Microsoft - MS-102: Microsoft 365 Administrator
Sample Questions
Question: 491
Measured Skill: Implement and manage Microsoft Entra identity and access (25-30%)
You have a Microsoft 365 subscription that contains a Microsoft Entra tenant named contoso.com. The tenant includes a user named User1.
You plan to use Microsoft Entra ID Protection.
You need to ensure that User1 can review the list in Microsoft Entra ID Protection of users flagged for risk. The solution must use the principle of least privilege.
To which role should you add User1?

| A | Compliance Administrator |
| B | User Administrator |
| C | Security Administrator |
| D | Global Administrator |
Correct answer: C

Explanation:
Microsoft Entra ID Protection sends two types of automated notification emails to help you manage user risk and risk detections:
- Users at risk detected email
- Weekly digest email
By default, users actively assigned the Global Administrator, Security Administrator, or Security Reader role are automatically added to this list if they have a valid "Email" or "Alternate email" configured. If a user is enrolled in PIM to elevate to one of these roles on demand, they only receive emails if they are elevated at the time the email is sent.
Users at risk detected email
In response to a detected account at risk, Microsoft Entra ID Protection generates an email alert with Users at risk detected as subject. The email includes a link to the Users flagged for risk report. As a best practice, you should immediately investigate the users at risk.
The configuration for this alert allows you to specify at what user risk level you want the alert to be generated. The email is generated when the user's risk level reaches what you specified. For example, if you set the policy to alert on medium user risk and your user's risk score moves to medium risk because of a real-time sign-in risk, you receive the users at risk detected email. If the user has subsequent risk detections that cause the user risk level calculation to be the specified risk level (or higher), you receive more users at risk detected emails when the user risk score is recalculated. For example, if a user moves to medium risk on January 1, you'll receive an email notification if your settings are set to alert on medium risk. If that same user has another risk detection on January 5 and the user risk score is recalculated but is still medium, you receive another email notification.
An extra email notification is sent if the time of the change in user risk level is more recent than the last email sent. For example, a user signs in on January 1 at 5 AM and there's no real-time risk (meaning no email would be generated because of that sign-in). Ten minutes later, at 5:10 AM, the same user signs in again and has high real-time risk, causing the user risk level to move to high and an email to be sent. Then, at 5:15 AM, the offline risk score for the original sign-in at 5 AM changes to high risk because of offline risk processing. Another users flagged for risk email wouldn't be sent, since the time of the first sign-in was before the second sign-in that already triggered an email notification.
To prevent an overload of e-mails, you only receive one email within a 5-second time period. If multiple users move to the specified risk level during the same 5-second time period, we aggregate the data and send one e-mail for all of them.
Reference: Microsoft Entra ID Protection notifications
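The notification rules described in the explanation above, modeled as an added Python example (not Microsoft's implementation and not part of the original page). `RiskUpdate`, `plan_emails`, `sample_updates` and the timeline are hypothetical names and constructed data; times are seconds counted from January 1, 5:00 AM.

```python
from dataclasses import dataclass

LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}

@dataclass
class RiskUpdate:
    user: str
    signin_time: int     # when the sign-in that carries the risk happened
    processed_time: int  # when the user risk score was recalculated
    level: str           # user risk level after the recalculation

def plan_emails(updates, alert_level="medium", window=5):
    """Return [(send_time, [users])] following the rules stated on this page."""
    threshold = LEVELS[alert_level]
    last_signin = {}  # user -> sign-in time of the update that last triggered an email
    emails = []       # each entry: [window_start, [users]]
    for u in sorted(updates, key=lambda x: x.processed_time):
        if LEVELS[u.level] < threshold:
            continue  # below the configured alert level
        # Offline re-scoring of a sign-in that predates the one already
        # reported does not produce another email.
        if u.user in last_signin and u.signin_time <= last_signin[u.user]:
            continue
        last_signin[u.user] = u.signin_time
        if emails and u.processed_time - emails[-1][0] < window:
            # Same 5-second period: aggregate into the pending email.
            if u.user not in emails[-1][1]:
                emails[-1][1].append(u.user)
        else:
            emails.append([u.processed_time, [u.user]])
    return [(t, users) for t, users in emails]

def sample_updates():
    """Constructed timeline mirroring the examples in the explanation."""
    day = 24 * 3600
    return [
        RiskUpdate("user1", 0, 0, "none"),          # 5:00 sign-in, no real-time risk
        RiskUpdate("user1", 600, 600, "high"),      # 5:10 sign-in, high real-time risk
        RiskUpdate("user2", 602, 602, "medium"),    # second user, 2 seconds later
        RiskUpdate("user1", 0, 900, "high"),        # 5:15 offline re-score of the 5:00 sign-in
        RiskUpdate("user1", 4 * day, 4 * day, "high"),  # new detection on January 5
    ]

if __name__ == "__main__":
    for send_time, users in plan_emails(sample_updates()):
        print(send_time, users)
```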
Question: 492
Measured Skill: Manage security and threats by using Microsoft Defender XDR (30–35%)
You have a Microsoft 365 subscription that contains a user named User1.
You need to ensure that User1 can gather and summarize a custom set of data from signals in the Microsoft Defender XDR environment. The solution must NOT require that User1 have KQL knowledge.
What should you do in Microsoft Defender XDR?

| A | From Advanced hunting, create a new query in the query editor. |
| B | From Cloud Discovery, create a report. |
| C | From API Explorer, create a query. |
| D | From Advanced hunting, create a new query in the query builder. |
Correct answer: D

Explanation:
Advanced hunting in Microsoft Defender is a query-based threat hunting tool that you use to explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats.
Advanced hunting supports two modes: guided and advanced. The query builder in guided mode allows analysts to craft meaningful hunting queries without knowing Kusto Query Language (KQL) or the data schema. Analysts from every tier of experience can use the query builder to filter through data from the last 30 days to look for threats, expand incident investigations, perform data analytics on threat data, or focus on specific threat areas.
References:
Proactively hunt for threats with advanced hunting in Microsoft Defender
Build hunting queries using guided mode in Microsoft Defender
Question: 493
Measured Skill: Implement and manage Microsoft Entra identity and access (25-30%)
Your company has a hybrid deployment of Microsoft 365.
An on-premises user named User1 is synced to the Microsoft Entra tenant.
Microsoft Entra Connect Sync is configured as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
(NOTE: Each correct selection is worth one point.)
| A | User1 cannot change her password from any Microsoft portals. If the password for User1 is changed in Active Directory, the password hash in Microsoft Entra ID will be unchanged. |
| B | User1 cannot change her password from any Microsoft portals. If the password for User1 is changed in Active Directory, the password hash will be synchronized to Microsoft Entra ID. |
| C | User1 can change her password by using the self-service password reset feature only. If the password for User1 is changed in Active Directory, a new randomly generated password will be assigned to User1. |
| D | User1 can change her password by using the self-service password reset feature only. If the password for User1 is changed in Active Directory, the password hash will be synchronized to Microsoft Entra ID. |
| E | User1 can change her password from the Microsoft 365 admin center only. If the password for User1 is changed in Active Directory, the password hash in Microsoft Entra ID will be unchanged. |
| F | User1 can change her password from the Microsoft 365 admin center only. If the password for User1 is changed in Active Directory, a new randomly generated password will be assigned to User1. |
Correct answer: B

Explanation:
User1 is sourced on-premises and synced to Microsoft Entra ID, including her password hash. The password of User1 is managed on-premises. Since password writeback is disabled, User1 cannot change her on-premises password using any of the Microsoft portals. However, User1 can temporarily change her cloud password (using SSPR or the Microsoft 365 admin center) until it is overwritten with the next synchronization cycle.
If the password for User1 is changed in Active Directory, the password hash will be synchronized to Microsoft Entra ID and overwrite any changes made in Entra ID.
References:
Tutorial: Enable users to unlock their account or reset passwords using Microsoft Entra self-service password reset
Tutorial: Enable Microsoft Entra self-service password reset writeback to an on-premises environment
Question: 494
Measured Skill: Implement and manage Microsoft Entra identity and access (25-30%)
You have a Microsoft 365 E5 subscription that contains the groups shown in the following table.

You need to create a contact named Contact1 and add Contact1 to a group.
Which two portals can you use to create Contact1, and to which groups can you add Contact1?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
| A | Portals: Microsoft 365 admin center and Exchange admin center; Groups: Group2 only |
| B | Portals: Microsoft Entra admin center and Microsoft Intune admin center; Groups: Group3 only |
| C | Portals: Microsoft 365 admin center and Microsoft Entra admin center; Groups: Group1 and Group3 only |
| D | Portals: Microsoft 365 admin center and Microsoft Entra admin center; Groups: Group2 and Group3 only |
| E | Portals: Microsoft Entra admin center and Exchange admin center; Groups: Group1, Group2, and Group3 |
| F | Portals: Microsoft 365 admin center and Exchange admin center; Groups: Group1, Group2, and Group3 |
Correct answer: A

Explanation:
In Exchange Online organizations, contacts (also called mail contacts) are mail-enabled objects that contain information about people who exist outside your organization. Each mail contact has an external email address.
Contacts can be created from the Microsoft 365 admin center or from the Exchange admin center but not from the Entra or Intune admin center.
Contacts aren't security enabled, can't be licensed and can't sign in to Microsoft 365 services. Contacts can be added to distribution groups only.
References:
Manage mail contacts in Exchange Online
Add a user or contact to a Microsoft 365 distribution group
Question: 495
Measured Skill: Implement and manage Microsoft Entra identity and access (25-30%)
You have a Microsoft 365 subscription.
From the Microsoft Entra authentication methods policy, you configure the Microsoft Authenticator on companion applications settings as shown in the following exhibit.
You need to ensure that users can complete the authentication process from their mobile device.
What should each user install on their device?

| A | Microsoft Teams |
| B | Microsoft 365 Copilot |
| C | Microsoft Outlook |
| D | Company Portal |
Correct answer: D

Explanation:
Microsoft Authenticator is a free app for Android and iOS that helps you sign in to all your accounts without using a password - just use a fingerprint, face recognition, or a PIN. You can use Authenticator to sign in to your Microsoft personal, work, school or other accounts.
If the Microsoft Authenticator on companion applications setting is enabled, users can also use Authenticator Lite in Outlook mobile to complete multifactor authentication (MFA) by using push notifications or time-based one-time passcodes (TOTP) on their Android or iOS device.
Companion app authentication requires users to have the Company Portal app installed so that Microsoft Authenticator can integrate with device management capabilities and complete the authentication flow on the mobile device.
Reference: Enable Authenticator Lite for Outlook mobile