AZ-104 makes you an Azure administrator. MS-102 makes you an M365 administrator — the distinction matters more than most candidates realise.
Azure and Microsoft 365 share the same identity foundation — Microsoft Entra ID — but the rest of the stack diverges sharply. AZ-104 tests compute, storage, networking, and Azure-native services. MS-102 tests collaboration infrastructure, enterprise messaging, compliance frameworks, and the security overlay that runs across the M365 productivity stack. A candidate who has passed AZ-104 and attempts MS-102 without preparation will find the Purview compliance portal, Defender for Office 365 policy configuration, and Exchange Online mail flow rules entirely unfamiliar. The skill sets are adjacent, not overlapping.
The consolidation from MS-100 + MS-101 into a single MS-102 exam changed what is tested. The two-exam track separated identity and services (MS-100) from device and app management (MS-101). MS-102 integrates them into five functional areas that reflect how M365 administration actually works — an admin managing a Conditional Access policy is simultaneously doing identity work, security work, and compliance work. The single-exam format rewards administrators who think across the stack rather than in siloed domains.
MS-102 sits above the associate tier. Microsoft positions it explicitly as an Expert credential, meaning it assumes working knowledge of Entra ID tenant management, Exchange Online basics, and Teams administration before the candidate reaches the exam room. Candidates who approach MS-102 as their first Microsoft certification will struggle with the breadth of assumed context. The recommended path is MS-900 (M365 Fundamentals) → one associate cert (AZ-104 or MD-102) → MS-102, though none of these are enforced prerequisites.
The five functional areas of MS-102
Functional Area 1 — Deploy and Manage a Microsoft 365 Tenant (~21%)
Foundation administration of the M365 tenant itself: subscription management, admin center configuration, and the tooling that administrators use daily. This area establishes the baseline competence the rest of the exam builds on.
- Tenant configuration: Microsoft 365 admin center navigation, organizational profile settings, and service health monitoring. The exam tests how to identify and respond to service incidents using the Message Center and Service Health dashboard — distinguishing advisories (informational, no action needed) from incidents (active service degradation requiring action or workaround).
- PowerShell administration: Microsoft Graph PowerShell SDK (Connect-MgGraph) has replaced the legacy MSOnline (Connect-MsolService) and AzureAD modules. The exam tests Graph PowerShell for bulk user operations, license assignment, and report generation. The Get-MgUser, New-MgUser, Set-MgUser, and Get-MgSubscribedSku cmdlets are high-frequency exam topics. Exchange Online PowerShell (Connect-ExchangeOnline) remains separate from Graph PowerShell and is tested for mail flow and recipient management tasks.
- License management: assigning, modifying, and removing Microsoft 365 licenses via the admin center and PowerShell. License-based service plans — understanding which services are included in which SKU (E3 vs E5, Business Premium vs Business Standard), disabling specific service plans within a license assignment, and resolving licensing conflicts. The exam tests how to identify users with missing licenses and the correct remediation steps.
- Microsoft 365 Apps deployment: Office Deployment Tool (ODT) for enterprise-managed installations, Microsoft 365 Apps admin center for cloud update management, and update channel selection (Current Channel, Monthly Enterprise Channel, Semi-Annual Enterprise Channel). The exam tests the business scenarios that map to each update channel rather than ODT XML syntax.
Functional Area 2 — Implement and Manage Identity and Access (~25%)
The largest functional area and the one with the most direct overlap with AZ-104. MS-102 goes deeper on hybrid identity scenarios and privileged access governance than the Azure administrator exam.
- Microsoft Entra ID fundamentals: tenant architecture, user types (member vs guest), group types (Microsoft 365 groups vs security groups vs distribution lists vs mail-enabled security groups — each with distinct capabilities and limitations), and administrative unit scoping for delegated administration across large organisations. The exam tests which group type is required for specific workloads: Microsoft 365 groups for Teams channels and shared mailboxes, security groups for application and SharePoint access, distribution lists for email distribution only.
- Hybrid identity: Microsoft Entra Connect (formerly Azure AD Connect) for on-premises Active Directory synchronisation vs Microsoft Entra Cloud Sync (lightweight agent, no on-premises server required, limited to a subset of Entra Connect scenarios). The exam distinguishes the two: Cloud Sync supports multi-forest synchronisation and is recommended for new deployments, but does not support Hybrid Exchange, device writeback, or group writeback. Password Hash Synchronisation (PHS), Pass-Through Authentication (PTA), and Federation (ADFS) as authentication options — the exam tests failure behaviour and fallback scenarios for each.
- Conditional Access: policy components (assignments — users, cloud apps, conditions; access controls — grant, session), the evaluation order when multiple policies apply (all matching policies are evaluated; the most restrictive grant control wins), and named locations for IP-based policy scoping. The difference between block and grant with MFA controls — the exam presents scenarios where blocking is appropriate (unmanaged devices accessing sensitive apps) versus MFA-step-up (all external access). Report-only mode for policy impact assessment before enforcement.
- Privileged Identity Management (PIM): just-in-time role activation workflow (eligible → activate → active → expires), approval workflows for sensitive roles (Global Administrator, Exchange Administrator), activation duration limits, and access reviews for privileged role assignments. The exam tests the distinction between eligible assignments (require activation, PIM required) and active assignments (always active, no PIM required) — and which to use for which role type based on the principle of least privilege.
- Entitlement management and access reviews: access packages for bundling resource access (groups, SharePoint sites, Teams, applications), access review configuration for periodic recertification of group memberships and role assignments, and the lifecycle workflows that automate onboarding and offboarding tasks. The exam tests the correct tool for each scenario: access packages for structured access request/approval workflows, access reviews for ongoing recertification, lifecycle workflows for automated provisioning triggers.
Functional Area 3 — Manage Security and Threats (~26%)
The highest-weighted functional area and the one most commonly underestimated by candidates with a background in on-premises IT. M365 security operates through the Microsoft 365 Defender portal (now Microsoft Defender XDR) and spans email, identity, endpoint, and cloud app protection from a unified console.
- Microsoft Defender for Office 365: Plan 1 (anti-phishing, Safe Links, Safe Attachments — included in Business Premium and E3) vs Plan 2 (adds Attack Simulator, Threat Trackers, Automated Investigation and Response — included in E5). Safe Attachments policy modes: Block (block detected malware, deliver clean), Dynamic Delivery (deliver body immediately, replace attachment with placeholder until scan completes), Replace (replace attachment with notification), Monitor (deliver and track). Safe Links wraps URLs at click time and re-evaluates them against updated threat intelligence — the exam tests the policy settings that control which users and which URL types are protected.
- Exchange Online Protection (EOP): the baseline anti-spam and anti-malware layer that applies to all Exchange Online tenants before Defender for Office 365 policies. Anti-spam policies (bulk complaint level thresholds, spam confidence level thresholds, phishing and spoofing actions), anti-malware policies, connection filtering (IP allow/block lists), and outbound spam policies. Quarantine management: who can release quarantined messages, admin quarantine vs user-accessible quarantine, and retention periods.
- Microsoft Secure Score: the tenant-level measurement of security posture across identity, devices, apps, and data. The exam tests how to interpret improvement actions, distinguish between implemented, planned, risk accepted, and third-party coverage statuses, and how Secure Score connects to specific policy configurations (enabling MFA for all users adds a fixed point value; enabling Defender for Endpoint adds another). Secure Score is a relative benchmark, not an absolute measure of security — a score of 70% means 70% of the recommended controls are implemented, not that the tenant is 70% secure.
- Microsoft Purview Insider Risk Management: policies for detecting risky user behaviour patterns (data theft by departing employees, general data leaks, security policy violations), the indicators that trigger alerts (bulk file downloads, mass file deletion, sending sensitive data outside the organisation), and the workflow from alert → case → investigation → action. The exam tests how Insider Risk Management integrates with HR connectors for resignation event triggers and how communication compliance policies provide the complementary communication-channel coverage.
- Attack simulation training: launching simulated phishing campaigns, selecting payload types (credential harvest, link in attachment, drive-by URL), assigning training modules to users who click simulation links, and interpreting simulation reports. The exam tests the legitimate administrative use case — measuring click rate, identifying highest-risk users, and driving security awareness training completion — not the technical mechanics of phishing.
Functional Area 4 — Manage Compliance (~16%)
Microsoft Purview compliance portal covers data governance, information protection, and legal/regulatory obligations. This area tests whether the M365 administrator can configure the controls that satisfy compliance requirements, not whether they can interpret the regulations themselves.
- Data Loss Prevention (DLP): DLP policies detect and act on sensitive information across Exchange Online, SharePoint Online, OneDrive, Teams, and Defender for Cloud Apps. Policy components: locations (which workloads are covered), conditions (sensitive information types, labels, content), and actions (audit, block with override, block without override, notify). The exam tests the correct action for a given business requirement — audit-only for new policies during testing, block with user override when user judgement is appropriate, hard block for regulated data like payment card numbers.
- Retention policies and retention labels: retention policies apply automatically to all content in a location; retention labels apply to specific items and can be applied manually or auto-applied via policy. The priority order when conflicting settings apply: explicit label retention wins over policy retention; retain-then-delete beats delete-only. The exam tests the correct tool for each scenario: retention policy for broad location-based retention, auto-apply label for content-driven retention based on sensitive information types or keywords.
- Microsoft Purview eDiscovery: eDiscovery Standard (case-based search and export, available in E3) vs eDiscovery Premium (custodian management, review sets, advanced analytics, requires E5 or E5 Compliance add-on). Legal hold: placing a hold on a user’s mailbox or SharePoint site preserves content in place regardless of user deletion actions — the exam tests the difference between an in-place hold and a litigation hold, and when each applies. Content search as the baseline tool for all eDiscovery work.
- Microsoft Purview Communication Compliance: policies that monitor Teams messages, Exchange email, and third-party platform content for regulatory compliance violations (financial services communications requirements, code of conduct violations, sensitive information disclosure). The exam tests the reviewer workflow, alert investigation interface, and the remediation actions available (notify user, escalate to case, report to compliance officer).
Functional Area 5 — Manage Microsoft 365 Apps and Services (~12%)
Day-to-day administration of the collaboration services that M365 users interact with: Exchange Online, SharePoint Online, Teams, and the supporting infrastructure that keeps them running.
- Exchange Online administration: accepted domains (authoritative, internal relay, external relay) and when each type is appropriate for hybrid or multi-domain tenants, connectors (inbound connectors for mail flowing into Exchange from on-premises or third-party systems; outbound connectors for controlled routing of mail to specific destinations), and mail flow rules (transport rules) for header manipulation, message encryption trigger, and disclaimer injection. The exam tests how to troubleshoot mail flow issues using Message Trace — interpreting status events, identifying where a message was blocked or rerouted, and reading enhanced status codes.
- Microsoft Teams administration: Teams admin center policies (meeting policies, messaging policies, calling policies, app permission policies), the distinction between global (org-wide default) policies and custom policies assigned to specific users or groups, and the package assignment model for applying multiple policies simultaneously. External access (federation with other Entra ID tenants) vs guest access (B2B collaboration within a specific team) — the exam tests the correct configuration for each use case and the admin controls that govern what guests can do within Teams channels.
- SharePoint Online and OneDrive: site collection administration (hub sites, communication sites, team sites), external sharing settings at the organisation level vs the site level (the more restrictive setting always wins), and sharing link defaults (Anyone links vs Specific people vs People in your organisation). OneDrive storage quotas, known folder move (KFM) for redirecting Desktop, Documents, and Pictures to OneDrive for Business, and the sync client health monitoring available through the SharePoint admin center.
- Microsoft Viva and Copilot for Microsoft 365: the exam increasingly includes Viva Insights (personal and manager analytics, privacy considerations), Viva Learning (training content surfaced in Teams), and the administrative prerequisites for Copilot for Microsoft 365 deployment (Entra ID assignment, licensing, sensitivity label configuration to prevent oversharing). These areas carry lower question weight than the core functional areas but appear in scenario questions testing integration awareness.
The MS-102 exam question that trips the most candidates: Conditional Access policy evaluation. When two policies both match a sign-in, Microsoft does NOT apply only the most restrictive — it applies ALL matching policies and then evaluates the combined result. A block policy and a grant-with-MFA policy targeting the same user both apply; the block wins. Candidates who expect “last write wins” or “most specific wins” behaviour get these questions wrong consistently.
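The evaluation rule described above, and in the Conditional Access bullet under Functional Area 2, as an added example (not Microsoft's code and not part of the original article): a simplified Python model in which every enabled policy that matches a sign-in applies, any block wins, and report-only policies are recorded but not enforced. The policy names, groups, apps and the `Policy`, `signin` and `evaluate` helpers are constructed for illustration; the state and control strings follow the Microsoft Graph conditionalAccessPolicy resource.

```python
from dataclasses import dataclass, field
from typing import Optional

REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph state for report-only

@dataclass
class Policy:
    name: str
    controls: set                       # grant controls, e.g. {"mfa"} or {"block"}
    state: str = "enabled"              # "enabled", "disabled" or REPORT_ONLY
    operator: str = "AND"               # AND = all controls, OR = any one control
    users: set = field(default_factory=lambda: {"All"})
    apps: set = field(default_factory=lambda: {"All"})
    trusted_location: Optional[bool] = None   # None = condition not configured
    managed_device: Optional[bool] = None     # simplified device condition (assumption)

    def matches(self, s):
        user_ok = "All" in self.users or bool(self.users & s["groups"])
        app_ok = "All" in self.apps or s["app"] in self.apps
        loc_ok = self.trusted_location in (None, s["trusted_location"])
        dev_ok = self.managed_device in (None, s["managed_device"])
        return user_ok and app_ok and loc_ok and dev_ok

def signin(groups, app, trusted, managed, satisfied=()):
    return {"groups": set(groups), "app": app, "trusted_location": trusted,
            "managed_device": managed, "satisfied": set(satisfied)}

def evaluate(policies, s):
    matched = [p for p in policies if p.state != "disabled" and p.matches(s)]
    enforced = [p for p in matched if p.state == "enabled"]
    blocked_by = [p.name for p in enforced if "block" in p.controls]
    unmet = []  # policies whose grant controls the sign-in has not yet satisfied
    for p in enforced:
        if "block" in p.controls:
            continue
        met = p.controls & s["satisfied"]
        if not (met == p.controls if p.operator == "AND" else met):
            unmet.append(p.name)
    # "unsatisfied" = the user is prompted for the missing controls or denied
    result = "block" if blocked_by else "unsatisfied" if unmet else "grant"
    return {"result": result, "applied": [p.name for p in enforced],
            "blocked_by": blocked_by, "unmet": unmet,
            "report_only": [p.name for p in matched if p.state == REPORT_ONLY]}

# Constructed tenant policies for illustration
POLICIES = [
    Policy("MFA for external access", {"mfa"}, trusted_location=False),
    Policy("Block unmanaged devices on HR app", {"block"},
           apps={"HR-App"}, managed_device=False),
    Policy("Compliant device for admins (pilot)", {"compliantDevice"},
           state=REPORT_ONLY, users={"Admins"}),
]

if __name__ == "__main__":
    for s in (signin(["Staff"], "HR-App", False, False, ["mfa"]),  # both match, block wins
              signin(["Staff"], "Mail", False, True),              # MFA still required
              signin(["Admins"], "Mail", True, True)):             # report-only match only
        print(evaluate(POLICIES, s))
```

In the first case the user has already completed MFA, yet the result is still a block, which is the behaviour the exam scenarios test.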
How MS-102 compares to other Microsoft certifications
MS-102 occupies the expert tier alongside AZ-305 (Azure Solutions Architect Expert) and SC-100 (Cybersecurity Architect Expert). Within the Microsoft 365 certification family, the progression is MS-900 (Fundamentals) → associate certs (MD-102 Modern Desktop, MS-700 Teams Administrator, MS-721 Collaboration Communications Systems Engineer) → MS-102 Expert. The Expert tier does not require passing associate certs, but the associate exams serve as useful preparation for specific functional areas of MS-102 — MD-102 covers device management and Intune in depth that MS-102 only touches, and MS-700 covers Teams administration that MS-102 tests at a higher level.
- MS-102 vs AZ-104: AZ-104 tests Azure infrastructure — virtual machines, networking, storage, and Azure-native services. MS-102 tests productivity and collaboration infrastructure built on M365. Both require Entra ID knowledge; MS-102 goes much deeper on hybrid identity, Conditional Access, and PIM. AZ-104 is the stronger foundation for cloud engineers; MS-102 is the stronger foundation for enterprise IT administrators managing Microsoft environments.
- MS-102 vs SC-300: SC-300 (Identity and Access Administrator Associate) covers Entra ID, external identities, and identity governance in greater depth than MS-102. Candidates who need deep IAM expertise should consider SC-300 separately; MS-102 covers the identity topics that an M365 administrator encounters daily but does not go as deep as SC-300 on topics like cross-tenant synchronisation, Verified ID, or advanced entitlement management configuration.
- MS-102 vs MS-700: MS-700 (Administering Microsoft Teams) covers Teams administration at a depth that MS-102 only samples — call quality troubleshooting, Direct Routing SBC configuration, and Teams Rooms management are MS-700 territory. If Teams administration is your primary role, MS-700 provides the focused credential; MS-102 provides the broader M365 admin credential that includes Teams as one of five coverage areas.
The annual renewal model distinguishes MS-102 from most certifications in the market. Rather than a two-year expiry requiring full re-examination, Microsoft offers a free online renewal assessment each year. The renewal assessment covers new features and capability updates added to the M365 platform since the last renewal — passing it extends certification for another year. This model rewards administrators who stay current with the platform rather than those who memorise and forget; it also means the MS-102 credential reflects a practitioner’s ongoing engagement with the technology, not a point-in-time exam result from two or three years ago.
MS-102 rewards breadth over depth. The exam presents administrator scenarios that cross functional area boundaries — a Conditional Access policy affects identity, security, and compliance simultaneously. Study each functional area in isolation but test yourself with scenarios that require integrating two or three areas to arrive at the correct answer. Pay particular attention to the Defender for Office 365 policy configuration options (Safe Attachments modes, Safe Links settings) and the Purview retention label priority rules — both appear frequently and require precise knowledge of the available options. The official Microsoft MS-102 study guide on Microsoft Learn is authoritative and free; the practice assessments available on the certification page reflect the current exam format.