Microsoft 365July 7, 202611 min read

MS-102 Practice Questions (2026): 10 Free Microsoft 365 Administrator Questions with Answers

Ten exam-style questions across all four MS-102 domains — each with the correct answer and a plain-English explanation on click. Score yourself at the end to see if you are exam-ready.

40–60Questions
120 minDuration
700/1000To pass
4Domains
$165USD fee

The MS-102: Microsoft 365 Administrator exam is the tenant-wide gate for the Microsoft 365 Certified: Administrator Expert badge. It rewards administrators who have actually run a Microsoft 365 tenant — domains and DNS, Microsoft Entra users, groups and roles, Conditional Access, Microsoft Defender XDR, and Microsoft Purview — not people who only memorised feature names.

Below are 10 free MS-102 practice questions written in the same style as the real exam, spread across all four domains of the 2026 blueprint and weighted toward the heaviest ones. Read each one, pick your answer, then hit Show answer & explanation. Keep score — there is a readiness check at the bottom.

How to use this: answer honestly before revealing. The explanation matters more than the letter — if you got it right for the wrong reason, treat it as wrong and revisit that admin center in the docs.

10 MS-102 practice questions

Q1EasyTenant & domains

You add the custom domain contoso.com to your Microsoft 365 tenant. Before the domain can be used, Microsoft must confirm you own it. Which DNS record proves ownership?

  1. An MX record pointing mail to Exchange Online
  2. The TXT (or MX) verification record with the unique value Microsoft supplies
  3. A CNAME record for autodiscover
  4. An SPF record authorizing Microsoft to send mail
Show answer & explanation
Correct: B

To verify a domain, Microsoft gives you a unique TXT (or MX) record to add at your DNS host; it then queries DNS for that value to confirm you control the zone. The routing MX (A), autodiscover CNAME (C), and SPF (D) records are only added after verification to enable mail flow and services — none of them prove ownership.

Q2MediumUsers & licensing

Every user placed in the "Sales" security group must automatically receive a Microsoft 365 E5 license and lose it when removed from the group, with no manual assignment. What should you configure?

  1. A dynamic distribution group with a mail-flow rule
  2. Group-based licensing on the Sales group
  3. A nightly PowerShell task that runs a license cmdlet
  4. A Conditional Access policy that grants the license
Show answer & explanation
Correct: B

Group-based licensing assigns a license to a group; members inherit it in near real time and it is removed automatically when they leave the group. A scheduled script (C) works but is not the built-in, self-healing mechanism. Distribution groups (A) handle mail, not licensing. Conditional Access (D) governs sign-in access, not license assignment.

Q3MediumRoles & delegation

A help-desk technician must reset passwords for non-administrator users and require them to re-register their MFA methods, but must have no other admin rights. Which single built-in Microsoft Entra role is the least-privilege fit?

  1. Global Administrator
  2. Authentication Administrator
  3. User Administrator
  4. Security Administrator
Show answer & explanation
Correct: B

The Authentication Administrator role can reset passwords and manage or force re-registration of authentication methods (including MFA) for non-admin users — exactly the task and nothing more. Global Administrator (A) grants everything. User Administrator (C) can create and delete users and manage far more than passwords. Security Administrator (D) manages security features, not user credential resets.

Q4EasyIdentity sync

You must synchronize users from several disconnected on-premises Active Directory forests into one Microsoft Entra tenant using a lightweight, cloud-managed agent, with no server running a full sync engine or SQL database. Which tool fits?

  1. Microsoft Entra Connect Sync
  2. Microsoft Entra Cloud Sync
  3. Active Directory Federation Services (AD FS)
  4. Microsoft Identity Manager (MIM)
Show answer & explanation
Correct: B

Entra Cloud Sync uses lightweight agents configured from the cloud and natively supports multiple disconnected forests, with no local SQL or heavy sync server. Connect Sync (A) is the heavier on-premises engine that installs a database and does more provisioning work. AD FS (C) handles federated authentication, not directory sync. MIM (D) is legacy identity management, not the recommended Microsoft 365 sync path.

Q5MediumConditional Access

You must force multifactor authentication for all users who hold privileged directory roles whenever they sign in to the Microsoft admin portals, without affecting standard users. What is the correct design?

  1. Enable security defaults for the whole tenant
  2. A Conditional Access policy scoped to directory roles, targeting the Microsoft admin portals, that requires MFA
  3. Enable per-user (legacy) MFA on every account
  4. A sign-in risk policy set to block
Show answer & explanation
Correct: B

Conditional Access can scope its assignment to specific directory roles and to the Microsoft Admin Portals app, then grant with "require multifactor authentication" — precise and role-based. Security defaults (A) apply MFA to everyone with no granularity. Per-user MFA (C) hits all users and cannot be scoped by role or app. A risk policy that blocks (D) denies access rather than prompting for MFA.

Q6HardAuthentication

Users keep setting weak passwords such as "Contoso2026!" that still satisfy complexity rules. You must reject these banned patterns on your on-premises Active Directory, not just in the cloud. What do you deploy?

  1. Self-service password reset (SSPR)
  2. Microsoft Entra Password Protection with the DC agent and a custom banned-password list
  3. A Conditional Access sign-in frequency policy
  4. Smart lockout only
Show answer & explanation
Correct: B

Entra Password Protection extends Microsoft's global and your custom banned-password lists to on-premises AD by installing the Password Protection proxy plus a domain controller agent, so weak passwords are rejected right at the DC. SSPR (A) lets users reset their own passwords but does not ban weak ones. Sign-in frequency (C) controls re-authentication timing. Smart lockout (D) throttles brute-force attempts but does not evaluate password strength.

Q7EasyDefender for Office 365

You want unknown email attachments detonated in an isolated sandbox before they reach the mailbox, to catch zero-day malware. Which Microsoft Defender for Office 365 feature do you enable?

  1. Safe Attachments
  2. Safe Links
  3. The anti-spam policy
  4. Zero-hour auto purge (ZAP) only
Show answer & explanation
Correct: A

Safe Attachments opens attachments in a detonation sandbox to detect zero-day malware before the message is delivered. Safe Links (B) rewrites and time-of-click checks URLs, not attachments. The anti-spam policy (C) scores bulk and spam mail. ZAP (D) retroactively removes malicious mail already delivered — it does not pre-detonate attachments.

Q8MediumDefender for Office 365

Security wants to measure how many employees click a fake phishing link and then automatically assign remedial training to those who fail, using native Microsoft 365 tooling. Which feature do you use?

  1. Attack simulation training in Microsoft Defender for Office 365
  2. Microsoft Defender Vulnerability Management
  3. Conditional Access report-only mode
  4. Microsoft Secure Score recommendations
Show answer & explanation
Correct: A

Attack simulation training launches benign phishing campaigns, tracks who clicks or enters credentials, and can auto-assign targeted training to those who fall for it. Vulnerability Management (B) scans devices for CVEs. Report-only Conditional Access (C) previews policy impact on sign-ins. Secure Score (D) recommends posture improvements but does not run phishing simulations.

Q9HardDefender XDR

Analysts need to run one KQL query across email, identity, endpoint, and cloud-app signals to hunt a token-theft pattern, and view all correlated alerts as a single incident. Where do they work?

  1. Advanced hunting and Incidents in the Microsoft Defender portal (Defender XDR)
  2. Microsoft Purview Audit (Premium) search
  3. Azure Monitor Log Analytics only
  4. The Microsoft 365 admin center service health page
Show answer & explanation
Correct: A

Microsoft Defender XDR correlates alerts from Defender for Office 365, Identity, Endpoint, and Cloud Apps into unified incidents, and advanced hunting lets you query all those tables with one KQL query in the Defender portal. Purview Audit (B) searches activity logs but does not correlate XDR alerts or expose the hunting schema. Log Analytics (C) is Sentinel/Azure telemetry, not the built-in XDR experience. Service health (D) reports outages, not threats.

Q10MediumPurview DLP

You must stop users from sharing files that contain credit-card numbers externally through SharePoint Online, OneDrive, and Teams, and warn them with a policy tip. What do you configure?

  1. A retention label policy
  2. A Microsoft Purview DLP policy using the Credit Card Number sensitive info type
  3. A sensitivity label set to "Confidential"
  4. An eDiscovery (Premium) hold
Show answer & explanation
Correct: B

A Purview Data Loss Prevention (DLP) policy scoped to SharePoint, OneDrive, and Teams and matching the built-in Credit Card Number sensitive information type can block or restrict external sharing and show the user a policy tip. Retention labels (A) govern how long content is kept or deleted, not sharing. Sensitivity labels (C) classify and can encrypt but do not by themselves block a share based on detected content. An eDiscovery hold (D) preserves content for investigations.

What these questions cover

The 10 questions are weighted to mirror the real MS-102 blueprint, so your score here is a rough proxy for the live exam. These are the four domains and their 2026 exam weights:

Manage security & threats with Microsoft Defender XDR30–35%
Deploy & manage a Microsoft 365 tenant25–30%
Implement & manage Microsoft Entra identity & access25–30%
Manage compliance with Microsoft Purview10–15%

Score yourself

Count how many of the 10 you got right before revealing the answer. Then read the band you land in honestly — the goal is a real pass, not a good feeling.

0–5Not ready yet. You are guessing on core admin tasks. Rebuild fundamentals in tenant setup, Entra identity, and Defender XDR before booking.
6–8Close. You know the admin centers but slip on edge cases (Cloud Sync vs Connect, Conditional Access scoping, DLP). Drill a full timed bank and target weak domains.
9–10Exam-ready signal. Confirm with a couple of full-length timed mocks under exam conditions, then book with confidence.

Want the full MS-102 question bank?

These 10 are a taster. The ExamCert MS-102 app runs hundreds of exam-style questions with explanations, timed mocks, and weak-domain tracking — the real exam interface, on your phone.

MS-102 exam FAQ

How many questions are on the MS-102 exam?

Typically 40 to 60 questions in about 120 minutes, mixing multiple choice, multi-select, drag-and-drop, hotspot, and one or more case studies. Case studies lock once you leave them, so read each scenario fully before answering.

What score do I need to pass MS-102?

A scaled 700 out of 1000. Because scoring is scaled, 700 is not the same as 70% correct — harder and case-study items carry more weight.

Is MS-102 still current in 2026?

Yes. MS-102 is the active Microsoft 365 Administrator exam and a requirement for the Microsoft 365 Certified: Administrator Expert certification. The April 2026 blueprint rebalanced the domains so Microsoft Defender XDR is now the heaviest area (30–35%), followed by tenant management and Entra identity — make sure your prep leans into Defender XDR.

Are these MS-102 practice questions enough to pass?

They are essential but not sufficient. MS-102 is hands-on and tenant-wide — practice in a Microsoft 365 developer or trial tenant, configure the admin centers yourself, and use practice questions to find and close weak domains.

ExamCert Team — we build exam-style practice banks and prep apps for 90+ IT certifications. Questions here are original, written to match the MS-102 objectives; they are not real exam items.

Related: MS-102 exam guide · MD-102 Endpoint Administrator guide · Free practice tests