
MS-102 Portal Path Cheat Sheet: Microsoft 365 Admin, Entra, Purview, Defender, and Cloud Apps

MS-102 Portal Path Cheat Sheet (In Depth)

This is a practical navigation playbook you can rely on during MS-102 study and in a live tenant. It focuses on the portals you will use most, what each one is responsible for, the exact navigation paths, and what to validate after you configure a setting.


1) Microsoft Defender Portal (security.microsoft.com)

Primary use in MS-102: Threat protection for email and collaboration workloads (Exchange Online, SharePoint, OneDrive, Teams).

When you should be here

  • Configuring email threat policies (spam, phishing, malware)
  • Protecting users from malicious links and attachments
  • Investigating threats, alerts, and incidents tied to email and collaboration

Core navigation map

Portal: https://security.microsoft.com
Main left nav area: Email & collaboration

A. Safe Attachments

Path:
Email & collaboration → Policies & rules → Threat policies → Safe Attachments

What this controls

  • Detonation and scanning of attachments for malware
  • Protection extends beyond email to:
    • SharePoint Online files
    • OneDrive for Business files
    • Teams files (where supported/configured)

Typical configuration checkpoints

  • Policy mode (Monitor vs Block)
  • Scope (pilot group vs all users)
  • Action behavior (block, quarantine, redirect, etc., based on plan and policy capabilities)
  • Enable protection for SharePoint/OneDrive (if the option is presented)

Validation

  • Confirm policy is enabled and assigned to intended users/groups
  • Confirm events/alerts appear in Defender when a malicious artifact is detected
  • Check Incidents & alerts for correlated detections

B. Anti-phishing

Path:
Email & collaboration → Policies & rules → Threat policies → Anti-phishing

What this controls

  • Impersonation protection (user impersonation and domain impersonation)
  • Spoof intelligence configuration
  • Safety tips and user warning signals

Typical configuration checkpoints

  • Protected users (executives, finance, HR, helpdesk)
  • Protected domains (your tenant domains and key partner domains)
  • Actions:
    • Quarantine for high confidence
    • Junk for lower confidence (depends on your risk tolerance)
  • Exclusions (use sparingly)

Validation

  • Review detections in Email & collaboration investigations
  • Check Quarantine (if configured)
  • Confirm spoof intelligence is enabled and generating insight

C. Anti-spam

Path:
Email & collaboration → Policies & rules → Threat policies → Anti-spam

What this controls

  • Bulk mail thresholds
  • Spam/phish actions and filtering aggressiveness
  • Allowed/blocked lists in the policy (note: tenant allow/block lists are also managed separately)

Validation

  • Check mail flow outcomes and quarantine statistics
  • Verify users are not receiving bulk/phish content that should be filtered

D. Safe Links

Path:
Email & collaboration → Policies & rules → Threat policies → Safe Links

What this controls

  • Time-of-click URL inspection
  • Rewriting URLs for click tracking and protection
  • Protection in supported apps (Outlook, Teams, Office apps depending on configuration)

Typical configuration checkpoints

  • Scope (pilot vs all)
  • URL rewrite and click protection enabled
  • Do not track internal URLs unless required
  • Exclusions for known-safe business apps (minimize exclusions)

Validation

  • Confirm URL rewrite is occurring (test email)
  • Confirm user experience (warning page on malicious link)
  • Review Safe Links reports/detections

Defender portal troubleshooting shortcuts

  • Incidents & alerts → review correlated incidents
  • Email & collaboration → Explorer (if available) for detailed message and URL/attachment telemetry
  • Actions & submissions → submit false positives/negatives (where available)

2) Microsoft Purview Portal (compliance.microsoft.com)

Primary use in MS-102: Audit, retention, compliance configuration, and investigation workflows.

When you should be here

  • Searching audit logs for user/admin activity
  • Managing audit retention policies (priority-based retention control)
  • Implementing retention policies and labels (data lifecycle)

Core navigation map

Portal: https://compliance.microsoft.com

A. Audit log search

Path:
Audit

What this does

  • Lets you search activities across Microsoft 365 workloads:
    • Exchange, SharePoint, OneDrive, Teams, Entra (depending on auditing and licensing)
  • Key for investigations and proof of activity

Validation

  • Run a query for a known activity (e.g., file accessed, mailbox permission change)
  • Confirm results show the expected activity and timestamp

Common pitfalls

  • Audit isn’t enabled or isn’t ingesting for the workload
  • Incorrect time range
  • Expecting longer retention than configured/licensed

B. Audit retention policies

Path:
Audit → Audit retention policies

What this does

  • Controls how long audit records are retained
  • Retention outcome is determined by policy priority, not specificity

Key admin concept

  • If multiple policies apply, the one with the highest Priority value wins.

Validation

  • Review policies for:
    • Priority order
    • Target users
    • Record types (workloads)
    • Operations (if specified)
    • Retention duration

Common pitfalls

  • Creating an “exception” policy but giving it a lower priority than the baseline policy
  • Assuming a user-specific policy automatically overrides an org-wide policy
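
The priority rule and the "exception" pitfall above, modeled as an added example (not part of the original cheat sheet and not Microsoft code). The policy names, priorities, durations and the contoso.example user are constructed; an empty scope is assumed to mean "applies to everything".

```python
from dataclasses import dataclass

ALL = frozenset()  # assumption of this model: empty scope = applies to everything

@dataclass(frozen=True)
class AuditRetentionPolicy:
    name: str
    priority: int                  # per the page: the highest Priority value wins
    days: int                      # retention duration
    users: frozenset = ALL
    record_types: frozenset = ALL
    operations: frozenset = ALL

    def matches(self, user, record_type, operation):
        pairs = ((self.users, user), (self.record_types, record_type),
                 (self.operations, operation))
        return all(not scope or value in scope for scope, value in pairs)

def effective_policy(policies, user, record_type, operation):
    """Of all policies matching the record, the highest priority value wins."""
    hits = [p for p in policies if p.matches(user, record_type, operation)]
    return max(hits, key=lambda p: p.priority, default=None)

def _covers(broad, narrow):
    # "everything" covers any scope; a limited scope covers only its subsets
    return not broad or (bool(narrow) and narrow <= broad)

def shadowed(policies):
    """Map each policy that can never win to the higher-priority policy hiding it."""
    result = {}
    ranked = sorted(policies, key=lambda p: p.priority, reverse=True)
    for low in policies:
        for high in ranked:
            if high.priority > low.priority and all(
                    _covers(getattr(high, f), getattr(low, f))
                    for f in ("users", "record_types", "operations")):
                result[low.name] = high.name
                break
    return result

# Constructed sample policies (names, priorities and durations are made up)
CFO = frozenset({"cfo@contoso.example"})
BASELINE = AuditRetentionPolicy("Org baseline", priority=100, days=90)
EXCEPTION = AuditRetentionPolicy("CFO exception", priority=10, days=365, users=CFO)
FIXED = AuditRetentionPolicy("CFO exception", priority=200, days=365, users=CFO)

if __name__ == "__main__":
    rec = ("cfo@contoso.example", "SharePointFileOperation", "FileAccessed")
    print(effective_policy([BASELINE, EXCEPTION], *rec).name, shadowed([BASELINE, EXCEPTION]))
    print(effective_policy([BASELINE, FIXED], *rec).days, shadowed([BASELINE, FIXED]))
```

Running `shadowed` over an exported policy list before saving a change shows whether a narrower policy will ever take effect.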

C. Retention policies (Data Lifecycle)

Path:
Data lifecycle management → Microsoft 365 → Retention policies

What this does

  • Retains or deletes content across workloads, depending on configuration
  • Works at the content level (mail, files, Teams messages where supported)

Validation

  • Confirm policy scope includes the right locations (Exchange/SPO/OneDrive/Teams)
  • Confirm inclusion/exclusion rules and retention duration

Common pitfalls

  • Confusing audit retention (logs) with retention policies (content)
  • Not scoping locations correctly

3) Microsoft Entra Admin Center (entra.microsoft.com)

Primary use in MS-102: Identity, access, groups, role assignments, and group-based licensing.

When you should be here

  • Creating groups for targeting policies and licensing
  • Assigning licenses to groups at scale
  • Managing users and role assignments

Core navigation map

Portal: https://entra.microsoft.com
Left nav: Identity

A. Group-based licensing

Path:
Identity → Groups → Select a group → Licenses

What this does

  • Assigns license SKUs to a group
  • Allows disabling specific service plans inside a SKU (for example, disabling a single service like Power Automate within an E3 bundle)

Implementation pattern

  • Baseline licensing group for all users
  • Department or role add-on groups for special SKUs (Power BI, Visio, Project, etc.)

Validation

  • Select a user → confirm:
    • Licenses show as assigned (direct or inherited via group)
    • Disabled service plans are actually disabled
  • Check group licensing errors:
    • Insufficient licenses
    • Conflicting service plans
    • Usage location missing (sometimes required)

B. Dynamic groups (department-based targeting)

Path:
Identity → Groups → New group → Membership type: Dynamic user

What this does

  • Automatically populates membership based on attributes (e.g., Department = Research)

Validation

  • Confirm user attributes are populated correctly
  • Confirm membership rules evaluate as expected

Common pitfalls

  • Department attribute not standardized (spelling/variations)
  • Rule logic correct but user properties incomplete
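
A pre-check for the two pitfalls above, as an added example (not part of the original cheat sheet): it takes a constructed user export and reports who a Department = Research rule would include, whose department value is a near miss, and whose attribute is empty. Case-insensitive matching and the 0.8 similarity cutoff are assumptions of this sketch.

```python
import difflib

def rule_matches(department, target):
    # Model of a Department-equals rule; case-insensitive equality is an
    # assumption of this sketch, whitespace and spelling must match exactly.
    return department is not None and department.lower() == target.lower()

def _norm(value):
    # Lower-case and collapse whitespace so only real spelling differences remain
    return " ".join(value.lower().split())

def audit_department(users, target, cutoff=0.8):
    """Split (upn, department) pairs into rule members, near misses and blanks."""
    report = {"members": [], "near_miss": [], "missing": []}
    for upn, dept in users:
        if dept is None or not dept.strip():
            report["missing"].append(upn)          # attribute never populated
        elif rule_matches(dept, target):
            report["members"].append(upn)          # rule would include this user
        elif difflib.SequenceMatcher(None, _norm(dept), _norm(target)).ratio() >= cutoff:
            report["near_miss"].append((upn, dept))  # likely typo or variation
    return report

# Constructed directory export: (userPrincipalName, department)
USERS = [
    ("ana@contoso.example", "Research"),
    ("ben@contoso.example", "research"),
    ("cho@contoso.example", "Research "),   # trailing space
    ("dev@contoso.example", "Reserch"),     # misspelling
    ("eli@contoso.example", "Sales"),
    ("fay@contoso.example", None),          # attribute missing
]

if __name__ == "__main__":
    for bucket, entries in audit_department(USERS, "Research").items():
        print(bucket, entries)
```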

C. User management

Path:
Identity → Users → All users

What this does

  • Core user lifecycle tasks: create, delete, password reset, block sign-in
  • View assigned licenses, groups, authentication methods (depending on your role/licensing)

Validation

  • Confirm user exists, has correct groups, and licensing is inherited properly

4) Microsoft Defender for Cloud Apps (portal.cloudappsecurity.com)

Primary use in MS-102: Unusual activity detection and alerting for SaaS usage, including Office 365 patterns.

When you should be here

  • Detecting unusual sign-in and activity patterns
  • Building activity-based alerting policies
  • Monitoring app connectors and cloud discovery (depending on configuration)

Core navigation map

Portal: https://portal.cloudappsecurity.com

A. Activity policies (unusual usage alerts)

Path:
Control → Policies → Create policy → Activity policy

What this does

  • Creates alerting logic based on user activity and patterns
  • Common exam-friendly scenarios:
    • Unusual download volume
    • Suspicious access patterns
    • Abnormal user activity for Office 365 apps

Validation

  • Confirm the connector/integration is enabled and ingesting activity
  • Confirm alerts appear in the policy alerts view when thresholds are met (in real environments, validate using safe test methods)

Common pitfalls

  • Expecting alerts without proper app connectors/integration enabled
  • Policies scoped too narrowly or too broadly

5) Microsoft 365 Admin Center (admin.microsoft.com)

Primary use in MS-102: Tenant administration, billing, license inventory, service health, org settings.

When you should be here

  • Checking licensing inventory and subscriptions
  • Performing broad tenant settings changes
  • Managing users at a high level (though Entra is preferred for identity-centric tasks)

Core navigation map

Portal: https://admin.microsoft.com

A. License inventory and subscriptions

Path:
Billing → Licenses (or Billing → Your products depending on UI)

Use cases

  • Confirm you own the SKUs required for group-based licensing
  • Check license counts before assignment changes

B. Active users

Path:
Users → Active users

Use cases

  • Quick user creation and management
  • Confirm user accounts and basic properties

C. Service health

Path:
Health → Service health

Use cases

  • Rule out tenant-wide outages when troubleshooting mail flow, audit ingestion, or policy behavior

6) Fast Decision Guide: Which Portal Do I Use?

Threat protection (email, links, attachments, phishing)

  • Microsoft Defender portal: security.microsoft.com

Audit logs and audit retention

  • Microsoft Purview portal: compliance.microsoft.com

Users, groups, roles, and group-based licensing

  • Microsoft Entra admin center: entra.microsoft.com

Unusual cloud usage patterns and SaaS activity alerts

  • Defender for Cloud Apps: portal.cloudappsecurity.com

Subscription inventory and tenant-wide admin settings

  • Microsoft 365 admin center: admin.microsoft.com

7) Verification Checklist (Post-Change)

Use this after any policy or configuration change:

Defender policies (Safe Attachments, Safe Links, Anti-phishing, Anti-spam)

  • Policy enabled
  • Correct scope (pilot vs all)
  • Correct actions (quarantine, block, etc.)
  • Alerts visible in Defender
  • User impact acceptable (false positives reviewed)

Purview audit

  • Audit search returns expected events
  • Retention policy priorities correct
  • Retention durations align with requirements

Entra licensing

  • Group membership correct
  • Licenses assigned to groups
  • Required service plans disabled as intended
  • No licensing errors (conflicts or insufficient SKUs)

Cloud Apps alerts

  • Integration/connector enabled
  • Policy enabled and scoped
  • Alerts generated and visible
  • Notifications configured (if required)

 
