πŸ”’ Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided MS-102 Domain 1
Domain 1 β€” Module 5 of 8 63%
5 of 28 overall

MS-102 Study Guide

Domain 1: Deploy and Manage a Microsoft 365 Tenant

  • Establish and Configure Your M365 Tenant
  • Monitor Tenant Health and Network Readiness
  • Adoption Tracking and Microsoft 365 Backup
  • Manage Users, Contacts and External Identities
  • Groups, Shared Mailboxes and Licensing at Scale
  • Automate with PowerShell: Bulk User Operations
  • Roles, Role Groups and Workload Permissions
  • Delegate with Administrative Units and PIM

Domain 2: Implement and Manage Microsoft Entra Identity and Access

  • Prepare for Identity Synchronization
  • Implement Connect Sync and Cloud Sync
  • Monitor and Troubleshoot Identity Sync
  • Authentication Methods and Self-Service Password Reset
  • Password Protection and Authentication Troubleshooting
  • Entra Identity Protection and Risk Policies
  • Conditional Access and MFA Enforcement

Domain 3: Manage Security and Threats by Using Microsoft Defender XDR

  • Defender XDR: Security Posture and Threat Intelligence
  • Investigate Incidents with Advanced Hunting
  • Defender for Office 365: Threat Policies
  • Email Threats, Attack Simulation and Restricted Entities
  • Defender for Endpoint: Onboard and Protect
  • Vulnerability Management
  • Defender for Cloud Apps: Connect and Govern
  • Cloud App Discovery and Activity Monitoring

Domain 4: Manage Compliance by Using Microsoft Purview

  • Sensitive Information Types and Data Classification
  • Retention Labels and Data Lifecycle
  • Sensitivity Labels and Monitoring
  • DLP Policies Across M365 Workloads
  • Endpoint DLP and Alert Response

MS-102 Study Guide

Domain 1: Deploy and Manage a Microsoft 365 Tenant

  • Establish and Configure Your M365 Tenant
  • Monitor Tenant Health and Network Readiness
  • Adoption Tracking and Microsoft 365 Backup
  • Manage Users, Contacts and External Identities
  • Groups, Shared Mailboxes and Licensing at Scale
  • Automate with PowerShell: Bulk User Operations
  • Roles, Role Groups and Workload Permissions
  • Delegate with Administrative Units and PIM

Domain 2: Implement and Manage Microsoft Entra Identity and Access

  • Prepare for Identity Synchronization
  • Implement Connect Sync and Cloud Sync
  • Monitor and Troubleshoot Identity Sync
  • Authentication Methods and Self-Service Password Reset
  • Password Protection and Authentication Troubleshooting
  • Entra Identity Protection and Risk Policies
  • Conditional Access and MFA Enforcement

Domain 3: Manage Security and Threats by Using Microsoft Defender XDR

  • Defender XDR: Security Posture and Threat Intelligence
  • Investigate Incidents with Advanced Hunting
  • Defender for Office 365: Threat Policies
  • Email Threats, Attack Simulation and Restricted Entities
  • Defender for Endpoint: Onboard and Protect
  • Vulnerability Management
  • Defender for Cloud Apps: Connect and Govern
  • Cloud App Discovery and Activity Monitoring

Domain 4: Manage Compliance by Using Microsoft Purview

  • Sensitive Information Types and Data Classification
  • Retention Labels and Data Lifecycle
  • Sensitivity Labels and Monitoring
  • DLP Policies Across M365 Workloads
  • Endpoint DLP and Alert Response
Domain 1: Deploy and Manage a Microsoft 365 Tenant Premium ⏱ ~16 min read

Groups, Shared Mailboxes and Licensing at Scale

Master Microsoft 365 Groups, distribution lists, security groups, shared mailboxes, group-based licensing, and licence monitoring β€” the backbone of organised admin.

Groups and licensing β€” the connective tissue of M365

β˜• Simple explanation

Groups are how Microsoft 365 organises people. Licensing is how you give those people access to services. Get both wrong and you’ll spend your weekdays fixing permissions and your weekends explaining licence costs.

Think of groups like different types of meeting invitations: some give you access to a shared workspace (M365 Groups), some just put you on an email list (distribution lists), some control access to resources (security groups), and some do a bit of everything.

Licensing at scale means assigning licences automatically through groups instead of one user at a time β€” then monitoring for waste.

Microsoft 365 supports multiple group types, each serving a distinct purpose. The admin challenge is choosing the right type, governing creation, and managing lifecycle. Combined with group-based licensing (assigning licences to groups instead of individuals), groups become the primary mechanism for both collaboration and licence management at scale.

Key group management surfaces:

  • Microsoft 365 admin center β€” basic group CRUD and shared mailboxes
  • Microsoft Entra admin center β€” dynamic groups, group-based licensing, expiration policies
  • Exchange admin center β€” distribution lists, shared mailboxes, mail-enabled security groups
  • Microsoft Graph PowerShell β€” bulk operations and automation

Group types compared

Microsoft 365 Group Types
FeatureM365 GroupDistribution ListSecurity GroupMail-Enabled Security
Primary purposeCollaborationEmail distributionAccess controlAccess control + email
Shared mailbox
SharePoint site
Teams teamYes (optional)
Planner
Can assign licences
Dynamic membershipYes (Entra P1+)Yes (Entra P1+)
Managed inM365/Entra admin centerExchange admin centerEntra admin centerExchange admin center
Can contain guests

When to use which group type

ScenarioBest Group TypeWhy
Project team needs shared email, files, and a Teams channelMicrosoft 365 GroupCreates the full collaboration stack automatically
All-staff announcements (one-way email)Distribution ListSimple email fan-out, no shared resources
Control access to a SharePoint site or Azure resourceSecurity GroupPurpose-built for access control
Finance team needs email AND access control for a SharePoint siteMail-enabled Security GroupCombines distribution with access control

Shared mailboxes

A shared mailbox is a mailbox that multiple users can access without needing individual credentials. Common uses: info@company.com, support@company.com, invoices@company.com.

FeatureShared MailboxM365 Group Mailbox
Licence requiredNo (up to 50 GB)No (for the group)
Send as / Send on behalfYesYes (Send As via PowerShell, Send on Behalf via admin center)
Shows in Outlook automaticallyYes (auto-mapped)Yes (if subscribed)
CalendarYes (shared calendar)Yes (group calendar)
Needs a passwordNo β€” accessed via delegationNo β€” accessed via group membership
Best forFunctional mailboxes (support, info)Team collaboration email
πŸ’‘ Exam tip: Shared mailbox size and licensing

Shared mailboxes are free up to 50 GB. If the mailbox exceeds 50 GB, you must assign a licence (Exchange Online Plan 2 or an M365 licence). This bumps the limit to 100 GB. The exam may ask: β€œThe support shared mailbox is at 48 GB and growing. What should Marcus do?” Answer: Assign a licence or implement a retention policy to manage mailbox size.

Also note: shared mailboxes should NOT have passwords or direct sign-in. If you need to sign in directly (e.g., for a service account), convert it to a regular user mailbox with a licence.

Group-based licensing

Instead of assigning licences to individual users, you assign licences to groups. When a user joins the group, they automatically get the licence. When they leave, the licence is removed.

How it works

  1. Create a security group or M365 Group β€” e.g., LIC-M365-E5-Users
  2. Assign licences to the group in Entra admin center > Groups > select group > Licences
  3. Add users to the group β€” directly or via dynamic membership rules
  4. Licences are assigned automatically β€” Entra processes the assignment
  5. Monitor for errors β€” Entra shows processing status and any conflicts

Dynamic groups for automatic licensing

Dev sets up dynamic groups for NimbleCloud’s clients:

# Dynamic membership rule example
(user.department -eq "Engineering") and (user.country -eq "United Kingdom")

When a new engineer in the UK is created, they automatically join the group and receive their M365 E5 licence. No manual intervention needed.

Licence monitoring

Where to MonitorWhat It Shows
M365 admin center > Billing > LicencesAvailable vs assigned per subscription
Entra admin center > Groups > Licence processingGroup-based assignment status, errors
Usage reportsLicensed vs actually active users
Microsoft Graph APIProgrammatic licence queries for dashboards

Common group-based licensing errors

ErrorCauseFix
Not enough licencesMore group members than available licencesPurchase more licences or remove users
Conflicting service plansUser is in two groups assigning conflicting servicesAdjust group membership or disable specific service plans on one group
Missing usage locationUser doesn’t have usage location setSet usage location before licence assignment
Service plan dependencyA disabled service plan is required by another enabled planEnable the dependent service plan
ℹ️ Deep dive: Managing licence conflicts

When a user belongs to multiple groups that assign licences, conflicts can occur. For example:

  • Group A assigns M365 E3
  • Group B assigns M365 E5

Since E5 includes all E3 service plans, this creates an over-assignment (cost waste, not a processing error). The resolution:

  • Remove the user from the E3 group β€” E5 already includes everything in E3, so no functionality is lost
  • Or use service plan toggles to disable specific plans in one assignment

The Entra admin center flags these conflicts in the group’s licence processing status. The exam expects you to identify and resolve these scenarios.

Key concepts to remember

Question

What resources are automatically created when you create a Microsoft 365 Group?

Click or press Enter to reveal answer

Answer

A shared mailbox (group mailbox), a SharePoint Online team site, a Planner plan, and a shared OneNote notebook. Optionally, a Teams team can be added. This is why M365 Groups are the preferred collaboration type β€” they create the full workspace stack.

Click to flip back
Question

Do shared mailboxes require a Microsoft 365 licence?

Click or press Enter to reveal answer

Answer

No β€” shared mailboxes are free up to 50 GB. If the mailbox exceeds 50 GB, you must assign a licence (Exchange Online Plan 2 or M365 licence) to increase the limit to 100 GB. Shared mailboxes should not have direct sign-in enabled.

Click to flip back
Question

What happens when a user is removed from a group that has group-based licensing?

Click or press Enter to reveal answer

Answer

The licence assigned through that group is automatically removed from the user. If the user has the same licence from another group or direct assignment, they keep it. Group-based licensing only manages licences assigned through that specific group.

Click to flip back
Question

What is a dynamic group membership rule?

Click or press Enter to reveal answer

Answer

A rule that automatically adds or removes users from a group based on user attributes (department, country, job title, etc.). Requires Microsoft Entra ID P1 or P2. Example: (user.department -eq 'Sales') automatically adds all Sales users to the group.

Click to flip back

Knowledge check

Knowledge Check

Dev needs to set up a functional email address (support@nimblecloud.com) that three help desk staff can monitor and respond from. No individual licence should be consumed. What should Dev create?
Knowledge Check

Marcus creates a security group called 'LIC-M365-E5' and assigns Microsoft 365 E5 licences to it. He adds 200 users but 15 users show a licence processing error. The error is 'Missing usage location.' What should Marcus do?

🎬 Video coming soon

Next up: Automate with PowerShell: Bulk User Operations β€” why real admins script it once and never click again.

← Previous

Manage Users, Contacts and External Identities

Next β†’

Automate with PowerShell: Bulk User Operations

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.