MICROSOFT CERTIFICATION
MS-102 Administrator Expert Practice Exam
Exam Number: 3148 | Last updated 16-Apr-26 | 817+ questions across 4 vendor-aligned objectives
The MS-102 Administrator Expert certification validates the skills of administrators who deploy, manage, and monitor Microsoft 365 and hybrid environments, including identity, security, and compliance. This exam measures your ability to work with Microsoft 365, Microsoft Entra ID, Microsoft Defender, Microsoft Purview, Exchange Online, and SharePoint Online, demonstrating both conceptual understanding and practical implementation skills required in today’s enterprise environments.
The heaviest exam domains include Deploy and Manage a Microsoft 365 Tenant (25–30%), Implement and Manage Identity and Access in Microsoft Entra ID (25–30%), and Manage Security and Threats by Using Microsoft Defender (25–30%). These areas collectively represent the majority of exam content and require focused preparation across their respective subtopics.
Additional domains tested include Manage Compliance by Using Microsoft Purview (15–20%). Together, these areas round out the full exam blueprint and ensure candidates possess well-rounded expertise across the certification scope.
Every answer links to the source. Each explanation below includes a hyperlink to the exact Microsoft documentation page the question was derived from. PowerKram is the only practice platform with source-verified explanations.
714 practice exam users · 95.6% satisfied users · 92.5% passed the exam · 4.6/5 quality rating
Test your MS-102 Administrator Expert knowledge
10 of 817+ questions
Question #1 - Deploy and Manage a Microsoft 365 Tenant
A 5,000-user organization is migrating from on-premises Exchange to Exchange Online. They need to configure the M365 tenant including domain verification, DNS records, and licensing assignment.
Which administrative step must be completed before any user can send email from the custom domain?
A) Create Distribution Lists
B) Assign licenses first
C) Verify domain ownership by adding a TXT record to the public DNS and configure MX/Autodiscover/SPF records
D) Enable Multi-Factor Authentication
Correct answers: B – Explanation:
Domain verification via DNS TXT record proves ownership, and subsequent MX/Autodiscover/SPF records route mail correctly. Licenses are needed but email will not route without domain configuration. MFA secures access but does not enable email. Distribution Lists require the domain to be verified first.
Question #2 - Deploy and Manage a Microsoft 365 Tenant
A 5,000-user org migrates to Exchange Online. They need domain verification, DNS records, and licensing configured.
Which step must be completed before users can send email from the custom domain?
A) Create Distribution Lists and shared mailboxes before establishing the mail routing foundation
B) Assign licenses to all users first before performing any domain verification or DNS setup
C) Enable Multi-Factor Authentication for all accounts before configuring any email settings
D) Verify domain ownership via DNS TXT record and configure MX, Autodiscover, and SPF records
Correct answers: D – Explanation:
Domain verification via DNS TXT proves ownership to Microsoft 365, and MX/Autodiscover/SPF records route mail correctly to Exchange Online for the custom domain. Licenses are needed but email cannot route without domain verification and proper DNS configuration completed first. MFA secures account access but does not enable email routing or domain configuration for the tenant. Distribution Lists and shared mailboxes require the domain to be verified and mail routing established before they can function.
Question #3 - Deploy and Manage a Microsoft 365 Tenant
Marketing needs Viva Engage enabled but Finance does not. The admin needs per-department service control.
Which M365 admin capability should be used?
A) Manually adjust each of the 5,000 individual user accounts configuring service plans one by one
B) Group-based licensing with different service plan configurations assigned per department group
C) Enable all services globally for every user regardless of departmental needs or restrictions
D) Create separate M365 tenants per department fragmenting collaboration and identity management
Correct answers: B – Explanation:
Group-based licensing assigns license packages with specific service plans enabled or disabled per security group, matching departmental requirements at scale. Enabling everything globally wastes licenses and may create compliance risks in regulated departments. Separate tenants per department fragment collaboration, directory, and identity management across the organization. Individual account adjustment does not scale for 5,000 users and requires manual maintenance for every personnel change.
Question #4 - Deploy and Manage a Microsoft 365 Tenant
A company acquires another firm and needs cross-tenant migration of users, mailboxes, and OneDrive data.
Which migration approach should be planned?
A) Delete the acquired tenant entirely and start fresh losing all existing data and configurations
B) Share administrator credentials between tenants which violates security and accountability
C) Ask all acquired users to manually recreate their accounts and re-upload their documents
D) Cross-tenant migration using Microsoft tools with identity mapping and mailbox migration batches
Correct answers: D – Explanation:
Cross-tenant migration tools handle identity mapping, mailbox content, OneDrive data, and Teams migration between tenants in a systematic governed process. Manual recreation loses all existing data, email history, and document collaboration context for the acquired users. Deleting the acquired tenant destroys all historical content, compliance records, and user configurations permanently. Sharing credentials violates individual accountability, audit requirements, and security best practices.
Question #5 - Implement and Manage Identity and Access in Microsoft Entra ID
A company syncs on-premises AD to Entra ID with password hash sync. Some OUs should be excluded from synchronization.
Which tool and configuration should be deployed?
A) LDAP direct connection from Microsoft 365 which is not a supported identity sync mechanism
B) Azure AD Domain Services providing managed domain services without on-premises identity sync
C) Microsoft Entra Connect with password hash sync enabled and OU-based filtering configured
D) Manual user creation in Entra ID for each employee without any automated synchronization
Correct answers: C – Explanation:
Entra Connect synchronizes on-premises AD objects to Entra ID with password hash sync for SSO, and OU-based filtering excludes specific organizational units from the sync scope. Manual creation does not maintain synchronization and drifts from the authoritative on-premises directory. AADDS provides managed domain services in Azure but does not perform identity synchronization from on-premises AD. LDAP direct connections are not a supported Microsoft 365 identity synchronization mechanism.
Question #6 - Implement and Manage Identity and Access in Microsoft Entra ID
Global Admins need MFA, all users get Passwordless, and external guests must accept terms of use.
Which Entra ID features implement these requirements?
A) Group Policy Objects managing on-premises Windows domain settings which do not govern cloud identity policies
B) Conditional Access policies targeting admin roles, Authentication Methods enabling Passwordless, and Terms of Use for guests
C) Azure Firewall rules controlling network-level access without any identity-based policy evaluation
D) A single blanket MFA policy applied uniformly to every user account without any role-based differentiation
Correct answers: B – Explanation:
Conditional Access allows granular policy targeting by role and user type. Authentication Methods policy enables Passwordless options. Terms of Use integrates with Conditional Access for guest acceptance enforcement. A blanket policy cannot differentiate between admin MFA and standard user Passwordless requirements. Azure Firewall operates at the network layer without identity-based conditional evaluation capability. GPOs manage on-premises Windows domain settings and do not govern Entra ID cloud identity policies.
Question #7 - Implement and Manage Identity and Access in Microsoft Entra ID
The security team wants automatic detection and blocking of sign-ins from compromised credentials and impossible travel patterns.
Which Entra ID feature provides this threat detection?
A) Microsoft Entra ID Protection with risk-based Conditional Access policies for automated response
B) Password complexity requirements enforcing strong passwords without detecting compromised credentials
C) Azure Firewall threat intelligence providing network-level traffic analysis without identity context
D) Manual daily log review performed by security analysts checking each sign-in event individually
Correct answers: A – Explanation:
Entra ID Protection evaluates sign-in risk signals including leaked credentials, unfamiliar locations, and impossible travel, triggering automatic Conditional Access responses. Azure Firewall operates at the network level and cannot evaluate identity-specific risk signals like credential compromise. Manual log review is reactive, slow, and cannot process the volume of sign-in events in large organizations. Password complexity prevents weak passwords but cannot detect credentials that have been compromised through data breaches.
Question #8 - Manage Security and Threats by Using Microsoft Defender
Employees receive phishing emails with malicious attachments. The admin needs to prevent attachments from reaching mailboxes.
Which Defender feature should be configured?
A) Disable all email functionality entirely during the phishing attack to prevent any delivery
B) Microsoft Defender for Office 365 Safe Attachments detonating files in a sandbox before delivery
C) Instruct users via email not to open suspicious attachments relying on human judgment alone
D) Basic spam filtering only which may miss sophisticated phishing attacks with novel attachments
Correct answers: B – Explanation:
Safe Attachments opens attachments in a sandbox environment detecting malicious behavior before delivery to user mailboxes, blocking threats proactively. Disabling all email halts legitimate business communication disproportionately to the threat. Basic spam filtering may miss sophisticated phishing attacks using novel attachment techniques. User instructions are unreliable against convincing phishing campaigns designed to bypass human judgment and awareness training.
Question #9 - Manage Security and Threats by Using Microsoft Defender
An admin needs to simulate a phishing attack to measure employee security awareness and identify training needs.
Which Defender tool provides this capability?
A) Attack Simulation Training sending controlled realistic phishing simulations with tracking metrics
B) Azure DDoS Protection handling volumetric network-layer attacks without email simulation tools
C) Sending actual real phishing emails as a test which is illegal and could cause genuine harm
D) Microsoft Sentinel deploying SIEM analytics for threat detection without simulation capabilities
Correct answers: A – Explanation:
Attack Simulation Training sends controlled, realistic phishing simulations tracking which users click links or enter credentials, identifying employees needing additional training. Sending real phishing emails is illegal, unethical, and could cause genuine harm to the organization. Sentinel provides SIEM/SOAR for threat detection and response but does not simulate phishing attacks for training purposes. DDoS Protection handles volumetric network attacks and has no email phishing simulation functionality.
Question #10 - Manage Security and Threats by Using Microsoft Defender
The SOC needs unified security incidents across endpoints, email, identity, and cloud apps with automated investigation.
Which Microsoft security product provides this unified XDR experience?
A) Microsoft Defender XDR correlating alerts across endpoints, email, identity, and cloud applications
B) Windows Event Viewer displaying local Windows operating system events on individual machines
C) Azure Monitor tracking infrastructure performance metrics and diagnostic telemetry log data
D) Azure Security Center focusing primarily on Azure infrastructure resource compliance posture
Correct answers: A – Explanation:
Defender XDR correlates alerts from Defender for Endpoint, Office 365, Identity, and Cloud Apps into unified incidents with automated investigation and response capabilities. Azure Monitor collects infrastructure metrics and logs without security incident correlation or investigation features. Security Center focuses on Azure resource security posture management without the cross-domain XDR correlation. Event Viewer shows local machine events without centralized correlation, investigation, or automated response.
Get 817+ more questions with source-linked explanations
Every answer traces to the exact Microsoft documentation page — so you learn from the source, not just memorize answers.
Exam mode & learn mode · Score by objective · Updated 16-Apr-26
What the MS-102 Administrator Expert exam measures
- Deploy and Manage a Microsoft 365 Tenant (25–30%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
- Implement and Manage Identity and Access in Microsoft Entra ID (25–30%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
- Manage Security and Threats by Using Microsoft Defender (25–30%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
- Manage Compliance by Using Microsoft Purview (15–20%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
How to prepare for this exam
- Review the official exam guide to understand every objective and domain weight before you begin studying
- Complete the relevant Microsoft Learn learning path to build a structured foundation across all exam topics
- Get hands-on practice in an Azure free-tier sandbox or trial environment to reinforce what you have studied with real configurations
- Apply your knowledge through real-world project experience — whether at work, in volunteer roles, or contributing to open-source initiatives
- Master one objective at a time, starting with the highest-weighted domain to maximize your score potential early
- Use PowerKram learn mode to study by individual objective and review detailed explanations for every question
- Switch to PowerKram exam mode to simulate the real test experience with randomized questions and timed conditions
Career paths and salary outlook
Earning this certification can open doors to several in-demand roles:
- Microsoft 365 Administrator: $100,000–$140,000 per year (based on Glassdoor and ZipRecruiter data)
- Cloud Identity Administrator: $95,000–$130,000 per year (based on Glassdoor and ZipRecruiter data)
- Enterprise Mobility Manager: $105,000–$145,000 per year (based on Glassdoor and ZipRecruiter data)
Official resources
Microsoft provides comprehensive free training to prepare for the MS-102 Administrator Expert exam. Start with the official Microsoft Learn learning path for structured, self-paced modules covering every exam domain. Review the exam study guide for the complete skills outline and recent updates.
