Microsoft - MS-500: Microsoft 365 Security Administration

Sample Questions

Question: 201
Measured Skill: Manage governance and compliance features in Microsoft 365 (25-30%)

Your network contains an on-premises Active Directory domain named contoso.com. The domain contains the groups shown in the following table.



The domain is synced to a Microsoft Azure Active Directory (Azure AD) tenant that contains the groups shown in the following table.



You create a sensitivity label named Label1.

You need to publish Label1.

To which groups can you publish Label1?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)

A On-premises Active Directory groups: Group4 only
Azure AD groups: Group13 only
B On-premises Active Directory groups: Group1 and Group4 only
Azure AD groups: Group13 and Group14 only
C On-premises Active Directory groups: Group3 and Group4 only
Azure AD groups: Group11 and Group12 only
D On-premises Active Directory groups: Group1, Group3, and Group4 only
Azure AD groups: Group11, Group13, and Group14 only
E On-premises Active Directory groups: Group1, Group2, Group3, and Group4
Azure AD groups: Group11, Group13, and Group14 only
F On-premises Active Directory groups: Group1, Group2, Group3, and Group4
Azure AD groups: Group11, Group12, Group13, and Group14

Correct answer: B

Explanation:

To get their work done, people in your organization collaborate with others both inside and outside the organization. This means that content no longer stays behind a firewall—it can roam everywhere, across devices, apps, and services. And when it roams, you want it to do so in a secure, protected way that meets your organization's business and compliance policies.

Sensitivity labels from the Microsoft Information Protection solution let you classify and protect your organization's data, while making sure that user productivity and their ability to collaborate isn't hindered.

After you create your sensitivity labels, you need to publish them, to make them available to people and services in your organization. The sensitivity labels can then be applied to Office documents and emails, and other items that support sensitivity labels.

Unlike retention labels, which are published to locations such as all Exchange mailboxes, sensitivity labels are published to users or groups. Apps that support sensitivity labels can then display them to those users and groups as applied labels, or as labels that they can apply.

Labels can be published to any specific user or email-enabled security group, distribution group, or Microsoft 365 group (which can have dynamic membership) in Azure AD.

Note: Distribution groups that do not have an email address assigned are not synced from on-premises Active Directory to Azure AD.

Reference: Learn about sensitivity labels

Question: 202
Measured Skill: Implement and manage threat protection (20-25%)

You have an on-premises Hyper-V infrastructure that contains the following:
  • An Active Directory domain
  • A domain controller named Server1
  • A member server named Server2
A security policy specifies that Server1 cannot connect to the Internet. Server2 can connect to the Internet.

You need to implement Azure Advanced Threat Protection (ATP) to monitor the security of the domain.

What should you configure on each server?

(To answer, drag the appropriate components to the correct servers. Each component may only be used once, more than once, or not at all. NOTE: Each correct selection is worth one point.)

A Server1: An Azure ATP sensor
Server2: An Azure ATP sensor, An event subscription
B Server1: An Azure ATP sensor
Server2: An Azure ATP standalone sensor, An event subscription
C Server1: An Azure ATP standalone sensor
Server2: A port mirroring source, An event subscription
D Server1: An Azure ATP standalone sensor
Server2: An Azure ATP sensor, A port mirroring source
E Server1: An event subscription
Server2: A port mirroring source, An event subscription
F Server1: A port mirroring source
Server2: An Azure ATP standalone sensor, An event subscription

Correct answer: F

Explanation:

Azure ATP monitors your domain controllers by capturing and parsing network traffic and leveraging Windows events directly from your domain controllers, then analyzes the data for attacks and threats. Utilizing profiling, deterministic detection, machine learning, and behavioral algorithms, Azure ATP learns about your network, enables detection of anomalies, and warns you of suspicious activities.

Azure ATP-Sensor
The Azure ATP sensor supports installation on a domain controller running Windows Server 2008 R2 SP1 (not including Server Core), Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 (including Windows Server Core but not Windows Nano Server), Windows Server 2019 (including Windows Core but not Windows Nano Server).

The domain controller can be a read-only domain controller (RODC).

For your domain controllers to communicate with the cloud service, you must open port 443 in your firewalls and proxies to *.atp.azure.com.

During installation, the .NET Framework 4.7 is installed; this might require a reboot of the domain controller if a restart is already pending.

Standalone Azure ATP-Sensor
The Azure ATP standalone sensor supports installation on a server running Windows Server 2012 R2 or Windows Server 2016 (including Server Core). The Azure ATP standalone sensor can be installed on a server that is a member of a domain or workgroup. The Azure ATP standalone sensor can be used to monitor domain controllers with a domain functional level of Windows 2003 and above.

For your standalone sensor to communicate with the cloud service, port 443 in your firewalls and proxies to *.atp.azure.com must be open.

If you are installing a standalone ATP sensor, you must configure the domain controller for port mirroring so that the sensor can read the event data from the domain controller.

Reference: Configure port mirroring
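The answer above, carried out as an added example (not from the original page or from Microsoft's documentation): port mirroring on the Hyper-V host, and a collector-initiated event subscription on Server2 pulling the NTLM authentication event (4776) from Server1. It assumes VM names equal to the server names, both VMs on the same virtual switch, and that Server2's computer account has been added to the Event Log Readers group on Server1.

```powershell
# --- On the Hyper-V host: mirror Server1's traffic to Server2 (port mirroring is a virtual switch feature) ---
Set-VMNetworkAdapter -VMName "Server1" -PortMirroring Source       # domain controller: its traffic is copied
Set-VMNetworkAdapter -VMName "Server2" -PortMirroring Destination  # standalone sensor: receives the copy
Get-VMNetworkAdapter -VMName "Server1", "Server2" |
    Select-Object VMName, SwitchName, PortMirroringMode            # expect Source / Destination on one switch

# --- On Server1 (domain controller, no Internet access): enable WinRM so the collector can pull events ---
winrm quickconfig -q

# --- On Server2 (standalone sensor, only host needing 443 egress to *.atp.azure.com): collect DC events ---
wecutil qc /q                                                       # configure and start Windows Event Collector
@"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>AzureATP-Server1</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Enabled>true</Enabled>
  <Delivery Mode="Push"><Batching><DeliveryMaxLatencyTime>1000</DeliveryMaxLatencyTime></Batching></Delivery>
  <Query><![CDATA[<QueryList><Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4776)]]</Select></Query></QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources><EventSource Enabled="true"><Address>Server1.contoso.com</Address></EventSource></EventSources>
</Subscription>
"@ | Set-Content -Path "$env:TEMP\atp-subscription.xml" -Encoding UTF8
wecutil cs "$env:TEMP\atp-subscription.xml"                         # create the subscription from the XML
wecutil gr AzureATP-Server1                                          # runtime status: Server1 should show Active
```

If `wecutil gr` reports Server1 as inactive, the usual causes are WinRM not listening on Server1 or the collector account missing from Event Log Readers there.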

Question: 203
Measured Skill: Implement and manage identity and access (30-35%)

You have a Microsoft 365 tenant. User attributes are synced from your company's human resources (HR) system to Azure Active Directory (Azure AD).

The company has four departments, each of which has its own Microsoft SharePoint Online site. Each site must be accessed only by the users from its respective department.

You are designing an access management solution that has the following requirements:
  • Users must be added automatically to the security group of their department.
  • All security group owners must verify once quarterly that only the users in their department belong to their group.
Which components should you recommend to meet the requirements?

(To answer, drag the appropriate components to the correct requirements. Each component may only be used once, more than once, or not at all. NOTE: Each correct selection is worth one point.)

A Users must be automatically added to the security group for their department: Access packages
Group owners must verify membership of departmental groups: Azure AD Privileged Identity Management (PIM) role assignments
B Users must be automatically added to the security group for their department: Azure AD Privileged Identity Management (PIM) role assignments
Group owners must verify membership of departmental groups: Access reviews
C Users must be automatically added to the security group for their department: Groups that have a Membership type of Assigned
Group owners must verify membership of departmental groups: Conditional access policies
D Users must be automatically added to the security group for their department: Groups that have a Membership type of Assigned
Group owners must verify membership of departmental groups: Azure AD Privileged Identity Management (PIM) role assignments
E Users must be automatically added to the security group for their department: Groups that have a Membership type of Dynamic User
Group owners must verify membership of departmental groups: Access reviews
F Users must be automatically added to the security group for their department: Groups that have a Membership type of Dynamic User
Group owners must verify membership of departmental groups: Access packages

Correct answer: E

Explanation:

We should use dynamic membership rules to add users to their department group based on their user attributes.

In Azure Active Directory (Azure AD), you can create complex attribute-based rules to enable dynamic memberships for groups. Dynamic group membership reduces the administrative overhead of adding and removing users.

When any attributes of a user or device change, the system evaluates all dynamic group rules in a directory to see if the change would trigger any group adds or removes. If a user or device satisfies a rule on a group, they are added as a member of that group. If they no longer satisfy the rule, they are removed. You can't manually add or remove a member of a dynamic group.

Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. Users' access can be reviewed on a regular basis to make sure only the right people have continued access.

References:

Dynamic membership rules for groups in Azure Active Directory

What are Azure AD access reviews?
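Both requirements of this question, implemented as an added example with the Microsoft Graph PowerShell SDK (not code from the page or from Microsoft): one dynamic security group per department keyed on the HR-synced `user.department` attribute, plus a quarterly access review of each group whose reviewers are the group owners. The department names and review settings are assumed.

```powershell
# Assumes the Microsoft.Graph module is installed and the signed-in admin can create groups and access reviews.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "AccessReview.ReadWrite.All"

# Assumed department values; each must match the user.department value that HR sync writes exactly.
$departments = @("Finance", "HumanResources", "Engineering", "Sales")

foreach ($dept in $departments) {
    # Requirement 1: Dynamic User group; Azure AD re-evaluates the rule whenever user.department changes,
    # so members cannot be added or removed by hand.
    $group = New-MgGroup -DisplayName "SG-$dept" -MailEnabled:$false -SecurityEnabled `
        -MailNickname "sg-$($dept.ToLower())" -GroupTypes @("DynamicMembership") `
        -MembershipRule ('(user.department -eq "{0}")' -f $dept) `
        -MembershipRuleProcessingState "On"

    # Requirement 2: recurring access review every three months, reviewed by the group's owners.
    $review = @{
        displayName = "Quarterly review - SG-$dept"
        scope = @{
            "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
            query     = "/groups/$($group.Id)/transitiveMembers"
            queryType = "MicrosoftGraph"
        }
        reviewers = @(@{ query = "/groups/$($group.Id)/owners"; queryType = "MicrosoftGraph" })
        settings = @{
            mailNotificationsEnabled        = $true
            reminderNotificationsEnabled    = $true
            justificationRequiredOnApproval = $true
            instanceDurationInDays          = 14
            # Membership of a dynamic group is rule-driven, so a "Deny" cannot be applied by removing the
            # user; the owner escalates to HR to correct the department attribute instead.
            autoApplyDecisionsEnabled       = $false
            recurrence = @{
                pattern = @{ type = "absoluteMonthly"; interval = 3 }   # quarterly
                range   = @{ type = "noEnd"; startDate = (Get-Date -Format "yyyy-MM-dd") }
            }
        }
    }
    New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $review
}
```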

Question: 204
Measured Skill: Implement and manage information protection (15-20%)

You have a Microsoft 365 tenant.

You have a database that stores customer details. Each customer has a unique 13-digit identifier that consists of a fixed pattern of numbers and letters.

You need to implement a data loss prevention (DLP) solution that meets the following requirements:
  • Email messages that contain a single customer identifier can be sent outside your company.
  • Email messages that contain two or more customer identifiers must be approved by the company's data privacy team.
Which two components should you include in the solution?

(Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.)

A A sensitive information type
B A sensitivity label
C A retention label
D A DLP policy
E A mail flow rule

Correct answer: A, D

Explanation:

We need to create a custom sensitive information type that detects the occurrence of the 13-digit identifier. Sensitive information types are pattern-based classifiers. They detect sensitive information like social security, credit card, or bank account numbers to identify sensitive items.

We can include the sensitive information type in a DLP policy with two rules: a low-volume rule that takes no action when a mail contains only a single instance of the sensitive information type, and a high-volume rule that requires approval when a mail contains two or more instances.

References:

Learn about sensitive information types

Create, test, and tune a DLP policy
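The solution described above, as an added example using Security & Compliance PowerShell (not from the page): a custom sensitive information type defined by a rule package, and a DLP policy whose high-volume rule sends messages with two or more identifiers to the privacy team for approval. The identifier format (three uppercase letters plus ten digits, 13 characters), the names and the moderator address are assumptions.

```powershell
# Assumes Connect-IPPSSession has already been run as a compliance administrator.
$packId = [guid]::NewGuid(); $pubId = [guid]::NewGuid(); $entId = [guid]::NewGuid()
$rulePack = @"
<?xml version="1.0" encoding="UTF-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="$packId">
    <Version major="1" minor="0" build="0" revision="0"/>
    <Publisher id="$pubId"/>
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Contoso</PublisherName>
        <Name>Customer ID rule pack</Name>
        <Description>Detects the 13-character customer identifier</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <Entity id="$entId" patternsProximity="300" recommendedConfidence="85">
      <Pattern confidenceLevel="85">
        <IdMatch idRef="Regex_CustomerId"/>
      </Pattern>
    </Entity>
    <Regex id="Regex_CustomerId">[A-Z]{3}\d{10}</Regex>
    <LocalizedStrings>
      <Resource idRef="$entId">
        <Name default="true" langcode="en-us">Customer ID</Name>
        <Description default="true" langcode="en-us">Contoso customer identifier (assumed format)</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"@
# Component 1: the custom sensitive information type is uploaded as a rule package
New-DlpSensitiveInformationTypeRulePackage -FileData ([System.Text.Encoding]::UTF8.GetBytes($rulePack))

# Component 2: the DLP policy, scoped to Exchange Online
New-DlpCompliancePolicy -Name "Customer ID policy" -ExchangeLocation All -Mode Enable

# High-volume rule: two or more identifiers leaving the organization are held for the privacy team.
# A single identifier matches no rule (minCount=2), so such mail is delivered unchanged.
New-DlpComplianceRule -Name "Customer ID - two or more" -Policy "Customer ID policy" `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation @{Name = "Customer ID"; minCount = "2"} `
    -Moderate @{ModerateMessageByUser = @("privacy-team@contoso.com")}
```

Before switching `-Mode` to `Enable`, run the policy in `TestWithNotifications` and test the type with `Test-DataClassification` against sample text containing one and two identifiers to confirm the count thresholds behave as intended.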

Question: 205
Measured Skill: Manage governance and compliance features in Microsoft 365 (25-30%)

You have a Microsoft 365 E3 subscription.

You plan to audit all Microsoft Exchange Online user and admin activities.

You need to ensure that all the Exchange audit log records are retained for one year.

What should you do?

A Modify the retention period of the default audit retention policy.
B Create a custom audit retention policy.
C Assign Microsoft 365 Enterprise E5 licenses to all users.
D Modify the record type of the default audit retention policy.

Correct answer: C

Explanation:

You can create and manage audit log retention policies in the Security & Compliance Center. Audit log retention policies are part of the new Advanced Audit capabilities in Microsoft 365. An audit log retention policy lets you specify how long to retain audit logs in your organization. You can retain audit logs for up to 10 years. You can create policies based on the following criteria:

  • All activities in one or more Microsoft 365 services

  • Specific activities (in a Microsoft 365 service) performed by all users or by specific users

  • A priority level that specifies which policy takes precedence if you have multiple policies in your organization

Advanced Audit in Microsoft 365 provides a default audit log retention policy for all organizations. This policy retains all Exchange Online, SharePoint Online, OneDrive for Business, and Azure Active Directory audit records for one year. This default policy retains audit records in which the Workload property (the service in which the activity occurred) has the value Exchange, SharePoint, OneDrive, or AzureActiveDirectory. The default policy can't be modified.

The default audit log retention policy only applies to audit records for activity performed by users who are assigned an Office 365 or Microsoft 365 E5 license or have a Microsoft 365 E5 Compliance or E5 eDiscovery and Audit add-on license. If you have non-E5 users or guest users in your organization, their corresponding audit records are retained for 90 days.

Reference: Manage audit log retention policies

© Copyright 2014 - 2021 by cert2brain.com