MS-102: Microsoft 365 Administrator Study Guide
MS-102: Microsoft 365 Administrator validates your ability to deploy and manage a Microsoft 365 tenant, implement and manage identity and access with Microsoft Entra ID, and manage security, threats, and compliance across the platform. It is aimed at administrators who plan, deploy, and operate Microsoft 365 services for an organization and who coordinate with specialist administrators for workloads such as Exchange, SharePoint, and Teams. Expect roughly 40-60 questions in 120 minutes, including case studies, with a passing score of 700 out of 1000.
Domain 1: Deploy and Manage a Microsoft 365 Tenant
- Custom domain ownership is verified by adding a TXT (or alternatively MX) DNS record containing the unique verification token Microsoft generates; TXT is preferred because it does not interfere with existing mail flow.
- A subdomain (for example, sales.contoso.com) can only be added after the parent domain (contoso.com) has been added and verified in the same tenant.
- A domain can belong to only one Microsoft 365 tenant at a time; you must remove it from any other tenant before adding it to yours.
- The Service health dashboard shows real-time incidents and advisories affecting your tenant's services; the Message center notifies admins about upcoming changes, new features, and planned maintenance with advance notice.
- The Office Customization Tool (OCT) at config.office.com is the web-based tool for building the configuration.xml used by the Office Deployment Tool (ODT) to install and customize Microsoft 365 Apps.
- Microsoft 365 Apps update channels include Current Channel (frequent updates), Monthly Enterprise Channel (predictable monthly cadence), and Semi-Annual Enterprise Channel (features about every six months for maximum stability and testing time).
- Targeted release (formerly First Release) can be enabled for the entire organization or for selected users in Org settings > Organization profile > Release preferences, so a pilot group previews features early.
- Usage reports under Reports > Usage show adoption and activity for Teams, SharePoint, OneDrive, Exchange, and more; by default user names are de-identified to protect privacy, and an admin must turn off concealment in Org settings > Reports to show identifiable data.
- Bulk-create users by uploading a CSV file in the Microsoft 365 admin center, or manage users at scale with the Microsoft.Graph PowerShell module (the Azure AD and MSOnline modules are deprecated).
- The organization profile (company name, address, billing and technical contacts) is set in Settings > Org settings and applies to the entire tenant, separate from individual user accounts.
- Licenses are viewed and assigned under Billing > Licenses; group-based licensing assigns and reclaims licenses automatically as users join or leave a group.
- For mail flow to Microsoft 365, point the MX record to <tenant>.mail.protection.outlook.com and publish an SPF TXT record that contains the mechanism include:spf.protection.outlook.com.
- FastTrack for Microsoft 365 provides no-cost deployment and adoption guidance for organizations with at least 150 eligible licenses.
- Microsoft 365 installation options under Settings > Org settings control which Office apps and update channel users can self-install from the portal.
Domain 2: Implement and Manage Identity and Access
- Dynamic membership groups use attribute-based rules (for example, department or location) to add or remove members automatically; dynamic groups require Microsoft Entra ID P1 and a group can be dynamic for users OR for devices, not both.
- Microsoft Entra Connect synchronizes on-premises AD objects to Entra ID; password hash synchronization (PHS) syncs password hashes to the cloud, while pass-through authentication (PTA) validates passwords against on-premises AD without storing hashes in the cloud.
- Common sync errors include duplicate (conflicting) attribute values such as a duplicated proxyAddress or userPrincipalName between objects.
- Conditional Access policies enforce access controls based on signals (user, location, device, app, risk); a named location defines trusted IP ranges so you can require MFA for users outside the corporate network.
- Always exclude break-glass (emergency access) and service accounts from a Conditional Access policy by adding them to the policy's exclusion list to avoid lockout.
- Security defaults provide baseline tenant-wide MFA enforcement for free; Conditional Access (requires Entra ID P1) offers granular control but cannot be used at the same time as security defaults.
- Self-service password reset (SSPR) requires Entra ID P1 or P2; if a user cannot reset their password, the most common cause is that they have not registered the required authentication methods.
- The Helpdesk Administrator role can reset passwords only for non-administrator users; a single user can hold multiple admin roles simultaneously, supporting least-privilege delegation.
- Microsoft Entra Privileged Identity Management (PIM) provides just-in-time, time-bound, eligible role activation, and can require approval and justification before a privileged role is activated.
- Microsoft Entra ID Protection detects risks: impossible travel (atypical travel) flags sign-ins from geographically distant locations too close in time to be physical travel; sign-in risk and user risk policies can require MFA or a password change.
- Windows Hello for Business provides passwordless authentication using biometrics or PIN, with the private key protected by the device TPM and public-key cryptography.
- Microsoft Entra B2B collaboration invites external guests with their own credentials; B2B direct connect underpins Teams shared channels for trusted cross-tenant collaboration.
- Restrict app risk by setting user consent to 'Do not allow user consent' so users cannot grant apps access to organizational data, and use the admin consent workflow for requests.
- Microsoft Entra access reviews periodically recertify group membership, app access, and role assignments; legacy authentication (for example, Exchange ActiveSync and other older clients) should be blocked because it cannot enforce MFA.
Domain 3: Manage Security and Threats
- Exchange Online Protection (EOP) is included with every plan that has Exchange Online mailboxes and provides baseline anti-malware, anti-spam, and anti-spoofing (spoof intelligence) at no extra cost.
- Anti-phishing policies in Defender for Office 365 add user (and domain) impersonation protection plus mailbox intelligence; add high-value recipients such as the CEO to the impersonation protection list.
- Safe Attachments detonates attachments in a sandbox before delivery; Dynamic Delivery delivers the message body immediately with a placeholder and reattaches the file after scanning to avoid delays.
- Safe Links rewrites and scans URLs at time-of-click in email and Office documents, checking against Microsoft threat intelligence and blocking newly malicious sites.
- Defender for Office 365 Plan 1 includes Safe Attachments, Safe Links, and anti-phishing; Plan 2 adds Threat Explorer, Attack simulation training, and Automated Investigation and Response (AIR).
- Email authentication uses SPF (authorized senders, configured first), DKIM (cryptographic signing enabled per domain in the Defender portal), and DMARC; a DMARC record with p=reject tells receivers to reject messages that fail authentication.
- Threat Explorer (Plan 2) lets you investigate threats and use the Purge action to soft- or hard-delete malicious messages already delivered to mailboxes.
- Attack surface reduction (ASR) rules block risky behaviors (such as Office apps spawning child processes) and are deployed via Microsoft Intune or Group Policy as part of Defender for Endpoint.
- Microsoft Secure Score quantifies your identity, device, and app security posture and provides prioritized, impact-rated improvement actions to track maturity over time.
- When an account is compromised, the immediate remediation is to reset the user's password and revoke active sessions (sign-ins/refresh tokens) to terminate attacker access.
- Microsoft Entra Smart Lockout protects against password-spray and brute-force attacks by locking out attackers while distinguishing legitimate users by familiar location.
- Microsoft Defender for Cloud Apps is the CASB that discovers shadow IT and controls cloud app usage; Microsoft Defender for Identity uses sensors on domain controllers to detect identity-based attacks on-premises.
- Unified audit logging is enabled and searched in the Microsoft Purview portal under Audit, capturing activity across Exchange, SharePoint, Teams, and other workloads.
- Microsoft Purview Message Encryption is applied through Exchange Online mail flow (transport) rules to encrypt outbound mail meeting defined conditions.
Domain 4: Manage Compliance
- Data Loss Prevention (DLP) policies detect sensitive data (using built-in or custom sensitive information types) across Exchange, SharePoint, OneDrive, Teams, and endpoints, then block, warn, or encrypt; a policy can block with user override requiring business justification that is logged.
- Sensitive information types (SITs) match patterns such as credit card numbers; you can create a custom SIT when built-in types do not match your data (for example, an internal employee ID format).
- Retention policies (location-based) and retention labels (item-level) govern how long content is kept and what happens after; auto-apply retention label policies can apply a label automatically based on a keyword query or SIT match.
- When retention and deletion settings conflict, retention always wins: content is retained for the full period before any deletion takes effect (for example, retain 5 years then delete).
- Retention settings apply across Exchange Online mailboxes, SharePoint Online sites, OneDrive, Microsoft 365 group sites/Teams, and Teams chat and channel messages.
- Sensitivity labels classify and protect content with metadata that travels with the file; a single label can apply Azure Rights Management encryption and visual markings (headers, footers, watermarks) at once.
- Auto-labeling policies in Purview apply sensitivity labels automatically to content at rest in SharePoint/OneDrive and to email in transit, without relying on the user.
- eDiscovery (Standard) combines content search with the ability to place legal holds across Exchange, SharePoint, OneDrive, and Teams; eDiscovery (Premium) adds custodian management, advanced indexing, review sets, and analytics.
- A legal hold (eDiscovery hold) preserves content so it cannot be permanently deleted while litigation or investigation is in progress, even if a user tries to delete it.
- Microsoft Purview Compliance Manager provides a compliance score and prioritized improvement actions mapped to regulations, combining Microsoft-managed and customer-managed actions that update as work is completed.
- Default unified audit log retention is 180 days for most plans, and 1 year (365 days) with Audit (Premium), which is included with Microsoft 365 E5; if audit search returns nothing, audit logging may not be enabled.
- Information barriers prevent specified groups (for example, Finance and external contractors) from communicating or collaborating, so an unauthorized user is denied access to that team or channel.
- Microsoft Purview Message Encryption (often via DLP or mail flow rule action) protects outbound email so only authorized recipients can read it.
- Insider risk management and communication compliance detect and mitigate internal risks such as data theft and policy violations, while records management governs the full retention-and-disposal lifecycle of high-value records.
MS-102 exam tips
- Read case studies twice: identify the tenant's licensing (Entra ID P1 vs P2, Defender Plan 1 vs Plan 2, E3 vs E5) first, because the correct tool often depends on which features the subscription actually includes.
- Memorize the DNS record map for Microsoft 365: TXT for domain verification, MX to <tenant>.mail.protection.outlook.com, SPF TXT including spf.protection.outlook.com, and CNAME/TXT for DKIM and autodiscover.
- Know which admin center owns each task: Microsoft 365 admin center (tenant, users, licenses), Entra admin center (identity, Conditional Access, PIM), Defender portal (threats, Safe Links/Attachments), and Purview portal (DLP, retention, eDiscovery, Audit).
- Distinguish look-alike features under pressure: PHS vs PTA, Security defaults vs Conditional Access, Safe Attachments vs Safe Links, retention policy vs retention label, and eDiscovery Standard vs Premium.
- Watch for the 'first/immediate step' phrasing: for compromised accounts reset password and revoke sessions; for email auth configure SPF first; and always exclude break-glass accounts before enforcing Conditional Access.
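An added example (not part of the original guide): a small Python check of the DNS record map above and of the SPF/DMARC points under Domain 3, run against constructed sample records rather than live lookups. The zone data and the `audit` and `parse_tags` names are assumptions of this example; it also goes slightly beyond the guide by flagging duplicate SPF or DMARC records, and it does not check DKIM.

```python
# Constructed sample records keyed by (name, type); nothing here is a live DNS lookup.
SAMPLE_ZONE = {
    ("contoso.com", "MX"): ["0 contoso-com.mail.protection.outlook.com."],
    ("contoso.com", "TXT"): [
        "MS=ms00000000",  # placeholder domain-verification token
        "v=spf1 include:spf.protection.outlook.com -all",
    ],
    ("_dmarc.contoso.com", "TXT"): ["v=DMARC1; p=none; rua=mailto:dmarc@contoso.com"],
}


def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit(domain, zone):
    """Return a list of findings for the MX, SPF and DMARC records of `domain`."""
    findings = []

    # MX: at least one exchanger must be the Microsoft 365 endpoint.
    mx_hosts = [v.split()[-1].rstrip(".").lower() for v in zone.get((domain, "MX"), [])]
    if not any(h.endswith(".mail.protection.outlook.com") for h in mx_hosts):
        findings.append("MX: no record points to <tenant>.mail.protection.outlook.com")

    # SPF: more than one v=spf1 record makes SPF evaluation fail (RFC 7208).
    spf = [t for t in zone.get((domain, "TXT"), []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly one v=spf1 record, found {len(spf)}")
    elif "include:spf.protection.outlook.com" not in spf[0].lower().split():
        findings.append("SPF: missing include:spf.protection.outlook.com")

    # DMARC: published at _dmarc.<domain>; only p=reject asks receivers to reject.
    dmarc = [t for t in zone.get(("_dmarc." + domain, "TXT"), [])
             if t.upper().startswith("V=DMARC1")]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected exactly one v=DMARC1 record, found {len(dmarc)}")
    else:
        policy = parse_tags(dmarc[0]).get("p", "").lower()
        if policy != "reject":
            findings.append(f"DMARC: p={policy or '(missing)'}; receivers are not told to reject failures")
    return findings
```

With the sample zone, the only finding is the DMARC policy, which is still at p=none.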
Study guide FAQ
How is MS-102 structured and what is the passing score?
MS-102 covers four domains (tenant deployment, identity and access, security and threats, and compliance), runs 120 minutes, and typically includes 40-60 questions with one or more case studies. You need 700 on a scale of 1000 to pass; the score is scaled, not a simple percentage of questions correct.
Do I need to know PowerShell for the exam?
Yes, at a working level. Focus on the Microsoft.Graph PowerShell module (the modern replacement for the deprecated AzureAD and MSOnline modules) and the Exchange Online module. You should recognize cmdlets for bulk user, license, and policy management, but most tasks are also tested through the admin center UIs.
How much do licensing tiers matter on MS-102?
A lot. Many questions hinge on whether a feature is available: SSPR and Conditional Access require Entra ID P1, PIM and Identity Protection require P2, Threat Explorer/AIR/Attack simulation require Defender for Office 365 Plan 2, and 1-year audit retention plus advanced compliance features come with E5. Always check the stated subscription before picking an answer.
What is the difference between MS-102 and the older MS-100/MS-101 exams?
MS-102 consolidated and replaced the retired MS-100 (tenant and identity) and MS-101 (mobility, security, and compliance) into a single Microsoft 365 Administrator exam. It reflects current branding (Microsoft Entra, Microsoft Purview, Microsoft Defender) and remains the prerequisite-level exam for the Microsoft 365 Certified: Administrator Expert path.