
Microsoft 365 and Security Certification changes


Earlier this year Microsoft announced the retirement of the Microsoft 365 Security Administrator certification (commonly known by its exam designation MS-500). This wasn't a surprise as the content was generally replaced by the newer specialty certifications and the SC line of exams.

However I was surprised to find that Microsoft also retired the Microsoft 365 Enterprise Administrator syllabus and exams, and its replacement is far more security focused than before.

In brief

Microsoft is retiring the Microsoft 365 Security Administrator Associate certification and its exam (MS-500) as of the end of June.

There is no direct replacement certification.

Microsoft is also retiring the two exams MS-100 (Identity and Services) and MS-101 (Mobility and Security) that are currently required for Microsoft 365 Enterprise Administrator Expert. These are replaced by a single exam, MS-102, and the list of exam topics has changed.

The certification is also renamed to Microsoft 365 Administrator Expert and will continue to have the same prerequisites as before.

The Desktop Administrator certification is similarly revamped, with two exams being replaced by one, and the certification getting renamed to Endpoint Administrator.

Exam stack up

For the comparison, we'll refer to the Study Guides posted by Microsoft for each exam: MS-100, MS-101, MS-102, MS-500.

MS-102 Sections Weighting

For later reference, these are the stated skills measured on this exam:

  • Deploy and manage a Microsoft 365 tenant (25–30%)

  • Implement and manage identity and access in Azure AD (25–30%)

  • Manage security and threats by using Microsoft 365 Defender (25–30%)

  • Manage compliance by using Microsoft Purview (15–20%)

MS-100 vs MS-102

Applications are no longer in scope - while MS-100 had "Plan Microsoft 365 workloads and applications" at 20–25%, this is not in MS-102.

General tenant administration is assessed differently: while "Deploy and manage a Microsoft 365 tenant" was 15–20% in MS-100, it is now 25–30%.

The reason for that is the new MS-102 includes users/groups/roles topics in this category - previously, these were in the separate category of "Plan and manage user identity and roles", at 30–35%.

The above category also included identity synchronization topics - these are now covered under "Implement and manage identity and access in Azure AD" (25–30% weight), which also covers most topics from the old "Manage access and authentication" section (20–25% weight). Notably, all items relating to Application access are no more, keeping with the earlier noted theme of removing Application related topics.

MS-101 vs MS-102

Previously, the Enterprise Administrator syllabus included device management, tenant set up and administration, and various security topics.

In the updated version, device management is gone. There is no mention of Intune that I can see - it would appear that this is now purely within the Endpoint Administrator certification.

Considering that the old MS-101 had "Plan and implement device services" weighted at 35–40%, that is a massive change.

Both the old MS-101 and the new MS-102 have "Manage security and threats by using Microsoft 365 Defender" at 25–30% weight - and considering that this is a two-to-one exam replacement, this is effectively twice as important.

The content of the section between both exams is very similar, almost identical except that the MS-102 exam guide no longer mentions Defender for Cloud Apps - I am not sure why this is omitted as "Implement app protection by using Microsoft Defender for Cloud Apps" is a Microsoft Learn module for MS-102 so I'd expect it to be examinable.

Compliance, that is, DLP and related tasks, continues to feature prominently - MS-101 had "Manage Microsoft 365 compliance" at 30–35% and MS-102 has "Manage compliance by using Microsoft Purview" at 15–20%. The topics overlap substantially, though as you can infer from the lower weighting, there are fewer topics. MS-102 is all about retention and sensitivity labels and associated tasks, and DLP.

MS-500 vs MS-102

While perhaps an odd comparison as one's a Security Associate exam and the other's for an (enterprise) Administrator, the skills overlap is notable.

MS-500's "Implement and manage identity and access" (25–30%) has substantial overlap with MS-102's "Implement and manage identity and access in Azure AD" (25–30%) - while there are some differences, these are mostly due to MS-500 also including User/Group management in this section, which MS-102 instead includes under "Deploy and manage a Microsoft 365 tenant".

MS-500's "Implement and manage threat protection" (30–35%) also maps well to MS-102's "Manage security and threats by using Microsoft 365 Defender" (25–30%), the main difference being the absence of Intune and Sentinel in the latter.

Similarly, there is substantial overlap between MS-500's "Manage compliance in Microsoft 365" (20–25%) and MS-102's "Manage compliance by using Microsoft Purview" (15–20%).

While there are numerous differences in the various sections and there is likely a difference in the depth of expected knowledge, the amount of on-paper overlap is far more than expected.

Exam topics reallocation

It's worth noting that topics referred to as "gone" are certainly still examinable, in scope of different Microsoft certifications.

Topics related to Intune/Endpoint Manager are in the new Endpoint Administrator certification (MD-102 exam).

Application access is covered in exam SC-300 (Microsoft Identity and Access Administrator), which also covers many other identity and authentication topics.

Sentinel is covered in exam SC-200 (Microsoft Security Operations Analyst), and this exam also goes into more depth on the Defender solutions.

Additionally, Purview and related topics are covered in depth in the exam SC-400 (Microsoft Information Protection Administrator).

Finally, for securing cloud workloads, exam AZ-500: Microsoft Azure Security Technologies continues to be available.

Summary

Adding up the earlier weights, the new MS-102 MS365 Administrator exam has potentially up to 75% of topics related to security and compliance tasks, a substantial increase in emphasis over the prior versions of the skills required.

It retains key topics related to tenant administration and design.

With the revised topics, it also serves as a suitable replacement for the outgoing MS365 Security Administrator certification (MS-500) and in that, a relevant Microsoft certification for a smaller enterprise that doesn't yet have Sentinel.

In that, as a single certification that covers most Microsoft security and compliance solutions as well as important tenant administration concepts, it is quite well put together.

Security professionals who need to study these solutions in more depth continue to have more specialised certifications available.