Microsoft 365 Administrator (MS-102) cheat sheet
Microsoft
Free to share. Examworthy is not affiliated with or endorsed by Microsoft; MS-102 and related marks belong to their respective owners.
At a glance
Format: Multiple choice, multiple response, and case studies, at a Pearson VUE testing center or online proctored
Domain weight map
Heaviest first - spend your time here
How this exam thinks
MS-102 is a precision exam across four admin pillars: almost every question names a requirement and the right answer is the least-privilege role or the documented Microsoft 365 service that meets it exactly, not the one that merely could.
Spot the trap
Tempting wrong answers, and why they fail
Tempting but wrong
The User Administrator role can add a custom domain like contoso.com to a Microsoft 365 tenant.
Why it fails
User Administrator manages user accounts and licenses but cannot add tenant-scoped domains. Adding, modifying, or removing a domain affects the whole tenant and requires the Domain Name Administrator role.
Deploy and Manage a Microsoft 365 Tenant
Tempting but wrong
To see Defender for Endpoint device inventory you open a separate Endpoint portal in another browser session, distinct from the Defender portal.
Why it fails
There is no separate Endpoint portal. security.microsoft.com is the single unified Microsoft Defender surface. Device protection features are missing because the subscription lacks a Defender for Endpoint license - the portal only surfaces features for products you have licensed and provisioned.
Manage Security and Threats by Using Microsoft Defender XDR
Tempting but wrong
The Authentication Administrator role is enough to turn on self-service password reset for the tenant in the Microsoft Entra admin center.
Why it fails
Authentication Administrator manages individual users' authentication methods and credentials, but it does not own the tenant SSPR configuration on the Password reset blade. Enabling SSPR requires at least the Authentication Policy Administrator role.
Implement and Manage Identity and Access
Tempting but wrong
A custom sensitive information type pattern is built from a default classifier and a trainable classifier.
Why it fails
Trainable classifiers are a separate Purview content-classification mechanism and are not components of a SIT pattern. A custom SIT pattern requires a Primary element and may include one or more Supporting elements, each with its own character proximity.
Manage Compliance by Using Microsoft Purview
Tempting but wrong
The Helpdesk Administrator role is enough to add or remove a domain in Microsoft 365.
Why it fails
Helpdesk Administrator resets passwords and views service health but cannot manage domains. Adding, modifying, or removing a domain requires the Domain Name Administrator role because it affects the whole tenant.
Deploy and Manage a Microsoft 365 Tenant
Tempting but wrong
Defender for Endpoint device features appear once you turn on Defender XDR for the tenant from the Settings page.
Why it fails
Turning on Defender XDR does not provision Defender for Endpoint. Licensing is the gating factor: the Microsoft Defender portal only shows security features the subscription includes, so without a Defender for Endpoint license those device features stay hidden.
Manage Security and Threats by Using Microsoft Defender XDR
Tempting but wrong
Global Administrator is the correct least-privilege role for enabling self-service password reset.
Why it fails
Global Administrator can enable SSPR, but it is not least-privileged. The enable-SSPR tutorial explicitly names Authentication Policy Administrator as the minimum role for the task.
Implement and Manage Identity and Access
Tempting but wrong
A custom sensitive information type pattern is defined using an adaptive scope and a policy filter.
Why it fails
Adaptive scopes are used by retention and DLP policy targeting, not by SIT pattern definitions. A custom SIT pattern is structured from a Primary element plus optional Supporting elements with character proximity.
Manage Compliance by Using Microsoft Purview
Key terms
Exam-day rules
- Read least privilege or minimum permissions as the whole question. When those words appear, pick the narrowest role that documents the capability and treat User Administrator and Global Administrator as planted traps.
- Match the role to the task from memory. Domain management is Domain Name Administrator, service health is Service Support Administrator, SSPR configuration is Authentication Policy Administrator; do not default to a broad role because it sounds administrative.
- Let the named scenario decide Connect Sync versus Cloud Sync. Disconnected forests, eliminating a single sync server, or cloud-managed configuration point to Cloud Sync; device writeback or external SQL keep you on Connect Sync.
- Remember the Defender portal shows only licensed and provisioned products. If a feature is missing, suspect an absent licence before you blame a role scope or a separate portal session.
- Split Purview retention by level. A retention policy is location-level and a retention label is item-level, and only a label can declare a record; combine them for mixed requirements.
Revision schedule
- Day 1: Map the blueprint and book a date
- Week 1: Build the least-privilege role map
- Weeks 1 to 2: Go deep on tenant administration (Domain 1)
- Weeks 2 to 3: Lock identity and hybrid sync (Domain 2)
- Weeks 3 to 4: Cover Defender XDR (Domain 3)