MS-102 Managing Identity and Access Flashcards

(34 cards)

1
Q

Passwordless authentication

A

creates a complete experience for all employees, so they no longer need passwords to sign in to the network. Instead, Microsoft Entra ID lets them sign in with biometrics or a tap using:

Windows Hello for Business
the Microsoft Authenticator app
a compatible FIDO2 security key

2
Q

Microsoft Entra verifiable credentials

A

Verifiable credentials let organizations confirm information—like their education or the professional certifications someone provides—without collecting and storing their personal data.

3
Q

default password expiration policy in Microsoft 365

A

sets users’ passwords to never expire

4
Q

To change the default password expiration policy,

A

Sign in to the Microsoft 365 admin center and, if necessary, select Show all in the navigation pane.

In the navigation pane, select Settings and then select Org settings.
On the Org settings page, the Services tab is displayed by default. Select the Security & privacy tab.

In the Security & privacy tab, select Password expiration policy.

5
Q

To access Microsoft Entra Password Protection, you must be assigned one of the following roles

A

Global Administrator, Security Administrator, or Privileged Role Administrator.

6
Q

To enable the custom banned password list and add entries to it,

A

In the Microsoft 365 admin center, in the navigation pane under the Admin centers group, select Identity.

In the Microsoft Entra admin center, select Protection in the navigation pane to expand the group, and then select Authentication methods.

On the Authentication methods | Policies page, in the middle pane under the Manage section, select Password protection.

On the Authentication methods | Password protection page, set the Enforce custom list option to Yes.

Add strings to the Custom banned password list, one string per line. The following considerations and limitations apply to the custom banned password list:

7
Q

complete the following steps to create a Conditional Access policy

A

In the Microsoft Intune admin center, select Endpoint security in the left-hand navigation pane.

On the Endpoint security | Overview page, under the Manage section in the middle pane, select Conditional Access.

On the Conditional Access | Policies page, select +New policy on the menu bar.

8
Q

Port 80

A

Enables outbound HTTP traffic for security validation such as TLS/SSL certificate revocation lists.

9
Q

Port 443

A

Enables user authentication against Microsoft Entra ID.

10
Q

Security Defaults

A

provides a basic level of security by turning on MFA, blocking legacy authentication protocols, and requiring users to register for Microsoft Entra MFA.

11
Q

enable or disable security defaults from the Properties pane for Microsoft Entra ID

A

In the Microsoft Entra admin center, in the left-hand navigation pane, select Overview.

On the Overview page for your organization’s tenant, the system displays the Overview tab by default. Select the Properties tab.

Under the Security Defaults section, select the Manage security defaults link.

12
Q

enable multifactor authentication on a per-user basis in the Microsoft 365 admin center

A

In the Microsoft 365 admin center, in the left-hand navigation pane, select Settings and then select Org settings.

On the Org settings page, under the Services tab (which is displayed by default) select Multifactor authentication.

In the Multifactor authentication pane that appears, select Configure multifactor authentication.

On the multifactor authentication page, two tabs are available - one for users and one for service settings.

On the users tab, you can enable (or disable) multifactor authentication for one or more users. You can

13
Q

five passwordless authentication options

A

Windows Hello for Business
Platform Credential for macOS
Platform single sign-on (PSSO) for macOS with smart card authentication
Microsoft Authenticator
Passkeys (FIDO2)
Certificate-based authentication

14
Q

Password writeback

A

Microsoft Entra Premium includes the ability to write back passwords. This feature enables organizations to implement self-service password reset for synchronized identities and federated identities.

15
Q

Smart Lockout

A

locks out bad actors who are trying to guess users’ passwords or use brute-force methods to gain access. It can recognize sign-ins coming from valid users and treat them differently than those of attackers and other unknown sources.

16
Q

To check or modify the Smart Lockout values for an organization

A

Sign in to the Microsoft Entra admin center and navigate to Protection > Authentication methods > Password protection.

Set the Lockout threshold, based on how many failed sign-ins the organization allows on an account before its first lockout. The default is 10.

Set the Lockout duration in seconds, to the length in seconds of each lockout. The default is 60 seconds.

17
Q

Microsoft Defender for Identity

A

cloud-based security solution. It uses your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

18
Q

To view and use Microsoft XDR Defender Security Reports, what roles do you need to have?

A

Organization Management
Security Administrator
Security Reader
Global Reader

19
Q

How Microsoft Secure Score works

A

You’re given points for the following actions:

Configuring recommended security features
Doing security-related tasks
Addressing the recommended action with a third-party application or software, or an alternate mitigation

20
Q

recommended action statuses

A

To address, Planned, Risk accepted, Resolved through third party, and Resolved through alternate mitigation

21
Q

To Address

A

You recognize the recommended action is necessary and plan to address it at some point in the future. This state also applies to partially completed actions.

22
Q

Planned

A

There are concrete plans in place to complete the recommended action.

23
Q

Risk accepted

A

Organizations should always balance security with usability. Keep in mind, not every recommendation works for your environment. In those instances, you can choose to accept the risk, or the remaining risk, and not enact the recommended action. This status doesn’t receive any points. You can view this action in history or undo it at any time.

24
Q

Resolved through third party and Resolved through alternate mitigation.

A

An internal tool or a third-party application already addressed the recommended action. You gain the points the action is worth, so your score more closely reflects your overall security posture.

25
Microsoft Entra Privileged Identity Management (PIM).
PIM is a cloud-based solution that enables organizations to control and monitor the access and permissions of their employees and administrators.
26
Eligible admins
users that need privileged access periodically, but not all-day, every day. The role is inactive until the user needs access. At that point, the user must complete an activation process and become an active admin for a predetermined amount of time.
27
To use PIM, you need one of the following paid or trial licenses:
Microsoft Entra Premium P2
Enterprise Mobility + Security (EMS) E5
28
eligible
role assignment that requires a user to perform one or more actions to use the role.
29
Microsoft Entra ID Protection
cloud-based solution that helps an organization monitor and report compromised or abused identities within its environment.
30
user must be assigned one of the following roles to access Microsoft Entra ID Protection:
Security Reader, Security Operator, Security Administrator, Global Reader, or Global Administrator.
31
Sign-in risk.
reflects the probability the identity owner doesn't authorize a given authentication request
32
User risk.
User risk reflects the overall likelihood that a bad actor compromised a given identity. User risk contains all the risk activities for a given user, i
33
How does Microsoft Entra ID Protection investigate risk events?
it uses advanced machine learning to detect suspicious activities based on signals
34
To turn on each policy required by your organization
In the Microsoft 365 admin center, in the left-hand navigation pane, select Show all.
In the left-hand navigation pane, under Admin centers, select Identity.
In the Microsoft Entra admin center, in the left-hand navigation pane, select Identity, select Protection, and then select Identity Protection.
On the Identity Protection | Dashboard page, the system displays the three default policies in the middle navigation pane under the Protect section (User risk policy, Sign-in risk policy, and Multifactor authentication registration policy).
Select each of the three policies that your organization wants to enforce, and on its policy page, toggle the Policy enforcement switch to Enabled.