Prepare Better for the MS-102 Exam with Our Free and Reliable MS-102 Exam Questions, Updated for 2025.
At Cert Empire, we are committed to offering the most accurate and up-to-date exam questions for students preparing for the Microsoft MS-102 Exam. To support effective preparation, we've made parts of our MS-102 exam resources free for everyone. You can practice as much as you want with Free MS-102 Practice Test.
Question 1
DRAG DROP You have a Microsoft 365 subscription that contains the devices shown in the following table. 
DEVICE1: APP PROTECTION POLICY
DEVICE2: CONDITIONAL ACCESS POLICY
DEVICE3: APP PROTECTION POLICY
Here is the reasoning for each policy assignment:
- Device1 (Windows 11): The requirement is to encrypt Word files. An App protection policy for Windows devices includes data protection settings, such as encrypting corporate data, which protects data at the application level.
- Device2 (iOS): The goal is to block native/third-party mail clients and force the use of an approved app (like Microsoft Outlook) to access Microsoft 365. A Conditional Access policy is used to enforce this by setting the "Grant" control to "Require approved client app." This blocks all non-approved applications from accessing the specified cloud resources (like Exchange Online).
- Device3 (Android): The requirement is to block access from Word if the device is jailbroken. Critically, this device is not enrolled in Intune. An App protection policy can be applied to unenrolled devices (MAM-WE) and uses "Conditional launch" settings. These settings can check for device conditions, such as being "Jailbroken/rooted," and then block access to corporate data within the app.
Microsoft Intune Documentation (App protection policy for Device3):
Source: Microsoft Learn, "App protection policy settings for Android"
Reference: In the "Conditional launch" section, "Device conditions" includes the setting Jailbroken/rooted devices. The available actions for this setting are Block access, Wipe data, or Warn. This directly maps to the requirement for Device3.
Microsoft Entra Documentation (Conditional Access for Device2):
Source: Microsoft Learn, "Conditional Access: Grant controls"
Reference: The "Require approved client app" grant control is used to force specific applications to be used for accessing cloud apps. The documentation states, "This control requires that a client app from an approved list is used to access the selected cloud apps... Examples of approved client apps include... Microsoft Outlook." This control effectively blocks native mail clients.
Microsoft Intune Documentation (App protection policy for Device1):
Source: Microsoft Learn, "App protection policy settings for Windows"
Reference: The "Data protection" section for Windows APP settings lists a setting to Encrypt corporate data. This setting, when configured, ensures that corporate data within policy-managed apps (like Word) is encrypted on the device.
Question 2
A. From the SharePoint Online site, create an alert.
SharePoint alerts notify users of changes to content (add, modify, delete) but do not have a specific, reliable trigger for sharing events. They are not designed for policy-based monitoring.
B. From the SharePoint Online admin center, modify the sharing settings.
These settings control if and how users can share content (e.g., disabling anonymous links). They do not provide a mechanism to send notifications when a sharing event occurs.
C. From the Microsoft 365 Defender portal, create an alert policy.
While alert policies can be triggered by audit log events, including sharing, DLP is the more specific and purpose-built service for monitoring and controlling data sharing based on content and context.
1. Microsoft Learn. "Learn about data loss prevention." Microsoft Purview Documentation. This document outlines the capabilities of DLP, stating, "A DLP policy allows you to... Show a policy tip to users who are about to share sensitive information... Send an email notification to your compliance officer when a user shares sensitive information." This confirms that sending notifications based on sharing is a core DLP function.
2. Microsoft Learn. "Create and Deploy data loss prevention policies." Microsoft Purview Documentation. Under the "Policy settings" section, it details how to configure rules. For the "Actions" configuration, it lists "Send alerts to admins" and allows customization of who receives the alert and the email content, directly supporting the solution.
3. Microsoft Learn. "Create an alert to get notified when a file or folder changes in SharePoint." Microsoft Support Documentation. This article shows that the available triggers for SharePoint alerts are for when items are changed, added, or deleted, with no specific option for "when an item is shared."
Question 3
HOTSPOT You have a Microsoft 365 E5 subscription. You need to identify whenever a sensitivity label is applied, changed, or removed within the subscription. Which feature should you use, and how many days will the data be retained? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
FEATURE: ACTIVITY EXPLORER
NUMBER OF DAYS THE DATA WILL BE RETAINED: 30
Activity explorer is the correct feature because its specific function is to provide a visual interface for monitoring activities related to information protection, including sensitivity labels. It aggregates data from the unified audit log to show when a label was "applied, changed, or removed" and by whom.
- Compliance Manager is incorrect as it tracks an organization's overall compliance posture against regulations and standards, not specific file-level user activities.
- Content explorer is incorrect as it is used to view the contents of files that have been classified, not the activity logs of when the classifications occurred.
According to official Microsoft documentation, the Activity explorer interface surfaces data from the last 30 days. While the underlying Microsoft 365 E5 audit log retains this data for one year, the Activity explorer tool itself is limited to a 30-day visualization window.
Microsoft. (2024, September 27). Get started with activity explorer. Microsoft Learn. Retrieved October 20, 2025.
Reference: This document states, "Activity explorer provides a historical view... of activities related to... sensitivity labels..." and "Activity explorer... activities are available in Activity explorer for 30 days."
Microsoft. (2024, September 27). Learn about content explorer. Microsoft Learn. Retrieved October 20, 2025.
Reference: This document confirms that Content explorer's function is to "view the items that were summarized in... data classification" to "review the content in its native format."
Microsoft. (2024, June 21). Learn about auditing solutions in Microsoft Purview. Microsoft Learn. Retrieved October 20, 2025.
Reference: This document clarifies that while Microsoft 365 E5 licenses include a "default retention of one year" for audit logs (the data source), this is distinct from the 30-day visualization window of the Activity explorer tool itself.
Question 4
HOTSPOT You have a Microsoft 365 E5 subscription that contains 200 Android devices enrolled in Microsoft Intune. You create an Android app protection policy named Policy1 that is targeted to all Microsoft apps and assigned to all users. Policy1 has the Data protection settings shown in the following exhibit.
STATEMENT 1: MICROSOFT SHAREPOINT ONLINE
STATEMENT 2: ANY APP
Save Copies: The policy setting "Save copies of org data" is set to "Block". This prevents users from saving organizational data to arbitrary locations, such as unmanaged local storage. However, the exception setting "Allow user to save copies to selected services" is explicitly configured to permit saving to "SharePoint". Therefore, SharePoint Online is the only configured allowable location.
Copy/Paste: The policy setting "Receive data from other apps" is set to "All Apps". Furthermore, the setting "Restrict cut, copy, and paste between other apps" is set to "Policy managed apps with paste in". This specific value explicitly allows users to paste data from any app (managed or unmanaged) into policy-managed apps (like the Word document on OneDrive).
Microsoft Learn. (n.d.). Android app protection policy settings in Microsoft Intune. Retrieved October 20, 2025.
Reference for Statement 1: In the "Data protection" section, under "Data Transfer," the documentation for the "Allow user to save copies to selected services" setting states: "When Save copies of org data is set to Block, you can allow end users to save copies of org data to a selected service, such as SharePoint."
Reference for Statement 2: In the same "Data Transfer" section, the documentation for "Restrict cut, copy, and paste between other apps" explains the value "Policy managed apps with paste in": "Allow cut or copy from any app and paste into policy-managed apps." The "Receive data from other apps" setting further confirms this, as "All apps" allows "data transfer from any app" into the managed app.
Question 5
HOTSPOT You have a Microsoft 365 E5 subscription that contains the users shown in the following table. 
USERS THAT CAN ENABLE RBAC: ADMIN1 AND ADMIN2 ONLY
USERS THAT WILL NO LONGER HAVE ACCESS TO THE MICROSOFT 365 DEFENDER PORTAL: ADMIN3 AND ADMIN4 ONLY
Users that can enable RBAC: To enable role-based access control (RBAC) within the Microsoft Defender for Endpoint settings, a user must hold either the Global Administrator (Admin1) or Security Administrator (Admin2) role in Azure Active Directory (Azure AD).
Users that will no longer have access: Before MDE RBAC is enabled, access to the portal is governed by Azure AD roles, including Global Administrator, Security Administrator, Security Operator, and Security Reader. When MDE RBAC is turned on, users who only have Security Operator (Admin3) or Security Reader (Admin4) roles immediately lose their access. Global and Security Administrators (Admin1, Admin2) retain their access. The Application Administrator (Admin5) role does not grant access to the Defender portal, so Admin5 never had access to lose.
Microsoft Learn. (2025, October 15). Manage portal access using role-based access control. "To turn on role-based access control (RBAC)... You need to have a Global Administrator or Security Administrator role in Azure AD." (Retrieved from the "Turn on role-based access control" section).
Microsoft Learn. (2025, October 15). Manage portal access using role-based access control. "When you turn on role-based access control, users with only Global Administrator or Security Administrator roles in Azure AD retain access to the portal with full permissions... Other roles in Azure AD (such as Security Operator or Security Reader) lose access to the portal..." (Retrieved from the "Turn on role-based access control" section).
Microsoft Learn. (2025, October 11). Permissions in the Microsoft 365 Defender portal. This document details the permissions granted by Azure AD built-in roles, confirming that Application Administrator is not a role that provides default access to Microsoft Defender for Endpoint data. (Retrieved from the "Azure AD built-in roles" section).
Question 6
A. a session policy: Session policies are used for real-time monitoring and control of user sessions (e.g., blocking downloads from unmanaged devices), not for generating alerts based on the rate of activity.
B. a file policy: File policies are designed to scan and apply controls to files at rest within connected cloud applications (e.g., finding publicly shared sensitive files), not to monitor real-time user activities.
D. an anomaly detection policy: Anomaly detection policies alert on deviations from a learned behavioral baseline. While there is a "Mass download" policy, it triggers when a user's activity is unusual compared to their baseline, not based on a fixed, predefined threshold like "50 files in 60 seconds".
1. Microsoft Learn. (2024). Activity policies in Microsoft Defender for Cloud Apps. This document explicitly states that activity policies can be used to "Trigger an alert when a user performs the same activity a defined number of times in a defined timeframe." This directly maps to the question's requirement. (Section: "Create an activity policy").
2. Microsoft Learn. (2024). Anomaly detection policies in Microsoft Defender for Cloud Apps. This source describes the "Mass download by a single user" policy, clarifying that it "identifies a user that downloads an unusually high number of files compared to the learned baseline." This confirms it is for behavioral anomalies, not fixed thresholds. (Section: "Mass download by a single user").
3. Microsoft Learn. (2024). Session policies. This document details how session policies provide "granular visibility into cloud apps and the ability to control different actions within a session in real time," which is distinct from rate-based alerting. (Section: "What are session policies?").
4. Microsoft Learn. (2024). File policies. This source explains that file policies are used to "scan for specific files that may put you at risk," focusing on files at rest rather than user actions. (Section: "What are file policies?").
Question 7
HOTSPOT You have an Azure AD tenant that contains the users shown in the following table. 
NO
NO
NO
This scenario depends on two factors: Role Permissions (what a user can do) and Device Group Access (what devices a user can act on). A user must have both the correct permission and access to the device group.
- User1 can run an antivirus scan on Device2. (No)
  - Permission: User1 is in Group1, which has Role1. Role1 grants "View data" and "Alerts investigation." Running an antivirus scan is an "Active remediation action," which Role1 does not have.
  - Access: Device2 is in the "Ungrouped devices" group, which is scoped for access by Group2. User1 is in Group1.
  - Conclusion: User1 fails on both permission and access.
- User2 can collect an investigation package from Device2. (No)
  - Access: User2 is in Group2, and Device2's group is scoped to Group2. User2 does have access to the device.
  - Permission: User2 is in Group2, which has Role2. Role2 only grants "View data." Collecting an investigation package requires "Alerts investigation" or "Active remediation actions" permission.
  - Conclusion: User2 has access but lacks the necessary permission.
- User3 can isolate Device1. (No)
  - Permission: User3 is in Group3, which has the "Microsoft Defender for Endpoint administrator" role. This role does include "Active remediation actions," which is required to isolate a device.
  - Access: Device1 is in the "ATP1" device group, which is scoped for access by Group1. User3 is in Group3.
  - Conclusion: User3 has the permission but lacks access to the device group containing Device1.
Microsoft Defender for Endpoint Documentation (learn.microsoft.com). Create and manage roles for role-based access control.
Relevance: This document details the built-in roles and their specific permissions. It confirms that actions like running an AV scan or isolating a device fall under "Active remediation actions." It also confirms that collecting an investigation package is part of "Alerts investigation" or "Active remediation actions," both of which are beyond "View data."
Microsoft Defender for Endpoint Documentation (learn.microsoft.com). Create and manage device groups in Microsoft Defender for Endpoint.
Relevance: This document explains that to perform actions on devices, a user must be part of a user group (like Group1, Group2, or Group3) that is explicitly granted "User access" to the corresponding device group (like ATP1 or Ungrouped devices). This confirms the access scoping logic used in the explanation.
Question 8
A. Yes: This is incorrect because the proposed steps will not make the Windows 10 WUfB settings available in the GPMC, as the templates are copied to the wrong location.
1. Microsoft Learn. (2023, October 12). Create and manage the Central Store for Group Policy Administrative Templates in Windows. "To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder on a Windows domain controller... The Group Policy tools use only the .admx files that are in the Central Store. The tools ignore any .admx files that are stored in the local PolicyDefinitions folder... The path is \\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions."
2. Microsoft Learn. (2023, September 21). Active Directory Domain Services Functional Levels in Windows Server. This document details the features enabled by different functional levels. None of these features are related to the management of Group Policy settings from specific Administrative Templates. This confirms that raising the functional level is an unnecessary step for the stated goal.
Question 9
A. Active users in the Microsoft 365 admin center
This view can show if a user has a license, but it does not provide an efficient way to filter or report on all users based on the group assignment method.
B. Reports in Microsoft Purview compliance portal
The Microsoft Purview compliance portal is used for data governance, risk management, and compliance, not for license management or reporting on license assignments.
D. Reports in the Microsoft 365 admin center
The reports in this section focus on service usage, user activity, and adoption metrics, not on the administrative details of how licenses were assigned (e.g., direct vs. group-based).
1. Microsoft Entra ID Documentation, "Assign licenses to users by group membership in Microsoft Entra ID." Microsoft Learn. This document outlines the procedure for group-based licensing. It specifies the navigation path: "Sign in to the Microsoft Entra admin center... Browse to Identity > Billing > Licenses." It then details how to select a product and view the groups to which it is assigned.
2. Microsoft Entra ID Documentation, "What is group-based licensing in Microsoft Entra ID?" Microsoft Learn. This foundational document explains that group-based licensing is managed within Microsoft Entra ID, establishing the Entra admin center as the correct location for this task.
3. Microsoft 365 Documentation, "Microsoft 365 Reports in the admin center." Microsoft Learn. This source details the available reports in the Microsoft 365 admin center. A review of the reports, such as "Active users" or product usage reports, confirms they show license status and usage but do not detail the assignment source (direct vs. group).
Question 10
HOTSPOT You have a Microsoft 365 subscription that contains the users shown in the following table. 
BOX 1: (user.userType -eq "Guest") and (user.department
BOX 2: ) and (user.department -contains "Support")
To configure the dynamic membership rule, two conditions must be met, joined by the -and operator.
- Guest User Selection: The first part of the rule must identify users who are guests. The user.userType attribute holds this information. The -eq (equals) operator provides a precise match for the string value "Guest".
- Department Selection: The second part must find users whose department attribute contains the word "Support". The -contains operator is used for partial string matches, which will correctly find "Support" within values like "IT support" and "SupportCore".
The operator -in is incorrect as it is used to check if a property matches any value in a collection (e.g., user.department -in ["Sales", "Finance"]), not for partial string matching.
Microsoft Entra ID Documentation (Official Vendor). "Dynamic membership rules for groups in Microsoft Entra ID." Microsoft Learn.
Reference (Box 1): In the section "Rule for guests," Microsoft provides the exact syntax for finding guest users: (user.userType -eq "Guest"). This confirms -eq is the correct operator for matching the "Guest" user type.
Reference (Box 2): In the section "Supported expression rule operators," the -contains operator is defined as "String contains. Performs partial string matches." This is the correct operator for finding "Support" as a substring within the user.department attribute.
Reference (Incorrect Options): The same document clarifies that the -in operator is used to "Match against a collection of constants" (e.g., an array of strings), which is not the requirement for either condition.
Question 11
HOTSPOT Your company uses a legacy on-premises LDAP directory that contains 100 users. The company purchases a Microsoft 365 subscription. You need to import the 100 users into Microsoft 365 by using the Microsoft 365 admin center. Which type of file should you use and which properties are required? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
FILE TYPE TO USE: CSV
REQUIRED PROPERTIES FOR EACH USER: USER NAME AND DISPLAY NAME
The Microsoft 365 admin center's "Add multiple users" wizard is designed to import users in bulk using a Comma Separated Values (CSV) file.
According to the official Microsoft 365 documentation for this procedure, the CSV file template has several available columns, but only two are mandatory for the import to function:
- User Name: This field is used for the User Principal Name (UPN), which is the user's sign-in ID (e.g., [email protected]).
- Display Name: This is the friendly name that appears for the user in the address book and other Microsoft 365 services.
All other properties, such as First Name, Last Name, and Department, are optional.
Microsoft Learn. (2024, September 27). Add several users at the same time to Microsoft 365 - Microsoft 365 admin.
Page/Section: In the "Import multiple users" panel description and the "Fill out the CSV file" section.
Quote/Paraphrase: The documentation states, "On the Import multiple users panel, you can optionally download a sample CSV file... The required column headers are User Name and Display Name."
Microsoft Learn. (2024, June 12). Bulk create users in the Microsoft Entra admin center. (Microsoft Entra ID is the underlying identity service for Microsoft 365).
Page/Section: "Understand the CSV template" section.
Quote/Paraphrase: The documentation for the corresponding bulk-create template in Microsoft Entra (Azure AD) confirms this requirement. The template properties list "User principal name [userPrincipalName] Required." and "Name [displayName] Required." "User principal name" corresponds to "User Name," and "Name" corresponds to "Display Name."
Question 12
You need to configure group-based licensing to meet the following requirements:
To all users, deploy an Office 365 E3 license without the Power Automate license option.
To all users, deploy an Enterprise Mobility + Security E5 license.
To the users in the research department only, deploy a Power BI Pro license.
To the users in the marketing department only, deploy a Visio Plan 2 license.
What is the minimum number of deployment groups required?
A. 1: A single group cannot be used, as it's impossible to selectively assign the Power BI Pro and Visio licenses to only specific members within that one group.
B. 2: Using only two groups (e.g., one for Research and one for Marketing) would require assigning the common licenses (O365 E3 and EMS E5) to both groups, creating redundant management.
D. 4: Four groups are unnecessary. The two licenses required by all users (Office 365 E3 and EMS E5) can be efficiently assigned to a single "all users" group.
E. 5: Five groups are excessive. There are only three distinct licensing policies required for the specified user populations (All Users, Research, and Marketing).
1. Microsoft Entra documentation, "What is group-based licensing in Microsoft Entra ID?": This document outlines the core principles. It states, "You can assign one or more license products to a group." This supports assigning both Office 365 E3 and EMS E5 to a single "All Users" group. It also explains that a user who is a member of multiple groups inherits the union of all assigned licenses, which is the principle that makes the three-group solution work. (See the section "How does group-based licensing work?").
2. Microsoft Entra documentation, "Assign licenses to users by group membership in Microsoft Entra ID": This guide provides scenarios for license management. The examples illustrate the best practice of using a base group for common licenses and then layering additional licenses for specific user sets via other groups, which directly supports the three-group answer. (See the section "Group-based licensing scenarios").
3. Microsoft Entra documentation, "Group-based licensing additional scenarios": This document details more complex situations, including how the system resolves license conflicts when a user is in multiple groups. The principle of license inheritance (union of services) is foundational to the solution requiring separate groups for separate license assignments. (See the section "Use multiple groups to manage licenses").
Question 13
A. Message Center Reader: While this role can view the Service health dashboard, its primary purpose is to read announcements about planned changes. The Service Support Administrator is a more suitable role for actively investigating service issues.
B. Reports Reader: This role is incorrect. It only grants permissions to view usage reports (e.g., app usage, user activity) and does not provide access to the Service health dashboard.
D. Compliance Administrator: This role is incorrect. It is focused on managing compliance features like eDiscovery and data loss prevention and has no permissions related to viewing service health.
1. Microsoft Learn. (n.d.). About admin roles in the Microsoft 365 admin center.
Section: "Service support admin"
Content: "Can open support requests with Microsoft, and views the service dashboard and message center." This confirms that the role has the necessary viewing permissions for the task.
Section: "Reports reader"
Content: "Can view usage data and the reports dashboard in Microsoft 365 admin center..." This confirms the role lacks permission for service health.
Section: "Message center reader"
Content: "Can read service notifications and health status in the Message center and on the Service health dashboard." This shows the role has technical permission but is less functionally aligned than the Service Support Administrator for an investigative task.
2. Microsoft Learn. (n.d.). How to check Microsoft 365 service health.
Section: "How to check service health"
Content: "To view service health, you must be a global administrator or a service support admin." (Note: The documentation sometimes provides a simplified list; the "About admin roles" page is more comprehensive, but this reference highlights Service Support Admin as a primary role for this function). This directly links the Service Support Administrator role to the action of checking service health.
Question 14
HOTSPOT You have a Microsoft 365 E5 subscription that contains the users shown in the following table. 
YES
NO
YES
Statement 1 (Yes): The User Administrator role, which can reset passwords, is assigned to Group1. Admin1 is a member of Group1. The assignment is Active from March 15, 2023, to August 15, 2023. Since July 15, 2023, falls within this active period, Admin1 has the permissions.
Statement 2 (No): The Exchange Administrator role is assigned to Group2. Admin2 is a member of Group2, and the date June 20, 2023, is within the assignment window. However, the assignment type is Eligible, not Active. This means Admin2 must first go through the Privileged Identity Management (PIM) process to activate the role. Without activation, the user does not have the permissions.
Statement 3 (Yes): The User Administrator role is assigned to Group1. Admin3 is a member of Group1. The assignment is Active from March 15, 2023, to August 15, 2023. Since May 1, 2023, falls within this active period, Admin3 has the permissions.
Microsoft Entra documentation. (n.d.). Assign Microsoft Entra roles in Privileged Identity Management. Microsoft Learn. Retrieved October 20, 2025.
Reference: Section "Assign a role"
Quote: "There are two types of role assignments... Eligible assignments require the user to perform an action to use the role... Active assignments don't require the user to perform any action to use the role. Users assigned as active have the privileges assigned to the role."
Microsoft Entra documentation. (n.d.). Microsoft Entra built-in roles: User Administrator. Microsoft Learn. Retrieved October 20, 2025.
Reference: "User Administrator" role description table.
Quote: "Users with this role can... reset passwords... for all users and some administrators."
Question 15
You configure Tenant properties as shown in the following exhibit.
Which users will be contacted by Microsoft if the tenant experiences a data breach?
A. User1 is not configured as Privacy contact; Microsoft will not notify this user about breaches.
C. User3 is listed as Technical contact only; technical contacts do not receive data-breach notices.
D. User1 lacks any contact role and User2 alone meets the privacy-contact requirement.
E. User3 (technical) is excluded from breach notifications; only User2 qualifies.
1. Microsoft Docs, "Manage your Azure AD organization's privacy and contact info", section "Privacy contact" (para. 2) and "Notifications for personal data breaches" (https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-tenant-properties).
2. Microsoft 365 Compliance Center documentation, "How Microsoft provides data-breach notifications" (GDPR guidance), see "Customer privacy contacts" section (2023-05-18 version).
3. University of Washington, INFOSEC 542 course notes, "GDPR Articles 33-34 and cloud provider obligations", slide 15 (cites reliance on designated privacy contact for breach notice).
Question 16
Your network contains an Active Directory forest named contoso.local. You purchase a Microsoft 365 subscription. You plan to move to Microsoft 365 and to implement a hybrid deployment solution for the next 12 months. You need to prepare for the planned move to Microsoft 365. What is the best action to perform before you implement directory synchronization? More than one answer choice may achieve the goal. Select the BEST answer.
D
The first thing you need to do before you implement directory synchronization is to purchase a custom domain name. This could be the domain name that you use in your on-premises Active Directory if it's a routable domain name, for example, contoso.com. If you use a non-routable domain name in your Active Directory, for example contoso.local, you'll need to add the routable domain name as a UPN suffix in Active Directory.
Incorrect: Not C: There is no need to rename the Active Directory forest. Because contoso.local is a non-routable domain name, we just need to add the routable domain name as a UPN suffix in Active Directory.
Reference: https://docs.microsoft.com/en-us/office365/enterprise/set-up-directory-synchronization
Question 17
A. a Microsoft 365 group that has assigned membership
Microsoft 365 groups are intended for collaboration (Teams, SharePoint, etc.) and cannot be assigned Azure AD administrative roles.
B. a Microsoft 365 group that has dynamic user membership
Similar to assigned Microsoft 365 groups, dynamic ones also cannot be assigned Azure AD administrative roles, making this option unsuitable.
D. a security group that has dynamic user membership
While a dynamic security group can be made role-assignable, this option introduces unnecessary complexity. The scenario does not require rule-based, automated membership.
1. Microsoft Learn. (2023). Use Microsoft Entra groups to manage role assignments. Microsoft Docs. Retrieved from https://learn.microsoft.com/en-us/entra/identity/roles/groups-concept.
Section: "How do role assignments to groups work?" states, "To assign a role to a group, you must create a new security or Microsoft 365 group with the isAssignableToRole property set to true." Note: While the text mentions M365 groups, the linked creation process and prerequisites clarify that only security groups are fully supported for all administrative roles. The core concept is the isAssignableToRole property, which is a feature of security groups.
2. Microsoft Learn. (2023). Compare groups in Microsoft 365. Microsoft Docs. Retrieved from https://learn.microsoft.com/en-us/microsoft-365/admin/create-groups/compare-groups?view=o365-worldwide.
Table: "Comparing groups" clearly distinguishes the primary purpose of Security groups ("For granting access to Microsoft 365 resources...") from Microsoft 365 groups ("For collaboration..."). This supports using a security group for resource access and role assignment.
3. Microsoft Learn. (2023). Create a role-assignable group in Microsoft Entra ID. Microsoft Docs. Retrieved from https://learn.microsoft.com/en-us/entra/identity/roles/groups-create-rule.
Section: "Create a role-assignable group" outlines the steps. It shows that you can select either "Assigned" or "Dynamic User" as the membership type. This confirms both C and D are technically possible, but C represents the simpler, default configuration suitable for the scenario described.
Question 18
Show Answer
B. Enable Microsoft 365 usage analytics: This service provides reports on user adoption and usage of Microsoft 365 services, not security event monitoring for administrative privilege changes.
C. Create an Insider risk management policy: Insider risk management is designed to detect and manage risks like data theft or policy violations, not to trigger alerts for standard administrative privilege escalations.
D. Create a communication compliance policy: This feature monitors user communications (e.g., email, Teams) for policy violations like harassment or inappropriate sharing, which is unrelated to Exchange administrative roles.
1. Microsoft Purview Documentation, "Turn auditing on or off": "Before you can search the audit log, you have to first turn on auditing in the Microsoft Purview compliance portal... After you turn on auditing, user and admin activity from your organization is recorded in the audit log and retained for 90 days... You can use the audit log data for your alert policies". This explicitly states that auditing must be enabled before alert policies can use the data.
Source: Microsoft Learn. Section: Turn auditing on or off.
2. Microsoft Purview Documentation, "Alert policies in Microsoft Purview": "Alert policies allow you to categorize the alerts, and assign policies to different users... The alerts are generated for the activities that are logged in the audit log." This confirms that alert policies are fundamentally dependent on the audit log.
Source: Microsoft Learn. Section: How alert policies work.
3. Microsoft Defender for Cloud Apps Documentation, "Anomaly detection alerts": The "Elevation of Exchange admin privilege" is a built-in anomaly detection policy. These policies work by analyzing user activities. The documentation states, "Microsoft Defender for Cloud Apps integrates directly with Microsoft Purview's Audit Log to pull activity logs from various services." This shows the data source for the specific alert is the audit log.
Source: Microsoft Learn. Section: Anomaly detection policies.
Question 19
Show Answer
A. Delete the workspace.
This is a destructive action that removes the existing environment. While it might be part of a cleanup process, it is not the first step required to begin storing data in a new location.
C. Onboard a new device.
Onboarding a new device without creating a new workspace would send its data to the existing US-based workspace, which contradicts the stated goal.
D. Offboard the test devices.
Offboarding devices is a necessary step in migrating them to the new workspace, but the new workspace must be created first to serve as their destination.
---
1. Microsoft Learn. (2024). Data storage and privacy in Microsoft Defender for Endpoint.
Section: "Data storage location"
Content: "When you turn on the service, you're asked to choose the location where you want your Microsoft Defender for Endpoint-related data to be stored... Once configured, you cannot change the location where your data is stored." This confirms the immutability of the data location and that it's set during initial configuration.
2. Microsoft Learn. (2024). Set up Microsoft Defender for Endpoint deployment.
Section: "Phase 2: Set up" > "Step 1. Set up your Microsoft Defender for Endpoint environment"
Content: The documentation describes the setup wizard, which begins with selecting the data storage location. This establishes that creating the environment (workspace) is the process where the location is defined.
3. Microsoft Learn. (2024). Offboard devices from the Microsoft Defender for Endpoint service.
Section: "Offboard a device using a local script"
Content: This document details the process for removing a device's connection to the service. This is a distinct step performed on a per-device basis and logically follows the creation of a new workspace to which the device will be migrated.
Question 20
Show Answer
A. The Exchange admin center is used for mail flow configuration and recipient management, not for remediating security-blocked entities.
B. The Microsoft Purview compliance portal handles data governance, information protection, and eDiscovery, not real-time threat management or unblocking compromised accounts.
C. The Microsoft 365 admin center is for general administration, such as user management and license assignment, but lacks the specific security tools to manage the Restricted entities list.
E. The Microsoft Entra admin center is for identity and access management. While you might reset a compromised user's password here, you cannot unblock them from the Restricted entities list.
1. Microsoft. (2024). Remove blocked users from the Restricted entities page. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/outbound-spam-protection-unblock-user.
Reference Point: The article explicitly states, "In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & collaboration > Review > Restricted entities." This directly identifies the correct portal.
2. Microsoft. (2024). Outbound spam protection in EOP. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/outbound-spam-protection-about.
Reference Point: In the section "Outbound spam filtering policy," the document notes that when a user exceeds the sending limits, "The user is added to the Restricted entities page in the Microsoft 365 Defender portal."
3. Microsoft. (2024). Alert policies in the Microsoft 365 Defender portal. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/alert-policies-defender-portal.
Reference Point: Under the "Default alert policies" section, for the policy "User restricted from sending email," it specifies that admins can "view the details of the restricted user on the Restricted entities page in the Microsoft 365 Defender portal."
Question 21
Show Answer
A. Create a data loss prevention (DLP) policy that has a Content is shared condition.
Data Loss Prevention (DLP) policies are designed to prevent the exfiltration of sensitive data, not to protect users from inbound threats like malicious links.
B. Modify the safe links policy Global settings.
Modifying global settings would apply the restrictions to all users in the organization, which violates the requirement that users in other departments must not be restricted.
C. Create a data loss prevention (DLP) policy that has a Content contains condition.
This is incorrect for the same reason as option A. DLP policies focus on outbound data protection, not on scanning and blocking inbound malicious URLs.
1. Microsoft Learn. (2024). Set up Safe Links policies in Microsoft Defender for Office 365. Microsoft Docs. Retrieved from https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-policies-configure?view=o365-worldwide.
Section: "Create Safe Links policies". This section explicitly details the process of creating a new policy and applying it to specific users, groups, or domains, which is the required action.
2. Microsoft Learn. (2024). Safe Links in Microsoft Defender for Office 365. Microsoft Docs. Retrieved from https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about?view=o365-worldwide.
Section: "Safe Links policies". This section states, "There is no default Safe Links policy... To get Safe Links scanning of URLs, you need to create one or more Safe Links policies." This confirms that creating a new policy is the standard procedure for implementation.
3. Microsoft Learn. (2024). Learn about data loss prevention. Microsoft Docs. Retrieved from https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp.
Section: "What DLP policies contain". This document clarifies that DLP policies are for identifying and protecting sensitive items, which is a different function than protecting users from malicious URLs. This supports why options A and C are incorrect.
Question 22
Show Answer
A. Microsoft Purview: This is a suite of solutions for unified data governance, risk, and compliance management; it does not analyze or compare specific threat protection policy settings like Safe Links.
B. Azure AD Identity Protection: This tool focuses on detecting and remediating identity-based risks, such as risky sign-ins or leaked credentials, not on the configuration of email security policies.
C. Microsoft Secure Score: While Secure Score provides recommendations to improve security posture, it is a broader measurement tool. The configuration analyzer is the specialized feature for a direct, detailed comparison of specific policy settings against Microsoft's recommended baselines.
1. Microsoft Learn. "Configuration analyzer for security policies in EOP and Microsoft Defender for Office 365." Microsoft Docs, Microsoft, 2023. In the "What is the configuration analyzer?" section, it states, "Configuration analyzer...provides a central location to find and fix security policies where the settings are below the Standard protection and Strict protection profile settings...The analyzer compares the settings in your existing custom policies to the settings from Standard and Strict protection."
2. Microsoft Learn. "Preset security policies in EOP and Microsoft Defender for Office 365." Microsoft Docs, Microsoft, 2023. This document details the Standard and Strict protection profiles that the configuration analyzer uses as a baseline for comparison. The "Policy settings in preset security policies" section lists the specific Safe Links settings that are evaluated.
3. Microsoft Learn. "Microsoft Secure Score." Microsoft Docs, Microsoft, 2023. The overview section explains that Secure Score is a "measurement of an organization's security posture" and provides "improvement actions." This confirms its role as a high-level posture management tool, distinct from the granular policy comparison function of the configuration analyzer.
Question 23
You need to enable user access to the partner company's portal.
Which Microsoft Defender for Endpoint setting should you modify?
Show Answer
A. Alert notifications: This setting only configures who receives email notifications when an alert is generated; it does not influence the enforcement actions that block or allow access.
B. Alert suppression: This is used to hide specific alerts from the dashboard to reduce noise. It does not change the underlying protection policy or stop the blocking action.
C. Custom detections: These are rules created from advanced hunting queries to proactively generate alerts for specific threat activities, not to configure allow/block lists for web access.
D. Advanced hunting: This is a query-based threat hunting tool used for investigating security events. It is not used to configure endpoint protection policies like URL filtering.
1. Microsoft Learn. (2024). Create indicators for IPs and URLs/domains. Microsoft Docs. Retrieved from https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/indicator-ip-domain.
Section: "Create an indicator for IPs, URLs, or domains from the settings page": This document explicitly states, "You can create an indicator for an IP, URL, or domain... The actions available are: Allow, Audit, Warn, Block execution, and Block and remediate." It further clarifies, "The allow action will take precedence over any other block settings." This directly supports using an "Allow" indicator to override a block.
2. Microsoft Learn. (2024). Web protection. Microsoft Docs. Retrieved from https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/web-protection-overview.
Section: "Prerequisites" and "Web threat protection": This document confirms that the block page is part of web protection. It also states, "To allow access to some websites, you can create a custom allow list using custom indicators," directly linking the problem scenario to the "Indicators" feature as the solution.
3. Microsoft Learn. (2024). Custom detection rules. Microsoft Docs. Retrieved from https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/custom-detection-rules.
Section: "Overview": This source explains that custom detections use advanced hunting queries to "proactively monitor for and respond to various events and system states." This confirms its purpose is detection, not policy enforcement for web access.
Question 24
HOTSPOT You have a Microsoft 365 E3 subscription. You plan to launch Attack simulation training for all users. Which social engineering technique and training experience will be available? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Show Answer
SOCIAL ENGINEERING TECHNIQUE: CREDENTIAL HARVEST
TRAINING EXPERIENCE: MASS MARKET PHISHING
Based on official Microsoft documentation, the full version of Attack simulation training requires a Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 license.
However, the Microsoft 365 E3 subscription, as specified in the question, includes a limited "trial" subset of the feature's capabilities. This trial offering is restricted to:
- The Credential harvest social engineering technique.
- The "Mass Market Phishing" and "ISA Phishing" training experiences.
Therefore, of the options provided in the drop-down menus, only Credential harvest and Mass Market Phishing are available for a Microsoft 365 E3 subscription. The other techniques, such as Link to malware and Malware attachment, are part of the full feature set available only in the higher-tier licenses.
Microsoft. (2025, February 4). Get started using Attack simulation training - Microsoft Defender for Office 365. Microsoft Learn.
Reference (Note section): "Attack simulation training offers a subset of capabilities to E3 customers as a trial. The trial offering contains the ability to use a Credential Harvest payload and the ability to select 'ISA Phishing' or 'Mass Market Phishing' training experiences. No other capabilities are part of the E3 trial offering."
URL: https://learn.microsoft.com/en-us/defender-office-365/attack-simulation-training-get-started
Microsoft. (2025, July 25). Microsoft Defender for Office 365 service description. Microsoft Learn.
Reference (Feature availability table): This document's feature matrix confirms that "Attack simulation training" is not included in "Defender for Office 365 Plan 1" (part of E3) but is included in "Defender for Office 365 Plan 2" (part of E5), which substantiates why E3 only has a limited trial.
Microsoft Security Blog. (2020, November 10). Attack simulation training public preview now open to all E3 customers. Microsoft Tech Community.
Reference (Paragraph 5): "After Attack simulation training becomes generally available, all E3 customers will retain access to a trial version of the product which will include a smaller subset of capabilities."
Question 25
Show Answer
A. Create a new Anti-malware policy: Anti-malware policies in Defender for Office 365 primarily scan attachments in email messages, not files at rest within SharePoint, OneDrive, or Teams.
B. Configure the Safe Links global settings: Safe Links protects users by scanning and rewriting URLs (links) in emails and Office documents to block access to malicious websites, not by scanning the files themselves.
C. Create a new Anti-phishing policy: Anti-phishing policies are designed to protect against email-based attacks like user impersonation, domain spoofing, and other phishing attempts, not to scan files for malware.
1. Microsoft Learn. "Safe Attachments for SharePoint, OneDrive, and Microsoft Teams." Microsoft Docs. Accessed May 20, 2024.
Section: "How Safe Attachments for SharePoint, OneDrive, and Microsoft Teams works"
Quote/Content: "When a file in SharePoint, OneDrive, or Microsoft Teams has been identified as malicious, the file is locked using direct integration with the file stores... people can't open, copy, move, or share the file." This confirms the feature's function.
Section: "Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams in the Microsoft Defender portal"
Quote/Content: "In the Microsoft Defender portal... go to Policies & rules > Threat policies > Safe Attachments in the Policies section. On the Safe Attachments page, select Global settings." This confirms it is configured via Global settings.
2. Microsoft Learn. "Set up Safe Attachments policies in Microsoft Defender for Office 365." Microsoft Docs. Accessed May 20, 2024.
Section: "Global settings for Safe Attachments"
Quote/Content: "Global settings for Safe Attachments tune the protection for files in SharePoint, OneDrive, and Microsoft Teams... These settings are not included in Safe Attachments policies." This explicitly distinguishes the global setting from standard policies.
Question 26
HOTSPOT Your company uses Microsoft Defender for Endpoint. Microsoft Defender for Endpoint includes the device groups shown in the following table. You onboard a computer named computer1 to Microsoft Defender for Endpoint as shown in the following exhibit. Use the drop-down menus to select the answer choice that completes each statement. NOTE: Each correct selection is worth one point.
Show Answer
COMPUTER1 WILL BE A MEMBER OF [GROUP3 ONLY].
IF YOU ADD THE TAG DEMO TO COMPUTER1, THE COMPUTER WILL BE A MEMBER OF [GROUP1 ONLY].
In Microsoft Defender for Endpoint, device groups are processed by rank. A device can only belong to one group at a time. When a device matches the rules for multiple groups, it is assigned only to the highest-ranked group that it matches.
- Statement 1: Based on the (implied) rules, Computer1's initial properties match the criteria for Group3. It does not match the rules for the higher-ranked Group1 or Group2. Therefore, it is assigned to Group3 only.
- Statement 2: The "demo" tag is the (implied) criteria for Group1, which holds the highest rank. When this tag is added to Computer1, the device now matches the criteria for both Group1 and Group3. Because Group1 has a higher rank, the device is immediately moved from Group3 and becomes a member of Group1 only.
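The rank rule described above, as an added example (not code from the page or from Microsoft): a small Python model of device-group matching in which a device lands only in the highest-ranked group it satisfies. The groups, their conditions and Computer1's properties are constructed stand-ins for the question's table and exhibit, which are not reproduced on the page.

```python
from dataclasses import dataclass, field

# Constructed model of Microsoft Defender for Endpoint device-group matching.
# Rank 1 is the highest precedence; a device is placed in the first
# (highest-ranked) group whose conditions it satisfies, otherwise in
# "Ungrouped devices".


@dataclass
class Device:
    name: str
    os_platform: str
    tags: set = field(default_factory=set)


@dataclass(frozen=True)
class DeviceGroup:
    name: str
    rank: int
    tag: str = ""           # match when the device carries this tag
    name_prefix: str = ""   # match when the device name starts with this
    os_platform: str = ""   # match when the device OS equals this
    # An empty string means the condition is not used; all used conditions must hold.

    def matches(self, device: Device) -> bool:
        if self.tag and self.tag not in device.tags:
            return False
        if self.name_prefix and not device.name.lower().startswith(self.name_prefix.lower()):
            return False
        if self.os_platform and device.os_platform != self.os_platform:
            return False
        return True


UNGROUPED = "Ungrouped devices"


def matching_groups(device: Device, groups) -> list:
    """Every group the device satisfies, ordered by rank (rank 1 first)."""
    return [g.name for g in sorted(groups, key=lambda g: g.rank) if g.matches(device)]


def assign_group(device: Device, groups) -> str:
    """The single group the device is a member of: the highest-ranked match."""
    matches = matching_groups(device, groups)
    return matches[0] if matches else UNGROUPED


# Constructed groups standing in for the question's table (assumed conditions).
GROUPS = [
    DeviceGroup("Group1", rank=1, tag="demo"),
    DeviceGroup("Group2", rank=2, os_platform="Windows Server 2022"),
    DeviceGroup("Group3", rank=3, name_prefix="computer"),
]


def walk_through():
    """Reproduce the two statements: before and after adding the 'demo' tag."""
    computer1 = Device("computer1", "Windows 11")
    before = assign_group(computer1, GROUPS)     # Group3 only
    computer1.tags.add("demo")
    both = matching_groups(computer1, GROUPS)    # now matches Group1 and Group3 ...
    after = assign_group(computer1, GROUPS)      # ... but is a member of Group1 only
    return before, both, after


if __name__ == "__main__":
    print(walk_through())
```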
Microsoft (2025). Create and manage device groups in Microsoft Defender for Endpoint. Microsoft Learn.
Section: "Create device groups"
Reference: "If a device is matched to more than one group, it's added only to the highest-ranked group. ... When defining a group, you'll also set its rank. The rank determines the order of precedence if a device matches more than one group. The device will be assigned to the highest-ranked group it matches."
Microsoft (2025). Device group-based role-based access control (RBAC). Microsoft Learn.
Section: "Device groups"
Reference: "Devices can only be in one device group at a time. If a device matches more than one device group, it will be added to the device group with the highest rank."
Question 27
Show Answer
A. From a domain controller install an Authentication Agent: The first Authentication Agent is installed as part of the Azure AD Connect setup wizard, not as a separate preliminary step. This is an implementation task, not a preparation task.
B. From the Microsoft Entra admin center, configure an authentication method: The authentication method (Pass-through Authentication) is selected and enabled during the Azure AD Connect installation wizard, not pre-configured directly in the admin center beforehand.
D. Modify the email address attribute for each user account: While the email attribute is important, the primary attribute for Azure AD sign-in is the User Principal Name (UPN). Preparing the UPN is the direct and necessary action.
1. Add a custom domain name (E) and UPN Suffix (C, F): Microsoft 365 Documentation, "Prepare for directory synchronization". Under the section "userPrincipalName attribute," it states, "Before you synchronize your on-premises directory with your Azure AD tenant, it's important to clean up your on-premises directory... It's highly recommended that you change the default .local suffix to a verified domain suffix, such as contoso.com, to match the Azure AD UPN." This confirms the need to add a verified domain (E), add the UPN suffix on-premises (C), and update users' UPNs (F).
Source: Microsoft Learn. (2023). Prepare for directory synchronization to Microsoft 365. Section: "userPrincipalName attribute".
2. Add and Verify a Custom Domain (E): The Azure AD Connect prerequisites explicitly state the need for a verified custom domain. "Before you start, make sure that you have the following prerequisites in place... An Azure AD tenant... Add and verify the domain you plan to use in Azure AD."
Source: Microsoft Learn. (2023). Prerequisites for Azure AD Connect. Section: "Before you begin".
3. Implementation vs. Preparation (A, B): The Pass-through Authentication Quickstart guide shows that enabling the feature and installing the agent are steps performed within the Azure AD Connect wizard. "Step 1: Enable the feature... If you're installing Azure AD Connect for the first time, choose the custom installation path. At the User sign-in page, choose Pass-through authentication as the sign-in method." This confirms that enabling the method (B) and installing the first agent (A) are part of the implementation phase.
Source: Microsoft Learn. (2023). Azure AD Pass-through Authentication: Quickstart. Section: "Step 1: Enable the feature".
Question 28
HOTSPOT You have a new Microsoft 365 E5 tenant. Enable Security defaults is set to Yes. A user signs in to the tenant for the first time. Which multi-factor authentication (MFA) method can the user use, and how many days does the user have to register for MFA? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Show Answer
MFA METHOD: NOTIFICATION TO MICROSOFT AUTHENTICATOR APP
NUMBER OF DAYS: 14
When Security defaults are enabled in a Microsoft Entra ID (part of Microsoft 365) tenant, a specific set of baseline security policies is enforced. This policy mandates that all users must register for multi-factor authentication (MFA).
For the registration method, Security defaults strictly require the Microsoft Authenticator app with notifications. Other methods, such as SMS or voice calls, are not available for registration under this policy.
Furthermore, the policy grants users a 14-day grace period, starting from their first sign-in, to complete this MFA registration. If the user fails to register within this timeframe, their sign-in will be blocked until registration is complete.
Microsoft Learn. (n.d.). Security defaults in Microsoft Entra ID. Microsoft Entra documentation. Retrieved October 20, 2025.
Section: "Requiring users to register for multifactor authentication"
Quote 1: "All users in your tenant must register for multifactor authentication (MFA) in the form of the Microsoft Authenticator app."
Quote 2: "Users have 14 days to register for multifactor authentication by using the Microsoft Authenticator app."
Microsoft Learn. (n.d.). Providing a default level of security in Microsoft Entra ID. Microsoft Entra documentation. Retrieved October 20, 2025.
Section: "Multifactor authentication"
Quote: "This policy requires all users to register for multifactor authentication... Users are required to register for multifactor authentication using the Microsoft Authenticator app with notifications. After 14 days, the user can't sign in until they register for multifactor authentication."
Question 29
You configure Azure AD Connect to sync contoso.com to Azure AD.
Which objects will sync to Azure AD?
Show Answer
A. This option is incorrect because, by default, user objects are also synchronized along with group objects.
B. This option is incorrect because, by default, group objects are also synchronized along with user objects.
C. This option is incorrect because user objects with non-routable UPN suffixes like .local are still synchronized by default.
1. Microsoft Learn. (2023). Azure AD Connect sync: Understanding the default configuration. "The out-of-box rules are designed to be the most common rules for a customer's configuration. For this reason, the default configuration generates a configuration that synchronizes all Users, Groups, and Contacts from all your Active Directory forests."
2. Microsoft Learn. (2023). Prepare a non-routable domain for directory synchronization. "If you synchronized your Active Directory before changing the UPN suffix of a user from a non-routable domain to a routable domain, the UPN of the synchronized user might be using the default onmicrosoft.com domain." This statement confirms that users with non-routable domains are indeed synchronized.
3. Microsoft Learn. (2023). Prerequisites for Azure AD Connect. Under the "Accounts" section, it details the accounts needed to read from Active Directory, implying that objects like Users and Groups are the target of this read operation for synchronization. The document assumes these standard objects are part of the sync.
Question 30
Show Answer
A. 3: Incorrect. The three "Block" policies have fundamentally different scopes (all users by location, R&D users by device, most users by application) and cannot be merged into one.
C. 5: Incorrect. This is inefficient. The requirements to enforce MFA and require a compliant device for external access can be combined into a single policy's grant controls.
D. 6, E. 7, F. 8: Incorrect. These options represent an inefficient configuration that fails to combine compatible requirements, violating the principle of creating the minimum number of policies.
1. Microsoft Learn, Azure Active Directory Documentation. "Conditional Access: Grant". This document explains that multiple grant controls, such as "Require multi-factor authentication" and "Require device to be marked as compliant," can be combined within a single policy by selecting "Require all the selected controls." This supports creating a single policy for the first two requirements.
Source: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant, Section: "Require all the selected controls".
2. Microsoft Learn, Azure Active Directory Documentation. "Conditional Access policy components". This document outlines the structure of a policy, showing that assignments (Users, Cloud apps, Conditions) apply to the entire policy. Since the three "Block" requirements have different user, application, and condition assignments, they must be configured in separate policies.
Source: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policies, Section: "Assignments".
3. Microsoft Learn, Azure Active Directory Documentation. "Conditional Access: Block access". This source clarifies that "Block access" is a distinct control that overrides any "Grant" controls. This justifies separating block policies from grant policies.
4. Microsoft Learn, Azure Active Directory Documentation. "Conditional Access: Conditions". This document details the various conditions that can be used, such as "Device platforms" and "Locations," confirming that these are distinct conditions that would necessitate separate policies when combined with different user or application scopes.
Source: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-conditions, Sections: "Device platforms" and "Locations".
Question 31
HOTSPOT Your network contains an on-premises Active Directory domain. You have a Microsoft 365 E5 subscription. You plan to implement directory synchronization. You need to identify potential synchronization issues for the domain. The solution must use the principle of least privilege. What should you use? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Show Answer
TOOL: IDFIX
REQUIRED GROUP MEMBERSHIP: DOMAIN USERS
Tool: The correct tool is IdFix. The Microsoft 365 IdFix tool is specifically designed to query an on-premises Active Directory environment to identify and report potential object synchronization issues, such as duplicate or malformed proxyAddresses and userPrincipalName attributes, before synchronization with Azure AD is configured.
Required group membership: The solution must adhere to the principle of least privilege. To identify issues, the IdFix tool only requires read access to the Active Directory domain. By default, all members of the Domain Users group (as part of the Authenticated Users principal) have the necessary read permissions to query the directory. The other roles (Domain Admins, Server Operators, Enterprise Admins) all possess excessive privileges not required for this read-only analysis task.
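As an added illustration (not the IdFix tool or its output), a Python check over a constructed, read-only directory export that finds the duplicate and malformed userPrincipalName and proxyAddresses values described above. The verified-domain set, the sample objects and the error labels are this example's own assumptions; the allowed-character set follows Microsoft's directory-synchronization preparation guidance.

```python
import re
from collections import defaultdict

# Characters allowed in the local part of a synchronized UPN per Microsoft's
# preparation guidance (letters, digits and ' . - _ ! # ^ ~); anything else is
# reported as a "character" error.
UPN_LOCAL_PART = re.compile(r"^[A-Za-z0-9'._\-!#^~]+$")

# Constructed: the routable domains verified in the Microsoft 365 tenant.
VERIFIED_DOMAINS = {"contoso.com"}

# Constructed read-only export of a few directory objects (no real tenant data).
DIRECTORY = [
    {"dn": "CN=Alice,OU=Users,DC=contoso,DC=local",
     "userPrincipalName": "alice@contoso.com",
     "proxyAddresses": ["SMTP:alice@contoso.com"]},
    {"dn": "CN=Bob,OU=Users,DC=contoso,DC=local",
     "userPrincipalName": "bob@contoso.local",          # non-routable suffix
     "proxyAddresses": ["SMTP:bob@contoso.com"]},
    {"dn": "CN=Carol,OU=Users,DC=contoso,DC=local",
     "userPrincipalName": "carol smith@contoso.com",    # space is not allowed
     "proxyAddresses": ["SMTP:carol@contoso.com",
                        "smtp:Alice@contoso.com"]},     # alias collides with Alice
    {"dn": "CN=Dave,OU=Users,DC=contoso,DC=local",
     "userPrincipalName": "Alice@contoso.com",          # duplicates Alice's UPN
     "proxyAddresses": []},
]


def check_directory(objects, verified_domains):
    """Return (owner, attribute, error, value) tuples for every issue found.

    Error labels are this example's own: "format", "character",
    "unverified-suffix" and "duplicate". For duplicates, owner lists every
    DN sharing the value, separated by " | ".
    """
    findings = []
    upn_owners = defaultdict(list)
    addr_owners = defaultdict(list)
    verified = {d.lower() for d in verified_domains}

    for obj in objects:
        dn = obj["dn"]
        upn = obj.get("userPrincipalName", "")
        local, at, suffix = upn.rpartition("@")
        if not at or not local or not suffix:
            findings.append((dn, "userPrincipalName", "format", upn))
        else:
            if not UPN_LOCAL_PART.match(local):
                findings.append((dn, "userPrincipalName", "character", upn))
            if suffix.lower() not in verified:
                findings.append((dn, "userPrincipalName", "unverified-suffix", upn))
            upn_owners[upn.lower()].append(dn)
        for addr in obj.get("proxyAddresses", []):
            # Strip the "SMTP:"/"smtp:" type prefix; the address itself must be unique.
            _, _, mail = addr.partition(":")
            addr_owners[mail.lower()].append(dn)

    # Duplicates are detected case-insensitively across all exported objects.
    for attribute, owners_by_value in (("userPrincipalName", upn_owners),
                                       ("proxyAddresses", addr_owners)):
        for value, owners in owners_by_value.items():
            if len(owners) > 1:
                findings.append((" | ".join(owners), attribute, "duplicate", value))
    return findings


if __name__ == "__main__":
    for finding in check_directory(DIRECTORY, VERIFIED_DOMAINS):
        print(finding)
```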
Microsoft Entra Documentation. (2024). Microsoft 365 IdFix tool. Microsoft Learn.
Reference: This document explicitly introduces IdFix as the tool to "identify and remediate a large number of object synchronization errors" in Active Directory before synchronization. It notes the tool queries the on-premises environment to detect problems like duplicates and formatting issues.
Microsoft Entra Documentation. (2024). Prerequisites for Microsoft 365 IdFix. Microsoft Learn.
Reference: Under the "Prerequisites" section, the documentation states: "IdFix must be run by an account that has read access to the on-premises Active Directory domain." This confirms that administrative privileges are not required. The "Domain Users" group provides this level of access, fulfilling the least privilege requirement.
Question 32
HOTSPOT You have an Azure AD tenant named contoso.com that contains the users shown in the following table. 

Show Answer
YES
YES
NO
Statement 1 (Yes): The IP address 131.107.50.10 falls within the Location2 range (131.107.50.0/24), which is a Trusted location. The Conditional Access (CA) policy applies to "All users" (including User1) accessing "App1" from "all trusted locations." Because the connection is from a trusted location, the policy's conditions are met, and the grant control "Require multi-factor authentication" is enforced. The CA policy overrides User1's per-user "Disabled" status.
Statement 2 (Yes): The IP address 131.107.20.15 falls within the Location1 range (131.107.20.0/24), which is also a Trusted location. Just as with Statement 1, the CA policy applies because the user is connecting from a trusted location, and MFA is required.
Statement 3 (No): The IP address 131.107.5.5 is not part of a "Trusted location" (Location1 or Location2). Therefore, the CA policy's condition "Include all trusted locations" is not met. When a CA policy targets a user and app, it supersedes per-user MFA settings. Since the policy's conditions are not met, the "Require MFA" grant control is not applied, and the system does not fall back to the per-user "Enforced" status. MFA is not required.
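A Python model of the three statements, added here and not part of the original explanation: it resolves the source IP against the named locations, applies the Conditional Access policy as described, and uses the precedence rule stated above (a targeting CA policy supersedes per-user MFA). The per-user MFA states and the user names for statements 2 and 3 are assumptions, since the question's table is not reproduced on the page.

```python
import ipaddress

# Named locations as described in the explanation above (both marked trusted).
NAMED_LOCATIONS = {
    "Location1": {"ranges": ["131.107.20.0/24"], "trusted": True},
    "Location2": {"ranges": ["131.107.50.0/24"], "trusted": True},
}

# The CA policy as described: All users, App1, condition "Include all trusted
# locations", grant control "Require multi-factor authentication".
CA_POLICY = {
    "users": "All users",
    "cloud_app": "App1",
    "location_condition": "all_trusted",
    "grant": "require_mfa",
}

# Constructed per-user (legacy) MFA states; the question's table is not on the page.
PER_USER_MFA = {"User1": "Disabled", "User2": "Enforced"}


def location_of(ip: str):
    """Name of the named location containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, loc in NAMED_LOCATIONS.items():
        if any(addr in ipaddress.ip_network(r) for r in loc["ranges"]):
            return name
    return None


def is_trusted(ip: str) -> bool:
    name = location_of(ip)
    return name is not None and NAMED_LOCATIONS[name]["trusted"]


def policy_in_scope(user: str, app: str) -> bool:
    """Does the policy's assignment (users + cloud app) target this sign-in?"""
    users_ok = CA_POLICY["users"] == "All users" or user in CA_POLICY["users"]
    return users_ok and app == CA_POLICY["cloud_app"]


def mfa_required(user: str, app: str, ip: str) -> bool:
    if policy_in_scope(user, app):
        # A CA policy that targets the user and app takes precedence over the
        # per-user setting: MFA is required only when the policy's conditions
        # are met, and there is no fallback to "Enforced" when they are not.
        if CA_POLICY["location_condition"] == "all_trusted" and is_trusted(ip):
            return CA_POLICY["grant"] == "require_mfa"
        return False
    # No CA policy targets this user/app, so the legacy per-user state decides.
    return PER_USER_MFA.get(user, "Disabled") == "Enforced"


def statements():
    """The three statements from the question, evaluated in order."""
    return (
        mfa_required("User1", "App1", "131.107.50.10"),   # Yes: Location2, trusted
        mfa_required("User1", "App1", "131.107.20.15"),   # Yes: Location1, trusted
        mfa_required("User2", "App1", "131.107.5.5"),     # No: not a trusted location
    )


if __name__ == "__main__":
    print(statements())
```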
Microsoft Learn. (n.d.). Location condition in Azure Active Directory Conditional Access. Retrieved October 20, 2025. (See sections on "Named locations" and "Trusted locations," which confirm that CA policies use these definitions for location-based conditions.)
Microsoft Learn. (n.d.). Enable per-user Azure AD Multi-Factor Authentication to secure sign-in events. Retrieved October 20, 2025. (See section "Conditional Access policies," which states, "If a Conditional Access policy is activated... this policy takes precedence over the per-user Azure AD Multi-Factor Authentication setting.")
Microsoft Learn. (n.d.). Configure Azure AD Multi-Factor Authentication settings. Retrieved October 20, 2025. (See section "Trusted IPs," which clarifies that this legacy feature works with per-user MFA but is superseded by Conditional Access named locations.)
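The decision logic behind the three statements, as an added illustration that is not part of the original question set: named locations with their CIDR ranges and "Trusted" flag, a Conditional Access policy scoped to All users and App1 with the "All trusted locations" condition, and the precedence rule that a targeting CA policy supersedes the per-user MFA state. The location table, policy structure and user names are constructed from the explanation above; treating only the per-user "Enforced" state as requiring MFA is a simplification.

```python
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed named locations modelled on the question: both ranges are
# marked as Trusted locations in the tenant (assumption from the explanation).
NAMED_LOCATIONS = {
    "Location1": {"ranges": ["131.107.20.0/24"], "trusted": True},
    "Location2": {"ranges": ["131.107.50.0/24"], "trusted": True},
}

# Constructed CA policy: All users, cloud app App1, condition "Include all
# trusted locations", grant control "Require multi-factor authentication".
CA_POLICY = {
    "users": "All",
    "apps": {"App1"},
    "locations": "AllTrusted",
    "grant": "mfa",
}


def trusted_location(ip: str, locations=NAMED_LOCATIONS) -> Optional[str]:
    """Return the name of the trusted named location containing ip, else None."""
    addr = ip_address(ip)
    for name, loc in locations.items():
        if loc["trusted"] and any(addr in ip_network(r) for r in loc["ranges"]):
            return name
    return None


def mfa_required(user: str, app: str, ip: str, per_user_mfa: str,
                 policy=CA_POLICY) -> bool:
    """Decide whether MFA is required for a sign-in.

    Once a CA policy targets the user and the app, that policy decides the
    outcome; the legacy per-user MFA state is not consulted at all. Only when
    no CA policy is in scope does the per-user setting apply (simplified here
    to: "Enforced" requires MFA, anything else does not).
    """
    in_scope = policy["users"] == "All" and app in policy["apps"]
    if in_scope:
        condition_met = trusted_location(ip) is not None  # "All trusted locations"
        return condition_met and policy["grant"] == "mfa"
    return per_user_mfa == "Enforced"
```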
Question 33
Show Answer
B. Modern authentication is a foundational tenant-wide setting that enables protocols like OAuth 2.0. It does not provide the granular, per-application control needed to enforce MFA on just App1.
C. The "Users and groups" settings on an enterprise application are used to assign access permissions (i.e., who can use the app), not to configure authentication strength requirements like MFA.
D. The legacy Multi-Factor Authentication service settings apply MFA on a per-user basis for all sign-ins. This method lacks the required granularity to target a single, specific application.
1. Microsoft Entra documentation, "What is Conditional Access?": "Conditional Access policies are if-then statements, if a user wants to access a resource, then they must complete an action. ... Common signals that Conditional Access can take into account when making a policy decision include ... Cloud application the user is trying to access."
Source: Microsoft Learn, learn.microsoft.com/en-us/entra/identity/conditional-access/overview, Section: "Common signals".
2. Microsoft Entra documentation, "Conditional Access: Cloud apps or actions": "Cloud apps or actions is a critical piece of a Conditional Access policy. Conditional Access policies allow administrators to assign controls to specific applications or actions. ... Administrators can choose from the list of applications that include built-in Microsoft applications and any Microsoft Entra integrated applications including gallery, non-gallery, and applications published through Application Proxy."
Source: Microsoft Learn, learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps, Section: "Cloud apps".
3. Microsoft Entra documentation, "Tutorial: Secure user sign-in events with Microsoft Entra multifactor authentication": This tutorial explicitly guides users to "Create a Conditional Access policy" and under "Assignments > Cloud apps or actions," select the specific application, and then under "Access controls > Grant," select "Require multifactor authentication."
Source: Microsoft Learn, learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-azure-mfa, Section: "Create a Conditional Access policy".
4. Microsoft Entra documentation, "Enable per-user Microsoft Entra multifactor authentication to secure sign-in events": "We no longer recommend per-user MFA. To provide the best experience for users and administrators, we recommend Conditional Access policies to secure sign-in events." This source clarifies that per-user MFA (Option D) is a legacy approach and Conditional Access is preferred for its flexibility.
Source: Microsoft Learn, learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates, Introduction section.
Question 34
HOTSPOT You have a Microsoft 365 E5 subscription. You need to implement identity protection. The solution must meet the following requirements: Identify when a user's credentials are compromised and shared on the dark web. Provide users that have compromised credentials with the ability to self-remediate. What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Show Answer
TO IDENTIFY WHEN USERS HAVE COMPROMISED CREDENTIALS, CONFIGURE: A USER RISK POLICY
TO ENABLE SELF-REMEDIATION, SELECT: REQUIRE PASSWORD CHANGE
Microsoft Entra Identity Protection (included in M365 E5) categorizes risks into user risk and sign-in risk.
- User Risk Policy: A user risk represents the probability that an identity is compromised, based on detections calculated offline. The "Leaked credentials" detection, which finds user credentials on the dark web, is a user risk. Therefore, a user risk policy is configured to detect and act on this specific threat.
- Require Password Change: When a user risk policy is triggered, it can enforce controls to remediate the risk. The recommended self-remediation control for a high user risk (like leaked credentials) is "Require password change". This forces the user to complete a self-service password reset (SSPR) flow, which also validates their identity (typically with MFA) before allowing them to create a new, secure password.
Microsoft Entra documentation | What are risk detections?
Reference: Under the section "User risk detections," the "Leaked credentials" detection is defined: "This risk detection indicates that the user's valid credentials have been leaked. We find these credentials on the dark web..." This detection is explicitly categorized as contributing to user risk.
Microsoft Entra documentation | Identity Protection policies
Reference: This document details the two main policy types. It states, "The user risk policy detects the probability that a user identity is compromised" and lists "Leaked credentials" as a risk it detects.
Source: https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-policies (See section: "User risk policy")
Microsoft Entra documentation | Remediate risks and unblock users
Reference: Under the "Self-remediation" section, it states: "For user risk, users must perform self-service password reset (SSPR) to remediate their risk. This action requires the user to change their password." This directly links user risk remediation to the "Require password change" control.
Question 35
HOTSPOT Your network contains an on-premises Active Directory domain and a Microsoft 365 subscription. The domain contains the users shown in the following table. 

Show Answer
NO
NO
NO
Azure AD Connect's Organizational Unit (OU) filtering is the primary mechanism for determining which objects are in scope for synchronization. If an OU is deselected, all objects within that OU are filtered out and will not be provisioned in Azure AD.
- User1 syncs to Azure AD: No
User1 is located in the OU1 container. As OU1 is assumed to be deselected, the User1 object is out of scope and is not synchronized.
- User2 syncs to Azure AD: No
User2 is also located in OU1. Like User1, this object is out of scope because its container is not selected for synchronization.
- Group2 syncs to Azure AD: No
Group2 is located in OU1. The filtering applies to all object types, including groups. Since the Group2 object resides in the deselected OU1, it is also filtered out.
Microsoft (2023, August 18). Azure AD Connect sync: Configure filtering. Microsoft Learn.
Section: "Organizational unit–based filtering"
Quote/Paraphrase: This documentation details the OU-based filtering wizard. It states, "By default, all OUs are selected... If you unselect an OU, the objects in this OU aren't synchronized to Azure AD." This directly supports the explanation that deselecting OU1 (where all three objects reside) results in none of them being synchronized.
Microsoft (2023, September 15). Azure AD Connect: Design concepts - Filtering. Microsoft Learn.
Section: "Filtering" and "Scoping"
Quote/Paraphrase: This document confirms that OU-based filtering is a primary "scoping" mechanism. Objects must be within the defined scope to be evaluated by the synchronization rules. If an object is "scoped-out" by deselecting its OU, the sync engine will not process it further.