MS-102 Step-by-Step Guide: Real Admin Scenarios for Entra, Intune, Purview, and Defender

From Practice Questions to Real Admin Wins: Step-by-Step MS-102 Scenarios (With Exact Portal Paths and Verification)

If you have ever worked through MS-102 practice questions and felt confident about the answer but not the execution, you are not alone. The exam compresses real-world admin work into short scenarios. Your job as a Microsoft 365 admin is to translate those scenarios into the correct control plane, the right portal, and a repeatable implementation.

This post does exactly that.

You will find seven shuffled MS-102-style scenarios, rewritten as practical playbooks. Each one includes:

• What the scenario is testing
• Step-by-step portal instructions
• Verification steps (how to prove it worked)
• Common pitfalls and rollback guidance

---

Question 1: Require MFA for App1 only (not tenant-wide)

What this scenario is testing

This is a Microsoft Entra Conditional Access requirement. Per-user MFA is not granular enough when the requirement is “MFA for only one application.”

Step-by-step (Microsoft Entra admin center)

1. Open Microsoft Entra admin center.
2. Go to Protection → Conditional Access.
3. Select Create new policy.
4. Name: CA - Require MFA for App1.
5. Under Users:
   • Select the target user/group.
   • Exclude emergency access (break-glass) accounts.
6. Under Target resources (Cloud apps):
   • Choose Select apps → select App1.
7. Under Grant controls:
   • Select Grant access.
   • Check Require multi-factor authentication.
8. Set Enable policy to Report-only first (recommended).
9. Click Create.

Verify

1. Sign into App1 as a test user and confirm MFA is prompted.
2. Sign into another app and confirm MFA is not forced by this policy.
3. Review Entra Sign-in logs:
   • Open the sign-in event → Conditional Access tab → confirm the policy applied.

Common pitfalls

• Not excluding break-glass accounts.
• Turning it on globally before validation.
• Another Conditional Access policy already forcing MFA for all apps.

Rollback

• Set the policy to Off or revert to Report-only.

---

Question 2: Enable BitLocker automatically for Windows 10 devices enrolling in Intune

What this scenario is testing

A compliance policy checks encryption. It does not enable BitLocker. To turn on BitLocker you must use a configuration approach, typically Endpoint security disk encryption.

Step-by-step (Intune admin center)

1. Go to Intune admin center.
2. Navigate to Endpoint security → Disk encryption.
3. Select Create policy.
4. Platform: Windows 10 and later.
5. Profile: BitLocker.
6. Configure:
   • Enable BitLocker silently where supported
   • Store recovery keys in Microsoft Entra ID
   • Set encryption method (XTS-AES is common)
7. Assign to your target group.
8. Select Create.

Verify

1. On the device, run:manage-bde -status Confirm protection is On.
2. In Entra admin center (device object), confirm a BitLocker recovery key is present.
3. In Intune, confirm the policy shows as Succeeded for the device.

Common pitfalls

• Only creating a compliance policy and expecting encryption to happen.
• TPM not ready, device not compatible, or user not a local admin in certain configurations.
• Assigning to the wrong group (user vs device targeting mismatch).

Rollback

• Remove the assignment or set the disk encryption policy to Not configured for affected settings.

---

Question 3: User2 fails to sign in as user2@fabrikam.com (UPN mismatch / domain issue)

What this scenario is testing

This is a UPN suffix alignment and sync issue. “Allow log on locally” is irrelevant to cloud authentication. For synced identities, you must add the UPN suffix in on-prem AD, update the UPN, then sync.

Step-by-step (On-prem AD: Add UPN suffix)

1. Open Active Directory Domains and Trusts.
2. Right-click the top node → Properties.
3. Under UPN Suffixes, add: fabrikam.com.
4. Click Add → OK.

Step-by-step (Update User2 UPN)

1. Open Active Directory Users and Computers.
2. Locate User2 → Properties.
3. Go to Account tab.
4. Update User logon name to end with @fabrikam.com.
5. Click Apply → OK.

Step-by-step (Force Azure AD Connect sync)

On the Azure AD Connect server:

Start-ADSyncSyncCycle -PolicyType Delta

Verify

1. In Entra admin center → Users → User2:
   • Confirm the UPN changed to user2@fabrikam.com.
2. Test sign-in.

Common pitfalls

• Domain not verified in Microsoft 365/Entra.
• Editing cloud UPN while the user is synced (will revert).
• Multiple identity sources (cloud-only vs synced) not understood.

Rollback

• Revert the UPN to the previous suffix and re-sync.

---

Question 4: Enforce encryption + Defender real-time protection, and block noncompliant devices

What this scenario is testing

You must build a compliance definition and an enforcement gate:

• Intune compliance policy defines what “compliant” means.
• Conditional Access blocks access for devices that are not compliant.

Step-by-step A (Create the compliance policy)

1. Intune admin center → Devices → Compliance policies → Create policy.
2. Platform: Windows 10 and later.
3. Configure compliance settings to require:
   • Encryption (BitLocker)
   • Microsoft Defender Antivirus / real-time protection (as available)
4. Assign to the target users/devices.
5. Create.

Step-by-step B (Create Conditional Access enforcement)

1. Entra admin center → Protection → Conditional Access → Create new policy.
2. Users: target group (exclude break-glass).
3. Target resources: select required apps (often All cloud apps in exam scenarios).
4. Grant controls:
   • Require device to be marked as compliant
5. Enable Report-only first, then On.

Verify

1. In Intune: device → Device compliance shows Compliant/Noncompliant.
2. Attempt access from a noncompliant device and confirm it is blocked.
3. Check Entra sign-in logs to confirm the CA decision.

Common pitfalls

• Enabling CA before devices have time to enroll and evaluate compliance.
• Missing exclusions for emergency access accounts.
• Confusing “compliance” with “configuration.” Compliance does not remediate.

Rollback

• Switch CA policy back to Report-only or Off.
• Adjust compliance rules or assignment scope.

---

Question 5: Engineering users must enroll mobile devices and get a higher device limit

What this scenario is testing

This is Intune Enrollment restrictions plus priority handling:

• Device type restrictions determine which platforms can enroll.
• Device limit restrictions determine how many devices a user can enroll.
• If a user matches multiple restrictions, the highest priority policy applies.

Step-by-step A (Confirm platform enrollment is allowed)

1. Intune admin center → Devices → Enrollment → Enrollment restrictions.
2. Open Device type restrictions.
3. Confirm that Engineering is allowed to enroll the needed platform (iOS/Android).
4. If needed, create a dedicated restriction:
   • Create restriction → allow required platforms → assign to Engineering → raise priority.

Step-by-step B (Confirm device limit for Engineering)

1. Go to Device limit restrictions.
2. Ensure the Engineering policy sets the correct device limit (example: 15).
3. Ensure Engineering restriction has the correct priority relative to Default.

Verify

• Enroll a test device using an Engineering user.
• Confirm enrollment succeeds and device appears in Intune.

Common pitfalls

• Users belong to multiple groups and get caught by a higher priority rule.
• Fixing device limit while platform is blocked (or vice versa).

Rollback

• Lower the priority of the Engineering rule or revert limit.
• Temporarily assign Engineering to Default if needed to restore service.

---

Question 6: Configure Attack Simulation Training (Credential Harvest + training)

What this scenario is testing

This is about configuring Attack simulation training campaigns and selecting appropriate technique and training experiences.

Step-by-step (Microsoft 365 Defender portal)

1. Open Microsoft 365 Defender.
2. Go to Email & collaboration → Attack simulation training.
3. Select Launch a simulation.
4. Choose the social engineering technique:
   • Example: Credential harvest
5. Configure:
   • Target users/group
   • Payload template
   • Scheduling
6. Select the training experience:
   • Example: Mass Market Phishing
7. Launch the simulation.

Verify

• Confirm campaign status shows running/completed.
• Review results: click rate, credential entry attempts, training completion.

Common pitfalls

• Launching tenant-wide without piloting.
• Training content that does not match the simulated technique.

Rollback

• Stop/cancel the simulation campaign and adjust scope.

---

Question 7: Auto-labeling policy. What do you do first?

What this scenario is testing

Auto-labeling can impact a lot of content quickly. The correct first step is simulation mode to validate match quality and reduce false positives.

Step-by-step (Microsoft Purview compliance portal)

1. Open Microsoft Purview compliance portal.
2. Go to Information protection / Sensitivity labels (UI varies).
3. Create or edit an Auto-labeling policy.
4. Select locations:
   • Exchange, SharePoint, OneDrive (as required)
5. Define conditions:
   • Sensitive info types (SITs) or classifiers
6. Choose the label to apply.
7. Set policy mode to Simulation.
8. Run simulation and review results.
9. Tune conditions.
10. Move to enforce mode only after results are acceptable.

Verify

• Review simulation report outputs.
• After enabling, verify labeled items in the targeted workloads.

Common pitfalls

• Enabling enforcement immediately, creating widespread mislabeling.
• Scoping too broadly without a pilot.

Rollback

• Switch policy back to Simulation or disable it.
• Adjust conditions and scope.

---

Cheat Sheet: Which portal do I use?

• App-specific MFA: Entra Conditional Access
• BitLocker enablement: Intune Endpoint security (Disk encryption)
• UPN sign-in mismatch: On-prem AD UPN suffix + Azure AD Connect sync
• Block noncompliant devices: Intune compliance + Entra Conditional Access
• Mobile enrollment controls: Intune Enrollment restrictions
• Attack simulations: Microsoft 365 Defender
• Auto-labeling: Microsoft Purview (Simulation first)