What is the MS-102 exam?

Exam MS-102: Microsoft 365 Administrator is the Microsoft role-based exam that earns the Microsoft 365 Certified: Administrator Expert credential. It tests your ability to deploy and manage a Microsoft 365 tenant, implement Microsoft Entra identity and access, manage security and threats with Microsoft Defender XDR, and manage compliance with Microsoft Purview. MS-102 launched March 28, 2023 and replaced the retired MS-100 + MS-101 pair.

How much does MS-102 cost in 2026?

The MS-102 exam fee is $165 USD in the United States. Fees vary by country (for example, approximately $55 in India and £113 in the UK) due to local currency, tax, and Microsoft regional pricing. Microsoft periodically offers discount vouchers via partner training, Microsoft Learn Challenges, and Microsoft Ignite / Build events.

What is the passing score for MS-102?

MS-102 uses a scaled scoring model from 1 to 1000, and the passing score is 700. Microsoft does not publish per-item weighting; case-study and performance-based lab items generally count for more than simpler multiple-choice items. You receive your pass/fail result and scaled score immediately at the test center or OnVUE session end, with a detailed skills breakdown emailed within 1-3 business days.

What is the difference between MS-102 and MS-100 / MS-101?

MS-100 (Microsoft 365 Identity and Services) and MS-101 (Microsoft 365 Mobility and Security) were the two-exam pair required for the old Microsoft 365 Certified: Enterprise Administrator Expert credential. Both retired on September 30, 2023. MS-102 consolidated the content into a single exam with heavier emphasis on Microsoft Entra ID (formerly Azure AD), Microsoft Defender XDR, and Microsoft Purview. Old MS-100/MS-101 holders cannot renew those credentials and must sit MS-102 to earn the current Administrator Expert title.

Do I need to know PowerShell and Microsoft Graph for MS-102?

You do not need to write production scripts, but MS-102 can include drag-and-drop cmdlet-ordering items and performance-based labs that use the Microsoft 365 admin center, the Entra admin center, and occasionally Microsoft Graph PowerShell. Know the basics: Connect-MgGraph, Get-MgUser, New-MgGroup, Set-Mailbox, and the Exchange Online V3 module. Candidates who can do common admin tasks with both the GUI and PowerShell score materially higher.

MS-102 is considered moderately difficult for experienced M365 administrators and harder for newcomers. Microsoft does not publish pass rates, but community reporting puts first-time pass rates roughly in the 55-65% range. Difficulty comes from the breadth (four domains across tenant admin, identity, security, compliance), the case-study format, and the Defender XDR domain which is weighted 30-35%. Plan 8-12 weeks of ~8-10 hour/week preparation plus hands-on tenant time.

How long is the MS-102 exam?

The MS-102 exam gives candidates 100 minutes of exam time, with roughly 20 additional minutes for instructions, the non-disclosure agreement, and tutorial, for a total seat time of approximately 120 minutes. It contains approximately 40-60 items, including multiple choice, multi-select, drag-and-drop, case studies, and performance-based lab questions. Approved accommodations add extra time when requested through Pearson VUE.

What happens if I fail MS-102?

Microsoft's exam retake policy allows a 24-hour wait after your first failed attempt. For attempts 2, 3, 4, and 5 you must wait 14 days between attempts. You may take MS-102 a maximum of 5 times per 12-month period. Each retake requires paying the full $165 fee. After a failure, review your skill-area breakdown (emailed within 1-3 business days), target the weakest domain, spend at least two weeks in hands-on M365 tenant practice, and do two timed full-length mocks before rebooking.

How long is the Microsoft 365 Administrator Expert certification valid?

The Microsoft 365 Certified: Administrator Expert certification is valid for one year from the date you pass MS-102. Renewal is FREE through Microsoft Learn via an unproctored online assessment that opens 6 months before expiration. The renewal assessment is shorter than the full exam (typically 25-35 questions) and focuses on what has changed in Microsoft 365 since your initial certification. If a certification lapses, it cannot be renewed and you must retake the full MS-102.

Should I take MS-102 or SC-300 first?

MS-102 covers tenant-wide Microsoft 365 administration across identity, security, and compliance. SC-300 (Microsoft Certified: Identity and Access Administrator Associate) is identity-focused: Entra ID design, hybrid identity, authentication methods, Conditional Access, identity governance. If your role owns the broader M365 tenant, take MS-102 first. If your role is identity-specialist, take SC-300 first. Many modern workplace teams expect both, and there is substantial overlap in the Entra ID content.

What is the salary for a Microsoft 365 Administrator in 2026?

US Microsoft 365 Administrator total compensation in 2026 typically ranges $85,000-$130,000, with a median near $100K-$108K per Glassdoor, ZipRecruiter, Salary.com, and Robert Half's 2026 Tech Salary Guide. Senior / collaboration engineer roles reach $115K-$145K; M365 architects $140K-$190K; identity / security architects $160K-$220K+. LinkedIn Talent Insights shows 20,000+ open US roles tagged "Microsoft 365 administrator" with 15-25% year-over-year growth. MS-102 certification typically adds a 10-15% compensation premium at the same experience level.

What is Microsoft Entra ID and why does MS-102 test it so heavily?

Microsoft Entra ID is the 2023 rebrand of Azure Active Directory (Azure AD). It is Microsoft's cloud-based identity and access management service - the identity backbone for every Microsoft 365 workload, plus thousands of SaaS apps via SSO. MS-102 tests Entra ID heavily because nothing else in M365 works without it: users, licensing, roles, Conditional Access, MFA, SSO, device identity, and Defender for Identity all flow through Entra. Domain 2 explicitly covers Entra identity synchronization (Connect Sync vs Cloud Sync), authentication methods, Conditional Access, and Identity Protection.

FREE MS-102 Exam Guide 2026: Pass Microsoft 365 Administrator

MS-102 Exam Guide 2026: The Only Walkthrough Built Around the Current Skills Measured Outline

If you are a Microsoft 365 administrator in 2026, the single certification that defines your career tier is Exam MS-102: Microsoft 365 Administrator. It is the sole exam standing between you and the Microsoft 365 Certified: Administrator Expert credential - a role-based cert that regulated industries, MSP partners, and enterprise tenants explicitly call out in job descriptions.

Most guides on the internet still reference MS-100 and MS-101, the two-exam predecessor pair Microsoft retired in 2023. If a study plan mentions "sit MS-100 first," it is out of date. This guide is written exclusively for the 2026 exam window: current skills-measured weights, the Entra ID + Defender XDR + Purview stack, the $165 USD Pearson VUE fee, the 700/1000 passing score, and the free Microsoft Learn renewal.

MS-102 At-a-Glance (2026)

Item	Detail (2026)
Full Name	Exam MS-102: Microsoft 365 Administrator
Credential Earned	Microsoft 365 Certified: Administrator Expert
Delivery	Pearson VUE (test center or online-proctored OnVUE)
Questions	~40-60 items (multiple choice, multi-select, drag-and-drop, case studies, lab/performance-based)
Time Limit	100 minutes of exam time (~120 minutes total seat time with NDA, instructions, tutorial)
Passing Score	700 out of 1000 (scaled)
Exam Fee	$165 USD (varies by country; India ~$55, UK £113)
Prerequisites	None to sit MS-102; however MS-102 is itself the prerequisite for the Administrator Expert credential
Languages	English, Japanese, Chinese (Simplified), German, French, Spanish, Korean, Portuguese (Brazil), Italian
Certification Validity	1 year; renew FREE on Microsoft Learn (6-month window opens before expiration)
Retake Policy	24-hour wait after 1st fail; 14-day wait for attempts 2-5; max 5 attempts per 12 months
Launched	March 28, 2023 (replacing MS-100 + MS-101, both retired September 30, 2023)
Related	AZ-104 (Azure Administrator), SC-300 (Identity & Access Administrator), SC-400 (Information Protection), MS-700 (Teams Administrator)

Source: Microsoft Learn exam page (learn.microsoft.com/credentials/certifications/exams/ms-102), Microsoft MS-102 Study Guide, and Pearson VUE scheduling portal.

Start Your FREE MS-102 Prep Today

Start FREE MS-102 practice questions for the Microsoft 365 Administrator examPractice questions with detailed explanations

Why MS-102 (and Why It Replaced MS-100 + MS-101)

Before March 28, 2023, to earn the Microsoft 365 Certified: Enterprise Administrator Expert title you had to pass two exams:

MS-100: Microsoft 365 Identity and Services - tenant planning, identity synchronization, federation, and workloads.
MS-101: Microsoft 365 Mobility and Security - device management, threat protection, information governance, and compliance.

Both exams retired on September 30, 2023. Microsoft consolidated the content into a single exam - MS-102 - and renamed the credential simply Microsoft 365 Certified: Administrator Expert (dropping "Enterprise"). The new exam is narrower in scope than MS-100 + MS-101 combined, but tests each domain deeper and with heavier emphasis on Entra ID, Microsoft Defender XDR, and Microsoft Purview - the three pillars Microsoft has invested most aggressively in since 2023.

If you hold old MS-100 or MS-101 credentials, you can no longer renew them. The only path to the current Administrator Expert title is MS-102.

Who Should Sit MS-102

The Microsoft skills outline targets professionals who:

Administer Microsoft 365 tenants end-to-end: tenant setup, domains, licensing, role-based access.
Manage identity via Microsoft Entra ID (formerly Azure AD), Entra Connect Sync / Cloud Sync, and hybrid identity.
Operate security controls across Microsoft Defender XDR (Defender for Office 365, Defender for Endpoint, Defender for Identity, Defender for Cloud Apps).
Manage compliance via Microsoft Purview (DLP, Information Protection, eDiscovery, Insider Risk, Communication Compliance).
Support cross-workload governance across Exchange Online, SharePoint Online, OneDrive, Teams, and Intune.

Candidate Profile	Why MS-102 Fits
Existing M365 admins with MS-100/MS-101	Only current path to Administrator Expert; old credentials cannot be renewed
Help desk / IT pros moving into admin roles	Validates cross-workload admin competency at the Expert tier
Azure admins (AZ-104) expanding into M365	Natural lateral move; ~30% of content overlaps with Entra fundamentals
MSPs and Microsoft partners	MS-102 frequently required for partner competency designations
Security-adjacent admins	Exposure to Defender XDR and Purview sets up SC-200, SC-300, SC-400 paths

If your role is purely identity-focused, sit SC-300 (Identity & Access Administrator Associate) instead. If your role is purely security operations, sit SC-200 (Security Operations Analyst). MS-102 is the right choice when you own the tenant broadly, not just one workload.

Build MS-102 Mastery with FREE Practice Questions

Access FREE MS-102 practice questionsPractice questions with detailed explanations

MS-102 Skills Measured (2026 Domain Weights)

The official Microsoft Learn skills outline for MS-102 has been revised multiple times since launch - most recently in early 2026 - reflecting the rebrands (Azure AD -> Microsoft Entra ID, Microsoft 365 Defender -> Microsoft Defender XDR) and new GA features (Conditional Access for workload identities, Purview Insider Risk auto-labeling, Defender XDR unified portal). Always verify against the current PDF at aka.ms/MS-102-study-guide before test day.

Domain	2026 Weight	What It Covers
1. Deploy and manage a Microsoft 365 tenant	25-30%	Tenant setup, domains, organizational settings, users/groups/licenses, roles, health and adoption reporting
2. Implement and manage Microsoft Entra identity and access	15-20%	Entra ID Connect Sync / Cloud Sync, hybrid identity, authentication methods, Conditional Access, identity protection
3. Manage security and threats by using Microsoft Defender XDR	30-35%	Defender for Office 365, Defender for Endpoint, Defender for Identity, Defender for Cloud Apps, incident response
4. Manage compliance by using Microsoft Purview	15-20%	DLP, Information Protection (sensitivity labels), retention, eDiscovery, Insider Risk, Communication Compliance

Source: Microsoft MS-102 Study Guide, 2026 revision.

Domain 3 (Defender XDR) is the heaviest single domain. Do not under-study it.

Domain 1: Deploy and Manage a Microsoft 365 Tenant (25-30%)

This is the "core admin" domain - tenant hygiene, users, groups, licensing, and cross-workload oversight.

Plan and configure the tenant

Initial tenant setup, tenant name, and primary domain.
Add and verify custom domains (TXT / MX records), plan domain-based email routing.
Configure organizational settings: release preferences (targeted release), password policies, self-service settings.
Configure usage analytics (Microsoft 365 usage reports, Viva Insights organizational analytics).

Manage users, licenses, and mail-enabled objects

Create, modify, bulk-import, and delete user accounts (admin center, PowerShell, Graph).
Assign licenses directly vs via group-based licensing; understand license conflicts and dependencies.
Manage guest users (B2B collaboration) and contact objects.
Manage mailboxes, shared mailboxes, distribution groups, Microsoft 365 groups, and mail-enabled security groups.

Manage roles and role groups

Use Microsoft 365 admin roles (Global Admin, Exchange Admin, Teams Admin, SharePoint Admin, User Admin, Security Admin, Compliance Admin, etc.).
Apply Privileged Identity Management (PIM) just-in-time elevation for Entra ID roles.
Limit Global Admin count to the recommended 2-4 break-glass accounts.

Monitor tenant health and service

Service health dashboard, Message center advisories, Microsoft 365 health status API.
Adoption Score trends and Viva Insights organizational reports (some signals now surfaced through Viva Insights).
Tenant-wide reports (active users, email activity, OneDrive storage, Teams usage).

Domain 2: Implement and Manage Microsoft Entra Identity and Access (15-20%)

Entra ID is the backbone of every other domain. This section is short but dense.

Plan and implement identity synchronization

Entra Connect Sync (traditional AD Connect Sync, on-prem server) - full tenant sync, filtering, password hash sync, pass-through authentication.
Entra Cloud Sync (lightweight agent, cloud-managed) - multi-forest, preview features, and when to pick Cloud Sync vs Connect Sync.
Hybrid configurations: federation with AD FS vs pass-through auth vs password hash sync + seamless SSO.
Object filtering, attribute filtering, Entra Connect Health monitoring.

Manage authentication methods

Authentication methods policy (migration from legacy MFA/SSPR policies).
Methods: Microsoft Authenticator (push + number matching), FIDO2 security keys, Windows Hello for Business, passkeys, SMS, voice, OATH tokens, Temporary Access Pass (TAP).
Passwordless rollout and phishing-resistant MFA enforcement.
Combined registration experience (SSPR + MFA).

Conditional Access and identity protection

Design Conditional Access policies: users/groups, cloud apps, conditions (sign-in risk, user risk, device platform, location, client apps), controls (grant/block, require MFA, compliant device, terms of use).
Report-only mode vs enabled; What-If tool; sign-in logs.
Identity Protection: user risk + sign-in risk policies; risky users / risky sign-ins remediation.
Workload identity Conditional Access (service principals) - newer scope in 2026.

Domain 3: Manage Security and Threats by Using Microsoft Defender XDR (30-35%)

The largest domain and the one that changed most in the 2026 outline. Microsoft unified "Microsoft 365 Defender" into Microsoft Defender XDR with a single portal at security.microsoft.com.

Microsoft Defender for Office 365

Safe Attachments, Safe Links, anti-phishing, anti-spam, anti-malware policies.
Preset security policies (Standard, Strict) vs custom.
Configuration analyzer and secure score recommendations.
Attack simulation training.
Threat Explorer, Real-time detections, and incident investigation.

Microsoft Defender for Endpoint

Onboarding workflows (Intune, Group Policy, local script, Configuration Manager).
Attack Surface Reduction (ASR) rules, tamper protection, controlled folder access.
Endpoint detection and response (EDR), live response, automated investigation and response (AIR).
Vulnerability management, device groups, device tags.

Microsoft Defender for Identity

Sensors on domain controllers and AD FS servers.
Detect reconnaissance, credential theft (Pass-the-Hash, Pass-the-Ticket, Golden Ticket), lateral movement.
Integrate with Defender XDR for hybrid identity signals.

Microsoft Defender for Cloud Apps (formerly Cloud App Security / MCAS)

Connect SaaS apps, shadow IT discovery (Cloud Discovery), session policies via reverse proxy.
App governance, OAuth app policies, Conditional Access App Control.

Defender XDR unified operations

Incidents, alerts, advanced hunting (KQL across email, identity, endpoint, cloud).
Microsoft Secure Score.
Automated attack disruption.

Domain 4: Manage Compliance by Using Microsoft Purview (15-20%)

Purview is the rebrand that absorbed the old Microsoft 365 Compliance Center.

Data Loss Prevention (DLP)

Policies across Exchange Online, SharePoint, OneDrive, Teams chat, Defender for Cloud Apps, on-prem (via Purview Information Protection scanner), and endpoint DLP (Windows/macOS).
Sensitive info types (SITs), exact data match (EDM), trainable classifiers.
Policy tips, incident reports, overrides.

Information Protection and sensitivity labels

Create, publish, and auto-apply sensitivity labels.
Encryption with Azure Rights Management, content marking, access restrictions.
Label policies per group, mandatory labeling, default labels.
Protect Teams, SharePoint sites, and M365 Groups with container labels.

Retention and records management

Retention policies vs retention labels, adaptive scopes vs static scopes.
Records management (declare, lock, review disposition).

eDiscovery

eDiscovery (Standard) vs eDiscovery (Premium): case workflow, custodians, holds, collections, reviews, export.
Content Search vs eDiscovery case search.

Insider Risk Management and Communication Compliance

Policy templates: data theft by departing users, data leaks, general data leaks, offensive language.
Alerts, cases, and investigation workflow.

Cost and Registration (2026)

Item	Cost	Notes
Exam fee (US)	$165	Varies by country
Microsoft 365 Developer Program tenant	$0	Free sandbox with sample users/data (conditions apply)
Microsoft Learn training	$0	Free official learning path + sandbox labs
OpenExamPrep practice	$0	Free scenario bank with AI explanations
MeasureUp practice tests	~$129	Closest to the real item style (optional)
Instructor-led bootcamp (Andy Malone, John Christopher, Pluralsight)	$200-$2,000	Optional
Renewal	$0	Free Microsoft Learn assessment yearly
Typical all-in first-time cost	$165-$500	Lower end if self-study only

Register via the MS-102 page on Microsoft Learn - the Schedule Exam button hands off to Pearson VUE. Pick test center or online-proctored (OnVUE). Confirm your Microsoft Learn profile name matches your government-issued ID exactly; mismatches cause same-day cancellations.

Renewal: FREE on Microsoft Learn After 1 Year

Like every Microsoft role-based certification, MS-102 is valid for one year from the date you pass. Renewal is FREE via Microsoft Learn - a browser-based, unproctored assessment opens in your Microsoft Learn profile 6 months before expiration. It is typically 25-35 questions focused on what has changed in Microsoft 365 since your initial pass (new Entra features, Defender XDR updates, Purview releases). You can retake the renewal unlimited times.

If a certification lapses, it cannot be renewed. You would need to re-sit the full MS-102 at $165. Set a calendar reminder 9 months after your pass date.

8-12 Week MS-102 Study Plan

Most candidates come from AZ-104, MS-100/MS-101 alumni work, or hands-on M365 admin roles. This plan assumes ~8-10 hours per week.

Week	Focus	Deliverable
Week 1	Tenant fundamentals, domains, licensing	Provision a free M365 Developer tenant; verify a custom domain
Week 2	Users, groups, roles, PIM	Bulk-import 25 users via CSV + PowerShell; configure PIM for Global Admin
Week 3	Entra ID basics, Connect Sync vs Cloud Sync	Install Entra Cloud Sync in a lab; sync on-prem OU
Week 4	Authentication methods, passwordless, Conditional Access	Build 3 Conditional Access policies: require MFA, block legacy auth, require compliant device
Week 5	Defender for Office 365 + Defender for Endpoint	Enable preset Strict policies; onboard a test device to Defender
Week 6	Defender for Identity + Defender for Cloud Apps	Install MDI sensor (lab DC); connect a SaaS app to Defender for Cloud Apps
Week 7	Defender XDR unified: incidents, hunting, Secure Score	Run 5 KQL advanced-hunting queries across email + endpoint
Week 8	Purview DLP + sensitivity labels	Publish a sensitivity label with encryption; build a DLP policy across Exchange/SharePoint/Teams
Week 9	Purview retention + eDiscovery + Insider Risk	Create a retention policy; open a mock eDiscovery Premium case
Week 10	Review weak domains, take first timed mock	Target >70% on full-length mock
Week 11	Remediation + hands-on gap labs	Close weakest 2 sub-domains with Microsoft Learn modules
Week 12	Two timed full-length mocks; rest day before	Score >75% consistently before booking

If you are an experienced M365 admin, compress to 6-8 weeks by skipping Weeks 1-2.

Recommended MS-102 Resources (FREE-First)

Resource	Type	Why It Helps
OpenExamPrep MS-102 Practice (FREE)	Free, unlimited	Scenario items mapped to the 2026 skills outline with AI explanations
Microsoft Learn MS-102 learning path	Free	Official modules across all four domains; includes sandbox labs
Microsoft 365 Developer Program tenant	Free	90-day renewable sandbox tenant with sample users, Teams, SharePoint content
Microsoft MS-102 Study Guide (PDF)	Free	Authoritative skills-measured list; print it and check off weekly
Andy Malone MVP (YouTube)	Free	The gold standard for MS-102 walkthroughs; full exam cram + domain deep dives
John Christopher / JC Pierre (YouTube / Udemy)	Free + paid	Full MS-102 course with demos, popular on Udemy
Pluralsight MS-102 path	Paid	Structured video course from multiple Microsoft MVPs
MeasureUp MS-102 Practice Tests	Paid ($129)	Closest to the real item style and difficulty
Microsoft Tech Community (M365 admin, Defender, Purview)	Free forum	Real-world troubleshooting and product-team AMAs
Merill Fernando's "Entra.News" newsletter	Free	Weekly Entra ID updates

Hands-On Microsoft 365 Trial Tenant Strategy

MS-102 is not a memorize-the-facts exam. Case studies embed 2-4 pages of tenant context and multiple linked questions, and drag-and-drop + performance-based items reward real admin muscle memory. Without a live tenant you will run out of the 100 minutes.

Use the Microsoft 365 Developer Program (free, renewable) to provision a trial tenant with:

25 sample users with realistic Exchange/SharePoint/Teams content
E5 license-equivalent capabilities (Defender XDR, Purview, Entra ID P2) for dev/test
A refreshable sandbox you can reset between study sessions

If your employer has a Microsoft 365 E5 tenant, ask for a sandbox sub-tenant or a non-production OU. For Entra Connect Sync labs, spin up a small Hyper-V or Azure VM with AD DS.

Build at least these six scenarios end-to-end:

Custom domain verification + pilot user cutover from on-prem Exchange.
Entra Cloud Sync from an on-prem AD lab into a trial tenant.
Conditional Access: MFA for all users, block legacy auth, require compliant device for sensitive apps.
Defender for Endpoint onboarding via Intune, plus ASR rules + tamper protection.
DLP policy across Exchange/SharePoint/OneDrive/Teams with sensitive info types + policy tips.
eDiscovery Premium case: add custodian, place hold, run collection, review, export.

If you have built all six, you will recognize every scenario on the exam.

Test-Day Strategy: The Case-Study Format

MS-102 uses case studies, standalone items, and performance-based labs the same way other Microsoft Expert-tier exams do. The case-study format is where most first-time failures happen.

Before you sit:

Confirm your Microsoft Learn profile name matches your government ID exactly.
If online-proctored, run the Pearson VUE OnVUE system check 24 hours in advance.
Clear your desk; the proctor will ask for a 360-degree room scan.

During the exam:

Case studies appear as standalone timed sections (typically 2-3 cases). Once you submit a section you cannot return to it - but within a section you can flag, move back and forth, and review.
Read the question first, then skim the case study for the specific detail. Do not read all 4 pages twice.
Budget ~4-5 minutes per case-study item and ~1.5-2 minutes per standalone item.
On any ambiguous item, pick the option that is most aligned with Microsoft's current recommended best practice (Conditional Access over legacy MFA, Entra Cloud Sync over Connect Sync for new small deployments, Defender XDR unified portal over standalone Defender for Office).
Flag anything under 90% confidence; Microsoft gives you the full section time to revisit flagged items.

After the exam:

Immediate pass/fail with scaled score (0-1000, pass = 700).
A skills-measured breakdown is emailed within 1-3 business days.
If you fail, wait 24 hours for retake #1, 14 days for retakes 2-5.

Common Pitfalls That Sink First-Time Scores

Confusing Conditional Access with Identity Protection. Conditional Access grants or blocks access based on signals; Identity Protection detects risky users / risky sign-ins. Conditional Access consumes the risk signals Identity Protection generates. The exam uses subtle wording to separate them - pay attention to whether the question is about detection (Identity Protection) or enforcement (Conditional Access).
Not knowing the Defender XDR vs Purview boundary. Defender XDR is threats (malware, phishing, identity attacks, endpoint compromise). Purview is compliance (DLP, labels, retention, eDiscovery, insider risk). Example: a DLP policy alerting on PII exfiltration is Purview, not Defender. An anti-phishing policy quarantining a message is Defender, not Purview. Never confuse the two portals.
Studying MS-100 / MS-101 content. Federation with AD FS, Skype for Business hybrid, legacy Intune UI - all out of scope. If a resource still teaches those, it is out of date.
Under-studying Entra Cloud Sync vs Connect Sync trade-offs. Every revision of the outline has pushed Cloud Sync harder. Know the feature parity gaps (device writeback, password writeback, complex filtering) and when each is the right answer.
Skipping PowerShell / Graph completely. The exam is not a scripting test, but drag-and-drop items can include cmdlet ordering (Connect-MgGraph, Get-MgUser, New-MgGroup). Know the Microsoft Graph PowerShell module basics.
Ignoring Preset security policies in Defender for Office. "Standard" and "Strict" presets are the recommended modern answer over hand-rolled custom policies in most scenarios - Microsoft rewards the preset option.
Forgetting that DLP endpoint extension requires onboarding. Endpoint DLP only works on devices onboarded to Defender for Endpoint. This trips up case-study questions about DLP coverage on unmanaged devices.
No timed full-length practice. 100 minutes with case studies + performance-based labs + standalone items is tight. Two timed mocks minimum before test day.

Career Value and Salary (Microsoft 365 Administrator, 2026)

Microsoft 365 admin roles remain one of the most durable cloud-ops career tracks. Every enterprise that runs Exchange Online, SharePoint, Teams, or Intune needs people who can administer the tenant, enforce security, and manage compliance. MS-102 is explicitly referenced in many MSP and regulated-industry job descriptions.

Source (2026)	Microsoft 365 Administrator Pay
Glassdoor (US, "Microsoft 365 Administrator")	Median total comp ~$102,000/yr; range $85K-$130K
ZipRecruiter (M365 Admin, US)	Average $96,000/yr; range $72K-$125K
Salary.com (Microsoft 365 Administrator II)	Median $108,000/yr; range $90K-$128K
Robert Half Tech Salary Guide 2026	Systems admin + M365 range $90K-$135K with cert premium
LinkedIn Talent Insights	20,000+ US roles tagged "Microsoft 365 administrator"; 15-25% YoY growth

M365 Admin Career Ladder

Role	Typical 2026 US Pay	Next Step
Help desk / Tier 1 support	$45K-$65K	Earn MS-900 then MS-102
M365 Administrator (mid)	$85K-$120K	MS-102 + SC-300 or MS-700
Senior M365 / Collaboration Engineer	$115K-$145K	MS-102 + SC-300 + SC-400 + team lead scope
M365 / Modern Workplace Architect	$140K-$190K	MS-102 + AZ-104 + SC-100 + architectural ownership
Identity / Security Architect	$160K-$220K+	MS-102 + SC-100 + SC-300 + enterprise scope

The MS-102 + SC-300 pair is the single highest-ROI certification combination for M365 admins in 2026, unlocking both the Administrator Expert title and the Identity & Access Administrator Associate title.

Deep Dives on Three Topics Competitor Guides Skim

1. Entra Connect Sync vs Entra Cloud Sync

This is the most testable Domain 2 topic. Both tools sync on-prem Active Directory into Entra ID, but they differ meaningfully.

Factor	Entra Connect Sync	Entra Cloud Sync
Agent footprint	Full server install with SQL Server Express or SQL Server	Lightweight agent, any domain-joined Windows Server 2016+
Configuration	Local wizard, server-side rules	Cloud-managed in the Entra admin portal
Multi-forest	Single agent; complex rules needed	Multiple agents per forest natively supported
Device writeback	Supported	Not supported (as of early 2026)
Password writeback	Supported	Supported
Group writeback	Supported (to AD DS as security groups)	Limited
Complex attribute flows	Full rules engine	Basic attribute mapping; no custom sync rules
When to pick	Large tenants, complex AD, hybrid Exchange with device writeback	New small/mid deployments, multi-forest M&A, AD with minimal customization

The exam frequently asks "which is the minimal solution to sync a new forest after an acquisition" - the answer is usually Cloud Sync.

2. Conditional Access Nuance (What Trips Candidates Up)

Report-only mode is not the same as disabled. Report-only still evaluates the policy and logs the result, but never enforces - essential for pre-production testing.
Grant controls use AND/OR: "Require MFA AND Require compliant device" is much stricter than "Require MFA OR Require compliant device."
What-If tool is your friend for troubleshooting - use it to simulate specific user + app + condition combos.
Excluded users (break-glass accounts) should always include at least two emergency Global Admin accounts with long passphrases stored in a vault.
Workload identity Conditional Access (for service principals) is a newer premium feature; the exam tests when it applies.
Legacy authentication (IMAP, POP, SMTP AUTH, older Office clients) must be blocked via a dedicated Conditional Access policy; Microsoft's Security Defaults block it by default for tenants that have them enabled.

3. Purview DLP + Information Protection Interaction

Sensitivity labels classify and optionally encrypt content.
DLP policies enforce actions (block, warn, audit) based on conditions including "content contains sensitive info type X" or "content has sensitivity label Y."
The labeled-content approach scales better than sensitive-info-type matching alone because labels survive file format changes.
Auto-labeling (service-side) applies labels at rest in SharePoint/OneDrive/Exchange without user action - a Purview E5 feature.
Endpoint DLP requires devices onboarded to Defender for Endpoint and covers Windows 10/11 and macOS; Linux support is limited.

Case-study items often present a scenario where sensitive data leaks from a managed device to an unmanaged USB drive - the right answer combines endpoint DLP (to block the action) with a sensitivity label (to classify the content in the first place).

How MS-102 Fits into the Broader Microsoft Certification Path

Exam	Role	When to Sit
MS-900 Microsoft 365 Fundamentals	Entry	Optional warmup if you are new to M365
MS-102 Microsoft 365 Administrator	Admin Expert	This exam
SC-300 Identity & Access Administrator	Identity	Natural next step after MS-102
SC-400 Information Protection Administrator	Compliance	Deeper Purview focus
SC-200 Security Operations Analyst	Security ops	Deeper Defender XDR + Sentinel focus
MS-700 Teams Administrator	Teams	If Teams is your primary workload
AZ-104 Azure Administrator	Azure ops	Complementary Azure admin scope
SC-100 Cybersecurity Architect	Architect	Senior/architect-tier capstone

MS-102 + SC-300 + SC-400 is the "Modern Work + Security" trio many enterprises expect.

Keep Training with FREE MS-102 Practice

Practice MS-102 scenario questionsPractice questions with detailed explanations

Frequently Missed 2026 Details (Competitor Guides Get These Wrong)

MS-100 and MS-101 are gone. If a guide recommends taking them first "for background," it is out of date - they retired September 30, 2023.
Azure AD is now Microsoft Entra ID. Old terminology (AAD Connect, AAD Conditional Access) still appears in community posts but the exam uses current Entra naming.
Microsoft 365 Defender is now Microsoft Defender XDR with a unified portal at security.microsoft.com.
Preset security policies (Standard, Strict) in Defender for Office are the recommended modern answer over custom policies in most scenarios.
Entra Cloud Sync is preferred over Connect Sync for new, smaller, or multi-forest deployments when device writeback is not required.
Passwordless + phishing-resistant MFA (FIDO2, Windows Hello for Business, passkeys, certificate-based authentication) is the direction every new Microsoft identity question pushes toward.
Endpoint DLP requires Defender for Endpoint onboarding - DLP alone does not cover the device channel.
Renewal is free and unproctored - and opens 6 months before expiration, not after.

Official Sources Used

Microsoft Learn - Exam MS-102: Microsoft 365 Administrator (skills outline, 2026 revision)
Microsoft Learn - MS-102 Study Guide (aka.ms/MS-102-study-guide)
Microsoft 365 Certified: Administrator Expert credential page
Microsoft Entra ID / Entra Connect Sync / Entra Cloud Sync documentation
Microsoft Defender XDR documentation (security.microsoft.com)
Microsoft Purview documentation (purview.microsoft.com)
Pearson VUE Microsoft exam scheduling portal (fee and retake policy)
Microsoft Learn credential renewal policy (6-month renewal window, free online assessment)
Glassdoor / ZipRecruiter / Salary.com / Robert Half - 2026 salary references
LinkedIn Talent Insights - M365 admin job demand signals

Certification details, fees, and skills measured may be revised by Microsoft. Always confirm current requirements directly on learn.microsoft.com before scheduling.

FREE MS-102 Exam Guide 2026: Pass Microsoft 365 Administrator (Entra, Defender XDR, Purview)

✓Key Facts