Implement and manage Microsoft Entra identity and access
Drill 20 practice questions focused entirely on Implement and manage Microsoft Entra identity and access for the Microsoft MS-102 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
Your organization uses Microsoft Entra Cloud Sync (not Connect Sync) to synchronize users from a single on-premises Active Directory forest. Users report that their on-premises passwords do not work when signing in to Microsoft 365, although the user accounts themselves appear correctly in Entra ID. You confirm the sync agent is healthy and objects are provisioning successfully. What is the MOST likely cause?
Contoso has three separate Active Directory forests with no trust relationships between them, all needing to synchronize users to a single Microsoft Entra tenant. The identity team wants a lightweight, agent-based solution that supports multiple disconnected forests, requires minimal on-premises footprint, and is managed from the cloud. They do NOT require synchronization of devices, pass-through authentication, or writeback of passwords beyond SSPR. Which synchronization option should you implement?
Your organization requires that members of the Finance department use only phishing-resistant methods (such as FIDO2 security keys or Windows Hello for Business) when accessing a sensitive payroll application, while other users may continue using standard MFA. You want to enforce this through Conditional Access with the least administrative effort. What should you configure in the Conditional Access policy that targets the Finance group and the payroll application?
Contoso's security team reports that sign-in attempts are originating from a country where the company has no employees or business operations. Legitimate users only sign in from the United States and Canada. You need to prevent all authentication from the unauthorized country while allowing normal operations to continue, using the least administrative effort. What should you do?
Your organization wants to block legacy authentication protocols (such as POP, IMAP, and older Office clients) because they cannot enforce MFA. Before enforcing the block for all users, security management requires evidence of how many sign-ins would be affected, without impacting productivity. What is the recommended approach to gather this evidence using Conditional Access?
You are deploying a Conditional Access policy that requires multifactor authentication for all users when accessing any cloud app. Your security team is concerned that a misconfiguration or MFA service outage could lock all administrators out of the tenant. Following Microsoft's recommended practices, what should you do before enabling the policy?
Contoso currently enforces multifactor authentication for all users by enabling per-user MFA (the legacy per-user setting on each account). The security team wants to move to a modern, policy-based approach that allows conditions such as trusted locations and specific applications to influence when MFA is required, while retaining reporting on authentication methods. What should the administrator do to transition users off per-user MFA correctly?
Your organization uses Conditional Access to require MFA for all users. The finance team frequently complains about being prompted for MFA while working from the corporate headquarters, which uses a single fixed public IP address (203.0.113.10). Management wants to reduce MFA prompts for users physically located in the headquarters office while keeping MFA enforced everywhere else. What should you configure to achieve this with the least administrative effort?
Your organization allows users to access Microsoft 365 from unmanaged personal devices via a web browser. Security requires that when users on unmanaged devices close their browser, they must re-authenticate, and their session must not persist. Managed devices should retain their normal session behavior. Which Conditional Access session control should you configure to meet the requirement for unmanaged devices?
You have created a new Conditional Access policy that will require MFA for all users accessing Microsoft 365 applications. Before enforcing it, leadership asks you to determine how many sign-ins would be blocked or challenged without actually affecting users. What should you do?
Your organization uses Microsoft Entra ID P2 and Microsoft Intune. Finance department users access a sensitive payroll web app that is registered in Entra ID. Security requires that these users can only reach the app from Intune-managed devices that are marked compliant, and that they must re-authenticate every 4 hours regardless of persistent browser sessions. You need to enforce both requirements with the least administrative effort. What should you configure?
You are the Microsoft 365 administrator at Contoso. Recent sign-in logs show several successful sign-ins to privileged accounts from unfamiliar locations without any second-factor prompt. Management wants to ensure that all users assigned directory administrator roles (such as Global Administrator and User Administrator) must complete multifactor authentication every time they sign in, regardless of location or device. You want to enforce this with the least administrative effort while keeping the control targeted. What should you do?
Contoso wants every external guest user to explicitly accept a corporate acceptable-use agreement before they can access any SharePoint Online or Teams content shared with them. The agreement is a PDF that must be re-accepted every 12 months, and acceptance must be auditable. As the Microsoft 365 administrator, what should you configure to enforce this?
Your organization currently manages MFA and passwordless settings across three separate places: the legacy per-user MFA settings, the SSPR authentication methods policy, and the modern Authentication methods policy in Microsoft Entra. Leadership wants a single, consolidated location for controlling which methods (such as Microsoft Authenticator, FIDO2 keys, and SMS) users can register and use for both sign-in and password reset. As the Microsoft 365 administrator, what should you do to consolidate management going forward?
Your organization uses Microsoft Entra Connect Sync in a hybrid environment. The security team requires that user accounts located in a specific on-premises Active Directory organizational unit (OU) named 'ServiceAccounts' must NOT be synchronized to Microsoft Entra ID, while all other OUs continue to sync normally. What is the correct way to accomplish this?
Your organization uses Active Directory Federation Services (AD FS) to provide federated sign-in for Microsoft 365. Users have recently reported intermittent authentication failures, and you want proactive alerting on AD FS token issuance failures, extranet lockouts, and overall service availability from the Microsoft Entra admin center. What must you do to enable this monitoring capability?
Your organization uses Microsoft Entra Connect Sync to synchronize an on-premises Active Directory to Microsoft Entra ID. Help desk staff report that some newly created on-premises users are not appearing in the cloud after several hours. You need to identify whether synchronization is failing and view alerts about export errors, latency, and connectivity between the sync engine and Entra ID from a centralized cloud dashboard. Which tool should you use?
Your organization uses Microsoft Entra Connect Sync to synchronize an on-premises Active Directory to Microsoft Entra ID. Recently, users have reported that newly created accounts take an unusually long time to appear in Microsoft 365. You want to proactively detect when synchronization operations are failing or delayed, and receive email alerts before end users notice, without deploying additional third-party tools. Which action should you take?
Your organization uses Microsoft Entra Connect Sync running on a single server named SYNC01 to synchronize on-premises Active Directory objects to Microsoft Entra ID. To reduce downtime risk, you deploy a second server named SYNC02 with Entra Connect installed in staging mode. During a planned outage of SYNC01, you need SYNC02 to take over synchronization to Microsoft Entra ID with the least administrative effort and no data loss. What should you do?
Your organization uses Microsoft Entra Connect Sync in the default configuration. A user's job title was updated in on-premises Active Directory an hour ago, but the change has not yet appeared in Microsoft Entra ID. The business needs the change reflected immediately. Which action forces the attribute change to synchronize right now without waiting for the next scheduled cycle?
More MS-102 practice
Keep going with the other Microsoft 365 Administrator domains, or take a full timed mock exam.
← Back to MS-102 overview