Earlier this month MS-102 was announced as the replacement for the MS-100 and MS-101 exams, reducing the number of exams required to attain the Microsoft 365 Certified: Enterprise Administrator Expert certification by one. Unlike the MD-102 exam which similarly replaces the MD-100 and MD-101 exams by mostly including MD-101 topics, MS-102 is fairly balanced in terms of balancing content from the two previous.
Let’s start off with major items in MS-100 that didn’t make their way into MS-102. The first section that didn’t survive is the Plan identity synchronization section. My prediction here is even though it’s not listed in the new exams, I’m going to assume that many of the topics will still be covered by the topics in Implement and manage identity synchronization with Azure AD. What does this mean in terms of exam preparation? Make sure you look at the removed section, as I think it might just fall into the category of assumed skills you should have for this exam that don’t need to be specifically mentioned.
Also falling by the wayside is Plan and implement application access. There are two main reasons why I can think of as to why this isn’t part of MS-102. The first is that while you could argue that this is mostly covering Azure AD functionality, therefore it could be in a Microsoft 365 exam, you could also argue that maybe it starts to get a little bit too identity admin specifc, or even starting to lean heavily on skills that an Azure app admin would have. The other though is that the topics are already covered in other exams such as SC-300 and AZ-500, for example. That doesn’t quite explain the removal of Microsoft Defender for Cloud Apps objective, but I’ll get back to that in the MS-101 conversation in a few paragraphs.
Up next we have an entire section being removed – Plan Microsoft 365 workloads and applications. This includes Plan and implement Microsoft 365 Apps deployment, Plan and implement Exchange Online deployments and Plan and implement Microsoft SharePoint Online, OneDrive, and Microsoft Teams. Overall I’m very happy with these items being removed, let me explain why. Microsoft 365 apps deployment is going to be covered in MD-102, so there’s less overlap. The others, which I’ll summarize as the Office 365 workloads, are things that I didn’t think should have been as much of a focus in MS-100.
My reasoning is that even though there was a small amount of Office 365 in the original version of this exam when it was released four years ago, it continued to expand and started shifting the exam to include way too much of it, and I preferred the identity heavy focus of the exam as it originally existed. There are already three Teams exams, two Exchange exams and a SharePoint exam, so it wasn’t like people couldn’t prove those skills elsewhere. I should also disclose that I’m much more passionate about non-productivity components of Microsoft 365, so I am quite biased.
Let’s move on to the casualties of MS-101 in the brave new world of MS-102. Once again we have entire section being retired – Plan and implement device services. This section includes Plan and implement device management by using Microsoft Endpoint Manager, Plan and implement device security and compliance by using Microsoft Endpoint Manager, Deploy and manage applications by using Microsoft Endpoint Manager, Plan for Windows client deployment and management and Plan and implement device enrollment. MS-101 has “Devices” in its name, so there obviously had to be Intune content, but now with the exam consolidations that are taking place, it’s easy to understand why all things Intune are now going only to be part of MD-102.
If we continue on to other items that aren’t moving forward from MS-101, we have Microsoft Defender for Cloud Apps. We saw this with MS-100 as well, so what can we interpret about the lack of Microsoft Defender for Cloud Apps in this exam? My best guess is based on Microsoft Defender for Identity not having been part of MS-101, they are focused on the Microsoft 365 Defender workloads that protect Microsoft 365 workloads directly rather than indirectly. Even though we can definitely argue that Microsoft Defender for Cloud Apps does provide additional protection to Microsoft 365, it’s not necssarily the same level of direct application of protection like we see with Defender for Office 365 and Defender for Endpoint. If only two of the Microsoft 365 Defender technologies could be included, I think the right choice has been made.
The two final culled objective areas are from the Manage Microsoft 365 compliance section, and they are Plan and implement information governance and Manage search and investigation. The big takeaway here is that if someone is focused on compliance, governance and/or information protection, then they should be looking at SC-400 instead. The retirement of MS-500 also supports this line of thinking.
This brings us to the final discussion before the exam resource section, should this change your exam plans? There are several ways we can approach this conversation, but let’s try to focus on it from a pure technology perspective. This means that other considerations such as the cost of multiple exams, the stress of multiple exams, differences in preparation time, existing certification deadlines for work etc. aren’t going to be part of this discussion. If these are things you want me to discuss, drop a comment below.
Exam weightings, strikethrough highlights either most of, or the entire objective domain doesn’t make it into MS-102.
- Deploy and manage a Microsoft 365 tenant (15–20%)
- Plan and manage user identity and roles (30–35%)
- Manage access and authentication (20–25%)
Plan Microsoft 365 workloads and applications (20–25%)
Plan and implement device services (35–40%)
- Manage security and threats by using Microsoft 365 Defender (25–30%)
- Manage Microsoft 365 compliance (30–35%)
- Deploy and manage a Microsoft 365 tenant (25–30%)
- Implement and manage identity and access in Azure AD (25–30%)
- Manage security and threats by using Microsoft 365 Defender (25–30%)
- Manage compliance by using Microsoft Purview (15–20%)
If the areas that are being retired are for technologies that are your weaknesses, it might be a good idea to go straight to MS-102. What this suggests, based on the objectives that carry forward is that you are comfortable with much of the Microsoft 365 security stack.
The opposite also applies – if the retiring objectives are your strengths, it makes more sense to do the current exams instead of waiting. Where this is most easily explainable is if we look at MS-101 removing all the device related content. If Intune is your strength, and your skills in the other two secions are average to good, you have a pretty chance of passing that exam because the device section is 40% of the exam.
Applying the same logic to MS-100, if your Microsoft 365 skills are mostly based on your exposure to Office 365 productivity workloads, it might be a good idea to do this exam. Even though the Office 365 section weighting is only 20-25%, your Office 365 skills should help you substantially in other parts of the exam. Just make sure that if you only with Office 365 environments with no additional AAD Premium licensing, that you spend time getting up to speed with the relevant Azure AD Premium P1 and P2 features.
Deploy and manage a Microsoft 365 tenant (25–30%)
Implement and manage a Microsoft 365 tenant
- Create a tenant
- Implement and manage domains
- Configure organizational settings, including security, privacy, and profile
- Identify and respond to service health issues
- Configure notifications in service health
- Monitor adoption and usage
Manage users and groups
- Create and manage users
- Create and manage guest users
- Create and manage contacts
- Create and manage groups, including Microsoft 365 groups
- Manage and monitor Microsoft 365 license allocations
- Perform bulk user management, including PowerShell
Manage roles in Microsoft 365
- Manage roles in Microsoft 365 and Azure AD
- Manage role groups for Microsoft Defender, Microsoft Purview, and Microsoft 365 workloads
- Manage delegation by using administrative units
- Implement privileged identity management for Azure AD roles
Implement and manage identity and access in Azure AD (25–30%)
Implement and manage identity synchronization with Azure AD
- Prepare for identity synchronization by using IdFix
- Implement and manage directory synchronization by using Azure AD Connect cloud sync
- Implement and manage directory synchronization by using Azure AD Connect
- Monitor synchronization by using Azure AD Connect Health
- Troubleshoot synchronization, including Azure AD Connect and Azure AD Connect cloud sync
Implement and manage authentication
- Implement and manage authentication methods, including Windows Hello for Business, passwordless, tokens, and the Microsoft Authenticator app
- Implement and manage self-service password reset (SSPR)
- Implement and manage Azure AD Password Protection
- Implement and manage multi-factor authentication (MFA)
- Investigate and resolve authentication issues
Implement and manage secure access
- Plan for identity protection
- Implement and manage Azure AD Identity Protection
- Plan Conditional Access policies
- Implement and manage Conditional Access policies
Manage security and threats by using Microsoft 365 Defender (25– 30%)
Manage security reports and alerts by using the Microsoft 365 Defender portal
- Review and take actions to improve the Microsoft Secure Score in the Microsoft 365 Defender portal
- Review and respond to security incidents and alerts in Microsoft 365 Defender
- Review and respond to issues identified in security and compliance reports in Microsoft 365 Defender
- Review and respond to threats identified in threat analytics
Implement and manage email and collaboration protection by using Microsoft Defender for Office 365
- Implement policies and rules in Defender for Office 365
- Review and respond to threats identified in Defender for Office 365, including threats and investigations
- Create and run campaigns, such as attack simulation
- Unblock users
Implement and manage endpoint protection by using Microsoft Defender for Endpoint
- Onboard devices to Defender for Endpoint
- Configure Defender for Endpoint settings
- Review and respond to endpoint vulnerabilities
- Review and respond to risks identified in the Microsoft Defender Vulnerability Management dashboard
Manage compliance by using Microsoft Purview (15–20%)
Implement Microsoft Purview information protection and data lifecycle management
- Implement and manage sensitive info types by using keywords, keyword lists, or regular expressions
- Implement retention labels, retention label policies, and retention policies
- Implement sensitivity labels and sensitivity label policies
Implement Microsoft Purview data loss prevention (DLP)
- Implement DLP for workloads
- Implement Endpoint DLP
- Review and respond to DLP alerts, events, and reports