Lab 01: Practice Questions
Scenario-Based Questions
Question 1
Scenario: You create a new user account for an employee. The employee tries to sign in but receives an error that they cannot access any Microsoft 365 applications.
The user can sign in to the Azure portal successfully.
What is the MOST likely cause?
A) The user's password has expired
B) The user's account is blocked
C) The user does not have a usage location set
D) The user is not a member of any groups
Answer
C) The user does not have a usage location set
Explanation: Usage location is REQUIRED before licenses can be assigned. Without a license, the user cannot access M365 apps (Outlook, Teams, SharePoint). They can still sign in to Azure portal because Entra ID authentication works without a license.
- A is incorrect: If password expired, they couldn't sign in to Azure portal either
- B is incorrect: Blocked accounts cannot sign in anywhere
- D is incorrect: Group membership doesn't affect M365 app access directly
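The check and fix for this scenario, as an added example that is not part of the original lab. It assumes the Microsoft Graph PowerShell module is installed; the user name, country code and SKU part number are placeholder values.

```powershell
# Added example. $Upn, $Country and $SkuPartNumber are placeholders (assumptions).
param(
    [string]$Upn           = 'new.employee@contoso.example',
    [string]$Country       = 'US',
    [string]$SkuPartNumber = 'SPE_E3'
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All' | Out-Null

# usageLocation and assignedLicenses are not returned by default, so request them.
$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName, AccountEnabled, UsageLocation, AssignedLicenses

# Diagnosis: an enabled account with no usage location and no license matches the scenario.
[pscustomobject]@{
    User           = $user.UserPrincipalName
    AccountEnabled = $user.AccountEnabled
    UsageLocation  = $user.UsageLocation
    LicenseCount   = @($user.AssignedLicenses).Count
} | Format-List

# Step 1: a license cannot be assigned until the usage location is set.
if ([string]::IsNullOrEmpty($user.UsageLocation)) {
    Update-MgUser -UserId $user.Id -UsageLocation $Country
}

# Step 2: assign the license only if the tenant owns the SKU and has a free seat.
$sku = Get-MgSubscribedSku -All | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
if (-not $sku) { throw "SKU '$SkuPartNumber' not found in this tenant." }
if ($sku.ConsumedUnits -ge $sku.PrepaidUnits.Enabled) { throw "No free '$SkuPartNumber' seats." }

if ($user.AssignedLicenses.SkuId -notcontains $sku.SkuId) {
    Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @() | Out-Null
}

# Confirm the result.
Get-MgUser -UserId $user.Id -Property UserPrincipalName, UsageLocation, AssignedLicenses |
    Select-Object UserPrincipalName, UsageLocation, @{ n = 'Licenses'; e = { @($_.AssignedLicenses).Count } }
```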
Question 2
Scenario: Your organization has the following requirement:
- All users in the Marketing department should automatically be added to a group called "SG-Marketing-All"
- When users leave Marketing, they should be automatically removed
What type of group should you create?
A) Microsoft 365 group with assigned membership
B) Security group with assigned membership
C) Security group with dynamic membership
D) Distribution group
Answer
C) Security group with dynamic membership
Explanation: Dynamic groups use rules based on user attributes. A rule like (user.department -eq "Marketing") would automatically add/remove users based on their department attribute.
Requirements:
- Entra ID P1 or P2 license
- Department attribute must be populated for users
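One way to create this group and check both requirements, as an added example that is not part of the original lab. It assumes the Microsoft Graph PowerShell module; the description and mail nickname are constructed values.

```powershell
# Added example. Requires the Microsoft.Graph module and an Entra ID P1/P2 tenant.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All' | Out-Null

$department = 'Marketing'
$rule       = "(user.department -eq `"$department`")"

# Pre-check 1: member accounts with an empty department can never match the rule.
$users = Get-MgUser -All -Property Id, UserPrincipalName, Department, UserType
$blank = @($users | Where-Object {
    $_.UserType -eq 'Member' -and [string]::IsNullOrWhiteSpace($_.Department)
})
Write-Host "$($blank.Count) member account(s) have no department set:"
$blank | Select-Object -First 10 UserPrincipalName | Format-Table -AutoSize

# Pre-check 2: the users the rule should pick up once it has been evaluated.
$expected = @($users | Where-Object { $_.Department -eq $department })
Write-Host "$($expected.Count) user(s) currently have department '$department'."

# Create the dynamic security group. Membership is computed from the rule,
# so no members are added by hand.
$params = @{
    DisplayName                   = 'SG-Marketing-All'
    Description                   = 'All users whose department is Marketing (dynamic)'
    MailEnabled                   = $false
    MailNickname                  = 'sg-marketing-all'   # required by Graph even when not mail-enabled
    SecurityEnabled               = $true
    GroupTypes                    = @('DynamicMembership')
    MembershipRule                = $rule
    MembershipRuleProcessingState = 'On'
}
$group = New-MgGroup @params

# Rule evaluation is asynchronous; re-run this comparison later if users are missing.
$actual  = @(Get-MgGroupMember -GroupId $group.Id -All)
$missing = @($expected | Where-Object { $_.Id -notin $actual.Id })
Write-Host "Group $($group.Id): $($actual.Count) member(s), $($missing.Count) expected user(s) not yet added."
```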
Question 3
Scenario: A manager requests that you delete a former employee's account. Two weeks later, the manager realizes they need access to the employee's OneDrive files.
What should you do?
A) Contact Microsoft support to recover the account
B) Restore the user from the Deleted users section
C) Recreate the account with the same email
D) The data is permanently lost
Answer
B) Restore the user from the Deleted users section
Explanation: Deleted users remain in a soft-delete state for 30 days. During this time, you can restore them with all their data intact (OneDrive, mailbox, etc.). After 30 days, the user and data are permanently deleted.
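The restore described above, with the remaining time in the 30-day window shown for each soft-deleted user, as an added example that is not part of the original lab. It assumes the Microsoft Graph PowerShell module; the user name is a placeholder and the script only restores when run with `-Restore`.

```powershell
# Added example. $Upn is a placeholder for the former employee's sign-in name (assumption).
param(
    [string]$Upn = 'former.employee@contoso.example',
    [switch]$Restore
)
$retentionDays = 30   # soft-delete window stated in the explanation above

Connect-MgGraph -Scopes 'User.ReadWrite.All' | Out-Null

$now     = (Get-Date).ToUniversalTime()
$deleted = Get-MgDirectoryDeletedItemAsUser -All -Property Id, DisplayName, UserPrincipalName, DeletedDateTime

# Report every soft-deleted user with the days left before permanent deletion.
$report = foreach ($u in $deleted) {
    $age = $now - ([datetime]$u.DeletedDateTime).ToUniversalTime()
    [pscustomobject]@{
        Id        = $u.Id
        User      = $u.UserPrincipalName
        DeletedOn = $u.DeletedDateTime
        DaysLeft  = [math]::Max(0, [math]::Floor($retentionDays - $age.TotalDays))
    }
}
$report | Sort-Object DaysLeft | Format-Table -AutoSize

# Match on the UPN suffix: the stored UPN of a soft-deleted user can carry a prefix.
$target = @($report | Where-Object { $_.User -like "*$Upn" })
if ($target.Count -ne 1) {
    throw "Expected exactly one deleted user matching '$Upn', found $($target.Count)."
}

if ($Restore) {
    Restore-MgDirectoryDeletedItem -DirectoryObjectId $target[0].Id | Out-Null
    Get-MgUser -UserId $target[0].Id -Property UserPrincipalName, AccountEnabled |
        Select-Object UserPrincipalName, AccountEnabled
} else {
    Write-Host "Dry run: re-run with -Restore to restore $($target[0].User) ($($target[0].DaysLeft) day(s) left)."
}
```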
Question 4
Scenario: You need to create 200 user accounts for new employees starting next month. HR has provided an Excel spreadsheet with all user details.
What is the MOST efficient method to create these accounts?
A) Create each user manually in the portal
B) Use the Bulk create users feature with a CSV file
C) Write a PowerShell script
D) Create users through Microsoft 365 Admin Center
Answer
B) Use the Bulk create users feature with a CSV file
Explanation: For large numbers of users with data already in spreadsheet format, bulk create is most efficient:
- Export data as CSV in the required template format
- Upload via Entra ID → Users → Bulk operations → Bulk create
- All users created in single operation
PowerShell would work but requires more technical effort. Manual creation is impractical for 200 users.
Question 5
Scenario: You have two groups:
- SG-Project-A (Security group)
- M365-Project-A (Microsoft 365 group)
A user asks: "What's the difference? Which should I use?"
Which statements are TRUE? (Select all that apply)
A) Security groups can be used to assign Azure RBAC permissions
B) Microsoft 365 groups automatically get a shared mailbox and calendar
C) Security groups can be mail-enabled
D) Microsoft 365 groups can be used for RBAC permissions
E) Only Microsoft 365 groups appear in Outlook
Answer
A, B, D, E are TRUE
Explanations:
- A: TRUE - Security groups are the primary way to assign Azure resource permissions
- B: TRUE - M365 groups automatically provision SharePoint site, mailbox, calendar, Planner
- C: FALSE - Security groups CANNOT be mail-enabled (you'd use distribution groups or M365 groups for email)
- D: TRUE - M365 groups CAN be used for RBAC (they function as security groups too)
- E: TRUE - M365 groups appear in Outlook, Teams, SharePoint; security groups do not
Question 6
Scenario: An employee is going on a 3-month sabbatical. You need to ensure:
- They cannot access company resources during the sabbatical
- Their account and data are preserved
- They can resume access when they return
What should you do?
A) Delete the user account
B) Block the user's sign-in
C) Remove the user from all groups
D) Change the user's password
Answer
B) Block the user's sign-in
Explanation: Blocking sign-in:
- Immediately prevents all access
- Preserves the account and all data
- Maintains group memberships
- Can be easily reversed when the employee returns
- A is incorrect: Deleting would remove data after 30 days
- C is incorrect: Removing from groups loses access configuration
- D is incorrect: Changing the password still allows sign-in with the new password
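Blocking and later unblocking the account, as an added example that is not part of the original lab. It assumes the Microsoft Graph PowerShell module and a placeholder user name; revoking existing sessions is an extra step added here so that tokens issued before the block stop working too.

```powershell
# Added example. $Upn is a placeholder (assumption). Use -Unblock when the employee returns.
param(
    [string]$Upn = 'on.sabbatical@contoso.example',
    [switch]$Unblock
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'GroupMember.Read.All' | Out-Null

$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName, AccountEnabled

# Snapshot group memberships first so they can be compared after the change.
$before = @(Get-MgUserMemberOf -UserId $user.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] } | Sort-Object)

if ($Unblock) {
    Update-MgUser -UserId $user.Id -AccountEnabled:$true
} else {
    # Block new sign-ins, then invalidate refresh tokens and session cookies already issued.
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
}

# Verify: the enabled flag changed and the memberships did not.
$after  = Get-MgUser -UserId $user.Id -Property UserPrincipalName, AccountEnabled
$groups = @(Get-MgUserMemberOf -UserId $user.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] } | Sort-Object)

[pscustomobject]@{
    User             = $after.UserPrincipalName
    AccountEnabled   = $after.AccountEnabled
    GroupsBefore     = $before.Count
    GroupsAfter      = $groups.Count
    MembershipIntact = -not (Compare-Object $before $groups)
} | Format-List
```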
Question 7
Scenario: You're configuring self-service group management. The security team is concerned about users creating too many groups.
Which setting should you configure?
A) Restrict user ability to access groups features in My Groups = Yes
B) Users can create security groups = No AND Users can create Microsoft 365 groups = No
C) Owners can manage group membership requests = No
D) Enable group naming policy
Answer
B) Users can create security groups = No AND Users can create Microsoft 365 groups = No
Explanation: This directly prevents users from creating groups. Admins must create all groups.
- A would restrict accessing existing groups, not creation
- C only affects membership requests for existing groups
- D adds prefixes/suffixes but doesn't prevent creation
Quick Knowledge Check
What is the maximum number of groups a user can be a member of?
Answer
Technical limit is around 2,048, but Microsoft recommends keeping it under 100 for performance.
What happens to a user's assigned licenses when their account is deleted?
Answer
Licenses are automatically unassigned and returned to the available pool for reassignment.
Can you convert a Security group to a Microsoft 365 group?
Answer
No. Group type cannot be changed after creation. You must create a new group and migrate members.
What role is needed to create users in Entra ID?
Answer
User Administrator or Global Administrator
How long are deleted users retained before permanent deletion?
Answer
30 days
Can a guest user own a group?
Answer
By default no, but this can be enabled in tenant settings.
Real-World Challenge
Scenario: You're designing the identity structure for a new project with these requirements:
- 50 internal employees from different departments
- 10 external contractors
- Need to share a SharePoint site for documents
- Need a Teams channel for communication
- Only internal employees should be able to create new documents
- Contractors should have read-only access
- Project managers need to manage membership
Design the group structure. Consider:
- What type of groups would you create?
- How would you handle different permission levels?
- How would you manage external contractors?
Suggested Approach
Groups to create:
M365-ProjectX-Team (Microsoft 365 group)
- All 60 members (employees + contractors)
- Provides Teams channel and SharePoint site
- Owners: Project managers
SG-ProjectX-Contributors (Security group)
- 50 internal employees only
- Used for SharePoint "Edit" permission
SG-ProjectX-Readers (Security group)
- 10 contractors
- Used for SharePoint "Read" permission
SharePoint permissions:
- M365-ProjectX-Team: Site membership (basic access)
- SG-ProjectX-Contributors: "Edit" permission on document library
- SG-ProjectX-Readers: "Read" permission on document library
Contractor management:
- Invite as B2B guests
- Add to M365 group for Teams access
- Add to Readers group for SharePoint permissions
- Set up access review to periodically validate contractor access