Question 121:
You need to delegate the ability to manage SharePoint site collections without granting access to create new sites. Which role should you assign?
A) SharePoint Administrator with site creation restrictions
B) Site Collection Administrator
C) SharePoint Service Administrator
D) Sites Administrator role
Answer: B
Explanation:
The Site Collection Administrator role provides comprehensive permissions to manage all aspects of specific SharePoint site collections including membership, permissions, storage, features, and content without granting organization-wide site creation capabilities. When you designate users as site collection administrators for specific sites, they gain full control over those sites but cannot create new site collections unless they also have broader SharePoint administrative roles. This delegation model enables distributed site management while maintaining central control over site proliferation.
Site Collection Administrators can manage site permissions by adding or removing users and groups, configure site features and settings, manage site collection storage quotas, customize site appearance and navigation, and access all content within the site regardless of item-level permissions. They serve as the highest permission level within the site collection hierarchy and can designate additional site collection administrators or site owners as needed.
The role is ideal for business unit leaders or departmental managers who need full control over their team sites without requiring permissions to create additional sites or manage other site collections. Organizations often assign site collection administrator permissions during site provisioning workflows where business owners request sites that IT creates and then delegates management responsibility. This ensures appropriate governance over new site creation while empowering business users to manage their collaboration spaces.
Site Collection Administrators appear in site settings and have access to administrative interfaces for their assigned sites but do not have access to the SharePoint admin center or organization-wide SharePoint settings. Their permissions are scoped to specific site collections, preventing unauthorized access to other sites or tenant-level configurations. This role separation supports security and compliance requirements while enabling effective site management.
Option A is incorrect because SharePoint Administrator is a tenant-level role with comprehensive permissions across all sites including site creation; restricting site creation would require removing the broader administrator role. Option C is incorrect because SharePoint Service Administrator terminology is outdated and the modern equivalent is SharePoint Administrator which includes site creation capabilities. Option D is incorrect because while the concept is similar, the specific built-in role for managing individual site collections is Site Collection Administrator rather than a separate Sites Administrator role.
Question 122:
Your company needs to ensure that all Teams meetings can only be joined by users from your organization. What should you configure?
A) Teams meeting policy with lobby settings
B) External access settings in Teams admin center
C) Azure AD Conditional Access policy
D) Teams guest access restrictions
Answer: A
Explanation:
Teams meeting policy with lobby settings provides granular control over who can join Teams meetings directly versus who must wait in the lobby for admission by meeting participants. When you configure meeting policies to send all external participants and unauthenticated users to the lobby, you create a security boundary ensuring that only organizational users can join meetings directly. Meeting organizers or presenters can then decide whether to admit external participants after verifying their identity and purpose.
The lobby settings within Teams meeting policies offer several options for controlling meeting access including allowing everyone to bypass the lobby, allowing only people in your organization to bypass, or requiring everyone including organizational users to wait in the lobby. To ensure only organizational users can join directly, you configure the policy to allow only people in the organization and authenticated users to bypass the lobby while all others must wait for admission.
When external participants attempt to join meetings governed by this policy, they are placed in a virtual lobby where they wait until a meeting participant admits them. Meeting organizers receive notifications about waiting participants and can choose to admit individuals, deny entry, or admit all waiting participants simultaneously. This provides human verification of participant identities before granting access to potentially sensitive discussions.
Meeting policies can be assigned to specific users or groups allowing different access controls for different types of meetings. Executive meetings might have stricter lobby requirements where all participants must wait for admission, while routine team meetings might allow organizational users to bypass the lobby for convenience. The policies apply regardless of which device or platform participants use to join meetings including desktop clients, mobile apps, and web browsers.
Option B is incorrect because external access settings control federation and person-to-person communications with other organizations rather than specifically controlling meeting join policies and lobby behavior. Option C is incorrect because Conditional Access policies control authentication and access requirements but do not configure meeting-specific lobby settings that determine who can directly join versus wait for admission. Option D is incorrect because guest access restrictions control whether guest accounts can be added to teams and access team content rather than controlling meeting lobby policies.
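An added example, not part of the original question bank: a PowerShell check that flags Teams meeting policies whose lobby settings let participants from outside the organization join directly. The function name `Test-LobbyPolicy` and the sample policies are constructed for illustration; `AutoAdmittedUsers` and `AllowPSTNUsersToBypassLobby` are properties of the objects returned by `Get-CsTeamsMeetingPolicy`.

```powershell
# Added example: audit lobby-bypass settings on Teams meeting policies.
# Test-LobbyPolicy is a hypothetical helper name, not a Microsoft cmdlet.
function Test-LobbyPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy
    )
    begin {
        # AutoAdmittedUsers values under which only accounts in the tenant skip the lobby.
        # EveryoneInCompany also admits guest accounts in the tenant; remove it for a stricter check.
        $orgOnly = 'EveryoneInCompany', 'EveryoneInCompanyExcludingGuests', 'OrganizerOnly'
    }
    process {
        $findings = @()

        if ($Policy.AutoAdmittedUsers -notin $orgOnly) {
            $findings += "AutoAdmittedUsers=$($Policy.AutoAdmittedUsers) lets participants outside the organization bypass the lobby"
        }
        if ($Policy.AllowPSTNUsersToBypassLobby) {
            $findings += 'dial-in callers bypass the lobby'
        }

        [pscustomobject]@{
            Identity          = $Policy.Identity
            AutoAdmittedUsers = $Policy.AutoAdmittedUsers
            OrgOnlyBypass     = ($findings.Count -eq 0)
            Findings          = $findings -join '; '
        }
    }
}

# Constructed sample input shaped like Get-CsTeamsMeetingPolicy output.
$samplePolicies = @(
    [pscustomobject]@{ Identity = 'Global';         AutoAdmittedUsers = 'EveryoneInSameAndFederatedCompany'; AllowPSTNUsersToBypassLobby = $false }
    [pscustomobject]@{ Identity = 'Tag:Executives'; AutoAdmittedUsers = 'OrganizerOnly';                     AllowPSTNUsersToBypassLobby = $false }
    [pscustomobject]@{ Identity = 'Tag:Sales';      AutoAdmittedUsers = 'Everyone';                          AllowPSTNUsersToBypassLobby = $true  }
)

$samplePolicies | Test-LobbyPolicy | Format-List

# Against a tenant (MicrosoftTeams module, after Connect-MicrosoftTeams):
#   Get-CsTeamsMeetingPolicy | Test-LobbyPolicy | Where-Object { -not $_.OrgOnlyBypass }
# Remediating one policy:
#   Set-CsTeamsMeetingPolicy -Identity Global `
#       -AutoAdmittedUsers EveryoneInCompanyExcludingGuests `
#       -AllowPSTNUsersToBypassLobby $false
```

With the constructed input, only `Tag:Executives` passes; `Global` is flagged for federated users and `Tag:Sales` for both anonymous and dial-in bypass.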
Question 123:
You need to ensure that all OneDrive files shared externally expire after 90 days. What should you configure?
A) OneDrive sharing link expiration policy
B) SharePoint external sharing time limits
C) Azure AD B2B invitation expiration
D) File access review policy
Answer: A
Explanation:
OneDrive sharing link expiration policy provides administrative control over how long external sharing links remain valid before automatically expiring and requiring users to create new links if continued sharing is needed. In the SharePoint admin center under OneDrive settings, you can configure organization-wide policies that set default or maximum expiration periods for anonymous sharing links. When you configure link expiration for 90 days, all new external sharing links created by users automatically expire after that period.
The expiration setting helps organizations maintain security by ensuring that external access does not persist indefinitely, reducing the risk of unauthorized access through old sharing links that users may have forgotten about. External recipients who attempt to access files through expired links receive error messages indicating the link is no longer valid. Users who need to continue sharing files must create new links with fresh expiration dates.
OneDrive link expiration policies support different configurations for different link types including anonymous links that anyone can access and authenticated links that require recipients to sign in. Organizations typically set shorter expiration periods for anonymous links due to their higher security risk while allowing longer expiration for authenticated links. The policy can enforce maximum expiration periods that users cannot exceed when creating links, ensuring compliance with organizational data sharing policies.
When configuring link expiration, administrators balance security requirements with user convenience and business collaboration needs. Very short expiration periods may frustrate users and external partners who need ongoing access to files, while very long expiration periods reduce the security benefits of automatic link expiration. The 90-day period provides reasonable protection while accommodating typical project timelines and collaboration scenarios.
Option B is incorrect because SharePoint external sharing time limits is not a distinct feature from OneDrive link expiration as OneDrive uses SharePoint infrastructure; both are configured through the same sharing policies in the SharePoint admin center. Option C is incorrect because Azure AD B2B invitation expiration relates to the validity of email invitations for guest accounts rather than the expiration of file sharing links. Option D is incorrect because file access review policy is not a standard feature for controlling external sharing link expiration; link expiration is configured through OneDrive and SharePoint sharing settings.
Question 124:
Your organization needs to prevent users from uploading files larger than 100MB to SharePoint Online. What should you configure?
A) SharePoint file size restriction policy
B) Web application file upload limits
C) Site collection storage quota
D) Document library versioning settings
Answer: A
Explanation:
SharePoint file size restriction policy provides administrative control over the maximum file size that users can upload to SharePoint Online document libraries. While SharePoint Online has a default maximum file size limit, administrators can configure more restrictive limits to manage storage consumption, improve performance, or comply with organizational policies. Setting a 100MB restriction ensures users cannot upload excessively large files that might impact site performance or consume disproportionate storage resources.
File size restrictions in SharePoint Online are configured at the tenant level through PowerShell commands or SharePoint admin center settings depending on the specific limit being configured. The restrictions apply uniformly across all sites and libraries within the organization, preventing users from uploading files exceeding the specified threshold regardless of which site they access. When users attempt to upload files larger than the configured limit, they receive error messages indicating the file exceeds the maximum allowed size.
Implementing file size restrictions helps organizations manage SharePoint storage costs and maintain acceptable performance levels. Large files can slow down synchronization operations, increase network bandwidth consumption during uploads and downloads, and make site backup and restore operations more time-consuming. By limiting file sizes, organizations encourage users to use appropriate storage solutions for very large files such as specialized file transfer services or Azure Blob Storage.
Organizations should carefully consider business requirements when setting file size limits to avoid impeding legitimate work. Some industries regularly work with large files such as video production, engineering CAD files, or scientific data sets that may exceed typical size restrictions. In these cases, organizations might provide alternative storage solutions or make exceptions for specific users or departments while maintaining restrictions for general users.
Option B is incorrect because web application file upload limits are concepts from on-premises SharePoint Server rather than SharePoint Online where tenant-level policies control file size restrictions. Option C is incorrect because site collection storage quotas control the total storage available to site collections rather than the maximum size of individual files uploaded. Option D is incorrect because document library versioning settings control version retention and do not restrict the file size of uploaded documents.
Question 125:
You need to delegate the ability to manage Microsoft 365 service health incidents and messages. Which role should you assign?
A) Service Support Administrator
B) Global Administrator
C) Helpdesk Administrator
D) Message Center Reader
Answer: A
Explanation:
The Service Support Administrator role provides specific permissions to manage Microsoft 365 service health incidents, view service health information, and create support requests with Microsoft without granting broader administrative capabilities across the tenant. Users assigned this role can view the service health dashboard, read service health messages, monitor ongoing incidents, and open support tickets when service issues affect organizational users. This role is designed for IT operations personnel who monitor Microsoft 365 service availability and respond to service disruptions.
The role allows viewing detailed information about service incidents including affected services, user impact estimates, current status updates, and estimated resolution times. Service Support Administrators can provide this information to organizational leadership and affected users, helping manage expectations during service outages. They can also create and manage support requests through the Microsoft 365 admin center, providing a communication channel with Microsoft support for escalating issues or requesting assistance.
Service Support Administrators access service health information through the Microsoft 365 admin center health section where they can view current incidents, planned maintenance notifications, and historical health data. They can filter health information by service, severity, and timeframe to focus on relevant issues. The role provides read access to Message Center communications where Microsoft announces new features, service changes, and important updates affecting the tenant.
Assigning this role to dedicated service monitoring personnel enables them to respond to service health issues without requiring Global Administrator permissions that grant access to configuration settings, user management, and sensitive organizational data. The role separation supports security best practices by limiting privileged access to only what is necessary for service health management. Organizations typically assign this role to IT operations teams responsible for 24/7 monitoring and incident response.
Option B is incorrect because Global Administrator has unlimited permissions across all Microsoft 365 services which far exceeds the requirement for managing service health and violates least privilege principles. Option C is incorrect because Helpdesk Administrator focuses on user support tasks like password resets rather than service health monitoring and support ticket management. Option D is incorrect because Message Center Reader provides read-only access to Message Center announcements but does not grant permissions to manage service health incidents or create support requests.
Question 126:
Your company wants to automatically classify documents containing legal contracts. What should you implement?
A) Trainable classifier for legal contracts with sensitivity labels
B) Keyword-based retention policy
C) Manual document classification
D) SharePoint content type for contracts
Answer: A
Explanation:
Trainable classifiers for legal contracts with sensitivity labels provide advanced machine learning capabilities that automatically identify and classify contract documents based on their content characteristics rather than simple keyword matching. Microsoft 365 includes pre-built trainable classifiers for contracts and other document types, or you can create custom classifiers by providing sample documents that train the machine learning model to recognize contract patterns including document structure, legal terminology, clause arrangements, and contractual language.
When you configure auto-labeling policies using trainable classifiers, the system analyzes document content across SharePoint, OneDrive, and Exchange to identify contracts. When the classifier detects documents matching the learned contract patterns with sufficient confidence, the auto-labeling policy automatically applies designated sensitivity labels or retention labels. This classification enables automated protection through encryption, access restrictions, retention requirements, or Data Loss Prevention policy enforcement specific to legal contracts.
Trainable classifiers offer significant advantages over keyword-based classification because they understand document context and structure rather than relying on the presence of specific words. Contracts often share distinctive characteristics including signature blocks, whereas clauses, party identification sections, and termination clauses that machine learning models detect even when specific wording varies. This contextual understanding provides more accurate classification with fewer false positives than simple keyword matching.
Organizations benefit from automated contract classification by ensuring consistent handling of legally significant documents without relying on users to recognize and classify contracts manually. Contracts often contain sensitive terms, confidential business arrangements, or proprietary information requiring special protection. Automatic classification ensures all contracts receive appropriate security controls and retention settings regardless of where they are created or stored within Microsoft 365.
Option B is incorrect because keyword-based retention policies use simple text matching that may miss contracts not containing specific keywords or generate false positives for non-contract documents mentioning legal terms. Option C is incorrect because manual document classification relies on user awareness and action which leads to inconsistent application and users overlooking contracts that should be classified. Option D is incorrect because SharePoint content types organize documents within SharePoint but do not automatically detect and classify contract documents across Microsoft 365 workloads.
Question 127:
You need to ensure that all Microsoft Planner tasks containing specific project codes are automatically classified and protected. What should you configure?
A) Sensitivity label with auto-labeling for Planner
B) Planner task policy
C) Data Loss Prevention policy for Planner
D) Microsoft 365 group classification
Answer: C
Explanation:
Data Loss Prevention policies for Planner provide content-based protection that detects when tasks contain sensitive information patterns such as project codes and enforces organizational policies to prevent unauthorized access or sharing. When you create DLP policies targeting Microsoft 365 Groups locations which include Planner tasks, you can configure rules that detect custom sensitive information types matching your project code formats. The policy can restrict sharing, generate alerts, or apply additional protections when tasks contain these codes.
DLP policies continuously monitor Planner task content including task titles, descriptions, and comments. When project codes matching configured patterns are detected, the policy evaluates the context and takes actions based on configured rules. For sensitive project codes, the policy might prevent adding external guests to plans containing those tasks, restrict plan sharing outside the organization, or generate alerts to compliance administrators for review.
Implementing DLP for Planner requires creating custom sensitive information types that define the patterns for project codes used in your organization. These patterns might include alphanumeric formats, specific prefixes or suffixes, or regex patterns matching project identification schemes. Once defined, these custom sensitive information types can be referenced in DLP policy rules that specifically target Planner content.
The DLP policy provides incident reporting showing which plans and tasks triggered policy matches, who created or modified the content, and what protective actions were taken. This visibility helps organizations monitor how sensitive project information is used in collaborative planning tools. Policy tips can educate users when they create tasks containing sensitive project codes, promoting awareness about data handling requirements.
Option A is incorrect because while sensitivity labels can classify content, Planner does not currently support direct sensitivity label application and auto-labeling for individual tasks; protection is better implemented through DLP policies. Option B is incorrect because Planner task policy is not a specific feature for content-based classification and protection; DLP policies provide this capability. Option D is incorrect because Microsoft 365 group classification applies labels at the group level rather than providing task-specific content analysis and protection based on project codes.
Question 128:
Your organization needs to prevent users from printing documents classified as highly confidential from Office applications. What should you configure?
A) Sensitivity label with print restriction in protection settings
B) Information Rights Management template
C) Data Loss Prevention policy blocking print
D) Conditional Access policy for Office apps
Answer: A
Explanation:
Sensitivity labels with print restrictions in protection settings provide document-level controls that prevent users from printing files classified as highly confidential regardless of which device or location they use to access the documents. When you configure a sensitivity label for highly confidential content, you can enable encryption and usage rights that specifically deny print permissions while allowing other operations like viewing and editing. This ensures sensitive information cannot be extracted through physical printed copies.
The label protection settings use encryption technology to enforce usage restrictions. When users open highly confidential documents in Office applications like Word, Excel, or PowerPoint, the application checks the label’s protection settings and disables printing functionality. Users who attempt to print see error messages explaining that the document’s classification prevents printing. The restriction persists regardless of whether users access documents on corporate networks, remote locations, or personal devices.
Sensitivity labels with print restrictions integrate with Rights Management Services to enforce protection consistently across all supported Office applications and platforms including Windows, Mac, iOS, and Android. The protection travels with the document, so restrictions remain effective even when files are downloaded, copied to removable media, or shared with others. Recipients of protected documents face the same print restrictions unless they have permissions explicitly granting print rights.
Organizations implementing print restrictions should consider legitimate business scenarios where printing might be necessary and configure label permissions accordingly. Some users might require print permissions based on their roles or specific business needs. Labels support custom permission assignment where specific users or groups receive enhanced rights including printing while general users face restrictions. This flexibility enables balanced protection that prevents unauthorized printing while accommodating necessary exceptions.
Option B is incorrect because Information Rights Management templates provide encryption and usage rights but sensitivity labels are the modern recommended approach for document protection with more flexible configuration and better integration with Microsoft 365 compliance features. Option C is incorrect because DLP policies detect and prevent data loss through channels like email and external sharing but do not enforce usage restrictions like print blocking for classified documents. Option D is incorrect because Conditional Access policies control access to applications based on authentication conditions but do not enforce document-level usage restrictions within applications.
Question 129:
You need to delegate the ability to manage Azure AD groups without granting permissions to manage users or other directory objects. Which role should you assign?
A) Groups Administrator
B) User Administrator
C) Directory Synchronization Accounts
D) Cloud Application Administrator
Answer: A
Explanation:
The Groups Administrator role provides comprehensive permissions to create, manage, and delete all types of Azure AD groups including security groups, Microsoft 365 groups, and distribution groups without granting broader directory management capabilities. Users assigned this role can manage group membership, configure group settings, handle group lifecycle policies, manage group naming policies, and configure group-based licensing. This role follows the principle of least privilege by limiting access to group management tasks only.
The Groups Administrator can manage all group properties including name, description, membership type, and visibility settings. They can add or remove members from groups, designate group owners, configure group expiration policies, and manage deleted groups from the Azure AD recycle bin. The role provides permissions necessary for comprehensive group lifecycle management supporting organizational needs for collaboration team management and security group administration.
Groups Administrators can manage group-based license assignments where licenses are allocated to groups and automatically assigned to group members. This capability enables efficient license management for teams and departments without requiring direct user license manipulation. They can also configure dynamic group membership rules that automatically populate groups based on user attributes like department, location, or job title.
The role does not include permissions to create or modify user accounts, reset passwords, manage devices, configure directory settings, or manage other administrative roles. This separation ensures that group management responsibilities can be delegated to departmental managers or team leads without granting excessive privileges. Organizations benefit from distributed group administration while maintaining security through appropriate role boundaries.
Option B is incorrect because User Administrator has extensive permissions including user account management and password resets beyond group management, which exceeds the requirement for group-only administration. Option C is incorrect because Directory Synchronization Accounts role is specialized for accounts used by Azure AD Connect synchronization services rather than group management. Option D is incorrect because Cloud Application Administrator manages enterprise applications and application registrations rather than Azure AD group administration.
Question 118:
Your company needs to ensure that all SharePoint document libraries automatically version documents and retain the last 50 versions. What should you configure?
A) Document library versioning settings with major versions
B) Information management policy for versioning
C) SharePoint site collection version limits
D) Content type versioning configuration
Answer: A
Explanation:
Document library versioning settings with major versions provide granular control over how SharePoint tracks changes to documents stored in libraries. When you configure versioning settings for a document library, you can specify whether to create versions when documents are modified, how many versions to retain, and whether to track both major and minor versions. To ensure the last 50 versions are retained, you access the library settings and enable versioning with a limit of 50 major versions.
Versioning in SharePoint creates a new version entry each time a user saves changes to a document, allowing organizations to track document evolution and restore previous versions when needed. The version history records who made changes, when modifications occurred, and optionally requires check-in comments explaining the changes. By setting the version limit to 50, older versions beyond this threshold are automatically deleted to manage storage consumption while maintaining sufficient history for most business scenarios.
When configuring versioning, you can choose between major versions only or major and minor versions. Major versions represent published states of documents visible to all users with read permissions, while minor versions represent draft states visible only to users with edit permissions. For scenarios requiring 50 versions, major version tracking alone provides straightforward version management without the complexity of draft versions.
The versioning configuration applies specifically to the document library where it is enabled, allowing different libraries within the same site to have different versioning policies based on content requirements. Critical document libraries might retain more versions while temporary collaboration spaces might limit versions to reduce storage usage. Library owners and site administrators can modify versioning settings to adjust retention limits as organizational needs evolve.
Option B is incorrect because information management policies are legacy features that have been largely replaced by retention policies and labels in modern SharePoint Online compliance frameworks. Option C is incorrect because site collection version limits set organization-wide defaults but individual library versioning settings provide the specific configuration needed to retain exactly 50 versions. Option D is incorrect because content type versioning configuration affects content type definitions rather than the actual version retention behavior in document libraries.
Question 119:
You need to prevent users from accessing Microsoft 365 services when their devices are not compliant with security policies. What should you configure?
A) Conditional Access policy requiring device compliance
B) Device enrollment restrictions
C) Mobile Device Management policy
D) Azure AD device settings
Answer: A
Explanation:
Conditional Access policies requiring device compliance provide identity-based access control that evaluates device compliance status before granting access to Microsoft 365 services. When you create a Conditional Access policy targeting cloud applications like Exchange Online, SharePoint, and Teams, you can configure grant controls that require devices to be marked as compliant before allowing access. This ensures that only devices meeting organizational security standards can access corporate resources regardless of user location or network.
The policy works by evaluating the device compliance status reported by Microsoft Intune during user authentication. When users attempt to access Microsoft 365 services, Azure AD checks whether their device is enrolled in Intune and marked as compliant based on device compliance policies. If the device is not compliant, the Conditional Access policy blocks access and directs users to enroll their device or remediate compliance issues before access is granted.
Device compliance policies in Intune define the security requirements that devices must meet including encryption enablement, minimum operating system versions, antivirus software presence, jailbreak detection, and password complexity. Devices that fail to meet any configured requirement are marked as non-compliant. The combination of compliance policies and Conditional Access creates a comprehensive security framework ensuring corporate data is accessed only from secure devices.
This approach supports bring-your-own-device scenarios where personal devices can access corporate resources only when they meet security standards. The policy evaluates compliance continuously, so if a device falls out of compliance after initial access is granted, subsequent authentication attempts are blocked until compliance is restored. Organizations can configure different compliance requirements for different device platforms including Windows, iOS, Android, and macOS.
Option B is incorrect because device enrollment restrictions control which devices can enroll in MDM but do not enforce access requirements based on compliance status. Option C is incorrect because MDM policies define device configurations and compliance criteria but must be combined with Conditional Access policies to enforce access restrictions. Option D is incorrect because Azure AD device settings control device registration options but do not enforce compliance-based access control for Microsoft 365 services.
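An added example, not part of the original question bank: a PowerShell check that tells whether a Conditional Access policy actually enforces device compliance for Microsoft 365, or only appears to. The function name `Test-CompliantDevicePolicy` and the sample policies are constructed for illustration; the property names follow the objects returned by `Get-MgIdentityConditionalAccessPolicy` in the Microsoft Graph PowerShell SDK.

```powershell
# Added example: find gaps in "require compliant device" Conditional Access policies.
# Test-CompliantDevicePolicy is a hypothetical helper name, not a Microsoft cmdlet.
function Test-CompliantDevicePolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy
    )
    process {
        $gaps     = @()
        $controls = @($Policy.GrantControls.BuiltInControls)
        $users    = @($Policy.Conditions.Users.IncludeUsers)
        $apps     = @($Policy.Conditions.Applications.IncludeApplications)

        # Report-only and disabled policies never block a sign-in.
        if ($Policy.State -ne 'enabled') {
            $gaps += "state is '$($Policy.State)', so nothing is enforced"
        }

        if ($controls -notcontains 'compliantDevice') {
            $gaps += 'no compliantDevice grant control'
        } elseif ($controls.Count -gt 1 -and $Policy.GrantControls.Operator -ne 'AND') {
            # With operator OR, any one control (for example MFA) satisfies the policy.
            $gaps += 'compliantDevice is combined with other controls using OR'
        }

        if ($users -notcontains 'All') {
            $gaps += 'policy does not include all users'
        }
        if (($apps -notcontains 'All') -and ($apps -notcontains 'Office365')) {
            $gaps += 'policy does not target All or Office365 applications'
        }

        [pscustomobject]@{
            DisplayName        = $Policy.DisplayName
            EnforcesCompliance = ($gaps.Count -eq 0)
            Gaps               = $gaps -join '; '
        }
    }
}

# Helper that builds a constructed sample policy with the same shape as Graph output.
function New-SamplePolicy($Name, $State, $Operator, $Controls) {
    [pscustomobject]@{
        DisplayName   = $Name
        State         = $State
        Conditions    = [pscustomobject]@{
            Users        = [pscustomobject]@{ IncludeUsers = @('All') }
            Applications = [pscustomobject]@{ IncludeApplications = @('Office365') }
        }
        GrantControls = [pscustomobject]@{ Operator = $Operator; BuiltInControls = $Controls }
    }
}

# Constructed sample input (display names are made up).
$samplePolicies = @(
    New-SamplePolicy 'M365 - require compliant device' 'enabled' 'OR' @('compliantDevice')
    New-SamplePolicy 'M365 - compliant device pilot'   'enabledForReportingButNotEnforced' 'OR' @('compliantDevice')
    New-SamplePolicy 'M365 - MFA or compliant device'  'enabled' 'OR' @('mfa', 'compliantDevice')
)

$samplePolicies | Test-CompliantDevicePolicy | Format-List

# Against a tenant (Microsoft.Graph.Identity.SignIns module):
#   Connect-MgGraph -Scopes 'Policy.Read.All'
#   Get-MgIdentityConditionalAccessPolicy -All | Test-CompliantDevicePolicy
```

With the constructed input, only the first policy enforces compliance; the second is report-only and the third can be satisfied by MFA from a non-compliant device.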
Question 120:
Your organization wants to ensure that all calendar events created by executives are automatically classified as confidential. What should you configure?
A) Sensitivity label auto-labeling policy for calendar items
B) Exchange transport rule for calendar events
C) Outlook default classification settings
D) Information Rights Management for calendars
Answer: A
Explanation:
Sensitivity label auto-labeling policies for calendar items provide automated classification that applies labels to calendar events based on sender identity without requiring manual user action. When you create an auto-labeling policy in Microsoft Purview, you can configure conditions that detect calendar events created by specific users or members of executive groups and automatically apply confidential sensitivity labels. This ensures consistent classification of executive communications without relying on executives remembering to label their calendar invitations.
The auto-labeling policy continuously monitors calendar event creation and evaluates whether events meet the configured conditions. When executives create calendar appointments or meeting invitations, the policy automatically applies the confidential label before the invitations are sent to attendees. The label can include protection settings such as encryption or access restrictions that prevent attendees from forwarding invitations to unauthorized recipients or modifying event details.
Auto-labeling for calendar items supports condition-based application using attributes like sender email address, group membership, or keywords in meeting subjects. For executive calendar events, you typically configure the policy to identify senders who are members of an executive distribution group or security group. The policy applies labels transparently without requiring executive action or awareness, ensuring comprehensive protection for sensitive meeting information.
Once applied, sensitivity labels persist with calendar events throughout their lifecycle. If events are forwarded or copied, the label travels with the event ensuring consistent protection. Attendees see visual indicators showing that events are classified as confidential, promoting awareness about handling requirements. The labels integrate with Data Loss Prevention policies that can enforce additional protections for confidential calendar content.
Option B is incorrect because Exchange transport rules process email messages rather than calendar events and do not provide calendar-specific classification capabilities. Option C is incorrect because Outlook default classification settings are client-side configurations that users control individually and cannot be centrally enforced for specific user groups like executives. Option D is incorrect because Information Rights Management provides encryption capabilities but does not automatically classify calendar events based on sender identity without additional automation.
Question 121:
You need to delegate the ability to manage SharePoint site collections without granting access to create new sites. Which role should you assign?
A) SharePoint Administrator with site creation restrictions
B) Site Collection Administrator
C) SharePoint Service Administrator
D) Sites Administrator role
Answer: B
Explanation:
Site Collection Administrator role provides comprehensive permissions to manage all aspects of specific SharePoint site collections including membership, permissions, storage, features, and content without granting organization-wide site creation capabilities. When you designate users as site collection administrators for specific sites, they gain full control over those sites but cannot create new site collections unless they also have broader SharePoint administrative roles. This delegation model enables distributed site management while maintaining central control over site proliferation.
Site Collection Administrators can manage site permissions by adding or removing users and groups, configure site features and settings, manage site collection storage quotas, customize site appearance and navigation, and access all content within the site regardless of item-level permissions. They serve as the highest permission level within the site collection hierarchy and can designate additional site collection administrators or site owners as needed.
The role is ideal for business unit leaders or departmental managers who need full control over their team sites without requiring permissions to create additional sites or manage other site collections. Organizations often assign site collection administrator permissions during site provisioning workflows where business owners request sites that IT creates and then delegates management responsibility. This ensures appropriate governance over new site creation while empowering business users to manage their collaboration spaces.
Site Collection Administrators appear in site settings and have access to administrative interfaces for their assigned sites but do not have access to the SharePoint admin center or organization-wide SharePoint settings. Their permissions are scoped to specific site collections, preventing unauthorized access to other sites or tenant-level configurations. This role separation supports security and compliance requirements while enabling effective site management.
Option A is incorrect because SharePoint Administrator is a tenant-level role with comprehensive permissions across all sites including site creation; restricting site creation would require removing the broader administrator role. Option C is incorrect because SharePoint Service Administrator terminology is outdated and the modern equivalent is SharePoint Administrator which includes site creation capabilities. Option D is incorrect because while the concept is similar, the specific built-in role for managing individual site collections is Site Collection Administrator rather than a separate Sites Administrator role.
Question 122:
Your company needs to ensure that all Teams meetings can only be joined by users from your organization. What should you configure?
A) Teams meeting policy with lobby settings
B) External access settings in Teams admin center
C) Azure AD Conditional Access policy
D) Teams guest access restrictions
Answer: A
Explanation:
Teams meeting policy with lobby settings provides granular control over who can join Teams meetings directly versus who must wait in the lobby for admission by meeting participants. When you configure meeting policies to send all external participants and unauthenticated users to the lobby, you create a security boundary ensuring that only organizational users can join meetings directly. Meeting organizers or presenters can then decide whether to admit external participants after verifying their identity and purpose.
The lobby settings within Teams meeting policies offer several options for controlling meeting access including allowing everyone to bypass the lobby, allowing only people in your organization to bypass, or requiring everyone including organizational users to wait in the lobby. To ensure only organizational users can join directly, you configure the policy to allow only people in the organization and authenticated users to bypass the lobby while all others must wait for admission.
When external participants attempt to join meetings governed by this policy, they are placed in a virtual lobby where they wait until a meeting participant admits them. Meeting organizers receive notifications about waiting participants and can choose to admit individuals, deny entry, or admit all waiting participants simultaneously. This provides human verification of participant identities before granting access to potentially sensitive discussions.
Meeting policies can be assigned to specific users or groups allowing different access controls for different types of meetings. Executive meetings might have stricter lobby requirements where all participants must wait for admission, while routine team meetings might allow organizational users to bypass the lobby for convenience. The policies apply regardless of which device or platform participants use to join meetings including desktop clients, mobile apps, and web browsers.
Option B is incorrect because external access settings control federation and person-to-person communications with other organizations rather than specifically controlling meeting join policies and lobby behavior. Option C is incorrect because Conditional Access policies control authentication and access requirements but do not configure meeting-specific lobby settings that determine who can directly join versus wait for admission. Option D is incorrect because guest access restrictions control whether guest accounts can be added to teams and access team content rather than controlling meeting lobby policies.
Question 123:
You need to ensure that all OneDrive files shared externally expire after 90 days. What should you configure?
A) OneDrive sharing link expiration policy
B) SharePoint external sharing time limits
C) Azure AD B2B invitation expiration
D) File access review policy
Answer: A
Explanation:
OneDrive sharing link expiration policy provides administrative control over how long external sharing links remain valid before automatically expiring and requiring users to create new links if continued sharing is needed. In the SharePoint admin center under OneDrive settings, you can configure organization-wide policies that set default or maximum expiration periods for anonymous sharing links. When you configure link expiration for 90 days, all new external sharing links created by users automatically expire after that period.
The expiration setting helps organizations maintain security by ensuring that external access does not persist indefinitely, reducing the risk of unauthorized access through old sharing links that users may have forgotten about. External recipients who attempt to access files through expired links receive error messages indicating the link is no longer valid. Users who need to continue sharing files must create new links with fresh expiration dates.
OneDrive link expiration policies support different configurations for different link types including anonymous links that anyone can access and authenticated links that require recipients to sign in. Organizations typically set shorter expiration periods for anonymous links due to their higher security risk while allowing longer expiration for authenticated links. The policy can enforce maximum expiration periods that users cannot exceed when creating links, ensuring compliance with organizational data sharing policies.
When configuring link expiration, administrators balance security requirements with user convenience and business collaboration needs. Very short expiration periods may frustrate users and external partners who need ongoing access to files, while very long expiration periods reduce the security benefits of automatic link expiration. The 90-day period provides reasonable protection while accommodating typical project timelines and collaboration scenarios.
Option B is incorrect because SharePoint external sharing time limits is not a distinct feature from OneDrive link expiration as OneDrive uses SharePoint infrastructure; both are configured through the same sharing policies in the SharePoint admin center. Option C is incorrect because Azure AD B2B invitation expiration relates to the validity of email invitations for guest accounts rather than the expiration of file sharing links. Option D is incorrect because file access review policy is not a standard feature for controlling external sharing link expiration; link expiration is configured through OneDrive and SharePoint sharing settings.
Question 124:
Your organization needs to prevent users from uploading files larger than 100MB to SharePoint Online. What should you configure?
A) SharePoint file size restriction policy
B) Web application file upload limits
C) Site collection storage quota
D) Document library versioning settings
Answer: A
Explanation:
SharePoint file size restriction policy provides administrative control over the maximum file size that users can upload to SharePoint Online document libraries. While SharePoint Online has a default maximum file size limit, administrators can configure more restrictive limits to manage storage consumption, improve performance, or comply with organizational policies. Setting a 100MB restriction ensures users cannot upload excessively large files that might impact site performance or consume disproportionate storage resources.
File size restrictions in SharePoint Online are configured at the tenant level through PowerShell commands or SharePoint admin center settings depending on the specific limit being configured. The restrictions apply uniformly across all sites and libraries within the organization, preventing users from uploading files exceeding the specified threshold regardless of which site they access. When users attempt to upload files larger than the configured limit, they receive error messages indicating the file exceeds the maximum allowed size.
Implementing file size restrictions helps organizations manage SharePoint storage costs and maintain acceptable performance levels. Large files can slow down synchronization operations, increase network bandwidth consumption during uploads and downloads, and make site backup and restore operations more time-consuming. By limiting file sizes, organizations encourage users to use appropriate storage solutions for very large files such as specialized file transfer services or Azure Blob Storage.
Organizations should carefully consider business requirements when setting file size limits to avoid impeding legitimate work. Some industries regularly work with large files such as video production, engineering CAD files, or scientific data sets that may exceed typical size restrictions. In these cases, organizations might provide alternative storage solutions or make exceptions for specific users or departments while maintaining restrictions for general users.
Option B is incorrect because web application file upload limits are concepts from on-premises SharePoint Server rather than SharePoint Online where tenant-level policies control file size restrictions. Option C is incorrect because site collection storage quotas control the total storage available to site collections rather than the maximum size of individual files uploaded. Option D is incorrect because document library versioning settings control version retention and do not restrict the file size of uploaded documents.
Question 125:
You need to delegate the ability to manage Microsoft 365 service health incidents and messages. Which role should you assign?
A) Service Support Administrator
B) Global Administrator
C) Helpdesk Administrator
D) Message Center Reader
Answer: A
Explanation:
Service Support Administrator role provides specific permissions to manage Microsoft 365 service health incidents, view service health information, and create support requests with Microsoft without granting broader administrative capabilities across the tenant. Users assigned this role can view the service health dashboard, read service health messages, monitor ongoing incidents, and open support tickets when service issues affect organizational users. This role is designed for IT operations personnel who monitor Microsoft 365 service availability and respond to service disruptions.
The role allows viewing detailed information about service incidents including affected services, user impact estimates, current status updates, and estimated resolution times. Service Support Administrators can provide this information to organizational leadership and affected users, helping manage expectations during service outages. They can also create and manage support requests through the Microsoft 365 admin center, providing a communication channel with Microsoft support for escalating issues or requesting assistance.
Service Support Administrators access service health information through the Microsoft 365 admin center health section where they can view current incidents, planned maintenance notifications, and historical health data. They can filter health information by service, severity, and timeframe to focus on relevant issues. The role provides read access to Message Center communications where Microsoft announces new features, service changes, and important updates affecting the tenant.
Assigning this role to dedicated service monitoring personnel enables them to respond to service health issues without requiring Global Administrator permissions that grant access to configuration settings, user management, and sensitive organizational data. The role separation supports security best practices by limiting privileged access to only what is necessary for service health management. Organizations typically assign this role to IT operations teams responsible for 24/7 monitoring and incident response.
Option B is incorrect because Global Administrator has unlimited permissions across all Microsoft 365 services which far exceeds the requirement for managing service health and violates least privilege principles. Option C is incorrect because Helpdesk Administrator focuses on user support tasks like password resets rather than service health monitoring and support ticket management. Option D is incorrect because Message Center Reader provides read-only access to Message Center announcements but does not grant permissions to manage service health incidents or create support requests.
Question 126:
Your company wants to automatically classify documents containing legal contracts. What should you implement?
A) Trainable classifier for legal contracts with sensitivity labels
B) Keyword-based retention policy
C) Manual document classification
D) SharePoint content type for contracts
Answer: A
Explanation:
Trainable classifiers for legal contracts with sensitivity labels provide advanced machine learning capabilities that automatically identify and classify contract documents based on their content characteristics rather than simple keyword matching. Microsoft 365 includes pre-built trainable classifiers for contracts and other document types, or you can create custom classifiers by providing sample documents that train the machine learning model to recognize contract patterns including document structure, legal terminology, clause arrangements, and contractual language.
When you configure auto-labeling policies using trainable classifiers, the system analyzes document content across SharePoint, OneDrive, and Exchange to identify contracts. When the classifier detects documents matching the learned contract patterns with sufficient confidence, the auto-labeling policy automatically applies designated sensitivity labels or retention labels. This classification enables automated protection through encryption, access restrictions, retention requirements, or Data Loss Prevention policy enforcement specific to legal contracts.
Trainable classifiers offer significant advantages over keyword-based classification because they understand document context and structure rather than relying on presence of specific words. Contracts often share distinctive characteristics including signature blocks, whereas clauses, party identification sections, and termination clauses that machine learning models detect even when specific wording varies. This contextual understanding provides more accurate classification with fewer false positives than simple keyword matching.
Organizations benefit from automated contract classification by ensuring consistent handling of legally significant documents without relying on users to recognize and classify contracts manually. Contracts often contain sensitive terms, confidential business arrangements, or proprietary information requiring special protection. Automatic classification ensures all contracts receive appropriate security controls and retention settings regardless of where they are created or stored within Microsoft 365.
Option B is incorrect because keyword-based retention policies use simple text matching that may miss contracts not containing specific keywords or generate false positives for non-contract documents mentioning legal terms. Option C is incorrect because manual document classification relies on user awareness and action which leads to inconsistent application and users overlooking contracts that should be classified. Option D is incorrect because SharePoint content types organize documents within SharePoint but do not automatically detect and classify contract documents across Microsoft 365 workloads.
Question 127:
You need to ensure that all Microsoft Planner tasks containing specific project codes are automatically classified and protected. What should you configure?
A) Sensitivity label with auto-labeling for Planner
B) Planner task policy
C) Data Loss Prevention policy for Planner
D) Microsoft 365 group classification
Answer: C
Explanation:
Data Loss Prevention policies for Planner provide content-based protection that detects when tasks contain sensitive information patterns such as project codes and enforces organizational policies to prevent unauthorized access or sharing. When you create DLP policies targeting Microsoft 365 Groups locations which include Planner tasks, you can configure rules that detect custom sensitive information types matching your project code formats. The policy can restrict sharing, generate alerts, or apply additional protections when tasks contain these codes.
DLP policies continuously monitor Planner task content including task titles, descriptions, and comments. When project codes matching configured patterns are detected, the policy evaluates the context and takes actions based on configured rules. For sensitive project codes, the policy might prevent adding external guests to plans containing those tasks, restrict plan sharing outside the organization, or generate alerts to compliance administrators for review.
Implementing DLP for Planner requires creating custom sensitive information types that define the patterns for project codes used in your organization. These patterns might include alphanumeric formats, specific prefixes or suffixes, or regex patterns matching project identification schemes. Once defined, these custom sensitive information types can be referenced in DLP policy rules that specifically target Planner content.
The DLP policy provides incident reporting showing which plans and tasks triggered policy matches, who created or modified the content, and what protective actions were taken. This visibility helps organizations monitor how sensitive project information is used in collaborative planning tools. Policy tips can educate users when they create tasks containing sensitive project codes, promoting awareness about data handling requirements.
Option A is incorrect because while sensitivity labels can classify content, Planner does not currently support direct sensitivity label application and auto-labeling for individual tasks; protection is better implemented through DLP policies. Option B is incorrect because Planner task policy is not a specific feature for content-based classification and protection; DLP policies provide this capability. Option D is incorrect because Microsoft 365 group classification applies labels at the group level rather than providing task-specific content analysis and protection based on project codes.
Question 128:
Your organization needs to prevent users from printing documents classified as highly confidential from Office applications. What should you configure?
A) Sensitivity label with print restriction in protection settings
B) Information Rights Management template
C) Data Loss Prevention policy blocking print
D) Conditional Access policy for Office apps
Answer: A
Explanation:
Sensitivity labels with print restrictions in protection settings provide document-level controls that prevent users from printing files classified as highly confidential regardless of which device or location they use to access the documents. When you configure a sensitivity label for highly confidential content, you can enable encryption and usage rights that specifically deny print permissions while allowing other operations like viewing and editing. This ensures sensitive information cannot be extracted through physical printed copies.
The label protection settings use encryption technology to enforce usage restrictions. When users open highly confidential documents in Office applications like Word, Excel, or PowerPoint, the application checks the label’s protection settings and disables printing functionality. Users who attempt to print see error messages explaining that the document’s classification prevents printing. The restriction persists regardless of whether users access documents on corporate networks, remote locations, or personal devices.
Sensitivity labels with print restrictions integrate with Rights Management Services to enforce protection consistently across all supported Office applications and platforms including Windows, Mac, iOS, and Android. The protection travels with the document, so restrictions remain effective even when files are downloaded, copied to removable media, or shared with others. Recipients of protected documents face the same print restrictions unless they have permissions explicitly granting print rights.
Organizations implementing print restrictions should consider legitimate business scenarios where printing might be necessary and configure label permissions accordingly. Some users might require print permissions based on their roles or specific business needs. Labels support custom permission assignment where specific users or groups receive enhanced rights including printing while general users face restrictions. This flexibility enables balanced protection that prevents unauthorized printing while accommodating necessary exceptions.
Option B is incorrect because Information Rights Management templates provide encryption and usage rights but sensitivity labels are the modern recommended approach for document protection with more flexible configuration and better integration with Microsoft 365 compliance features. Option C is incorrect because DLP policies detect and prevent data loss through channels like email and external sharing but do not enforce usage restrictions like print blocking for classified documents. Option D is incorrect because Conditional Access policies control access to applications based on authentication conditions but do not enforce document-level usage restrictions within applications.
Question 129:
You need to delegate the ability to manage Azure AD groups without granting permissions to manage users or other directory objects. Which role should you assign?
A) Groups Administrator
B) User Administrator
C) Directory Synchronization Accounts
D) Cloud Application Administrator
Answer: A
Explanation:
Groups Administrator role provides comprehensive permissions to create, manage, and delete all types of Azure AD groups including security groups, Microsoft 365 groups, and distribution groups without granting broader directory management capabilities. Users assigned this role can manage group membership, configure group settings, handle group lifecycle policies, manage group naming policies, and configure group-based licensing. This role follows the principle of least privilege by limiting access to group management tasks only.
The Groups Administrator can manage all group properties including name, description, membership type, and visibility settings. They can add or remove members from groups, designate group owners, configure group expiration policies, and manage deleted groups from the Azure AD recycle bin. The role provides permissions necessary for comprehensive group lifecycle management supporting organizational needs for collaboration team management and security group administration.
Groups Administrators can manage group-based license assignments where licenses are allocated to groups and automatically assigned to group members. This capability enables efficient license management for teams and departments without requiring direct user license manipulation. They can also configure dynamic group membership rules that automatically populate groups based on user attributes like department, location, or job title.
The role does not include permissions to create or modify user accounts, reset passwords, manage devices, configure directory settings, or manage other administrative roles. This separation ensures that group management responsibilities can be delegated to departmental managers or team leads without granting excessive privileges. Organizations benefit from distributed group administration while maintaining security through appropriate role boundaries.
Option B is incorrect because User Administrator has extensive permissions including user account management and password resets beyond group management, which exceeds the requirement for group-only administration. Option C is incorrect because Directory Synchronization Accounts role is specialized for accounts used by Azure AD Connect synchronization services rather than group management. Option D is incorrect because Cloud Application Administrator manages enterprise applications and application registrations rather than Azure AD group administration.
Question 130:
Your company wants to ensure that emails sent to distribution groups with more than 500 members are automatically approved before delivery. What should you configure?
A) Distribution group moderation with member count threshold
B) Mail flow rule with recipient count condition
C) Transport rule for large distribution groups
D) Exchange recipient policy
Answer: B
Explanation:
Mail flow rules with recipient count conditions provide the capability to intercept and require approval for emails sent to large audiences including distribution groups with many members. When you create a mail flow rule in Exchange Online, you can specify conditions that detect when messages are sent to recipient counts exceeding specified thresholds such as 500 recipients. The rule can then route these messages to designated approvers who must review and approve them before delivery to the full recipient list.
The mail flow rule evaluates all outbound messages and counts the total number of recipients including distribution group members. When a message addressed to a distribution group would result in more than 500 recipients receiving the email, the rule matches the condition and triggers the approval action. The message is held in a queue while approval notifications are sent to designated moderators who can review the content, sender, and intended audience before deciding whether to approve or reject delivery.
Approval workflows through mail flow rules provide centralized control over mass communications without requiring individual moderation configuration for each large distribution group. This approach ensures consistent approval requirements across all large-audience emails regardless of which specific groups are involved. Organizations benefit from preventing accidental mass communications, unauthorized announcements, or potential email storms that could impact email system performance.
The mail flow rule can be configured with exceptions for trusted senders such as communications teams or executives who routinely send legitimate mass communications. The rule might also include conditions that combine recipient count with other factors like subject keywords or sender department to refine when approval is required. Audit logs capture all approval decisions providing accountability for mass communication authorization.
Option A is incorrect because distribution group moderation settings apply to specific groups individually rather than providing organization-wide control based on recipient count thresholds across all possible distribution group combinations. Option C is incorrect because transport rule for large distribution groups is essentially the same concept as mail flow rule; the correct configuration requires recipient count conditions rather than group-specific identification. Option D is incorrect because Exchange recipient policy is not a feature that implements message approval based on recipient counts; mail flow rules provide this functionality.
Question 131:
You need to ensure that all Microsoft Stream videos are accessible only to users who have completed security training. What should you configure?
A) Azure AD Conditional Access policy with group membership requirement
B) Stream sharing permissions
C) Microsoft 365 group membership requirements
D) Stream video access policy
Answer: A
Explanation:
Azure AD Conditional Access policy with group membership requirements provides identity-based access control that evaluates whether users belong to specific groups before granting access to applications like Microsoft Stream. When you create a Conditional Access policy targeting the Stream application, you can configure grant controls that require users to be members of a security group containing only users who have completed security training. This ensures Stream access is restricted to trained users who understand information security responsibilities.
The policy implementation involves creating an Azure AD security group that serves as the trained users group. As employees complete security training, they are added to this group through manual processes or automated workflows integrated with learning management systems. The Conditional Access policy checks group membership during authentication to Stream. Users not in the trained users group receive access denied messages directing them to complete required training.
Conditional Access provides flexible enforcement options including blocking untrained users entirely or allowing limited access with restrictions. Organizations might configure policies that permit trained users to view and upload videos while untrained users can only view but not contribute content. The policy can also be phased in with different requirements for different user populations based on roles or departments.
The group membership approach enables dynamic access control that automatically grants Stream access when training is completed and users are added to the appropriate group. This reduces administrative burden compared to manually managing individual user permissions for Stream. The policy integrates with training completion tracking systems ensuring access rights reflect current training status.
Option B is incorrect because Stream sharing permissions control video-level sharing but do not provide application-level access control based on training completion status across all Stream content. Option C is incorrect because Microsoft 365 group membership requirements control access to groups and team sites rather than implementing conditional application access based on training completion. Option D is incorrect because Stream video access policy is not a distinct feature; application access control is implemented through Azure AD Conditional Access policies.
Question 132:
Your organization needs to ensure that deleted Microsoft 365 groups can be recovered for 45 days. What should you configure?
A) Azure AD deleted group retention period
B) Group lifecycle policy
C) Microsoft 365 backup policy
D) Group recovery settings
Answer: A
Explanation:
Azure AD deleted group retention period controls how long deleted Microsoft 365 groups and their associated resources remain recoverable before permanent deletion. By default, Azure AD retains deleted groups for 30 days in the soft-deleted state where they can be restored through the Azure AD portal or PowerShell. While the default retention cannot be extended beyond 30 days through configuration, the soft-delete mechanism ensures groups remain recoverable for this period regardless of when deletion occurred.
When groups are deleted, they move to a soft-deleted state where all group properties, memberships, and associated resources including SharePoint sites, Exchange mailboxes, and Teams are preserved. During the retention period, administrators can restore deleted groups through the Azure AD admin center where they appear in the deleted groups section. Restoration recovers the complete group configuration including members, owners, settings, and connected resources.
The 30-day retention period provides reasonable protection against accidental deletions while managing storage costs for deleted content. Organizations needing longer retention for compliance reasons should implement additional safeguards such as requiring approval before group deletion or maintaining backups of critical groups. Third-party backup solutions can provide extended retention beyond the Azure AD soft-delete period for organizations with specific recovery requirements.
Group administrators and global administrators have permissions to restore soft-deleted groups. The restoration process is straightforward through the Azure AD portal or can be automated using PowerShell scripts for bulk recovery scenarios. After successful restoration, groups and all connected resources return to their pre-deletion state with members and settings intact.
Option B is incorrect because group lifecycle policy manages group expiration and renewal for active groups rather than controlling retention of already-deleted groups. Option C is incorrect because Microsoft 365 backup policy is not a built-in feature; soft-delete provides the native recovery mechanism for deleted groups. Option D is incorrect because group recovery settings are not a distinct configuration option; recovery capability is provided through the Azure AD soft-delete mechanism with its default retention period.
Question 133:
You need to prevent users from creating Power Apps that connect to external data sources. What should you configure?
A) Power Platform Data Loss Prevention policy
B) Power Apps creation restrictions
C) Azure AD application consent settings
D) Power Platform environment settings
Answer: A
Explanation:
Power Platform Data Loss Prevention policies provide governance controls over which data connectors can be used in Power Apps and Power Automate within your tenant. These policies classify connectors into business data groups and non-business data groups with rules preventing data sharing between groups. By blocking external data source connectors or classifying them as non-business data while classifying internal connectors as business data, you prevent apps from accessing external sources.
DLP policies for Power Platform are created in the Power Platform admin center where administrators define connector classifications. Connectors like SharePoint, OneDrive, and SQL Server might be classified as business data connectors allowed in apps, while external connectors like Twitter, Facebook, or third-party services are blocked entirely or classified as non-business. The policy enforces these restrictions when users create or modify apps preventing inclusion of blocked connectors.
When users attempt to add blocked connectors to Power Apps, they receive error messages explaining that organizational policy prevents using those connectors. Existing apps using prohibited connectors may be disabled until modified to comply with DLP policies. This enforcement ensures applications cannot exfiltrate organizational data to external services or introduce unsecured data sources into the environment.
DLP policies can be scoped to specific environments allowing different connector restrictions for development versus production environments. Development environments might permit more connectors for testing while production environments enforce strict limitations. Policies can also exclude specific users or groups who need access to external connectors for legitimate business purposes while restricting general users.
Option B is incorrect because Power Apps creation restrictions control who can create apps rather than limiting which connectors those apps can use. Option C is incorrect because Azure AD application consent settings control permissions for enterprise applications rather than Power Platform connector usage in apps. Option D is incorrect because Power Platform environment settings include various configurations but connector restrictions are specifically implemented through Data Loss Prevention policies.
Question 134:
Your company wants to automatically delete all voicemail messages older than 180 days. What should you configure?
A) Retention policy for Exchange with voicemail inclusion
B) Voicemail retention settings
C) Exchange Online mailbox policy
D) Unified Messaging policy
Answer: A
Explanation:
Retention policies for Exchange with voicemail inclusion provide automated lifecycle management for voicemail messages stored in Exchange Online mailboxes. Microsoft Teams Phone System and other unified communications solutions store voicemail messages in user mailboxes in the conversation history folder. When you create a retention policy targeting Exchange locations, you can configure it to delete voicemail messages after 180 days, ensuring old messages do not consume mailbox storage indefinitely.
A retention policy for Exchange with voicemail inclusion is the correct choice because voicemail messages in Microsoft 365 are stored directly in users' Exchange Online mailboxes, typically in the Voicemail or Conversation History folder. To automatically delete voicemail messages after a specific time period, such as 180 days, you must use Microsoft 365 retention policies that specifically target Exchange content.
With an Exchange-focused retention policy, you can configure rules that identify voicemail items and apply a delete action after a defined retention period. This ensures old voicemail messages are automatically removed without requiring manual user action, supporting compliance, storage management, and consistent data lifecycle practices.
Option B, voicemail retention settings, is incorrect because Teams Phone System no longer uses legacy Unified Messaging (UM) voicemail settings, and these settings cannot enforce automated deletion based on message age.
Option C, an Exchange Online mailbox policy, does not provide item-level lifecycle management for voicemail and cannot automatically delete voicemail messages after a specific number of days.
Option D, Unified Messaging (UM) policy, is outdated because modern Microsoft 365 voicemail is handled through Cloud Voicemail, not legacy Unified Messaging. UM policies do not apply to current Teams/Exchange voicemail storage.
Question 135:
You need to ensure that all Microsoft Whiteboard content is retained for 7 years for compliance purposes. What should you configure?
A) Retention policy for Whiteboard content
B) SharePoint retention settings
C) Microsoft 365 group retention policy
D) Azure storage retention configuration
Answer: A
Explanation:
Retention policies for Whiteboard content provide the mechanism to preserve digital whiteboard content created in Microsoft Whiteboard for specified compliance retention periods. Microsoft Whiteboard stores content in Azure-based storage associated with user accounts and shared whiteboards. When you create retention policies in Microsoft Purview that target Whiteboard locations, you can configure seven-year retention ensuring whiteboard content is preserved even if users delete whiteboards or modify content.
The retention policy applies to all whiteboards created by users in the organization including personal whiteboards and those shared with other users or groups. When the policy is active, deleted whiteboards remain preserved in hidden storage locations accessible through eDiscovery and content search tools for the duration of the retention period. This ensures compliance with regulatory requirements mandating retention of collaborative work products and meeting artifacts.
Whiteboard retention policies work similarly to retention policies for other Microsoft 365 workloads by preserving content snapshots at the time of policy application and tracking subsequent changes. The policy captures whiteboard content including text, drawings, images, and other elements added during collaboration sessions. Organizations subject to compliance requirements for retaining meeting records and collaborative work products benefit from automated whiteboard retention.
Configuration involves creating a retention policy in the Microsoft Purview compliance portal and selecting Whiteboard as one of the target locations. You specify the seven-year retention period and configure whether content should be deleted automatically after retention expires or retained indefinitely. The policy applies organization-wide or can be scoped to specific users based on compliance requirements.
Option B is incorrect because SharePoint retention settings do not govern Microsoft Whiteboard content which is stored separately from SharePoint sites. Option C is incorrect because Microsoft 365 group retention policies target group-connected content like emails and files rather than Whiteboard content. Option D is incorrect because Azure storage retention configuration is infrastructure-level rather than the compliance-focused retention policies needed for Whiteboard content preservation.
Question 136:
Your organization needs to prevent guest users from seeing other members in Microsoft Teams. What should you configure?
A) Teams guest access settings with member visibility restrictions
B) Azure AD external collaboration settings
C) Information barriers
D) Teams privacy settings
Answer: A
Explanation:
Teams guest access settings with member visibility restrictions provide controls over what guest users can see when accessing Teams including the ability to view team membership and roster information. In the Teams admin center, you configure guest access policies that determine whether guests can see organizational charts, directory information, and team member lists. By restricting these visibility settings, you prevent guest users from discovering and viewing other team members beyond their immediate collaboration needs.
When you configure guest access settings to restrict member visibility, guests accessing Teams can participate in channel conversations and meetings but cannot browse full team rosters or search the organizational directory for other users. This prevents guests from mapping organizational structures or identifying personnel beyond their authorized collaboration scope. The restriction helps protect privacy and security by limiting what external participants learn about the internal organization.
Guest access settings apply uniformly to all guests in the organization providing consistent restrictions across all Teams where guests participate. Organizations can balance collaboration effectiveness with information security by allowing guests necessary access to channels and files while preventing broader organizational visibility. The settings complement other guest restrictions like preventing guests from creating channels or accessing certain team features.
Implementation requires careful consideration of legitimate collaboration scenarios where guests might need to identify appropriate team members for specific discussions or questions. Some organizations implement guest access restrictions strictly for sensitive teams while allowing normal visibility in teams focused on external collaboration. Regular review of guest access patterns helps optimize restriction settings for security and productivity.
Option B is incorrect because Azure AD external collaboration settings control guest invitation and broad directory visibility but Teams-specific member visibility is configured through Teams guest access settings. Option C is incorrect because information barriers segment communications between internal user groups rather than controlling what guest users can see. Option D is incorrect because Teams privacy settings control team and channel visibility for organizational users rather than guest-specific visibility restrictions.
Question 137:
You need to delegate the ability to manage Microsoft 365 subscriptions and licenses without granting other administrative permissions. Which role should you assign?
A) License Administrator
B) Billing Administrator
C) User Administrator
D) Global Administrator
Answer: B
Explanation:
Billing Administrator role provides comprehensive permissions to manage Microsoft 365 subscriptions, purchases, invoices, and license assignments without granting broader administrative capabilities across user management or service configuration. Users assigned this role can view and manage all aspects of billing including purchasing additional licenses, managing existing subscriptions, viewing invoices, updating payment methods, and handling support tickets related to billing issues.
The Billing Administrator can assign licenses to users from available subscription pools, remove licenses when users no longer need them, and modify license assignments to enable or disable specific service plans within subscriptions. They have visibility into subscription usage and can generate reports showing license allocation across the organization. This role is essential for finance personnel or procurement teams managing Microsoft 365 costs without requiring access to technical configurations or user data.
Billing Administrators access subscription management through the Microsoft 365 admin center billing section where they can view all active subscriptions, upcoming renewals, purchase history, and cost analytics. They can add payment methods, update billing information, and download invoices for accounting purposes. The role provides financial management capabilities while maintaining separation from IT operations and security functions.
Organizations benefit from delegating billing administration to finance departments ensuring appropriate oversight of Microsoft 365 expenditures while preventing financial personnel from accessing user accounts or service configurations. The role separation supports compliance with financial controls and audit requirements by limiting billing system access to authorized finance staff.
Option A is incorrect because License Administrator can assign and remove licenses but does not have permissions to manage subscriptions, make purchases, or access billing information and invoices. Option C is incorrect because User Administrator manages user accounts and properties but does not have comprehensive subscription and billing management capabilities. Option D is incorrect because Global Administrator has unlimited permissions, which far exceed the requirement for billing and subscription management and violate the principle of least privilege.
Question 138:
Your company wants to ensure that all Power BI reports containing financial data are automatically classified with retention labels. What should you configure?
A) Auto-apply retention label policy with trainable classifier for financial data
B) Power BI sensitivity labels
C) SharePoint retention policy
D) Data Loss Prevention policy for Power BI
Answer: A
Explanation:
Auto-apply retention label policies with trainable classifiers for financial data provide automated classification of Power BI reports based on content analysis using machine learning. While Power BI itself stores reports in Power BI service infrastructure, you can implement classification by configuring auto-apply policies that detect financial content patterns in connected data sources or report metadata. Trainable classifiers recognize financial data characteristics like balance sheets, revenue reports, and financial calculations automatically applying appropriate retention labels.
The implementation involves creating custom trainable classifiers or using pre-built financial document classifiers that analyze content accessible to Microsoft 365 compliance tools. When Power BI reports are exported to SharePoint or OneDrive as files, the auto-apply policies can detect financial data patterns and apply retention labels ensuring proper lifecycle management. The labels enforce retention periods required for financial records compliance.
Organizations can also implement label application at the Power BI workspace level by configuring sensitivity labels that Power BI supports. These labels can be manually applied or automated through Power BI governance processes. The labels then integrate with Microsoft Purview compliance tools to enforce retention and protection requirements for financial reports.
Effective financial data classification in Power BI requires combining multiple approaches including Power BI workspace labeling, sensitivity labels for reports and datasets, and retention policies for exported files. This multi-layered approach ensures financial reports receive appropriate retention treatment regardless of how users access or distribute them.
Option B is incorrect because Power BI sensitivity labels provide classification but are primarily designed for access control and encryption rather than automated retention policy application based on content analysis. Option C is incorrect because SharePoint retention policies apply to SharePoint content but do not automatically detect and classify Power BI reports based on financial content. Option D is incorrect because Data Loss Prevention policies detect and prevent data loss but do not apply retention labels for lifecycle management.
Question 139:
You need to prevent users from forwarding emails containing customer personal information outside the organization. What should you configure?
A) Data Loss Prevention policy with forwarding restriction for sensitive information types
B) Mail flow rule blocking external forwarding
C) Sensitivity label with forwarding protection
D) Exchange Online Protection policy
Answer: A
Explanation:
Data Loss Prevention policies with forwarding restrictions for sensitive information types provide comprehensive protection that detects customer personal information in emails and prevents forwarding to external recipients. DLP policies include pre-built sensitive information types for personal data like social security numbers, passport numbers, driver license numbers, and financial account information. When you create a DLP policy for Exchange Online, you configure rules that detect these information types and block forwarding when recipients are outside the organization.
The policy scans all email content including message bodies, attachments, and headers as messages flow through Exchange Online. When customer personal information is detected and the email is addressed to or forwarded to external recipients, the policy can block the message, quarantine it for review, or redirect it to compliance officers. Policy tips can warn users before they send messages explaining that the content violates data protection policies.
DLP policies provide detailed incident reports showing who attempted to forward sensitive information, what data types were detected, recipient information, and actions taken by the policy. These reports support compliance investigations and help organizations identify users who may need additional training on data protection requirements. The policies enforce regulatory compliance requirements like GDPR that restrict personal information transfers outside the organization.
Configuration includes specifying sensitivity thresholds that determine how many instances of personal information trigger policy actions. High confidence detections might block messages immediately while lower confidence detections generate warnings allowing users to confirm legitimacy. The policy can include exceptions for approved external partners or encrypted communication channels.
Option B is incorrect because mail flow rules blocking external forwarding apply broadly without content analysis and would block all external forwarding rather than specifically preventing forwarding of customer personal information. Option C is incorrect because sensitivity labels require either manual application or auto-labeling which may not catch all instances of personal information being forwarded in real-time. Option D is incorrect because Exchange Online Protection focuses on anti-spam and anti-malware rather than content-based data loss prevention.
Question 140:
Your organization needs to ensure that all SharePoint communication sites follow a specific branding and layout template. What should you configure?
A) Site design with communication site template
B) Hub site association
C) SharePoint theme customization
D) Master page deployment
Answer: A
Explanation:
Site designs with communication site templates provide automated provisioning of standardized branding, layout configurations, and structural elements when new communication sites are created. Site designs use JSON-based site scripts that define actions executed during site creation including applying themes, creating pages with specific layouts, adding web parts, configuring navigation, and setting site properties. When users create communication sites, they can select from available site designs ensuring consistent branding across the organization.
Communication site templates within site designs can specify homepage layouts, header configurations, footer content, color schemes, fonts, and logo placement. The design can create pre-configured pages like news pages, event pages, or departmental pages that follow organizational standards. This automation eliminates manual configuration after site creation ensuring immediate brand compliance.
Site designs can be published organization-wide or restricted to specific user groups. Organizations might create multiple communication site designs for different purposes like corporate announcements, departmental news, or project showcase sites. Each design implements appropriate branding and layout standards for its intended use case. Site administrators can update published designs to evolve templates as branding requirements change.
The site design approach provides governance over communication site appearance while maintaining flexibility for content authors. Users receive sites pre-configured with approved branding and layouts but can still customize content and add pages within the design framework. This balances standardization needs with content creator autonomy.
Option B is incorrect because hub site association connects sites for shared navigation and branding but does not automatically provision specific layouts and structural elements during communication site creation. Option C is incorrect because SharePoint theme customization applies colors and fonts but does not provide comprehensive layout templates and structural provisioning. Option D is incorrect because master pages are legacy SharePoint customization mechanisms not used in modern SharePoint communication sites, which use a different rendering architecture.