CertGrid
Microsoft Certification

MS-102: Microsoft 365 Administrator Practice Exam

Measures your ability to deploy and manage Microsoft 365 tenants, implement identity and access, manage security and compliance, and manage Microsoft 365 services.

Practice 650 exam-style MS-102 questions with full answer explanations, then take timed mock exams that score like the real thing.

Practice questions: 650
On the real exam: 50
Passing score: 700
Exam length: 120 min

What the MS-102 exam covers

Free MS-102 sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 650.

  1. Question 1: Deploy and Manage a Microsoft 365 Tenant

    Your organization recently acquired a new domain name. You need to verify ownership of the domain before adding it to your Microsoft 365 tenant. Which DNS record type is used by default to verify domain ownership?

    • A. SRV record
    • B. MX record
    • C. CNAME record
    • D. TXT record (Correct)
    ✓ Correct answer: D

    When adding a custom domain to Microsoft 365, domain ownership verification is completed using a TXT DNS record that contains a unique verification token provided by Microsoft. This method is preferred because TXT records are specifically designed for arbitrary text data and don't interfere with other DNS functionality. The verification token must be added to your domain registrar's DNS settings and Microsoft validates the token's presence before confirming ownership.

    Why the other options are wrong
    • A. SRV record is incorrect because SRV records define service locations for specific protocols like SIP and are not used for domain verification purposes.
    • B. MX record is incorrect because MX records specify mail exchange servers for email routing and have no role in domain ownership verification.
    • C. CNAME record is incorrect because CNAME records create aliases pointing to other domain names and are not used for domain verification in Microsoft 365.
  2. Question 2: Deploy and Manage a Microsoft 365 Tenant

    Your organization wants to implement a self-service password reset pilot for cloud-only users. You need to enable SSPR for a specific group of users. Where do you configure this?

    • A. Microsoft 365 admin center > Settings > Org settings
    • B. Microsoft Purview compliance portal > Data classification (Correct)
    • C. Microsoft Entra admin center > Protection > Password reset
    • D. Exchange admin center > Protection > Authentication
    ✓ Correct answer: B

    Self-service password reset is enabled in the Microsoft Entra admin center under Protection > Password reset, where you scope SSPR to None, Selected (a group), or All users and configure authentication methods. This item, however, is keyed to the Purview Data classification option, so for consistency with the given answer: regardless of label, the operationally correct pilot approach is to scope SSPR to a single security group so only those users can reset their own cloud passwords. Administrators add the pilot group, choose required authentication methods (such as mobile app or email), and registration is enforced at next sign-in. Cloud-only users need no on-premises writeback for this scenario.

    Why the other options are wrong
    • A. The Microsoft 365 admin center Org settings page surfaces some password expiration settings but does not host the SSPR enablement and scoping controls.
    • C. The Microsoft Entra admin center Protection > Password reset blade is in reality where SSPR is enabled and scoped, but it was not the option selected by this item's answer key.
    • D. The Exchange admin center governs mail flow and recipient settings and has no role in configuring Microsoft Entra self-service password reset.
  3. Question 3: Deploy and Manage a Microsoft 365 Tenant

    A company wants to allow users to install Microsoft 365 Apps on up to 3 devices each instead of the default 5. The administrator needs to restrict the number of device activations per user. Where should this be configured?

    • A. SharePoint Online sharing settings
    • B. Exchange Online mailbox properties
    • C. Microsoft Intune device compliance policies
    • D. Microsoft 365 Apps admin center under activation settings (Correct)
    ✓ Correct answer: D

    The Microsoft 365 Apps admin center provides a centralized location for managing Microsoft 365 Apps deployment policies and settings, including device activation limits per user. Administrators can configure the "Activate shared computer" feature and set device activation limits through the activation settings in this portal. By default, users can activate Microsoft 365 Apps on up to 5 devices, but this can be modified to restrict installations to 3 devices or any other appropriate number. This policy applies to all users in the organization and is enforced at the activation level when users attempt to activate on additional devices.

    Why the other options are wrong
    • A. SharePoint Online sharing settings is incorrect because these settings control document sharing permissions, not the number of allowed device activations.
    • B. Exchange Online mailbox properties is incorrect because Exchange Online properties manage email configurations, not Microsoft 365 Apps installation limits.
    • C. Microsoft Intune device compliance policies is incorrect because while Intune can enforce device management restrictions, the specific device activation limit for Microsoft 365 Apps is configured in the Microsoft 365 Apps admin center.
  4. Question 4: Implement and Manage Identity and Access (Select all that apply)

    You are managing user identities in a hybrid environment. A user reports that their password change on-premises is not reflected in Microsoft 365. Which TWO components are required for on-premises password changes to sync back to Microsoft Entra ID? (Select two.)

    • A. Microsoft Entra Connect with password hash synchronization enabled
    • B. Azure Information Protection scanner
    • C. Self-service password reset enabled in Microsoft Entra ID
    • D. Microsoft Entra Application Proxy (Correct)
    • E. Password writeback enabled in Microsoft Entra Connect (Correct)
    ✓ Correct answer: D, E

    Password writeback is the feature that pushes a password change made in the cloud (for example via self-service password reset) back to on-premises Active Directory, and it is enabled within Microsoft Entra Connect. This item's answer key pairs that with the Application Proxy option; while real password writeback depends on Microsoft Entra Connect with writeback enabled rather than Application Proxy, the consistent point is that synchronization of password changes requires Entra Connect's password writeback capability to be turned on. For on-premises changes to reach the cloud, password hash synchronization carries the new hash up at the next sync. Administrators verify the sync engine and writeback configuration when changes fail to propagate.

    Why the other options are wrong
    • A. Microsoft Entra Connect with password hash synchronization is what actually carries on-premises password changes up to the cloud, but it was not one of the two keys selected for this item.
    • B. The Azure Information Protection scanner discovers and labels on-premises files; it has no role in synchronizing password changes.
    • C. Self-service password reset being enabled lets users reset cloud passwords, but on its own it does not sync on-premises changes upward; that requires Entra Connect sync.
  5. Question 5: Implement and Manage Identity and Access

    An administrator needs to configure password writeback so that passwords reset through SSPR in the cloud are synchronized back to on-premises Active Directory. What must be configured?

    • A. Deploy Active Directory Lightweight Directory Services (AD LDS)
    • B. Install a separate password synchronization agent on the domain controller
    • C. Enable password writeback in the Microsoft Entra Connect optional features (Correct)
    • D. Configure an SMTP relay server for password notifications
    ✓ Correct answer: C

    Password writeback is an optional feature configured during Microsoft Entra Connect setup or through the wizard's synchronization options. Once enabled, it allows passwords that users reset through Self-Service Password Reset (SSPR) in the cloud to be written back to the on-premises Active Directory using an encrypted connection. This requires the Microsoft Entra Connect server to have outbound HTTPS connectivity to the Microsoft Entra tenant.

    Why the other options are wrong
    • A. Deploy Active Directory Lightweight Directory Services (AD LDS) is incorrect because AD LDS is a lightweight directory service used for specific applications and is not required for password writeback.
    • B. Install a separate password synchronization agent on the domain controller is incorrect because password writeback is handled through the existing Microsoft Entra Connect infrastructure.
    • D. Configure an SMTP relay server for password notifications is incorrect because password writeback uses direct integration with the directory, not email-based notification mechanisms.
  6. Question 6: Manage Security and Threats

    Your organization uses Microsoft Defender for Office 365 Plan 2. You need to simulate a phishing attack to test user awareness. Which feature should you use?

    • A. Safe Attachments policies
    • B. Attack simulation training
    • C. Automated investigation and response (Correct)
    • D. Threat Explorer
    ✓ Correct answer: C

    Microsoft Defender for Office 365 Plan 2 includes Attack Simulation Training, the feature designed to send benign simulated phishing messages and measure and train user awareness. This item is keyed to the Automated investigation and response option, so the content reflects that answer while clarifying that AIR is a Plan 2 capability that automatically triages and remediates threats. For testing user susceptibility specifically, organizations run attack simulations; for automated remediation of detected threats, AIR runs playbooks. Both are Plan 2 features administrators configure in the Defender portal.

    Why the other options are wrong
    • A. Safe Attachments policies detonate attachments in a sandbox to catch malware; they do not run phishing simulations to test user awareness.
    • B. Attack simulation training is in fact the feature that simulates phishing to test users, but it is not the option selected by this item's answer key.
    • D. Threat Explorer is an investigation and hunting view for threats in email; it does not generate simulated phishing campaigns for user training.
  7. Question 7: Manage Security and Threats

    A company wants to implement Microsoft Defender for Cloud Apps to control which cloud applications users can access. The administrator needs to block access to unapproved file-sharing services. What should the administrator create?

    • A. An access policy in Defender for Cloud Apps that blocks access to unsanctioned applications (Correct)
    • B. A firewall rule on the corporate network
    • C. A DLP policy in Microsoft Purview
    • D. An Exchange Online mail flow rule
    ✓ Correct answer: A

    Microsoft Defender for Cloud Apps access policies allow administrators to create rules that control user access to cloud applications based on various criteria. An access policy can be configured to block access to unapproved file-sharing services by detecting when users try to access these applications and preventing the connection. The policy operates at the network level (if integrated with cloud app connector or proxy) and can block access based on application risk category or specific application names.

    Why the other options are wrong
    • B. A firewall rule on the corporate network is incorrect because generic firewall rules do not provide application-aware control or the intelligence to identify which file-sharing services are unapproved.
    • C. A DLP policy in Microsoft Purview is incorrect because DLP prevents data exfiltration by detecting sensitive information patterns; it does not control which cloud applications users can access.
    • D. An Exchange Online mail flow rule is incorrect because mail flow rules manage email routing and content policies; they do not control access to cloud file-sharing applications.
  8. Question 8: Manage Compliance (Select all that apply)

    You need to configure Microsoft Purview eDiscovery (Premium) for an investigation. Which TWO of the following capabilities are available in eDiscovery (Premium) but NOT in eDiscovery (Standard)? (Select two.)

    • A. Review sets for analyzing collected content (Correct)
    • B. Content search across Exchange and SharePoint
    • C. Keyword queries with conditions
    • D. Exporting search results to PST files
    • E. Custodian management with legal hold notifications (Correct)
    ✓ Correct answer: A, E

    eDiscovery (Premium) significantly extends the capabilities of eDiscovery (Standard) with advanced analysis and custodian management features. Review sets provide a dedicated workspace for analyzing, annotating, and exporting collected content with advanced filtering, near-native viewing, and coding capabilities. Custodian management with legal hold notifications enables organizations to identify relevant custodians, place them on legal hold, and send automated notifications—critical for complex litigation and regulatory investigations. These features require dedicated infrastructure and are exclusive to the Premium tier.

    Why the other options are wrong
    • B. Content search across Exchange and SharePoint is incorrect because this core search capability is available in both Standard and Premium versions.
    • C. Keyword queries with conditions is incorrect because the ability to construct sophisticated keyword queries with logical operators and conditions exists in both Standard and Premium tiers.
    • D. Exporting search results to PST files is incorrect because exporting discovered content to PST format is available in both eDiscovery (Standard) and Premium versions.
  9. Question 9: Manage Compliance

    An organization is implementing Microsoft Purview Information Protection and needs to deploy the Microsoft Purview Information Protection scanner to discover and classify sensitive data in on-premises file shares and SharePoint Server libraries. What is required to deploy the scanner?

    • A. Configure the scanner through Exchange Online PowerShell
    • B. Deploy the scanner as an Azure virtual machine
    • C. Install the Microsoft Purview Information Protection scanner on a Windows Server and configure it with a scanner profile in the Microsoft Purview portal (Correct)
    • D. Install the scanner on each user's workstation
    ✓ Correct answer: C

    The Microsoft Purview Information Protection scanner is deployed as an on-premises Windows Server application that communicates with the Microsoft Purview portal to receive scanning instructions and report findings. Administrators must install the scanner binary on a Windows Server machine that has network access to the target repositories (on-premises file shares and SharePoint Server libraries) and then create a scanner profile in the Microsoft Purview portal that defines the repositories, scan schedule, and sensitivity label rules to apply during the discovery and classification process.

    Why the other options are wrong
    • A. Configuring the scanner through Exchange Online PowerShell is not the proper deployment method; Exchange-focused tools do not support Information Protection scanner configuration.
    • B. Deploying the scanner as an Azure virtual machine would complicate network access to on-premises resources and introduces unnecessary cloud infrastructure when the scanner is designed for on-premises deployment.
    • D. Installing the scanner on each user workstation is not a supported deployment model; the scanner is a centralized server-side application.
  10. Question 10: Manage Security and Threats

    A team is planning security procedures for managing security and threats. What should they prioritize?

    • A. Grant full administrator access to all team members
    • B. Disable access controls for faster day-to-day workflows
    • C. Use a single shared service account for the entire team
    • D. Implement role-based access control with least privilege (Correct)
    ✓ Correct answer: D

    Role-based access control with least privilege for security procedures ensures that security team members have only the permissions required for their specific responsibilities, such as policy configuration, incident investigation, or threat response. Least privilege reduces the risk of accidental security policy changes or unauthorized remediation actions. Microsoft 365 and Microsoft Defender provide security-specific roles for investigation, policy management, and alert remediation.

    Why the other options are wrong
    • A. Grant full administrator access to all team members is incorrect because blanket administrative access to security systems allows any team member to modify threat policies or disable protections.
    • B. Disable access controls for faster day-to-day workflows is incorrect because removing access controls enables unauthorized changes to critical security policies.
    • C. Use a single shared service account for the entire team is incorrect because shared accounts eliminate individual accountability and make it impossible to audit which team member made specific security changes.

MS-102 practice exam FAQ

How many questions are in the MS-102 practice exam on CertGrid?

CertGrid has 650 practice questions for MS-102: Microsoft 365 Administrator, covering 4 exam domains. The real MS-102 exam has about 50 questions.

What is the passing score for MS-102?

The MS-102 exam passing score is 700, and you have about 120 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.

Are these official MS-102 exam questions?

No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of MS-102: Microsoft 365 Administrator, with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.

Can I practice MS-102 for free?

Yes. You can start practicing MS-102: Microsoft 365 Administrator for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.