MS-101: Microsoft 365 Mobility and Security Study Guide
MS-101: Microsoft 365 Mobility and Security validates your ability to deploy and manage modern device services with Intune, implement Microsoft 365 security and threat management with the Defender suite and Entra ID Protection, and govern data through Microsoft Purview compliance, retention, and eDiscovery. It is aimed at Microsoft 365 Enterprise Administrators who, together with MS-100, complete the Microsoft 365 Certified: Enterprise Administrator Expert path. Expect scenario-heavy questions across Intune, Conditional Access, the Defender products, and Purview that test which feature solves a given business requirement.
Domain 1: Implement Modern Device Services
- Enforcing device-based access requires two parts working together: an Intune device compliance policy that evaluates the device (OS version, encryption, etc.) and marks it compliant/noncompliant, plus a Conditional Access policy whose grant control 'Require device to be marked as compliant' admits only devices Intune reports as compliant.
- Co-management lets Configuration Manager (SCCM) and Intune jointly manage the same Windows 10/11 device; authority is moved category by category with workload sliders such as Compliance policies, Windows Update policies, and Endpoint Protection, each set to Configuration Manager, Pilot Intune (a pilot collection only), or Intune.
- Windows Update for Business is configured in Intune through update rings, which set independent deferral periods (in days) for feature updates and quality updates, plus active hours and restart deadlines.
- Feature update version control is done with a separate 'Feature updates for Windows 10 and later' policy that pins devices to a chosen target version (for example 21H2) until you move them; it requires Windows diagnostic data set to at least the Required level on devices that are Entra joined or hybrid joined and Intune-enrolled or co-managed.
- App protection policies (MAM) protect corporate data inside apps like Outlook and Teams without enrolling the device; MAM-without-enrollment is the model for personally owned/BYOD devices.
- A common app protection data-transfer pattern: 'Send org data to other apps' = Policy managed apps and 'Receive data from other apps' = All apps, so users can copy or share corporate data out of managed apps only into other policy-managed apps, while any app may send data in (a one-directional restriction).
- Windows Autopilot identifies a device by its hardware hash (hardware ID), which is uploaded to register the device for zero-touch provisioning; Pre-provisioning (formerly White Glove) lets IT pre-stage the device before handing it to the user.
- The built-in 'Microsoft 365 Apps for Windows 10 and later' app type in Intune deploys Office (Microsoft 365 Apps) without packaging. The Line-of-business app type deploys a single MSI, while the Win32 app type (.intunewin, created with the Microsoft Win32 Content Prep Tool) handles custom installers and is the type to choose when you need install/uninstall commands, detection rules, requirement rules, and dependencies.
- Win32 app dependencies let you declare up to 100 prerequisite apps that must be detected (or auto-installed) before the main app installs; Intune evaluates the chain at install time, and supersedence relationships handle replacing an older version.
- Device type enrollment restrictions can block specific platforms or block personally owned devices, while device limit restrictions cap how many devices a user can enroll.
- Proactive remediations (now 'Remediations' under Devices > Scripts and remediations) are script packages with a detection script and a remediation script: detection exits 0 when the device is healthy and 1 when the remediation should run. Devices must be Entra joined or hybrid joined, enrolled in Intune or co-managed, and covered by an eligible license (for example Windows E3/E5 or Microsoft 365 E3/E5); scripts run as SYSTEM unless you choose to run them with the logged-on user's credentials.
- Per-app VPN is configured in a VPN device configuration profile (VPN settings) and then tied to specific apps: on Windows you add app triggers to the profile, on iOS/iPadOS you associate the VPN profile in the app's assignment, so the VPN connects automatically when that app, for example Outlook, launches.
- Compliance policies have no priority order. If two policies set the same setting to different values, each policy reports its own result and the device's overall state is the worst one (noncompliant wins over in grace period, which wins over compliant); use Devices > Monitor > Policy compliance and the per-setting status to find the offending policy. Actions for noncompliance are set per policy: email or push-notify the user, mark the device noncompliant immediately or after a grace period (days), remotely lock it, or retire it.
- Android Enterprise enrollment modes include Personally owned with work profile (data isolated in an encrypted work container), Corporate-owned dedicated devices (kiosk/shared), Corporate-owned fully managed, and Corporate-owned with work profile.
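The detection/remediation contract from the Proactive remediations bullet above, as an added example (not code from the study guide or from Microsoft): the firewall requirement, the file names, and the package settings are this example's assumptions.

```powershell
# Added example (not from the study guide): a Proactive Remediation script package that
# enforces "all Windows Firewall profiles enabled". Save the two halves as separate files
# (Detect-Firewall.ps1 and Remediate-Firewall.ps1) and upload them as one package under
# Devices > Scripts and remediations. Enable "Run script in 64-bit PowerShell" and leave
# "Run this script using the logged-on credentials" off: changing firewall state needs
# SYSTEM, and the result is only meaningful if both scripts run in the same context.
# The firewall requirement and file names are this example's assumptions.

# ---------- Detect-Firewall.ps1 ----------
# Intune's contract for detection scripts: exit 0 = no issue (remediation is skipped),
# exit 1 = issue found (the remediation script runs). Whatever is written to stdout is
# captured as the pre-remediation detection output in the admin center, so keep it short.
$profiles = Get-NetFirewallProfile -ErrorAction Stop
$disabled = @($profiles | Where-Object { $_.Enabled -ne 'True' } | Select-Object -ExpandProperty Name)

if ($disabled.Count -eq 0) {
    Write-Output 'Firewall enabled on all profiles'
    exit 0
}
Write-Output "Firewall disabled on: $($disabled -join ', ')"
exit 1

# ---------- Remediate-Firewall.ps1 ----------
# Runs only when detection exited 1. Apply the fix, then re-verify and exit non-zero if it
# did not take, so the run is reported as failed instead of silently "remediated".
try {
    Set-NetFirewallProfile -All -Enabled True -ErrorAction Stop
} catch {
    Write-Output "Remediation failed: $($_.Exception.Message)"
    exit 1
}

$stillDisabled = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | Select-Object -ExpandProperty Name)
if ($stillDisabled.Count -gt 0) {
    Write-Output "Post-check: still disabled on $($stillDisabled -join ', ')"
    exit 1
}
Write-Output 'Firewall enabled on all profiles'
exit 0
```

The post-check in the remediation half is the part worth copying: a remediation that always exits 0 makes every run show as remediated in the report even when the setting was never changed, which hides exactly the drift the package exists to catch.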
Domain 2: Implement Microsoft 365 Security and Threat Management
- Onboard Intune-managed Windows devices to Microsoft Defender for Endpoint by first connecting the two services (Endpoint security > Microsoft Defender for Endpoint, which enables the connector and the compliance signal), then creating an Endpoint Detection and Response (EDR) policy in the Intune admin center with onboarding set to 'Auto from connector'. On Windows 10/11 the sensor is part of the OS; the policy supplies the onboarding package that activates it and points it at your tenant.
- Defender for Office 365 Safe Attachments policy actions are Off, Monitor, Block, Replace, and Dynamic Delivery. Dynamic Delivery delivers the message body immediately with a placeholder while the attachment is detonated in a sandbox, then reattaches it once it is found clean; it works only for Exchange Online mailboxes.
- Defender for Office 365 Safe Links provides time-of-click URL rewriting and re-checks links at click time, protecting against URLs weaponized after delivery.
- Microsoft Defender for Identity uses a sensor installed on domain controllers/AD FS servers to detect on-premises lateral movement such as Pass-the-Hash and Pass-the-Ticket using behavioral analytics.
- Microsoft 365 Defender (now Microsoft Defender XDR) correlates related alerts across email, endpoints, identity, and apps into a single Incident. Automated Investigation and Response (AIR) runs Microsoft's built-in playbooks to investigate and remediate; it does not take custom playbooks (those belong to Microsoft Sentinel). Whether remediation runs automatically or waits for approval in the Action center depends on the device group's automation level.
- Attack Surface Reduction (ASR) rules support Not configured/Disabled, Audit, Block, and Warn states (Warn is not available on every rule); Audit mode logs what would have been blocked (event ID 1122 in the Microsoft-Windows-Windows Defender/Operational log) without enforcing, making it the right choice for impact testing.
- Entra ID Identity Protection provides a sign-in risk policy (evaluates the risk of the current sign-in, for example atypical travel, anonymous IP, or unfamiliar sign-in properties) and a user risk policy (evaluates the likelihood that the account itself is compromised, for example leaked credentials); responses are require MFA or block for sign-in risk, and require a secure password change or block for user risk. Microsoft now recommends building both as risk-based Conditional Access policies rather than the legacy Identity Protection policies.
- Remediate a high user-risk detection such as leaked credentials by requiring a secure password change (MFA followed by a password reset), which clears the user's risk once completed; for an account you believe is compromised, also revoke sessions (Revoke-MgUserSignInSession, or 'Revoke sessions' in the portal) and block sign-in until it is reset.
- Defender for Office 365 anti-phishing impersonation protection lets you add specific high-value users (executives) as protected users and protect custom domains against display-name and domain impersonation.
- Microsoft Defender for Cloud Apps discovers shadow IT by ingesting firewall and proxy logs (Cloud Discovery) and can apply session/access policies through reverse-proxy Conditional Access App Control.
- Threat Explorer (Explorer) in Defender for Office 365 Plan 2 (Plan 1 gets the lighter Real-time detections view) lets analysts hunt and investigate emails, URLs, and malware in near real time and take actions such as soft delete; advanced hunting across all Defender signals uses Kusto Query Language (KQL) in the Defender portal.
- Govern application risk by disabling user consent for apps and configuring the admin consent workflow in Microsoft Entra ID so requests route to administrators for review.
- Conditional Access can exclude a corporate network defined as a trusted named location (locations condition: include all locations, exclude 'All trusted locations') so MFA is not prompted on-network; 'Require device to be marked as compliant' and 'Require multifactor authentication' are the common grant controls, and 'Require MFA for administrators' is a policy template built from the latter. Treat the trusted-location exclusion as a deliberate weakening: anyone on the corporate network inherits the exemption.
- Alert policies (Purview and Defender portals) raise alerts on configured activities; Microsoft Secure Score measures posture and lists prioritized improvement actions but changes nothing by itself, while Intune security baselines are templates of Microsoft-recommended settings that you deploy to devices to raise posture.
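The compliance-policy-plus-Conditional-Access pairing from Domain 1, together with the trusted-location exclusion and report-only mode from the Conditional Access bullet above, as one added example (not code from the study guide or from Microsoft). It uses Microsoft Graph PowerShell SDK cmdlets; the group name 'SEC-BreakGlass', the policy names, and the minimum OS build are this example's assumptions, and the existence of a trusted named location is assumed.

```powershell
# Added example (not from the study guide): build the two halves of device-based access with the
# Microsoft Graph PowerShell SDK (v1.0 cmdlets) and leave Conditional Access in report-only mode.
# Assumptions: the Microsoft.Graph module is installed, the admin can consent to the scopes below,
# a group named 'SEC-BreakGlass' holds the emergency-access accounts, and the corporate network is
# already defined as a trusted named location ('AllTrusted' means every location flagged trusted).
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All',
                        'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'

# Never ship a CA policy that can lock out the emergency-access accounts.
$breakGlassGroupId = (Get-MgGroup -Filter "displayName eq 'SEC-BreakGlass'" -Top 1).Id
if (-not $breakGlassGroupId) { throw 'Break-glass group not found; refusing to create CA policies.' }

# 1) Intune compliance policy: evaluates the device and marks it compliant or noncompliant.
#    scheduledActionsForRule is required on create; it is the "Actions for noncompliance" tab,
#    and gracePeriodHours = 0 marks the device noncompliant immediately.
$compliancePolicy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter @{
    '@odata.type'            = '#microsoft.graph.windows10CompliancePolicy'
    displayName              = 'Windows - baseline compliance'
    description              = 'BitLocker, Secure Boot, code integrity, minimum OS build'
    bitLockerEnabled         = $true
    secureBootEnabled        = $true
    codeIntegrityEnabled     = $true
    storageRequireEncryption = $true
    osMinimumVersion         = '10.0.19045'   # assumption: oldest build the org still supports
    scheduledActionsForRule  = @(@{
        ruleName = 'PasswordRequired'         # fixed name Intune uses for the default rule
        scheduledActionConfigurations = @(@{ actionType = 'block'; gracePeriodHours = 0 })
    })
}
# Assign to all devices; non-Windows devices simply ignore a Windows policy.
Invoke-MgAssignDeviceManagementDeviceCompliancePolicy -DeviceCompliancePolicyId $compliancePolicy.Id -BodyParameter @{
    assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } })
} | Out-Null

# 2) Conditional Access: the part that actually enforces. Both policies start in report-only mode
#    (enabledForReportingButNotEnforced) so the sign-in log shows what they would have done.
function New-ReportOnlyCaPolicy {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string[]]$GrantControls,   # builtInControls values, e.g. compliantDevice, mfa
        [hashtable]$ExtraConditions = @{}
    )
    $conditions = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    foreach ($key in $ExtraConditions.Keys) { $conditions[$key] = $ExtraConditions[$key] }
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = $DisplayName
        state         = 'enabledForReportingButNotEnforced'
        conditions    = $conditions
        grantControls = @{ operator = 'OR'; builtInControls = $GrantControls }
    }
}

# CA01: only devices Intune marked compliant get in (scoped to Windows, matching the compliance policy).
$caCompliant = New-ReportOnlyCaPolicy -DisplayName 'CA01 - Require compliant device (Windows)' `
    -GrantControls @('compliantDevice') `
    -ExtraConditions @{ platforms = @{ includePlatforms = @('windows') } }

# CA02: MFA everywhere except from the trusted corporate network (locations condition exclusion).
$caMfa = New-ReportOnlyCaPolicy -DisplayName 'CA02 - Require MFA off-network' `
    -GrantControls @('mfa') `
    -ExtraConditions @{ locations = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') } }

"Compliance policy: $($compliancePolicy.Id)"
"CA policies (report-only): $($caCompliant.Id), $($caMfa.Id)"
# To enforce after reviewing the report-only results in the sign-in logs:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $caCompliant.Id -BodyParameter @{ state = 'enabled' }
```

Two checks before flipping CA01 to enabled: confirm the tenant-wide compliance setting 'Mark devices with no compliance policy assigned as' is set to Not compliant (the default is Compliant, which lets an unenrolled device pass 'Require compliant device' if it is simply registered), and keep the platform scoping, because report-only policies that require a compliant device can prompt macOS, iOS, and Android users for a device certificate during evaluation even though nothing is enforced. If your SDK version names the assign action differently, `Get-Command *AssignDeviceManagementDeviceCompliancePolicy*` lists the available cmdlet.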
Domain 3: Manage Microsoft 365 Governance and Compliance
- Data Loss Prevention (DLP) policies are created in the Microsoft Purview compliance portal and scan content (email, Teams, SharePoint, OneDrive, endpoints) for sensitive information types; actions include block, encrypt, notify with a policy tip, generate an incident report, and allow override.
- A policy tip notifies the user they are about to violate a DLP policy and can offer options to override (with optional business justification) or report a false positive.
- Retention policies enforce org-wide retain/delete behavior by location (Exchange email, SharePoint, OneDrive, Teams); a retain action for 7 years on Exchange keeps email even if users try to delete it.
- When a user deletes/edits retained content, the original is copied to the Preservation Hold Library (SharePoint/OneDrive) or the Recoverable Items folder (Exchange) and kept for the remaining retention period.
- Retention labels can be published for manual application or applied by auto-labeling policies using conditions such as sensitive information types or trainable classifiers. A label that marks an item as a record prevents users from removing the label or deleting the item (editing is allowed only after the record is unlocked); a regulatory record goes further and cannot be removed even by an administrator.
- Sensitivity labels apply encryption (Azure Rights Management), content marking (headers/footers/watermarks), and access restrictions; encryption and content marking are configured within the sensitivity label settings.
- Custom sensitive information types are built in Microsoft Purview under Data classification from a primary element (regular expression, keyword list or dictionary, or a function) plus supporting elements that must appear within a character proximity window; each pattern carries a confidence level (low/medium/high) that DLP and labeling rules can require for organization-specific patterns.
- Trainable classifiers identify content that pre-trained classifiers cannot; you train a custom classifier with seed/positive sample content when categorizing organization-specific material.
- eDiscovery (Standard) provides case management, content search, and legal hold; eDiscovery (Premium) adds custodian management, review sets, analytics, near-duplicate detection, email threading, and predictive coding.
- Litigation Hold is applied per mailbox in Exchange to preserve all mailbox content indefinitely or for a set duration; the older In-Place Holds are retired, and eDiscovery case holds scope preservation to the case's custodians or locations and an optional query.
- Information barriers (configured in the Purview compliance portal) restrict communication and collaboration between defined segments of users (for example, blocking traders from talking to research) in Teams, SharePoint, and OneDrive.
- Insider Risk Management correlates signals from Teams, email, SharePoint, devices, and optional HR connector data to flag risky behaviors such as bulk downloads or data exfiltration before a resignation.
- Microsoft Priva handles privacy: Priva Subject Rights Requests (the successor to Data Subject Request cases) collect and review a person's data to fulfill GDPR-style requests. Separately, Purview Audit (audit log search) records admin and user activity across services.
- Compliance Manager provides a compliance score and prioritized improvement actions mapped to regulations such as GDPR, HIPAA, and ISO 27001; audit logging must be enabled (it is on by default in most tenants today) before activity can be searched and investigated.
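The DLP policy, policy tip, override, and incident report behaviour described in the DLP bullets above, as an added example (not code from the study guide or from Microsoft) in Security & Compliance PowerShell. The policy name, the review mailbox, and the admin UPN are this example's assumptions; the sensitive information type 'Credit Card Number' is a built-in one.

```powershell
# Added example (not from the study guide): a DLP policy that watches for credit card numbers
# shared outside the organization, starts in test mode with policy tips, and is promoted to
# enforcement only after the incident reports have been reviewed.
# Assumptions: ExchangeOnlineManagement module installed; the account holds a Purview DLP role;
# the policy/rule names, admin UPN, and incident-report mailbox are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'compliance-admin@contoso.example'   # Security & Compliance endpoint

$policyName = 'PCI - Credit card numbers'

# 1) Policy = where it applies. Mode TestWithNotifications = "test it out with policy tips":
#    matches are logged and users see the tip, but nothing is blocked yet (the 'measure before
#    enforcing' answer on the exam).
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Detect and block credit card numbers shared externally' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications | Out-Null

# 2) Rule = what to match and what to do.
#    - ContentContainsSensitiveInformation: built-in SIT, at least 1 match at high (85) confidence
#    - AccessScope NotInOrganization: fire only when the recipient / share target is external
#    - BlockAccess + NotifyUser Owner: block the external share and show the sender a policy tip
#    - NotifyAllowOverride: the tip offers override with a business justification or a false-positive report
#    - GenerateIncidentReport: mail a report, including the matched content, to the review mailbox
New-DlpComplianceRule -Name "$policyName - block external" -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = 'Credit Card Number'; minCount = '1'; minConfidence = '85' }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This item contains a credit card number and cannot be shared outside the organization.' `
    -NotifyAllowOverride WithJustification,FalsePositive `
    -GenerateIncidentReport 'dlp-review@contoso.example' -IncidentReportContent All `
    -ReportSeverityLevel High | Out-Null

# 3) Promote to enforcement once the test-mode reports look clean. Returns the resulting mode
#    so the caller can confirm the switch took effect.
function Enable-DlpPolicyEnforcement {
    param([Parameter(Mandatory)][string]$Name)
    Set-DlpCompliancePolicy -Identity $Name -Mode Enable
    (Get-DlpCompliancePolicy -Identity $Name).Mode
}
# Enable-DlpPolicyEnforcement -Name $policyName   # expected result: Enable
```

Leave the policy in TestWithNotifications for long enough to see a representative week of traffic: the incident reports and the DLP activity explorer are what tell you whether 'Credit Card Number' at confidence 85 catches real card data without flagging order numbers, and whether the override path is being used as intended or as a routine bypass.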
MS-101 exam tips
- Memorize which product solves which problem: Defender for Endpoint (devices/EDR), Defender for Office 365 (email/links/attachments), Defender for Identity (on-prem AD lateral movement), Defender for Cloud Apps (shadow IT/SaaS), and Entra ID Identity Protection (risk-based sign-in/user policies). Questions hinge on picking the right one.
- For device-access scenarios, remember it always takes a compliance policy AND a Conditional Access policy together. A compliance policy alone evaluates but does not enforce access.
- Distinguish sign-in risk (this login looks risky) from user risk (this account is likely compromised, for example leaked credentials), and know the standard remediations: MFA for sign-in risk, secure password reset for user risk.
- Know the retention-vs-records and Standard-vs-Premium eDiscovery boundaries cold; exam answers frequently turn on a single capability such as review sets, custodians, or a record label that locks the item.
- Watch for 'audit mode' and 'pilot/test' wording. ASR Audit mode, DLP test mode, and Conditional Access report-only mode all let you measure impact before enforcing, and are the right answer when the requirement is to evaluate without blocking.
Study guide FAQ
Is MS-101 still available, and what does it lead to?
MS-101 (with MS-100) was the path to the Microsoft 365 Certified: Enterprise Administrator Expert certification. Microsoft has since retired both exams and consolidated their content into MS-102, which covers identity, security, and compliance in a single exam. MS-101 material is still useful if you are working from legacy resources, but verify the current exam and its prerequisites on Microsoft Learn before registering.
How is the exam scored and how long is it?
You need a scaled score of 700 to pass. The session runs about 120 minutes, and you should expect roughly 40-60 questions including case studies, multiple choice, and select-all scenarios; Microsoft publishes only a range, not an exact count. Scores are scaled, so 700 does not mean 70 percent of questions correct.
How much Intune and PowerShell do I need to know?
Intune is heavily tested across device compliance, configuration profiles, app deployment (Microsoft 365 Apps vs Win32), enrollment restrictions, update rings, and Autopilot/Pre-provisioning. You should recognize key concepts and admin-center workflows; deep PowerShell scripting is rarely required, but you should know what tasks are done where (Intune admin center vs Purview portal vs Entra admin center).
What is the difference between sensitivity labels, retention labels, and DLP?
Sensitivity labels classify and protect data (encryption, marking, access). Retention labels and policies control how long content is kept or when it is deleted, and can declare records. DLP detects and prevents inappropriate sharing of sensitive information in motion. They are complementary: a document can be labeled sensitive, retained for 7 years, and still be blocked by DLP if a user tries to email it externally.