Microsoft - MS-102: Microsoft 365 Administrator
Sample Questions
Question: 145
Measured Skill: Deploy and manage a Microsoft 365 tenant (25–30%)
You have a Microsoft 365 E5 subscription.
You need to ensure that administrators who need to manage Microsoft Exchange Online are assigned the Exchange administrator role for five hours at a time.
What should you implement?
A. Microsoft Entra ID Privileged Identity Management (PIM)
B. A conditional access policy
C. A communication compliance policy
D. Microsoft Entra ID Protection
E. Groups that have dynamic membership
Correct answer: A
Explanation:
A privileged role administrator can customize Privileged Identity Management (PIM) in their Microsoft Entra ID organization, including changing the experience for a user who is activating an eligible role assignment.
You can choose from two assignment duration options for each assignment type (eligible and active) when you configure settings for a role. These options become the default maximum duration when a user is assigned to the role in Privileged Identity Management.
You can choose one of these eligible assignment duration options:

And, you can choose one of these active assignment duration options:

Reference: Configure Microsoft Entra role settings in Privileged Identity Management
Question: 146
Measured Skill: Deploy and manage a Microsoft 365 tenant (25–30%)
You have a Microsoft 365 subscription.
You suspect that several Microsoft Office 365 applications or services were recently updated.
You need to identify which applications or services were recently updated.
What are two possible ways to achieve the goal?
(Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.)
A. From the Microsoft 365 admin center, review the Service health blade.
B. From the Microsoft 365 admin center, review the Message center blade.
C. From the Microsoft 365 admin center, review the Products blade.
D. From the Office 365 Admin mobile app, review the messages.
Correct answer: B, D
Explanation:
A chronological list of new features and changes around Microsoft 365 can be found in the message center of the Microsoft 365 Admin Center and alternatively in the "Messages" section of the Microsoft 365 Admin mobile app.
Question: 147
Measured Skill: Deploy and manage a Microsoft 365 tenant (25–30%)
You have a Microsoft 365 subscription that contains the domains shown in the following exhibit.
Which domain name suffixes can you use when you create users?
A. Only Sub1.Contoso1919.onmicrosoft.com.
B. Only Contoso1919.onmicrosoft.com and Sub2.Contoso1919.onmicrosoft.com.
C. Only Contoso1919.onmicrosoft.com, Sub1.Contoso1919.onmicrosoft.com, and Sub2.Contoso1919.onmicrosoft.com.
D. All the domains in the subscription.
Correct answer: C
Explanation:
When creating new users, you can choose any domain that has been added to your tenant and verified as the user principal name suffix. Domain verification is not required for subdomains of the default tenantname.onmicrosoft.com domain.
Question: 148
Measured Skill: Implement and manage identity and access in Azure AD (25–30%)
You have a Microsoft 365 subscription.
You plan to implement Microsoft Purview Privileged Access Management.
Which Microsoft Office 365 workloads support privileged access?
A. Microsoft Exchange Online only
B. Microsoft Teams only
C. Microsoft Exchange Online and SharePoint Online only
D. Microsoft Teams and SharePoint Online only
E. Microsoft Teams, Exchange Online, and SharePoint Online
Correct answer: A
Explanation:
Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings. Enabling privileged access management allows your organization to operate with zero standing privileges and provide a layer of defense against standing administrative access vulnerabilities.
Microsoft Purview Privileged access management is defined and scoped at the task level, while Azure AD Privileged Identity Management applies protection at the role level with the ability to execute multiple tasks. Azure AD Privileged Identity Management primarily allows managing accesses for AD roles and role groups, while Microsoft Purview Privileged Access Management applies only at the task level.
Microsoft Purview Privileged access management is currently only available for Exchange.
References:
Learn about privileged access management
Get started with privileged access management
Question: 149
Measured Skill: Manage security and threats by using Microsoft 365 Defender (25–30%)
You have a Microsoft 365 subscription. You are planning a threat management solution for your organization.
You need to minimize the likelihood that users will be affected by the following threats:
- Opening files in Microsoft SharePoint that contain malicious content.
- Impersonation and spoofing attacks in email messages.
Which policies should you create in the Security & Compliance admin center?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
A. Opening files in Microsoft SharePoint that contain malicious content: Anti-spam
   Impersonation and spoofing attacks in email messages: Anti-Phishing
B. Opening files in Microsoft SharePoint that contain malicious content: Safe Attachments
   Impersonation and spoofing attacks in email messages: Anti-Phishing
C. Opening files in Microsoft SharePoint that contain malicious content: Anti-spam
   Impersonation and spoofing attacks in email messages: Safe Links
D. Opening files in Microsoft SharePoint that contain malicious content: Safe Attachments
   Impersonation and spoofing attacks in email messages: Anti-spam
Correct answer: B
Explanation:
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
In organizations with Microsoft Defender for Office 365, Safe Attachments for SharePoint, OneDrive, and Microsoft Teams provides an additional layer of protection against malware. After files are asynchronously scanned by the common virus detection engine in Microsoft 365, Safe Attachments opens files in a virtual environment to see what happens (a process known as detonation). As part of detonation, any password protected files are checked against a list of known passwords or patterns that are typically used by malicious actors. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams also helps detect and block existing files that are identified as malicious in team sites and document libraries.
Anti-phishing protection in EOP
Microsoft 365 organizations with mailboxes in Exchange Online or standalone EOP organizations without Exchange Online mailboxes contain the following features that help protect your organization from phishing threats:
- Spoof intelligence: Use the spoof intelligence insight to review detected spoofed senders in messages from external and internal domains, and manually allow or block those detected senders.
- Anti-phishing policies in EOP: Turn spoof intelligence on or off, turn unauthenticated sender indicators in Outlook on or off, and specify the action for blocked spoofed senders.
- Honor the sender's DMARC policy when the message is detected as spoof: Control what happens to messages where the sender fails explicit DMARC checks and the DMARC policy is set to p=quarantine or p=reject.
- Allow or block spoofed senders in the Tenant Allow/Block List: When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the Spoofed senders tab on the Tenant Allow/Block Lists page at https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem. You can also manually create allow or block entries for spoofed senders before they're detected by spoof intelligence.
- Implicit email authentication: EOP enhances standard email authentication checks for inbound email (SPF, DKIM, and DMARC) with sender reputation, sender history, recipient history, behavioral analysis, and other advanced techniques to help identify forged senders.
References:
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
Anti-phishing protection in Microsoft 365