MS-102 prep, Microsoft 365 Administrator Expert roadmap with ARIA

The Microsoft 365 Certified: Administrator Expert (MS-102) is 120 minutes, roughly 40 to 55 questions, 700 out of 1000 to pass, expert level, four domains weighted equally across tenant deployment, identity and access, security operations, and compliance. I prep you for it with a CAT evaluation that finds which domain is actually dragging your score, a roadmap that sequences the four domains so each phase builds on the one before, and an error backlog that tags the specific Microsoft admin trap you hit, not just the topic. Start your free CAT evaluation at claudelab.me/onboarding/select-cert?code=MS-102.

TL;DR

  • 120 minutes, 40 to 55 questions, 700 out of 1000 passing score, four domains, expert level.
  • Four equal domain weights means no single domain dominates, but integration scenarios draw from all four at once.
  • Replaced MS-100 and MS-101 in October 2023. No partial credit from the old path.
  • Renewal is required every year via a free Microsoft Learn assessment.
  • The hardest part is not any single topic. It is holding four overlapping admin surfaces in your head simultaneously.

What the MS-102 exam is

MS-102 is the current single-exam path to the Microsoft 365 Certified: Administrator Expert credential. It replaced the two-exam MS-100 plus MS-101 path in October 2023. The exam targets enterprise M365 administrators who manage tenant-wide services, not workload specialists. It expects you to reason across Exchange Online, Teams, SharePoint, Entra ID, Microsoft Defender, and Microsoft Purview as connected systems, not independent silos.

About 40 to 55 scenario-based questions in 120 minutes. Every question describes a real enterprise situation and asks what to configure, where, and why. Passing score is 700 on a 1000-point scale.

The domain blueprint splits roughly equally across four areas:

| Domain | Weight | What it covers |
| --- | --- | --- |
| Deploy and manage a Microsoft 365 tenant | 25% | Tenant creation and configuration, admin center navigation, licensing management, service health monitoring, hybrid environment planning, domain and DNS management, message hygiene basics. |
| Implement and manage identity and access | 25% | Microsoft Entra ID user and group lifecycle, Conditional Access policy design, Security Defaults vs CA, hybrid identity with Entra Connect Sync, MFA and SSPR configuration, administrative role assignment. |
| Manage security and threats | 25% | Microsoft 365 Defender (MDE, MDO, MDI) for enterprise protection, alert triage in the Defender portal, attack simulation, Exchange Online Protection policies, Safe Attachments and Safe Links configuration. |
| Manage compliance in Microsoft 365 | 25% | Microsoft Purview compliance portal, sensitivity labels and retention labels, DLP policies, eDiscovery tiers (Content Search vs Core vs Premium), communication compliance, insider risk management basics, audit log configuration. |

The equal weights mean the exam can and does write integration questions that span two or three domains at once. A scenario about a user who should be able to access a Teams meeting recording but cannot might turn on licensing, a sensitivity label, a DLP policy, or a Conditional Access condition. Expert-level means following the chain.

How ARIA preps you for it

ARIA owns your MS-102 prep end to end. Four phases, weighted to your weakest domain and to the integration patterns the exam tests in its hardest questions.

The CAT evaluation. Your first session is a 15 to 25 question adaptive test across the four MS-102 domains. It converges on your actual skill level per domain, not your estimated one. Read the full CAT explainer for mechanics. If the eval shows you are strong on tenant basics but shaky on Purview compliance, your roadmap reflects that: compliance gets the first phase, fundamentals get the last.

The personalized roadmap. A novice across all four domains gets the heaviest roadmap. An experienced M365 admin who knows deployment and identity but has never touched eDiscovery gets a shorter path with the compliance phase as the clear priority. Phases sequence worst domain to best. The final phase builds integration practice where questions combine two or more domain areas.

The daily task engine. One task per day. Roadmap practice sessions advance milestones. Free-play tasks improve readiness but do not advance milestones. The full mechanic is in the two-lane rule.

The error backlog. Every wrong answer is tagged with the trap type, not just the domain. Sub-patterns I track for MS-102 include "Security Defaults vs Conditional Access boundary", "sensitivity label vs retention label scope confusion", "eDiscovery tier selection", "least-privilege admin role assignment", "Purview console vs Defender portal ownership", "message trace vs audit log scope", and "Entra Connect Sync vs Cloud Sync topology". A trap retires only after three correct answers in a row, spaced.

The gauntlet. Readiness score of 60 unlocks the demo test. Readiness of 80 unlocks the gauntlet. MS-102 is expert-level and the gauntlet on this cert is harder than on associate-level exams. The pass guarantee requires at least one gauntlet pass at 80 percent or higher before exam day.

Common pitfalls on MS-102

These are the six traps that quietly pull the most points on this exam. Each has a structural answer.

1. Security Defaults and Conditional Access cannot coexist

The trap: Security Defaults apply baseline protections to every user in the tenant, including requiring MFA for all admins and blocking legacy authentication. When Security Defaults are enabled, all custom Conditional Access policies are disabled. The exam writes a scenario where an organization wants to require MFA only for a specific group, or wants to exclude a service account from MFA. The structurally correct answer requires disabling Security Defaults first and creating a Conditional Access policy. Candidates who try to add a CA policy on top of Security Defaults are choosing an answer that describes something that cannot be configured.

A specific trap that appears in community forums: organizations that enable Security Defaults after already having legacy mail clients configured find that IMAP and POP connections fail silently for some users. The symptom described in the exam stem is "mobile Outlook works but third-party mail clients cannot authenticate for a subset of users." The root cause is the legacy auth block in Security Defaults, not a misconfigured CA policy.
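The sequence this pitfall describes, as an added example that is not part of the original page: check the tenant-wide Security Defaults switch, turn it off, then create the group-scoped MFA policy plus a policy that restores the legacy-authentication block. It assumes the Microsoft Graph PowerShell SDK; the object IDs and display names are placeholders.

```powershell
# Added example. Requires the Microsoft.Graph PowerShell SDK.
# The two object IDs are placeholders, not values from any real tenant.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess',
    'Policy.ReadWrite.SecurityDefaults', 'Application.Read.All'

$mfaGroupId       = '<object-id-of-group-that-must-use-MFA>'
$serviceAccountId = '<object-id-of-excluded-service-account>'

# Security Defaults is one tenant-wide switch; it has no per-group scoping.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -BodyParameter @{ isEnabled = $false }
}

# Policy 1: MFA for one group only, with the service account excluded.
$mfaPolicy = @{
    displayName   = 'EXAMPLE - Require MFA for scoped group'
    state         = 'enabledForReportingButNotEnforced'   # report-only; review, then set 'enabled'
    conditions    = @{
        users          = @{ includeGroups = @($mfaGroupId); excludeUsers = @($serviceAccountId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Policy 2: turning Security Defaults off also removes its legacy-auth block,
# so recreate that block explicitly for every user.
$legacyAuthPolicy = @{
    displayName   = 'EXAMPLE - Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')   # legacy protocols such as IMAP and POP
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($policy in $mfaPolicy, $legacyAuthPolicy) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    '{0}  state={1}  id={2}' -f $created.DisplayName, $created.State, $created.Id
}
```

Report-only policies log what they would do but enforce nothing, so the tenant has no MFA or legacy-auth baseline between disabling Security Defaults and switching both policies to `enabled`.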

2. Sensitivity labels vs retention labels

Both are Microsoft Purview tools. They look similar in the compliance portal and they both "label content." They do completely different things. Sensitivity labels protect data in motion and at rest: they can apply encryption, enforce access restrictions, add watermarks, and prevent downloading to unmanaged devices. Retention labels govern data lifecycle: they tell the system how long to keep content, whether it is subject to a hold, and when to delete it.

The exam writes scenarios where a legal hold needs to be placed on mailbox content. That is a retention label or an eDiscovery hold, not a sensitivity label. Candidates who pick sensitivity labels because the word "label" appears in the scenario are choosing wrong.

3. eDiscovery tier selection

Microsoft Purview has three search and discovery tools at different license levels. Content Search is available to any tenant and supports search and export with no case management. Core eDiscovery adds case management, legal holds on mailboxes and sites, and export; it requires an E3 or equivalent license. Premium eDiscovery adds custodian management, conversation threading, AI-powered review sets, and long-term hold audit trails; it requires an E5 or Compliance add-on.

The exam describes a compliance scenario and asks which tool is appropriate. The trap is picking Premium eDiscovery when the scenario only needs a legal hold (Core), or picking Content Search when the scenario requires placing a hold on a specific custodian's mailbox (Core minimum).

4. Least-privilege admin role assignment

MS-102 tests the principle of least privilege constantly. The wrong answer is almost always "Global Administrator" because it technically works. The right answer is the workload-specific role: Exchange Administrator for mailbox operations, Teams Administrator for Teams policies, Security Administrator for Defender configurations, Compliance Administrator for Purview operations.

The exam writes scenarios where a user needs to run a content search or create a compliance policy. Global Admin can do it, but the correct least-privilege answer is Compliance Administrator or eDiscovery Manager, and the exam rewards the specific role.

5. Microsoft 365 Defender portal vs Microsoft Purview compliance portal

Two separate admin consoles with adjacent-looking names and completely separate ownership. Microsoft 365 Defender (security.microsoft.com) owns threat protection: MDE device onboarding, MDO email security policies, MDI identity threat detections, incident and alert management, attack simulation. Microsoft Purview (compliance.microsoft.com) owns governance and compliance: sensitivity labels, retention labels, DLP policies, communication compliance, eDiscovery, insider risk, audit log.

The exam writes scenarios asking where to configure a specific control. Picking the wrong portal is a pattern that cuts across multiple questions in the same sitting.

6. Message trace vs audit log for email investigation

Message trace in Exchange Online tracks the delivery path of individual messages in near-real time for up to 10 days (extended trace goes back 90 days). It answers "did this specific message deliver, and why or why not." The unified audit log records all M365 workload events (mailbox access, SharePoint edits, Teams meetings, admin actions) for 90 days standard, one year for E3, ten years for E5 with the proper license.

The trap: a scenario where a security team needs to find out who accessed a shared mailbox over the last six months. Message trace does not record mailbox access, only message delivery. The audit log does. Candidates who conflate the two tools pick the wrong one.
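The two tools side by side for the shared-mailbox scenario above, as an added example that is not part of the original page. It assumes the ExchangeOnlineManagement module and a placeholder mailbox address; the audit search returns only the events the tenant's audit retention still holds.

```powershell
# Added example. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

$sharedMailbox = 'shared-finance@contoso.example'   # placeholder address
$end   = Get-Date
$start = $end.AddDays(-180)                         # the six-month window from the scenario

# Message trace: delivery records only, and only for the recent trace window.
# Nothing in this output says who opened the mailbox.
Get-MessageTrace -RecipientAddress $sharedMailbox -StartDate $end.AddDays(-10) -EndDate $end |
    Select-Object Received, SenderAddress, Status

# Unified audit log: mailbox events. A session ID pages through large result sets;
# -FreeText narrows the search to records that mention the mailbox.
$sessionId = "shared-mailbox-access-$(Get-Date -Format 'yyyyMMddHHmmss')"
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -FreeText $sharedMailbox `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page)

# AuditData is a JSON string. Keep events on the shared mailbox that were
# performed by someone other than the mailbox itself, then count per user and operation.
$records |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.MailboxOwnerUPN -eq $sharedMailbox -and $_.UserId -ne $sharedMailbox } |
    Group-Object UserId, Operation |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```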

Common questions

Does MS-102 replace MS-100 and MS-101?

Yes. Microsoft merged the two-exam path into a single MS-102 exam in October 2023. Partial credit from MS-100 alone does not transfer. If you passed both and held the credential, it remained. If you are starting now, MS-102 is the only path.

How long does MS-102 prep take?

At 30 minutes a day, expect 10 to 14 weeks for someone with real M365 tenant experience. At 45 minutes a day, 7 to 10 weeks. Expert-level certs test judgement across integrated domains. Candidates who rush often pass individual topic quizzes but fail the scenario-heavy exam sections.

What is the difference between MS-102 and SC-300 for identity topics?

MS-102 covers identity as one of four equal domains, at the depth an enterprise admin needs for day-to-day operations. SC-300 is the dedicated identity cert and goes significantly deeper: entitlement management, access review configuration, phishing-resistant auth methods, hybrid identity topologies, and app registration mechanics all get full exam weight there. If your MS-102 CAT eval flags identity as weak, studying at SC-300 depth there will serve you on both certs.

Is MS-102 required before SC-300 or SC-200?

No formal prerequisites for any of the three. MS-102 gives you the broadest M365 admin foundation. SC-300 and SC-200 are narrower and deeper on identity and security operations respectively. The order depends on your role and current gaps, not Microsoft's requirements.

Does MS-102 require annual renewal?

Yes. It is a Modern Work certification and requires a free annual renewal assessment on Microsoft Learn. Missing the window requires resitting the full exam. My dashboard tracks your renewal date and surfaces a reminder when you are 60 days out.

What is the pass guarantee for MS-102?

MS-102 qualifies. The five conditions: every milestone completed, every phase completed, two mock exams passed at 700 or higher, one gauntlet passed at 80 percent or higher, and a live readiness score of 80 or above. Meet all five in the 60-day eligibility window, sit the exam, and if you do not pass, you get a full refund of the Exam Ready plan. Details at the pass guarantee page.

Start your MS-102 prep

The gap between "I admin M365 every day" and "I can pass MS-102" is usually in one of two places: compliance (Purview) or the integration scenarios. The CAT evaluation tells you which one in 15 minutes and builds a roadmap from there.

Start your free MS-102 evaluation at claudelab.me/onboarding/select-cert?code=MS-102.

Related reading: the Azure cert roadmap article covers where MS-102 sits in the broader Microsoft certification track, and the SC-300 page covers the identity cert that pairs with this one.