Domain 1 · 25–30%

Deploy and manage a Microsoft 365 tenant

Standing up the tenant, configuring organisation-wide settings and service health, and managing the building blocks every other workload depends on: users, groups, licences and admin roles.

This domain breaks into three objectives:

Implement and manage a Microsoft 365 tenant — tenant, domains, org settings, health, updates, usage, Backup
Manage users and groups — users, external users, contacts, groups, shared mailboxes, licensing, bulk ops
Manage roles and role groups — RBAC, workload permissions, administrative units, PIM

1.1 Implement and manage a Microsoft 365 tenant

Creating a tenant

A tenant is a dedicated, isolated instance of Microsoft Entra ID created automatically when an organisation signs up for a Microsoft cloud subscription (M365, Azure, or Dynamics 365). It is the security and identity boundary for your organisation.

The tenant gets an initial default domain of the form yourcompany.onmicrosoft.com. This can never be deleted and is used as a fallback routing address.
Choose the country/region at sign-up — it is permanent and determines data residency and which services are available. It cannot be changed later.
Tenant type is set at creation: Workforce (employees) vs the newer external/CIAM configurations; for MS-102 think standard organisational (workforce) tenant.

Caveat — region & default domain are immutable

You cannot change the tenant country/region after creation, and the *.onmicrosoft.com domain cannot be removed. If asked to "move" data residency, the answer involves a new tenant / migration, not a setting.

Implementing and managing domains

Add a custom domain (e.g. contoso.com) so users sign in and send mail with your brand instead of *.onmicrosoft.com.

Add the domain in the Microsoft 365 admin center (or Entra admin center).
Verify ownership by adding a Microsoft-supplied TXT (or MX) record to your public DNS.
Configure DNS records for the services: MX (mail routing), CNAME for autodiscover, TXT for SPF, CNAME records for Teams/Skype (sip, lyncdiscover) and SRV records, plus optional DKIM CNAMEs.
Set the default domain used for new users if desired.

Record	Purpose	Notes / caveat
TXT	Domain ownership verification	Microsoft generates the value; verification can take up to 72 h for DNS propagation
MX	Routes inbound email to Exchange Online	Lowest preference number = highest priority
CNAME (autodiscover)	Outlook client auto-configuration	Points to `autodiscover.outlook.com`
TXT (SPF)	Anti-spoofing; lists authorised senders	Only one SPF record per domain — merge entries
CNAME (DKIM)	Signs outbound mail	Two selector CNAMEs; enable DKIM in Defender portal
SRV / CNAME (Teams)	Teams / federation discovery	Required for full Teams external connectivity

Removing / transferring a domain

You cannot remove a custom domain while it is still referenced — e.g. by user UPNs, proxy addresses, groups, or as the default. Re-point those objects first. The onmicrosoft.com domain remains as the fallback.

Organisation settings (Security & privacy, Organization profile)

Found under Microsoft 365 admin center → Settings → Org settings, grouped into Services, Security & privacy, and Organization profile.

Organization profile: Org name, address, technical contact, release preferences (Standard vs Targeted release for early features), and custom themes (logo, colours in the app header).
Security & privacy: Self-service password reset link, sharing settings, idle session timeout, privacy statement, and the password expiration policy (Microsoft recommends "never expire").
Services: Per-service toggles: Bookings, Cortana, Microsoft Forms, reports (anonymised names), user owned apps and services, mail, etc.

Release preferences

Targeted release can be set for the entire org or for selected users — useful to pilot UI/feature changes before they reach everyone on Standard release.

Monitoring Service Health & notifications

Health → Service health shows the live status of every service (Exchange, Teams, SharePoint, Entra, etc.). Each issue is an advisory (limited impact) or an incident (broad/critical impact).

flowchart LR A[Service event detected] --> B{Impact?} B -->|Limited| C[Advisory] B -->|Critical / widespread| D[Incident] C --> E[Message center post] D --> E E --> F[Email notifications
to chosen recipients]

Service Health feeds the Message center; configure email notifications to be alerted.

Message center (separate from Service health) announces upcoming changes, new/planned features and required actions — you can configure weekly digest emails and assign Message center reader role.
Configure Service health notifications (Preferences) to email up to 2 addresses per profile when incidents/advisories are posted.

Caveat — Service health vs Message center

Service health = current problems / outages. Message center = upcoming changes & roadmap actions. Exam questions test that you pick the right one.

Network connectivity insights

Under Health → Network connectivity. Microsoft 365 collects connectivity telemetry and surfaces a Network connectivity score per location.

Key guidance: follow the Microsoft 365 connectivity principles — identify & differentiate Optimize-category traffic, egress locally, avoid backhauling and hairpinning, and bypass proxies/inspection for Optimize endpoints.
Add office locations to get location-specific insights; data is collected from the Microsoft 365 client and the connectivity test tool (connectivity.office.com).

Microsoft publishes endpoints in three traffic categories — handle each differently at the network edge:

Category	Examples	Recommended handling
Optimize	Teams media, SharePoint/OneDrive, Exchange Online core	Bypass proxy/inspection, egress locally — highest performance impact
Allow	Other required M365 endpoints	Allow direct; low-overhead inspection acceptable
Default	Generic/ancillary services	Route via normal internet path/proxy

Caveat — Optimize traffic should bypass inspection

Performance problems in case studies usually point to backhauling or proxy/SSL inspection of Optimize traffic. The fix is local egress and bypassing inspection for Optimize endpoints — not adding bandwidth.

Software updates via the admin center

The Microsoft 365 Apps update channels control how often desktop Office apps get features/fixes:

Update channel	Feature cadence	Best for
Current Channel	~Monthly (as available)	Most users — newest features fastest default
Monthly Enterprise Channel	Once a month (predictable, 2nd Tuesday)	IT-managed orgs wanting a schedule
Semi-Annual Enterprise Channel	Every 6 months (Jan & Jul)	Highly regulated / line-of-business app testing

Within the admin center, Settings → Org settings → Microsoft 365 Apps Installation options and the Microsoft 365 Apps admin center (config.office.com) manage channels, servicing profiles, and inventory.

Deployment method	Use when
User self-install (portal)	Users have local admin; quickest, click-to-run from the portal
Office Deployment Tool (ODT)	Custom XML `configuration.xml` — pick architecture, channel, apps, languages; deploy locally or from a share
Cloud / Microsoft 365 Apps admin center config	Build a deployment package & servicing profile (auto-update rings) centrally
Intune / Configuration Manager	Managed push to devices at scale

Servicing profile

A servicing profile takes over update management for a set of devices — Microsoft auto-rolls updates in waves with monitoring/rollback, overriding the device's configured channel for those updates.

Monitoring adoption & usage

Reports → Usage: per-service activity (email, Teams, SharePoint, OneDrive, active users, etc.). Default retention windows of 7/30/90/180 days.
Microsoft 365 Adoption Score (Reports → Adoption Score): organisational benchmarks across communication, meetings, content collaboration, mobility, teamwork, plus endpoint/network experiences.
Privacy: in Org settings you can de-identify (conceal) user, group and site names in all reports.

Who can see reports

Global admin, global reader, report reader, and the relevant service admins (Exchange, Teams, SharePoint) can view usage reports.

Configure & manage Microsoft 365 Backup

Microsoft 365 Backup is a Microsoft-native, pay-as-you-go (Azure-billed, requires billing/syntex setup) service protecting Exchange Online, OneDrive, and SharePoint.

Provides fast, large-scale restore to a point in time within the last 365 days, with data kept inside the Microsoft 365 security/compliance boundary (no third-party copy).
Set up via the Microsoft 365 admin center → Settings → Microsoft 365 Backup; requires pay-as-you-go billing linked to an Azure subscription & resource group.
Backup policies target sites/accounts (by inclusion rules); restores are self-service and much faster than legacy methods.

Caveat — Backup ≠ Retention

M365 Backup protects against accidental/malicious data loss with fast point-in-time restore. Retention policies/labels (Purview) are for compliance/legal preservation. Don't confuse them — and Backup requires PAYG Azure billing enabled.

1.2 Manage users and groups

Creating & managing users (incl. external users)

Users live in Microsoft Entra ID. Create them in the M365 admin center or Entra admin center. Key attributes: UPN (sign-in name, must use a verified domain), display name, usage location (required before assigning licences), and group memberships.

Account type	How it is created	Sign-in
Cloud-only	Created directly in Entra ID	Entra credentials
Synchronised	Synced from on-prem AD via Entra Connect/Cloud Sync	Managed in on-prem AD
Guest (B2B)	Invited by email; UPN ends `#EXT#@tenant`	Their own home org / one-time passcode

External / guest users (Entra B2B): invited collaborators who authenticate with their own identity. Managed under Entra ID → External Identities: configure external collaboration settings (who can invite), guest user permissions, and cross-tenant access settings. Deleted users go to a recycle bin and are recoverable for 30 days.

Restore / soft-delete

Deleted Entra users are recoverable for 30 days from the deleted users list; after that they are permanently purged.

Governing external collaboration (Entra ID → External Identities):

External collaboration settings — who can invite guests (everyone / admins & specific roles / nobody), guest permission level, and an allow/deny domain list for invitations.
Cross-tenant access settings — granular B2B inbound/outbound trust per partner Entra tenant: which users/groups/apps, and whether to trust their MFA & device compliance claims (so guests don't re-do MFA).
Guests can authenticate via their home Entra account, a Microsoft account, one-time passcode email, or configured identity providers (Google/SAML).

Caveat — B2B vs B2C

Entra B2B = invite external business/partner users as guests into your workforce tenant (MS-102 scope). Entra External ID / B2C = customer-facing identity for your apps — a different tenant type, generally out of MS-102 scope. Trusting a partner's MFA is done in cross-tenant access settings, not per-user.

Mail contacts

Contacts (M365 admin center → Users → Contacts, or Exchange) are external people with no licence/mailbox who appear in the Global Address List. Useful for vendors/partners you email frequently. A mail-enabled user differs — it has a sign-in but mail delivered externally.

Groups, Microsoft 365 Groups & shared mailboxes

Group type	Purpose	Can assign licences?	Email?
Microsoft 365 Group	Collaboration: shared mailbox, calendar, SharePoint site, Planner, Teams	✅ (membership)	✅
Security group	Grant access to resources / apps; target policies	✅	❌ (unless mail-enabled)
Mail-enabled security	Security + email distribution	❌ for group licensing	✅
Distribution list	Email broadcast only	❌	✅

Membership types: Assigned (manual), Dynamic user, or Dynamic device (rule-based on attributes — requires Entra ID P1). A group can't be both dynamic-user and dynamic-device.

Shared mailboxes let multiple users read/send as a common address (e.g. support@). They are free up to 50 GB and need no licence — unless they exceed 50 GB or you enable In-Place Archive/Litigation Hold, which require an Exchange Online Plan 2 licence.

Caveat — dynamic membership needs P1

Dynamic group membership rules require Microsoft Entra ID P1. Plain assigned membership is free. Also: a shared mailbox needs a licence only when >50 GB or when placed on hold/archive.

Microsoft 365 Groups governance

Setting	What it controls
Creation restriction	Limit who can create M365 Groups (and so Teams/Planner) to members of a security group — set with Graph PowerShell (`EnableGroupCreation` = false + `GroupCreationAllowedGroupId`)
Naming policy	Add a prefix/suffix (e.g. `GRP_` + dept) and a blocked-words list. Requires Entra ID P1
Expiration policy	Auto-expire inactive groups after 180/365/custom days; owners must renew or the group (and its resources) is deleted. Requires Entra ID P1
Guest access	Allow/deny adding guests to groups (ties into External Identities settings)

Soft-delete window

A deleted Microsoft 365 Group (and its mailbox, site, Planner) is recoverable for 30 days, after which it is permanently removed — same window as deleted users.

Licences & group-based licensing

Licences can be assigned directly to a user or via group-based licensing (assign the licence to a group → all members inherit it). Group-based licensing requires Entra ID P1 for the licensing engine.

Usage location must be set on the user before any licence is assigned (drives service availability by region).
You can disable individual service plans within a licence (e.g. turn off Yammer while keeping Exchange).
If two groups assign overlapping licences, the user receives the union; conflicts (e.g. not enough licences, conflicting service plans) surface as licensing errors to resolve.

No licences left / direct vs inherited

You cannot remove a directly-inherited group licence from a single user — you must remove them from the group or move the assignment. If a group's licence count runs out, members show an error until more licences are added.

Bulk user management & PowerShell

Options: CSV bulk add/import in the admin center, and PowerShell. The MSOnline and AzureAD modules are deprecated/retired — the exam now expects Microsoft Graph PowerShell (and the Microsoft Entra PowerShell module).

# Modern: Microsoft Graph PowerShell SDK
Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Bulk-create users from a CSV
Import-Csv users.csv | ForEach-Object {
  $pwd = @{ Password = 'P@ssw0rd!'; ForceChangePasswordNextSignIn = $true }
  New-MgUser -DisplayName $_.Name -UserPrincipalName $_.UPN `
    -MailNickname $_.Alias -AccountEnabled -PasswordProfile $pwd -UsageLocation "US"
}

Caveat — use Microsoft Graph PowerShell

If a question offers Connect-MsolService / AzureAD cmdlets vs Connect-MgGraph / Microsoft.Graph, the correct modern answer is Microsoft Graph PowerShell. MSOnline & AzureAD modules are retired.

1.3 Manage roles and role groups

Roles in Microsoft 365 & Entra ID

Apply least privilege: assign the most specific role for the task rather than Global Administrator. Microsoft recommends fewer than 5 Global Admins and emergency "break-glass" accounts.

Role	Can do	Cannot
Global Administrator	Everything, incl. billing & all admin centers	— (most privileged; minimise count)
Global Reader	Read-only across everything Global Admin sees	Make any changes
User Administrator	Create/manage users & groups, reset most passwords	Reset passwords of higher-privileged admins
Privileged Role Administrator	Manage role assignments & PIM settings	—
Helpdesk Administrator	Reset passwords for non-admin users, manage service requests	Manage admin accounts
Billing Administrator	Purchases, subscriptions, support tickets	Manage users/security
Exchange / SharePoint / Teams Admin	Manage that single workload	Other workloads

Entra roles vs Azure RBAC roles

Entra ID roles control access to Entra & M365 resources (identity, users, M365 services). Azure RBAC roles control Azure resource management (subscriptions, VMs). They are separate systems — a Global Admin is not automatically an Azure Owner (though they can elevate to gain access to all Azure subscriptions via a toggle).

Workload permissions (Defender XDR, Purview)

Microsoft Defender XDR & Microsoft Purview historically use their own role groups (e.g. Purview's Compliance Administrator, eDiscovery Manager; Defender's email & collaboration permissions). These can be managed in-portal or mapped from Entra roles.
Microsoft is consolidating these under Microsoft Defender XDR Unified RBAC and Entra roles — but role groups still appear on the exam (add/remove members to grant scoped admin rights without Global Admin).

Role group pattern

For Purview/Defender, you grant access by adding users to a role group (a bundle of granular roles). Create a custom role group when built-in ones don't fit least privilege.

Built-in role group	Grants
Compliance Administrator (Purview)	Manage most Purview compliance features (DLP, retention, labels)
Compliance Data Administrator	Compliance + data classification & device management
eDiscovery Manager / Administrator	Run eDiscovery cases; Administrator sees all cases
Records Management	Configure retention labels & records features
Security Administrator (Defender)	Manage security features & policies in the Defender portal
Security Reader / Global Reader	Read-only across security & compliance

Caveat — grant compliance access without Global Admin

To let someone manage DLP/retention without over-privileging, add them to the Compliance Administrator role group in Purview — not Global Administrator. Reader access for auditors → Global Reader or Security/Compliance Reader.

Delegation with Administrative Units (AUs)

An administrative unit scopes an admin's authority to a subset of users/groups/devices (e.g. one region or department). Requires Entra ID P1 for members; assigning roles scoped to an AU lets, say, a "London Helpdesk Admin" reset passwords only for London users.

flowchart TD GA[Global Admin
tenant-wide] --> AU1 GA --> AU2 subgraph Scoped delegation AU1[AU: Sales
Helpdesk Admin scoped here] AU2[AU: Europe
User Admin scoped here] end AU1 --> U1[Sales users only] AU2 --> U2[Europe users only]

Administrative units restrict a role assignment to only the members of that unit.

AU membership can be assigned or dynamic (rule-based, P1 required).
Restricted Management AUs (newer) protect members so that only AU-scoped admins — not tenant-level admins like User Admin — can manage them.

Privileged Identity Management (PIM)

PIM provides just-in-time, time-bound, approval-based privileged access — you make roles eligible rather than permanently active. Requires Microsoft Entra ID P2 (or Entra ID Governance).

PIM concept	Meaning
Eligible assignment	User can activate the role when needed (must request)
Active assignment	Role is permanently/temporarily active without activation
Activation	User elevates for a set window (e.g. 1–8 h), optionally requiring MFA, justification, ticket number, and approval
Access review	Recurring attestation that assignments are still needed
Alerts & audit	Notifications for suspicious activations; full audit history

flowchart LR E[Eligible assignment] --> R[User requests activation] R --> G{Activation requirements} G --> MFA[MFA / justification /
ticket number] G --> AP[Approval if required] MFA --> A[Role ACTIVE
for limited window] AP --> A A --> X[Auto-expires →
back to eligible]

PIM just-in-time flow: eligible → request → satisfy requirements → time-bound active → auto-expire.

Per-role settings (Role settings): max activation duration, require MFA on activation, require justification/ticket, require approval (and approvers), and activation/assignment notifications. Access reviews periodically re-attest eligibility.

Caveat — licence editions to memorise

PIM & Identity Protection = Entra ID P2. Conditional Access, SSPR (writeback for hybrid), dynamic groups, group-based licensing, administrative units = Entra ID P1. Security defaults & basic MFA = free. These licence facts are heavily tested.