Microsoft MS-102 Exam Dumps & Practice Test Questions
Question 1:
Fabrikam, Inc. plans to migrate its on-premises environment to Microsoft 365. Before moving 100 sales mailboxes to Exchange Online and enabling Teams, the IT team must verify ownership of the custom domain in Microsoft 365.
Which DNS record type should they create in the public DNS zone to prove domain ownership?
A. Host (A)
B. Host Information (HINFO)
C. Text (TXT)
D. Pointer (PTR)
Answer: C
Explanation:
When you add a custom domain to Microsoft 365, Microsoft must confirm that you actually control it before it will accept the domain for mail or identities. The proof is a DNS record that you publish in the domain's public zone. Microsoft accepts two record types for this, TXT or MX, and recommends TXT because it is simple, carries no operational meaning of its own, and has no effect on mail flow.
A TXT record publishes free-form text in DNS. The add-domain wizard in the Microsoft 365 admin center shows a unique verification string of the form MS=ms######## . You create a TXT record at the zone apex (host name @, for example fabrikam.com) whose value is exactly that string. Microsoft's validation service then queries public DNS for the apex TXT records; when it finds a record whose value matches the string exactly, the domain's status changes to Verified, and you can proceed with the two pilot projects (the sales mailbox migration and the Teams rollout). Two practical points: the token must be its own TXT record (appending it to an existing SPF record does not verify), and if the wizard reports the record as missing, check the zone from the Internet rather than from an internal resolver, and allow the record's TTL to elapse if you have just edited it.
Here’s why the other record options are unsuitable:
Option A (Host A): Maps a hostname to an IPv4 address. It is used for locating servers on the Internet, not for domain ownership verification.
Option B (HINFO): Conveys information about host hardware and operating system. Very seldom used in production DNS zones and not leveraged by Microsoft for domain verification.
Option D (PTR): Performs a reverse lookup from an IP address to a domain name. This is useful for email reputation (reverse DNS) but irrelevant to proving domain control.
Why TXT is preferred over MX for domain verification: Microsoft also accepts a verification-only MX record, whose target and priority the wizard supplies. Because MX records decide where mail for the domain is delivered, a typo or a priority that outranks your real mail exchangers can misroute or bounce mail for as long as the record is in place. A TXT record carries no routing meaning, so a mistake costs nothing but a failed verification attempt.
By choosing TXT, Fabrikam’s DNS administrators can quickly add and remove the record without impacting existing services like on-premises Exchange or external DNS configurations. Once the domain is verified, they can safely migrate the pilot users’ mailboxes to Exchange Online, configure Teams, and ensure a seamless transition with minimal disruption to email delivery and authentication.
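The check a DNS administrator would run before asking the wizard to verify, as an added example that is not part of the original page. The domain, the token MS=ms12345678 and the sample TXT answers are constructed; lookup_txt shells out to dig (which must be installed) and is not needed for the offline demo.

```python
"""Check that a Microsoft 365 domain-verification TXT record is published correctly.

Added example, not part of the original page. The token, the sample zone answers
and the domain name are constructed for illustration.
"""
import shlex
import subprocess
from typing import Iterable, Optional


def _unquote_txt(rdata: str) -> str:
    """Join the quoted character-strings of one TXT RDATA into a single value.

    A TXT record may be stored as several quoted strings ("MS=ms" "12345678");
    resolvers concatenate them, so we do the same before comparing.
    """
    return "".join(shlex.split(rdata)) if '"' in rdata else rdata.strip()


def find_verification_record(txt_rdatas: Iterable[str], token: str) -> Optional[str]:
    """Return the TXT record that exactly equals the Microsoft token, or None.

    The token must be a record of its own. A token embedded in another record
    (for example appended to an SPF string) is not an exact match and will not
    verify, which is the usual reason the wizard keeps reporting "not found".
    """
    for rdata in txt_rdatas:
        if _unquote_txt(rdata) == token:
            return rdata
    return None


def lookup_txt(domain: str) -> list[str]:
    """Query the public zone with dig (must be on PATH); not used by the offline demo."""
    out = subprocess.run(["dig", "+short", "TXT", domain],
                         capture_output=True, text=True, check=True)
    return [line for line in out.stdout.splitlines() if line.strip()]


# Constructed sample answers for the apex of an example zone, as dig +short prints them.
SAMPLE_APEX_TXT = [
    '"v=spf1 include:spf.protection.outlook.com -all"',
    '"MS=ms" "12345678"',                  # token split across two strings: still an exact match
    '"google-site-verification=abc123"',
]
SAMPLE_TOKEN = "MS=ms12345678"            # constructed; the real value comes from the wizard


def demo() -> bool:
    """True when the constructed zone carries the verification token as its own record."""
    return find_verification_record(SAMPLE_APEX_TXT, SAMPLE_TOKEN) is not None


if __name__ == "__main__":
    print("verified" if demo() else "token not found")
```

Run it against a real zone with `find_verification_record(lookup_txt("fabrikam.com"), token)`; querying from outside the corporate network is the point, since Microsoft's validator sees only the public zone.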
Question 2:
Fabrikam is running a pilot project to migrate 100 sales department users to Microsoft 365. These users will utilize Microsoft Exchange and Microsoft Teams post-migration. The company wants to maintain seamless authentication for both on-premises and cloud applications throughout the pilot. Even if the on-premises Active Directory becomes temporarily unreachable, users should be able to sign in automatically to both environments.
Which authentication method should be implemented to ensure smooth sign-in for all sales users during the pilot phases?
A. pass-through authentication
B. pass-through authentication and seamless SSO
C. password hash synchronization and seamless SSO
D. password hash synchronization
Answer: C
Explanation:
The requirement that decides this question is the last one: users must still be able to sign in automatically while the on-premises Active Directory is temporarily unreachable. Only password hash synchronization (PHS) satisfies that, and seamless single sign-on (SSO) supplies the automatic part, so the combination in option C is correct.
Pass-through authentication (PTA) validates every cloud sign-in in real time: a PTA agent running on premises receives the credential from Microsoft Entra ID and checks it against a domain controller. Nothing is stored in the cloud, which is its appeal, but it also means that when no agent can reach a domain controller, sign-in to Exchange Online and Teams fails. Options A and B therefore cannot meet the outage requirement.
With PHS, Microsoft Entra Connect copies a salted hash of each user's on-premises password hash to Entra ID (the password itself is never sent, and a password change is synchronized within roughly two minutes). Cloud sign-ins are then validated by Entra ID itself with no dependency on on-premises infrastructure, which is why Microsoft recommends PHS as the primary method for most organizations and as the fallback for tenants that use PTA or federation. Users keep signing in with the same UPN and password.
Seamless SSO adds the automatic sign-in: on a domain-joined Windows device on the corporate network, Entra ID obtains a Kerberos ticket for a computer account (AZUREADSSOACC) that Entra Connect creates in the on-premises forest, so users reach Exchange Online and Teams without typing credentials. It works with either PHS or PTA, and because it needs the on-premises domain controllers to issue the ticket it falls back to an interactive prompt when they are unreachable; with PHS that prompt still succeeds. Option D (PHS alone) survives the outage but gives no automatic sign-in.
Two cautions. PHS does not keep on-premises applications working while AD is down (no cloud authentication method can), so the requirement is really about cloud sign-in surviving the outage. And PHS does not by itself replace MFA or Conditional Access, which should still be enforced on the cloud side; syncing password hashes also enables Entra ID Protection's leaked credential detection, a further argument for PHS.
Question 3:
Fabrikam is migrating email and document services to Microsoft 365 with two pilot phases: moving 100 sales users’ mailboxes and enabling Microsoft Teams. They also create a group named UserLicenses to manage Microsoft 365 license assignments. Users must continue authenticating with their current credentials using their UPN, and one user (User1) needs full read access to all Data Loss Prevention (DLP) reports in Microsoft Purview. Automatic sign-in for both cloud and on-premises apps is required, membership in UserLicenses must be validated monthly, and the principle of least privilege must be followed.
Which role should you assign to User1 to fulfill these requirements?
A. Hygiene Management
B. Security Reader
C. Security Administrator
D. Records Management
Answer: B
Explanation:
In this scenario, User1 requires the ability to view all Data Loss Prevention (DLP) reports in the Microsoft Purview compliance portal. To grant this access while adhering to the principle of least privilege—meaning users get only the permissions they need without excess—assigning the Security Reader role is the best choice.
The Security Reader role (available as a Microsoft Entra directory role and as the Security Reader role group in the Purview and Defender portals) grants read-only access to security and compliance reporting, including DLP reports and alerts; the role group includes view-only DLP compliance permissions. User1 can therefore open and review every DLP report without being able to change a DLP policy, which is exactly the split the requirement asks for: full visibility, no control.
Here’s why the other roles are less suitable:
Hygiene Management is an Exchange Online role group for managing anti-spam and anti-malware settings; it grants nothing in the Purview compliance portal and no access to DLP reports.
Security Administrator grants elevated permissions, including managing security settings and alerts. This exceeds User1’s need and violates the least privilege principle.
Records Management is primarily concerned with managing retention policies, records, and governance—not security or DLP reporting—making it irrelevant here.
This setup also ensures that during migration, User1 can maintain access to necessary security insights without risking accidental or unauthorized policy changes. Meanwhile, other migration requirements—like authenticating with existing UPNs and automatic sign-in—can be supported through proper synchronization and SSO configurations.
Assigning User1 the Security Reader role thus satisfies the business need for report visibility while maintaining security best practices and compliance during Fabrikam’s Microsoft 365 migration.
Question 4:
You want to find all users licensed for Office 365 via group membership within your Microsoft 365 environment. Additionally, you need to identify the specific groups that assigned these licenses.
Which Microsoft 365 tool or feature should you use to obtain a list of these users and the corresponding licensing groups?
A. Active users in the Microsoft 365 admin center
B. Reports in Microsoft Purview compliance portal
C. The Licenses blade in the Microsoft Entra admin center
D. Reports in the Microsoft 365 admin center
Answer: C
Explanation:
The task has two parts: list the users who hold an Office 365 license because of a group, and show which group each license comes from. The place that exposes both in one view is the Licenses blade in the Microsoft Entra admin center (Billing > Licenses > All products). Selecting a product opens its Licensed users list, which carries an Assignment Paths column reading Direct or Inherited followed by the group name. The same blade also surfaces assignments that are in an error state, which matters because a group-based assignment can fail (for example when the tenant runs out of licenses) while the user still appears to be a member of the licensing group.
The Active users page in the Microsoft 365 admin center (option A) shows which licenses each user has, but not, as a list across users, whether a license was assigned directly or inherited and from which group. The Microsoft Purview compliance portal (option B) reports on data governance and security events, not licensing. The Reports section of the Microsoft 365 admin center (option D) holds usage and adoption reports such as Active users, Email activity and Teams activity; none of them records how a license was assigned.
For anything beyond a one-off check, query the same data through Microsoft Graph: a user's licenseAssignmentStates collection carries an assignedByGroup property holding the group's object id (null for a direct assignment) together with state and error values, which is what the blade renders.
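The Graph-based version of the same audit, as an added example that is not part of the original page. It processes data in the shape Microsoft Graph returns for users (licenseAssignmentStates), groups and subscribedSkus; the records at the bottom are constructed sample data with placeholder ids, and fetch_all is only needed against a live tenant.

```python
"""List users whose Microsoft 365 licenses are inherited from groups, with the group names.

Added example, not part of the original page. It works on data in the shape that
Microsoft Graph returns for GET /users?$select=id,userPrincipalName,licenseAssignmentStates,
GET /groups?$select=id,displayName and GET /subscribedSkus; the records at the bottom are
constructed sample data with placeholder ids, and fetch_all is only needed for a live tenant.
"""
import json
import urllib.request
from collections import defaultdict
from typing import Any

GRAPH = "https://graph.microsoft.com/v1.0"


def fetch_all(url: str, token: str) -> list[dict[str, Any]]:
    """Follow @odata.nextLink paging; needs a token with User.Read.All and Group.Read.All."""
    items: list[dict[str, Any]] = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink", "")
    return items


def inherited_licenses(users, groups_by_id, sku_names):
    """Map UPN -> list of group-assigned licenses (direct assignments are skipped).

    assignedByGroup is the group's object id for a group-based assignment and None
    for a direct one. state/error expose assignments that did not actually apply
    ("Error" with CountViolation when the tenant ran out of licenses, for example),
    which no admin-center list shows side by side with the source group.
    """
    report = defaultdict(list)
    for user in users:
        for st in user.get("licenseAssignmentStates", []):
            group_id = st.get("assignedByGroup")
            if not group_id:
                continue
            report[user["userPrincipalName"]].append({
                "sku": sku_names.get(st["skuId"], st["skuId"]),
                "group": groups_by_id.get(group_id, group_id),
                "state": st.get("state", "Unknown"),
                "error": st.get("error") or "None",
            })
    return dict(report)


def live_report(token: str):
    """Same report from a real tenant (not executed in the offline demo)."""
    users = fetch_all(f"{GRAPH}/users?$select=id,userPrincipalName,licenseAssignmentStates", token)
    groups = {g["id"]: g["displayName"]
              for g in fetch_all(f"{GRAPH}/groups?$select=id,displayName", token)}
    skus = {s["skuId"]: s["skuPartNumber"] for s in fetch_all(f"{GRAPH}/subscribedSkus", token)}
    return inherited_licenses(users, groups, skus)


# Constructed sample data (placeholder ids, not real Microsoft identifiers).
SAMPLE_GROUPS = {"grp-userlicenses": "UserLicenses", "grp-research": "ResearchLicenses"}
SAMPLE_SKUS = {"sku-e3": "ENTERPRISEPACK", "sku-pbi": "POWER_BI_PRO"}
SAMPLE_USERS = [
    {"userPrincipalName": "user1@fabrikam.com", "licenseAssignmentStates": [
        {"skuId": "sku-e3", "assignedByGroup": "grp-userlicenses", "state": "Active", "error": "None"}]},
    {"userPrincipalName": "user2@fabrikam.com", "licenseAssignmentStates": [
        {"skuId": "sku-e3", "assignedByGroup": None, "state": "Active", "error": "None"}]},  # direct
    {"userPrincipalName": "user3@fabrikam.com", "licenseAssignmentStates": [
        {"skuId": "sku-e3", "assignedByGroup": "grp-userlicenses", "state": "Active", "error": "None"},
        {"skuId": "sku-pbi", "assignedByGroup": "grp-research", "state": "Error", "error": "CountViolation"}]},
]


def demo():
    """Report over the constructed sample: user2 (direct) is absent, user3 shows a failed assignment."""
    return inherited_licenses(SAMPLE_USERS, SAMPLE_GROUPS, SAMPLE_SKUS)


if __name__ == "__main__":
    for upn, rows in demo().items():
        for r in rows:
            print(f"{upn:24} {r['sku']:16} via {r['group']:18} {r['state']} {r['error']}")
```

The error column is the part worth keeping in the monthly UserLicenses review the scenario calls for: a CountViolation means the group put the user in scope but no license was actually granted.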
Question 5:
You manage a Microsoft 365 subscription with users spread across different departments. You need to implement group-based licensing to fulfill these conditions:
Assign Office 365 E3 licenses to all users but exclude the Power Automate license feature.
Assign Enterprise Mobility + Security E5 licenses to all users.
Assign Power BI Pro licenses only to users in the research department.
Assign Visio Plan 2 licenses only to users in the marketing department.
What is the smallest number of groups you must create to assign these licenses correctly?
A. 1
B. 2
C. 3
D. 4
E. 5
Answer: C
Explanation:
Group-based licensing in Microsoft Entra ID assigns licenses automatically as users enter and leave a group, which removes the manual per-user step and keeps assignments consistent. What determines the number of groups is not the number of products but the number of distinct populations: a single group can be assigned several products at once, and each product assignment on the group carries its own set of disabled service plans.
Walk through the four requirements:
Office 365 E3 for all users, with the Power Automate service plan disabled: one group containing all users, with E3 assigned and the Power Automate plan unchecked in that assignment.
Enterprise Mobility + Security E5 for all users: the same population as E3, so it is added as a second product on the same group. EMS E5 being a separate SKU does not force a separate group.
Power BI Pro for the research department only: a second group whose membership is the research department.
Visio Plan 2 for the marketing department only: a third group for marketing.
Three groups cover every requirement, and that is the minimum: the three audiences differ, and no group can serve two of them. For the all-users group, a dynamic membership rule such as user.objectId -ne null is a common way to avoid maintaining membership by hand.
Two caveats for the design. If a user ends up in two groups that both assign the same product with different disabled plans, the user receives the union of the enabled plans, so per-group plan exclusions are not a way to take a feature away from a subset of users. And when the tenant runs out of licenses the group assignment fails without the user noticing (the assignment shows an error state), so licensing errors should be reviewed after each change.
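The reasoning above as a small model, added here and not part of the original page: it partitions the requirements by audience, builds the assignLicense request body for each group, and shows the union rule for a user in overlapping groups. SKU and service-plan ids are placeholders, not Microsoft's real GUIDs.

```python
"""Minimum number of licensing groups for a set of product requirements.

Added example, not part of the original page. It encodes the rule that drives the
answer: an Entra group can carry several products, each with its own disabled
service plans, so products with the same target population share one group.
SKU and service-plan ids are placeholders, not Microsoft's real GUIDs.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Requirement:
    product: str                          # display name, for reporting
    sku_id: str                           # placeholder for the product's skuId
    audience: str                         # "all" or a department
    disabled_plans: tuple[str, ...] = ()  # placeholder servicePlanIds to leave off


def plan_groups(reqs):
    """One licensing group per distinct audience; each holds every product for that audience."""
    groups = defaultdict(list)
    for r in reqs:
        groups[r.audience].append(r)
    return dict(groups)


def assign_license_body(reqs) -> dict[str, Any]:
    """Request body for POST /groups/{id}/assignLicense (same shape as for a user)."""
    return {
        "addLicenses": [{"skuId": r.sku_id, "disabledPlans": list(r.disabled_plans)} for r in reqs],
        "removeLicenses": [],
    }


def effective_plans(memberships, groups, catalog):
    """Plans a user ends up with when several groups assign the same SKU.

    Group-based licensing takes the union of enabled plans across groups, so a plan
    disabled in one group but enabled in another is still granted.
    """
    enabled = defaultdict(set)
    for audience in memberships:
        for r in groups.get(audience, []):
            enabled[r.sku_id] |= set(catalog[r.sku_id]) - set(r.disabled_plans)
    return {sku: sorted(p) for sku, p in enabled.items()}


REQUIREMENTS = [
    Requirement("Office 365 E3", "sku-o365-e3", "all", disabled_plans=("plan-power-automate",)),
    Requirement("Enterprise Mobility + Security E5", "sku-ems-e5", "all"),
    Requirement("Power BI Pro", "sku-powerbi-pro", "research"),
    Requirement("Visio Plan 2", "sku-visio-p2", "marketing"),
]
# Constructed catalogue of service plans per SKU (placeholder ids).
CATALOG = {
    "sku-o365-e3": ["plan-exchange", "plan-sharepoint", "plan-teams", "plan-power-automate"],
    "sku-ems-e5": ["plan-intune", "plan-entra-p2"],
    "sku-powerbi-pro": ["plan-powerbi"],
    "sku-visio-p2": ["plan-visio"],
}


def minimum_groups(reqs=REQUIREMENTS) -> int:
    return len(plan_groups(reqs))


if __name__ == "__main__":
    for audience, reqs in plan_groups(REQUIREMENTS).items():
        print(audience, [r.product for r in reqs], assign_license_body(reqs))
    print("groups needed:", minimum_groups())
```

Resolve the placeholder ids with GET /subscribedSkus (skuId and servicePlans[].servicePlanId) before sending a real assignLicense request.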
Question 6:
Your organization wants to enforce that all Global Administrators register for Multi-Factor Authentication (MFA) without requiring manual per-user enabling.
Which feature should you configure in Azure AD to automate MFA registration for privileged roles, while also providing an approval workflow for assignment?
A. Azure AD Conditional Access policy requiring MFA for Global Administrators
B. Azure AD Privileged Identity Management (PIM) with an MFA registration policy
C. Azure AD Identity Protection risk policy for user risk level
D. Microsoft 365 security defaults
Answer: B
Explanation:
Ensuring that privileged administrators use multifactor authentication (MFA) is critical to securing a Microsoft 365 tenant. Conditional Access (Option A) can require MFA at sign-in, and a user who has not registered is walked through registration at that point, but it knows nothing about role assignments and offers no approval workflow. Security defaults (Option D) require every user to register MFA within 14 days and enforce it for administrators, but they apply tenant-wide, cannot be scoped to a role, and have no approval step either. Identity Protection (Option C) raises MFA or blocks sign-in based on risk, and its separate MFA registration policy can require registration for selected users, but neither provides approval for a role assignment.
Microsoft Entra Privileged Identity Management (PIM), Option B, is the feature built around privileged roles. Administrators are made eligible for Global Administrator rather than permanently assigned, and the role's settings define what must happen at activation: you can require MFA (or a Conditional Access authentication context), require a justification, and require approval by named approvers before the activation takes effect. Because MFA is required to activate, an eligible administrator who has never registered is forced through MFA registration before obtaining the role for the first time, which is the automated registration the question asks for. PIM has no separately named "MFA registration policy"; the activation requirement is what enforces registration. PIM requires a Microsoft Entra ID P2 or Microsoft Entra ID Governance license.
Steps to implement:
In the Microsoft Entra admin center, open Identity governance > Privileged Identity Management > Microsoft Entra roles.
Select the Global Administrator role, open its role settings and edit them.
Under Activation, set "On activation, require" to multifactor authentication (or an authentication context), require justification, and enable "Require approval to activate"; add at least two approvers who are not themselves the eligible administrators.
Optionally require MFA on active assignment as well, and set a maximum activation duration (a few hours) so elevated sessions expire.
Under Assignments, add the administrators as eligible members and remove their permanent (active) assignments, keeping one break-glass account as a permanently active exception that is excluded from these controls and monitored.
After this, an eligible Global Administrator must satisfy MFA (registering first if necessary) and obtain approval on every activation, and the elevation itself is time-bound and written to the audit log. This centralizes privileged role governance, removes standing privileged access, and ensures every working administrator is MFA-protected, making Option B the correct choice.
Question 7:
You need to implement a company-wide data governance policy that prevents users from deleting email messages older than seven years, mandated by compliance regulations.
Which Microsoft 365 feature should you use?
A. Sensitivity labels in Microsoft Purview Information Protection
B. Retention policy in Microsoft Purview Compliance
C. Data Loss Prevention (DLP) policy
D. Litigation hold on mailboxes
Answer: B
Explanation:
Compliance requirements often mandate that organizations retain records—including email—for a minimum period. To enforce deletion prevention for messages older than a specified retention period, a Retention policy in Microsoft Purview Compliance is the most appropriate.
Sensitivity labels (Option A) classify and protect content (encryption, marking), but they do not enforce retention or prevent deletion.
Data Loss Prevention (Option C) policies monitor and block sensitive data exfiltration but aren’t designed to manage retention spans.
Litigation hold (Option D) preserves a mailbox's contents for eDiscovery, optionally for a set number of days, but it is applied mailbox by mailbox, deletes nothing when the period ends, and is a legal-hold tool rather than a governance policy for the whole organization.
Retention policies let you define how long Microsoft 365 retains content in Exchange Online, SharePoint, OneDrive and Teams. You can create one policy that applies to all mailboxes with a seven-year period (Purview stores periods in days; seven years is 2,555 days). A policy does one of three things:
Retain only: keeps items for the period even if a user deletes them, then does nothing further; users may delete them afterwards.
Retain and then delete: keeps items for the period and deletes them automatically when it ends. This is the behavior the requirement calls for.
Delete only: deletes items older than the period without protecting them beforehand.
To implement:
Sign in to the Microsoft Purview portal.
Open Data lifecycle management > Microsoft 365 > Retention policies (in the older compliance center, Policies > Retention).
Create a new retention policy and name it (for example, "7-Year Email Retention").
Under Locations, select Exchange mailboxes and include all mailboxes.
Choose to retain items for 7 years, based on when they were created or last modified, and select "Delete items automatically" at the end of the period.
Complete the wizard and allow time for the policy to reach all mailboxes (up to seven days).
How it behaves is worth spelling out: users can still press Delete, and the message disappears from their view, but a copy is kept in the mailbox's Recoverable Items folder until the seven years elapse and cannot be purged by the user; searches and eDiscovery still find it. Once the period ends, Microsoft 365 removes the item automatically, so the organization meets the regulation with minimal manual oversight. Hence, Option B is the correct solution.
Question 8:
Your tenant uses Microsoft Teams for collaboration, but management wants to restrict external guest access to only certain Teams. They’ve created a security group named “GuestEditors” containing users authorized to manage guests.
How do you enforce that only members of GuestEditors can add or remove external guests to Teams?
A. Configure an Azure AD Conditional Access policy blocking guest invitations for everyone except GuestEditors
B. Enable “Guests can invite” in Azure AD and assign GuestEditors to the “Guest Inviter” role
C. Set the Teams external access policy to block guests globally, then whitelist GuestEditors
D. Use a Microsoft Graph API script to remove unauthorized guests daily
Answer: B
Explanation:
Microsoft 365 controls who may invite external guests at the tenant level, through the Microsoft Entra external collaboration settings, and Teams honors that setting when a team owner tries to add a guest (adding a guest to a team creates a B2B invitation). Conditional Access (Option A) governs sign-in conditions, not who may send an invitation. Teams external access (Option C) is federation with other Microsoft 365 organizations for chat and calls, a different feature from guest access, and it does not assign invitation rights to users. A scheduled removal script (Option D) only cleans up after the fact; it prevents nothing.
The preventive control is Option B: restrict guest invitations to administrators and holders of the Guest Inviter role, then give that role to the GuestEditors members. Here's how:
In the Microsoft Entra admin center, open External Identities > External collaboration settings and, under Guest invite settings, select "Only users assigned to specific admin roles can invite guest users".
Open Roles and administrators, select the Guest Inviter role, and add an assignment. Assign it to the GuestEditors group if that group was created as role-assignable (the setting cannot be turned on after creation); otherwise assign it to the individual members.
Confirm that guest access is turned on in the Teams admin center (Users > Guest access), because without it no guests can be added to any team.
Keep in mind that Global Administrators and User Administrators can always invite guests, so the restriction applies to everyone else, and that this setting also stops existing guests from inviting further guests.
With this in place, a team owner outside GuestEditors who tries to add an external person has the invitation refused, while GuestEditors members can add and remove guests as before. The control is proactive, built from standard roles, scoped to least privilege, and enforced tenant-wide rather than per team. Therefore, Option B is the correct implementation.
Question 9:
You must restrict sign-in to sensitive administrative portals (e.g., Exchange Admin Center, Microsoft 365 Defender) so that only devices compliant with Intune policies from your corporate network can authenticate.
Which two-part solution should you implement?
A. Azure AD Conditional Access policy requiring “All trusted locations” and device state
B. Azure AD Identity Protection policy blocking sign-ins from untrusted locations
C. Microsoft Defender for Cloud Apps session policy for device compliance
D. Exchange Online access control policy based on client application
Answer: A
Explanation:
Restricting admin portal sign-in to compliant corporate devices needs two controls: a definition of the corporate network (trusted named locations) and a device-compliance requirement fed by Intune. Let's analyze the options:
Option B (Identity Protection risk policy) can block sign-ins by risk level, but it evaluates neither network location nor device compliance.
Option C (Defender for Cloud Apps session policies) control what happens inside a session after sign-in (downloads, uploads, copy and paste) and depend on Conditional Access to route the session to them; they are not the gate for sign-in itself.
Option D (Exchange Online access control policy) applies only to Exchange Online and does not cover the other admin portals.
Microsoft Entra Conditional Access (CA), Option A, is the central control over who may sign in, from where, and on what kind of device. Because CA has no grant control that says "require a trusted location", the requirement is expressed as two policies, one that blocks off-network access and one that requires a compliant device everywhere:
Trusted locations: in the Entra admin center, under Protection > Conditional Access > Named locations, define the corporate egress IP ranges and mark them as trusted.
Device compliance: in Intune, create compliance policies for the managed platforms (Windows, macOS) that evaluate items such as OS version, disk encryption and Defender status; CA consumes the resulting compliant flag.
Policy 1 (block off-network): Users: the admin directory roles (Global Administrator, Security Administrator, Exchange Administrator and so on), excluding the break-glass account. Target resources: Microsoft Admin Portals (the first-party app that covers the admin centers). Conditions > Locations: include Any location, exclude All trusted locations. Grant: Block access.
Policy 2 (require managed device): same users and target resources, no location condition. Grant: Require device to be marked as compliant. (The older "Device state" condition is deprecated; the compliance check is a grant control.)
Run both in report-only mode first and review the sign-in logs before enabling them. Together, a sign-in to an admin portal from outside the trusted ranges is blocked by Policy 1, and a sign-in from inside the network on an unmanaged device is blocked by Policy 2, so only compliant devices on the corporate network get through. A single policy scoped to untrusted locations only cannot do this, because a trusted-network sign-in from an unmanaged device is never evaluated by it. That is the two-part solution of Option A, making it the correct choice.
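A model of how the two policies combine, added here and not part of the original page. The policy dictionaries follow the shape of Microsoft Graph conditionalAccessPolicy objects (conditions.users.includeRoles, conditions.locations, grantControls.builtInControls) but are simplified and constructed; the role and location ids are placeholders, the sign-ins are invented, and the evaluation function is a teaching model of CA's logic, not Microsoft's engine.

```python
"""Evaluate a set of Conditional Access policies against sample sign-ins.

Added example, not the page's own content. Policy dictionaries mimic the shape of
Graph conditionalAccessPolicy objects but are simplified; ids are placeholders and
the evaluator is a teaching model, not Microsoft's engine.
"""

GLOBAL_ADMIN = "role-global-admin"        # placeholder for the directory role template id
ADMIN_PORTALS = "MicrosoftAdminPortals"   # stands in for the "Microsoft Admin Portals" target
BREAK_GLASS = "break-glass-1"             # emergency access account, excluded from both policies

# Policy 1: block sign-in to admin portals from anywhere that is not a trusted named location.
BLOCK_UNTRUSTED = {
    "displayName": "Admins: block admin portals off-network",
    "state": "enabled",
    "conditions": {
        "users": {"includeRoles": [GLOBAL_ADMIN], "excludeUsers": [BREAK_GLASS]},
        "applications": {"includeApplications": [ADMIN_PORTALS]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Policy 2: from anywhere, require a device that Intune marks as compliant.
REQUIRE_COMPLIANT = {
    "displayName": "Admins: require compliant device for admin portals",
    "state": "enabled",
    "conditions": {
        "users": {"includeRoles": [GLOBAL_ADMIN], "excludeUsers": [BREAK_GLASS]},
        "applications": {"includeApplications": [ADMIN_PORTALS]},
        "locations": {"includeLocations": ["All"], "excludeLocations": []},
    },
    "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"]},
}

# A single policy scoped to untrusted locations only: trusted-network sign-ins are never
# evaluated, and off-network sign-ins pass as long as the device is compliant.
SINGLE_POLICY = {
    "displayName": "single policy (insufficient)",
    "state": "enabled",
    "conditions": {
        "users": {"includeRoles": [GLOBAL_ADMIN], "excludeUsers": []},
        "applications": {"includeApplications": [ADMIN_PORTALS]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"]},
}


def applies(policy, signin) -> bool:
    """Does the policy's user/app/location scope match this sign-in?"""
    c = policy["conditions"]
    if signin["user"] in c["users"]["excludeUsers"]:
        return False
    if not set(signin["roles"]) & set(c["users"]["includeRoles"]):
        return False
    if signin["app"] not in c["applications"]["includeApplications"]:
        return False
    loc = c["locations"]
    if signin["trusted_location"] and "AllTrusted" in loc["excludeLocations"]:
        return False
    return "All" in loc["includeLocations"]


def evaluate(policies, signin):
    """Return ('blocked' | 'allowed', names of policies that applied).

    Every applicable policy must be satisfied; with no applicable policy CA allows.
    """
    applied = []
    for p in policies:
        if p["state"] != "enabled" or not applies(p, signin):
            continue
        applied.append(p["displayName"])
        controls = p["grantControls"]["builtInControls"]
        if "block" in controls or ("compliantDevice" in controls and not signin["compliant_device"]):
            return "blocked", applied
    return "allowed", applied


def _signin(user, trusted, compliant):
    return {"user": user, "roles": [GLOBAL_ADMIN], "app": ADMIN_PORTALS,
            "trusted_location": trusted, "compliant_device": compliant}


# Constructed sign-ins covering the four combinations that matter.
SIGNINS = {
    "corp network, compliant": _signin("admin1", True, True),
    "corp network, BYOD": _signin("admin1", True, False),
    "home, compliant": _signin("admin1", False, True),
    "break-glass from home": _signin(BREAK_GLASS, False, False),
}

if __name__ == "__main__":
    for name, s in SIGNINS.items():
        print(f"{name:26} two policies: {evaluate([BLOCK_UNTRUSTED, REQUIRE_COMPLIANT], s)[0]:8}"
              f" single policy: {evaluate([SINGLE_POLICY], s)[0]}")
```

The break-glass row is deliberate: the emergency account must be excluded from both policies, or a certificate or Intune outage locks every administrator out at once.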
Question 10:
You are overseeing a Microsoft 365 subscription and want to delegate permissions to a user named User1 so that they can monitor the overall service health, including viewing advisories about any ongoing or potential service issues.
Which administrative role should you assign to User1 to grant this capability?
A. Message Center Reader
B. Reports Reader
C. Service Support Administrator
D. Compliance Administrator
Answer: C
Explanation:
In Microsoft 365, different administrative roles provide tailored permissions to users depending on their responsibilities. To enable User1 to monitor service health and investigate related advisories, the correct role must allow access to detailed service status, alerts, and incident information.
The Message Center Reader role allows users to read posts and communications about upcoming changes, feature updates, and announcements in the Microsoft 365 Message Center. However, it does not grant access to real-time service health status or incident details. This role is more about planning and awareness rather than active service monitoring.
The Reports Reader role permits access to various usage reports and analytics data within the tenant, such as email usage or app activity metrics. It does not provide the ability to view or investigate service health advisories or incidents, so it is not suitable here.
The Service Support Administrator role is designed for exactly this: it lets the user open Service health in the Microsoft 365 admin center, read incident and advisory details, and create and manage support requests with Microsoft, without any ability to change user, security or compliance settings. This makes it the best fit for User1's needs.
The Compliance Administrator role focuses on compliance-related configurations such as data loss prevention, eDiscovery, and auditing. It does not include service health monitoring permissions.
Because User1 must be able to access service health advisories and investigate incidents impacting Microsoft 365 services, assigning the Service Support Administrator role is the appropriate choice. It ensures User1 can effectively monitor service health and support troubleshooting without granting broader or unrelated administrative privileges.