MS-102 Exam Overview
Prepare for the Microsoft MS-102 certification exam
with our comprehensive study guide. This study material contains 411 practice questions
sourced from real exams and expert-verified for accuracy. Each question includes the correct answer
and a detailed explanation to help you understand the material thoroughly.
The MS-102 exam — Microsoft 365 Administrator — is offered by Microsoft.
Passing this exam earns you the Microsoft 365 Certified: Administrator Expert credential,
an industry-recognized certification that validates your expertise.
Our study materials were last updated on 2026-02-25 to reflect the
most recent exam objectives and content.
About the Microsoft 365 Certified: Administrator Expert
The Microsoft 365 Certified: Administrator Expert is awarded by Microsoft
to professionals who demonstrate competence in the skills measured by the MS-102 exam.
According to the official Microsoft certification page, this certification validates your ability to work with the technologies covered in the exam objectives.
According to the Global Knowledge IT Skills and Salary Report, certified IT professionals earn 15-25% more than their non-certified peers.
Certifications from Microsoft are among the most recognized credentials in the IT industry,
with strong demand across enterprise organizations worldwide.
Free Sample — 15 Practice Questions
Preview 15 of 411 questions from the MS-102 exam.
Question 139
You have a Microsoft 365 E5 subscription.
You are creating a data loss prevention (DLP) policy applied to the locations as shown in the following exhibit.
Which condition can you use in the DLP rules of the policy?
A. sensitive info types
B. sensitivity labels
C. keywords
D. content search queries
Correct Answer: A
Explanation:
In Microsoft Purview DLP policies, rule conditions are based on content inspection such as Sensitive Information Types (SITs), which detect patterns like credit card or ID numbers. Sensitivity labels are applied metadata and are not selectable as DLP rule conditions for the specified locations, and content search queries are not supported in DLP rules. Therefore, Sensitive Information Types is the valid condition.
Question 161
HOTSPOT -
You have a Microsoft 365 E5 subscription that contains two security groups named Group1 and Group2.
You need to enable multi-factor authentication (MFA) for the members of Group1 and Group2. The solution must meet the following requirements:
• The Group1 members must be prompted for MFA only when authenticating to Microsoft Entra ID from Android devices.
• The Group2 members must be prompted for MFA only when accessing Microsoft Exchange Online from outside the corporate network.
• Administrative effort must be minimized.
What should you configure for each group? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct Answer: Group1: Conditional Access
Group2: Conditional Access
Explanation:
Conditional Access supports group targeting and granular conditions. For Group1, a CA policy can require MFA only when the device platform is Android. For Group2, a CA policy can require MFA only when accessing Exchange Online from outside trusted (corporate) locations. The other options cannot scope MFA by app, location, and device type, or cannot be mixed with CA.
Question 276
Your company has a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com that includes the users shown in the following table.
Group2 is a member of Group1.
You assign a Microsoft Office 365 Enterprise E3 license to Group1.
How many Office 365 E3 licenses are assigned?
Correct Answer: C
Explanation:
Assigning an Office 365 E3 license to Group1 applies licenses only to direct user members of Group1. Nested groups (Group2 being a member of Group1) do not result in license assignment to users in Group2, because group-based licensing does not support group nesting. Users without an explicit usage location inherit the tenant’s default usage location, so they are still eligible for licensing. Based on the table, three direct users in Group1 receive the license, resulting in three licenses assigned.
Question 33
HOTSPOT -
You have a Microsoft 365 E5 subscription.
You need to create a Conditional Access policy named Policy1 that will enforce the use of phishing-resistant multifactor authentication (MFA) when a user attempts to register or join devices to a Microsoft Entra tenant.
How should you configure Policy1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct Answer: Assignments: Target resources
Access controls: Set Grant to Require authentication strength
Explanation:
Device registration and join are configured as a user action under Target resources in Conditional Access. To enforce phishing-resistant MFA, the Grant control must require an authentication strength that includes phishing-resistant methods.
Question 319
HOTSPOT -
You have a Microsoft 365 subscription that contains the users shown in the following table.
You create a new administrative unit named AU1 and configure the following AU1 dynamic membership rule.
(user.department -eq "Engineering") and (user.jobTitle -notContains "Executive")
The subscription contains the role assignments shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Correct Answer: No
No
Yes
Explanation:
AU1 dynamic rule requires an exact department match to "Engineering" and excludes any job title containing "Executive".
User1: Department is "IT engineering" (not an exact match) → not in AU1.
User2: Department matches, but job title contains "Executive" → not in AU1.
Admin1 (AU1 User Administrator) can reset passwords only for AU1 members → cannot reset User1 or User2.
Admin2 is a Global Administrator → can reset the password of any user, including User3.
Question 376
DRAG DROP -
You have a Microsoft 365 E5 subscription that contains two groups named Group1 and Group2.
You need to ensure that each group can perform the tasks shown in the following table.
The solution must use the principle of least privilege.
Which role should you assign to each group? To answer, drag the appropriate roles to the correct groups. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Correct Answer: Group1: Billing Administrator
Group2: User Administrator
Explanation:
Group1 tasks (purchase services, manage subscriptions, service requests, and monitor service health) align with the Billing Administrator role under least privilege.
Group2 tasks (assign licenses, add users and groups, manage user views, and update password expiration policies) are covered by the User Administrator role without requiring broader permissions.
Question 12
HOTSPOT -
Your network contains an on-premises Active Directory Domain Services (AD DS) domain named contoso.com. Contoso.com contains the users shown in the following table.
Contoso.com contains the groups shown in the following table.
Group3 has no members.
You have a Microsoft Entra tenant.
You deploy Microsoft Entra Cloud Sync and configure a scoping filter by using the following entry.
CN=Group1,OU=OU2,DC=contoso, DC=com
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Correct Answer: User1 syncs with the Microsoft Entra tenant: Yes
User2 syncs with the Microsoft Entra tenant: No
Group3 syncs with the Microsoft Entra tenant: No
Explanation:
The scoping filter targets Group1. Cloud Sync includes only direct user members of the scoped group. User1 is a direct member of Group1, so it syncs. User2 is only a nested member via Group2, which is not evaluated. Group objects (such as Group3) are not synchronized by group-based scoping.
Question 256
You have a Microsoft 365 subscription.
You have a data loss prevention (DLP) policy that blocks sensitive data from being shared in email messages.
You need to modify the policy so that when an email message containing sensitive data is sent to both external and internal recipients, the message is only prevented from being delivered to the external recipients.
What should you modify?
A. the policy rule exceptions
B. the DLP policy locations
C. the policy rule conditions
D. the policy rule actions
Correct Answer: D
Explanation:
To allow internal recipients to receive an email while blocking delivery only to external recipients when sensitive data is detected, you must change what the DLP rule does when it matches. This behavior is controlled by the policy rule actions, where you can configure actions such as blocking messages sent outside the organization while allowing internal delivery. Conditions, exceptions, and locations determine when or where the rule applies, not how delivery is handled.
Question 47
Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.
After you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.
You have a Microsoft 365 E5 subscription.
You are implementing Microsoft Defender for Cloud Apps.
You need to ensure that you can create OAuth app policies.
Solution: You configure Conditional Access app control.
Does this meet the goal?
Correct Answer: B
Explanation:
Conditional Access App Control (session control) is used for real-time monitoring and control of user sessions in cloud apps. It does not enable or affect OAuth app discovery or OAuth app policies in Microsoft Defender for Cloud Apps. To create OAuth app policies, the tenant must be connected (for example, Microsoft 365 connected app) so Defender for Cloud Apps can ingest OAuth authorization data. Therefore, configuring Conditional Access app control alone does not meet the goal.
Question 289
HOTSPOT -
You have a Microsoft 365 tenant.
You create a retention label as shown in the Retention Label exhibit. (Click the Retention Label tab.)
You create a label policy as shown in the Label Policy exhibit. (Click the Label Policy tab.)
The label policy is configured as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Correct Answer: 1) No
2) Yes
3) No
Explanation:
The retention label auto-applies to Exchange email containing "ProjectX" and retains items for 6 months based on the created date, then deletes them. Deletion is not immediate. Because auto-labeling is configured, users do not need to manually apply the label.
Question 30
HOTSPOT -
You have a Microsoft 365 subscription that uses the following services:
• Microsoft Entra
• Exchange Online
• Microsoft Teams
• SharePoint Online
You are planning a backup solution that will use Microsoft 365 Backup.
You need to recommend which Microsoft 365 services can be backed up and the longest retention period available.
What should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct Answer: Services: Exchange Online and SharePoint Online only
Retention period: 1 year
Explanation:
Microsoft 365 Backup supports backup and restore for Exchange Online and SharePoint Online (including OneDrive content). It does not back up Microsoft Entra, and Teams isn’t selected as a separate service. The maximum retention period available is 1 year.
Question 403
HOTSPOT -
You have a Microsoft 365 subscription that contains a Microsoft SharePoint site named Site1. Site1 has the files shown in the following table.
For Site1, users are assigned the roles shown in the following table.
You create a data loss prevention (DLP) policy named Policy1 that contains a rule as shown in the following exhibit.
How many files will be visible to User1 and User2 after Policy1 is applied to Site1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct Answer: User1: 5
User2: 2
Explanation:
The DLP rule blocks access to files containing ≥2 IP addresses for everyone except site owners/admins and content owners. User1 is an Owner, so retains access to all files (5). For User2 (Visitor), files matching the rule are blocked. File1.docx has only 1 IP (not matched). File4.bmp isn’t scanned by DLP without OCR, so it isn’t matched. The remaining files are scanned and contain ≥2 IPs, so they’re blocked. Thus, User2 can see 2 files.
Question 147
You have a Microsoft 365 E5 tenant.
You create an auto-labeling policy to encrypt emails that contain a sensitive info type. You specify the locations where the policy will be applied.
You need to deploy the policy.
What should you do first?
A. Run the policy in simulation mode.
B. Turn on co-authoring for files with sensitivity labels.
C. Review the sensitive information in Activity explorer.
D. Turn on the policy.
Correct Answer: A
Explanation:
Auto-labeling policies in Microsoft Purview should first be run in simulation mode to validate which emails would be labeled and encrypted without impacting users. This allows you to review matches and confirm scope before turning the policy on for enforcement.
Question 268
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest.
You deploy Microsoft 365.
You plan to implement directory synchronization.
You need to recommend a security solution for the synchronized identities. The solution must meet the following requirements:
• Users must be able to authenticate successfully to Microsoft 365 services if Active Directory becomes unavailable.
• User passwords must be 10 characters or more.
Solution: Implement password hash synchronization and configure password protection in the Azure AD tenant.
Does this meet the goal?
Correct Answer: B
Explanation:
Password hash synchronization does satisfy the first requirement because users can authenticate to Microsoft 365 even if on-premises Active Directory is unavailable. However, it does not satisfy the second requirement. For synchronized users, password length and complexity are enforced by the on-premises Active Directory password policy, not by Azure AD. Azure AD password protection cannot enforce a minimum password length (such as 10 characters) for synced users unless that requirement is configured in on-prem AD. Therefore, the solution does not fully meet the stated goals.
Question 420
You have a Microsoft 365 subscription.
You configure a new Azure AD enterprise application named App1. App1 requires that a user be assigned the Reports Reader role.
Which type of group should you use to assign the Reports Reader role and to access App1?
A. a Microsoft 365 group that has assigned membership
B. a Microsoft 365 group that has dynamic user membership
C. a security group that has assigned membership
D. a security group that has dynamic user membership
Correct Answer: C
Explanation:
Assigning access to an enterprise application and assigning the Reports Reader role requires a group type supported for app role and Azure AD role assignments. Only security groups with assigned (static) membership are supported. Dynamic groups can’t be used for role assignment, and Microsoft 365 groups aren’t supported for enterprise app role assignment.