M365 Support Engineer (L2) – Real Interview Questions & Answers Enterprise Scenarios


This article is based on real interview questions shared by a candidate after clearing multiple technical rounds for an L2 Microsoft 365 Support role.

These questions reflect actual enterprise-level scenarios covering Entra ID (Azure AD), Exchange Hybrid, Intune, Security, Compliance, and Microsoft Purview.

If you are working as an L2 M365 Support Engineer or preparing for internal movement or job change, this guide will help you understand what interviewers expect and how to answer confidently.


Azure AD Connect & Identity Synchronization

1. What issues have you faced with Azure AD Connect, and how did you troubleshoot them?

Common Issues

  • Objects not syncing to Azure AD
  • Password hash sync delays
  • Duplicate users
  • Sync service stopped or staging mode confusion

My Troubleshooting Approach

  1. Check Azure AD Connect Health
  2. Verify Sync Service Manager (miisclient)
  3. Validate AD attributes (UPN, proxyAddresses)
  4. Review event logs on the AAD Connect server
  5. Run Start-ADSyncSyncCycle

This structured approach helps isolate whether the issue is AD-side, sync engine, or Azure AD-side.

2. What is the difference between Hard Match and Soft Match?

Soft Match (Default)

  • Matching based on UserPrincipalName or primary SMTP address.
  • Happens automatically during first sync.

Hard Match

  • Matching based on immutableId in Azure AD.

Required when:

  • On-prem user was deleted
  • Cloud user recreated
  • Soft match fails

Hard match is used during migration scenarios when automatic matching fails.
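The hard-match procedure above as an added example (not the article's own steps): read the on-prem objectGUID, convert it to the Base64 form Entra Connect uses as the source anchor, stamp it on the cloud-only user, then sync. It assumes the ActiveDirectory and Microsoft.Graph PowerShell modules and uses placeholder names (jdoe, contoso.com).

```powershell
# Added example, not from the article. Placeholder identities: jdoe / contoso.com.
# Step 1 (on-prem): objectGUID -> Base64 ImmutableId. If your tenant uses
# ms-DS-ConsistencyGuid as source anchor, use that attribute's bytes instead
# (by default Entra Connect seeds it from objectGUID, so the value is the same).
$adUser      = Get-ADUser -Identity 'jdoe' -Properties ObjectGUID
$immutableId = [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

# Step 2 (cloud): the target must be cloud-only, and no soft-deleted twin
# with the same UPN may sit in the recycle bin, or the export fails.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.ReadWrite.All'
$cloudUser = Get-MgUser -UserId 'jdoe@contoso.com' `
    -Property Id, UserPrincipalName, OnPremisesSyncEnabled, OnPremisesImmutableId
if ($cloudUser.OnPremisesSyncEnabled) { throw 'User is already synced; hard match not needed.' }
$deleted = Get-MgDirectoryDeletedItemAsUser -Filter "userPrincipalName eq 'jdoe@contoso.com'"
if ($deleted) { throw 'Soft-deleted duplicate exists; purge it first (Remove-MgDirectoryDeletedItem).' }

# Step 3: stamp the anchor, then run a delta cycle on the ACTIVE Entra Connect server:
#   Start-ADSyncSyncCycle -PolicyType Delta
Update-MgUser -UserId $cloudUser.Id -OnPremisesImmutableId $immutableId

# Step 4: verify the cloud object now carries the on-prem anchor
$check = Get-MgUser -UserId $cloudUser.Id -Property OnPremisesImmutableId
if ($check.OnPremisesImmutableId -ne $immutableId) { throw 'ImmutableId not applied.' }
```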


3. What is Password Hash Synchronization (PHS), and how does it work?

Password Hash Synchronization synchronizes a hashed version of the on-prem AD password hash to Azure AD. Authentication happens in the cloud, but passwords remain secure as they are never stored in plain text.

It provides:

  • Simplicity
  • High availability
  • Reduced infrastructure dependency

Flow

  1. AD DS password hash
  2. Rehashed by AAD Connect
  3. Encrypted & sent to Azure AD
  4. Used for cloud authentication 

Used For

  • Backup authentication method
  • Replace ADFS
  • Hybrid Identity

4. What happens if a cloud-only user changes their password when PHS is enabled?

For cloud-only users, the password change is applied directly in Azure AD. PHS does not affect cloud-only users because there is no on-premises identity source.

Exchange Online & Outlook

5. What are hidden folders in Outlook, and why are they important?

Hidden folders in Outlook include:

1. Sync Issues

This folder logs synchronization-related problems between Outlook and Exchange.

2. Conflicts

This folder stores conflicting versions of items when Outlook and Exchange detect simultaneous changes.

3. Local Failures

This folder logs failures where Outlook fails to upload changes to the Exchange server.

4. Server Failures

This folder records failures where the Exchange server rejects changes sent by Outlook.

5. Conversation History

This folder stores:

  • Lync / Skype for Business conversations
  • Microsoft Teams chat history (legacy scenarios)

6. Recoverable Items – Purges

The Purges folder stores items that are permanently deleted by users (Shift+Delete or emptied Deleted Items).

  • Normally emptied after the retention period
  • If Litigation Hold is enabled, items remain preserved

7. Recoverable Items – Versions

The Versions folder stores previous versions of items that were modified.

Used when:

  • Litigation Hold is enabled
  • Retention policies track item changes

This allows investigators to see what was changed and when.

Hidden folders in Outlook and Exchange Online are system-managed folders used for synchronization, conflict resolution, auditing, and compliance. They ensure mailbox integrity, data retention, and legal preservation even when users delete or modify content.

6. Difference between a Security Group and a Mail-Enabled Security Group?

  • Security Group is used for permissions and access control.
  • Mail-Enabled Security Group can be used for both access control and email distribution.

Mail-enabled security groups are commonly used for license assignment, SharePoint access, and notifications.

7. Have you worked on Exchange or Microsoft 365 migration? Explain your role.

I performed mailbox migration batches, resolved migration failures (Match failures, Corrupt items, Large items), monitored migration endpoints, configured Autodiscover, performed hybrid configuration wizard, validated mail flow, and resolved throttling issues.

Microsoft Intune (Endpoint Management) 

8. What types of policies are available in Microsoft Intune?

  • Configuration Profiles
  • Compliance Policies
  • App Protection (MAM)
  • Endpoint Security Policies
  • Update Policies
  • Device Restriction Policies
  • Enrollment Restrictions
  • Conditional Access (with Entra ID)

Each policy serves a different purpose related to security, configuration, and compliance.

9. Difference between Configuration and Compliance policies?

  • Configuration policies define how a device should be set up.
  • Compliance policies define rules to evaluate device health.

Compliance policies are typically used with Conditional Access.

10. How does device enrolment work in Intune?

Devices can be enrolled via:

  • Azure AD Join
  • Hybrid Azure AD Join
  • Company Portal
  • Apple DEP / Android Zero-touch

Prerequisites include:

  • Valid Intune license
  • Proper enrolment restrictions
  • Device platform support

Data Loss Prevention (DLP) & Compliance

11. What is a DLP policy and its purpose?

A DLP policy prevents sensitive data leakage by:

  • Detecting sensitive information
  • Blocking sharing or emailing
  • Alerting administrators

It is used across Exchange, SharePoint, OneDrive, and Teams.

12. How do you block random or custom number patterns in DLP?

By creating a Custom Sensitive Information Type (CustSIT) using:

  • Regular expressions
  • Supporting elements
  • Confidence levels

This is useful for:

  • Employee IDs
  • Internal account numbers
  • Non-standard identifiers

13. What is a Sensitive Information Type (SIT)?

A SIT is a predefined or custom pattern used by DLP to detect sensitive data such as:

  • Credit card numbers
  • PAN
  • Passport numbers
  • Employee IDs

SITs are the foundation of DLP policies.

14. What if a mailbox and archive are full and Litigation Hold is enabled?

In this case:

  • Data cannot be deleted permanently

The solution is to:

  • Increase archive storage
  • Enable auto-expanding archive
  • Review retention policies

Deleting data is not allowed when Litigation Hold is active.
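Questions 5 and 14 in practice, as an added example that is not from the article: Exchange Online PowerShell (Connect-ExchangeOnline) to confirm the hold, measure the hidden Recoverable Items subfolders in the primary and archive mailbox, and enable auto-expanding archive; the mailbox address is a placeholder.

```powershell
# Added example, not from the article. Placeholder mailbox.
$mbx = 'jdoe@contoso.com'

# Hold and quota state. Under a hold, Purges/Versions are never emptied and
# count against RecoverableItemsQuota (raised to 100 GB when a hold is applied).
Get-Mailbox -Identity $mbx | Format-List LitigationHoldEnabled, LitigationHoldDuration,
    InPlaceHolds, ArchiveStatus, AutoExpandingArchiveEnabled,
    RecoverableItemsQuota, RecoverableItemsWarningQuota

# Size of each hidden subfolder (Deletions, Versions, Purges, DiscoveryHolds)
Get-MailboxFolderStatistics -Identity $mbx -FolderScope RecoverableItems |
    Select-Object Name, ItemsInFolder, FolderSize

# Same view for the archive mailbox
Get-MailboxFolderStatistics -Identity $mbx -Archive -FolderScope RecoverableItems |
    Select-Object Name, ItemsInFolder, FolderSize

# Remedy when the archive is full under hold: auto-expanding archive.
# This is one-way (cannot be turned off for the mailbox afterwards).
Enable-Mailbox -Identity $mbx -AutoExpandingArchive
```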

Hybrid Exchange & Mail Flow

15. How does centralized mail flow work in hybrid Exchange?

Centralized Mail Flow routes:

  • Outbound emails from Exchange Online → On-prem → Internet
  • Inbound emails → On-prem → Exchange Online

This allows consistent compliance and security controls.

16. Mail flow scenarios in hybrid setup

  • EXO → Internet: Direct via EXO or via on-prem (if centralized)
  • Internet → EXO mailbox: MX → EXO Protection → Mailbox
  • Large hybrid org: Cloud users receive mail via EXO, on-prem users via Exchange servers
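To verify which of the routes above a hybrid tenant actually uses, an added example (not from the article) in Exchange Online PowerShell: read the on-premises connectors, then trace a message end to end; the addresses are placeholders.

```powershell
# Added example, not from the article. Placeholder addresses.
# Outbound: RouteAllMessagesViaOnPremises = True is centralized mail transport
# (all Internet-bound mail from EXO goes through on-prem first).
Get-OutboundConnector | Where-Object ConnectorType -eq 'OnPremises' |
    Format-List Name, Enabled, RouteAllMessagesViaOnPremises, SmartHosts, TlsSettings, RecipientDomains

# Inbound: the connector that accepts mail from on-prem servers
# (TLS required, sender matched by certificate name)
Get-InboundConnector | Where-Object ConnectorType -eq 'OnPremises' |
    Format-List Name, Enabled, RequireTls, TlsSenderCertificateName, SenderDomains

# Trace a message to confirm the path it took (Event column shows Receive /
# Send / Deliver hops). Newer tenants expose Get-MessageTraceV2 and
# Get-MessageTraceDetailV2 with the same parameters.
Get-MessageTrace -SenderAddress 'jdoe@contoso.com' -RecipientAddress 'partner@fabrikam.com' `
    -StartDate (Get-Date).AddHours(-24) -EndDate (Get-Date) |
    ForEach-Object {
        Get-MessageTraceDetail -MessageTraceId $_.MessageTraceId -RecipientAddress $_.RecipientAddress
    } | Select-Object Date, Event, Detail
```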


Azure AD Connect Architecture (Enterprise)

17. How many Azure AD Connect servers are needed for 100k+ users?

Typically:

  • 1 Active AAD Connect server
  • 1 Staging server for failover

Design depends on:

  • User count
  • Object count
  • Sync frequency
  • High availability requirements

18. Additional components needed for resiliency

  • SQL Server HA
  • Load-balanced ADFS (if used)
  • Multiple DCs
  • Azure AD Connect Staging server
  • Dedicated Sync Service Account

19. How do you troubleshoot an object not syncing?

  1. Check AAD Connect Health
  2. Validate object in Sync Service Manager
  3. Check attribute filtering
  4. Review synchronization rules
  5. Validate OU filtering
  6. Check for a mail contact or other object that already has the same username or proxy address (a duplicate blocks the export)

20. Where can you check active vs staging AAD Connect servers?

Go to Microsoft Entra admin center → Entra → Entra Connect → Connect Sync → Health and analytics → Sync Services, then click your default tenant name.

Here you can see all your Entra Connect servers. To identify which server is active and which is staging, click any server and check whether it is exporting data: the server that shows exports is the active one, and the server showing no exports is the staging server.
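Questions 1, 19 and 20 from the server side, as an added example that is not from the article: the ADSync and ActiveDirectory module checks to tell staging from active, confirm the object reached the connector space, find a duplicate proxy address, read sync-engine errors and force a delta cycle. Connector name, DN and addresses are placeholders.

```powershell
# Added example, not from the article. Run on the Entra Connect server.
# StagingModeEnabled = True: this server imports and syncs but never exports.
Get-ADSyncScheduler | Select-Object StagingModeEnabled, SyncCycleEnabled,
    SyncCycleInProgress, NextSyncCycleStartTimeInUTC

# Which connectors exist and whether a run is in progress
Get-ADSyncConnector | Select-Object Name, ConnectorTypeName
Get-ADSyncConnectorRunStatus

# Is the object in the AD connector space at all? If nothing is returned,
# suspect OU filtering, attribute filtering or an out-of-scope object.
$dn = 'CN=John Doe,OU=Users,DC=contoso,DC=com'     # placeholder DN
Get-ADSyncCSObject -ConnectorName 'contoso.com' -DistinguishedName $dn |
    Format-List DistinguishedName, ObjectType, IsConnector

# A second object (user, group or mail contact) with the same proxyAddress
# or mail value produces an export error for the user.
$addr = 'jdoe@contoso.com'                          # placeholder address
Get-ADObject -LDAPFilter "(|(proxyAddresses=smtp:$addr)(mail=$addr))" `
    -Properties objectClass, proxyAddresses, mail |
    Select-Object DistinguishedName, objectClass

# Sync-engine errors in the Application log (source: Directory Synchronization)
Get-WinEvent -FilterHashtable @{ LogName = 'Application'
                                 ProviderName = 'Directory Synchronization'
                                 Level = 2 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message

# After fixing the cause, force a delta cycle (on the ACTIVE server only)
Start-ADSyncSyncCycle -PolicyType Delta
```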

Microsoft Purview & Information Protection

21. How have you implemented compliance? (sample)

I configured retention labels, DLP policies, sensitivity labels, audit log search, insider risk policies, and monitored activity alerts. 

22. Behavior of Sensitivity Labels: Public / Internal / Confidential

  1. Public: No restrictions
  2. Internal: Limited sharing
  3. Confidential: Encryption, access restrictions, watermarking

23. How does encryption work in M365?

Data at Rest

  • BitLocker
  • Azure Storage Encryption
  • Distributed Key Encryption

Data in Transit

  • TLS
  • HTTPS
  • S/MIME
  • OME (Office Message Encryption) 

24. What is Microsoft Information Protection (MIP)?

Microsoft Information Protection

  • Framework within Purview
  • Handles classification, labeling, encryption

Integrated with:

  • SharePoint
  • Exchange
  • OneDrive
  • Teams

25. How do you combine sensitivity labels with mail flow rules?

By creating Exchange transport rules that:

  • Detect sensitivity labels
  • Block or restrict external emails
  • Notify users
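An added example of such a rule (not the article's own configuration): labelled mail carries an msip_labels header containing MSIP_Label_<label GUID>_Enabled=true, so a mail flow rule can match on it. It assumes Security & Compliance PowerShell for Get-Label, Exchange Online PowerShell for New-TransportRule, and a label named "Confidential" as a placeholder.

```powershell
# Added example, not from the article. Placeholder label name 'Confidential'.
# 1. Look up the label GUID (Connect-IPPSSession)
$label  = Get-Label | Where-Object DisplayName -eq 'Confidential'
if (-not $label) { throw 'Label not found; check DisplayName.' }
$marker = "MSIP_Label_$($label.Guid)_Enabled=true"

# 2. Block external delivery of mail that carries the label (Connect-ExchangeOnline)
New-TransportRule -Name 'Block Confidential label to external recipients' `
    -HeaderContainsMessageHeader 'msip_labels' `
    -HeaderContainsWords $marker `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText 'Confidential content cannot be sent outside the organization.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Enforce -Priority 0

# For a soft rollout, create it with -Mode Audit first and review the
# message trace hits before switching to Enforce.
```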

26. Block specific external domains in SharePoint

  • SharePoint Admin Center → Policies → Sharing Policies → More external sharing settings → Allow domain
  • Add allowed/blocked domains list

27. Where to view PII reports in Purview?

Purview → Records Management →

  • Content Explorer
  • Activity Explorer
  • Sensitive Information Types Dashboard

Conclusion

This blog covers the most realistic, enterprise-grade M365 L2 interview questions, complete with deep-dive expectations for a support engineer role handling hybrid identity, Exchange Online, Intune, Purview, Security, and DLP.

Vishal Prajapati is a Microsoft 365 administrator and technology enthusiast with hands-on experience managing and supporting modern cloud-based environments. He works extensively with Microsoft 365 services and focuses on helping administrators understand complex concepts through clear, practical, and real-world guidance.
