Microsoft 365 Tenant
25-30% of exam
Entra Identity + Access
25-30% of exam
Defender XDR Security
30-35% of exam
Purview Compliance
10-15% of exam
Quick Facts
- Exam: MS-102
- Credential: M365 Administrator Expert
- Pass: 700/1000
- Time: 100 min
- Level: Expert
- Vendor: Pearson VUE
- Blueprint: Apr 28 2026
- Skill: Administer tenant
Domain Weights
Tenant 25 | Entra 25 | Defender 30
Health vs Message Center
Service Health
- Incidents
- Advisories
- Current impact
Message center
- Planned changes
- Feature rollouts
- Retirements
Outage vs roadmap
Tenant Picker
- Prove domain→TXT record
- Route mail→MX record
- Pilot features→Targeted release
- Track incidents→Service Health
- Track changes→Message center
- Automate users→Graph PowerShell
- Scope admins→Admin units
- Elevate roles→PIM
Tenant Setup
- Tenant: M365 boundary
- Initial domain: onmicrosoft.com kept
- Custom domain: Verified DNS name
- TXT record: Ownership proof
- MX record: Mail routing
- Org profile: Tenant details
- Targeted release: Pilot features
- Network insights: Connectivity checks
Users + Groups
- User: Account object
- Guest: External user
- Contact: Address object
- Shared mailbox: Delegated mailbox
- M365 group: Collaboration group
- Security group: Access assignment
- Dynamic group: Rule membership
- Group licensing: Automatic licenses
Roles + PIM
- Global Admin: Full tenant control
- User Admin: User lifecycle
- Security Admin: Security configuration
- Compliance Admin: Purview administration
- Role group: Workload permissions
- Admin unit: Scoped delegation
- PIM: Just-in-time roles
- Eligible role: Activation required
Health + Adoption
- Service Health: Incidents/advisories
- Message center: Planned changes
- Usage reports: Workload activity
- Adoption Score: Usage signals
- Software updates: Apps update status
- M365 Backup: Backup/restore
- Admin center: Common tasks
- Graph PowerShell: Bulk automation
Sync Order
Fix, sync, monitor, troubleshoot
Connect Sync vs Cloud Sync
Connect Sync
- Full engine
- Custom rules
- Complex hybrid
Cloud Sync
- Light agent
- Cloud managed
- Simple forests
Complex vs lightweight
Access Picker
- Clean AD→IdFix
- Complex sync→Connect Sync
- Light sync→Cloud Sync
- Monitor sync→Connect Health
- Reset passwords→SSPR
- Bootstrap login→TAP
- Risk-based access→Conditional Access
- Risk detections→Identity Protection
Identity Sync
- IdFix: Pre-sync cleanup
- Connect Sync: Full sync engine
- Cloud Sync: Lightweight agent
- Connect Health: Sync monitoring
- PHS: Password hash sync
- PTA: Pass-through auth
- Federation: AD FS sign-in
- Filtering: Scope control
CA Flow
If assignments meet conditions, enforce controls
Defaults vs Conditional Access
Security Defaults
- Basic baseline
- Few choices
- No exclusions
Conditional Access
- Granular rules
- Named exclusions
- Risk/device conditions
Simple vs controlled
Authentication
- MFA: Extra factor
- SSPR: Password reset
- Auth methods: Allowed factors
- Authenticator: Push/passkey
- FIDO2: Phishing-resistant key
- WHfB: Device-bound credential
- TAP: Temporary bootstrap
- Password Protection: Bad-password blocking
Secure Access
- Conditional Access: If/then policy
- Assignments: Users/apps scope
- Conditions: Risk/device/location
- Grant controls: Block/allow requirements
- Session controls: Runtime limits
- Report-only: Test impact
- What If: Policy simulation
- Identity Protection: Risk detection
XDR Flow
Score, alert, incident, hunt, respond
Incident vs Alert
Incident
- Grouped alerts
- Investigation container
- Timeline view
Alert
- Single signal
- Detection event
- Evidence source
Case vs signal
Security Picker
- Improve posture→Secure Score
- Group alerts→Incidents
- Query signals→Advanced hunting
- Protect email→Defender O365
- Find campaign→Threat Explorer
- Train phishing→Attack simulation
- Protect devices→Defender Endpoint
- Find shadow IT→Cloud Discovery
Defender XDR
- Incident: Grouped alerts
- Alert: Detected signal
- Secure Score: Posture metric
- Exposure Mgmt: Attack-path view
- Advanced hunting: KQL investigation
- Custom detection: Scheduled hunt
- Threat intel: Adversary context
- Action center: Response queue
Defender vs Purview
Defender XDR
- Threat protection
- Incidents/alerts
- Hunting
Purview
- Compliance controls
- Labels/retention
- DLP
Threats vs compliance
Office Protection
- EOP: Baseline mail filtering
- Safe Links: URL detonation
- Safe Attachments: File detonation
- Anti-phishing: Impersonation defense
- Preset policies: Standard/Strict baselines
- Threat Explorer: Email investigation
- Attack simulation: Phishing training
- Restricted entities: Blocked senders
Endpoint + Cloud
- MDE onboarding: Device enrollment
- Endpoint settings: Security controls
- TVM: Vulnerability dashboard
- ASR rules: Attack surface reduction
- Cloud Apps: SaaS protection
- App connector: SaaS integration
- Activity log: App events
- Cloud Discovery: Shadow IT
Purview Flow
Detect, label, retain, prevent, review
Sensitivity vs Retention
Sensitivity label
- Classify/protect
- Encryption
- Content marking
Retention label
- Retain/delete
- Records
- Disposition
Protect vs preserve
Compliance Picker
- Detect SSNs→SIT
- Classify files→Sensitivity label
- Publish labels→Label policy
- Retain locations→Retention policy
- Retain items→Retention label
- Block sharing→DLP policy
- Block USB→Endpoint DLP
- Audit activity→Activity explorer
Information Protection
- SIT: Sensitive pattern
- Keyword list: Term matching
- Regex: Pattern matching
- Sensitivity label: Classify/protect
- Label policy: Publish labels
- Auto-labeling: Automatic classification
- Content explorer: Sensitive content
- Activity explorer: Label/DLP events
Content vs Activity Explorer
Content explorer
- Where data lives
- Sensitive items
- Content inventory
Activity explorer
- What happened
- Label events
- DLP events
Where vs what
Retention + DLP
- Retention policy: Location-wide retention
- Retention label: Item-level retention
- Label policy: Publish retention
- Disposition: End review
- DLP policy: Data movement control
- Endpoint DLP: Device actions
- Policy tip: User warning
- DLP alert: Policy match
Common Traps
Current weights
Study guide controls ≠ Exam page may lag
Health vs change
Health is outages ≠ Message center changes
Domain verify vs mail
TXT proves ownership ≠ MX routes mail
Authentication vs authorization
Entra signs in ≠ Roles allow actions
Security defaults vs CA
Defaults are broad ≠ CA is granular
Alert vs incident
Alert is signal ≠ Incident groups alerts
Threat vs compliance
Defender stops attacks ≠ Purview governs data
Endpoint DLP prerequisite
DLP defines policy ≠ MDE onboards device
Last Minute
- 1. Weights: 25-30/25-30/30-35/10-15
- 2. TXT verifies; MX routes
- 3. Health = incidents; Message = changes
- 4. Groups license; roles authorize
- 5. PIM = just-in-time admin
- 6. IdFix before sync
- 7. Connect Sync = complex hybrid
- 8. Cloud Sync = lightweight agent
- 9. CA = if/then access
- 10. Defender = threats; Purview = data
- 11. Content = where; Activity = what
- 12. Endpoint DLP needs MDE
