Microsoft 365 Tenant Administration
Tenant administration for MS-102 covers the full breadth of M365 admin.
Microsoft 365 Admin Center: central hub for all M365 admin tasks — user creation, licence assignment, service health, billing.
Role-based administration: multiple admin roles with varying scopes — Global Admin (unrestricted), Exchange Admin (Exchange Online only), Teams Admin (Teams policies), Security Admin (Defender and compliance settings).
Principle of least privilege: assign the most restrictive role that meets the admin's needs.
Microsoft 365 Copilot administration: Copilot requires an M365 E3/E5 base licence plus the Copilot add-on. Enable it per user or group, review Copilot usage reports (Microsoft 365 Admin Center > Reports > Adoption score), and configure data boundary settings.
eDiscovery and Purview: Content Search (find emails and Teams messages using keyword query syntax, date ranges and mailbox filters), Core eDiscovery (preserve, collect, review and export content for legal requests), Purview eDiscovery Premium (custodian management, advanced ML-based review, export in EDRM XML format).
Information barriers: restrict communication between groups (e.g., investment banking and retail banking cannot communicate via Teams, as a compliance requirement).
Exchange Online Administration
Exchange Online is the M365 email platform.
Mailbox types: User mailbox (individual users), Shared mailbox (accessible by multiple users, no licence required for read/send — requires licence for mobile access), Room mailbox (meeting room calendars, a bookable resource), Equipment mailbox (projectors, vehicles, also bookable).
Mail flow: connectors handle inbound mail from on-premises and outbound mail to on-premises or third-party systems. The hybrid configuration wizard automates connector creation for Exchange hybrid.
Mail flow rules (transport rules): evaluate messages in transit and apply actions (add disclaimers, redirect messages, block sensitive data).
Anti-spam and anti-phishing: Exchange Online Protection (EOP) is included with all M365 plans; Defender for Office 365 Plan 1/2 adds Safe Links and Safe Attachments.
SPF record: lists authorised sending IPs for your domain.
DKIM (DomainKeys Identified Mail): cryptographic signature in email headers that proves the email was actually sent from your domain.
DMARC (Domain-based Message Authentication): policy for how receivers should handle email that fails SPF or DKIM checks (quarantine or reject).
Implement all three (SPF + DKIM + DMARC) for full email authentication.
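The SPF, DKIM and DMARC checks above can be audited offline against a domain's published TXT records. The following is an added example, not part of the original notes: the domain example.com, the selector name selector1, the DKIM key placeholder and all record values are constructed, and the records are assumed to be already resolved to TXT strings.

```python
# Added example: offline audit of SPF, DKIM and DMARC TXT records.
# All record values below are constructed sample data for example.com.

def parse_tags(record):
    """Split a 'k=v; k=v' TXT record (DKIM/DMARC style) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_email_auth(txt_records, domain, selector):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    # SPF: exactly one TXT record at the domain that starts with v=spf1.
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly 1 record, found {len(spf)}")
    else:
        last = spf[0].split()[-1].lower()
        if last not in ("-all", "~all"):
            findings.append(f"SPF: record ends with '{last}', not -all or ~all")
    # DKIM: public key published at <selector>._domainkey.<domain>.
    dkim = txt_records.get(f"{selector}._domainkey.{domain}", [])
    if not dkim or not parse_tags(dkim[0]).get("p"):
        findings.append("DKIM: no public key (p=) published for selector")
    # DMARC: policy at _dmarc.<domain>; p=none only monitors, it does not enforce.
    dmarc = [r for r in txt_records.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("DMARC: no record published")
    else:
        policy = parse_tags(dmarc[0]).get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: policy is '{policy or 'missing'}', not quarantine or reject")
    return findings

# Constructed sample zones: one fully configured, one weak.
GOOD = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
}
WEAK = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com ?all"],
    "_dmarc.example.com": ["v=DMARC1; p=none"],
}
```

Calling audit_email_auth(WEAK, "example.com", "selector1") returns one finding per mechanism, while the GOOD zone returns an empty list.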
Teams, SharePoint, and Compliance Administration
Teams administration for MS-102.
Teams policies: meeting policies (allow/deny cloud recording, screen sharing, external participants), messaging policies (allow editing/deleting messages, read receipts), calling policies (PSTN calling permissions if Teams Phone is licensed).
Teams Phone (Direct Routing vs Calling Plans): a Calling Plan purchases phone numbers from Microsoft; Direct Routing connects on-premises telephony to Teams via a Session Border Controller (SBC).
Sensitivity labels: Microsoft Purview Information Protection labels classify and protect content, and are applied to emails, Office documents, Teams channels and SharePoint sites.
Label actions: encryption (rights management, which controls who can open, edit and print), content marking (headers, footers, watermarks), auto-labelling (based on sensitive information types or trainable classifiers).
SharePoint administration: site collections (Teams-connected sites, communication sites, classic sites), storage limits per site, external sharing settings (Anyone link, authenticated guests, block external sharing).
Retention policies and retention labels: keep content for a defined period (legal hold, regulatory retention), delete content after a period, or both.
Adaptive scopes: dynamically target policies to users or sites based on attributes (department, country, site classification).