Microsoft 365 Administration Expert Questions and Answers

MS-102 Exam Question 1

A regional nonprofit named Summit Systems is planning to use its example.com domain for email and user identities in a Microsoft 365 tenant. Which tasks are commonly required when you set up and maintain domains for that tenant? (Choose 3)

  • ✓ A. Confirm ownership of the custom domain

  • ✓ B. Register the organization’s custom domain with the tenant

  • ✓ C. Configure DNS records for the domain

The correct options are Register the organization’s custom domain with the tenant, Confirm ownership of the custom domain, and Configure DNS records for the domain.

Register the organization’s custom domain with the tenant means you add example.com to the Microsoft 365 tenant so the service can issue user identities and mailboxes under that name. This registration makes the domain available in the Microsoft 365 admin center and is the initial step before verification and DNS changes.

Confirm ownership of the custom domain is required because Microsoft needs proof that you control the domain. Verification is commonly done by adding a TXT or MX record at the domain registrar and then completing the verification process in the tenant.

Configure DNS records for the domain is necessary to route email and to enable cloud services. You add MX records for mail delivery and TXT records for SPF, and you often add CNAME and SRV records for autodiscover and other service features. You may also configure DKIM and DMARC to improve email security and deliverability.

Attempt to delete the tenant’s default .onmicrosoft.com domain is incorrect because the default onmicrosoft.com domain is created with the tenant and cannot simply be removed during normal setup. You do not delete the default domain as part of adding and maintaining a custom domain and it can only be removed under restricted conditions when it is not in use.

Cameron’s Microsoft 365 Certification Exam Tip

When answering these questions remember that adding a domain, verifying ownership, and updating DNS are separate steps. Verify ownership first and then publish the required MX and TXT records to make email and identities work.
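The record types named in this answer can be audited mechanically once they are published. The Python sketch below is an added example, not part of the original question bank: both zones are constructed for example.com, the `MS=` token and the onmicrosoft.com DKIM target are placeholders, and the Microsoft 365 host names are the commonly documented values, which should be confirmed against the records your own tenant's admin center lists.

```python
"""Audit published DNS records against the Microsoft 365 domain setup steps.

Added example: both zones are constructed sample data, not live DNS output.
"""

EOP_MX_SUFFIX = ".mail.protection.outlook.com"  # commonly documented MX target
SPF_INCLUDE = "include:spf.protection.outlook.com"
DKIM_SELECTORS = ("selector1", "selector2")     # Microsoft 365 DKIM CNAME names

# Constructed records for example.com as (name, type, value) tuples.
INITIAL_ZONE = [
    ("example.com", "TXT", "MS=ms00000000"),    # placeholder ownership token
    ("example.com", "MX", "0 example-com.mail.protection.outlook.com."),
    ("example.com", "TXT", "v=spf1 include:spf.protection.outlook.com -all"),
    ("autodiscover.example.com", "CNAME", "autodiscover.outlook.com."),
    ("_dmarc.example.com", "TXT", "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
]

# Same zone after DKIM is published and DMARC is moved to enforcement.
# The onmicrosoft.com target is a constructed placeholder.
HARDENED_ZONE = INITIAL_ZONE[:4] + [
    ("selector1._domainkey.example.com", "CNAME",
     "selector1-example-com._domainkey.contoso.onmicrosoft.com."),
    ("selector2._domainkey.example.com", "CNAME",
     "selector2-example-com._domainkey.contoso.onmicrosoft.com."),
    ("_dmarc.example.com", "TXT", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
]


def lookup(zone, name, rtype):
    """Return every value published for a name and record type."""
    want = name.lower().rstrip(".")
    return [value for n, t, value in zone
            if n.lower().rstrip(".") == want and t.upper() == rtype]


def dmarc_tags(record):
    """Split a 'v=DMARC1; p=...' record into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def audit(zone, domain):
    """Return a sorted list of finding codes; an empty list means no gaps."""
    findings = set()
    txt = lookup(zone, domain, "TXT")

    # Ownership: the tenant verifies control through a TXT (or MX) record.
    if not any(v.startswith("MS=") for v in txt):
        findings.add("OWNERSHIP_TXT_MISSING")

    # Mail routing: at least one MX must point at Exchange Online Protection.
    mx_hosts = [v.split()[-1].rstrip(".").lower()
                for v in lookup(zone, domain, "MX") if v.split()]
    if not mx_hosts:
        findings.add("MX_MISSING")
    elif not any(h.endswith(EOP_MX_SUFFIX) for h in mx_hosts):
        findings.add("MX_NOT_MICROSOFT_365")

    # SPF: exactly one record, authorising Microsoft 365, ending in a fail policy.
    spf = [v for v in txt if v.lower().startswith("v=spf1")]
    if not spf:
        findings.add("SPF_MISSING")
    elif len(spf) > 1:
        findings.add("SPF_MULTIPLE_RECORDS")  # receivers treat this as an error
    else:
        terms = spf[0].lower().split()
        if SPF_INCLUDE not in terms:
            findings.add("SPF_NO_MICROSOFT_365_INCLUDE")
        if terms[-1] not in ("-all", "~all"):
            findings.add("SPF_PERMISSIVE_ALL")

    # Autodiscover CNAME used by mail clients to locate the service.
    if not lookup(zone, "autodiscover." + domain, "CNAME"):
        findings.add("AUTODISCOVER_MISSING")

    # DKIM: Microsoft 365 publishes its two selectors as CNAME records.
    for selector in DKIM_SELECTORS:
        if not lookup(zone, f"{selector}._domainkey.{domain}", "CNAME"):
            findings.add("DKIM_SELECTOR_MISSING")

    # DMARC: a record must exist and enforce quarantine or reject.
    dmarc = [v for v in lookup(zone, "_dmarc." + domain, "TXT")
             if v.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.add("DMARC_MISSING")
    elif dmarc_tags(dmarc[0]).get("p") not in ("quarantine", "reject"):
        findings.add("DMARC_NOT_ENFORCING")

    return sorted(findings)


if __name__ == "__main__":
    print("initial :", audit(INITIAL_ZONE, "example.com"))
    print("hardened:", audit(HARDENED_ZONE, "example.com"))
```

The initial zone is enough for mail and identities to work, yet the audit still reports the missing DKIM selectors and the monitor-only DMARC policy, which are the email security items the answer calls optional.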

MS-102 Exam Question 2

Maya the systems administrator at Greenfield Solutions must implement Data Loss Prevention policies for Microsoft Teams to stop sensitive data from being shared with people outside the organization in chats and channels. Which statement about Teams DLP is accurate?

  • ✓ D. Protecting files shared in Teams depends on including SharePoint and OneDrive in the DLP scope

Protecting files shared in Teams depends on including SharePoint and OneDrive in the DLP scope is correct.

This is correct because files that are shared in Teams channels are stored in SharePoint and files that are shared in private or one-to-one chats are stored in OneDrive, so a DLP policy must include those locations to detect and protect files that are shared through Teams.

DLP can block sensitive data sent to guest accounts but cannot stop sharing with users in federated external tenants is incorrect because Teams DLP can be configured to detect and restrict sharing to external recipients and guests when the policy conditions are met, and Microsoft continuously expands controls for external and federated scenarios.

Teams DLP only governs messages in public channels and does not cover private one to one chats is incorrect because Teams DLP can cover channel messages and private chats when the appropriate Microsoft 365 locations and chat monitoring options are enabled, so private one to one chats are not categorically excluded.

DLP rules can only be targeted at individual user accounts and not at Microsoft 365 groups or security groups is incorrect because DLP policies can be scoped using various targeting options including groups and site locations, and they are not limited to individual user accounts.

Cameron’s Microsoft 365 Certification Exam Tip

When a question is about protecting files shared in Teams remember that channel files live in SharePoint and private chat files live in OneDrive, so include those locations in your DLP policy scope.

MS-102 Exam Question 3

Which statements about Contoso Secure Score accurately describe how it measures and reports an organization’s security posture? (Choose 2)

  • ✓ C. Contoso Secure Score measures an enterprise security posture and is available in the Contoso Defender dashboard

  • ✓ D. The score is organized into categories like Authentication, Endpoints, Applications and Information and each category affects the total score

The correct options are Contoso Secure Score measures an enterprise security posture and is available in the Contoso Defender dashboard and The score is organized into categories like Authentication, Endpoints, Applications and Information and each category affects the total score.

The first statement is correct because Contoso Secure Score is designed to give an enterprise level view of security posture and it is surfaced in the Defender dashboard where you can review the overall score, trends, and prioritized recommendations to improve security.

The second statement is correct because the score is structured into distinct categories such as Authentication, Endpoints, Applications and Information and each category contains controls or recommendations that contribute to the aggregate score when they are implemented.

The “Potential score” indicates the value attainable only after buying capabilities that are not part of current subscriptions is incorrect because the potential score represents the maximum achievable score if you implement all recommended improvements. Some improvements are configuration changes and do not require purchasing new capabilities. The potential score is a target for controls rather than a statement about licensing costs.

Completed recommended actions immediately change the reported secure score is incorrect because score updates are not always instantaneous. The platform must validate and process telemetry and configuration changes and there can be delays before completed actions are reflected in the reported score.

Cameron’s Microsoft 365 Certification Exam Tip

When a question mentions secure score focus on whether it is describing the dashboard or the scoring structure and remember that the potential score is an achievable target and that updates can have a short delay.

MS-102 Exam Question 4

Which filters can administrators use to search the Contoso Cloud Defender activity log entries? (Choose 3)

  • ✓ A. Registered ISP

  • ✓ C. User agent tag

  • ✓ D. Device type

Registered ISP, User agent tag, and Device type are correct.

The activity log stores network and client metadata so administrators can filter entries by Registered ISP to focus on traffic from a particular internet provider. The log also captures the client user agent string so filtering by User agent tag helps find actions from specific browsers or applications. Device information is included as well so filtering by Device type lets investigators narrow results to mobile, desktop, or managed devices.

Weather conditions is incorrect because activity logs do not record environmental or atmospheric information and you cannot filter audit or activity records by weather when you investigate user or device behavior.

Cameron’s Microsoft 365 Certification Exam Tip

When a question asks about log filters think about what metadata the service collects such as IP related fields, user agent, and device attributes and rule out options about external context like weather which is not part of activity logs.

MS-102 Exam Question 5

Which statements accurately describe how Contoso 365 Backup is configured and managed? (Choose 2)

  • ✓ B. Backup rules can be defined separately for CloudDrive, TeamSites, and Mail services

  • ✓ D. The system maintains immutable recovery copies inside the service trust boundary so data remains within its geographic residency

The correct answers are Backup rules can be defined separately for CloudDrive, TeamSites, and Mail services and The system maintains immutable recovery copies inside the service trust boundary so data remains within its geographic residency.

Backup rules can be defined separately for CloudDrive, TeamSites, and Mail services is correct because backup solutions for collaboration suites normally let administrators create distinct policies for file storage, team or site content, and mailboxes so each service can have its own retention, schedule, and scope. This separation maps to how OneDrive style personal drives, SharePoint team sites, and Exchange mailboxes require different protection settings and restore workflows.

The system maintains immutable recovery copies inside the service trust boundary so data remains within its geographic residency is correct because immutability prevents modification or deletion of recovery copies and keeping those copies inside the provider trust boundary ensures they stay in the declared geographic region for compliance. Immutable copies are a common way to meet regulatory and retention requirements while preventing accidental or malicious tampering.

End users can enable backups for their own personal accounts and mailboxes is incorrect because backup enablement and policy assignment is typically performed by administrators and not left to individual end users. Allowing each user to opt in would make centralized retention, compliance, and restoration far harder to enforce.

The backup service uses consumption based billing and requires an active Azure subscription for pay as you go charges is incorrect because SaaS backup offerings often bill directly through the vendor on a subscription or usage basis and do not require the customer to maintain an Azure subscription. Billing models vary, but requiring an Azure pay as you go account is not a universal or necessary condition for SaaS backup configuration.

Cameron’s Microsoft 365 Certification Exam Tip

When answering, look for language that indicates administrative control and physical or logical storage location. Pay attention to whether the item refers to user self service or to centralized policy and whether copies are described as immutable or managed within a provider boundary. Those clues often point to the correct choice.

MS-102 Exam Question 6

Can Microsoft Entra Connect synchronize on premises forests or domains that use dotted NetBIOS names?

The correct option is False.

Microsoft Entra Connect does not support synchronizing on premises forests or domains that use dotted NetBIOS names. Dotted NetBIOS names are treated as invalid for the connector because they conflict with the expected distinction between NetBIOS and DNS naming and cause problems with how the synchronization service maps and references domains.

Because of this naming restriction, you must use non-dotted NetBIOS names or rely on alternate approaches such as ensuring users have UPN suffixes that match verified Azure AD domains, or renaming the domain, which is an intrusive operation. The product enforces the limitation during configuration, and synchronization attempts will not succeed with dotted NetBIOS names.

True is incorrect because it asserts that Entra Connect can synchronize domains that use dotted NetBIOS names. That claim contradicts the documented naming limitations and practical behavior of the synchronization product.

Cameron’s Microsoft 365 Certification Exam Tip

When a question mentions name formats pay attention to wording about dotted NetBIOS names and recall that Azure AD Connect has specific naming requirements that commonly make such names unsupported.

MS-102 Exam Question 7

You are the compliance lead at a mid-size payments firm called NovaPay and you are preparing to implement sensitivity labels across the enterprise. What deployment strategy should you use when rolling out sensitivity labels?

  • ✓ D. Roll out sensitivity labels gradually in phased stages across the organization

The correct option is Roll out sensitivity labels gradually in phased stages across the organization.

A phased rollout lets you pilot labels with a small set of users and business units and collect feedback before broader deployment. It allows you to refine label names and policies and to validate how labels interact with different applications and business processes. Rolling out gradually also reduces operational risk and gives you time to provide training and support to affected teams.

Use Azure Information Protection to classify and protect content is not the best choice because Azure Information Protection has been largely superseded by Microsoft Purview sensitivity labels and modern label management happens in the Purview compliance portal. The older AIP tooling may still exist for some legacy scenarios but it is less likely to be the recommended approach on current exams.

Apply all sensitivity labels across the entire organization at once is incorrect because deploying labels to everyone at once prevents testing and will likely cause widespread disruption and inconsistent labeling. A one step global deployment does not allow you to iterate on taxonomy or policy settings based on real world feedback.

Assign sensitivity labels only to the highest priority business units is incorrect because that approach leaves parts of the organization unprotected and it does not validate how labels perform across diverse workflows. A proper phased rollout includes representative pilots across different teams and systems so you can address issues before expanding.

MS-102 Exam Question 8

Your security team must examine suspected spoofed emails that originated from both internal and external senders over the last ten days. Which feature in Exchange Online Protection lets you review messages identified as spoofed from that timeframe?

  • ✓ D. Spoof intelligence insights

The correct option is Spoof intelligence insights.

Spoof intelligence insights provides a dedicated view in Exchange Online Protection and the Microsoft 365 security center that lists messages identified as spoofed and lets security teams review senders and take actions for messages from both internal and external senders. It surfaces aggregated spoofing activity and allows filtering by time so you can inspect messages from the past ten days and perform remediation.

Anti phishing policies are policy settings that help detect and block impersonation and phishing attempts but they do not provide a focused report that lists messages flagged as spoofed for retrospective review across a specific timeframe.

Tenant Allow and Block List is used to allow or block senders and domains at the tenant level and it does not present an investigation interface for browsing messages identified as spoofed.

Threat Explorer is a threat investigation tool for analyzing attacks and campaigns and it is not the feature that provides the targeted spoofing review view named Spoof intelligence insights.

Cameron’s Microsoft 365 Certification Exam Tip

When a question asks about reviewing or investigating past messages look for tools that explicitly mention intelligence or review and remember that policies control future handling while intelligence views provide retrospective investigation.

MS-102 Exam Question 9

A contractor says they cannot open an Excel workbook that a staff member shared when trying to use the Excel desktop application. What administrative action will you take to enable the external collaborator to open the workbook in the desktop app?

  • ✓ C. Invite the external collaborator to the directory as a guest user

The correct answer is Invite the external collaborator to the directory as a guest user.

Inviting the collaborator as a guest creates an account in your Azure Active Directory so the external user can authenticate and access the workbook stored in OneDrive or SharePoint. The Excel desktop app requires the user to sign in when opening files that live in those shared locations if you want coauthoring and full edit functionality.

After the guest invitation is accepted you can assign the same file permissions to that guest and they will be able to open the workbook in the Excel desktop application just like an internal user. Guest accounts also allow your organization to apply access controls and conditional access policies to the external collaborator.

Send a copy of the workbook to the external collaborator is incorrect because sending a copy gives the person a standalone file that does not allow coauthoring on the original shared workbook and it does not create an authenticated identity for accessing the original location.

Add the external person to the email contacts list is incorrect because adding someone to contacts does not create an identity in your directory and does not grant any authenticated access to files stored in OneDrive or SharePoint.

Grant the external person full permissions on the original file is incorrect on its own because permissions must be granted to a recognized identity. If the external user is not a guest in the directory they cannot authenticate to exercise those permissions, so you must first invite them as a guest.

Cameron’s Microsoft 365 Certification Exam Tip

When a question mentions opening shared Office files in the desktop apps think about authentication and whether the external user has an identity in your directory. Inviting them as a guest in Azure AD is often required for desktop app access and coauthoring.

MS-102 Exam Question 10

Leah is the Lead Microsoft Administrator for arcadialearning.example.com and she needs to evaluate how staff are using Microsoft 365 tools. She wants to monitor adoption trends and identify where targeted training could increase productivity. The organization is concerned about employee collaboration and the reliability of its cloud services. The team requires a unified view of user engagement across Microsoft 365 applications and actionable insights that can inform adoption programs. The solution must also include benchmarking against similar organizations. What solution best meets these requirements?

  • ✓ D. Microsoft 365 Adoption Score

The correct option is Microsoft 365 Adoption Score.

Microsoft 365 Adoption Score provides a unified, organization level view of user engagement across Microsoft 365 apps and it surfaces adoption trends and actionable recommendations to drive training programs. Microsoft 365 Adoption Score includes benchmarking against similar organizations and it highlights collaboration and service reliability signals so administrators can prioritize interventions where they will improve productivity.

Microsoft 365 Usage Analytics in Power BI can show detailed usage data and custom dashboards but it does not deliver the built in adoption scoring, prescriptive recommendations, or external benchmarking that Adoption Score provides out of the box.

Microsoft Viva Insights focuses on employee wellbeing and personal or manager level productivity insights and it is not designed to provide an enterprise adoption score with peer benchmarking and specific adoption actions for targeted training.

Microsoft Graph API with custom Power BI reports can be used to build custom telemetry and reports but it requires substantial development and external benchmarking data to match the turnkey adoption scoring and recommended actions that Microsoft 365 Adoption Score delivers.

Cameron’s Microsoft 365 Certification Exam Tip

When a question asks for organization wide adoption metrics and benchmarking look for solutions that offer built in scores and actionable recommendations rather than raw telemetry or individual level insights.

MS-102 Exam Question 11

In Contoso 365 what information does the Data classification page in the Contoso Compliance Center show?

  • ✓ C. All of the above data combined on the Data classification page

The correct option is All of the above data combined on the Data classification page.

The Data classification page in the Compliance Center aggregates multiple classification metrics and presents them together for an overview of your tenant. It displays counts of items by sensitive information type and the names of those types. It also shows the top applied sensitivity labels across Microsoft 365 and Azure Information Protection and it summarizes which retention labels are applied most frequently. For these reasons All of the above data combined on the Data classification page is the right choice.

A summary of which retention labels are applied most frequently is incorrect by itself because that information is only one part of the Data classification page rather than the entire set of data shown.

Counts of items by sensitive information type and the names of those types is also incorrect by itself because the page includes those counts in addition to label and retention summaries instead of showing only that data.

The top applied sensitivity labels across Contoso 365 and Azure Information Protection is likewise incomplete as a standalone answer because it represents only one of the metrics displayed. Note that references to Azure Information Protection can point to older labeling components that have been unified into the Microsoft Purview compliance experience, so similar exam items may use slightly different wording on newer exams.

MS-102 Exam Question 12

Northfield Financial uses Microsoft 365 with Microsoft Defender for Office 365 and needs a single global control to prevent users from opening or downloading malicious files across email, SharePoint, OneDrive, and Teams. Which feature should they enable to achieve that protection?

  • ✓ D. Safe Attachments scanning

Safe Attachments scanning is the correct choice because it provides a single global control that inspects files and prevents users from opening or downloading malicious files across email, SharePoint, OneDrive, and Teams.

Safe Attachments scanning uses sandbox detonation and content inspection to analyze attachments and files before they are delivered or made available to users. If a file is identified as malicious, the service can block access or replace the file, and this protection can be applied centrally from Microsoft Defender for Office 365 for email and the cloud storage services named in the question.

Office 365 anti-phishing policy is not correct because anti phishing policies are designed to detect and stop phishing messages and malicious senders rather than to scan and block malicious file attachments and downloads.

Data loss prevention rules are not correct because DLP focuses on preventing accidental or intentional leakage of sensitive information and does not perform sandboxing or malware detonation to stop malicious files from being opened or downloaded.

Safe Links protection is not correct because Safe Links rewrites and scans URLs to protect users from malicious links and it does not provide the file detonation and blocking controls that Safe Attachments scanning provides.

Cameron’s Microsoft 365 Certification Exam Tip

When a question asks about blocking malicious files across email and cloud storage look for features that mention attachments or sandboxing. That usually points to Safe Attachments rather than URL protection or data loss rules.

MS-102 Exam Question 13

Fill in the missing term. An organization using Microsoft Entra can enable and manage multifactor authentication through which type of policies that allow administrators to require MFA for selected users, groups and sign in events?

  • ✓ B. Conditional Access policies

Conditional Access policies is the correct answer.

Conditional Access policies let administrators build granular rules that target particular users and groups and that evaluate sign in signals such as location, device state, and risk. These policies provide access controls that can require multifactor authentication when the specified conditions are met, so administrators can require MFA for selected users, groups, and for specific sign in events.

Authentication methods policy is incorrect because it is used to configure which authentication methods are available and how users register those methods rather than to apply conditional rules that require MFA for selected users or sign in conditions.

Security defaults is incorrect because it provides a basic baseline of protections and can enable MFA for privileged tasks, but it does not support the fine grained targeting of specific users, groups, and sign in scenarios that Conditional Access policies allow.

Azure AD Identity Protection is incorrect because it focuses on detecting risky sign ins and compromised accounts and on triggering risk based remediation such as requiring MFA for risky events, but it is not the primary policy engine for broadly requiring MFA for selected users and arbitrary sign in conditions in the way that Conditional Access policies are.
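A reduced model of how such a policy is matched against a sign-in, as an added Python example that is not part of the original question bank. The policy dictionaries follow the shape of the Microsoft Graph `conditionalAccessPolicy` resource; the object IDs, the sign-in records and the helper functions are constructed for illustration, and the matching logic is a simplification of the real engine.

```python
"""Simplified Conditional Access matching (added example, constructed data)."""

# Policy 1: enforced, scoped to a group, skipped at trusted locations.
FINANCE_MFA = {
    "displayName": "Require MFA for finance outside trusted locations",
    "state": "enabled",
    "conditions": {
        "users": {"includeGroups": ["grp-finance"],      # placeholder object IDs
                  "excludeUsers": ["usr-breakglass"]},    # emergency access account
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"],
                      "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Policy 2: report-only, scoped to every user, triggered by sign-in risk.
RISKY_SIGNIN_MFA = {
    "displayName": "Require MFA for medium and high risk sign-ins",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": ["usr-breakglass"]},
        "applications": {"includeApplications": ["All"]},
        "signInRiskLevels": ["medium", "high"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

POLICIES = [FINANCE_MFA, RISKY_SIGNIN_MFA]


def user_in_scope(users, sign_in):
    """Exclusions are checked first, so they win over any inclusion."""
    groups = set(sign_in["groups"])
    if sign_in["user"] in users.get("excludeUsers", []):
        return False
    if groups & set(users.get("excludeGroups", [])):
        return False
    included = users.get("includeUsers", [])
    return ("All" in included or sign_in["user"] in included
            or bool(groups & set(users.get("includeGroups", []))))


def location_in_scope(locations, sign_in):
    """An unconfigured location condition matches every sign-in."""
    if not locations:
        return True
    excluded = locations.get("excludeLocations", [])
    if sign_in["location"] in excluded:
        return False
    if "AllTrusted" in excluded and sign_in["trusted"]:
        return False
    included = locations.get("includeLocations", [])
    return ("All" in included or sign_in["location"] in included
            or ("AllTrusted" in included and sign_in["trusted"]))


def policy_applies(policy, sign_in):
    """True when every configured condition matches the sign-in."""
    cond = policy["conditions"]
    if not user_in_scope(cond["users"], sign_in):
        return False
    if not location_in_scope(cond.get("locations"), sign_in):
        return False
    risk_levels = cond.get("signInRiskLevels", [])
    if risk_levels and sign_in["risk"] not in risk_levels:
        return False
    apps = cond["applications"]["includeApplications"]
    return "All" in apps or sign_in["app"] in apps


def mfa_required(policies, sign_in):
    """True when an enforced, applicable policy lists the mfa grant control."""
    return any(p["state"] == "enabled"
               and "mfa" in p["grantControls"]["builtInControls"]
               and policy_applies(p, sign_in) for p in policies)


def report_only_hits(policies, sign_in):
    """Names of report-only policies that would have applied to the sign-in."""
    return [p["displayName"] for p in policies
            if p["state"] == "enabledForReportingButNotEnforced"
            and policy_applies(p, sign_in)]


# Constructed sign-in: finance user, unknown network, no risk detected.
ALICE_REMOTE = {"user": "usr-alice", "groups": ["grp-finance"], "location": None,
                "trusted": False, "risk": "none", "app": "app-sharepoint"}

if __name__ == "__main__":
    print(mfa_required(POLICIES, ALICE_REMOTE))
```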

MS-102 Exam Question 14

To proactively monitor and receive immediate updates about the status of Contoso 365 services, which dashboard should administrators check regularly in the Contoso 365 admin portal?

  • ✓ C. Service health dashboard

The correct answer is Service health dashboard.

The Service health dashboard in the Microsoft 365 admin portal displays current incidents, service advisories, status details, and historical health information so administrators can monitor availability and receive immediate updates and alerts for Contoso 365 services.

The dashboard lets admins view active incidents, track remediation timelines, and subscribe to notifications so they get proactive, real time information about service problems and recoveries.

Message center is focused on communications about upcoming changes and feature rollouts rather than on real time service incident status and alerts.

Azure Service Health monitors Azure platform services and subscription level events and it does not report on Microsoft 365 tenant service health for Contoso 365.

Health and usage reports provide usage metrics and adoption insights and they are not designed to deliver immediate incident alerts or live service status information.

Cameron’s Microsoft 365 Certification Exam Tip

When a question asks about immediate updates or real time status look for the tool that shows active incidents and allows subscriptions to alerts rather than tools that focus on communications or usage reporting.

MS-102 Exam Question 15

When creating sensitive information types for Contoso 365 which of the following is not commonly used to define those types?

File size limits is the correct answer because sensitive information types are defined by the content patterns and contextual signals rather than by the size of a file.

Sensitive information types rely on pattern matching and contextual rules and they commonly use constructs such as Regular expressions, Keyword lists, and Confidence levels to identify data. A size threshold does not describe the data pattern itself so File size limits is not a typical criterion for defining a sensitive information type.

Confidence levels are used to indicate how strongly a detection matches a sensitive type and they let administrators tune thresholds to reduce false positives. That makes this option a commonly used element and not the correct choice in this question.

Regular expressions provide precise pattern matching for structured data such as credit card numbers and social security numbers. They are a primary method to define sensitive information types so this option is not correct.

Keyword lists let you match specific words or phrases that indicate sensitive content and they are commonly used for phrase based detections. That is why this option is not the correct answer.

Cameron’s Microsoft 365 Certification Exam Tip

When answering these questions focus on how data is identified rather than on file metadata. Look for choices that describe patterns, keywords, or confidence thresholds when thinking about sensitive information types.
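How the three building blocks combine, as an added Python example that is not part of the original question bank: a regular expression finds candidate card numbers, a checksum rejects random digit runs, and a keyword list plus an expiry-date pattern act as supporting evidence that raises the confidence level. The keyword list, the 300-character proximity window, the confidence values (65, 75, 85) and the tiering rule are assumptions chosen for illustration, and the sample texts are constructed around publicly documented test card numbers.

```python
"""Pattern, keyword and confidence-level matching (added example)."""
import re

# Primary element: 16 digits, optionally grouped in fours by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
# Supporting elements: a keyword list and an expiry-date pattern (both assumed).
KEYWORD_RE = re.compile(r"\b(?:credit card|card number|visa|mastercard|cvv)\b", re.I)
EXPIRY_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/\d{2}\b")

PROXIMITY = 300                  # characters inspected on each side of a match
LOW, MEDIUM, HIGH = 65, 75, 85   # confidence for 0, 1 or 2 supporting elements

# Constructed sample texts.
SAMPLES = {
    "high": "Please charge my Visa credit card 4111 1111 1111 1111, expiry 09/27.",
    "medium": "Customer read out card number 5555-5555-5555-4444 over the phone.",
    "low": "Tracking reference 5555555555554444 shipped on Monday.",
    "none": "Card number 1234 5678 9012 3456 is only a sample layout.",
}


def luhn_valid(digits):
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        value = int(char)
        if index % 2 == 1:       # double every second digit from the right
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def detect(text):
    """Return (masked_number, confidence) for each checksum-valid candidate."""
    results = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if not luhn_valid(digits):
            continue             # right shape, wrong checksum: not a card number
        # Look for supporting evidence around the match, not inside it.
        before = text[max(0, match.start() - PROXIMITY):match.start()]
        after = text[match.end():match.end() + PROXIMITY]
        window = before + " " + after
        support = bool(KEYWORD_RE.search(window)) + bool(EXPIRY_RE.search(window))
        confidence = (LOW, MEDIUM, HIGH)[support]
        results.append(("*" * 12 + digits[-4:], confidence))
    return results


def detect_at(text, minimum):
    """Keep only matches at or above the confidence a policy rule asks for."""
    return [hit for hit in detect(text) if hit[1] >= minimum]


if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, detect(sample))
```

Raising the threshold passed to `detect_at` is what drops the tracking-reference match, which is how a confidence level is used to reduce false positives.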

MS-102 Exam Question 16

A regional credit union wants to continuously evaluate the security posture of its corporate endpoints and receive an overall measure of their resilience against attacks. Which Microsoft Defender for Endpoint capability should be used?

  • ✓ B. Microsoft Secure Score for Devices

Microsoft Secure Score for Devices is correct because it gives a continuous, consolidated measure of device resilience and provides an overall security posture for corporate endpoints.

Microsoft Secure Score for Devices continuously evaluates endpoint telemetry and configuration settings and then calculates a score that represents how well devices are protected against attacks. It highlights recommended improvements and lets administrators track progress over time, which matches the credit union requirement for continuous evaluation and an overall resilience measure.

Threat and Vulnerability Management is focused on discovering, assessing, and prioritizing vulnerabilities and misconfigurations on individual endpoints and it supports remediation rather than providing a single overall resilience score.

Cloud-Delivered Protection provides cloud based, real time detection and blocking of threats on endpoints and it is not intended to produce an aggregate security posture score for the environment.

Microsoft Threat Experts is a managed threat hunting and advisory service that offers human expertise and investigations and it does not calculate or report a device secure score.

Cameron’s Microsoft 365 Certification Exam Tip

When a question asks for an overall or continuous measure of endpoint resilience look for features that provide an aggregated score or posture assessment rather than services aimed at detection or managed hunting.

MS-102 Exam Question 17

The IT team at Northbridge recently enabled Fabrikam AD Connect Health to monitor their on-site identity systems. Which capability does Fabrikam AD Connect Health for Sync not provide?

  • ✓ C. Automatic scheduled backups of Azure Active Directory data

The correct option is Automatic scheduled backups of Azure Active Directory data.

Azure AD Connect Health for Sync is a monitoring and diagnostics service that focuses on collecting sync performance metrics and surfacing alerts and health information for the on premises sync infrastructure. It helps teams detect and investigate synchronization problems but it does not perform data protection tasks or create scheduled backups of Azure AD data.

Monitor synchronization performance metrics is incorrect because AD Connect Health for Sync explicitly gathers performance telemetry and sync metrics to show latency trends and error rates. The service is designed to monitor how synchronization is behaving and where bottlenecks occur.

Receive and respond to synchronization alerts is incorrect because the product raises alerts for sync failures and critical conditions and it provides the diagnostics needed to respond to those alerts. Administrators can use the alerts to investigate and remediate issues.

Configure email notifications for critical alerts is incorrect because AD Connect Health integrates with Azure alerting and notification mechanisms so you can configure notifications for critical alerts through Azure Monitor and action groups. The capability to notify administrators by email is therefore supported but it is part of the alerting integration rather than a backup feature.

MS-102 Exam Question 18

To inspect devices that produced alerts during the previous 45 days which report should you open?

  • ✓ C. Vulnerable endpoints report

The correct report to open is Vulnerable endpoints report.

The Vulnerable endpoints report is designed to show devices that have produced security alerts and to surface known vulnerabilities. It provides the details you need to inspect each affected device and it supports filtering by recent time ranges so you can review alerts from the previous 45 days.

The Endpoint status and compliance report is not the best choice because it focuses on device compliance state and configuration status rather than listing devices that generated security alerts over a specific past window.

The Cloud Security Command Center is incorrect because it is a Google Cloud service that aggregates findings across cloud resources and workloads. It does not serve as the dedicated endpoint report for inspecting device alerts in the admin reports context.

The Web threat protection report is also incorrect because it concentrates on web traffic and threat detections related to web browsing rather than providing a consolidated list of endpoints that produced alerts or vulnerability findings.

Cameron’s Microsoft 365 Certification Exam Tip

When a question asks which report shows devices that produced alerts over a past period, look for reports named for endpoints or vulnerabilities and focus on whether the report explicitly mentions alerts or a time range.

MS-102 Exam Question 19

You are the global administrator for Contoso 365 and you must assess and apply labels to organizational documents and email across all storage locations. Which feature in the Microsoft Purview compliance portal would you not use to evaluate and tag content?

The correct answer is Activity explorer.

The Activity explorer is intended for investigating user and administrator actions and trends across Microsoft 365 and not for inspecting file contents or message bodies to apply sensitivity labels. It is useful for activity analysis but it does not perform content evaluation or automatic tagging across storage locations.

Sensitive information types are pattern based detectors used by Microsoft Purview to find and classify content such as credit card numbers and national identifiers, and they are commonly used to evaluate and apply labels.

Trainable classifiers are machine learning models that you train to identify specific types of documents or email content, and they can be used to classify and auto label content across your locations.

Exact data match sensitive information types use hashed values from authoritative data sources to find exact matches in documents and messages, and they are used when precise matching is required for labeling and DLP.

Cameron’s Microsoft 365 Certification Exam Tip

When a question asks about evaluating and tagging content, focus on features that scan the actual files and messages, such as sensitive information types, trainable classifiers, and exact data match. Tools that surface activity are not used for content classification.

MS-102 Exam Question 20

You are a team leader who needs access to insights that cover employees who report to you both directly and through subordinate managers. Which Viva Insights role should be granted to you?

The correct option is Group Manager.

The Group Manager role provides manager level visibility into Viva Insights for people who report to you directly and for people who report to your direct reports. This role is intended to surface team level metrics and patterns across hierarchical reporting lines so you can review insights for your entire group.

Insights Administrator is incorrect because that role is focused on configuration, privacy and administrative controls rather than on providing manager level views of direct and indirect reports.

Business Insights Lead is incorrect because that role is oriented toward broader business or organizational analysis and it does not specifically grant the hierarchical manager visibility described in the question.

Viva Insights User is incorrect because that role provides personal insights to an individual user about their own work and it does not provide access to insights for people who report to them.

Cameron’s Microsoft 365 Certification Exam Tip

When a scenario requires visibility into both direct reports and their reports, look for roles that explicitly include the words Group or Manager, since those roles are designed for hierarchical team access.

MS-102 Exam Question 21

Marina Systems maintains an on site Active Directory and it provisioned user accounts in Microsoft 365 for Dynamics 365 Sales without enabling directory synchronization. The IT team now plans to deploy Entra Connect to synchronize the on site AD with Entra ID. Which matching method can be used initially to have Entra Connect recognize that an on site account corresponds to an existing cloud user?

  • ✓ B. SMTP address matching

The correct option is SMTP address matching.

SMTP address matching works because Entra Connect can perform a soft match by comparing the cloud user’s primary SMTP address or entries in proxyAddresses to the corresponding attributes in the on site AD account. When users were created directly in Microsoft 365 without directory synchronization, the easiest way for Entra Connect to recognize the existing cloud user is to have matching email addresses, so the service can link the accounts without changing the cloud user’s ImmutableID.

Immutable ID matching is not the initial method in this scenario because hard matching requires the cloud user to already have an ImmutableID that corresponds to the on site account or for an administrator to set that ImmutableID manually. That extra step means it is not the simple out of the box method for first time matching.

Object GUID matching is incorrect because Entra Connect does not directly match precreated cloud users to on site accounts by the on premises objectGUID. The objectGUID can be used as the source for an ImmutableID but it is not used as a direct matching attribute against existing cloud accounts.

Entra user attribute matching is incorrect because there is no generic matching option that simply compares arbitrary Entra attributes. The supported approaches for linking existing cloud users and on site accounts are the soft match by SMTP or UPN and the hard match by ImmutableID.

Cameron’s Microsoft 365 Certification Exam Tip

On the exam remember that soft match uses email addresses and is the simplest way to match precreated cloud users when you first enable Entra Connect. Use hard match only when you need to force a link and you can set the ImmutableId.
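The matching order described in this answer can be checked before the first sync. The following is an added example, not part of the original page and not Entra Connect's own code: it classifies constructed on-site accounts against constructed cloud users as hard match, soft match, conflict, or new object. The field names (`sam`, `upn`, `immutableId`), the sample records, the hard-match-first ordering, and the rule that a soft match needs a cloud user with no ImmutableID are assumptions of this model.

```python
import base64
import uuid

def anchor_from_guid(object_guid):
    # ImmutableID derived from objectGUID: base64 of the GUID byte array
    # (.NET Guid.ToByteArray() order, which is uuid.UUID.bytes_le here).
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode()

def smtp_set(proxy_addresses):
    # Entries look like "SMTP:primary@..." or "smtp:alias@..."; compare case-insensitively.
    return {p[5:].lower() for p in proxy_addresses if p.lower().startswith("smtp:")}

def primary_smtp(proxy_addresses):
    # The upper-case "SMTP:" prefix marks the primary address.
    return next((p[5:].lower() for p in proxy_addresses if p.startswith("SMTP:")), None)

def classify(onprem, cloud_users):
    # Assumed order for this model: hard match on ImmutableID first, then soft match.
    anchor = anchor_from_guid(onprem["objectGUID"])
    for c in cloud_users:
        if c["immutableId"] == anchor:
            return ("hard-match", c["upn"])
    primary = primary_smtp(onprem["proxyAddresses"])
    hits = [c for c in cloud_users if primary in smtp_set(c["proxyAddresses"])]
    if not hits:
        return ("new-object", None)
    if len(hits) > 1:
        return ("conflict-duplicate-address", None)
    if hits[0]["immutableId"]:
        # Address collides with a cloud user already anchored to another account.
        return ("conflict-already-anchored", hits[0]["upn"])
    return ("soft-match", hits[0]["upn"])

# Constructed sample exports (hypothetical field names and values).
ONPREM = [
    {"sam": "avega", "objectGUID": "11111111-1111-1111-1111-111111111111", "proxyAddresses": ["SMTP:a.vega@example.com"]},
    {"sam": "bkim", "objectGUID": "22222222-2222-2222-2222-222222222222", "proxyAddresses": ["SMTP:b.kim@example.com"]},
    {"sam": "cdiaz", "objectGUID": "33333333-3333-3333-3333-333333333333", "proxyAddresses": ["SMTP:c.diaz@example.com"]},
    {"sam": "dshah", "objectGUID": "44444444-4444-4444-4444-444444444444", "proxyAddresses": ["SMTP:d.shah@example.com"]},
]
CLOUD = [
    {"upn": "a.vega@example.com", "immutableId": None, "proxyAddresses": ["SMTP:A.Vega@example.com"]},
    {"upn": "b.kim@example.com", "immutableId": anchor_from_guid(ONPREM[1]["objectGUID"]), "proxyAddresses": ["SMTP:b.kim@example.com"]},
    {"upn": "shared@example.com", "immutableId": "CONSTRUCTED-ANCHOR", "proxyAddresses": ["SMTP:shared@example.com", "smtp:c.diaz@example.com"]},
]

def report():
    return {u["sam"]: classify(u, CLOUD) for u in ONPREM}
```

Accounts reported as conflicts are the ones to review by hand before enabling synchronization, since an address shared with an unrelated or already anchored cloud user would otherwise link or block the wrong identity.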

MS-102 Exam Question 22

Liam is a security analyst at a multinational insurer named Norstar Risk. He is auditing the company’s cloud usage with Microsoft Defender for Cloud Apps and he needs to share the full set of user activity records with his colleagues for deeper review. How should Liam provide all user activity records from Microsoft Defender for Cloud Apps to his team?

  • ✓ C. Use the Export feature to download all activities as a CSV file

Use the Export feature to download all activities as a CSV file is correct because Microsoft Defender for Cloud Apps provides a built in export that lets an analyst download the full activity log as a CSV for offline review and sharing with colleagues.

The export produces a machine readable file that can contain the full set of fields for each activity, such as timestamp, user, IP address, application, and activity type, and it supports filtering by date range so auditors can capture the exact scope they need.

Share his own sign in credentials with team members is wrong because sharing credentials is insecure, breaks audit trails and access controls, and is not an accepted practice for sharing logs or enabling reviews.

Stream alerts and logs to a SIEM such as Azure Sentinel is incorrect in this scenario because streaming to a SIEM is for centralized ingestion and long term analysis and it requires SIEM access and setup so it does not directly produce a simple file to hand to colleagues for immediate review.

Capture screenshots of the Activity log pages is wrong because screenshots are incomplete and not machine readable. They will not contain the full dataset or allow colleagues to query, sort, and filter the records effectively.

MS-102 Exam Question 23

Orbis Solutions needs to turn on information barriers for SharePoint and OneDrive across its tenant. Which value should be provided to the PowerShell command Set-SPOTenant -InformationBarriersSuspension to accomplish this?

The correct answer is $false.

You supply $false to Set-SPOTenant -InformationBarriersSuspension because the parameter controls whether information barriers are suspended. A value of $false means they are not suspended, so the information barriers remain active for SharePoint and OneDrive across the tenant.

$suspended is not the standard boolean literal that this cmdlet expects and it would only work if you had previously defined a variable with that name, so it is not the direct value to pass.

$true is incorrect because that value would suspend information barriers which disables them and that is the opposite of turning them on.

$enable is not a recognized boolean literal for this parameter and it is not the correct token to use with Set-SPOTenant -InformationBarriersSuspension.

Cameron’s Microsoft 365 Certification Exam Tip

When a parameter name includes the word Suspension, work out which boolean value means suspended and which means enabled, and remember that PowerShell expects the literals $true or $false rather than free text.

MS-102 Exam Question 24

A systems administrator must create a group that will both manage access to resources and receive messages so that members can have permissions and also be included in mailings. Which type of group should they create?

  • ✓ B. Mail enabled security group

The correct option is Mail enabled security group.

A Mail enabled security group combines a security principal with an email address so it can be granted permissions to resources and it can receive messages for its members.

Security group is incorrect because a security group can be used to control access but it does not provide an email address by default and so it cannot be used as a mailing list.

Dynamic distribution group is incorrect because it is a mail only construct with membership calculated at message delivery and it is not a security principal that can be used to assign resource permissions.

Distribution group is incorrect because a distribution group can receive email but it is not a security group and so it cannot be used to grant access to resources.

MS-102 Exam Question 25

Rivermark Solutions intends to adopt Microsoft 365 with a hybrid configuration over the next twelve months and their on-premises Active Directory currently uses the forest name “devprime.local”. Before enabling directory synchronization what should be the primary action to prioritize to enable a smooth migration?

  • ✓ B. Add and verify the organization public domain in Microsoft 365

The correct option is Add and verify the organization public domain in Microsoft 365.

Add and verify the organization public domain in Microsoft 365 is the primary action because Microsoft 365 needs proof that you own the domain before you can align user sign in names and handle mail routing. Verifying the domain first ensures that when you enable directory synchronization users will have UPNs and email addresses that match the verified domain and reduces the chance of identity and mail conflicts during migration.

Obtain a third-party SSL certificate for federation services is not the first priority because certificates are only required if you choose to implement AD FS federation. They are not required simply to enable directory synchronization and should be planned only if federation is part of the design.

Deploy Azure AD Connect and adjust UPN suffixes before verifying the domain is incorrect because the tenant domain should be added and verified in Microsoft 365 first. You can and should prepare UPN suffixes on-premises and update user UPNs prior to syncing, but the domain must exist and be verified in the cloud so the suffixes are recognized and mail routing can be validated.

Rename the on-premises Active Directory forest to match the email domain is not recommended because renaming a forest is complex and risky. The usual practice is to add a UPN suffix and update user UPNs rather than perform a forest rename.

MS-102 Exam Question 26

You administer email protections for a regional insurance company and you have enabled Safe Links for employees. A team member clicks a URL contained in a received email. What happens when the team member clicks the URL?

  • ✓ A. Safe Links rewrites the URL and checks it when the us
