Microsoft 365 Administrator interviews test your knowledge across Exchange Online, Teams, SharePoint, Entra ID, and Defender. These are the questions hiring managers actually ask.
M365 Admin interviews range from "explain what a distribution list is" (help desk level) to "design a Conditional Access policy that blocks legacy auth without locking out MFA-registered users" (senior admin level). Know which level you're interviewing for — the questions scale significantly.
Start in the Exchange Admin Centre with Message Trace — search by sender for the last 48 hours. If the message shows "Failed" or "Filtered as spam", expand to see the reason. Common causes: (1) A mail flow rule is blocking the message — check Transport Rules for rules that reject, delete or redirect based on sender/recipient/content. (2) The sender has been blocked for outbound spam (the Restricted users list in the Defender portal) or the tenant's outbound IP reputation or outbound connector settings are at fault. (3) A DLP policy is preventing external sending for content matching a sensitive information type. (4) The domain's SPF/DKIM/DMARC records are misconfigured, causing the receiving server to reject. Check MXToolbox for the external domain's MX and SPF records.
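The same trace, scripted. This is an added example rather than code from the original page; it assumes the Exchange Online PowerShell module is installed and your role includes Message Tracking, and the sender address is a placeholder.

```powershell
# Added example: trace one sender's mail for the last 48 hours, pull the per-hop
# detail for anything that did not reach the recipient, then list the transport
# rules able to reject, delete or redirect mail. Sender address is a placeholder.
Connect-ExchangeOnline

$sender = 'alice@contoso.example'   # placeholder sender
$end    = Get-Date
$start  = $end.AddHours(-48)

# Get-MessageTrace covers the last 10 days and pages at 5000 rows (-PageSize/-Page).
$trace = Get-MessageTrace -SenderAddress $sender -StartDate $start -EndDate $end

# Quick picture: how many Delivered / Failed / FilteredAsSpam / Quarantined / Pending
$trace | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# Anything not Delivered gets its detail events, which name the rule or filter involved.
$suspect = $trace | Where-Object { $_.Status -ne 'Delivered' }
foreach ($m in $suspect) {
    Write-Host "`n$($m.Received)  $($m.RecipientAddress)  [$($m.Status)]  $($m.Subject)"
    Get-MessageTraceDetail -MessageTraceId $m.MessageTraceId -RecipientAddress $m.RecipientAddress |
        Sort-Object Date |
        Select-Object Date, Event, Action, Detail |
        Format-Table -AutoSize -Wrap
}

# Enabled transport rules whose action can stop or divert a message.
Get-TransportRule | Where-Object {
        $_.State -eq 'Enabled' -and
        ($_.RejectMessageReasonText -or $_.DeleteMessage -or $_.RedirectMessageTo -or $_.Quarantine)
    } | Select-Object Name, Priority, RejectMessageReasonText, DeleteMessage, RedirectMessageTo, Quarantine
```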
A shared mailbox is a full mailbox that multiple users can send from and receive into, accessed via Outlook without a dedicated licence (up to 50 GB without licence, 100 GB with Exchange Plan 2). It has its own email address. A distribution list (or M365 Group) is an address that forwards email to all members — it doesn't store messages itself. Use shared mailboxes for: team inboxes (support@, info@), where staff need to see and respond to messages. Use distribution lists for: announcements and newsletters, where you just need to reach a group.
SPF (Sender Policy Framework) specifies which IP addresses are authorised to send email for your domain. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing messages that receiving servers verify using a public key in DNS — proves the message wasn't altered in transit. DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receiving servers what to do when SPF or DKIM fails — quarantine, reject, or none — and provides reporting. When all three are configured and aligned, email spoofing your domain becomes extremely difficult. DMARC alignment requires the From domain to match either the SPF-authenticated domain or the DKIM signing domain.
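A DNS check that reads all three records and flags the weak settings described above. This is an added example, not code from the original page; it assumes Windows PowerShell with the DnsClient module (Resolve-DnsName), the domain is a placeholder, and selector1/selector2 are the selector names Microsoft 365 publishes for its own DKIM signing.

```powershell
# Added example: pull SPF, DKIM and DMARC records for a domain and report findings.
function Get-TxtRecord {
    param([string]$Name)
    try {
        # Long TXT records arrive as several strings; join them back into one record.
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { -join $_.Strings }
    } catch { @() }
}

function Test-MailAuthRecords {
    param([string]$Domain, [string[]]$DkimSelectors = @('selector1', 'selector2'))
    $findings = @()

    $spf = @(Get-TxtRecord $Domain | Where-Object { $_ -like 'v=spf1*' })
    if ($spf.Count -eq 0)        { $findings += 'SPF: no v=spf1 record published' }
    elseif ($spf.Count -gt 1)    { $findings += 'SPF: more than one v=spf1 record (receivers treat this as PermError)' }
    elseif ($spf[0] -match '\+all')       { $findings += 'SPF: +all authorises every sender; use -all or ~all' }
    elseif ($spf[0] -notmatch '-all\s*$') { $findings += "SPF: ends in softfail/neutral ($($spf[0]))" }

    # Microsoft 365 publishes the key behind a CNAME; -Type TXT follows it.
    foreach ($s in $DkimSelectors) {
        $dkim = @(Get-TxtRecord "$s._domainkey.$Domain" | Where-Object { $_ -match 'p=' })
        if ($dkim.Count -eq 0)             { $findings += "DKIM: selector '$s' has no key published (signing not enabled?)" }
        elseif ($dkim[0] -match 'p=(;|$)') { $findings += "DKIM: selector '$s' key is revoked (empty p=)" }
    }

    $dmarc = @(Get-TxtRecord "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' })
    if ($dmarc.Count -eq 0) { $findings += 'DMARC: no record, so SPF/DKIM failures carry no instruction' }
    else {
        $d = $dmarc[0]
        if ($d -match 'p=none')  { $findings += 'DMARC: p=none only monitors; move to quarantine/reject once reports are clean' }
        if ($d -notmatch 'rua=') { $findings += 'DMARC: no rua= address, so no aggregate reports are received' }
        if ($d -match 'pct=(\d+)' -and [int]$Matches[1] -lt 100) { $findings += "DMARC: only pct=$($Matches[1]) of mail is policed" }
    }

    [pscustomobject]@{ Domain = $Domain; SPF = $spf; DMARC = $dmarc; Findings = $findings }
}

Test-MailAuthRecords -Domain 'contoso.example' | Format-List
```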
Conditional Access is Azure AD's (Entra ID's) policy engine — it evaluates signals (user, device, location, app, risk) and enforces access controls (require MFA, compliant device, block). To design without lockouts: always test in Report-only mode first, exclude the break-glass account and service accounts, exclude the Microsoft Intune Enrolment application from device compliance requirements (or users can never enrol), and pilot on a test group before broad deployment. The most common lockout scenario: enabling "require compliant device" for all users when most aren't enrolled in Intune — always scope by group first.
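The senior-level version of the question (block legacy authentication without lockouts) as a Graph PowerShell policy, plus a guard rail that lists any enforced policy targeting All users with no break-glass exclusion. This is an added example, not code from the original page; it assumes the Microsoft Graph PowerShell SDK, and the pilot group and break-glass object IDs are placeholders.

```powershell
# Added example: create a legacy-auth block in report-only mode, scoped to a pilot group,
# with the break-glass account excluded, then check existing policies for lockout risk.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$breakGlass = @('<break-glass-user-object-id>')   # placeholder
$pilotGroup = '<pilot-group-object-id>'            # placeholder

$policy = @{
    displayName = 'Block legacy authentication (report-only pilot)'
    # Report-only first: sign-in logs show what WOULD be blocked, nothing is enforced yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeGroups = @($pilotGroup); excludeUsers = $breakGlass }
        applications = @{ includeApplications = @('All') }
        # Legacy clients cannot perform MFA; these two client types are exactly those clients,
        # so MFA-registered users on modern clients are untouched.
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
$new = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($new.Id) in state $($new.State)"

# Guard rail: enforced policies that include All users but do not exclude the break-glass account.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object {
        $_.State -eq 'enabled' -and
        $_.Conditions.Users.IncludeUsers -contains 'All' -and
        -not ($_.Conditions.Users.ExcludeUsers | Where-Object { $breakGlass -contains $_ })
    } |
    Select-Object DisplayName, Id, @{n='Controls';e={$_.GrantControls.BuiltInControls -join ','}}
```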
This is a likely account compromise. Immediate actions: (1) In Entra ID → Users → select user → Revoke sessions (invalidates all existing tokens). (2) Reset the user's password. (3) Check sign-in logs for what was accessed after the successful login — look for mailbox access, SharePoint downloads, or admin portal activity. (4) Check if any mail forwarding rules were created in the mailbox (a common persistence mechanism). (5) If sensitive data was accessed, escalate to your security/legal team for potential breach notification assessment. (6) Enable MFA if not already enabled. Report the sign-in as compromised in Identity Protection to improve Microsoft's threat intelligence.
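Steps (1), (3) and (4) scripted for one account. This is an added example, not code from the original page; it assumes the Microsoft Graph PowerShell SDK and Exchange Online module, the roles those cmdlets require, an Entra ID P1/P2 licence for reading sign-in logs through Graph, and a placeholder UPN.

```powershell
# Added example: contain one suspected-compromised account and hunt for persistence.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All', 'Directory.Read.All'
Connect-ExchangeOnline

$upn   = 'alice@contoso.example'   # placeholder
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# (1) Revoke sessions: refresh tokens are invalidated immediately; already-issued access
#     tokens live out their remaining lifetime (typically up to an hour).
Revoke-MgUserSignInSession -UserId $upn | Out-Null
# (2) Reset the password next (portal, or Update-MgUser -PasswordProfile).

# (3) What happened after the successful login? One week of sign-ins for the user.
Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since" |
    Select-Object CreatedDateTime, IPAddress,
        @{n='Country'; e={$_.Location.CountryOrRegion}},
        AppDisplayName,
        @{n='ErrorCode'; e={$_.Status.ErrorCode}} |   # 0 = success
    Sort-Object CreatedDateTime | Format-Table -AutoSize

# (4) Persistence hunt: inbox rules that forward, redirect or silently delete mail
#     (-IncludeHidden also returns rules hidden from Outlook's rules dialog),
#     plus mailbox-level forwarding set by Set-Mailbox.
$rules = Get-InboxRule -Mailbox $upn -IncludeHidden |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage }
$rules | Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage |
    Format-Table -AutoSize
Get-Mailbox -Identity $upn |
    Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# After review, remove the rules the user did not create (and clear mailbox forwarding):
# $rules | ForEach-Object { Remove-InboxRule -Mailbox $upn -Identity $_.Identity -Confirm:$false }
# Set-Mailbox -Identity $upn -ForwardingSmtpAddress $null -ForwardingAddress $null
```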
By default, all licensed users can create Microsoft 365 Groups, which creates a Team. To restrict: in Azure AD, create a security group of users who ARE allowed to create groups. Then use PowerShell to set the group creation policy: Set-AzureADDirectorySetting with EnableGroupCreation = false and GroupCreationAllowedGroupId set to your allowed group's object ID. This restricts M365 Group creation (and therefore Team creation) to only that group. Note: this also affects Planner, SharePoint team sites, and Yammer Communities.
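The same change through the Microsoft Graph PowerShell SDK, which replaces the deprecated AzureAD module's Set-AzureADDirectorySetting. This is an added example, not code from the original page; it assumes the Microsoft.Graph.Beta modules (the directory-settings endpoint is beta-only) and a placeholder security group name.

```powershell
# Added example: restrict Microsoft 365 Group (and therefore Team) creation to one
# security group, creating the Group.Unified setting object if the tenant lacks one.
Connect-MgGraph -Scopes 'Directory.ReadWrite.All', 'Group.Read.All'

$allowedGroupName = 'GroupCreators'   # placeholder security group
$groupId = (Get-MgGroup -Filter "displayName eq '$allowedGroupName'").Id
if (-not $groupId) { throw "Security group '$allowedGroupName' not found" }

# Look the template up by name rather than hard-coding its GUID.
$template = Get-MgBetaDirectorySettingTemplate | Where-Object DisplayName -eq 'Group.Unified'
$values = @(
    @{ name = 'EnableGroupCreation';         value = 'false'  }
    @{ name = 'GroupCreationAllowedGroupId'; value = $groupId }
)

$existing = Get-MgBetaDirectorySetting | Where-Object DisplayName -eq 'Group.Unified'
if ($existing) {
    Update-MgBetaDirectorySetting -DirectorySettingId $existing.Id `
        -BodyParameter @{ templateId = $template.Id; values = $values }
} else {
    New-MgBetaDirectorySetting -BodyParameter @{ templateId = $template.Id; values = $values } | Out-Null
}

# Verify what the tenant now holds.
$wanted = 'EnableGroupCreation', 'GroupCreationAllowedGroupId'
(Get-MgBetaDirectorySetting | Where-Object DisplayName -eq 'Group.Unified').Values |
    Where-Object { $wanted -contains $_.Name } |
    Select-Object Name, Value
```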
Sensitivity labels (Microsoft Purview) classify and protect content. Applied to a SharePoint site, a label can enforce: external sharing settings (who can share outside the org), device access controls (unmanaged devices get browser-only access), private channel creation restrictions, and Teams meeting settings. Files labelled with protection (encryption + access rights) carry their protection wherever they go — if a file labelled "Confidential" is downloaded and emailed, the protection travels with it. For this to work, Azure AD Rights Management must be active and the label must be configured with encryption.
Get-Mailbox -ResultSize Unlimited | Get-MailboxFolderStatistics -FolderScope Inbox | Where-Object {$_.ItemsInFolder -gt 50000} | Select-Object Identity, ItemsInFolder. Get-MailboxFolderStatistics takes one mailbox at a time and does not accept a wildcard Identity, so pipe the output of Get-Mailbox -ResultSize Unlimited into it (or loop with ForEach-Object). For large environments this is slow. In practice, schedule it as a report via a PowerShell runbook in Azure Automation rather than running it ad hoc.
Import the CSV with $users = Import-Csv "users.csv". For each user, use Set-MgUserLicense from the Microsoft Graph PowerShell module (the legacy Set-MsolUserLicense is being retired). Better practice for production: use group-based licensing — assign the licence to an Azure AD group, then add users to the group. Microsoft automatically assigns and removes licences as group membership changes. This is more maintainable than per-user scripting.
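A per-user assignment loop with the checks that usually cause the script to fail halfway (unknown SKU, no free units, missing usage location). This is an added example, not code from the original page; it assumes the Microsoft Graph PowerShell SDK, and the CSV rows are constructed sample input with placeholder users.

```powershell
# Added example: assign licences from a CSV with Set-MgUserLicense, validating first.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'

# Constructed sample input; in practice: $users = Import-Csv 'users.csv'
$users = @'
UserPrincipalName,UsageLocation,SkuPartNumber
alice@contoso.example,GB,SPB
bob@contoso.example,US,ENTERPRISEPACK
'@ | ConvertFrom-Csv

$skus = Get-MgSubscribedSku            # SkuPartNumber, SkuId, PrepaidUnits, ConsumedUnits
$used = @{}                            # units consumed by this run, per SKU

foreach ($u in $users) {
    $sku = $skus | Where-Object SkuPartNumber -eq $u.SkuPartNumber
    if (-not $sku) { Write-Warning "$($u.UserPrincipalName): unknown SKU '$($u.SkuPartNumber)'"; continue }

    $free = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits - [int]$used[$sku.SkuId]
    if ($free -le 0) { Write-Warning "$($u.UserPrincipalName): no free $($u.SkuPartNumber) units"; continue }

    try {
        # A usage location is mandatory before any licence can be assigned.
        Update-MgUser -UserId $u.UserPrincipalName -UsageLocation $u.UsageLocation -ErrorAction Stop
        # Both parameters are required; an empty RemoveLicenses array leaves other licences alone.
        Set-MgUserLicense -UserId $u.UserPrincipalName `
            -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @() -ErrorAction Stop | Out-Null
        $used[$sku.SkuId] = [int]$used[$sku.SkuId] + 1
        Write-Host "OK   $($u.UserPrincipalName) -> $($u.SkuPartNumber)"
    } catch {
        Write-Warning "$($u.UserPrincipalName): $($_.Exception.Message)"
    }
}
```

For group-based licensing, the loop collapses to New-MgGroupMember -GroupId <licensed-group-id> -DirectoryObjectId <user-id> per row, and Entra ID handles the assignment.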
Practice all 13 M365 admin scenario questions in InterviUni's M365 Administrator mock interview. You'll get scored feedback on every answer.