
MS-101: Microsoft 365 Mobility and Security Practice Exam

Measures your ability to implement modern device services, implement Microsoft 365 security and threat management, and manage Microsoft 365 governance and compliance.

Practice 647 exam-style MS-101 questions with full answer explanations, then take timed mock exams that score like the real thing.

Practice questions: 647
On the real exam: 50
Passing score: 700
Exam length: 120 min

What the MS-101 exam covers

Free MS-101 sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 647.

  1. Question 1: Implement Modern Device Services

    Your organization wants to automatically enroll Windows 10 devices into Microsoft Intune when users join their devices to Microsoft Entra ID. What must you configure to enable automatic MDM enrollment?

    • A. A device configuration profile in Intune
    • B. A device compliance policy in Intune
    • C. The MDM user scope in Microsoft Entra ID Mobility settings (Correct)
    • D. A Windows Autopilot deployment profile
    ✓ Correct answer: C

    Automatic MDM enrollment for Intune is configured at the Microsoft Entra ID tenant level through the Mobility (MDM and MAM) settings, not through Intune policies. The MDM user scope setting controls which users' devices should be automatically enrolled in Intune when they join the tenant. This is a foundational configuration that enables the automatic enrollment service to function at the directory level before any Intune policies take effect.

    Why the other options are wrong
    • A. A device configuration profile in Intune is incorrect because these profiles configure device settings after enrollment, not the enrollment process itself.
    • B. A device compliance policy in Intune is incorrect because compliance policies evaluate devices after enrollment; they do not trigger enrollment.
    • D. A Windows Autopilot deployment profile is incorrect because Autopilot is a separate provisioning solution and is not required for automatic MDM enrollment to function.
  2. Question 2: Implement Modern Device Services (Select all that apply)

    Woodgrove Bank is planning to implement Conditional Access policies to secure device access to Microsoft 365. Which two conditions can be used in a Conditional Access policy to evaluate device state? (Choose two.)

    • A. Device must be marked as compliant in Intune (Correct)
    • B. Device must be Hybrid Microsoft Entra ID joined (Correct)
    • C. Device must have more than 50% battery remaining
    • D. Device must have a specific screen resolution
    ✓ Correct answer: A, B

    Conditional Access evaluates device state through grant controls tied to device trust. 'Require device to be marked as compliant' checks that Intune has evaluated the device and found it meeting all compliance policy rules before granting access. 'Require Hybrid Microsoft Entra ID joined device' checks that the device is both on-premises AD domain joined and registered with Entra ID, proving it is an organization-managed machine. Both are legitimate, security-relevant device-state signals that policies can require. They let access decisions hinge on whether the device itself is trusted, not just the user.

    Why the other options are wrong
    • C. Battery level above 50 percent is not a Conditional Access device-state condition; battery charge is volatile and security-irrelevant, so the engine offers no such control.
    • D. A specific screen resolution is not a Conditional Access device-state condition; display resolution is a hardware display attribute unrelated to device trust or compliance.
  3. Question 3: Implement Modern Device Services

    A Woodgrove Bank administrator is configuring Microsoft Intune to manage iOS devices for the sales team. The sales team members use personally owned iPhones and should be able to access corporate email without enrolling their entire device. Which enrollment approach should the administrator recommend?

    • A. Apple Configurator enrollment
    • B. Apple Device Enrollment Program (DEP)
    • C. Intune app protection policies without device enrollment (Correct)
    • D. User enrollment with a managed Apple ID
    ✓ Correct answer: C

    For personally owned iPhones where employees should access corporate email without enrolling the entire device, Intune app protection policies (also known as Mobile Application Management or MAM) provide the solution. These policies protect corporate data within managed applications without requiring full device enrollment or management. Users can sign in with their corporate credentials, and the managed email app enforces encryption, data isolation, and selective wipe of corporate data if the policy is breached, allowing personal device usage while protecting corporate resources.

    Why the other options are wrong
    • A. Apple Configurator enrollment is incorrect because this is for bulk enrollment of corporate-owned devices that are physically available.
    • B. Apple Device Enrollment Program (DEP) is incorrect because DEP is designed for corporate-owned device enrollment, not personal devices.
    • D. User enrollment with a managed Apple ID is incorrect because user enrollment still enrolls the device in Intune, whereas app protection policies manage only the application-level data without device enrollment.
  4. Question 4: Implement Microsoft 365 Security and Threat Management

    Contoso wants to create a Conditional Access policy that blocks legacy authentication protocols such as IMAP, POP3, and SMTP for all users. Which client apps condition should the administrator select in the Conditional Access policy?

    • A. Exchange ActiveSync clients
    • B. Mobile apps and desktop clients
    • C. Other clients (Correct)
    • D. Browser
    ✓ Correct answer: C

    The "Other clients" option in the Client apps condition includes legacy authentication protocols such as IMAP, POP3, SMTP, and other non-browser, non-mobile clients that do not support modern authentication. By selecting "Other clients" in the Conditional Access policy, administrators can specifically target these legacy protocols that have security vulnerabilities and cannot enforce MFA or Conditional Access policies. This allows the policy to block or restrict access from legacy email clients that pose security risks due to their inability to support modern authentication mechanisms.

    Why the other options are wrong
    • A. Exchange ActiveSync clients is incorrect because while Exchange ActiveSync is technically a legacy protocol, it is less commonly the primary target for blocking legacy authentication; "Other clients" more comprehensively covers IMAP, POP3, and SMTP.
    • B. Mobile apps and desktop clients is incorrect because this condition includes modern applications that support conditional access and MFA, not legacy protocols; these clients should generally be allowed with MFA rather than blocked.
    • D. Browser is incorrect because browser access typically uses modern authentication protocols and can support MFA and Conditional Access; this condition is not related to blocking legacy protocols.
  5. Question 5: Implement Microsoft 365 Security and Threat Management

    You need to configure automated investigation and response (AIR) in Microsoft Defender for Office 365. A user reports a phishing email. What happens after you submit the email for investigation?

    • A. The email is automatically deleted from all mailboxes without investigation
    • B. The user receives a training module about phishing
    • C. AIR analyzes the email and related entities, then provides recommended remediation actions for approval (Correct)
    • D. The sender is automatically blocked from sending further emails
    ✓ Correct answer: C

    Automated Investigation and Response (AIR) in Microsoft Defender for Office 365 conducts automated analysis of submitted emails by examining sender reputation, URL analysis, attachment analysis, and related message chains. The AIR system traces related entities including other emails from the same sender, recipients, and impacted mailboxes, then generates a detailed investigation report with recommended remediation actions such as deleting emails, disabling accounts, or blocking senders. These recommendations are presented to security analysts for approval before execution, maintaining human oversight while accelerating response times. This human-in-the-loop approach reduces false positives and ensures organizational policy alignment.

    Why the other options are wrong
    • A. The email is automatically deleted from all mailboxes without investigation is incorrect because AIR performs thorough analysis before any remediation and never takes automatic deletion actions without analyst approval.
    • B. The user receives a training module about phishing is incorrect because AIR is an incident response tool focused on threat analysis and remediation, not user training; training is handled through separate Attack Simulation Training programs.
    • D. The sender is automatically blocked from sending further emails is incorrect because AIR provides recommended actions for analyst approval rather than automatically blocking senders, which could inadvertently block legitimate users and requires human judgment.
  6. Question 6: Implement Microsoft 365 Security and Threat Management

    An administrator at Tailspin Toys needs to configure Microsoft 365 Defender to automatically correlate alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps into unified incidents. How is this functionality enabled?

    • A. By enabling the unified audit log in the compliance center
    • B. By creating custom alert correlation rules in Microsoft 365 Defender
    • C. This is automatically enabled when the services are connected to Microsoft 365 Defender (Correct)
    • D. By configuring a SIEM integration with Azure Sentinel
    ✓ Correct answer: C

    Microsoft 365 Defender automatically correlates alerts and creates unified incidents from all connected Defender services (Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps) without requiring any manual configuration of correlation rules. When these services are connected to the Microsoft 365 Defender portal, the platform's backend automatically applies intelligent correlation logic to group related alerts into unified incidents, providing a single pane of glass for threat investigation.

    Why the other options are wrong
    • A. By enabling the unified audit log in the compliance center is incorrect because the unified audit log records user and administrative actions but does not provide the incident correlation functionality needed to combine alerts from multiple security services.
    • B. By creating custom alert correlation rules in Microsoft 365 Defender is incorrect because while custom alert rules can be created for tuning, the core incident correlation across Defender services is built-in and automatic. Custom rules are not required for this functionality.
    • D. By configuring a SIEM integration with Azure Sentinel is incorrect because Azure Sentinel is a separate SIEM service. Microsoft 365 Defender provides native incident correlation without requiring external SIEM integration, though Azure Sentinel can optionally consume the correlated data.
  7. Question 7: Manage Microsoft 365 Governance and Compliance

    Contoso Ltd. needs to export the results of a content search in Microsoft Purview for legal review. The exported results must include all email messages and documents matching the search criteria. Which export option should they choose to include the original email format?

    • A. Export as PST files for email and native format for documents (Correct)
    • B. Export as PDF files only
    • C. Export as plain text files
    • D. Export as CSV files
    ✓ Correct answer: A

    When exporting content search results from Microsoft Purview for legal review, the export option to use PST files for emails and native format for documents preserves the original file formats and ensures compatibility with legal review tools. PST (Personal Storage Table) format maintains the email message structure, properties, and metadata, while native format for documents preserves the original application format (Word, Excel, PDF, etc.), enabling legal teams to review content as originally created and ensure chain-of-custody integrity.

    Why the other options are wrong
    • B. Export as PDF files only is incorrect because converting all email and documents to PDF loses important metadata, email structure, and formatting information required for legal review and may introduce compatibility issues with legal discovery workflows.
    • C. Export as plain text files is incorrect because plain text format loses all formatting, metadata, and structural information from both emails and documents, making it unsuitable for legal review and reducing the evidentiary value.
    • D. Export as CSV files is incorrect because CSV format is appropriate only for structured data with rows and columns, not for email messages or complex documents, and would result in loss of content and metadata.
  8. Question 8: Manage Microsoft 365 Governance and Compliance

    You need to configure a retention policy that applies to all Microsoft 365 Groups in your organization. You want to retain content for 5 years and then automatically delete it. Which retention policy scope should you use?

    • A. Exchange mailbox retention policy
    • B. Static scope targeting all Microsoft 365 Groups (Correct)
    • C. SharePoint site-level retention
    • D. Adaptive scope with a query for Microsoft 365 Groups
    ✓ Correct answer: B

    A static scope is used to apply retention policies across a specific, explicitly defined set of Microsoft 365 Groups in your organization. This approach ensures that all selected groups receive consistent retention settings that retain content for the specified period and then automatically delete expired items. Static scopes provide clarity and control over which groups are subject to the retention policy, making it ideal for organizational requirements that apply uniformly to all Microsoft 365 Groups.

    Why the other options are wrong
    • A. Exchange mailbox retention policy is incorrect because this targets individual mailboxes rather than Microsoft 365 Groups collectively.
    • C. SharePoint site-level retention is incorrect because while Microsoft 365 Groups include SharePoint sites, this option applies to individual sites rather than all groups organization-wide.
    • D. Adaptive scope with a query for Microsoft 365 Groups is incorrect because adaptive scopes use dynamic queries and conditions, whereas a straightforward "all groups" requirement is better served by static scope.
  9. Question 9: Implement Modern Device Services

    You need to configure tenant-wide settings for Windows enrollment in Intune. You want to enable automatic MDM enrollment for all Azure AD joined devices. Where should you configure this?

    • A. Azure AD > Devices > Device settings > Users may join devices
    • B. Intune admin center > Tenant administration > Connectors
    • C. Intune admin center > Device enrollment > Enrollment restrictions
    • D. Azure AD > Mobility (MDM and MAM) > Microsoft Intune enrollment scope (Correct)
    ✓ Correct answer: D

    Tenant-wide automatic MDM enrollment for Azure AD joined Windows devices is configured under Azure AD > Mobility (MDM and MAM) by setting the Microsoft Intune MDM user/enrollment scope. Setting that scope to All or to a chosen group is what makes Azure AD joined devices enroll into Intune automatically as they join. This is the directory-level switch that governs who is auto-enrolled across the organization. Other locations either control joining or limit enrollment but do not enable automatic enrollment.

    Why the other options are wrong
    • A. Azure AD > Devices > Device settings > 'Users may join devices' only governs whether users can join devices to Azure AD; it does not enable automatic MDM enrollment.
    • B. Intune admin center > Tenant administration > Connectors integrates Intune with external systems and does not set the MDM enrollment scope that triggers auto-enrollment.
    • C. Intune admin center > Device enrollment > Enrollment restrictions limits device platforms and per-user counts rather than turning on tenant-wide automatic enrollment.
  10. Question 10: Manage Microsoft 365 Governance and Compliance

    Which best practice should be followed when managing Manage within Manage Microsoft 365 Governance and Compliance?

    • A. Use the smallest possible configuration at all times
    • B. Design for high availability with redundant components (Correct)
    • C. Skip failover testing to save time and budget
    • D. Deploy to a single instance to reduce overall costs
    ✓ Correct answer: B

    Compliance management systems must maintain continuous availability to ensure that compliance policies are always enforced and audit events are always recorded. Redundant components prevent single points of failure that could result in undetected compliance violations or loss of audit evidence. Failover testing ensures that compliance systems remain operational during infrastructure incidents.

    Why the other options are wrong
    • A. Use the smallest possible configuration at all times is incorrect because undersized compliance systems may fail to record all audit events during peak activity periods.
    • C. Skip failover testing to save time and budget is incorrect because untested failover systems often fail at critical moments; compliance systems that fail mean compliance violations go undetected.
    • D. Deploy to a single instance to reduce overall costs is incorrect because a single compliance system is a critical single point of failure whose failure would mean undetected policy violations.

MS-101 practice exam FAQ

How many questions are in the MS-101 practice exam on CertGrid?

CertGrid has 647 practice questions for MS-101: Microsoft 365 Mobility and Security, covering 3 exam domains. The real MS-101 exam has about 50 questions.

What is the passing score for MS-101?

The MS-101 exam passing score is 700, and you have about 120 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.

Are these official MS-101 exam questions?

No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of MS-101: Microsoft 365 Mobility and Security, with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.

Can I practice MS-101 for free?

Yes. You can start practicing MS-101: Microsoft 365 Mobility and Security for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.