MS-101 Microsoft 365 Mobility and Security Exam Resource Guide (November 2022 Update)

The exam description for MS-101 recently had a minor update, with no real changes to the exam topics, instead it’s a fit and finish update fixing some minor errors and introducing Microsoft Entra branding into the audience profile. It received a major update recently though, so let’s take a look at those changes.

What was added in the previous update? The Intune/Endpoint Manager topics now include App Configuration Policies and Windows subscription based activation. App Configuration Policies assist with the initial configuration of apps on mobile devices, so it’s easy to understand why it’s now included. What about Windows subscription based activation? This is mostly going to be used for Windows 10/11 Pro to Windows 10/11 Enterprise, so it’s inclusion makes sense with the additional security capabilities being added. Desktop Analytics has been removed from the exam description, as it’s being retired in November 2022.

Up next there’s been a major overhaul of the Microsoft 365 Defender topics. The biggest one is the removal of Microsoft Defender for Identity, which makes sense to me because for anyone who works in a cloud only environment without traditional Active Directory exposure this was something that pushed them into understanding what to them might be viewed as legacy technologies. Defender for Endpoint, Defender for Office 365 and Defender for Cloud Apps have all been expanded, which again is something that makes sense to me.

Where things change quite a bit is in the compliance section. If you were to ask me what I think about the compliance section being part of this exam, I do question it’s inclusion based on the name of the exam. The exam name includes mobility and security, and there are so many technologies in those areas that could be included instead of having around one third of the exam covering what could be argued is off topic. I make the same argument with MS-500 – it has security in the name but still includes a considerable amount of compliance content. My personal preference for both of these exams is to either better align them with the exam name, by changing their names to include compliance or governance or to drop the compliance content. My suspicion here is that this is more of a remnant of “security and compliance” being grouped together as if they are one thing, and I’m sure some of you have some opinions on that.

You may notice that there’s no reference to Purview in any of the topics yet. Technologies that fall under the Purview banner are definitely included, with new references add in for Content Explorer, Activity Explorer, and label reports, but there have also been some removals. References to Privileged Access Management, Azure Information Protection, Information Rights Management and Windows Information Protection have been removed. While some of these technologies might still be covered under existing topics in the exam, Windows Information Protection’s removal makes a great deal of sense due to Microsoft actively recommending moving on to other Purview technologies to provide similar functionality.

One of the weirder inclusions in the compliance section is Azure Active Directory auditing. It’s not the topic itself, rather it’s where it’s situated amongst Purview functionality. As there isn’t an identity section in the exam for this to be a more comfortable fit, I’ll just assume this was the best location to place it. In order to fully understand this topic it’s best if you have an Azure subscription in your Microsoft 365 tenant so that you can take a look at the different options about sending your log data into Log Analytics or Storage Accounts, for example.

When you start preparing for this exam it’s important to remember what I called out above, it’s not just a mobility and security exam, it also includes a section on compliance. It’s going to include more detailed questions on Intune, Endpoint Manager and Windows than the more recently introduced SC-x00 exams . However, once you move past this difference, there are many topics that overlap with the SC-x00 series exams, but that doesn’t mean that preparing for this exam will completely prepare you for those exams.

If you have passed MS-100 and MS-101 you are going to be in pretty good shape to prepare for MS-500 and the SC-300 identity exam. If governance and compliance are what you are more passionate about, it would make sense to look at SC-400 as your next exam, as the base knowledge in this exam puts you in a good starting position as far as knowledge is concerned.

Some of the SC-x00 exams do have an Azure component, or in the case of the SC-200 Security Operations exam have a very heavy Azure focus due to Microsoft Defender for Cloud and Microsoft Sentinel making up a large portion of the exam. There is similar overlap with this exam and MS-500, so it could be a good exam to take after this one if you were planning out what’s next.

Plan and implement device services (35—40%)

Plan and implement device management by using Microsoft Endpoint Manager

• plan co-management between Endpoint Configuration Manager and Intune
  • What is co-management?
  • Enable tenant attach
  • Getting started with cloud native Windows endpoints
• plan and implement configuration profiles for Windows and MacOS clients
  • Assign profiles
• plan and implement configuration profiles for iOS and Android
  • Assign profiles
• review and respond to issues identified in Microsoft Endpoint Manager
  • Intune reports

Plan and implement device security and compliance by using Microsoft Endpoint Manager

• plan and implement device compliance policies
  • Get started with device compliance policies in Intune
  • Create a device compliance policy
• plan and implement attack surface reduction policies
  • Protect devices
  • Configure attack surface reduction
  • Configure Microsoft Defender antivirus features
• implement and manage security baselines
  • Manage security baselines
• plan and configure conditional access policies for device compliance
  • Common ways to use conditional access
  • Device-based Conditional Access policy
  • App-based Conditional Access

Deploy and manage applications by using Microsoft Endpoint Manager

• plan and implement application deployment
  • Assign apps to employees
• publish public and private applications by using Microsoft Endpoint Manager
  • Distribute apps with a management tool
  • Distribute apps using your private store
  • Microsoft Store for Business and Microsoft Store for Education overview
• plan and implement application protection policies
  • Compare MDM and MAM
• plan and implement application configuration policies
  • App configuration policies
• monitor and troubleshoot application deployment
  • Troubleshoot app installation problems

Plan for Windows client deployment and management

• choose Windows client deployment methods and tools based on requirements, including Windows Autopilot, USMT, Microsoft Deployment Toolkit, and Windows Deployment Services
  • Windows 10 deployment considerations
• plan and implement Windows subscription-based activation
  • Windows 10/11 Subscription Activation
• plan for Windows updates
  • Overview of Windows as a service
  • Feature updates policy
  • Update rings policy
• plan and implement additional Windows client security features
  • Windows 10 Enterprise Security

Plan and implement device enrollment

• plan and implement device join or hybrid join to Azure AD
  • What is device management in Azure AD?
• plan and implement device registration to Azure AD
  • Set up automatic enrollment
• plan and implement manual and automated device enrollment into Intune
  • Planning guide
  • Set the MDM authority
  • Restrictions

Manage security and threats by using Microsoft 365 Defender (25—30%)

Manage security reports and alerts by using the Microsoft 365 Defender portal

• review and respond to the Microsoft 365 Secure Score
  • Secure score and security controls
• review and respond to security alerts in Microsoft 365 Defender
  • Alerts in the Security & Compliance Center
• review and respond to issues identified in security and compliance reports in Microsoft 365 Defender
  • Overview
  • Manage incidents

Plan, implement, and manage email and collaboration protection by using Microsoft Defender for Office 365

• plan and implement policies and rules in Microsoft Defender for Office 365
  • Set up anti-phishing and Microsoft Defender for Office 365 anti-phishing policies
  • Set up Microsoft Defender for Office 365 Safe Attachments policies
  • Set up Microsoft Defender for Office 365 Safe Links policies
• review and respond to issues identified in Microsoft Defender for Office 365, including threats, investigations, and campaigns
  • View and read your Microsoft Defender for Office 365 reports
  • Attack Simulator in Microsoft Defender for Office 365
• unblock users
  • Remove blocked users

Plan, implement, and manage endpoint protection by using Microsoft Defender for Endpoint

• plan Microsoft Defender for Endpoint
  • Plan your Defender for Endpoint Deployment
  • Set up Microsoft Defender for Endpoint deployment
• onboard devices to Microsoft Defender for Endpoint
  • Onboard devices to the service
• configure Microsoft Defender for Endpoint settings
  • Configure capabilities of the service
  • Configure conditional access
  • Enable Microsoft Defender for Cloud Apps in Microsoft Defender for Endpoint
• review and respond to endpoint vulnerabilities
  • Endpoint detection and response overview
• review and respond to risks on devices
  • Investigate devices
• review and respond to exposure score
  • Get exposure score

Plan, implement, and manage Microsoft Defender for Cloud Apps

• configure the application connector for Office 365
  • How to connect Office 365 to Defender for Cloud Apps
• plan and configure Microsoft Defender for Cloud Apps policies
  • Set up your organization’s settings in Defender for Cloud Apps
  • Control cloud apps with policies
  • Connect apps to get visibility and control
• review and respond to Microsoft Defender for Cloud Apps alerts
  • Manage alerts raised in Defender for Cloud Apps
• review and respond to activity log
  • Get started with app threat detection and remediation
• configure Cloud App Discovery
  • Configure automatic log upload for continuous reports
• review and respond to issues identified in Cloud App Discovery
  • Discovered app filters and queries

Manage Microsoft 365 compliance (30—35%)

Plan and implement information governance

• plan and implement retention labels and label policies
  • Retention policies and labels
• recover deleted data in Exchange Online and SharePoint Online
  • Restore items in the Recycle Bin of a SharePoint site
  • Restore deleted items from the Site collection recycle bin 
  • Manage inactive mailboxes
• implement records management
  • Learn about records management

Plan and implement information protection

• plan and implement data classification
  • Get started with sensitivity labels
• plan and implement sensitivity labels and policies
  • Learn about sensitivity labels
  • Create and publish sensitivity labels
  • Enable sensitivity labels for Office files in SharePoint and OneDrive
  • Retention policies and labels
• optimize label usage by using Content Explorer, Activity Explorer, and label reports
  • Get started with content explorer
  • Get started with activity explorer
  • Labeling actions reported in Activity explorer

Plan and implement data loss prevention (DLP)

• plan and implement DLP for workloads
  • Learn about data loss prevention
• plan and implement Microsoft 365 Endpoint DLP
  • Create a DLP policy from a template
  • Create, test, and tune a DLP policy
• review and respond to DLP alerts, events, and reports
  • View the DLP reports
  • What the DLP functions look for

Manage search and investigation

• configure auditing in Azure AD, including diagnostic settings
  • Sign-in logs
  • What are Azure AD reports?
  • What is Azure AD monitoring?
• plan and configure audit retention policies for Microsoft 365
  • Turn audit log search on or off
  • Configure your Microsoft 365 tenant for increased security
  • Enable mailbox auditing
• retrieve and interpret audit logs for workloads
  • Search the audit log
• plan and configure eDiscovery and Advanced eDiscovery
  • Get Started With Core eDiscovery
  • Assign eDiscovery permissions
• specify a Content Search based on requirements
  • Use Content Search