19 min read4 domains coveredFree practice, no sign-up
The Microsoft 365 Administrator certification (MS-102) tests whether you can run a real Microsoft 365 tenant end to end: stand it up, wire identity and access, defend it with Microsoft Defender XDR, and govern its data with Microsoft Purview. It is not a trivia exam about which blade lives where. It is about knowing the least-privilege role that does a job, the exact service that satisfies a stated requirement, and the documented behaviour that decides a yes-or-no scenario the way Microsoft Learn describes it.
It suits practising administrators: people who already manage Microsoft 365, Exchange Online, or Microsoft Entra ID and now need to prove they can do it across all four pillars to Microsoft's standard. The exam mixes multiple choice, multiple response, and case studies, and the case studies in particular reward someone who can read a set of constraints and pick the one configuration that meets every one of them. Hands-on time in the admin centres matters more than any single study guide.
The exam is pass-or-fail on precision. Several options in a question are usually plausible, and only one matches the documented Microsoft behaviour or the minimum role that gets the task done. Memorising what a feature does is the easy half. Knowing which role is least privilege for it, which location-level versus item-level control to reach for, and which product surfaces a setting is the half that decides your score. Practising on scenario questions with a worked explanation, and a reason every wrong option is wrong, beats re-reading documentation you already nod along to.
MS-102 is a precision exam across four admin pillars: almost every question names a requirement and the right answer is the least-privilege role or the documented Microsoft 365 service that meets it exactly, not the one that merely could.
Difficulty
Intermediate
Best for
Practising Microsoft 365 administrators and Microsoft Entra, Exchange, security, or compliance admins who manage a live tenant and need to prove competence across tenant administration, identity and access, Defender XDR threat protection, and Purview compliance.
Prerequisites
None enforced. Microsoft recommends working knowledge of Microsoft 365 workloads, Microsoft Entra ID, networking, DNS, and PowerShell. Real time spent in the Microsoft 365 admin centre, the Microsoft Entra admin centre, the Defender portal, and the Purview portal is what actually carries you.
Typically 40 to 60 questions
Questions
120 min
Time allowed
700 / 1000
Pass mark
$165
Exam cost (USD)
199
Practice questions
How this exam thinks
One habit decides this exam: read the requirement for its exact constraint, then pick the role or service that satisfies it and nothing more. Most questions name a task and several roles or features that could plausibly do it, and the keyed answer is the one Microsoft Learn documents as correct, usually the least-privilege role or the purpose-built control. When the question says minimum permissions or least privilege, that word is the whole test: User Administrator and Global Administrator are nearly always traps planted to reward over-provisioning.
The default tie-breaker is least privilege that still completes the task. Adding a domain wants Domain Name Administrator, not a generic helpdesk or user role; viewing service health wants Service Support Administrator, not something broader; enabling self-service password reset wants Authentication Policy Administrator, not Authentication Administrator or Global Administrator. Reach for a higher role only when the scenario names a job that genuinely needs it. The narrowest role that documents the capability is the answer.
The rest is a set of discriminations the exam leans on, each driven by the requirement. Identity splits Connect Sync from Cloud Sync by the named scenario, such as disconnected forests or eliminating a single sync server. Defender XDR surfaces only the products you have licensed and provisioned, and routes tasks to the right portal capability such as alert tuning over a mail flow rule. Purview splits location-level retention policies from item-level retention labels, and remembers that only labels can declare records, while a multi-location DLP policy is constrained to conditions both locations support. Name the constraint, then choose the role, service, or setting built for it.
What each domain tests and how to study it
The MS-102 blueprint is split across 4 domains. Weights are the official share of the exam; see the official exam guide for the authoritative breakdown.
What you must be able to do. Stand up and administer a Microsoft 365 tenant: configure organisational settings, manage users, contacts, and licences, assign the least-privilege admin role for each task, and add and verify custom domains with the right DNS records.
In one sentenceThe heaviest domain: running the tenant day to day, with least-privilege role assignment and domain management as the recurring decisions.
Recall check: answer these from memory first
Which least-privilege role adds, modifies, or removes a custom domain, and which two roles are planted as traps because they sound administrative but cannot?
Which least-privilege role lets an operator view the Service health page, and what distinguishes an advisory from an incident there?
Name the admin centre and the setting that lets a distribution list accept email from senders outside the organisation.
What it tests. Operating the tenant from the admin centres. Configuring organisational settings and choosing the correct admin centre for a task; managing users, contacts, distribution lists, and licence assignment, including documented behaviours such as allowing external senders to a distribution list; assigning roles and role groups by least privilege, where Domain Name Administrator adds domains and Service Support Administrator views service health; and managing custom domains end to end, adding, verifying, and configuring the DNS records that prove ownership and route mail. It also tests reading the Service health page correctly, distinguishing an advisory with a workaround from an incident where a major function is down.
How to study it. Build a role-to-task table and drill it until the least-privilege answer is automatic, because that is what most questions in this domain turn on. Pair each common task with its narrowest role: add or remove a domain is Domain Name Administrator, view service health is Service Support Administrator, reset passwords is Helpdesk Administrator, manage licences is User Administrator. Then practise the domain-onboarding flow, knowing which DNS records verify ownership and which route mail. Learn the Service health vocabulary precisely: an advisory means partial impact, often with a workaround, while the service stays available; an incident means a major function is unavailable. Read the worked explanation on every practice question and note exactly why the broader role was wrong.
Easy to confuse
Domain Name Administrator versus User Administrator. Domain Name Administrator is the least-privilege role that can add, modify, or remove a tenant domain, a tenant-wide change; User Administrator manages users and licences but cannot touch domains. When the task is domain management, User Administrator is the over-broad-sounding trap that still cannot do the job.
Service Support Administrator versus Helpdesk Administrator. Service Support Administrator is the purpose-built least-privilege role for viewing Service health and opening support requests; Helpdesk Administrator can also see service health but is centred on password and user support. For a least-privilege service-health view, Service Support Administrator is the canonical answer.
Advisory versus incident on the Service health page. An advisory means some users are affected while the service remains available, often with a workaround; an incident means the service or a major function is unavailable with noticeable impact. Advisory equals partial impact plus workaround, incident equals critical loss.
Worked example from the MS-102 bank
lock_openFree sampleDeploy and Manage a Microsoft 365 Tenantmedium
A new administrator wants to add the contoso.com custom domain to your Microsoft 365 tenant. Which directory role grants the minimum permissions required to add, modify, or remove a domain?
AUser Administrator role in the Microsoft 365 admin center
BDomain Name Administrator role in the Microsoft 365 admin centercheck_circle Correct
CService Support Administrator role in the Microsoft 365 admin center
DHelpdesk Administrator role in the Microsoft 365 admin center
Adding or removing a Microsoft 365 domain requires the Domain Name Administrator role, not generic helpdesk or user roles. Microsoft Learn explicitly requires the Domain Name Administrator role to add, modify, or remove a domain because the change affects the whole tenant. Customized administrators or regular users cannot make this change.
Why A is wrong: User Administrator manages user accounts and licenses but cannot add tenant-scoped domains.
Why B is correct: Correct. Microsoft Learn explicitly requires the Domain Name Administrator role to add, modify, or remove a domain because the change affects the whole tenant.
Why C is wrong: Service Support Administrator views service health and creates service requests, not domain configuration.
Why D is wrong: Helpdesk Administrator resets passwords and views service health but cannot manage domains.
What you must be able to do. Implement and manage Microsoft Entra identity, authentication methods, and Conditional Access, and choose the correct hybrid identity tool, Microsoft Entra Connect Sync or Cloud Sync, for the stated scenario while respecting licensing and least privilege.
In one sentenceThe identity layer: users, groups, authentication methods, Conditional Access, and the Connect Sync versus Cloud Sync decision driven by the named scenario.
Recall check: answer these from memory first
Which least-privilege role enables self-service password reset on the Password reset blade, and why is Authentication Administrator the wrong pick?
Name three documented scenarios where Microsoft Entra Cloud Sync wins over Connect Sync, and two that still require Connect Sync.
Microsoft Entra Connect is free, but which licensing tier does Connect Health require for any user of the tenant?
What it tests. Managing identity and access on Microsoft Entra ID. Provisioning users, groups, and external identities; configuring authentication methods such as SMS and self-service password reset with the least-privilege role, where enabling SSPR is Authentication Policy Administrator; building Conditional Access policies; and implementing hybrid identity, choosing between Microsoft Entra Connect Sync and Cloud Sync by the documented scenario, and knowing the licensing line where Connect is free but Connect Health needs Microsoft Entra ID P1 or P2. It also tests documented side effects, such as SMS sign-in causing users to be skipped from cross-tenant synchronisation.
How to study it. Drill two things until they are reflexes: the least-privilege authentication roles and the Connect Sync versus Cloud Sync split. For roles, separate Authentication Policy Administrator, which configures the SSPR and authentication-method policies, from Authentication Administrator, which resets credentials for users; the configuration task is Policy, not the broader admin. For hybrid identity, learn Cloud Sync by its flagship scenarios, disconnected forests without a trust, eliminating a single on-premises sync server as a point of failure, and cloud-managed configuration, while Connect Sync still owns device writeback and external SQL. Memorise the licensing line: Connect is free, Connect Health is P1 or P2. Watch for documented side effects like SMS sign-in skipping users from cross-tenant sync.
Easy to confuse
Authentication Policy Administrator versus Authentication Administrator. Authentication Policy Administrator configures the tenant authentication-method and SSPR policies, the least privilege to enable SSPR; Authentication Administrator resets users' authentication methods and credentials. Configuring the policy is Policy Administrator, acting on a user's methods is Authentication Administrator.
Microsoft Entra Connect Sync versus Cloud Sync. Cloud Sync uses lightweight provisioning agents and wins on disconnected forests without a trust, high availability with multiple agents, and cloud-managed configuration; Connect Sync is the on-premises engine still required for device writeback and customer-hosted SQL. Match the choice to the named scenario, not familiarity.
Microsoft Entra Connect versus Connect Health licensing. Using Microsoft Entra Connect to synchronise identities is free at any tier; the Connect Health monitoring portal requires Microsoft Entra ID P1 or P2 assigned in the tenant. Free covers sync itself, P1 or P2 covers Health insights.
Worked example from the MS-102 bank
lock_openFree sampleImplement and Manage Identity and Accessmedium
You need to turn on self-service password reset for a pilot group in the Microsoft Entra admin center. Which role grants the least privilege required to complete the configuration on the Password reset blade?
AAssign the Authentication Policy Administrator role to the operator.check_circle Correct
BAssign the Authentication Administrator role to the SSPR operator.
CAssign the User Administrator role to the SSPR pilot operator.
DAssign the Global Administrator role to the SSPR pilot operator.
Authentication Policy Administrator is the minimum role to enable SSPR via the Microsoft Entra admin center. The enable-SSPR tutorial states the configuring account needs at least the Authentication Policy Administrator role. That role can open Entra ID > Password reset and change Properties, Authentication methods, Registration, Notifications, and Customization without granting broader directory or user-management rights.
Why A is correct: Correct. The enable-SSPR tutorial states the configuring account needs at least the Authentication Policy Administrator role.
Why B is wrong: This role manages user authentication methods and credentials but does not own the tenant SSPR configuration on the Password reset blade.
Why C is wrong: User Administrator can manage users and reset passwords, but the SSPR enablement steps call out Authentication Policy Administrator as the minimum role.
Why D is wrong: Global Administrator works, but it is not the least-privileged role; the tutorial explicitly names Authentication Policy Administrator as the minimum.
What you must be able to do. Manage security across Microsoft Defender XDR: read reports and alerts in the Defender portal, protect email and collaboration with Defender for Office 365, protect endpoints with Defender for Endpoint, and route each task to the right capability with the right role.
In one sentenceThe threat-protection layer: the Defender portal and its three workloads, where portal surface and the correct capability are decided by what you have licensed.
Recall check: answer these from memory first
Why does a Defender for Office 365-only customer see no device protection in the Defender portal, and what is the general rule that explains it?
Which Defender capability suppresses noisy benign alerts without disabling automated investigation and response, and where is it configured?
Which built-in roles can both read and write Secure Score recommendations, and which two reader or scoped roles cannot?
What it tests. Defending the tenant with Microsoft Defender XDR. Reading security reports, alerts, and Secure Score in the Defender portal, and knowing which built-in roles can read versus write Secure Score recommendations; protecting email and collaboration with Defender for Office 365, including suppressing noisy benign alerts with alert tuning rules without disabling automated investigation and response; protecting endpoints with Defender for Endpoint; and understanding portal behaviour, where the Defender portal surfaces only the products you have licensed and provisioned, and Cloud App discovery data refreshes four times a day.
How to study it. Anchor on the rule that the Defender portal shows only the products you have licensed and provisioned, then learn each workload's go-to capability and role. For Defender for Office 365, learn alert tuning rules as the documented way to suppress benign noise without touching AIR, distinct from a mail flow rule or an anti-spam threshold. For Secure Score, memorise the read-and-write roles, Security Administrator plus the workload admins Exchange and SharePoint, against read-only roles like Global Reader. Know small documented facts the exam likes, such as Cloud App discovery updating four times a day. Drill scenario questions and on each one name why a capability in another portal was the wrong destination.
Easy to confuse
Alert tuning rules versus mail flow rules for suppressing alerts. Alert tuning rules in the Defender portal suppress noisy benign alerts without affecting automated investigation and response or email notifications; mail flow rules in the Exchange admin centre act on message routing, not on alert noise. To quiet alerts while keeping AIR, the answer is alert tuning.
Security Administrator versus Global Reader for Secure Score. Security Administrator, with the Exchange and SharePoint workload admins, can read and write Secure Score recommendations, editing status, notes, and zones; Global Reader and scoped roles like Authentication Administrator can only read. Write access means the workload and security admins, not the readers.
Defender portal surface versus licensing and provisioning. The Defender portal hides features for products you have not licensed and provisioned; it is not a role scope problem or a separate portal session. If endpoint features are missing for a Defender for Office 365-only tenant, the cause is the absent Endpoint licence, not configuration.
Worked example from the MS-102 bank
lock_openFree sampleManage Security and Threats by Using Microsoft Defender XDRmedium
You sign in to the Microsoft Defender portal as a Defender for Office 365-only customer. Why do you not see device protection features or the Defender for Endpoint device inventory in the portal?
AThe portal hides features for products you have not licensed and provisioned.check_circle Correct
BDevice protection requires a separate browser session at the Endpoint portal.
CDefender XDR has not been turned on for the tenant from the Settings page.
DThe Microsoft Entra ID role assigned is missing the Endpoint operator scope.
Apply the documented Microsoft 365 / Microsoft Entra ID behaviour to the scenario. In the Microsoft Defender portal customers see only the security features their subscription includes. With Defender for Office 365 but no Defender for Endpoint license, device protection features are not surfaced.
Why A is correct: Correct. In the Microsoft Defender portal customers see only the security features their subscription includes.
Why B is wrong: There is no separate Endpoint portal; the Defender portal at security.microsoft.com is the unified surface.
Why C is wrong: Turning on Defender XDR does not provision Defender for Endpoint; licensing is the gating factor.
Why D is wrong: Roles control access to surfaced features, not whether unlicensed product features appear at all.
What you must be able to do. Implement Microsoft Purview information protection, data lifecycle management, and data loss prevention: choose location-level retention policies versus item-level retention labels, declare records correctly, and build DLP policies that respect each location's supported conditions.
In one sentenceThe compliance layer: Purview retention and DLP, where policy versus label and per-location support decide the right configuration.
Recall check: answer these from memory first
Which retention mechanism applies at the location level and which at the item level, and which one can declare items as records?
When a DLP policy spans SharePoint and Teams, why is a sensitivity-label condition unavailable, and what conditions remain usable?
Where is a deleted SharePoint file preserved so a retention policy is honoured, and where does the Exchange equivalent live?
What it tests. Governing data with Microsoft Purview. Information protection and data lifecycle management, including custom sensitive information types built from a primary element and supporting elements, and retention applied at the right level, location-level retention policies versus item-level retention labels, with only labels able to declare records; where retained content is preserved, the Preservation Hold library for SharePoint and OneDrive versus Recoverable Items for Exchange; and data loss prevention policies, including the documented constraint that a multi-location DLP policy can use only conditions every selected location supports, so sensitivity-label conditions do not apply when Teams shares a policy with SharePoint.
How to study it. Burn in two splits. First, retention policy versus retention label: a policy is location-level and applies to a whole mailbox, site, or OneDrive, while a label is item-level for a folder, document, or message and is the only mechanism that can mark items as records. The mixed-requirement pattern, a baseline policy plus a longer label that declares records, is a recurring scenario. Second, DLP per-location support: when several locations share one policy, only conditions supported by all of them are available, and No takes precedence over Yes, so a Teams-plus-SharePoint policy cannot use sensitivity labels. Learn where retained content lives by workload: Preservation Hold library for SharePoint and OneDrive, Recoverable Items for Exchange, SubstrateHolds for Teams and Copilot.
Easy to confuse
Retention policy versus retention label. A retention policy is location-level and retains everything in a mailbox, site, or OneDrive; a retention label is item-level and is the only control that can mark an item as a record. For mixed needs, combine a baseline policy with a longer-retention label rather than stacking two policies.
Preservation Hold library versus Recoverable Items folder. SharePoint and OneDrive preserve retained copies of edited or deleted content in the Preservation Hold library on the site; Exchange uses the Recoverable Items folder in the mailbox. Match the preservation location to the workload, with SubstrateHolds covering Teams and Copilot.
Single-location versus multi-location DLP policy conditions. A DLP policy targeting one location can use every condition that location supports; once multiple locations share a policy, only conditions all of them support remain, and No takes precedence over Yes. To use a sensitivity-label condition where Teams is involved, give SharePoint its own policy.
Worked example from the MS-102 bank
lock_openFree sampleManage Compliance by Using Microsoft Purviewhard
You add the SharePoint and Teams locations to a single DLP policy. You then attempt to use a sensitivity label as the only content condition for the policy's rule. The sensitivity label condition will be available for both locations in the rule editor. Is this statement correct?
AYes
BNocheck_circle Correct
Apply the documented Microsoft 365 / Microsoft Entra ID behaviour to the scenario. The keyed answer follows the documented behaviour. When multiple locations are selected, No takes precedence over Yes in the content support matrix. SharePoint supports sensitivity labels but Teams does NOT, so the combined policy can use only conditions supported by both locations (effectively SITs and trainable classifiers). To use sensitivity labels you must put SharePoint in its own policy.
Why A is wrong: When multiple locations are selected, No takes precedence over Yes in the content support matrix. SharePoint supports sensitivity labels but Teams does NOT, so the combined policy can use only conditions supported by both locations (effectively SITs and trainable classifiers). To use sensitivity labels you must put SharePoint in its own policy.
Why B is correct: Correct. The keyed answer follows the documented behaviour.
A study plan that works
Map the blueprint and book a date
Day 1
Read the official Microsoft skills outline and the four domains with their weights. Book a provisional date now, because a fixed date turns open-ended study into a plan and is the strongest predictor of actually sitting. Note that tenant administration and Defender XDR are the two heaviest domains, more than half the exam between them.
Build the least-privilege role map
Week 1
Before drilling any domain, build the role-to-task table the whole exam rests on: Domain Name Administrator for domains, Service Support Administrator for service health, Authentication Policy Administrator for SSPR, Helpdesk Administrator for password resets, the Secure Score read-and-write roles. Use the recall prompts in this guide: cover the answer, pick the narrowest role from the task, then reveal. If you reach for Global Administrator, you do not own it yet.
Go deep on tenant administration (Domain 1)
Weeks 1 to 2
This is the largest domain, so it gets the most time. Drill admin-centre selection, user and licence management, the distribution-list and Service health behaviours, and the full add-and-verify-a-domain DNS flow. Practise on scenario questions and read the worked explanation on every one, including the ones you got right, watching for the least-privilege word that picks the role.
Lock identity and hybrid sync (Domain 2)
Weeks 2 to 3
Separate Authentication Policy Administrator from Authentication Administrator, then drill the Connect Sync versus Cloud Sync split by named scenario, the Connect Health P1 or P2 licensing line, and documented side effects like SMS sign-in skipping cross-tenant sync. Configure SSPR and a Conditional Access policy in a test tenant if you can, because hands-on locks the blades in memory.
Cover Defender XDR (Domain 3)
Weeks 3 to 4
Anchor on the rule that the Defender portal surfaces only licensed and provisioned products, then learn each workload's go-to capability: alert tuning for benign noise, the Secure Score read-and-write roles, and small documented facts like Cloud App discovery refreshing four times a day. Drill scenario questions and name why a capability in another portal was the wrong destination.
Lock Purview compliance and drill weak domains (Domain 4)
Weeks 4 to 5
Burn in retention policy versus label, the records-declaration rule, the preservation locations by workload, and the multi-location DLP condition constraint. Then use your per-domain accuracy to attack the two domains dragging you down, not to re-read what you already know, and space the review across a few days.
Sit a timed mock and calibrate
Weeks 5 to 6
Take at least one full timed mock under exam conditions, including a case study, to rehearse pacing and the flag-and-return habit. Treat the score as a per-domain readiness signal, not a single number, and review every missed question, naming the role or documented behaviour you misread, before you book or sit.
Know when you're ready
Readiness for MS-102 is a measured score on scenario questions you have not seen before, not a feeling that the admin centres are familiar. Those are different things, and the gap between them is where people fail. Re-reading documentation builds fluency, and fluency feels like knowledge, so confidence rises while real recall does not. The fix is to test yourself: if you can read a fresh scenario, name the constraint, and pick the least-privilege role or the documented control while explaining why each other option is wrong, you know it; if you can only nod along to an explanation, you do not yet.
Be especially wary of early confidence on roles and on the Purview splits. Knowing what a role or feature does is the easy half; choosing the narrowest role that still completes a task, or the right level of retention, when two options look plausible, is the half the exam actually tests. Trust your measured per-domain accuracy over your gut, and set the bar at clearing every one of the four domains comfortably on unseen questions across more than one session, not scraping a single pass.
This guide gives you the map. The practice bank is where you find out whether you can navigate it, with a worked explanation and a reason every distractor is wrong on every question. Readiness scoring tells you when you are there. Not before.
Ready to put this into practice?
Free MS-102 questions with worked explanations. No sign-up.
Read least privilege or minimum permissions as the whole question. When those words appear, pick the narrowest role that documents the capability and treat User Administrator and Global Administrator as planted traps.
Match the role to the task from memory. Domain management is Domain Name Administrator, service health is Service Support Administrator, SSPR configuration is Authentication Policy Administrator; do not default to a broad role because it sounds administrative.
Let the named scenario decide Connect Sync versus Cloud Sync. Disconnected forests, eliminating a single sync server, or cloud-managed configuration point to Cloud Sync; device writeback or external SQL keep you on Connect Sync.
Remember the Defender portal shows only licensed and provisioned products. If a feature is missing, suspect an absent licence before you blame a role scope or a separate portal session.
Split Purview retention by level. A retention policy is location-level and a retention label is item-level, and only a label can declare a record; combine them for mixed requirements.
Check every location a DLP policy spans. Once multiple locations share one policy, only conditions all of them support are available and No beats Yes, so a Teams-and-SharePoint policy cannot use sensitivity labels.
Budget time for case studies and flag and move on. Read each case study's constraints once, collect the clear marks first, and return to the hard items so a single scenario does not eat your clock.
Frequently asked questions
Is MS-102 hard?
It is an associate-level exam, and the difficulty is precision rather than breadth. Most questions name a requirement where several roles or features look plausible and only one matches the documented Microsoft behaviour or the minimum role that completes the task. Scenario practice with worked explanations matters far more than memorising what each feature does.
How long should I study for MS-102?
Most candidates already administering Microsoft 365 are ready in five to six weeks of steady study. Less hands-on exposure means more time in the admin centres and on the least-privilege role decisions and the Purview retention and DLP splits the exam leans on.
Do I need PowerShell for this exam?
You should be comfortable reading and reasoning about administration tasks that PowerShell can perform, but the exam centres on choosing the right service, role, and configuration in the admin centres rather than writing scripts. Knowing which portal and which role does a job carries you further than syntax.
Which domains should I focus on?
Tenant administration and Defender XDR are the two heaviest domains and deserve the most time, with identity and access close behind. Compliance with Microsoft Purview is the smallest but rewards a clean retention-policy-versus-label and DLP decision, so do not leave it short.
What is the difference between a retention policy and a retention label?
A retention policy applies at the location level to a whole mailbox, SharePoint site, or OneDrive account; a retention label applies at the item level to a folder, document, or message and is the only mechanism that can declare an item as a record. Mixed requirements usually combine a baseline policy with a longer-retention label.
Why does the Defender portal hide some features?
The Microsoft Defender portal surfaces only the products you have licensed and provisioned, so a Defender for Office 365-only tenant sees no Defender for Endpoint device features. It is not a role scope issue or a separate browser session; the missing licence is the cause.
How many practice questions should I do before booking?
Enough that every one of the four domains clears comfortably on questions you have not seen, and a full timed mock including a case study feels comfortable on pacing. Quality of review beats raw volume: on every question, read the explanation and name the role or documented behaviour that picked the answer, including on the ones you got right.
Is the MS-102 Microsoft 365 Administrator certification worth it?
It is a well-established credential for administrators who manage Microsoft 365 tenants and need to demonstrate competence across identity, security, and compliance as a whole rather than just one workload. The exam is genuinely demanding on precision, so candidates who prepare thoroughly tend to come away with a clearer mental model of least-privilege roles and the Purview data governance splits than they had before, which has practical carry-over into daily administration. A common next step is a role-specific certification such as MS-700 for Teams administration or one of the Microsoft security specialist paths for those moving deeper into Defender XDR or Purview.
Examworthy is not affiliated with or endorsed by Microsoft. This guide is original study material based on the public exam blueprint. We never reproduce live exam items. MS-102 and related marks belong to their respective owners.
