MS-102 Exam Question 1
A workstation at Rivermark Shipping is exhibiting abnormal behavior with unusual outbound traffic and unfamiliar processes running on it. To prevent other systems from being affected, which Microsoft 365 Defender capability should you use to cut off that workstation from the network?
The correct answer is Device isolation.
Device isolation in Microsoft 365 Defender lets an administrator cut off a compromised workstation from the network while preserving local access for investigation. It blocks inbound and outbound network traffic from the device and prevents lateral movement to other systems so that the incident cannot spread.
Using Device isolation is the direct containment action to take when a host is exhibiting unusual outbound traffic and unfamiliar processes. This action immediately limits the host network connectivity and helps protect other systems while you investigate and remediate.
Threat intelligence provides contextual information about threats and indicators and it helps analysts understand what is happening, but it does not itself disconnect a device from the network. It is useful for detection and investigation but not for immediate containment.
Automated response refers to automated investigations and remediation workflows and it may include containment actions, but it is a broader capability rather than the specific action that severs network access. The exam asks for the specific containment feature which is device isolation.
Network segmentation is an architectural network control that limits traffic between zones and reduces blast radius, but it is not a Microsoft 365 Defender action you trigger to immediately isolate a single compromised workstation. It is a preventative design rather than an on-demand containment action.
Cameron’s Microsoft 365 Certification Exam Tip
When the question asks how to immediately stop a compromised host, look for the specific containment action in the product. Remember that Device isolation is the on-demand action that severs network access for a single device.
MS-102 Exam Question 2
A regional retailer is configuring an Insider Risk Management rule and wants to rank where to focus monitoring by content importance. Which of the following items cannot be set as a prioritization target?
Email domains is the correct option.
The Insider Risk Management prioritization setting is based on content importance and content signals, and Email domains represents an identity or routing attribute rather than a content attribute so it cannot be used as a prioritization target for content importance.
Detected sensitive information types is incorrect because sensitive information types are a direct content signal and can be used to prioritize alerts and monitoring by content importance.
Document sensitivity labels is incorrect because sensitivity labels are applied to files and messages to indicate content importance and they are supported as prioritization targets in Insider Risk Management.
SharePoint site collections is incorrect because the location of content is a common prioritization factor and site collections can be selected to focus monitoring on content stored in those locations.
Cameron’s Microsoft 365 Certification Exam Tip
When answering configuration questions, consider whether the option is a content attribute or an identity attribute, and choose content attributes when the feature is about prioritizing by content importance.
MS-102 Exam Question 3
Which tasks can administrators perform with the IdFix utility when preparing to synchronize identities to Fabrikam Cloud? (Choose 3)
- ✓ A. Scan all domains in the currently authenticated forest for object attribute issues
- ✓ B. Edit object attributes and apply confirmed corrections directly from the IdFix interface
- ✓ C. Export scan results to CSV or LDF for offline remediation
The correct answers are Scan all domains in the currently authenticated forest for object attribute issues, Edit object attributes and apply confirmed corrections directly from the IdFix interface, and Export scan results to CSV or LDF for offline remediation.
Scan all domains in the currently authenticated forest for object attribute issues is supported because IdFix is built to enumerate identity objects across the authenticated forest and flag attribute problems that can block synchronization. The tool locates common issues such as duplicate addresses, invalid characters, and missing required attributes so you can address them before syncing.
Edit object attributes and apply confirmed corrections directly from the IdFix interface is correct because IdFix allows administrators to modify attributes in place and then apply those confirmed changes back to the source Active Directory. The workflow is interactive so you review proposed fixes before they are written to the directory.
Export scan results to CSV or LDF for offline remediation is correct because IdFix can export findings so you can perform bulk or offline remediation with other tools or processes and keep an audit of the reported issues.
Automatically remedy every synchronization error without administrator confirmation is incorrect because IdFix does not unilaterally fix every issue. The tool requires administrative review and confirmation for changes and some problems must be resolved manually in Active Directory or via other remediation steps.
Cameron’s Microsoft 365 Certification Exam Tip
When a question describes a tool as interactive, expect options that require confirmation and choose features that match an audit and review workflow. Practicing IdFix on a non-production forest will make the tool's behaviors familiar.
MS-102 Exam Question 4
Your company uses Microsoft 365 E5 and the accounting team handles highly confidential records. You need to prevent accounting staff from opening potentially dangerous websites that are embedded as hyperlinks in emails and documents while leaving other teams unaffected. What should you configure?
- ✓ B. Deploy a tailored Safe Links policy that targets the accounting group
The correct choice is Deploy a tailored Safe Links policy that targets the accounting group.
Safe Links is part of Microsoft Defender for Office 365 and it rewrites and scans URLs at the time of click to block known and emerging threats. You can scope Safe Links policies to specific users or groups so only the accounting team receives the stricter click time protection while other teams remain unaffected.
Create a Data Loss Prevention policy that uses content inspection to detect sensitive accounting data is incorrect because DLP is intended to detect and protect sensitive information and to control sharing. It does not provide click time URL rewriting and threat scanning like Safe Links does.
Leave the tenant-wide Safe Links configuration in place for all users is incorrect because a tenant-wide setting would apply the restriction to everyone and would not meet the requirement to limit protections only to the accounting staff.
Create a mail flow rule to reject messages that contain known malicious URLs is incorrect because transport rules act on messages in transit and can cause false positives or block legitimate mail. They also do not provide click time protection for links that become malicious after delivery.
Cameron’s Microsoft 365 Certification Exam Tip
When a question asks to restrict clicking on dangerous links for a specific group, think of Safe Links policies because they can be targeted to users or groups while other controls serve different purposes.
MS-102 Exam Question 5
Your team at Meridian Solutions needs to boost Microsoft 365 responsiveness for offices across multiple continents. Which of the following metrics is not displayed by the Network connectivity insights dashboard?
- ✓ C. Individual user bandwidth consumption
The correct option is Individual user bandwidth consumption.
The Network connectivity insights dashboard in the Microsoft 365 admin tools focuses on aggregated network performance and service connection health across locations and endpoints. It surfaces metrics such as latency, packet loss, DNS timing, and service connection scores rather than per user traffic details. Because of that design the dashboard does not provide a breakdown of bandwidth used by each individual user which is why Individual user bandwidth consumption is the correct choice.
TCP round trip latency is shown by the dashboard as a core network metric and it helps identify latency between clients and Microsoft endpoints.
DNS query resolution time is included because DNS resolution delays can impact Microsoft 365 responsiveness and the insights surface DNS timing to aid troubleshooting.
Exchange Online connection health score is reported as a service specific health metric so administrators can see the health of Exchange Online connections from monitored locations.
Cameron’s Microsoft 365 Certification Exam Tip
When you see a question about dashboards, decide whether the metric is aggregated service telemetry or per-user data. Dashboards like Network connectivity insights show service and network level metrics, not individual user bandwidth, so pick the option that describes per-user detail.
MS-102 Exam Question 6
Are data loss prevention policies limited solely to Exchange Online, SharePoint Online, and OneDrive for Business, or do they also protect sensitive data in other places such as Teams conversations, Office desktop applications, and on-premises file servers?
The correct answer is FALSE.
Data Loss Prevention policies in Microsoft Purview are not limited to Exchange Online, SharePoint Online, and OneDrive for Business. They can also protect sensitive information in Teams conversations and chats, Office desktop applications, and on-premises file servers by using cloud connectors, endpoint DLP, and the DLP scanner or hybrid connectors.
Endpoint DLP integrates with Microsoft Defender for Endpoint to enforce policies on devices, and the DLP scanner can discover and apply protections to files on on-premises file shares and to SharePoint Server instances that are connected to a hybrid deployment.
The option TRUE is incorrect because it claims that DLP is restricted only to Exchange Online, SharePoint Online, and OneDrive for Business. That is not accurate, since Microsoft provides additional connectors, tools, and endpoint capabilities to cover Teams, Office apps, and on-premises data.
Cameron’s Microsoft 365 Certification Exam Tip
When you see questions about coverage, look for mentions of connectors, scanners, or endpoints, and remember that Microsoft Purview DLP includes cloud connectors, endpoint DLP, and an on-premises scanner, so answers that state strict limits are often wrong. Focus on breadth of coverage.
MS-102 Exam Question 7
Which of the following assertions about Contoso Identity Conditional Access accurately describe how its policies operate and what licensing is required? (Choose 2)
- ✓ B. Contoso Identity Conditional Access can evaluate the IP address or network location when making policy decisions
- ✓ D. Administrators can create policies in Contoso Identity Conditional Access that require multifactor authentication for users assigned to administrative roles
Contoso Identity Conditional Access can evaluate the IP address or network location when making policy decisions and Administrators can create policies in Contoso Identity Conditional Access that require multifactor authentication for users assigned to administrative roles are correct.
Conditional Access evaluates signals about the sign in request such as IP address and named locations and uses those signals when making policy decisions. This allows administrators to block access or require additional controls when requests come from risky or unexpected networks.
Administrators can create policies that target privileged roles and require multifactor authentication to reduce the risk of compromise. Requiring MFA for administrative role accounts is a common Conditional Access use case to protect privileged access.
Contoso Identity Conditional Access policies are applied before the initial sign in factor completes is incorrect because Conditional Access policies evaluate as part of the sign in flow after primary authentication signals are processed and then enforce controls such as requiring MFA or blocking access. Policies do not run before the initial authentication factor completes.
The Conditional Access capability is included in the free edition of Contoso Identity is incorrect because Conditional Access is an advanced capability that requires paid licensing in most identity providers. For example Azure Active Directory requires Premium licensing for Conditional Access features.
Cameron’s Microsoft 365 Certification Exam Tip
When you see Conditional Access questions, focus on the signals it evaluates, such as IP and device state, and remember that advanced controls like role-based MFA enforcement typically require premium licensing.
MS-102 Exam Question 8
You are the security lead at Meridian Tech and you want to observe Safe Links from an end user perspective. What happens when an employee clicks a malicious hyperlink in a received email?
- ✓ C. Safe Links routes the clicked URL to a secured verification server that checks it against a blocklist and displays a warning when it is malicious
The correct answer is Safe Links routes the clicked URL to a secured verification server that checks it against a blocklist and displays a warning when it is malicious.
Safe Links rewrites URLs in messages so that when a user clicks the link the request goes to a Microsoft verification service. The service performs time of click checks against blocklists and other signals. If the URL is malicious the user is shown a warning or blocked and if it is safe the user is redirected to the original site.
Cloud Armor inspects and filters the link traffic at the edge is incorrect because Cloud Armor is a Google Cloud service that protects application traffic at the network edge and it does not perform email link rewriting or time of click malicious URL analysis.
The email is removed from the recipient’s inbox immediately is incorrect because Safe Links does not delete messages when a link is clicked. The feature focuses on inspecting the clicked URL and warning or blocking access rather than removing the mail from the mailbox.
The recipient is taken directly to the linked site without any inspection is incorrect because Safe Links prevents direct navigation by rewriting the link and routing the click through its verification service for inspection before allowing a redirect to the target.
Cameron’s Microsoft 365 Certification Exam Tip
Focus on answers that describe time-of-click URL rewriting and verification when the question asks how link protection works. Exclude options that describe edge filtering or immediate message deletion.
MS-102 Exam Question 9
You manage user groups for a retail startup called BrightCart and you want two staff members to be able to administer a group when one person is unavailable. What is the recommended practice?
- ✓ C. Assign two or more owners to the group
Assign two or more owners to the group is the recommended practice to ensure group administration coverage when one person is unavailable.
Assigning two or more owners gives multiple named administrators who can manage membership and settings and it preserves audit trails and individual accountability. This approach avoids a single point of failure and keeps changes attributable to specific users which simplifies troubleshooting and compliance.
It is straightforward to implement in Cloud Identity or Workspace and it follows access management best practices by keeping human administrators on their own accounts rather than sharing credentials.
Use Cloud Identity group roles is not a complete answer because roles exist but the question asks how to ensure coverage. The practical solution is to assign multiple owners rather than relying on a generic mention of roles.
Create a shared service account for managers to use is incorrect because service accounts are intended for applications and not for shared human use. Sharing credentials reduces auditability and violates principles of least privilege and individual accountability.
Grant one owner and configure a delegated access account is also incorrect because a single owner creates a single point of failure and delegated access can be harder to manage and audit. Assigning multiple owners provides clearer redundancy and accountability.
MS-102 Exam Question 10
You manage an Azure Active Directory tenant for Northwind Labs, and a conditional access policy applies to every user for an application called CloudAppX. The policy requires multi-factor authentication for requests evaluated against recognized locations. The tenant is set to trust the 192.168.10.0/24 IP range, while the recognized locations are defined as LocationAlpha 192.168.30.0/24 and LocationBeta 192.168.60.0/24. Which of the following connection scenarios would require a user to complete multi-factor authentication when accessing CloudAppX?
- ✓ C. A user signs in from IP 192.168.80.100
The correct option is A user signs in from IP 192.168.80.100.
A user signs in from IP 192.168.80.100 is not in the tenant trusted range 192.168.10.0/24 and it is not in either named recognized location, LocationAlpha 192.168.30.0/24 or LocationBeta 192.168.60.0/24. Because this IP is unrecognized by the tenant configuration the conditional access policy evaluation treats the sign in as coming from an external location and the policy requires multi factor authentication for that access.
A user signs in from IP 192.168.60.22 is inside LocationBeta 192.168.60.0/24 which is defined as a recognized named location. In this scenario recognized named locations are not subject to the same MFA enforcement as unrecognized external IPs so this sign in does not require additional MFA.
A user signs in from IP 192.168.10.45 falls inside the tenant trusted IP range 192.168.10.0/24. Trusted IP ranges are treated as internal and are exempt from the external MFA requirement in this configuration so the user would not be prompted for MFA.
A user signs in from IP 192.168.30.5 is inside LocationAlpha 192.168.30.0/24 which is a named recognized location. Access from that recognized location is not evaluated as external in the given policy and therefore it does not trigger the MFA requirement.
Cameron’s Microsoft 365 Certification Exam Tip
When you see location-based conditional access, map each candidate IP to the trusted IP range and to any named recognized locations first, and then decide whether the policy applies or is bypassed.
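The mapping step the tip describes can be carried out mechanically. The following is an added example, not part of the original question set: it models the tenant's trusted IP range and the two named locations from Question 10 as CIDR networks and classifies each candidate sign-in address, applying the interpretation used in the explanation above (MFA is required whenever the source address is neither in the trusted range nor in a named location). The `classify`, `requires_mfa` and `evaluate` functions and the fail-closed handling of malformed addresses are assumptions of this example, not Conditional Access API behaviour.

```python
import ipaddress

# Tenant configuration as given in Question 10 (constructed from the question text).
TRUSTED_IPS = ["192.168.10.0/24"]
NAMED_LOCATIONS = {
    "LocationAlpha": ["192.168.30.0/24"],
    "LocationBeta": ["192.168.60.0/24"],
}


def classify(ip):
    """Return 'trusted', a named-location name, or 'unrecognized' for a source IP.

    Hypothetical helper: a malformed address is reported as 'invalid' so the
    caller can fail closed instead of silently treating it as recognized.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    # Trusted IPs are checked first; they take precedence over named locations.
    for net in TRUSTED_IPS:
        if addr in ipaddress.ip_network(net, strict=True):
            return "trusted"
    for name, nets in NAMED_LOCATIONS.items():
        for net in nets:
            if addr in ipaddress.ip_network(net, strict=True):
                return name
    return "unrecognized"


def requires_mfa(ip):
    """MFA is required unless the address is trusted or inside a named location.

    'invalid' also requires MFA: an address that cannot be parsed must not
    bypass the control.
    """
    return classify(ip) not in ({"trusted"} | set(NAMED_LOCATIONS))


def evaluate(ips):
    """Evaluate a list of candidate sign-in addresses and return a decision table."""
    return {ip: {"location": classify(ip), "mfa": requires_mfa(ip)} for ip in ips}


if __name__ == "__main__":
    # The four candidate addresses from the question.
    for ip, decision in evaluate(
        ["192.168.80.100", "192.168.60.22", "192.168.10.45", "192.168.30.5"]
    ).items():
        print(f"{ip:16} {decision['location']:14} MFA required: {decision['mfa']}")
```

Running the block prints one line per candidate; only 192.168.80.100 resolves to `unrecognized` and therefore to an MFA requirement, which matches the answer key. The `strict=True` argument makes `ip_network` reject a range whose host bits are set (for example 192.168.10.5/24), so a typo in a trusted-range definition raises an error instead of quietly widening or narrowing the bypass.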
MS-102 Exam Question 11
Within the Compliance Manager dashboard which tab breaks down the ratio of points earned to points available by solution?
The correct option is Solutions tab.
Solutions tab breaks down the compliance score so you can see the ratio of points earned to points available for each solution. It surfaces per solution scores and lets you compare how each solution contributes to the overall compliance score which is why it directly answers the question about points earned versus points available.
Remediation tasks lists actions and guidance to remediate control deficiencies and does not present the score ratio by solution.
Assessment view provides details about assessments and control status and it focuses on control evidence and assessment details rather than a per solution points breakdown.
Notification rules is used to configure alerts and notifications for changes in compliance status and it does not show the ratio of points earned to points available by solution.
MS-102 Exam Question 12
Your company recently purchased a Contoso 365 E5 subscription and you are the security administrator. You must evaluate the current Safe Links configuration against Contoso’s recommended best practices. Which tool should you use to perform this assessment efficiently?
- ✓ C. Configuration Analyzer
Configuration Analyzer is the correct option.
Configuration Analyzer is built to run automated configuration assessments across Microsoft 365 settings and it compares tenant configurations against recommended best practices. It provides targeted findings and actionable remediation steps which makes it efficient for evaluating Safe Links policies and related protection settings.
Configuration Analyzer surfaces misconfigurations and gives guidance to bring policies in line with Contoso’s recommended settings and that is exactly what an efficient assessment requires.
Microsoft Defender portal is incorrect because the portal is the administrative interface for managing policies and alerts and it does not automatically run the focused configuration assessment and recommendations that Configuration Analyzer provides.
Secure Score is incorrect because Secure Score reports overall security posture and suggested improvement actions rather than performing a detailed, targeted analysis of Safe Links configuration.
Compliance Manager is incorrect because it focuses on regulatory compliance controls and assessments and it does not perform the configuration checks of Safe Links policies that Configuration Analyzer performs.
Cameron’s Microsoft 365 Certification Exam Tip
When a question asks for an automated, targeted configuration assessment, choose a tool that scans tenant settings, such as Configuration Analyzer, rather than broad posture or compliance solutions.
MS-102 Exam Question 13
Your team at Meridian Financial is onboarding a new client and received an Excel file with 240 staff names and email addresses that must be added to their Microsoft 365 tenant. What is the quickest and most efficient way to add all of these accounts to the tenant?
- ✓ B. Save the spreadsheet as a CSV and use the Microsoft 365 admin center bulk user import
Save the spreadsheet as a CSV and use the Microsoft 365 admin center bulk user import is correct.
Bulk user import in the Microsoft 365 admin center is designed for this scenario because it allows an administrator to upload a CSV exported from Excel and create many cloud-only users in one operation. This method requires no custom scripting and is the fastest way to add a couple of hundred accounts, while also letting you assign licenses and usage locations during the import.
Install Azure AD Connect on a server and enable directory synchronization is incorrect because Azure AD Connect is intended to synchronize an on premises Active Directory with Entra ID and it requires an existing on premises directory and ongoing infrastructure. It is not a quick one time solution for importing a spreadsheet of users into a cloud only tenant.
Use PowerShell to read the Excel file and script the creation of users in Entra ID is not the best choice for speed and simplicity because scripting takes more time and testing and is more error prone for administrators who need a straightforward bulk upload. PowerShell can accomplish the task but it is heavier work for a simple import.
Run Azure CLI scripts to parse the spreadsheet and provision user accounts in Entra ID is also not the most efficient option because the Azure CLI does not natively parse Excel files and this approach requires custom parsing and scripting. That level of automation is useful for repeatable workflows but it is overkill for a one time, quick import.
MS-102 Exam Question 14
You are the Microsoft 365 administrator for a regional consulting firm named CedarBridge. The firm maintains separate on-premises and Entra ID identity systems and employees sign in to Exchange Online and SharePoint Online with Entra ID accounts. You want staff to use their Entra ID credentials to access internal on-premises web applications. Which Azure option allows users to access an on-premises web application?
- ✓ C. Deploy an Application Proxy connector
The correct option is Deploy an Application Proxy connector.
The Deploy an Application Proxy connector option refers to Microsoft Entra ID Application Proxy, which lets users sign in with their Entra credentials to access internal web applications. Deploying the connector installs a lightweight service on premises that makes an outbound connection to the Microsoft cloud, so you do not need to open inbound firewall ports. Entra ID then performs pre-authentication, and you can apply Conditional Access and single sign-on to the published app.
The Application Proxy connector approach is specifically designed to publish internal web apps to remote users while keeping authentication and access control in Entra ID and minimizing changes to your network perimeter.
The Azure Application Gateway is a layer seven load balancer and web application firewall for Azure hosted resources. It does not provide the on premises connector or Entra pre authentication that is required to publish internal apps for external access.
The Register an enterprise application in Entra ID option creates an app object and lets you configure single sign on and permissions. Registering an app by itself does not publish an on premises web site or install the reverse proxy connector that makes the app reachable from outside the network.
The Install and configure Microsoft Entra Connect tool synchronizes identities and credentials between on premises Active Directory and Entra ID. It does not act as a reverse proxy and it does not publish internal web applications for remote access.
Cameron’s Microsoft 365 Certification Exam Tip
When a question asks about publishing on-premises web applications, look for the Application Proxy connector as the feature that provides Entra pre-authentication and an outbound connector from your network.
MS-102 Exam Question 15
Riverside Solutions uses Microsoft Purview Information Protection to protect corporate documents and email. You need to ensure sensitivity labels appear for employees inside Microsoft Office applications. What sequence of steps will accomplish this?
- ✓ C. Create sensitivity labels then configure label settings then create a label policy then publish the label policy
The correct option is Create sensitivity labels then configure label settings then create a label policy then publish the label policy.
You must create sensitivity labels first because the labels define the classification and any protection or encryption settings that will be applied to documents and email.
Next you configure label settings so the labels behave correctly inside Microsoft Office applications and so client features such as auto labeling or tooltips are enabled.
Then you create a label policy which groups the labels and defines who receives them and how they are assigned.
Publishing the label policy is the final step because publishing distributes the policy and makes the labels appear inside Office apps for the targeted users.
Create a label policy first then create sensitivity labels then configure label settings then publish the label policy is incorrect because a policy cannot reference labels that do not yet exist and you must create labels before you create a policy that includes them.
Create sensitivity labels then configure label settings then publish the label policy then create a label policy is incorrect because publishing applies to an existing policy and you cannot publish a policy before that policy is created.
Configure label settings then create sensitivity labels then publish the label policy then create a label policy is incorrect because label settings are applied to labels so the labels need to exist first and the sequence also attempts to publish before the policy is created which is not valid.
Cameron’s Microsoft 365 Certification Exam Tip
Think about the lifecycle of resources and whether an item must exist before it can be configured or published. Remember that labels must be created before you build and publish a policy.
MS-102 Exam Question 16
Meridian Retail runs a centralized security logging platform and wants to bring Microsoft 365 Defender alerts and telemetry into that platform for dependable and scalable security analysis. What is the best method to integrate this data?
- ✓ C. Ingest Defender telemetry via the Microsoft 365 Defender APIs
The correct option is Ingest Defender telemetry via the Microsoft 365 Defender APIs.
This approach uses the official, programmatic interfaces that expose alerts, incidents, and telemetry in structured form so you can build dependable and scalable ingestion into a centralized logging platform. The APIs support filtering and incremental queries and they can be combined with notification mechanisms to reduce polling and to provide near real time delivery.
Using the APIs lets you authenticate with managed application credentials and follow Microsoft rate limits and best practices. This makes automated, repeatable ingestion easier to maintain than manual or ad hoc methods and it avoids reimplementing features that Microsoft already provides.
Enable periodic manual exports from Microsoft 365 Defender to the log platform is not ideal because manual exports are error prone and do not scale for continuous security analysis. They are slower and require ongoing human intervention or brittle scheduling.
Deploy a custom collector agent on the log server to fetch Defender data is also suboptimal because it duplicates functionality that the APIs provide and it forces you to manage authentication, rate limiting, retries, and updates on your own. An agent can work but it is not the most maintainable or scalable option.
Stream Defender alerts into Google Cloud Pub/Sub using a connectors pipeline is incorrect as stated because there is no native, direct Defender to Pub/Sub connector built into the product. You would still rely on the Defender APIs or intermediary services to export the data, so the best practice is to use the official APIs for ingestion and then forward into Pub/Sub if you need that transport.
Cameron’s Microsoft 365 Certification Exam Tip
For integration questions, pick the option that uses official programmatic interfaces when you need reliable and scalable ingestion. Also remember to consider authentication, rate limits, and available notification or delta query features when designing the pipeline.
MS-102 Exam Question 17
Which statements about provisioning and administering groups in Microsoft 365 are correct? (Choose 3)
- ✓ A. A legacy distribution list can be migrated to a Microsoft 365 group in the admin center
- ✓ C. Security groups can be assigned to control access rights on resources and applications
- ✓ D. Creating a Microsoft 365 group also provisions a shared mailbox and a group calendar
The correct answers are A legacy distribution list can be migrated to a Microsoft 365 group in the admin center, Security groups can be assigned to control access rights on resources and applications and Creating a Microsoft 365 group also provisions a shared mailbox and a group calendar.
A legacy distribution list can be migrated to a Microsoft 365 group in the admin center is correct because the Microsoft 365 admin center provides tools to convert distribution lists into Microsoft 365 groups while preserving membership and email addresses. That conversion moves the list into the groups framework so members gain the collaboration features that groups provide.
Security groups can be assigned to control access rights on resources and applications is correct because security groups in Azure Active Directory and Microsoft 365 exist to grant permissions and to manage access to resources and applications across the tenant.
Creating a Microsoft 365 group also provisions a shared mailbox and a group calendar is correct because a Microsoft 365 group is a collaboration construct that by default provisions an Exchange mailbox, a shared calendar and other services such as a SharePoint site and Planner for the group’s members.
Every user who accesses a shared mailbox must have an individual Microsoft 365 license is incorrect because shared mailboxes can be used without individual licenses while they remain within Microsoft's size and feature limits. Licensing may become necessary if you enable an archive or if you convert the shared mailbox to a regular user mailbox, so the licensing rule depends on usage rather than mere access.
Cameron’s Microsoft 365 Certification Exam Tip
When a question contrasts group types focus on the resources each type provisions and the intended use case and remember that Microsoft 365 groups include mailbox and calendar functionality while security groups are primarily for access control.
MS-102 Exam Question 18
Daniel is the identity administrator at a regional technology firm that frequently partners with outside vendors and contractors. He must provision and manage different user accounts in Microsoft Entra to protect access to company resources. Which tasks can Daniel perform in Microsoft Entra to administer internal users and outside collaborators?
- ✓ D. All of the above actions
All of the above actions is correct. Daniel can perform each of the listed tasks in Microsoft Entra so he can Invite outside collaborators as guest users with restricted permissions, Create internal staff accounts and assign specific roles or group memberships, and Enable self service password reset for both internal and guest accounts to manage access for employees and external partners.
Microsoft Entra ID supports external collaboration through B2B guest invitations and policy controls so an administrator can invite outside collaborators and restrict their permissions. The service also provides full user provisioning and role and group assignment features for internal staff. Self service password reset is a configurable authentication and recovery feature that can be enabled and scoped to internal users and to guest accounts when appropriate.
Invite outside collaborators as guest users with restricted permissions is marked wrong by itself because choosing that single action ignores the other administrative tasks in the list. The item is a valid capability of Microsoft Entra but it is not the complete answer when all three tasks are required.
Create internal staff accounts and assign specific roles or group memberships is marked wrong on its own because it describes a correct capability but does not cover the external collaborator and self service password reset aspects that are also part of the full administration answer.
Enable self service password reset for both internal and guest accounts is marked wrong as an individual choice because it is a true feature yet it does not include the user creation and guest invitation tasks that make the combined answer correct.
MS-102 Exam Question 19
You are a compliance officer at a regional insurance firm and you need to assign limited administrative rights for sensitivity labels. Which role groups can you add employees to in order to provide that delegated access?
- ✓ C. Any of the listed Information Protection role groups
The correct option is Any of the listed Information Protection role groups.
This is correct because Microsoft Purview and Microsoft 365 provide a set of Information Protection role groups that are designed to delegate duties for sensitivity labels and related policy management. Adding employees to any of those role groups grants the limited administrative rights needed to create, publish, and manage labels without giving broader tenant wide privileges.
You choose a specific Information Protection role group based on the level of access required. Some groups allow label creation and policy configuration while others focus on monitoring, reporting, or enforcement. The exam answer expects the general choice that covers all valid Information Protection role groups rather than selecting a single named role group.
The option Security Administrators is incorrect because that is a broader security administration role and it is not one of the Information Protection role groups meant specifically for delegating sensitivity label management.
The option Information Protection Analysts is incorrect as a single choice because the question asks which role groups can be used to provide delegated access and the correct response is that any of the listed Information Protection role groups can be used. Selecting this single group is too narrow for the question as written.
The option Information Protection Admins is incorrect for the same reason. That role is one valid Information Protection group, but the exam answer requires acknowledging that any of the listed Information Protection role groups can provide the delegated rights rather than picking only this one.
Cameron’s Microsoft 365 Certification Exam Tip
When an option says Any of the listed it often means the exam is testing whether you recognise a whole category of valid roles rather than a single example. Read the stem carefully and prefer the broader choice when it fits the requirement.
MS-102 Exam Question 20
As the security administrator for Atlas Retail you need to examine every authentication event to compute a risk score from the collected sign-in signals and detectors. Which Identity Protection policy should you activate to perform that per sign-in analysis?
Sign-in risk policy is the correct option.
Sign-in risk policy examines individual authentication events and uses signals and detectors to calculate a risk score for each sign in so you can require additional controls or block access based on that per sign in analysis.
User risk policy is not correct because it assesses the risk that a user account has been compromised across events and behaviors rather than computing a risk score for each individual sign in.
Azure AD Conditional Access policy is not correct because Conditional Access is the enforcement framework that can act on risk signals but it is not the Identity Protection configuration that performs the per sign in risk calculation itself.
MFA registration policy is not correct because that policy forces or guides users to register authentication methods and does not analyze sign in signals to compute a per sign in risk score.
Cameron’s Microsoft 365 Certification Exam Tip
When a question mentions computing a risk score for each authentication event think of Identity Protection and the Sign-in risk policy rather than user level or registration policies.
MS-102 Exam Question 21
You administer identity services for a mid sized firm that recently deployed a new Azure AD tenant and synchronized the on premises Active Directory. After reviewing the Azure AD Connect Health report you discover that twelve user accounts in a particular Organizational Unit failed to synchronize. What action should you take to resolve this synchronization failure?
- ✓ C. Update the Azure AD Connect settings to include the affected Organizational Unit in the synchronization scope
Update the Azure AD Connect settings to include the affected Organizational Unit in the synchronization scope is correct.
This option fixes the root cause because Azure AD Connect can be configured to include or exclude specific organizational units from synchronization and if the OU that contains those twelve accounts was not selected then those accounts will not be synchronized to Azure AD. Updating the synchronization scope to include the missing OU will allow the connector to pick up those objects and replicate them to Azure AD.
Add a new inbound synchronization rule in Azure AD Connect is incorrect because missing objects due to OU filtering are not resolved by adding inbound rules. Inbound synchronization rules control how attributes are projected into the metaverse and not which AD containers are included in the sync scope.
Edit the existing outbound synchronization rule in Azure AD Connect is incorrect because outbound rules govern how objects and attributes flow from the metaverse to Azure AD and they will not include objects that were never brought into the metaverse because their OU was excluded from synchronization.
Create a new outbound synchronization rule in the Synchronization Rules Editor is incorrect for the same reason. Creating or modifying outbound rules does not change which OUs are synchronized from on premises Active Directory, so it will not recover accounts that were omitted by the synchronization scope.
MS-102 Exam Question 22
You are a team lead at Horizon Tech seeking a healthier work life balance and you want a feature that helps you schedule time away from work. Which Viva Insights feature would you use to plan personal time off?
- ✓ C. Viva Insights add in for Outlook
The correct option is Viva Insights add in for Outlook.
The Outlook add in integrates directly with your Outlook calendar and it provides tools to book protected time and plan personal time away, so it is the appropriate feature to schedule personal time off. The add in lets you create calendar events and block focus or quiet time from within Outlook which makes scheduling time away straightforward.
Briefing emails from Viva in Outlook is incorrect because briefing emails provide summaries and suggestions about your day and they do not let you directly schedule calendar time or block personal time away.
Viva Insights app in Teams is incorrect because the Teams app surfaces personal insights and wellbeing recommendations but it does not directly create calendar bookings in the way the Outlook add in does.
Viva Insights dashboard in the Microsoft 365 admin center is incorrect because admin dashboards show organizational level analytics and settings for admins and they are not used by an individual to schedule personal time off.
Cameron’s Microsoft 365 Certification Exam Tip
When a question asks about scheduling time away look for options that mention calendar integration or an add in for Outlook because those features directly create or block calendar events.
MS-102 Exam Question 23
Does HarborTech have the ability to apply Information Barrier policies to guest accounts in Microsoft Teams?
True is correct.
The True option is correct because Information Barrier policies in Microsoft 365 and Teams can be targeted to users that exist in the HarborTech tenant and that includes guest users who are added as Azure AD B2B guest accounts. These policies are created and managed in the Microsoft Purview compliance center and they apply to segments of directory users so guest accounts can be included when you define the segments and rules.
To include guest accounts you must have the guests provisioned in your Azure Active Directory and then include them in the groups or attribute-based segments that the Information Barrier policies use. When the prerequisites and licensing requirements are met the policies will propagate to supported workloads including Microsoft Teams.
The False option is incorrect because it asserts that HarborTech cannot apply Information Barrier policies to guest accounts. That blanket statement is wrong when guests exist as directory users and are explicitly included in the policy segments or groups.
Cameron’s Microsoft 365 Certification Exam Tip
When a question mentions guest accounts first check whether the guest is represented in the tenant and whether policies can target directory attributes or groups. Review the Microsoft Purview documentation for information barriers and the supported workloads before answering.
MS-102 Exam Question 24
In Contoso Cloud App Security what mechanism do app connectors use from application providers to increase visibility and allow control over the services you connect to?
APIs are the correct mechanism that app connectors use from application providers to increase visibility and allow control over the services you connect to.
App connectors call provider APIs to pull activity logs and metadata and to perform management actions, so they can offer both visibility and control. APIs expose programmatic endpoints and scopes that a connector can use at scale to query state, apply policies and make configuration changes on the connected service.
Webhooks are push notifications that an application can send to report events and they can complement visibility for real time alerts, but webhooks do not by themselves provide the full management and querying capabilities that connectors need. Connectors commonly use webhooks alongside APIs rather than relying on them as the primary mechanism.
Service principals are identities used to authenticate applications to call APIs and they serve as credentials rather than as the mechanism that exposes telemetry or control surfaces. A service principal may be used to obtain access to an application’s APIs but it is not the provider mechanism that delivers visibility or control.
SAML metadata contains configuration used for single sign on and federation and it helps establish trust for authentication flows. It does not provide ongoing access to activity data or management operations so it is not how connectors gain visibility or control over services.
OAuth tokens are authorization credentials issued by an authorization server and they enable access to an application’s interfaces, but they are not the mechanism that exposes service capabilities. OAuth tokens are used to authenticate and authorize calls to an application’s APIs rather than replacing the APIs themselves.