Exam tips & high-yield caveats
The traps, licence boundaries and "which tool" distinctions MS-102 loves to test. Skim this the night before — it stitches the four domains into the decisions the exam actually asks you to make.
Always verify
Microsoft renames and re-licenses products frequently (Azure AD → Entra ID, M365 Defender → Defender XDR, Compliance center → Purview). These caveats reflect the current GA picture — confirm against the official docs before relying on any single fact.
The licensing map — the #1 tested distinction
Countless questions resolve to "what licence is required?". Burn this in:
| Capability | Minimum licence |
|---|---|
| Security defaults, basic MFA, SSPR for cloud users (password change) | Entra ID Free |
| Conditional Access policies | P1 |
| SSPR password writeback to on-prem AD | P1 |
| Dynamic group membership | P1 |
| Group-based licensing | P1 |
| Administrative units | P1 |
| Entra Connect Health monitoring | P1 |
| On-prem Password Protection (enforce) | P1 |
| Identity Protection (risk policies, leaked creds) | P2 |
| Privileged Identity Management (PIM) | P2 |
| Access reviews, Entitlement management | P2 / Entra ID Governance |
| Defender for Office 365 (Safe Links/Attachments) | Defender O365 P1 |
| Threat Explorer, Attack Simulation, AIR | Defender O365 P2 / E5 |
| Auto-labeling, Endpoint DLP, records mgmt, EDM/trainable classifiers, Insider Risk | M365 E5 / E5 Compliance |
| Manual sensitivity/retention labels, baseline DLP, OME | M365 E3 |
Rule of thumb
If it involves risk or just-in-time privilege → P2. If it involves conditional access, dynamic/automation, hybrid writeback, or scoped admin → P1. If it's automatic classification/DLP on the endpoint → E5.
"Which tool / which feature?" decision table
| The requirement says… | Answer |
|---|---|
| Current outages affecting users right now | Service health |
| Upcoming feature changes & required actions | Message center |
| Clean up duplicate UPN/proxyAddresses before sync | IdFix |
| Sync multiple disconnected forests, lightweight | Entra Cloud Sync |
| Sync devices / Hybrid Join / Exchange hybrid writeback | Entra Connect Sync |
| Just-in-time elevation with approval for admin roles | PIM |
| Scope a helpdesk admin to one department only | Administrative unit |
| Block sign-in from risky countries / require MFA off-network | Conditional Access |
| Auto-remediate compromised identities (leaked creds) | Identity Protection (+ CA risk policy) |
| Detonate attachments in a sandbox before delivery | Safe Attachments |
| Protect against URLs weaponised after delivery | Safe Links + ZAP |
| Find unsanctioned SaaS (shadow IT) from traffic logs | Cloud Discovery (Defender for Cloud Apps) |
| Block file download on unmanaged device in real time | Conditional Access App Control / session policy |
| Hunt across email + device + identity with KQL | Advanced hunting (Defender XDR) |
| Keep/delete data on a schedule (lifecycle) | Retention labels/policies |
| Classify + encrypt + watermark a document | Sensitivity label |
| Stop USB copy of sensitive files on a laptop | Endpoint DLP |
| Fast point-in-time restore of mailbox/OneDrive/SharePoint | Microsoft 365 Backup |
Conflict-resolution rules to memorise
Conditional Access
All policies are evaluated; explicit Block overrides any Grant. Within a grant, "require all" = AND, "require one" = OR. Always exclude break-glass accounts.
Retention (in order)
1) Retain > delete · 2) longest retention wins · 3) explicit label > implicit policy · 4) shortest deletion wins.
Threat policy precedence
Strict preset > Standard preset > custom (by priority number) > Built-in/Default. Lower priority number = applied first.
Sensitivity label order
Label lower in the list = higher sensitivity / priority. One sensitivity + one retention label can coexist on an item.
PowerShell & tooling gotchas
- Use Microsoft Graph PowerShell (`Connect-MgGraph`, `New-MgUser`) and the Microsoft Entra PowerShell module. The old MSOnline (`Connect-MsolService`) and AzureAD modules are retired — wrong answers if offered as the modern approach.
- Force directory sync: `Start-ADSyncSyncCycle -PolicyType Delta` (incremental) on the Connect server.
- Exchange Online tasks → Exchange Online PowerShell V3 module (`Connect-ExchangeOnline`).
- Bulk users without scripting → CSV import in the M365 admin center.
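The gotchas above as one runnable admin session. This is an added example, not from the MS-102 page or from Microsoft's docs; it assumes the Microsoft.Graph SDK and Exchange Online V3 module are installed, that the signed-in account holds the User Administrator role, that `CONNECT01` is the (assumed) hostname of the Entra Connect server reachable over WinRM, and that every `contoso.example` value and placeholder is replaced with your own.

```powershell
# Added example (not the page's or Microsoft's code): modern modules only.
# Assumes Microsoft.Graph SDK + ExchangeOnlineManagement V3 installed, User Administrator
# rights, and a WinRM-reachable Entra Connect server named CONNECT01 (assumed name).

# 1. Connect to Graph requesting only the scope this task needs (least privilege).
Connect-MgGraph -Scopes "User.ReadWrite.All"

# 2. Create a cloud-only user. All values are constructed placeholders.
$passwordProfile = @{
    Password                      = "<initial-password-placeholder>"
    ForceChangePasswordNextSignIn = $true   # force rotation at first sign-in
}
$user = New-MgUser -DisplayName "Test User" `
    -UserPrincipalName "test.user@contoso.example" `
    -MailNickname "test.user" `
    -AccountEnabled `
    -PasswordProfile $passwordProfile `
    -UsageLocation "GB"      # required before a licence can be assigned via Graph

# 3. Read it back (read-only, safe to re-run).
Get-MgUser -UserId $user.Id -Property DisplayName,UserPrincipalName,AccountEnabled |
    Select-Object DisplayName, UserPrincipalName, AccountEnabled

# 4. Exchange Online work uses the V3 module, not Graph.
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.example"
Get-Mailbox -ResultSize 5 | Select-Object DisplayName, PrimarySmtpAddress
Disconnect-ExchangeOnline -Confirm:$false

# 5. On the Entra Connect server: push on-prem changes now instead of waiting for the
#    30-minute scheduler. Delta = incremental; Initial = full re-import (slow, rarely needed).
Invoke-Command -ComputerName "CONNECT01" -ScriptBlock {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}

# Retired: Connect-MsolService (MSOnline) and Connect-AzureAD (AzureAD). If a question
# offers them as "the current approach", that option is the distractor.
Disconnect-MgGraph
```

Step 5 only makes sense if the user was created on-prem and you want it in the cloud quickly; for the cloud-only user created in step 2 nothing needs syncing, the line is there to show where the delta cycle is triggered.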
"Test before enforce" patterns
Several features share a pilot-then-enforce model — recognise which mode goes with which feature:
| Feature | Pilot / test mode |
|---|---|
| Conditional Access | Report-only mode + What If tool |
| DLP policy | Simulation / test mode (with or without policy tips) |
| ASR rules (Defender for Endpoint) | Audit mode before Block |
| On-prem Password Protection | Audit mode before Enforce |
| Federation → managed auth migration | Staged rollout |
| Attack Simulation Training | Benign simulated phishing + auto-assigned training |
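The Conditional Access rules above (explicit Block beats Grant, AND/OR operator, always exclude break-glass) and the "Report-only mode" row of the test-before-enforce table, together in one policy. This is an added example, not from the MS-102 page or from Microsoft's docs; it assumes the Microsoft.Graph SDK, the Conditional Access Administrator role, that the break-glass object IDs are replaced with your own, and that your trusted named locations are already defined.

```powershell
# Added example (not the page's or Microsoft's code): a CA policy created in
# report-only mode so sign-in logs show what it WOULD do before it is enforced.
# Assumes Microsoft.Graph SDK and Conditional Access Administrator rights.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

# Break-glass (emergency access) accounts are ALWAYS excluded. Placeholder object IDs.
$breakGlassIds = @("<breakglass-account-1-objectid>", "<breakglass-account-2-objectid>")

$policyName = "CA-Pilot-Require-MFA-Off-Network"
$policy = @{
    displayName = $policyName
    # Report-only: evaluated and logged, never enforced. Change to "enabled" only after
    # reviewing the report-only results in the sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = $breakGlassIds
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # named locations flagged as trusted
        }
    }
    grantControls = @{
        # "OR"  = "require one of the selected controls"
        # "AND" = "require all the selected controls"
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Confirm it exists and is still report-only. A separate Block policy (state "enabled")
# covering the same users would win over this Grant regardless of order.
Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$policyName'" |
    Select-Object DisplayName, State

Disconnect-MgGraph
```

Pair this with the What If tool on a test user to confirm the policy evaluates as intended, then flip `state` to `enabled` once the report-only sign-in results show no unexpected failures.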
Old name → new name (don't get tricked)
| You may still see… | Current name |
|---|---|
| Azure Active Directory (Azure AD) | Microsoft Entra ID |
| Azure AD Connect / AAD Connect cloud sync | Microsoft Entra Connect Sync / Cloud Sync |
| Microsoft 365 Defender / Microsoft Threat Protection | Microsoft Defender XDR |
| Office 365 ATP | Microsoft Defender for Office 365 |
| Microsoft Cloud App Security (MCAS) | Microsoft Defender for Cloud Apps |
| Microsoft 365 compliance center | Microsoft Purview portal |
| AIP / Azure Information Protection labels | Purview sensitivity labels |
| Office Message Encryption (OME) | Microsoft Purview Message Encryption |
Question-format strategy
- Case studies
  - Read the requirements & existing environment first, then the questions. Answers must satisfy all stated constraints (cost, "minimise admin effort", "least privilege"). You usually can't return to a case study after leaving it.
- Build list / drag-and-drop ordering
  - Order matters — e.g. add domain → verify TXT → configure MX/CNAME; or create label → publish policy → apply. Eliminate impossible first steps.
- "Yes/No" repeated-scenario sets
  - Same setup, 3 variations. Each is independent — a previous "No" doesn't imply the next. Watch the subtle wording change.
- Hotspot / dropdowns
  - Each dropdown is scored independently. Don't let one uncertain field shake your confidence on the others.
- "Minimise administrative effort" / "least privilege"
  - These phrases steer you to group-based, built-in role, preset policy, or automatic answers over manual/custom ones.
Day-before checklist
- ✅ Licence map (Free/P1/P2/E3/E5)
- ✅ Service health vs Message center
- ✅ Connect Sync vs Cloud Sync
- ✅ CA block-wins + report-only
- ✅ Retention conflict order
- ✅ Sensitivity vs retention label
- ✅ Safe Links vs Safe Attachments
- ✅ Cloud Discovery vs connector vs session control
- ✅ Graph PowerShell (not MSOnline/AzureAD)
- ✅ Endpoint DLP needs onboarding
Take the free practice assessment
Microsoft offers an official MS-102 practice assessment — use it to find weak areas, then revisit the matching domain page here.