Microsoft 365 Security Administration v1.0 (MS-500)

Page: 1 / 24
Total 359 questions

You have a hybrid deployment of Azure Active Directory (Azure AD) that contains two users named User1 and User2.
You need to assign Role Based Access Control (RBAC) roles to User1 and User2 to meet the following requirements:
✑ Use the principle of least privilege.
✑ Enable User1 to view sync errors by using Azure AD Connect Health.
✑ Enable User2 to configure Azure Active Directory Connect Health Settings.
Which two roles should you assign? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. The Monitoring Reader role in Azure AD Connect Health to User1
  • B. The Security reader role in Azure AD to User1
  • C. The Reports reader role in Azure AD to User1
  • D. The Contributor role in Azure AD Connect Health to User2
  • E. The Monitoring Contributor role in Azure AD Connect Health to User2
  • F. The Security operator role in Azure AD to User2


Answer : AE

A: The Monitoring Reader can read all monitoring data (metrics, logs, etc.).
Note: Assign the Monitoring reader role to the Azure Active Directory application on the subscription, resource group or resource you want to monitor.
E: Monitoring Contributor can read all monitoring data and edit monitoring settings.
Incorrect:
Not B: Security Reader can view permissions for Security Center. It can view recommendations, alerts, a security policy, and security states, but cannot make changes.
Not D: Contributor grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

You have a Microsoft 365 subscription that contains a user named User1.
You need to assign User1 permissions to search Microsoft Office 365 audit logs.
What should you use?

  • A. the Azure Active Directory admin center
  • B. the Exchange admin center
  • C. the Microsoft 365 Defender portal
  • D. the Microsoft 365 Compliance center


Answer : B

To give a user the ability to search the audit log with the minimum level of privileges, you can create a custom role group in Exchange Online, add the View-Only Audit Logs or Audit Logs role, and then add the user as a member of the new role group.
Incorrect:
Not D: If you assign a user the View-Only Audit Logs or Audit Logs role on the Permissions page in the compliance portal, they won't be able to search the audit log. You have to assign the permissions in Exchange Online. This is because the underlying cmdlet used to search the audit log is an Exchange Online cmdlet.
You can also use the Exchange admin center (EAC).
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance

You have a Microsoft 365 tenant that has modern authentication enabled.
You have Windows 10, MacOS, Android, and iOS devices that are managed by using Microsoft Endpoint Manager.
Some users have older email client applications that use Basic authentication to connect to Microsoft Exchange Online.
You need to implement a solution to meet the following security requirements:
✑ Allow users to connect to Exchange Online only by using email client applications that support modern authentication protocols based on OAuth 2.0.
✑ Block connections to Exchange Online by any email client applications that do NOT support modern authentication.
What should you implement?

  • A. a conditional access policy in Azure Active Directory (Azure AD)
  • B. an application control profile in Microsoft Endpoint Manager
  • C. a compliance policy in Microsoft Endpoint Manager
  • D. an OAuth app policy in Microsoft Defender for Cloud Apps


Answer : A

Block clients that don't support multi-factor authentication by using a Conditional Access policy.
Note: Clients that do not use modern authentication can bypass Conditional Access policies, so it's important to block them.
Incorrect:
Not D: OAuth app policies enable you to investigate which permissions each app requested and which users authorized them for Office 365, Google Workspace, and Salesforce. You're also able to mark these permissions as approved or banned.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/identity-access-policies

HOTSPOT -
You have a Microsoft 365 E5 subscription linked to an Azure Active Directory (Azure AD) tenant. The tenant contains a user named User1 and multiple Windows 10 devices. The devices are Azure AD joined and protected by using BitLocker Drive Encryption (BitLocker).
You need to ensure that User1 can perform the following actions:
✑ View BitLocker recovery keys.
✑ Configure the usage location for the users in the tenant.
The solution must use the principle of least privilege.
Which two roles should you assign to User1 in the Microsoft 365 admin center? To answer, select the appropriate roles in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:



Answer :

Box 1: Helpdesk admin -
View BitLocker recovery keys.
Helpdesk Admins can read BitLocker metadata and keys on devices.
Note: One of the following roles should be enough:
  • Global admins
  • Intune Service Administrators
  • Security Administrators
  • Security Readers
  • Helpdesk Admins

Box 2: User Administrator -
Configure the usage location for the users in the tenant.
The User Administrator can manage all aspects of users and groups, including resetting passwords for limited admins.
The User Administrator can manage all user properties, including the User Principal Name, and update (FIDO) device keys.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

HOTSPOT -
Your on-premises network contains an Active Directory domain that syncs to Azure Active Directory (Azure AD) by using Azure AD Connect. The functional level of the domain is Windows Server 2019.
You need to deploy Windows Hello for Business. The solution must meet the following requirements:
✑ Ensure that users can access Microsoft 365 services and on-premises resources.
✑ Minimize administrative effort.
How should you deploy Windows Hello for Business and which type of trust should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:



Answer :

Box 1: Hybrid -
Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources.

Box 2: Certificate -
The Windows Hello for Business deployment depends on an enterprise public key infrastructure as the trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows devices to trust the domain controller.
Reference:
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs

HOTSPOT -
You have a Microsoft 365 E5 subscription.
You need to create a role-assignable group. The solution must ensure that you can nest the group.
How should you configure the group? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:



Answer :

Box 1: Security only -
You can add an existing Security group to another existing Security group (also known as nested groups), creating a member group (subgroup) and a parent group. The member group inherits the attributes and properties of the parent group, saving you configuration time.
Incorrect:
Not supported:
Adding Security groups to Microsoft 365 groups.
Adding Microsoft 365 groups to Security groups or other Microsoft 365 groups.

Box 2: Assigned only -
The membership type for role-assignable groups must be Assigned and can't be an Azure AD dynamic group.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-membership-azure-portal

HOTSPOT -
You create device groups in Microsoft Defender for Endpoint as shown in the following table.

You onboard three devices to Microsoft Defender for Endpoint as shown in the following table.

After the devices are onboarded, you perform the following actions:
✑ Add a tag named Tag1 to Device1.
✑ Rename Computer3 as Device3.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:



Answer :

Box 1: No -
The Group1 membership rule 'Name Start with Device' applies to Device1.
However, the higher ranked Group2 membership rule 'Tag Equals Tag1' also applies to Device1, and overrules the lower ranked rule.
Note: Specify the matching rule that determines which devices belong to the group, based on the device name, domain, tags, and OS platform. If a device also matches other groups, it's added only to the highest ranked device group.

Box 2: No -
The Group1 membership rule 'Name Start with Device' applies to Device2.
No other rule applies.

Box 3: Yes -
The Group3 rule applies for Computer3.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/machine-groups
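As an added illustration (not part of the exam material), the ranking rule above as a small Python model: each group has a rank and a matching rule, and a device lands only in the highest-ranked group whose rule matches. The ranks, the case-insensitive name match and Group3's rule are assumptions, since the question's tables are not reproduced here.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Device:
    name: str
    tags: set = field(default_factory=set)


@dataclass
class DeviceGroup:
    name: str
    rank: int                          # 1 = highest rank, evaluated first
    rule: Callable[[Device], bool]


def name_starts_with(prefix: str) -> Callable[[Device], bool]:
    # Assumed case-insensitive matching on the device name.
    return lambda d: d.name.lower().startswith(prefix.lower())


def tag_equals(tag: str) -> Callable[[Device], bool]:
    return lambda d: tag.lower() in {t.lower() for t in d.tags}


# Constructed groups modelled on the question. The ranks and Group3's rule are
# assumptions; the page only says Group2 outranks Group1 and that Group3's
# rule matches Computer3.
GROUPS = [
    DeviceGroup("Group1", rank=3, rule=name_starts_with("Device")),
    DeviceGroup("Group2", rank=1, rule=tag_equals("Tag1")),
    DeviceGroup("Group3", rank=2, rule=name_starts_with("Computer")),
]


def assign_group(device: Device, groups: list) -> Optional[str]:
    """Evaluate groups from the highest rank down and return the first match.
    A device that matches several groups lands only in the highest-ranked one;
    a device that matches none stays in the default ungrouped set (None here)."""
    for group in sorted(groups, key=lambda g: g.rank):
        if group.rule(device):
            return group.name
    return None


def assign_all(devices: list, groups: list) -> dict:
    """Map every onboarded device name to the group it ends up in."""
    return {d.name: assign_group(d, groups) for d in devices}
```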

You have a Microsoft 365 E5 subscription that contains 100 users. Each user has a computer that runs Windows 10 and either an Android mobile device or an iOS mobile device. All the devices are registered with Azure Active Directory (Azure AD).
You enable passwordless authentication for all the users.
You need to ensure that the users can sign in to the subscription by using passwordless authentication.
What should you instruct the users to do on their mobile device first?

  • A. Install a device certificate.
  • B. Install a user certificate.
  • C. Install the Microsoft Authenticator app.
  • D. Register for self-service password reset (SSPR).


Answer : C

The Authenticator App turns any iOS or Android phone into a strong, passwordless credential.
Note: Microsoft Authenticator App
You can allow your employee's phone to become a passwordless authentication method. You may already be using the Microsoft Authenticator App as a convenient multi-factor authentication option in addition to a password. You can also use the Authenticator App as a passwordless option.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless

You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

You enable the authentication methods registration campaign and configure the Microsoft Authenticator method for Group1.
Which users will be prompted to configure authentication during sign in?

  • A. User1 only
  • B. User2 only
  • C. User2 and User3 only
  • D. User1 and User2 only
  • E. User2 and User3 only
  • F. User1, User2, and User3 only


Answer : D

You can nudge users to set up Microsoft Authenticator during sign-in. Users will go through their regular sign-in, perform multifactor authentication as usual, and then be prompted to set up Microsoft Authenticator. You can include or exclude users or groups to control who gets nudged to set up the app. This allows targeted campaigns to move users from less secure authentication methods to Microsoft Authenticator.
Incorrect:
Not C, Not E, Not F: Not User3 since the user must not have already set up Microsoft Authenticator for push notifications on their account.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-registration-campaign

HOTSPOT -
You have a Microsoft 365 subscription that contains three users named User1, User2, and User3.
You have the named locations shown in the following table.

You configure an Azure Multi-Factor Authentication (MFA) trusted IP address range of 192.168.1.0/27.
You have the Conditional Access policies shown in the following table.

The users have the IP addresses shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:



Answer :

Box 1: No -
User1 has IP address 192.168.1.16, which is in DC named location. DC is not trusted.
CA1 applies. Access will not be granted.

Box 2: No -
User2 has IP address 192.168.2.16, which is in NY named location. NY is trusted. However, CA2 blocks Microsoft Planner NY access.

Box 3: No -
User3 is in LA. LA is not trusted.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policies

Your network contains an on-premises Active Directory domain. The domain contains a domain controller named DC1.
You have a Microsoft 365 E5 subscription.
You install the Microsoft Defender for Identity sensor on DC1.
You need to configure enhanced threat detection in Defender for Identity. The solution must ensure that the following events are collected from DC1:
✑ 4726 - User Account Deleted
✑ 4728 - Member Added to Global Security Group
✑ 4776 - Domain Controller Attempted to Validate Credentials for an Account (NTLM)
What should you do on DC1?

  • A. Install the Azure Monitor agent.
  • B. Install System Monitor (SYSMON).
  • C. Configure the Windows Event Collector service.
  • D. Configure the Advanced Audit Policy Configuration policy.


Answer : D

Windows Event logs -
Defender for Identity detection relies on specific Windows Event logs that the sensor parses from your domain controllers. For the correct events to be audited and included in the Windows Event log, your domain controllers require accurate Advanced Audit Policy settings. Incorrect Advanced Audit Policy settings can lead to the required events not being recorded in the Event Log and result in incomplete Defender for Identity coverage.

Note: Relevant Windows Events -
For Active Directory Federation Services (AD FS) events
1202 - The Federation Service validated a new credential
1203 - The Federation Service failed to validate a new credential
4624 - An account was successfully logged on
4625 - An account failed to log on

For other events -
1644 - LDAP search
4662 - An operation was performed on an object
4726 - User Account Deleted
4728 - Member Added to Global Security Group
4729 - Member Removed from Global Security Group
4730 - Global Security Group Deleted
4732 - Member Added to Local Security Group
4733 - Member Removed from Local Security Group
4741 - Computer Account Added
4743 - Computer Account Deleted
4753 - Global Distribution Group Deleted
4756 - Member Added to Universal Security Group
4757 - Member Removed from Universal Security Group
4758 - Universal Security Group Deleted
4763 - Universal Distribution Group Deleted
4776 - Domain Controller Attempted to Validate Credentials for an Account (NTLM)
7045 - New Service Installed
8004 - NTLM Authentication
Reference:
https://docs.microsoft.com/en-us/defender-for-identity/prerequisites
https://docs.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection

You have a Microsoft 365 E5 subscription that uses Azure Active Directory (Azure AD) Privileged Identity Management (PIM).
A user named User1 is eligible for the User Account Administrator role.
You need User1 to request to activate the User Account Administrator role.
From where should User1 request to activate the role?

  • A. the My Access portal
  • B. the Microsoft 365 Defender portal
  • C. the Microsoft 365 admin center
  • D. the Azure Active Directory admin center


Answer : A

Activate a role -
When you need to assume an Azure AD role, you can request activation by opening My roles in Privileged Identity Management.
1. Sign in to the Azure portal.
2. Open Azure AD Privileged Identity Management.
3. Select My roles, and then select Azure AD roles to see a list of your eligible Azure AD roles. (Figure: My roles page showing roles you can activate)
4. In the Azure AD roles list, find the role you want to activate. (Figure: Azure AD roles - My eligible roles list)
5. Select Activate to open the Activate pane.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role

You have a Microsoft 365 E5 subscription.
You need to enable support for sensitivity labels in Microsoft SharePoint Online.
What should you use?

  • A. the SharePoint admin center
  • B. the Microsoft 365 admin center
  • C. the Microsoft 365 Compliance center
  • D. the Azure Active Directory admin center


Answer : C

Use the Microsoft Purview compliance portal to enable support for sensitivity labels.
This option is the easiest way to enable sensitivity labels for SharePoint and OneDrive, but you must sign in as a global administrator for your tenant.
1. Sign in to the Microsoft Purview compliance portal as a global administrator, and navigate to Solutions > Information protection > Labels
2. If you see a message to turn on the ability to process content in Office online files, select Turn on now:


Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files

HOTSPOT -
You have a Microsoft 365 tenant.
A conditional access policy is configured for the tenant as shown in the Policy exhibit. (Click the Policy tab.)

The User Administrator role is configured as shown in the Role setting exhibit. (Click the Role setting tab.)

The User Administrator role has the assignments shown in the Assignments exhibit. (Click the Assignments tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:



Answer :

Box 1: Yes -
In this scenario, the User Administrator role is configured to require justification on active assignment.

Require justification -
You can require that users enter a business justification when they activate. To require justification, check the Require justification on active assignment box or the Require justification on activation box.

Box 2: Yes -
Activation maximum duration is 8 hours.

Box 3: Yes -
Require multifactor authentication
Privileged Identity Management provides enforcement of Azure AD Multi-Factor Authentication on activation and on active assignment.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-change-default-settings

HOTSPOT -
Your company has a Microsoft 365 E5 subscription and a hybrid Azure Active Directory named contoso.com.
Contoso.com includes the following users:

You configure Password protection for Contoso.com as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:



Answer :

Box 1: Yes -
Note: The following considerations and limitations apply to the custom banned password list:
The custom banned password list can contain up to 1000 terms.
The custom banned password list is case-insensitive.
The custom banned password list considers common character substitution, such as "o" and "0", or "a" and "@".
The minimum string length is four characters, and the maximum is 16 characters.

Box 2: Yes -
The $ character is OK when it is used instead of an S.

Box 3: No -
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-configure-custom-password-protection
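An added example, not part of the exam material, that models the custom banned password list behaviour described above in Python: it lower-cases the candidate, undoes the substitutions the page names ("o"/"0", "a"/"@", and "$"/"s" from Box 2) plus a few assumed ones, enforces the stated list limits, and applies the five-point scoring rule from the Azure AD Password Protection docs, which is an assumption beyond what this page states.

```python
from __future__ import annotations
import re

# Substitutions undone during normalization. "o"/"0", "a"/"@" and "$"/"s" are
# named on the page; "1"/"l", "!"/"i" and "3"/"e" are assumptions added here.
SUBSTITUTIONS = str.maketrans({"0": "o", "@": "a", "$": "s",
                               "1": "l", "!": "i", "3": "e"})

MIN_TERM, MAX_TERM, MAX_TERMS = 4, 16, 1000   # custom list limits from the page


def normalize(text: str) -> str:
    """Case-insensitive comparison with common substitutions undone."""
    return text.lower().translate(SUBSTITUTIONS)


def validate_custom_list(terms: list[str]) -> list[str]:
    """Reject lists that break the page's limits; return the normalized terms."""
    if len(terms) > MAX_TERMS:
        raise ValueError(f"custom banned list holds at most {MAX_TERMS} terms")
    for term in terms:
        if not MIN_TERM <= len(term) <= MAX_TERM:
            raise ValueError(f"term {term!r} must be {MIN_TERM}-{MAX_TERM} characters")
    return [normalize(t) for t in terms]


def score_password(password: str, custom_terms: list[str]) -> tuple[int, list[str]]:
    """Score a candidate the way the Azure AD docs describe (assumption beyond
    this page): each banned term found in the normalized password counts one
    point, every remaining character counts one point, and a candidate needs
    at least five points to be accepted."""
    norm = normalize(password)
    banned = sorted(validate_custom_list(custom_terms), key=len, reverse=True)
    # Longest terms first so "contoso" wins over a shorter overlapping term;
    # the fallback pattern never matches when the list is empty.
    pattern = "|".join(re.escape(t) for t in banned) or r"(?!x)x"
    hits, points, pos = [], 0, 0
    for m in re.finditer(pattern, norm):
        points += m.start() - pos        # ordinary characters before the hit
        points += 1                      # the whole banned term counts once
        hits.append(m.group(0))
        pos = m.end()
    points += len(norm) - pos            # trailing ordinary characters
    return points, hits


def is_password_allowed(password: str, custom_terms: list[str]) -> bool:
    points, _ = score_password(password, custom_terms)
    return points >= 5
```

With the constructed list ["Contoso", "Blank"], "C0nt0$oBl@nk12" normalizes to "contosoblank12" and scores only four points, so the substitutions do not get it past the list.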
