You have covered tenant configuration, compliance policies and endpoint management. The MS-102 feels like it’s taking shape. Then a scenario question asks why a Conditional Access policy isn’t blocking a risky sign-in, or why Identity Protection risk signals aren’t triggering MFA – and you realize identity and access got studied at the surface level when the exam goes much deeper.
Identity and access is one of the heaviest domains on the MS-102. It’s not tested as isolated features – it’s tested as a decision framework.
Why Identity and Access Trips Up MS-102 Candidates
Most candidates study Conditional Access, MFA and Identity Protection as three separate topics. They memorize what each one does and move on.
The exam builds scenarios where all three interact. A risky user triggers Identity Protection. That risk signal feeds into Conditional Access. Conditional Access enforces MFA or blocks access entirely. If you don’t understand how those layers connect, you’ll diagnose the wrong component when a scenario describes a failure.
That connection is what this guide is built around.
Conditional Access: The Policy Logic the Exam Tests Precisely
Conditional Access is an if-then engine. If a set of conditions is met, then enforce a set of controls. The exam tests whether you understand both sides of that equation – and what happens when conditions overlap or conflict.
Assignments define who and what the policy applies to. Users, groups, roles, cloud apps and sign-in conditions like location, device platform and client app type are all assignment options. The exam tests exclusions specifically – a user excluded from a policy doesn’t have that policy applied, even if they meet every other condition. Misconfigured exclusions are a direct exam scenario.
Grant controls define what happens when conditions are met. Require MFA, require compliant device, require hybrid Azure AD (Microsoft Entra hybrid) join, require approved app – these can be combined with AND or OR logic, which the portal labels "Require all the selected controls" and "Require one of the selected controls". The exam tests the difference: requiring MFA AND a compliant device means both must be satisfied. Requiring MFA OR a compliant device means either is sufficient. Getting that logic wrong changes the security outcome entirely: an OR policy with MFA and compliant device lets an unmanaged device in on MFA alone.
Named locations are tested in scenarios about geographic access control. Trusted named locations – defined by IP ranges and marked as trusted – can be excluded from MFA requirements by listing them under the policy's Locations condition as an exclusion, not by editing the grant controls. The exam uses this in scenarios where users on the corporate network shouldn't be prompted for MFA but remote users should. Two practical caveats: the match is made on the public IP that Entra sees, so VPN egress, split tunnelling and proxies decide whether a user counts as "on the corporate network", and a location that is excluded from the wrong policy, or included instead of excluded, silently inverts the intent. Misconfiguring the named location or applying it to the wrong policy condition is a deliberate trap.
Report-only mode is a concept candidates skip. A Conditional Access policy in report-only mode evaluates sign-ins against the policy conditions but doesn't enforce anything; the outcome is recorded per sign-in in the sign-in logs as a report-only result so you can see who would have been blocked or prompted. The exam tests this in scenarios about testing a new policy without impacting users – report-only is the correct approach before switching a policy to enabled.
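The assignment, exclusion, named-location and grant-control logic above, as an added example written for this article with the Microsoft Graph PowerShell SDK (it is not code from the article or from Microsoft's documentation). It creates a trusted IP named location, looks up a break-glass exclusion group and creates one policy in report-only mode. The CIDR, the group name, the policy name and the scopes granted are assumptions you must adapt to your tenant.

```powershell
# Added example, not from the original article. Requires the Microsoft.Graph module
# and a Conditional Access administrator. CIDR, group name and policy name are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# 1. A trusted IP-based named location for the corporate egress range (placeholder CIDR).
#    Entra matches on the public IP it sees, so VPN egress decides who is "on the corporate network".
$corpNet = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate network"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# 2. The emergency-access (break-glass) group that should be excluded from every policy.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"   # placeholder name

# 3. The policy. The three things the exam probes:
#    - excludeGroups: a member of this group never has the policy applied, whatever else matches
#    - excludeLocations: sign-ins from the trusted range skip the policy entirely
#    - operator = "AND": MFA *and* a compliant device are both required; "OR" would accept either
$policy = @{
    displayName   = "CA01 - Remote users: MFA and compliant device"
    state         = "enabledForReportingButNotEnforced"   # report-only until the logs look right
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        locations      = @{ includeLocations = @("All"); excludeLocations = @($corpNet.Id) }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# 4. Switch to enforcement only after reviewing report-only outcomes in the sign-in logs.
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Changing `operator` to `"OR"` is the one-word edit that turns "managed device with MFA" into "any device with MFA", which is why the AND/OR question keeps appearing.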
MFA: Registration, Methods and the Gaps the Exam Exploits
MFA on the MS-102 isn’t just about enabling it. The exam tests the registration process, authentication methods and what happens when MFA configuration doesn’t match organizational requirements.
The combined security information registration experience lets users register both MFA and self-service password reset methods in one place. The exam tests this in scenarios where users haven't registered – a Conditional Access policy requiring MFA forces an unregistered user through the registration interrupt at their next sign-in, and blocks them outright where registration itself is unavailable, for example when a separate policy restricts the "Register security information" user action to trusted locations or the user cannot complete registration on the device in front of them. The fix involves a registration campaign or a temporary access pass, not disabling the policy.
Authentication methods matter for specific exam scenarios. The Microsoft Authenticator app supports passwordless sign-in, MFA push notifications and number matching. SMS and voice call are legacy methods that are less secure. The exam tests scenarios where an organization wants to eliminate SMS-based MFA – the answer involves the Authentication Methods policy, not the legacy MFA settings in the Microsoft 365 admin center.
Number matching is tested specifically. Without number matching, MFA fatigue attacks – where an attacker repeatedly sends MFA push notifications hoping the user approves one – are viable. Number matching requires the user to enter a number displayed on the sign-in screen into the authenticator app, so a push the user did not initiate cannot be approved by reflex. Microsoft has enforced number matching for all Microsoft Authenticator push notifications since May 2023, so it no longer has a tenant-level toggle, but the exam still presents MFA fatigue scenarios and expects you to identify number matching (optionally with application and location context in the prompt) as the mitigation.
Per-user MFA is the legacy approach. Conditional Access-based MFA is the modern approach. The exam distinguishes these and tests why per-user MFA and Conditional Access MFA can conflict – a user whose per-user MFA state is enforced is prompted for MFA on every sign-in regardless of Conditional Access policy conditions, and the legacy settings that travel with it (trusted IPs, remembered devices) are evaluated separately from any Conditional Access policy. Migrating those users to Conditional Access means setting their per-user state to disabled once an equivalent policy covers them.
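The method, registration and per-user MFA points above, as an added example written for this article (not code from the article or from Microsoft). It retires SMS through the Authentication Methods policy, turns on app and location context for Authenticator pushes, enables a registration campaign, issues a Temporary Access Pass to one unregistered user and reads that user's legacy per-user MFA state. The user principal name is a placeholder; the per-user MFA endpoint is assumed to be on the beta Graph surface, so check before relying on it.

```powershell
# Added example, not from the original article. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "UserAuthenticationMethod.ReadWrite.All"

# 1. Retire SMS. This is the Authentication Methods policy, not the legacy per-user MFA portal.
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Sms" `
    -BodyParameter @{
        "@odata.type" = "#microsoft.graph.smsAuthenticationMethodConfiguration"
        state         = "disabled"
    }

# 2. Microsoft Authenticator with push context. Number matching is enforced by Microsoft for
#    every push and has no toggle here; app name and sign-in location add signal against fatigue.
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "MicrosoftAuthenticator" `
    -BodyParameter @{
        "@odata.type"   = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
        state           = "enabled"
        featureSettings = @{
            displayAppInformationRequiredState      = @{ state = "enabled"; includeTarget = @{ targetType = "group"; id = "all_users" } }
            displayLocationInformationRequiredState = @{ state = "enabled"; includeTarget = @{ targetType = "group"; id = "all_users" } }
        }
    }

# 3. Registration campaign: users without Authenticator are nudged to register at sign-in
#    and may snooze for one day, so the MFA policy itself stays enabled.
Update-MgPolicyAuthenticationMethodPolicy -BodyParameter @{
    registrationEnforcement = @{
        authenticationMethodsRegistrationCampaign = @{
            state                = "enabled"
            snoozeDurationInDays = 1
            includeTargets       = @(@{ targetType = "group"; id = "all_users"; targetedAuthenticationMethod = "microsoftAuthenticator" })
        }
    }
}

# 4. A one-time Temporary Access Pass for a user with nothing registered, so they can bootstrap
#    Authenticator. The TemporaryAccessPass method must already be enabled in the policy.
$upn = "user@contoso.example"   # placeholder
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn -BodyParameter @{
    lifetimeInMinutes = 60
    isUsableOnce      = $true
}
$tap.TemporaryAccessPass   # hand over out of band; the value is only ever returned once

# 5. Legacy per-user MFA state (disabled / enabled / enforced). An enforced user is prompted
#    independently of Conditional Access. Assumed beta endpoint at the time of writing.
(Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/users/$upn/authentication/requirements").perUserMfaState
```

Step 5 is the check to run first when a "why is this user prompted every time" ticket arrives, because a Conditional Access policy in the portal tells you nothing about the legacy per-user state.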
Identity Protection: Risk Signals and Policy Behavior
Identity Protection generates risk signals that the exam tests at a specific level of detail – not just what the signals mean, but how they feed into access decisions.
Sign-in risk reflects the probability that a specific authentication request wasn’t made by the legitimate user. Atypical travel, anonymous IP address, malware-linked IP and unfamiliar sign-in properties are all sign-in risk detections. The exam tests which detection type fits a described scenario – a user signing in from two geographically distant locations within an hour is atypical travel, not an anonymous IP detection.
User risk reflects the probability that a user account is compromised. Leaked credentials – where a username and password pair appears in a known breach database – is the most heavily tested user risk detection. The exam presents a scenario where a user’s credentials appear in a dark web dump and asks which risk level is assigned and what the remediation workflow looks like.
Risk-based Conditional Access policies are where Identity Protection connects to enforcement. A sign-in risk policy can require MFA when sign-in risk is medium or higher. A user risk policy can require a password change when user risk is high. The exam tests what happens when these policies aren’t configured – risk detections occur but no enforcement happens, because Identity Protection doesn’t block access on its own.
Risk remediation is tested too. A user can remediate sign-in risk by completing MFA – this confirms the sign-in was legitimate and dismisses the risk. User risk remediation requires a secure password change. An admin can manually dismiss risk or confirm compromise. The exam uses these remediation paths in scenarios about clearing risk states and restoring access.
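The risk-based policies and remediation paths above, as an added example written for this article (not code from the article or from Microsoft). It creates the two risk-based Conditional Access policies in report-only mode, maps the detection types named above to their Graph values, lists risky users and shows the two admin remediation calls. The break-glass group ID is a placeholder.

```powershell
# Added example, not from the original article. Requires the Microsoft.Graph module
# and an Entra ID P2 licence for Identity Protection risk data.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "IdentityRiskEvent.Read.All", "IdentityRiskyUser.ReadWrite.All"
$breakGlassGroupId = "00000000-0000-0000-0000-000000000001"   # placeholder

# Sign-in risk policy: medium or high sign-in risk => MFA. Completing MFA remediates the
# sign-in risk, because it confirms the legitimate user made the request.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA10 - Sign-in risk medium/high: require MFA"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users            = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications     = @{ includeApplications = @("All") }
        clientAppTypes   = @("all")
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# User risk policy: high user risk => secure password change. Graph only accepts
# passwordChange together with mfa under AND; MFA on its own never clears user risk.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA11 - User risk high: require password change"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        userRiskLevels = @("high")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
}

# Detection names as Graph reports them. Two distant locations in a short window is
# 'unlikelyTravel' (atypical travel); Tor or anonymiser egress is 'anonymizedIPAddress';
# a credential pair seen in a breach dump is 'leakedCredentials' (user risk, always high).
Get-MgRiskDetection -Filter "riskEventType eq 'unlikelyTravel' or riskEventType eq 'anonymizedIPAddress' or riskEventType eq 'leakedCredentials'" -Top 20 |
    Select-Object UserPrincipalName, RiskEventType, RiskLevel, RiskState, DetectedDateTime

# Users still at risk. Without CA11 above these accounts keep working: Identity Protection
# records risk, it does not block on its own.
$risky = Get-MgRiskyUser -Filter "riskLevel eq 'high' and riskState eq 'atRisk'"
$risky | Select-Object UserPrincipalName, RiskLevel, RiskState, RiskLastUpdatedDateTime

# Admin remediation, one or the other per user:
#   confirm compromise -> user risk becomes high and the user risk policy fires
#   dismiss            -> riskState becomes 'dismissed', no password change is demanded
# Confirm-MgRiskyUserCompromised -UserIds @($risky[0].Id)
# Invoke-MgDismissRiskyUser      -UserIds @($risky[0].Id)
```

Leaving the two policies in report-only mode reproduces the failure the exam likes best: the risk detections appear in the risky users report, the sign-in log shows a report-only result, and nobody is prompted or blocked.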
How Conditional Access, MFA and Identity Protection Work as a Framework
This is the integration point the exam builds its hardest scenarios around.
A user signs in from an unfamiliar location. Identity Protection detects an anonymous IP and raises the sign-in risk to medium. A Conditional Access policy targeting medium sign-in risk requires MFA. The user completes MFA. The sign-in risk is remediated. Access is granted.
Now introduce a failure. The Conditional Access policy exists but is in report-only mode – no enforcement happens. Or the user is excluded from the policy – no MFA prompt appears. Or the user hasn’t registered for MFA – the MFA requirement blocks access entirely instead of prompting.
Each of those failures is an exam scenario. The question describes a symptom and asks you to identify the cause. Candidates who studied each component separately struggle here because the symptom doesn’t point directly to one feature – it requires tracing the decision chain from detection through policy evaluation to enforcement.
Exam Scenarios That Appear Repeatedly
A Conditional Access policy requiring MFA isn't prompting a specific user – check whether the user is in an exclusion group, whether the sign-in came from an excluded named location, or whether an existing MFA claim (from per-user MFA or a remembered device) already satisfies the requirement so no new prompt is needed. A risky sign-in isn't being blocked despite an Identity Protection policy – the Conditional Access policy linked to the risk signal is in report-only mode, so it is evaluated but not enforced.
A user is blocked from signing in despite completing MFA – user risk is high and the user risk policy requires a password change, not just MFA completion; if self-service password reset isn't available to that user, an admin must reset the password or dismiss the risk. An organization wants to test a new Conditional Access policy without affecting users – report-only mode is the correct approach before enabling enforcement.
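The diagnostic chain these scenarios describe, as an added example written for this article (not code from the article or from Microsoft). It reads one user's recent sign-ins and, for every Conditional Access policy evaluated, explains the recorded result in the terms used above: report-only, not applied (exclusion or condition mismatch), disabled, or enforced. The user principal name is a placeholder; the error code comments reflect the two codes a practitioner sees most and are not exhaustive.

```powershell
# Added example, not from the original article. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"
$upn = "user@contoso.example"   # placeholder

$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 10
foreach ($s in $signIns) {
    # Status.ErrorCode: 0 = success, 50074 = strong authentication required, 53003 = blocked by CA.
    # AuthenticationRequirement tells you whether MFA was demanded at all for this sign-in.
    "{0}  app={1}  error={2}  authReq={3}  caStatus={4}  signInRisk={5}  riskState={6}" -f `
        $s.CreatedDateTime, $s.AppDisplayName, $s.Status.ErrorCode, $s.AuthenticationRequirement,
        $s.ConditionalAccessStatus, $s.RiskLevelDuringSignIn, $s.RiskState

    foreach ($p in $s.AppliedConditionalAccessPolicies) {
        # Result values: success, failure, notApplied, notEnabled,
        # reportOnlySuccess, reportOnlyFailure, reportOnlyNotApplied, reportOnlyInterrupted
        $verdict = switch -Wildcard ($p.Result) {
            "reportOnly*" { "evaluated only: policy is report-only, nothing enforced" }
            "notApplied"  { "did not match: check user/group exclusions, location, app and client app type" }
            "notEnabled"  { "policy is disabled" }
            "failure"     { "enforced and not satisfied: blocked, or a grant control was unmet" }
            "success"     { "enforced and satisfied" }
            default       { $p.Result }
        }
        "    [{0,-22}] {1}: {2} (controls: {3})" -f $p.Result, $p.DisplayName, $verdict, ($p.EnforcedGrantControls -join ",")
    }
}
```

Read the three fields together: a `medium` sign-in risk with a risk policy showing `reportOnlyFailure` is the "risky sign-in not blocked" scenario, `notApplied` on the MFA policy with `singleFactorAuthentication` is the exclusion scenario, and `atRisk` user state with a blocked sign-in after MFA is the password-change scenario.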
Reinforcing these decision chains with Exam Dumps for Microsoft MS-102 Exam that reflect the exam’s scenario-based format builds the diagnostic reasoning the MS-102 rewards – not just familiarity with individual features.
Access Reviews and Privileged Identity Management
These two features extend the identity framework and appear in MS-102 scenarios more than candidates expect.
Access Reviews automate the process of validating whether users still need access to specific resources. An Access Review can be configured for group membership, application assignments, or Azure AD (Microsoft Entra) role assignments. The exam tests what happens when a reviewer doesn't respond – the review's "if reviewers don't respond" setting decides whether access is left unchanged, removed, approved or set to the system recommendation, and a separate "auto apply results" setting decides whether that decision is actually applied to the resource or merely recorded. Knowing which default applies is a direct question: with no default decision configured, a silent reviewer leaves access exactly as it was.
Privileged Identity Management controls how privileged roles are assigned. Just-in-time access means eligible users must activate their role before using it – the role isn’t permanently assigned. The exam tests activation requirements – an eligible user who hasn’t activated their role can’t perform privileged actions even though the role is assigned. That distinction between eligible and active assignment catches candidates who haven’t studied PIM specifically.
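The review default and the eligible-versus-active distinction above, as an added example written for this article (not code from the article or from Microsoft). It creates a quarterly group membership review whose non-responding reviewer removes access and auto-applies, makes a principal eligible for Global Administrator in PIM, shows the self-activation request the user must submit, and lists what is actually active. The group, reviewer and principal IDs are placeholders; the role ID is the published Global Administrator role template.

```powershell
# Added example, not from the original article. Requires the Microsoft.Graph module and
# Entra ID P2. All GUIDs except the role template are placeholders.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All", "RoleEligibilitySchedule.ReadWrite.Directory", "RoleAssignmentSchedule.ReadWrite.Directory"

$groupId     = "00000000-0000-0000-0000-000000000001"   # placeholder: group under review
$reviewerId  = "00000000-0000-0000-0000-000000000002"   # placeholder: reviewer
$principalId = "00000000-0000-0000-0000-000000000003"   # placeholder: admin made eligible
$roleDefId   = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator role template

# Quarterly review of a group's members. defaultDecision is what a non-responding reviewer
# "decides" ("None" leaves access unchanged); autoApplyDecisionsEnabled makes it real.
New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter @{
    displayName = "Quarterly review - Finance-Approvers"
    scope       = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$groupId/transitiveMembers"
        queryType     = "MicrosoftGraph"
    }
    reviewers   = @(@{ query = "/users/$reviewerId"; queryType = "MicrosoftGraph" })
    settings    = @{
        defaultDecisionEnabled    = $true
        defaultDecision           = "Deny"
        autoApplyDecisionsEnabled = $true
        mailNotificationsEnabled  = $true
        instanceDurationInDays    = 14
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3 }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}

# PIM: eligible assignment. Eligible is not active; nothing privileged works until activation.
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = "adminAssign"
    justification    = "Tier-0 admin, just-in-time only"
    principalId      = $principalId
    roleDefinitionId = $roleDefId
    directoryScopeId = "/"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "P365D" }
    }
}

# What the eligible user submits to activate for four hours. The role's PIM settings may
# additionally demand MFA, a justification or approval before the assignment becomes active.
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = "selfActivate"
    justification    = "Change ticket: tenant configuration window"
    principalId      = $principalId
    roleDefinitionId = $roleDefId
    directoryScopeId = "/"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "PT4H" }
    }
}

# Active now (instances) versus merely eligible: this is the distinction the scenario tests.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "principalId eq '$principalId'" |
    Select-Object RoleDefinitionId, AssignmentType, StartDateTime, EndDateTime
Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter "principalId eq '$principalId'" |
    Select-Object RoleDefinitionId, StartDateTime, EndDateTime
```

If the last query returns the role and the one before it does not, the user is eligible but not active, which is exactly why "the role is assigned but the admin can't do anything" is the expected behaviour rather than a bug.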
The Bottom Line
Identity and access on the MS-102 is tested as a connected framework, not a feature list. Conditional Access evaluates conditions and enforces controls. Identity Protection generates risk signals that feed those conditions. MFA sits at the enforcement layer but depends on registration and method configuration to work correctly.
Understand how a failure in any one layer affects the others. Build that diagnostic thinking, then test it against real exam scenarios. That's the preparation the MS-102 rewards.