Azure AD Connect has the following settings:
– Password Hash Sync: Enabled
– Pass-through authentication: Enabled
You need to identify which users will be able to authenticate by using Azure AD if connectivity between on-premises Active Directory and the internet is lost.
Which users should you identify?
A. none
B. User1 only
C. User1 and User2 only
D. User1, User2, and User3
Answer: B
QUESTION 62
Your network contains an on-premises Active Directory domain named contoso.com.
For all user accounts, the Logon Hours settings are configured to prevent sign-ins outside of business hours.
You plan to sync contoso.com to an Azure AD tenant.
You need to recommend a solution to ensure that the logon hour restrictions apply when synced users sign in to Azure AD.
What should you include in the recommendation?
A. pass-through authentication
B. conditional access policies
C. password synchronization
D. Azure AD Identity Protection policies
Answer: A
Explanation:
With pass-through authentication, the user’s password is validated against the on-premises Active Directory controller. The password doesn’t need to be present in Microsoft Entra ID in any form. This allows for on-premises policies, such as sign-in hour restrictions, to be evaluated during authentication to cloud services.
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/plan-connect-user-signin
QUESTION 63
Your network contains three Active Directory forests. There are forest trust relationships between the forests.
You create an Azure AD tenant.
You plan to sync the on-premises Active Directory to Azure AD.
You need to recommend a synchronization solution. The solution must ensure that the synchronization can complete successfully and as quickly as possible if a single server fails.
What should you include in the recommendation?
A. one Azure AD Connect sync server and one Azure AD Connect sync server in staging mode
B. three Azure AD Connect sync servers and one Azure AD Connect sync server in staging mode
C. six Azure AD Connect sync servers and three Azure AD Connect sync servers in staging mode
D. three Azure AD Connect sync servers and three Azure AD Connect sync servers in staging mode
Answer: A
Explanation:
Azure AD Connect supports only one instance of Azure AD Connect syncing to Azure AD. You can add directories during configuration.
https://learn.microsoft.com/en-us/skypeforbusiness/hybrid/cloud-consolidation-aad-connect
QUESTION 64
You have a Microsoft 365 subscription.
You have the retention policies shown in the following table.
![]()
Both policies are applied to a Microsoft SharePoint site named Site1 that contains a file named File1.docx.
File1.docx was created on January 1, 2022 and last modified on January 31, 2022. The file was NOT modified again.
When will File1.docx be deleted automatically?
A. January 1, 2023
B. January 1, 2024
C. January 31, 2023
D. January 31, 2024
E. never
Answer: D
Explanation:
Retention wins over deletion for the period of two years; deletion then takes over after the two years.
https://learn.microsoft.com/en-us/training/modules/explore-retention-policies-labels-microsoft-365/5-examine-principles-retentio
QUESTION 65
You have a Microsoft 365 E5 subscription that contains the groups shown in the following table.
![]()
You plan to publish a sensitivity label named Label1.
To which groups can you publish Label1?
A. Group1 only
B. Group1 and Group2 only
C. Group1 and Group4 only
D. Group1, Group2, and Group3 only
E. Group1, Group2, Group3, and Group4
Answer: D
Explanation:
You can apply sensitivity labels to Microsoft 365 Groups, SharePoint sites, Distribution Groups, and Mail-enabled Security Groups but not regular Security Groups.
https://learn.microsoft.com/en-us/purview/sensitivity-labels#what-label-policies-can-do
QUESTION 66
You have a Microsoft 365 subscription.
You configure a data loss prevention (DLP) policy.
You discover that users are incorrectly marking content as false positive and bypassing the DLP policy.
You need to prevent the users from bypassing the DLP policy.
What should you configure?
A. actions
B. incident reports
C. exceptions
D. user overrides
Answer: D
Explanation:
A DLP policy can be configured to allow users to override a policy tip and report a false positive.
QUESTION 67
You have a Microsoft 365 E5 tenant.
You create a retention label named Retention1 as shown in the following exhibit.
![]()
When users attempt to apply Retention1, the label is unavailable.
You need to ensure that Retention1 is available to all the users.
What should you do?
A. Create a new label policy.
B. Modify the Authority type setting for Retention1.
C. Modify the Business function/department setting for Retention1.
D. Use a file plan CSV template to import Retention1.
Answer: A
Explanation:
https://docs.microsoft.com/en-us/microsoft-365/compliance/create-apply-retention-labels?view=o365-worldwide
QUESTION 68
You have a Microsoft 365 E5 subscription that has published sensitivity labels shown in the following exhibit.
![]()
Which labels can users apply to content?
A. Label1, Label2, and Label5 only
B. Label3, Label4, and Label6 only
C. Label1, Label3, Label4, and Label6 only
D. Label1, Label2, Label3, Label4, Label5, and Label6
Answer: C
Explanation:
https://learn.microsoft.com/en-us/purview/sensitivity-labels#sublabels-grouping-labels
QUESTION 69
You have a Microsoft 365 subscription.
Your company has a customer ID associated to each customer. The customer IDs contain 10 numbers followed by 10 characters. The following is a sample customer ID: 12-456-7890-abc-de-fghij.
You plan to create a data loss prevention (DLP) policy that will detect messages containing customer IDs.
What should you create to ensure that the DLP policy can detect the customer IDs?
A. a PowerShell script
B. a sensitivity label
C. a sensitive information type
D. a retention label
Answer: C
Explanation:
A sensitive information type is a predefined or custom entity that can be used to identify and protect sensitive data in Microsoft 365.
https://docs.microsoft.com/en-us/microsoft-365/compliance/custom-sensitive-info-types?view=o365-worldwide
QUESTION 70
You have a Microsoft 365 E5 subscription.
You define a retention label that has the following settings:
– Retention period: 7 years
– Start the retention period based on: When items were created
You need to prevent the removal of the label once the label is applied to a file.
What should you select in the retention label settings?
A. Retain items forever or for a specific period
B. Mark items as a regulatory record
C. Mark items as a record
D. Retain items even if users delete
Answer: B
Explanation:
https://learn.microsoft.com/en-us/purview/records-management#compare-restrictions-for-what-actions-are-allowed-or-blocked
QUESTION 71
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an on-premises Active Directory domain named contoso.com. The domain contains the users shown in the following table.
![]()
The domain syncs to an Azure AD tenant named contoso.com as shown in the exhibit. (Click the Exhibit tab.)
![]()
User2 fails to authenticate to Azure AD when signing in as [email protected].
You need to ensure that User2 can access the resources in Azure AD.
Solution: From the on-premises Active Directory domain, you assign User2 the Allow logon locally user right. You instruct User2 to sign in as [email protected].
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
The on-premises Active Directory domain is named contoso.com. To enable users to sign on using a different UPN (different domain), you need to add the domain to Microsoft 365 as a custom domain.
QUESTION 72
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 E5 subscription.
You create an account for a new security administrator named SecAdmin1.
You need to ensure that SecAdmin1 can manage Microsoft Defender for Office 365 settings and policies for Microsoft Teams, SharePoint, and OneDrive.
Solution: From the Microsoft 365 admin center, you assign SecAdmin1 the SharePoint Administrator role.
Does this meet the goal?
A. Yes
B. No
Answer: B
QUESTION 73
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 E5 subscription.
You create an account for a new security administrator named SecAdmin1.
You need to ensure that SecAdmin1 can manage Microsoft Defender for Office 365 settings and policies for Microsoft Teams, SharePoint, and OneDrive.
Solution: From the Microsoft Entra admin center, you assign SecAdmin1 the Security Administrator role.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
https://learn.microsoft.com/en-us/microsoft-365/security/defender/m365d-permissions?view=o365-worldwide
QUESTION 74
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 E5 subscription.
You create an account for a new security administrator named SecAdmin1.
You need to ensure that SecAdmin1 can manage Microsoft Defender for Office 365 settings and policies for Microsoft Teams, SharePoint, and OneDrive.
Solution: From the Microsoft 365 admin center, you assign SecAdmin1 the Exchange Administrator role.
Does this meet the goal?
A. Yes
B. No
Answer: B
QUESTION 75
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 E5 subscription.
You create an account for a new security administrator named SecAdmin1.
You need to ensure that SecAdmin1 can manage Microsoft Defender for Office 365 settings and policies for Microsoft Teams, SharePoint, and OneDrive.
Solution: From the Microsoft 365 admin center, you assign SecAdmin1 the Teams Administrator role.
Does this meet the goal?
A. Yes
B. No
Answer: B
QUESTION 76
You have a Microsoft 365 E5 subscription that is linked to an Azure AD tenant named contoso.com.
You purchase 100 Microsoft 365 Business Voice add-on licenses.
You need to ensure that the members of a group named Voice are assigned a Microsoft 365 Business Voice add-on license automatically.
What should you do?
A. From the Licenses page of the Microsoft 365 admin center, assign the licenses.
B. From the Microsoft Entra admin center, modify the settings of the Voice group.
C. From the Microsoft 365 admin center, modify the settings of the Voice group.
Answer: B
Explanation:
You can add group members from both admin centers (Microsoft Entra and Microsoft 365). However, assigning licenses based on the group can only be set from the Microsoft Entra admin center (Azure AD).
QUESTION 77
You have a Microsoft 365 E5 subscription that uses Endpoint security.
You need to create a group and assign the Endpoint Security Manager role to the group.
Which type of group can you use?
A. Microsoft 365 only
B. security only
C. mail-enabled security and security only
D. mail-enabled security, Microsoft 365, and security only
E. distribution, mail-enabled security, Microsoft 365, and security
Answer: D
QUESTION 78
You have a Microsoft 365 subscription.
You need to be notified to your personal email address when a Microsoft Exchange Online service issue occurs.
What should you do?
A. From the Exchange admin center, create a contact.
B. From the Microsoft Outlook client, configure an Inbox rule.
C. From the Microsoft 365 admin center, update the technical contact details.
D. From the Microsoft 365 admin center, customize the Service health settings.
Answer: D
Explanation:
From the Microsoft 365 admin center, go to Health / Service Health. Click Customize and select the Email tab.
Tick “Send me service health notifications in email” and specify the email address.
QUESTION 79
You have a Microsoft 365 subscription.
All users are assigned Microsoft 365 Apps for enterprise licenses.
You need to ensure that reports display the names of users that have activated Microsoft 365 apps and on how many devices.
What should you modify in the Microsoft 365 admin center?
A. the Reports reader role
B. Organization information
C. Org settings for Privacy profile
D. Org settings for Reports
Answer: D
Explanation:
https://learn.microsoft.com/en-us/microsoft-365/troubleshoot/miscellaneous/reports-show-anonymous-user-name
QUESTION 80
You have a Microsoft 365 subscription.
You add a domain named contoso.com.
When you attempt to verify the domain, you are prompted to send a verification email to [email protected].
You need to change the email address used to verify the domain.
What should you do?
A. Add a TXT record to the DNS zone of the domain.
B. From the domain registrar, modify the contact information of the domain.
C. From the Microsoft 365 admin center, change the global administrator of the Microsoft 365 subscription.
D. Modify the NS records for the domain.
Answer: B
QUESTION 81
Your company has a Microsoft 365 E5 subscription.
You onboard a device on the company’s network to Microsoft Defender for Endpoint.
In the Microsoft 365 Defender portal, you notice that the device inventory displays many devices that have an Onboarding status of Can be onboarded.
You need to ensure that onboarded devices are prevented from polling the network for device discovery but can still discover devices with which they communicate directly.
What should you configure in the Microsoft 365 Defender portal?
A. standard discovery
B. device discovery exclusions
C. basic discovery
D. a network assessment job
Answer: C
Explanation:
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-discovery?view=o365-worldwide#discovery-methods
QUESTION 82
You have a Microsoft 365 E5 subscription that contains the groups shown in the following exhibit.
To which groups can you assign Microsoft 365 E5 licenses?
A. Group1 and Group2 only
B. Group2 and Group3 only
C. Group3 and Group4 only
D. Group1, Group2, and Group3 only
E. Group2, Group3, and Group4 only
Answer: E
Explanation:
Licenses can be assigned to any security group, including security-enabled Microsoft 365 groups.
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/licensing-whatis-azure-portal?context=azure%2Factive-directory%2Fusers-groups-roles%2Fcontext%2Fugr-context#features
QUESTION 83
Your company has on-premises servers and an Azure AD tenant.
Several months ago, the Azure AD Connect Health agent was installed on all the servers.
You review the health status of all the servers regularly.
Recently, you attempted to view the health status of a server named Server1 and discovered that the server is NOT listed on the Azure AD Connect Servers list.
You suspect that another administrator removed Server1 from the list.
You need to ensure that you can view the health status of Server1.
What are two possible ways to achieve the goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. From Windows PowerShell, run the Register-AzureADConnectHealthSyncAgent cmdlet.
B. From Azure Cloud shell, run the Connect-AzureAD cmdlet.
C. From Server1, reinstall the Azure AD Connect Health agent.
D. From Server1, change the Azure AD Connect Health services Startup type to Automatic.
E. From Server1, change the Azure AD Connect Health services Startup type to Automatic (Delayed Start).
Answer: AC
QUESTION 84
You have a Microsoft 365 E5 subscription that uses Microsoft Intune.
You need to access service health alerts from a mobile phone.
What should you use?
A. the Microsoft Authenticator app
B. the Microsoft 365 Admin mobile app
C. Intune Company Portal
D. the Intune app
Answer: B
QUESTION 85
You have a Microsoft 365 E5 subscription.
You need to recommend a solution for monitoring and reporting application access. The solution must meet the following requirements:
– Support KQL for querying data.
– Retain report data for at least one year.
What should you include in the recommendation?
A. a security report in Microsoft 365 Defender
B. Endpoint analytics
C. Microsoft 365 usage analytics
D. Azure Monitor workbooks
Answer: D
Explanation:
Azure Monitor workbooks allow you to create custom dashboards and reports using KQL queries and provide the flexibility to monitor various aspects of your applications and infrastructure, including application access. Azure Monitor also offers the ability to retain data for extended periods, making it suitable for meeting the one-year data retention requirement.
QUESTION 86
Your company has a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com that includes the users shown in the following table.
Group2 is a member of Group1.
You assign a Microsoft Office 365 Enterprise E3 license to Group1.
How many Office 365 E3 licenses are assigned?
A. 1
B. 2
C. 3
D. 4
Answer: C
Explanation:
When Azure AD assigns group licenses, any users without a specified usage location inherit the location of the directory.
https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/licensing-groups-resolve-problems#usage-location-isnt-allowed
https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/licensing-groups-assign
QUESTION 87
You have a Microsoft 365 E5 subscription that contains the users shown in the following table.
Which users can review the Adoption Score in the Microsoft 365 admin center?
A. User1 only
B. User2 only
C. User1 and User2 only
D. User1 and User3 only
E. User1, User2, and User3
Answer: E
Explanation:
https://learn.microsoft.com/en-us/microsoft-365/admin/adoption/adoption-score?view=o365-worldwide#adoption-score-prerequisites
QUESTION 88
You have a Microsoft 365 subscription that contains the users shown in the following table.
You plan to use Exchange Online to manage email for a DNS domain.
An administrator adds the DNS domain to the subscription.
The DNS domain has a status of Incomplete setup.
You need to identify which user can complete the setup of the DNS domain. The solution must use the principle of least privilege.
Which user should you identify?
A. User1
B. User2
C. User3
D. User4
Answer: A
Explanation:
To add, modify, or remove domains, you must be a Domain Name Administrator or Global Administrator.
https://learn.microsoft.com/en-us/microsoft-365/admin/setup/add-domain?view=o365-worldwide
QUESTION 89
You have a Microsoft 365 E5 subscription that contains the users shown in the following table.
You plan to create a Conditional Access policy that will use GPS-based named locations.
Which users can the policy protect?
A. User2 and User4 only
B. User1, User2, User3, and User4
C. User1 only
D. User1 and User3 only
Answer: C
Explanation:
GPS location doesn’t work with passwordless authentication methods.
https://learn.microsoft.com/en-us/entra/identity/conditional-access/location-condition
QUESTION 90
Your network contains an Active Directory forest named contoso.local.
You have a Microsoft 365 subscription.
You plan to implement a directory synchronization solution that will use password hash synchronization.
From the Microsoft 365 admin center, you successfully verify the contoso.com domain name.
You need to prepare the environment for the planned directory synchronization solution.
What should you do first?
A. From the Microsoft 365 admin center, verify the contoso.local domain name.
B. From the public DNS zone of contoso.com, add a new mail exchanger (MX) record.
C. From Active Directory Domains and Trusts, add contoso.com as a UPN suffix.
D. From Active Directory Users and Computers, modify the UPN suffix for all users.
Answer: C
Explanation:
https://learn.microsoft.com/en-us/microsoft-365/enterprise/prepare-a-non-routable-domain-for-directory-synchronization?view=o365-worldwide#what-if-i-only-have-a-local-on-premises-domain
QUESTION 91
You have a Microsoft 365 E5 subscription.
On Monday, you create a new user named User1.
On Tuesday, User1 signs in for the first time and performs the following actions:
– Signs in to Microsoft Exchange Online from an anonymous IP address.
– Signs in to Microsoft SharePoint Online from a device in New York City.
– Establishes Remote Desktop connections to hosts in Berlin and Hong Kong, and then signs in to SharePoint Online from the Remote Desktop connections.
Which types of sign-in risks will Azure AD Identity Protection detect for User1?
A. anonymous IP address and atypical travel only
B. anonymous IP address only
C. unfamiliar sign-in properties and atypical travel only
D. anonymous IP address and unfamiliar sign-in properties only
E. anonymous IP address, atypical travel, and unfamiliar sign-in properties
Answer: B
Explanation:
Atypical travel and unfamiliar sign-in properties have a learning period.
The system has an initial learning period of the earliest of 14 days or 10 logins, during which it learns a new user’s sign-in behavior.
QUESTION 92
You have a Microsoft 365 subscription that contains an Azure AD tenant named contoso.com.
Corporate policy states that user passwords must not include the word Contoso.
What should you do to implement the corporate policy?
A. From the Microsoft Entra admin center, create a conditional access policy.
B. From the Microsoft Entra admin center, configure the Password protection settings.
C. From the Microsoft 365 admin center, configure the Password policy settings.
D. From Azure AD Identity Protection, configure a sign-in risk policy.
Answer: B
Explanation:
https://learn.microsoft.com/es-es/azure/active-directory/authentication/tutorial-configure-custom-password-protection
QUESTION 93
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest.
You deploy Microsoft 365.
You plan to implement directory synchronization.
You need to recommend a security solution for the synchronized identities. The solution must meet the following requirements:
– Users must be able to authenticate successfully to Microsoft 365 services if Active Directory becomes unavailable.
– User passwords must be 10 characters or more.
Solution: Implement pass-through authentication and modify the password settings from the Default Domain Policy in Active Directory.
Does this meet the goal?
A. Yes
B. No
Answer: B
QUESTION 94
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest.
You deploy Microsoft 365.
You plan to implement directory synchronization.
You need to recommend a security solution for the synchronized identities. The solution must meet the following requirements:
– Users must be able to authenticate successfully to Microsoft 365 services if Active Directory becomes unavailable.
– User passwords must be 10 characters or more.
Solution: Implement password hash synchronization and configure password protection in the Azure AD tenant.
Does this meet the goal?
A. Yes
B. No
Answer: B
QUESTION 95
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest.
You deploy Microsoft 365.
You plan to implement directory synchronization.
You need to recommend a security solution for the synchronized identities. The solution must meet the following requirements:
– Users must be able to authenticate successfully to Microsoft 365 services if Active Directory becomes unavailable.
– User passwords must be 10 characters or more.
Solution: Implement pass-through authentication and configure password protection in the Azure AD tenant.
Does this meet the goal?
A. Yes
B. No
Answer: B
QUESTION 96
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest.
You deploy Microsoft 365.
You plan to implement directory synchronization.
You need to recommend a security solution for the synchronized identities. The solution must meet the following requirements:
– Users must be able to authenticate successfully to Microsoft 365 services if Active Directory becomes unavailable.
– User passwords must be 10 characters or more.
Solution: Implement password hash synchronization and modify the password settings from the Default Domain Policy in Active Directory.
Does this meet the goal?
A. Yes
B. No
Answer: A
QUESTION 97
Your company has three main offices and one branch office. The branch office is used for research.
The company plans to implement a Microsoft 365 tenant and to deploy multi-factor authentication.
You need to recommend a Microsoft 365 solution to ensure that multi-factor authentication is enforced only for users in the branch office.
What should you include in the recommendation?
A. Azure AD password protection
B. a Microsoft Intune device configuration profile
C. a Microsoft Intune device compliance policy
D. Azure AD conditional access
Answer: D
QUESTION 98
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain.
You deploy an Azure AD tenant.
Another administrator configures the domain to synchronize to Azure AD.
You discover that 10 user accounts in an organizational unit (OU) are NOT synchronized to Azure AD. All the other user accounts synchronized successfully.
You review Azure AD Connect Health and discover that all the user account synchronizations completed successfully.
You need to ensure that the 10 user accounts are synchronized to Azure AD.
Solution: From Azure AD Connect, you modify the filtering settings.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/how-to-connect-sync-configure-filtering
QUESTION 99
You have a Microsoft 365 subscription that contains an Azure AD tenant named contoso.com. The tenant includes a user named User1.
You enable Azure AD Identity Protection.
You need to ensure that User1 can review the list in Azure AD Identity Protection of users flagged for risk. The solution must use the principle of least privilege.
To which role should you add User1?
A. Security Reader
B. Global Administrator
C. Owner
D. User Administrator
Answer: A
Explanation:
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection#permissions
QUESTION 100
You have a Microsoft 365 E5 subscription.
Users have Android or iOS devices and access Microsoft 365 resources from computers that run Windows 11 or macOS.
You need to implement passwordless authentication. The solution must support all the devices.
Which authentication method should you use?
A. Windows Hello
B. FIDO2 compliant security keys
C. Microsoft Authenticator app
Answer: C
Explanation:
The Microsoft Authenticator app is the way to go passwordless when both the mobile devices and the computers must be supported.
QUESTION 101
You have a Microsoft 365 E5 subscription.
You create a Conditional Access policy that blocks access to an app named App1 when users trigger a high-risk sign-in event.
You need to reduce false positives for impossible travel when the users sign in from the corporate network.
What should you configure?
A. exclusion groups
B. multi-factor authentication (MFA)
C. named locations
D. user risk policies
Answer: C
Explanation:
Named locations is a feature of Azure AD that enables administrators to label trusted IP address ranges in their organizations. In the environment, administrators can use named locations in the context of the detection of risk events to reduce the number of reported false positives for the Impossible travel to atypical locations risk event type.
QUESTION 102
You have a Microsoft 365 E5 subscription.
You need to create a mail-enabled contact.
Which portal should you use?
A. the Microsoft 365 admin center
B. the SharePoint admin center
C. the Microsoft Entra admin center
D. the Microsoft Purview compliance portal
Answer: A
Explanation:
https://admin.microsoft.com/Adminportal/Home#/Contact
QUESTION 103
Your on-premises network contains an Active Directory domain.
You have a Microsoft 365 E5 subscription.
You plan to implement a hybrid configuration that has the following requirements:
– Minimizes the number of times users are prompted for credentials when they access Microsoft 365 resources
– Supports the use of Azure AD Identity Protection
You need to configure Azure AD Connect to support the planned implementation.
Which two options should you select? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Password Hash Synchronization
B. Password writeback
C. Directory extension attribute sync
D. Enable single sign-on
E. Pass-through authentication
Answer: AD
QUESTION 104
You have a Microsoft 365 tenant that contains a Windows 10 device. The device is onboarded to Microsoft Defender for Endpoint.
From the Microsoft 365 Defender portal, you perform a security investigation.
You need to run a PowerShell script on the device to collect forensic information.
Which action should you select on the device page?
A. Collect investigation package
B. Go hunt
C. Initiate Live Response Session
D. Initiate Automated Investigation
Answer: C
Explanation:
Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide
QUESTION 105
You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365.
You notice that it takes several days to notify email recipients when an incoming email message is marked as spam, and then quarantined.
You need to ensure that the email recipients are notified within 24 hours.
What should you do?
A. Modify the default inbound anti-spam policy.
B. Modify the DefaultFullAccessPolicy quarantine policy.
C. Add a custom quarantine policy.
D. Modify the global settings for quarantine policies.
Answer: D
Explanation:
Quarantine policy, Global Settings (Defender portal -> Email & Collaboration -> Policies & rules -> Threat policies -> Quarantine policy). Change ‘Send end-user spam notifications’ to Daily.
QUESTION 106
You have a Microsoft 365 E5 subscription.
You need to ensure that administrators receive an email when Microsoft 365 Defender detects a sign-in from a risky IP address.
What should you create?
A. a vulnerability notification rule
B. an alert
C. an incident assignment filter
D. an incident notification rule
Answer: B
QUESTION 107
You have a Microsoft 365 E5 subscription that has Microsoft Defender for Endpoint integrated with Microsoft Intune.
Devices are onboarded by using Microsoft Defender for Endpoint.
You plan to block devices based on the results of the machine risk score calculated by Microsoft Defender for Endpoint.
What should you create first?
A. a device configuration policy
B. a device compliance policy
C. a conditional access policy
D. an endpoint detection and response policy
Answer: B
Explanation:
https://learn.microsoft.com/en-us/microsoft-365/solutions/manage-devices-with-intune-monitor-risk?view=o365-worldwide#monitor-device-risk-as-a-condition-for-access
QUESTION 108
You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365.
A Built-in protection preset security policy is applied to the subscription.
Which two policy types will be applied by the Built-in protection policy? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Anti-malware
B. Safe Attachments
C. Safe Links
D. Anti-phishing
E. Anti-spam
Answer: BC
Explanation:
Built-in protection (Defender for Office 365 only): A profile that enables Safe Links and Safe Attachments protection only. This profile effectively provides default policies for Safe Links and Safe Attachments, which never had default policies. For Built-in protection, the preset security policy is on by default for all Defender for Office 365 customers.
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide