Microsoft 365 Interview questions and answers

Ace your interview with the top 50 most-asked Microsoft 365 interview questions and answers below. We have grouped these questions and answers into the following categories:

Top 10 frequently asked Microsoft 365 interview questions and answers

Microsoft 365 interview questions for freshers

Q1. What is the difference between Office 365 and Microsoft 365?

Answer. Office 365 and Microsoft 365 both work on a subscription-based cloud model. The difference between them is the set of services provided with each subscription.

Office 365 subscriptions include Office 365 Apps, Exchange Online, SharePoint Online, Microsoft Teams and OneDrive for Business.

Microsoft 365 includes all Office 365 services and, on top of that, the “Mobility and Security solution” and the Windows operating system.

Q2. How do you recover emails that a user deleted from his mailbox?

Answer. If a user has deleted emails from the Deleted Items folder, he can recover them from the Recover Deleted Items folder. If the emails have been deleted from the Recover Deleted Items folder as well, an administrator can run eDiscovery or Content Search on the mailbox and recover those emails, provided that Litigation Hold was applied to the mailbox.

If Litigation Hold was not applied to the mailbox and the emails have been deleted from the Recover Deleted Items folder as well, those emails cannot be recovered.

Q3. None of the users in a Microsoft 365 tenant can receive emails. What could be the issue?

Answer. If none of the users in a Microsoft 365 tenant can receive emails, the issue can be with the MX record. You need to make sure the MX record for your Office 365 domain is correctly published in public DNS.

If the MX record is not published correctly, all emails sent from external domains will be dropped and the users of your tenant will not be able to receive emails.

Q4. What is the difference between Cutover migration and Staged migration?

Answer. If your on-premises Exchange Server version is 2003 or later and you have fewer than 2,000 mailboxes, you can use cutover migration. In a cutover migration, all the user accounts are created automatically when you start the migration batch, and emails are migrated to the mailboxes.

If your on-premises Exchange Server version is 2003 or 2007 and you have more than 2,000 mailboxes, you can use staged migration. Staged migration is done in batches and requires an Azure AD Connect server. In a staged migration, we first synchronize the users from on-premises to Office 365 and then start the migration.

Q5. What is Microsoft Entra ID?

Answer. Microsoft Entra ID (Azure Active Directory) is a cloud-based identity and access management service. Microsoft Entra ID helps you access Microsoft Online services such as Exchange Online, SharePoint Online, Microsoft Teams, or Microsoft Azure.

You can even deploy your own applications in Microsoft Entra ID so that users can access those applications. Microsoft Entra ID is also responsible for authenticating the users and providing access to the services.

Q6. What is the difference between a routable and a non-routable domain?

Answer. A domain that can’t be used to send and receive emails is called a non-routable domain. A non-routable domain has .local as its domain suffix, for example contoso.local. This type of domain is used in an on-premises Active Directory forest.

A routable domain, by contrast, is one that can be used to send and receive emails: a domain that is purchased from a domain provider and has its DNS records published on the internet, for example contoso.com.

Q7. What is the difference between client-side rules and server-side rules?

Answer. Client-side rules are inbox rules that are created in the Outlook client. Client-side rules are triggered only while the Outlook application is up and running. If we close the Outlook client, the rules are not triggered on the emails.

Server-side rules, by contrast, are triggered on the emails even if the email application is not running. One example of a server-side rule is an out-of-office rule.

Q8. What is the Global Address List (GAL)?

Answer. The Global Address List is a master list that contains all the recipients of your Exchange Online organization. Whenever you create a mail-enabled recipient in Exchange Online, such as a user, group or public folder, it is added automatically to the Global Address List. With the help of the Global Address List, you can view all the recipients and their contact information using the Outlook client or Outlook on the web (OWA).

Q9. What is Litigation Hold?

Answer. Litigation Hold is used to place mailbox contents on hold. If a mailbox is placed under Litigation Hold and the user deletes his emails, those emails are retained in the Purges folder for the duration defined under Litigation Hold.

The Purges folder is a subfolder of the Recover Deleted Items folder that is not visible to end users or administrators. Administrators can use PowerShell or the MFCMAPI tool to view the Purges folder. When emails are placed in the Purges folder, users cannot recover them, but administrators can run Content Search or eDiscovery and recover those emails.

Q10. What is a Shared Mailbox?

Answer. A shared mailbox is a type of mailbox that is used for collaboration. Multiple users can have permission on the shared mailbox, and they can add it to their Outlook client or to OWA. If one user sends an email to the shared mailbox, all the users who have access to that shared mailbox are able to see the email.

Administrators can assign Full Access permission on the shared mailbox so that users can add it to their accounts as a secondary mailbox. We can assign SendAs or Send on Behalf permissions on the shared mailbox to send emails using the shared mailbox email address.

By default, the storage space for a shared mailbox is 50GB. If you want to increase the storage space, you can assign an Exchange Online Plan2 license to the shared mailbox.

Q11. What is Microsoft 365?

Answer. Microsoft 365 is a cloud-based subscription model. A subscription model is one where you need to purchase a license/subscription to use certain services.
Microsoft 365 includes multiple services such as Exchange Online, Microsoft 365 Apps, Microsoft Teams, SharePoint Online, OneDrive for Business and much more.

Microsoft 365 is also called Software as a Service (SaaS), where you are only responsible for accessing the services. You are not responsible for the storage or the security of your services. Under the Software as a Service model, data storage, security of data, updates and maintenance are all managed by the service provider.

Q12. What is Exchange Online?

Answer. Exchange Online is a cloud-based messaging platform that provides access to features such as calendars, emails, address book, contacts, and tasks. To use Exchange Online, you need a supported subscription such as Exchange Online Plan1, Plan2, Office 365 Business Premium, Office 365 E3 or E5. Once you have a supported Exchange Online license, you can access your emails and calendars through the Outlook desktop client, the mobile app, or OWA.

In Exchange Online, administrators can manage Exchange services from the Exchange Admin Center. They can manage the email flow and transport rules, secure the email flow with the help of EOP policies, apply retention policies to the mailboxes, manage the recipients, enforce security policies, and much more.

Q13. What is a Security Group?

Answer. A Security Group is used to assign permissions or policies in bulk. You can assign a single policy to multiple users or devices at the same time. You can use Security groups in Microsoft 365 to assign bulk permissions, and in Microsoft Entra ID you can use Security groups to assign permissions to users or to devices.

One example of security group usage is assigning the same license to multiple users: you create a security group and add members, then you assign the license to the security group, and all the members inherit the license from the group itself.

Another example is applying a compliance policy to enrolled devices. You add the devices to the security group and apply the policy to the security group, and all the devices inherit the policy from the group.

Q14. What is the difference between a Distribution Group and a Dynamic Distribution Group?

Answer. Distribution groups and dynamic distribution groups are both used to distribute emails to their members. The only difference between these 2 groups is how you add members to them.

In a distribution group, you add members manually. In a dynamic distribution group, you add members with the help of conditions, for example, a user’s Department attribute being set to HR, or a user’s City attribute being set to Delhi. This way you can easily segment the users and add members to the dynamic distribution groups.

Q15. What is the use of TXT, MX, and CNAME DNS records?

Answer. A TXT record is used to verify a domain in Office 365. SPF and DMARC both use TXT records. That means that if you want to add an SPF or DMARC record for an Office 365 domain, you need to publish a TXT record.

The MX record is used to receive emails. With the help of the MX record, you tell servers where to deliver emails that are sent to your domains. In Office 365, the value for the MX record is domain-com.mail.protection.outlook.com.

The CNAME record is used for Autodiscover, which is a service used to configure Outlook profiles. In Office 365, the value for the CNAME record is Autodiscover.Outlook.com. CNAME is also used for DKIM records. To create DKIM, you create 2 CNAME records.

Q16. What is the difference between Global Administrator and Global Reader role?

Answer. Global Administrator is the highest privileged role in Office 365. The global administrator role provides the highest level of permissions for the Office 365 account. A Global Administrator can manage all the tasks within Microsoft Online Services.

The Global Reader role, by contrast, is a view-only permission. A Global Reader can view everything that a Global Administrator can view, but a Global Reader cannot make any changes or modifications within Microsoft Online Services.

Q17. What happens when you delete an email from Inbox?

Answer. When you delete an email from the Inbox, that email goes to the Deleted Items folder. The email is retained in the Deleted Items folder for 30 days and can be recovered from that folder.

After 30 days, the email is moved to the Recover Deleted Items folder of the mailbox. The email is retained there for 14 days, which is the default value. After this period expires, the email is purged and is not recoverable (if Litigation Hold or In-Place Hold is not applied to the mailbox).

If you want to increase the default value to retain the emails longer than 14 days, run the PowerShell command Set-Mailbox -Identity "User1" -RetainDeletedItemsFor 30.

Q18. How many types of Retention Tags are available in Office 365?

Answer. In Office 365 there are 3 types of Retention Tags: Default Policy Tag (DPT), Retention Policy Tag (RPT), and Personal Tag.

The “Default Policy Tag” is applied to the complete mailbox. The Default Policy Tag has 3 actions: Move to Archive, Permanently Delete, and Delete And Allow Recovery.

The “Retention Policy Tag” is applied to the default folders, such as Inbox, Sent Items, or Deleted Items. Retention Policy Tags have 2 actions: Delete And Allow Recovery, and Permanently Delete.

Personal Tags can only be applied by the users, on custom folders or emails. Personal Tags have the same 3 actions as the Default Policy Tag.

Q19. How do you identify a SPAM email?

Answer. To identify whether an email is SPAM, take the email header of that email sample and look for the SCL value. If the SCL value is equal to or more than 5, the email has been marked as SPAM by the email filtering server.

You can also identify a SPAM email by looking at its contents. Spelling errors, malicious links in the body of the email, or malicious attachments indicate that it is a SPAM email.

Q20. What do SCL -1 and NSPM mean in Exchange?

Answer. SCL -1 is the value stamped by the email filtering server to indicate that the email is either an internal email or that the SPAM filtering server hasn’t taken any action on that email. One of the reasons for this could be that you have a Transport Rule in Exchange to bypass SPAM filtering for the sender’s email address or domain.

NSPM stands for Not SPAM. This indicates that the email you have received is not a spam email according to the email filtering server.

Office 365 interview questions and answers for experienced

Q21. What is Autodiscover?

Answer. Autodiscover is a service of Exchange Server that automatically configures the Outlook profile. The Autodiscover service was introduced with Exchange Server 2007.

Before Autodiscover was introduced, users had to provide email server details along with their username and password to configure their Outlook profiles. This process was very time-consuming. The Autodiscover service lets users configure their Outlook profile using only a username and password. Autodiscover finds the email server automatically using the email address and configures the mailbox.

Autodiscover works both inside and outside the firewall. Multiple services in Exchange rely on Autodiscover, such as Free/Busy, mailbox permissions and cross-premises permissions, and clients use Autodiscover to find the EWS endpoint URL.

Q22. Explain the EOP architecture.

Answer. Exchange Online Protection is a cloud-based email filtering service that protects your organization against spam, malware, and other email threats. Exchange Online Protection scans all incoming and outgoing emails in your tenant.

Exchange Online Protection has multiple filtering servers that filter emails. These filters are Connection Filter, Anti-Malware Filter, Transport Rules and DLP, ATP, Anti-Spam/Content Filter, and Zero-hour Auto Purge.

Q23. How does an SPF record work?

Answer. An SPF record is used to validate whether an email was sent by a legitimate sender. A sender adds their email server’s IP address or Fully Qualified Domain Name to the SPF record. When the recipient email server receives the email, it extracts the domain name from the FROM header.

With the help of the domain name, the recipient email server goes to public DNS and checks whether the IP address or the server name from which the email was sent is listed in the SPF record. If it is listed, SPF passes; if it is not listed, SPF fails.

Q24. How does DKIM work?

Answer. DKIM is an email security standard designed to make sure that emails are not altered in transit from source to destination. As soon as you send an email, DKIM uses public-key cryptography to sign that email with a private key.

When the recipient email server receives the email, it checks the “d=domain.com” value in the email header. With the help of the domain name, the recipient email server queries public DNS and finds the CNAME record.

The recipient email server uses these CNAME records to validate the email signatures. Once the signatures are verified by the recipient email server, DKIM passes and the email is treated as authentic.

Q25. How do you identify a delay in email delivery?

Answer. There are 2 ways to check whether there was any delay in email delivery. You can collect the email header and look at the hops. The hops show you the time taken by the email to travel from one hop to the next. From this you can identify how long the delay was.

The second way is to use Extended Message Trace. In Extended Message Trace you can look at the DeliveryLatency field. This shows you the delay, if there was any, in delivering the email.
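The hop-by-hop check described above can be scripted. The following is an added example, not part of the original answer: it reads the Received lines of a message, orders them oldest first, and reports the time each hop added. The sample headers and host names are constructed for illustration.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample headers (not from a real message). Each server prepends
# its own Received line, so the newest hop is listed first.
SAMPLE_HEADERS = """\
Received: from edge.contoso.example (10.0.0.3) by mbx.contoso.example
 (10.0.0.4) with ESMTPS id c3; Mon, 06 May 2024 10:07:45 +0000
Received: from filter.example.net (203.0.113.20) by edge.contoso.example
 (10.0.0.3) with ESMTPS id b2; Mon, 06 May 2024 12:07:40 +0200
Received: from app01.fabrikam.example (198.51.100.7) by filter.example.net
 (203.0.113.20) with ESMTP id a1; Mon, 06 May 2024 10:00:05 +0000
From: sender@fabrikam.example
To: user@contoso.example
Subject: constructed sample

body
"""


def parse_hops(raw_message):
    """Return [(receiving_server, utc_datetime), ...] in travel order."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        # The timestamp is everything after the last ';' of a Received line.
        route, sep, stamp = value.rpartition(";")
        if not sep:
            continue  # no timestamp on this line, nothing to measure
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            continue  # unparseable date: skip it instead of guessing
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)  # "-0000" means UTC
        by = re.search(r"\bby\s+(\S+)", route)
        server = by.group(1) if by else "unknown"
        hops.append((server, when.astimezone(timezone.utc)))
    return hops


def hop_delays(raw_message):
    """Seconds between consecutive hops; negative values mean clock skew."""
    hops = parse_hops(raw_message)
    rows = []
    for (_, sent), (server, received) in zip(hops, hops[1:]):
        seconds = (received - sent).total_seconds()
        rows.append({"received_by": server,
                     "delay_seconds": seconds,
                     "clock_skew": seconds < 0})
    return rows


def slowest_hop(raw_message):
    """The hop that added the most time, ignoring skewed timestamps."""
    rows = [r for r in hop_delays(raw_message) if not r["clock_skew"]]
    return max(rows, key=lambda r: r["delay_seconds"]) if rows else None


if __name__ == "__main__":
    for row in hop_delays(SAMPLE_HEADERS):
        print(row)
```

Timestamps are normalised to UTC before subtraction, so hops that log in different time zones (the second hop in the sample uses +0200) are compared correctly.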

Q26. What is conditional email routing?

Answer. In some scenarios we might have to route our emails to a different email server. For example, if you have multiple sites around the globe, you might want to route emails to a specific site. You can do this using connectors and mail flow rules.

You create an outbound connector in Exchange Online, that is, from Office 365 to Your Organization’s email server, and then create a transport rule to route all emails through this connector. This type of routing is called conditional email routing.

Q27. What is the sandbox in ATP?

Answer. The sandbox in ATP is a virtual detonation chamber where attachments are scanned.

As soon as an email reaches ATP, the email is moved to this virtual environment. If an attachment is found unsafe, that attachment is rejected. If the attachment is safe, both the email and the attachment are delivered to the recipient’s inbox.

Q28. What is dynamic delivery in ATP?

Answer. When an attachment enters the Safe Attachments sandbox environment, a detonation chamber analyses the attachment and determines whether it is safe or not. This process takes up to 30 minutes to scan the attachment, depending on the file size.

With Dynamic Delivery of Safe Attachments, that delay is eliminated by sending the body of the email to the recipient while the actual attachment undergoes the Safe Attachments scan. That means the email is delivered to the user’s mailbox, but the attachment is sent for further scanning.

While the attachment is being scanned, the user can read and reply to the email. After the scan, if the attachment is found safe, it is attached to the email in the user’s mailbox. If the attachment is found unsafe, it is rejected.

Q29. What is the difference between the IPM subtree and the non-IPM subtree?

Answer. Every user mailbox is divided into two subtrees, the IPM (interpersonal messaging) subtree and the non-IPM subtree. The IPM subtree contains the folders that are visible in the Outlook client and in OWA, for example Inbox, Calendar, Sent Items and the Junk folder.

The non-IPM subtree contains the Recoverable Items folder and its subfolders, which are not visible in the Outlook client or OWA. The Recoverable Items folder contains the following subfolders: Deletions, Versions, Purges, Audits, DiscoveryHolds, Calendar Logging, and SubstrateHolds. Non-IPM subtree folders can only be checked using PowerShell or MFCMAPI.

Q30. What is the difference between online archive and auto-expanding archiving?

Answer. Online Archive is an auxiliary space provided to mailboxes that has its own folder structure. The online archive doesn’t consume the actual mailbox space. We can use retention policies and tags to move emails from the mailbox to the online archive. Once the online archive is enabled, users can access it in the Outlook client or in OWA as a secondary mailbox.

Auto-expanding archiving is a feature in Exchange Online that provides up to 1.5 TB of additional storage space when the online archive mailbox is full. When the archive mailbox gets close to its storage limit, additional storage space is automatically created, and this process continues until the mailbox archive reaches 1.5 TB.

Q31. What are the different types of relay methods available in Microsoft 365?

Answer. In Microsoft 365 we can use one of the following 3 methods to relay emails.

Client Submission
Direct Send
SMTP Relay with Connector

Client Submission: The client submission method is used when you want to send emails to internal and external users. This option is also compatible with Multi Factor Authentication. This option requires the device that relays emails to support TLS 1.2.

Direct Send: If your requirement is to send emails only to internal users, you can use the Direct Send method. This option doesn’t require TLS 1.2.

SMTP Relay: If your requirement is to send emails to both internal and external users and your device doesn’t support TLS 1.2, you can use SMTP relay with a connector to relay your emails.

Q32. How many types of mail flow connectors can we create in Exchange Online?

Answer. In Exchange Online we can create 2 types of connectors: inbound connectors and outbound connectors. An inbound connector is used to accept emails from external servers, and an outbound connector is used to route emails to external servers.

In Exchange Online we can create a connector to send or receive emails from a 3rd party email filtering server. This type of connector is called a Partner connector.

We can also create a connector to send or receive emails from another email server, for example an on-premises Exchange Server. This type of connector is called Your organization’s email server.

Q33. What is the High risk delivery pool (HRDP)?

Answer. The High risk delivery pool is a pool of low-reputation IP addresses that is managed by Microsoft. These low-reputation IP addresses are used to route spam emails. If a tenant is sending bulk emails or SPAM emails, Microsoft routes these emails through HRDP IP addresses to reduce the risk of the normal outbound IPs being added to a block list.

To identify whether an email is being routed through low-reputation IP addresses, collect the email header and look for the SFP and SCL values. If the SCL value is 5 or greater and the SFP value is 1501, the email was routed through HRDP.

Q34. What is the best option to import PST files in bulk to Microsoft 365 mailboxes?

Answer. If an administrator wants to upload PST files in bulk, he can use Network Upload in Office 365. With Network Upload we can create a CSV file that maps the PST files to the target mailboxes and upload the PST files in bulk instead of doing it one by one.

Q35. A user is not able to send emails, what could be the issue?

Answer. If one user is not able to send emails, we need to check whether the user is getting any error or NDR. If there is an NDR, we troubleshoot according to the error given in the NDR.

If there is no NDR, we check whether the email shows up in the Sent Items folder. If it doesn’t show up in the Sent Items folder, the email wasn’t actually sent from the application, so we need to troubleshoot at the application level.

If the email does appear in Sent Items, we need to check in message trace whether the email was delivered to the recipient or failed. This is how you can troubleshoot this issue.

Q36. What is the difference between mail-enabled and mail-disabled recipients?

Answer. Mail-enabled recipients are recipients that have an email address assigned, whereas a mail-disabled recipient is one that does not have an email address assigned.

Q37. What is Zero-hour auto purge (ZAP)?

Answer. Zero-hour auto purge (ZAP) is a protection feature of Microsoft Defender for Office 365. When an email is delivered to the mailbox after all the checks performed by Exchange Online Protection (EOP), zero-hour auto purge scans that email within the mailbox and detects and removes spam, phishing, or malware emails.

Even if the email has been moved to another folder, zero-hour auto purge still scans the email, and if it finds spam or malware within the email, it removes the email. The user does not receive a notification when an email is removed by ZAP.

Q38. What is the Connecting IP Address in the email header?

Answer. The connecting IP address is the IP address of the email server that processed the email. For example, if a Gmail user sends an email, that email is processed by the Google email server. If the Google mail server has the IP address 1.2.3.4, this IP address is added to the email header as the connecting IP address. You can find the connecting IP address in the email header under the Forefront Antispam Report header.

Q39. What is the SPAM Confidence Level?

Answer. Whenever an email passes through Exchange Online Protection, the SPAM filters scan the email and assign it a score. This score helps EOP identify whether the email is spam or not. This score is called the Spam Confidence Level (SCL).

If the SCL value is -1, the email was an internal email, or SPAM filtering did not take any action on it because you had a transport rule to bypass “spam filtering” for the sender. If the SCL value is 0 or 1, spam filtering did not mark the email as spam. If the SCL value is 5 or 6, spam filtering marked the email as spam. If the SCL value is 8 or 9, spam filtering marked the email as high spam. You can find the SCL value in the email header under the Forefront Antispam Report header.
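The header checks from Q33, Q38 and Q39 can be combined into one triage step. The following is an added example, not part of the original answers: it splits a Forefront Antispam Report header value into its fields and applies the SCL and SFP rules exactly as stated on this page. The header values in SAMPLES are constructed for illustration.

```python
import ipaddress

# Constructed X-Forefront-Antispam-Report values (not from real messages).
SAMPLES = {
    "clean_inbound": "CIP:203.0.113.25;CTRY:US;LANG:en;SCL:1;SRV:;SFV:NSPM;DIR:INB;",
    "hrdp_outbound": "CIP:198.51.100.7;SCL:5;SFV:SPM;DIR:OUT;SFP:1501;",
    "bypassed_ipv6": "CIP:2001:db8::25;SCL:-1;DIR:INB;",
    "malformed": "SCL:9;CIP:not-an-ip;SFP:;",
}


def parse_report(value):
    """Split 'KEY:value;KEY:value;' into a dict of upper-cased keys."""
    fields = {}
    for part in value.split(";"):
        # Split on the first ':' only, so IPv6 addresses in CIP stay intact.
        key, sep, val = part.strip().partition(":")
        if sep and key:
            # Keep the first occurrence if a key is repeated.
            fields.setdefault(key.strip().upper(), val.strip())
    return fields


def scl_verdict(scl):
    """Map an SCL value to the meaning given on this page (Q19, Q20, Q39)."""
    if scl is None:
        return "no SCL stamped"
    if scl == -1:
        return "filtering skipped (internal mail or bypass rule)"
    if scl in (0, 1):
        return "not spam"
    if scl >= 8:
        return "high spam"
    if scl >= 5:
        return "spam"
    return "not covered by the page's SCL table"


def triage(value):
    """Return SCL verdict, connecting IP and HRDP flag for one header value."""
    fields = parse_report(value)
    try:
        scl = int(fields["SCL"])
    except (KeyError, ValueError):
        scl = None
    try:
        connecting_ip = str(ipaddress.ip_address(fields.get("CIP", "")))
    except ValueError:
        connecting_ip = None  # missing or not a valid IPv4/IPv6 address
    # Q33: SCL of 5 or greater together with SFP 1501 means HRDP routing.
    hrdp = scl is not None and scl >= 5 and fields.get("SFP") == "1501"
    return {
        "scl": scl,
        "verdict": scl_verdict(scl),
        "connecting_ip": connecting_ip,
        "routed_via_hrdp": hrdp,
    }


if __name__ == "__main__":
    for name, header_value in SAMPLES.items():
        print(name, triage(header_value))
```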

Q40. What is a SPOOF email and how would you identify one?

Answer. A spoof email is an email that was not sent by the sender it claims to come from. Spoof emails are used for spam or phishing attacks. One example of a spoof email is an external user sending an email to your organization using one of your users’ email addresses and asking for confidential information.

To identify a spoof email, analyze the email header and look at the FROM address and the Return-Path. If both headers have the same value, this is not a spoof email. If the two headers have different email addresses, that indicates a spoof email.

An external user can spoof email addresses, and even your own domains can be used for spoofing attacks. To prevent spoofing, you can either create a mail flow rule or use Impersonation under Anti-Phishing policies.
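The FROM versus Return-Path comparison described above, as an added example that is not part of the original answer. It goes one step beyond the answer by also flagging a display name that shows a different address from the real one, which the header comparison alone would miss. All messages and addresses are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Loose pattern for "something that looks like an address" in a display name.
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def make_message(from_header, return_path):
    """Build a constructed sample message for the checks below."""
    return (f"Return-Path: {return_path}\n"
            f"From: {from_header}\n"
            "To: user@contoso.example\n"
            "Subject: constructed sample\n\nbody\n")


def domain_of(address):
    return address.rpartition("@")[2].lower()


def spoof_indicators(raw_message):
    """Return a list of (code, detail) findings for one raw message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    findings = []
    if not return_path:
        # Bounces and some system messages carry an empty Return-Path (<>).
        findings.append(("no-return-path", "nothing to compare From against"))
    elif domain_of(from_addr) != domain_of(return_path):
        findings.append(("domain-mismatch",
                         f"From {from_addr} vs Return-Path {return_path}"))
    elif from_addr.lower() != return_path.lower():
        findings.append(("mailbox-mismatch",
                         f"From {from_addr} vs Return-Path {return_path}"))
    shown = ADDRESS_RE.search(display_name)
    if shown and shown.group(0).lower() != from_addr.lower():
        findings.append(("display-name-address",
                         f"name shows {shown.group(0)}, sender is {from_addr}"))
    return findings


def indicator_codes(raw_message):
    return [code for code, _ in spoof_indicators(raw_message)]


# Constructed samples covering each outcome.
MATCHING = make_message('"Alex Wilber" <alex@contoso.example>',
                        "<alex@contoso.example>")
MISMATCH = make_message("Alex Wilber <alex@contoso.example>",
                        "<bounce@mailer.fabrikam.example>")
LOOKALIKE = make_message('"alex@contoso.example" <alex@c0ntoso.example>',
                         "<alex@c0ntoso.example>")
EMPTY_PATH = make_message("Alex Wilber <alex@contoso.example>", "<>")

if __name__ == "__main__":
    for sample in (MATCHING, MISMATCH, LOOKALIKE, EMPTY_PATH):
        print(spoof_indicators(sample))
```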

Q41. Emails sent from a relay application are marked as spam by recipients. What could be the reason?

Answer. If all the emails sent from a relay application are marked as spam by the recipients, one of the reasons could be an incorrect SPF record.

When we relay emails from an application, we use a static IP address. We need to add this IP address to the SPF record for our domain to avoid emails being marked as spam. We also need to make sure DKIM and DMARC are published along with SPF.

The other reason can be the contents of the email. You can look for URLs within the email, attachments, or signatures that have URLs redirecting to other sites.
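The SPF check from Q23 and the relay problem from Q41, as an added example that is not part of the original answers. It evaluates a small subset of SPF (ip4, ip6, include and all) against a constructed in-memory DNS table and shows the relay's static IP failing until it is added to the record. The domains, records and the relay IP 198.51.100.50 are assumptions made for illustration; the sender domain is passed in by the caller.

```python
import ipaddress

# Constructed TXT records standing in for public DNS (no network access).
DNS_TXT = {
    "contoso.example": "v=spf1 include:spf.mailhost.example -all",
    "spf.mailhost.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:10::/48 ~all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms per evaluation


def check_spf(ip, domain, dns=DNS_TXT, _budget=None):
    """Evaluate ip against domain's SPF record; returns an SPF result string."""
    budget = _budget if _budget is not None else [MAX_LOOKUPS]
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mechanism = term[1:] if term[0] in RESULTS else term
        name, _, arg = mechanism.partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == network.version and addr in network:
                return RESULTS[qualifier]
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # too many lookups, e.g. an include loop
            inner = check_spf(ip, arg, dns, budget)
            if inner == "pass":
                return RESULTS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral inside an include just means "no match"
        else:
            return "unsupported"  # a, mx, exists, redirect= are not handled here
    return "neutral"  # record ended without a matching mechanism


def with_relay_ip(dns, domain, relay_ip):
    """Return a copy of dns with relay_ip added to domain's SPF record."""
    version, _, rest = dns[domain].partition(" ")
    kind = "ip4" if ipaddress.ip_address(relay_ip).version == 4 else "ip6"
    updated = dict(dns)
    updated[domain] = f"{version} {kind}:{relay_ip} {rest}".strip()
    return updated


if __name__ == "__main__":
    relay = "198.51.100.50"  # constructed static IP of the relay application
    print("before:", check_spf(relay, "contoso.example"))
    fixed = with_relay_ip(DNS_TXT, "contoso.example", relay)
    print("record:", fixed["contoso.example"])
    print("after: ", check_spf(relay, "contoso.example", fixed))
```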

Q42. What is a mail flow rule?

Answer. Mail flow rules, or transport rules, are used to control email routing at the organization level. With the help of mail flow rules we can block emails, route emails to different sites, encrypt emails using message encryption, and much more.

A mail flow rule is made of 3 components: Conditions, Actions, and Exceptions. Conditions identify the emails on which an action is required. The action specifies what to do with the email if the condition is met. Exceptions identify the emails on which the action is not required.

Q43. What is the difference between mail flow rules and inbox rules?

Answer. Mail flow rules are used to control email routing at the tenant level. Mail flow rules are triggered while the emails are in transit, which means they are triggered before emails are delivered to the mailbox. Mail flow rules are managed from the Exchange Admin Center.

Inbox rules, by contrast, are used to control email routing within the mailbox. Inbox rules are triggered after emails are delivered to the mailbox. Inbox rules are managed from Outlook or OWA.

Q44. What are false positive and false negative emails, and how do you manage them?

Answer. When a legitimate email is marked as spam by EOP, this is called a false positive. When a spam email is marked as a legitimate email by EOP, this is called a false negative.

To report false positive and false negative emails, administrators can use Submissions in Microsoft 365 Defender. In the Submissions portal, admins can report emails, URLs, and attachments.

Users can also report false positive or false negative emails from OWA (built-in Report button) or using the Microsoft Report Message and Report Phishing add-ins in Outlook.

After emails are submitted in the Submissions portal, Microsoft analyzes the emails and adjusts the filters accordingly.

Q45 Scenario. An administrator needs email samples from a mailbox, but he doesn’t have permission on the mailbox or its password. How can he get the email samples?

Answer. If an administrator doesn’t have permission on the mailbox or doesn’t have the password of the account, he can run eDiscovery or Content Search on the mailbox.

In eDiscovery and Content Search we have an option to preview the search results. Using the preview option, an administrator can view the emails and download email samples as well. This doesn’t require permission on the mailbox or the account password.

Q46 Scenario. An administrator wants to know from which IP address emails were deleted from a mailbox. How can he get these details?

Answer. The administrator can search the audit logs in Microsoft Purview or the Compliance portal to check the activities performed on the mailbox.

Under Exchange mailbox activities, the administrator selects Moved messages to Deleted Items folder and Deleted messages from Deleted Items folder, adds the user under the Users field, and runs the search. After running the search, the admin can export the results to a CSV file and find the IP address under the ClientIP field.

Q47. What is Exchange Web Services (EWS)?

Answer. Exchange Web Services, or EWS, is an API that works on both Exchange Online and Exchange on-premises. Exchange Web Services lets applications access mailbox items, for example emails, calendars or contacts.

Exchange Web Services was introduced with Exchange Server 2007. This API is used by application developers to develop applications that need access to mailbox items.

EWS is also used while migrating mailboxes, while making changes to mailbox items, and while retrieving data from Exchange.

Exchange Web Services allows applications to access data locally and remotely. That lets you access your mailbox information from anywhere.

Q48. What is the difference between basic authentication and modern authentication?

Answer. Basic authentication is a less secure, single-factor authentication method where users can access an application by just providing their username and password. In basic authentication, the username and password are passed in plain text encoded with Base64. For this reason, basic authentication was combined with SSL to encrypt the passwords. Being a single-factor authentication method, basic authentication can be easily compromised.

Modern Authentication is a method of identity management that offers more secure authentication and authorization. Some examples of Modern Authentication protocols are SAML, WS-Federation, and OAuth. Modern authentication provides features like MFA, smart cards and certificate-based authentication that protect your accounts even if your password is compromised.

Q49. What is the role of the connection filter in EOP?

Answer. The connection filter is the first email filter server within EOP. As soon as an email reaches Exchange Online Protection, the connection filter adds the connecting IP address to X-FOREFRONT-ANTISPAM-REPORT within the email header. The connection filter also checks whether the connecting IP address is listed on the internet or not.

Then the connection filter compares the connecting IP against the safe list that is maintained by Microsoft. If the IP is not found in that safe list, the value IPV:NLI is added to the email header.

Then the connection filter performs the Directory Based Edge Blocking (DBEB) check, and if the recipient is not found in Azure AD, the email is dropped.

The next check is done against the allow list and block list of the connection filtering policy, to see whether the connecting IP has been added to the allow list or block list (IPV:CLI).

The connection filter also checks the safe sender list maintained by the users in their Outlook client or OWA.

Q50. How would you identify whether a mail flow rule was triggered on an email?

Answer. To identify whether a mail flow rule or transport rule was triggered on an email, you can either run a message trace in the Exchange Admin Center or run an Extended Message Trace.

In message trace, click the email that you want to analyze and expand “Events”. Under Events, you will see the name and GUID value of the “mail flow rule” that was triggered on the email.

You can also run an Extended Message Trace in the Exchange Admin Center and download the CSV file. In this report, look for S:TRA=ETR. (Next to this value you will find the GUID of the transport rule that was triggered on the email.) To identify the rule from the GUID value, run the Get-TransportRule | fl command in Exchange Online PowerShell and match the GUID against the output. This way you can find which rule was triggered on the email.


Happy Learning!!