Microsoft MS-102 Administrator Exam Topics
Want to pass the MS-102 certification exam on your first try? You are in the right place, because we have put together a collection of sample MS-102 exam questions that will help you learn key Microsoft 365 administration concepts and prepare for the real MS-102 test.
All of these MS-102 practice questions come from my Microsoft 365 training courses and the certificationexams.pro website, two resources that have helped many students pass the MS-102 exam. If you are interested in even more MS-102 practice tests, using exam simulators with realistic question styles is highly recommended.
MS-102 Administrator Practice Questions
These are not MS-102 exam dumps or braindumps. They are carefully developed questions that resemble what you will experience on the real MS-102 certification exam. They will help you prepare honestly and build real foundational knowledge in Microsoft 365 administration.
So get ready to test your skills. Good luck on these practice questions, and even better luck when you take the official MS-102 exam.
365 Admin Expert Question 1
Fill in the missing word. To protect data in Acme Cloud Workspace from accidental deletion, cyber threats and other forms of data loss, administrators should implement a comprehensive __ strategy.
❏ A. Retention and legal hold policy
❏ B. Cloud Storage snapshot policies
❏ C. Encryption at rest
❏ D. Backup
365 Admin Expert Question 2
At Meridian Tech when a Microsoft Teams data loss prevention rule prevents external sharing of confidential content what happens to messages that contain that sensitive information and are sent to external recipients within 30 seconds?
❏ A. quarantined for compliance review
❏ B. redacted and delivered with placeholders
❏ C. automatically deleted from the thread
❏ D. blocked and not delivered to external recipients
365 Admin Expert Question 3
A regional retailer named Meridian Retail runs an on premises Active Directory domain and has an AD FS farm with two AD FS servers on the internal network and two Web Application Proxy servers in the DMZ. The team configures hybrid identity with an Entra ID tenant and deploys a custom Microsoft Entra Connect setup that uses one active Entra Connect server and one server in staging mode. The requirement is to track sign in activity including the count and kinds of authentications and the count and kinds of authentication failures. The administrators install the Microsoft Entra Connect Health agent for AD FS on the AD FS servers and on the WAP servers. Does this configuration provide the required authentication activity and failure telemetry?
❏ A. Enable Entra ID sign in logs and forward them to Log Analytics
❏ B. Yes installing the Entra Connect Health agent on AD FS and WAP is sufficient
❏ C. No
❏ D. Deploy Microsoft Sentinel and ingest AD FS and Entra ID telemetry
365 Admin Expert Question 4
The security operations unit at Northwind Logistics is overwhelmed by a continuous stream of security alerts. Which capability in Microsoft 365 Defender can automate the investigation and remediation of those alerts?
❏ A. Microsoft Intelligent Security Graph
❏ B. Automated investigation and remediation
❏ C. Microsoft Defender for Endpoint
❏ D. Security Action Center
365 Admin Expert Question 5
A user has not configured alternate contact methods for self service password reset. What should they do next?
❏ A. Contact Microsoft support to request a password reset
❏ B. Ask the Microsoft 365 administrator to reset the account password
❏ C. Use a registered mobile phone to receive a verification code and reset the password
365 Admin Expert Question 6
You are the IT lead for a midsize firm that recently moved its messaging to Microsoft 365 and initially used the tenant default onmicrosoft.com domain. The company now wants to use its own domain example.com for email and other services, and you have already added and verified example.com in the Microsoft 365 admin center. What is the next action you should take to complete the custom domain setup?
❏ A. Attempt to delete the tenant default onmicrosoft.com domain
❏ B. Configure the domain DNS records such as MX TXT and CNAME at the domain registrar
❏ C. Change each user primary email address to use the new example.com domain manually from the admin console
❏ D. Create a separate Microsoft 365 tenant that is bound to example.com and migrate users into it
365 Admin Expert Question 7
When you create a data loss prevention policy for an organization that includes Exchange Online, SharePoint, OneDrive, and Teams which configuration choice specifies the exact services and repositories where the policy will be enforced?
❏ A. Permissions
❏ B. Sensitivity labels
❏ C. Locations
❏ D. Retention labels
365 Admin Expert Question 8
Which threat management capabilities are bundled with Contoso Email Protection subscriptions? (Choose 3)
❏ A. Anti-spam filtering
❏ B. Protection against malicious URLs and attachments
❏ C. Anti-malware scanning
❏ D. Advanced anti-phishing controls
❏ E. Zero hour automatic message removal
365 Admin Expert Question 9
Which of the following statements describe features and advantages of using Contoso Entra Connect and Contoso Entra Cloud Sync for hybrid identity management? (Choose 3)
❏ A. Password Hash Synchronization lets users sign in with their local directory credentials without deploying extra infrastructure
❏ B. Federation integration enables authentication to be redirected to external identity systems including third party multifactor services
❏ C. Pass through Authentication requires lightweight on premises agents but enforces on premises account states immediately
❏ D. Connect Health telemetry is available without purchasing additional service licenses
365 Admin Expert Question 10
In Microsoft 365 Defender where do you go to review high severity incidents that occurred in the past seven days?
❏ A. Alerts
❏ B. Incidents
❏ C. Threat analytics
❏ D. Advanced hunting
365 Admin Expert Question 11
As a compliance lead at a regional bank you want to understand which tiers Compliance Manager uses when calculating scores. Which of the following is not a level at which Compliance Manager assigns a score value?
❏ A. Control rating
❏ B. End user behavior score
❏ C. Remediation action score
❏ D. Evaluation score
365 Admin Expert Question 12
You manage tenant services for a company that uses Contoso 365 and you need to add multiple verified domains to the subscription. What is the maximum number of domains you can register?
❏ A. 1200 domains
❏ B. 900 domains
❏ C. 150 domains
❏ D. 600 domains
365 Admin Expert Question 13
Which two primary elements of Entra Connect Health are used to monitor directory synchronization services? (Choose 2)
❏ A. Cloud Monitoring
❏ B. Entra Connect Health monitoring agent
❏ C. Identity Protection for Azure Active Directory
❏ D. Entra Connect Health for synchronization services
365 Admin Expert Question 14
Brightleaf Systems holds a Microsoft 365 E3 subscription and plans to trial attack simulation training for all employees. Which pairing of social engineering tactic and training scenario does the E3 trial offer?
❏ A. Credential harvesting and Mass Market Phishing
❏ B. Credential harvesting and Web based phishing
❏ C. Malicious hyperlink and Web Phishing
❏ D. Malware attachment and Identity Theft simulation
365 Admin Expert Question 15
Which actions enable administrators to deploy sensitivity labels and label policies in the Compliance Center? (Choose 2)
❏ A. Publish sensitivity labels by adding them to a label policy
❏ B. Delete sensitivity labels and retroactively remove protections
❏ C. Use PowerShell cmdlets to configure additional label settings
365 Admin Expert Question 16
An international marketing firm is configuring its Acme Productivity Suite tenant and needs to manage global account details and security policies. Which tasks can an administrator perform when managing the organization settings? (Choose 4)
❏ A. Change the organization’s legal entity name
❏ B. Require multifactor authentication for users
❏ C. Apply a custom visual theme and logo to the tenant
❏ D. Define password expiration and rotation rules
365 Admin Expert Question 17
Fabrikam Inc is looking to strengthen access controls for its Microsoft Azure administrative operations and they must ensure that every administrator uses an extra verification step when they manage Azure resources regardless of where they sign in from. Which Conditional Access policy will meet this requirement?
❏ A. Block sign ins that use legacy authentication protocols
❏ B. Require organization managed devices for administrative applications
❏ C. Enforce multi factor authentication for administrative operations in Azure
❏ D. Block access from specific geographic regions
365 Admin Expert Question 18
Marigold Systems used an App Usage Scanner and discovered multiple high risk third party applications being accessed by staff members. The chief information officer wants immediate measures to reduce security exposure. Which action should be taken first?
❏ A. Cut off access to all identified high risk applications immediately
❏ B. Enforce conditional access controls through Cloud Identity to restrict risky app access
❏ C. Deploy Data Loss Prevention policies using Cloud DLP
❏ D. Perform a detailed assessment of application usage and possible data exposure
365 Admin Expert Question 19
You work as a compliance administrator at a regional charity and you need to limit access to a SharePoint Online site by using sensitivity labels. Which capability must you activate first?
❏ A. Microsoft Purview compliance portal
❏ B. Enable sensitivity label support for Teams Microsoft 365 groups and SharePoint sites
❏ C. Autolabeling policies for SharePoint
❏ D. Azure Information Protection unified labeling client
365 Admin Expert Question 20
Which metric is not typically displayed in a network diagnostics overview within an admin portal?
❏ A. DNS lookup latency
❏ B. Individual user web browsing history
❏ C. TCP round trip latency
❏ D. HTTP error rate
365 Admin Expert Question 21
You manage IT for a mid sized company named Meridian Solutions and you plan to deploy multi factor authentication while minimizing user disruption. Which MFA approach lets you enforce detailed access rules based on conditions such as a user’s network location or the compliance state of their device?
❏ A. Microsoft Authenticator mobile app
❏ B. OATH one time password hardware tokens
❏ C. Azure Active Directory security defaults
❏ D. Conditional Access policies
365 Admin Expert Question 22
A workstation at BrightWave Analytics is exhibiting unusual outbound connections and unauthorized processes and you must stop further damage immediately. Which capability of the vendor endpoint protection solution should you use?
❏ A. Threat and vulnerability risk management
❏ B. Attack surface reduction policies
❏ C. Endpoint isolation
❏ D. Automated investigation and remediation
❏ E. Custom indicators of compromise
365 Admin Expert Question 23
As the messaging administrator for a regional nonprofit you want to apply encryption only when messages are delivered to people outside your company. Which condition should you add to the mail flow rule to achieve that goal?
❏ A. The recipient is inside the organization
❏ B. The sender is outside the organization
❏ C. The recipient is outside the organization
❏ D. The sender is inside the organization
365 Admin Expert Question 24
A multinational retailer plans to use Microsoft Entra Privileged Identity Management to strengthen administration across their Azure and Microsoft 365 tenants. Which combination of controls should they implement to manage privileged roles effectively?
❏ A. Assign eligible roles but rely on manual quarterly access reviews and skip activation MFA for convenience
❏ B. Make all Global Administrator accounts permanently active while enforcing multi factor authentication for activation
❏ C. Maintain permanent break glass emergency accounts and do not require MFA when activating roles
❏ D. Apply time limited eligible assignments for critical administrators enforce multi factor authentication for role activation and enable automated access reviews
365 Admin Expert Question 25
Is it possible to retrieve license purchase records, subscription status, and billing cadence from the Entra ID admin center?
❏ A. Entra ID admin center
❏ B. Microsoft 365 admin center
365 Admin Expert Question 26
A regional insurance company runs an on premises Active Directory domain with a domain controller named DC-01 and a member host named SRV-APP02. The security team plans to deploy Microsoft 365 Defender for Identity and install a standalone sensor on SRV-APP02. What configuration is required so the Defender for Identity sensor can observe the domain controller network traffic?
❏ A. Install the Microsoft Monitoring Agent on SRV-APP02
❏ B. Add SRV-APP02 to the Domain Admins group
❏ C. Enable port mirroring from DC-01 to SRV-APP02
❏ D. Open inbound Windows Firewall rules on SRV-APP02 for traffic from DC-01
365 Admin Expert Question 27
If security teams leave insider risk alerts uninvestigated for a prolonged interval can the system increase the alert severity level?
❏ A. No the alert severity remains the same
❏ B. Yes unresolved alerts can have their severity escalated
365 Admin Expert Question 28
At Verdant Systems you must assign a role in Azure Active Directory to an engineer who needs to configure multi factor authentication settings and manage user authentication methods while also handling support cases in both the Azure portal and the Microsoft 365 admin center. Which role should you assign to this engineer?
❏ A. Privileged Authentication Administrator
❏ B. User Administrator
❏ C. Authentication Administrator
❏ D. Authentication Policy Administrator
365 Admin Expert Question 29
A regional nonprofit called HarborTech is adding a custom domain such as staff.example.com to its CloudWork productivity platform and must prove control of the domain before it can be used with the service. What method can be used to verify ownership?
❏ A. Upload a verification HTML file to the site root
❏ B. Add a TXT record to the domain DNS records
❏ C. Send a message from an address at the domain to the vendor support team
❏ D. Arrange a live video session with support to present identity documents
365 Admin Expert Question 30
How do app connectors used by a cloud access security broker collect telemetry and configuration data from the cloud services they monitor?
❏ A. They require installing agent software on every user device
❏ B. They use cloud providers’ public APIs to collect telemetry and settings without agents
❏ C. They intercept user sessions as an inline proxy to enforce policies
365 Admin Expert Question 31
You are a Microsoft 365 administrator at Evergreen Technologies and after you re enabled directory synchronization several users are unable to sign in. What is the most likely cause of this problem?
❏ A. Directory synchronization was turned off using Azure AD PowerShell
❏ B. User passwords were modified in Microsoft 365
❏ C. The on premises Active Directory regained authority over the user accounts
❏ D. Accounts were deleted from the local Active Directory
365 Admin Expert Question 32
You work as a risk analyst at Northbridge Systems and you are reviewing the internal threat categories covered in a recent compliance briefing. Which of the following items was not defined as an internal risk in that briefing?
❏ A. Insider trading by employees
❏ B. Theft of company intellectual property
❏ C. Employee morale and job satisfaction
❏ D. Unauthorized disclosure of confidential information
365 Admin Expert Question 33
You work as the IT lead for a regional nonprofit called HarborTech and you must apply configuration policies for Microsoft 365 Apps for enterprise to staff computers that are not joined to an Active Directory domain. Which capability should you use?
❏ A. Microsoft 365 Apps Health
❏ B. Servicing Profile
❏ C. Office Customization Tool
❏ D. Office Cloud Policy Service
365 Admin Expert Question 34
As an administrator at NovaTech you need to restore a user’s ability to send email after they were blocked. Which approaches can you use to remove the block?
❏ A. Reset the user password in the tenant identity management console
❏ B. Use Exchange Online PowerShell to clear the block
❏ C. Both of the above methods
❏ D. Remove the account from the “Restricted accounts” section of the organization security portal
365 Admin Expert Question 35
Which Microsoft Entra ID Protection settings will send immediate alerts for high risk accounts and deliver a weekly digest to selected security leads?
❏ A. Enable the “Users at risk detected” alert for low risk accounts and notify all administrators
❏ B. Enable the “Users at risk detected” alert for high risk accounts and configure the weekly digest to selected security leads
❏ C. Rely on the Risky users report in the admin center for manual reviews
365 Admin Expert Question 36
ArborTech is configuring endpoint data loss prevention inside the ArborTech Data Governance portal and the security team needs clarity on how the settings behave across platforms and resources. Which of the following statements about endpoint DLP settings are accurate? (Choose 2)
❏ A. Restricted app groups take precedence over entries in the restricted apps list when both appear in the same rule
❏ B. Network share coverage and exclusion settings extend endpoint DLP policies to file shares and mapped network drives
❏ C. You can configure file path exclusions for both Windows and macOS clients
❏ D. Advanced content classification and enforcement is available only on Windows devices
365 Admin Expert Question 37
As an administrator of a Contoso 365 tenant which administrative role must be assigned to permit creation of guest users in the tenant directory?
❏ A. Compliance Administrator
❏ B. Privileged Role Administrator
❏ C. Global Administrator or a limited Azure AD directory role like Guest Inviter or User Administrator
❏ D. Security Administrator
365 Admin Expert Question 38
You are the IT lead at a growing retail chain named Cedar Row and you need to monitor the Microsoft Secure Score for the organization over time. You have observed a decline during the past four weeks. Which tab should you open to view the score timeline and the actions recorded in that timeframe?
❏ A. Trends and metrics
❏ B. Dashboard overview
❏ C. Cloud Monitoring
❏ D. Score history
365 Admin Expert Question 39
You are the IT lead for Meridian Finance and you need to delegate compliance responsibilities to specific administrators. One team member must monitor regulatory compliance procedures and handle compliance alerts across Microsoft 365 services. Which role should you assign to that team member?
❏ A. Microsoft 365 Migration Administrator
❏ B. Global Administrator
❏ C. Compliance Data Administrator
❏ D. Exchange Administrator
365 Admin Expert Question 40
An email has two retention labels. One label deletes the message after three years and the other preserves the message for eight years before deleting it. Which retention period applies?
❏ A. Removed after three years
❏ B. Retained for eight years then removed
❏ C. Preserved permanently
365 Admin Expert Question 41
You are the chief information security officer at a regional retail chain that is planning to migrate its operations to cloud platforms. What is a core concern you should have about Microsoft 365?
❏ A. How well Microsoft 365 integrates with Google Cloud Identity for unified access control
❏ B. Whether the Microsoft 365 user experience will require extensive retraining for staff
❏ C. How Microsoft 365 defends employee accounts and organizational data against cyber attacks
❏ D. The pricing differences between Microsoft 365 subscription tiers
365 Admin Expert Question 42
Aegis Health Solutions plans to use Microsoft Entra Connect cloud sync to mirror their on premises Active Directory with Microsoft Entra ID and they want to restrict synchronization to employees in specific departments and groups. Which configuration change in the cloud sync setup will best enforce this limitation?
❏ A. Use attribute mappings to filter users by their department attribute
❏ B. Use on demand provisioning to manually pick individual users for synchronization
❏ C. Apply scoping filters that target security groups or organizational units in the on premises Active Directory
❏ D. Enable password hash synchronization across the entire on premises directory
365 Admin Expert Question 43
A regional distributor requires 25 mailboxes for staff and two of the mailboxes will be shared by two employees. Five staff members are field technicians who do not need the desktop Microsoft 365 apps. The administrator purchased 20 Microsoft 365 Business Standard licenses and 5 Microsoft 365 Business Basic licenses to minimize cost. Is this the correct purchase for licensing the users?
❏ A. Buy a reduced set of 23 licenses with 18 Microsoft 365 Business Standard and 5 Microsoft 365 Business Basic
❏ B. Yes the purchased mix of licenses is appropriate
❏ C. No this procurement is not optimal
❏ D. Use Exchange Online Plan 1 for the five field technicians instead of Business Basic
365 Admin Expert Question 44
Aurora Systems uses Microsoft 365 and its policy prohibits sending Social Security Numbers by email. Can you create an Azure Information Protection label and configure its policy from the Azure portal to enforce that restriction?
365 Admin Expert Question 45
Which core element should be secured to establish a Zero Trust control plane?
❏ A. Network firewall rules
❏ B. Digital identities for users services and devices
❏ C. Cloud VPN configurations
365 Admin Expert Question 46
For high availability in its file synchronization service Contoso recommends running how many active Sync agents?
❏ A. Two active Sync agents
❏ B. Four active Sync agents
❏ C. Three active Sync agents
❏ D. One active Sync agent
365 Admin Expert Question 47
A regional firm named Northbridge Solutions uses Microsoft 365 for email collaboration and cloud tools and they plan to roll out Microsoft Intune for device management. All staff currently have Microsoft 365 Business Standard and the organization does not want to upgrade from Standard although they may accept a modest additional cost. Which license would allow them to deploy Microsoft Intune?
❏ A. Microsoft 365 Business Premium
❏ B. Microsoft Intune standalone subscription
❏ C. Microsoft 365 E3 license
❏ D. Enterprise Mobility and Security E3
365 Admin Expert Question 48
In the Everguard compliance dashboard how long can it take for rule matches from the default endpoint DLP policy to appear in the status tile?
❏ A. 1.5 days
❏ B. 3 days
❏ C. 2 days
❏ D. 1 day
365 Admin Expert Question 49
Which statements about role assignments in Contoso’s Entra Privileged Identity Management are accurate? (Choose 3)
❏ A. Active role assignments provide immediate role access without extra steps
❏ B. PIM supports only permanent role assignments
❏ C. Eligible role assignments require activation or a request for approval before use
❏ D. Time limited assignments can be scheduled with specific start and end dates for both eligible and active statuses
365 Admin Expert Question 50
When synchronizing data with a cloud provider how should an integration handle API rate limits and throttling?
❏ A. Use event streaming to avoid polling APIs
❏ B. Batch and pace API calls and stagger large operations over time
❏ C. Ignore limits and retry on throttled responses
365 Administrator Expert Exam Answers
365 Admin Expert Question 1
Fill in the missing word. To protect data in Acme Cloud Workspace from accidental deletion, cyber threats and other forms of data loss, administrators should implement a comprehensive __ strategy.
The correct option is Backup.
A comprehensive Backup strategy provides separate, restorable copies of data so administrators can recover from accidental deletion, corruption, or ransomware. Backups enable point in time restores and can be stored in separate locations or systems so recovery is possible even when the primary environment is compromised.
Retention and legal hold policy preserves data for compliance and can prevent intentional deletion, but it does not create recoverable copies or provide point in time restores for operational recovery.
Cloud Storage snapshot policies suggests point in time copies for certain storage types, but snapshots are usually limited to particular resources and do not replace a full backup program that includes offsite retention and recovery planning.
Encryption at rest protects the confidentiality of stored data, but it does not prevent deletion or corruption and it does not provide a mechanism to restore lost or compromised data.
Cameron’s MS-102 Certification Exam Tip
When a question asks about protecting data from accidental deletion or ransomware focus on recoverability and think backup as the operational solution rather than only retention rules or encryption.
365 Admin Expert Question 2
At Meridian Tech when a Microsoft Teams data loss prevention rule prevents external sharing of confidential content what happens to messages that contain that sensitive information and are sent to external recipients within 30 seconds?
✓ C. automatically deleted from the thread
The correct option is automatically deleted from the thread.
When a Microsoft Teams data loss prevention rule prevents external sharing of confidential content the enforcement removes the offending messages from the conversation so that the sensitive content is no longer accessible in the thread. This removal happens within the short evaluation window so messages sent to external recipients are deleted rather than left visible.
Microsoft Purview DLP for Teams scans messages and applies the configured enforcement action in real time and in this scenario the configured action is removal so the messages are deleted from the thread.
quarantined for compliance review is incorrect because Teams chat messages are not moved to a quarantine folder in the same way that some email threats are handled. Quarantine workflows apply to other service areas and are not the typical Teams DLP outcome.
redacted and delivered with placeholders is incorrect because Teams does not typically replace sensitive chat content with placeholders for external recipients. Redaction is not the standard enforcement for Teams chat messages.
blocked and not delivered to external recipients is incorrect because blocking would prevent delivery but the described behavior is that the message is removed from the thread after detection. The exam scenario expects the deletion behavior rather than simple blocking.
365 Admin Expert Question 3
A regional retailer named Meridian Retail runs an on premises Active Directory domain and has an AD FS farm with two AD FS servers on the internal network and two Web Application Proxy servers in the DMZ. The team configures hybrid identity with an Entra ID tenant and deploys a custom Microsoft Entra Connect setup that uses one active Entra Connect server and one server in staging mode. The requirement is to track sign in activity including the count and kinds of authentications and the count and kinds of authentication failures. The administrators install the Microsoft Entra Connect Health agent for AD FS on the AD FS servers and on the WAP servers. Does this configuration provide the required authentication activity and failure telemetry?
The correct option is No.
This configuration does not provide the required authentication activity and failure telemetry. The Microsoft Entra Connect Health agent for AD FS monitors service health, performance counters, and configuration issues and it generates alerts, but it does not produce aggregated counts and kinds of authentications or the detailed authentication failure counts that the requirement asks for.
To capture counts and types of authentications and failures you must collect Entra ID sign in logs for cloud authentication events and you must also collect AD FS audit and debug events from the on premises AD FS servers and the Web Application Proxy layer. Those logs need to be forwarded to Log Analytics or a SIEM and you must enable the appropriate diagnostic settings to get the detailed telemetry.
Enable Entra ID sign in logs and forward them to Log Analytics is not sufficient by itself. Entra ID sign in logs provide detailed cloud authentication events but they do not include the AD FS internal events and WAP layer failures needed for a complete view of on premises federation activity.
Yes installing the Entra Connect Health agent on AD FS and WAP is sufficient is incorrect because the Connect Health agent focuses on health and performance and does not emit the kinds of authentication and failure counts requested. The agent helps troubleshoot AD FS performance and configuration but it does not replace sign in logs or AD FS audit logging for authentication metrics.
Deploy Microsoft Sentinel and ingest AD FS and Entra ID telemetry is not the selected answer to the question as presented, but it is a valid remediation. If you deploy Sentinel and ingest both Entra ID sign in logs and AD FS events into Log Analytics you can build reports that show counts and kinds of authentications and failures. The option is marked incorrect for the prompt because the question asked whether the current agent installation already provides the required telemetry.
Cameron’s MS-102 Certification Exam Tip
When you must decide if an existing deployment meets a logging requirement first list what each component actually collects and then map those items to the required telemetry. Entra Connect Health provides health metrics and alerts not detailed sign in or authentication failure counts.
365 Admin Expert Question 4
The security operations unit at Northwind Logistics is overwhelmed by a continuous stream of security alerts. Which capability in Microsoft 365 Defender can automate the investigation and remediation of those alerts?
✓ B. Automated investigation and remediation
Automated investigation and remediation is the correct option.
This capability in Microsoft 365 Defender automatically investigates alerts by collecting related signals and applying built in investigation logic to determine the scope and cause of an incident. It can then apply automated remediation actions to contain threats and reduce the manual effort required by the security operations team.
Microsoft Intelligent Security Graph is incorrect because it is a set of threat intelligence and APIs that surface signals across Microsoft services rather than the specific automation feature that runs investigations and remediations.
Microsoft Defender for Endpoint is incorrect because it is a product that provides endpoint protection and telemetry. The question asks for the capability that automates investigation and remediation across alerts and products which is the automated investigation and remediation feature within Microsoft 365 Defender.
Security Action Center is incorrect because that name does not refer to the automated investigation and remediation capability. It sounds like a console or summary view and it is not the feature that performs automated investigations and remediation.
Cameron’s MS-102 Certification Exam Tip
When a question asks about a capability look for an answer that describes an automatic action or workflow rather than a product name. Focus on terms like automated investigation or remediation when alerts need to be handled with minimal manual work.
365 Admin Expert Question 5
A user has not configured alternate contact methods for self service password reset. What should they do next?
✓ B. Ask the Microsoft 365 administrator to reset the account password
The correct answer is Ask the Microsoft 365 administrator to reset the account password.
This is correct because self service password reset requires alternate contact methods to be registered and if the user has not configured those methods they cannot use the automated reset flow. The administrator can reset