Microsoft 365 Security Administration v1.0 (MS-500)

Total 310 questions

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 E5 subscription that contains a user named User1.
The Azure Active Directory (Azure AD) Identity Protection risky users report identifies User1.
For User1, you select Confirm user compromised.
User1 can still sign in.
You need to prevent User1 from signing in. The solution must minimize the impact on users at a lower risk level.
Solution: You configure the user risk policy to block access when the user risk level is high.
Does this meet the goal?

  • A. Yes
  • B. No


Answer : B

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 E5 subscription that contains a user named User1.
The Azure Active Directory (Azure AD) Identity Protection risky users report identifies User1.
For User1, you select Confirm user compromised.
User1 can still sign in.
You need to prevent User1 from signing in. The solution must minimize the impact on users at a lower risk level.
Solution: You configure the sign-in risk policy to block access when the sign-in risk level is high.
Does this meet the goal?

  • A. Yes
  • B. No


Answer : B

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 E5 subscription that contains a user named User1.
The Azure Active Directory (Azure AD) Identity Protection risky users report identifies User1.
For User1, you select Confirm user compromised.
User1 can still sign in.
You need to prevent User1 from signing in. The solution must minimize the impact on users at a lower risk level.
Solution: From the Access settings, you select Block access for User1.
Does this meet the goal?

  • A. Yes
  • B. No


Answer : A

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 subscription that contains the users shown in the following table.


You need to ensure that User1, User2, and User3 can use self-service password reset (SSPR). The solution must not affect User4.
Solution: You create a conditional access policy for User1, User2, and User3.
Does that meet the goal?

  • A. Yes
  • B. No


Answer : B

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr

You have a Microsoft 365 tenant that is linked to a hybrid Azure Active Directory (Azure AD) tenant named contoso.com.
You need to enable Azure AD Seamless Single Sign-On (Azure AD SSO) for contoso.com.
What should you use?

  • A. Azure AD Connect
  • B. the Microsoft 365 Defender portal
  • C. the Microsoft 365 Security admin center
  • D. the Microsoft 365 admin center


Answer : A

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start

You have a Microsoft 365 subscription.
You need to recommend a passwordless authentication solution that uses biometric authentication.
What should you include in the recommendation?

  • A. Windows Hello for Business
  • B. a smart card
  • C. the Microsoft Authenticator app
  • D. a PIN


Answer : A

Reference:
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-overview

Your network contains an on-premises Active Directory domain and a Microsoft 365 subscription.
You plan to deploy a hybrid Azure Active Directory (Azure AD) tenant that has Azure AD Identity Protection risk policies enabled.
You need to configure Azure AD Connect to support the planned deployment.
Which Azure AD Connect authentication method should you select?

  • A. Federation with AD FS
  • B. Federation with PingFederate
  • C. Password Hash Synchronization
  • D. Pass-through authentication


Answer : A

You have several Conditional Access policies that block noncompliant devices from connecting to services.
You need to identify which devices are blocked by which policies.
What should you use?

  • A. the Device compliance report in the Microsoft Endpoint Manager admin center
  • B. the Device compliance trends report in the Microsoft Endpoint Manager admin center
  • C. Activity log in the Cloud App Security portal
  • D. the Conditional Access Insights and Reporting workbook in the Azure Active Directory admin center


Answer : D

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-insights-reporting

You have a Microsoft 365 subscription named contoso.com.
You need to configure Microsoft OneDrive for Business external sharing to meet the following requirements:
✑ Enable file sharing for users that have a Microsoft account.
✑ Block file sharing for anonymous users.
What should you do?

  • A. From Advanced settings for external sharing, select Allow or block sharing with people on specific domains and add contoso.com.
  • B. From the External sharing settings for OneDrive, select Only people in your organization.
  • C. From the External sharing settings for OneDrive, select Existing external users.
  • D. From the External sharing settings for OneDrive, select New and existing external users.


Answer : D

Reference:
https://www.sharepointdiary.com/2020/09/enable-external-sharing-in-onedrive-for-business.html

DRAG DROP -
You have a Microsoft 365 E5 tenant that contains three users named User1, User2, and User3.
You need to assign roles or role groups to the users as shown in the following table.


What should you use to assign a role or role group to each user? To answer, drag the appropriate tools to the correct roles or role groups. Each tool may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:



Answer :

Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center?view=o365-worldwide

Your network contains an on-premises Active Directory domain named contoso.local that has a forest functional level of Windows Server 2008 R2.
You have a Microsoft 365 E5 subscription linked to an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to install Azure AD Connect and enable single sign-on (SSO).
You need to prepare the domain to support SSO. The solution must minimize administrative effort.
What should you do?

  • A. Raise the forest functional level to Windows Server 2016.
  • B. Modify the UPN suffix of all domain users.
  • C. Populate the mail attribute of all domain users.
  • D. Rename the domain.


Answer : B

Reference:
https://docs.microsoft.com/en-us/microsoft-365/enterprise/prepare-a-non-routable-domain-for-directory-synchronization?view=o365-worldwide

HOTSPOT -
You have a Microsoft 365 E5 subscription that contains the users shown in the following table.


For contoso.com, you create a group naming policy that has the following configuration.
<Department> - <Group name>
You plan to create the groups shown in the following table.

Which users can be used to create each group? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:



Answer :

Reference:
https://office365itpros.com/2020/01/22/using-groups-admin-role/
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.


You configure the Security Operator role in Azure AD Privileged Identity Management (PIM) as shown in the following exhibit.

You add assignments to the Security Operator role as shown in the following table.

Which users can activate the Security Operator role?

  • A. User2 only
  • B. User3 only
  • C. User1 and User2 only
  • D. User2 and User3 only
  • E. User1, User2, and User3


Answer : D

You have a Microsoft 365 tenant.
You need to implement a policy to enforce the following requirements:
✑ If a user uses a Windows 10 device that is NOT hybrid Azure Active Directory (Azure AD) joined, the user must be allowed to connect to Microsoft SharePoint Online only from a web browser. The user must be prevented from downloading files or syncing files from SharePoint Online.
✑ If a user uses a Windows 10 device that is hybrid Azure AD joined, the user must be able to connect to SharePoint Online from any client application, download files, and sync files.
What should you create?

  • A. a conditional access policy in Azure AD that has Client apps conditions configured
  • B. a conditional access policy in Azure AD that has Session controls configured
  • C. a compliance policy in Microsoft Endpoint Manager that has the Device Properties settings configured
  • D. a compliance policy in Microsoft Endpoint Manager that has the Device Health settings configured


Answer : B

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-session

You have a hybrid deployment of Azure Active Directory (Azure AD) that contains two users named User1 and User2.
You need to assign Role Based Access Control (RBAC) roles to User1 and User2 to meet the following requirements:
✑ Use the principle of least privilege.
✑ Enable User1 to view sync errors by using Azure AD Connect Health.
✑ Enable User2 to configure Azure Active Directory Connect Health Settings.
Which two roles should you assign? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. The Monitoring Reader role in Azure AD Connect Health to User1
  • B. The Security reader role in Azure AD to User1
  • C. The Reports reader role in Azure AD to User1
  • D. The Contributor role in Azure AD Connect Health to User2
  • E. The Monitoring Contributor role in Azure AD Connect Health to User2
  • F. The Security operator role in Azure AD to User2


Answer : AE

Explanation:
A: The Monitoring Reader can read all monitoring data (metrics, logs, etc.).
Note: Assign the Monitoring reader role to the Azure Active Directory application on the subscription, resource group or resource you want to monitor.
E: Monitoring Contributor can read all monitoring data and edit monitoring settings.
Incorrect:
Not B: Security Reader can view permissions for Security Center. Can view recommendations, alerts, a security policy, and security states, but cannot make changes.
Not D: Contributor grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
