The MS-102: Microsoft 365 Administrator exam is the certification exam for the Microsoft 365 Certified: Enterprise Administrator Expert credential. It replaced the MS-100 and MS-101 exams in September 2023, consolidating all Microsoft 365 administrator competencies into one comprehensive assessment.
Passing MS-102 proves you can deploy, configure, and manage Microsoft 365 tenants in enterprise environments. It's aimed at IT professionals who handle Microsoft 365 services including Exchange Online, SharePoint Online, Microsoft Teams, Entra ID (formerly Azure AD), Defender for Microsoft 365, and Microsoft Purview.
The exam tests real-world skills rather than pure memorization. You need to understand how the Microsoft 365 ecosystem interconnects โ how identity synchronization feeds into conditional access, how data loss prevention ties into sensitivity labeling, and how compliance policies affect the entire tenant. Studying scattered topics in isolation doesn't work well for MS-102; you need to understand the architecture holistically.
Microsoft updates MS-102 objectives periodically, so always verify the current skills measured document on Microsoft Learn before scheduling. As of 2025, the exam covers four functional groups: managing Microsoft 365 tenants, implementing identity synchronization and access, implementing security and threat protection, and managing compliance and data governance.
The exam costs $165 USD and consists of 40โ60 questions. You need a score of 700 out of 1000 to pass. Question types include multiple choice, drag and drop, scenario-based case studies, and lab simulations where you configure an actual Microsoft 365 environment in a sandboxed browser. Lab simulation questions are particularly challenging because they test procedural knowledge โ you must know exactly where settings live in the admin centers.
Understanding the exam domains helps you allocate study time where it matters most. MS-102 is divided into four major functional areas, each weighted differently in terms of how many questions you'll encounter.
The Manage a Microsoft 365 tenant domain covers approximately 25โ30% of the exam. This includes deploying Microsoft 365 Apps, managing Microsoft 365 Apps for enterprise, planning and implementing tenant configurations, monitoring Microsoft 365 health and usage, and troubleshooting services. You need to know how to use the Microsoft 365 admin center, PowerShell (Microsoft Graph PowerShell SDK and Exchange Online PowerShell), and diagnostic tools like the Microsoft Remote Connectivity Analyzer.
The Implement and manage identity and access in Microsoft Entra ID domain covers approximately 25โ30% of the exam. This is a deep dive into Entra ID configuration including directory synchronization with Microsoft Entra Connect, password hash sync versus pass-through authentication versus federation, MFA, self-service password reset, conditional access policies, Privileged Identity Management (PIM), and identity governance including entitlement management and access reviews.
The Manage security and threats by using Microsoft Defender XDR domain covers approximately 25โ30% of the exam. You need hands-on knowledge of Defender for Office 365, Defender for Endpoint onboarding and management, Defender for Identity, Microsoft Sentinel integration basics, attack simulation training, and the Microsoft Defender portal.
The Manage compliance by using Microsoft Purview domain covers approximately 15โ20% of the exam. This includes sensitivity labels and label policies, DLP policies, retention policies and retention labels, eDiscovery cases, communication compliance, and insider risk management.
Identity and security together make up over 50% of the MS-102 exam. If you're pressed for study time, prioritize Entra ID configuration and Microsoft Defender XDR over tenant management tasks. Compliance questions are fewer but tend to be the most precise โ policy rule logic must be exactly right.
The identity domain is where many candidates struggle, because it requires understanding both the conceptual architecture and the specific configuration steps in Entra ID.
Microsoft Entra Connect (formerly Azure AD Connect) synchronizes objects from on-premises Active Directory to Entra ID. You must understand synchronization rules, attribute filtering, and the difference between full synchronization and delta synchronization. The three main authentication methods โ password hash synchronization (PHS), pass-through authentication (PTA), and Active Directory Federation Services (AD FS) โ each have distinct security, performance, and infrastructure trade-offs.
PHS replicates password hashes to the cloud and provides the most resilience. PTA validates passwords against on-premises AD in real time but requires PTA agents to be online. AD FS provides full federation but demands significant infrastructure investment and has largely fallen out of favor for new deployments.
Conditional access policies are a major exam focus. You need to understand the grant controls (require MFA, require compliant device, require hybrid Entra joined device, require approved app) versus the session controls (sign-in frequency, persistent browser session, app-enforced restrictions). Named locations, sign-in risk and user risk policies from Entra ID Protection, and the interplay with device compliance from Intune are all tested. Know when to use report-only mode for testing new policies before enforcement.
Privileged Identity Management is consistently represented in the exam. PIM provides just-in-time privileged access โ users must explicitly activate eligible role assignments, provide a justification, and may require approval. You must know the difference between active assignments (always on) and eligible assignments (requires activation), how to configure role settings like activation duration and MFA requirements, and how access reviews work for both roles and group memberships.
Entra ID Governance features tested include entitlement management (access packages, catalogs, assignment policies, access reviews) and lifecycle workflows. Entitlement management automates access to groups, applications, and SharePoint sites through access packages. External identities โ B2B collaboration and B2B direct connect โ are also tested. Know the difference between invitation redemption, cross-tenant access settings, and how to configure trust settings for external Entra ID organizations.
Password Hash Synchronization (PHS) copies a hash of each user's on-premises password to Entra ID. Authentication happens in the cloud without contacting on-premises infrastructure.
Microsoft recommends PHS as the default for most organizations. When combined with Entra ID Protection, PHS also enables detection of leaked credentials from dark web data breach databases.
Pass-Through Authentication (PTA) validates user passwords directly against on-premises Active Directory in real time via lightweight agents installed on-premises.
PTA is a good choice for organizations with strict data sovereignty requirements that prevent storing any credential data in the cloud. However, plan for at least three PTA agents distributed across different servers for redundancy.
Active Directory Federation Services (AD FS) provides federated identity using your own STS (Security Token Service) infrastructure.
The Microsoft Defender XDR domain tests your ability to configure, manage, and respond to threats across the Microsoft 365 environment. The exam focuses heavily on configuration rather than incident response theory.
In Defender for Office 365, you must understand the difference between Plan 1 and Plan 2. Plan 1 adds safe links, safe attachments, and anti-phishing enhancements. Plan 2 adds threat investigation and response, attack simulator, and auto-investigation and remediation (AIR). Know how to configure anti-phishing policies including impersonation protection, spoof intelligence, and mailbox intelligence. Safe attachments policies should be set to block or dynamic delivery for maximum protection. Safe links should rewrite URLs and check at click time rather than just at delivery time.
Defender for Endpoint onboarding is tested at the configuration level: how to onboard Windows devices via Group Policy, Intune, Configuration Manager, and local script. Know the difference between audit mode (logs events but doesn't block) and block mode (actively prevents malicious actions). Attack surface reduction (ASR) rules reduce the attack surface by blocking behaviors like Office apps creating executable content or processes launching from email clients.
For Microsoft Purview compliance, sensitivity labels are one of the deepest topics. Understand the label scoping (items versus groups and sites), publishing labels to users, auto-labeling policies (service-side), and label priority (higher numbers = higher priority). DLP policies can be scoped to Exchange, SharePoint, OneDrive, Teams, devices, and cloud apps. Know how to configure DLP policy rules including conditions and actions such as restrict access, send notification, generate incident report, or block with override.
Retention policies and retention labels are frequently confused by candidates. Retention policies apply broadly to entire locations with a single retain-then-delete or delete-only action. Retention labels are applied per-item and can trigger disposition reviews or mark content as a record. The interaction between policies and labels follows a specific precedence: retain-then-delete wins over delete-only, longer periods win over shorter, and labels win over policies for specific items.
Safe Links (rewrite and check at click time), Safe Attachments (block or dynamic delivery), anti-phishing with impersonation protection, spoof intelligence, and mailbox intelligence. Included with Microsoft 365 Business Premium and some E3 variants.
Everything in Plan 1 plus: Threat Explorer and Real-time Detections, Attack Simulation Training, Automated Investigation and Response (AIR), Campaign Views, and Threat Trackers. Included with Microsoft 365 E5.
Set impersonation protection for key users and domains. Enable mailbox intelligence. Configure the action for impersonated senders to quarantine rather than junk. Enable safety tips and unusual character notifications.
Use Dynamic Delivery to prevent delays โ recipients get the message immediately with a placeholder while the attachment is scanned. Block or Replace modes hold the entire message, causing delays for end users.
The tenant management domain covers the operational side of running a Microsoft 365 environment โ the day-to-day administration tasks that Microsoft 365 administrators perform repeatedly.
Microsoft 365 Apps deployment is a significant sub-topic. You must understand the Office Deployment Tool (ODT) and configuration XML files for deploying Microsoft 365 Apps for enterprise. Know how to configure update channels: Current Channel (latest features monthly), Monthly Enterprise Channel (monthly but one to two months behind Current Channel), and Semi-Annual Enterprise Channel (twice per year, ideal for organizations that need more testing time). Microsoft 365 Apps admin center provides inventory reporting and servicing profiles for update management.
Microsoft 365 service health and monitoring is tested at a practical level. The Service Health dashboard shows incidents and advisories. You should know the difference between an incident (service is degraded or unavailable) and an advisory (service is available but degraded or with workarounds). The Message Center shows planned changes, major updates, and new features. PowerShell commands like Get-ServiceHealth via the Microsoft Graph PowerShell SDK let you automate health monitoring.
Licensing management includes assigning licenses to users directly or via group-based licensing. Know how to identify licensing conflicts and resolve them. License reports in the admin center or via Microsoft Graph can show which licenses are assigned, available, and consumed.
PowerShell administration is indispensable for the MS-102 exam. You need comfort with the Microsoft Graph PowerShell SDK, Exchange Online PowerShell, and SharePoint Online Management Shell. The exam presents PowerShell output and asks you to interpret it, or presents cmdlet options and asks which one accomplishes a specific task. Common cmdlets: Get-MgUser, Set-MgUser, Get-MgGroup, Get-Mailbox, Set-Mailbox, New-TransportRule, Get-SPOSite.
A structured study plan dramatically improves pass rates compared to unguided reading. Here's a framework that works for candidates with some Microsoft 365 experience.
Weeks 1โ2: Foundation. Start with Microsoft Learn's MS-102 learning path (free, official, and aligned to the exam objectives). Don't rush through it โ follow along in a trial tenant. Microsoft offers a free 30-day trial of Microsoft 365 E5, which gives you access to all Defender and Purview features. Create test users, configure synchronization with a small test AD, and work through each feature hands-on.
Weeks 3โ4: Identity deep dive. Spend dedicated time on Entra ID. Configure Entra Connect in a lab, deploy conditional access policies in report-only mode, enable PIM for a test role, and walk through the entitlement management access package workflow. The Microsoft documentation for Entra ID is excellent โ the conceptual architecture articles are worth reading alongside the how-to guides.
Weeks 5โ6: Security and compliance. Work through Defender for Office 365 configuration, set up a simulation attack in Attack Simulator, configure DLP policies and test them with synthetic sensitive documents, and create retention labels with disposition reviews. Navigate the Microsoft Purview compliance portal repeatedly until you know instinctively where each feature lives.
Weeks 7โ8: Practice tests and gap analysis. Switch to active recall: take full practice exams under timed conditions, note every question you got wrong or guessed on, and review those specific topics. Don't re-read the entire material โ targeted gap review is far more efficient at this stage. Review the Microsoft documentation for each topic you missed rather than going back to a general study guide.
Candidates often ask whether they need the Microsoft 365 E5 trial or if an E3 trial will suffice. The honest answer is that you need E5 for full preparation. Defender for Office 365 Plan 2 features โ Attack Simulation Training, Threat Explorer, and AIR โ are E5-only. Purview insider risk management and communication compliance are also E5-only.
Without hands-on experience in these areas, you'll be going into the lab simulation questions blind. The 30-day trial is sufficient if you start your hands-on labs in the first two weeks of your study plan and keep notes as you work through each feature area.
One often-overlooked preparation resource is the Microsoft Tech Community blog and the What's New in Microsoft 365 updates. Microsoft frequently adds new features that quickly appear in exam updates. If an MS-102 objective mentions a feature that seems unfamiliar from your existing knowledge, check whether it's a recent addition. The Microsoft Learn documentation for newer features like Entra External ID, Microsoft Security Exposure Management, and Purview Data Lifecycle Management has improved significantly and often provides the clearest explanation of how features interconnect.
Practice tests are the single most valuable preparation tool for MS-102, but only if you use them correctly. The goal isn't to memorize question-answer pairs โ it's to identify gaps in your understanding so you know where to study next.
Use practice tests in two modes. First, take a full timed test at the start of your preparation to baseline your current knowledge and identify which domains need the most work. Then use targeted practice sets for individual domains throughout your study period. In the final week, take two to three full timed tests to simulate exam conditions and build the mental stamina required for 120 minutes of focused exam work.
When you get a question wrong, don't just read the answer โ understand why the wrong answers are wrong. Microsoft exam questions are carefully written so that each wrong answer represents a plausible but incorrect approach. Understanding why each distractor is wrong deepens your understanding far more than simply confirming the correct answer.
For lab simulation questions, practice navigating Microsoft 365 admin centers quickly. The Entra admin center, Microsoft 365 admin center, Defender portal, and Purview compliance portal each have their own navigation patterns. Familiarity with where features live saves critical minutes during the actual exam. Beyond practice tests, the Microsoft documentation (learn.microsoft.com) is the authoritative source for MS-102 content. When exam questions are ambiguous, the correct answer is almost always based on official Microsoft documentation rather than best practices you may have learned on the job.
One common mistake candidates make is waiting until they feel "ready" to take practice tests. Don't wait โ start taking practice tests in week one, even if you expect to fail them. Early exposure to the question format and content scope helps direct your study more efficiently than following a generic study guide chapter by chapter. The discomfort of getting questions wrong early is far preferable to discovering your weakest areas the night before the actual exam.