 

Microsoft - MS-500: Microsoft 365 Security Administration

Sample Questions

Question: 197
Measured Skill: Implement and manage information protection (15-20%)

You have a Microsoft 365 subscription.

You need to include a custom sensitive information type in a Data loss prevention (DLP) policy.

Which four actions should you perform in sequence?

(To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.)


A Sequence: 1, 3, 6, 4
B Sequence: 2, 3, 6, 4
C Sequence: 1, 5, 6, 4
D Sequence: 2, 5, 6, 4

Correct answer: D

Explanation:

When looking for sensitive information in content, you need to describe that information in what's called a rule. Data loss prevention (DLP) includes rules for the most-common sensitive information types that you can use right away. To use these rules, you have to include them in a policy. You might find that you want to adjust these built-in rules to meet your organization's specific needs, and you can do that by creating a custom sensitive information type.

To export the sensitive information types XML definitions, you need to connect to the Security and Compliance Center via Remote PowerShell.

The following Microsoft 365 article describes how to customize a built-in sensitive information type step by step.

Customize a built-in sensitive information type

Question: 198
Measured Skill: Manage governance and compliance features in Microsoft 365 (25-30%)

You have a Microsoft 365 tenant.

You need to retain Azure Active Directory (Azure AD) audit logs for two years. Administrators must be able to query the audit log information by using the Azure Active Directory admin center.

What should you do?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A Save the audit logs to: Azure Data Lake Storage Gen2
Azure AD admin center blade to use to view the saved audit logs: Audit logs
B Save the audit logs to: Azure Data Lake Storage Gen2
Azure AD admin center blade to use to view the saved audit logs: Usage & Insights
C Save the audit logs to: Azure Files
Azure AD admin center blade to use to view the saved audit logs: Identity Governance
D Save the audit logs to: Azure Files
Azure AD admin center blade to use to view the saved audit logs: Audit logs
E Save the audit logs to: Azure Log Analytics
Azure AD admin center blade to use to view the saved audit logs: Logs
F Save the audit logs to: Azure Log Analytics
Azure AD admin center blade to use to view the saved audit logs: Sign-Ins

Correct answer: E

Explanation:

You can route audit activity logs and sign-in activity logs to Azure Monitor logs for further analysis. In order to send Azure AD audit logs to Azure Log Analytics, you need to add a diagnostic setting in the Azure AD admin center.



The logs are pushed to the AuditLogs and SigninLogs tables in the workspace. To view the schema for these tables and to query for audit events, select Logs from the Azure Active Directory admin center.



References:

Integrate Azure AD logs with Azure Monitor logs

Analyze Azure AD activity logs with Azure Monitor logs

Question: 199
Measured Skill: Implement and manage identity and access (30-35%)

You have a Microsoft 365 E5 subscription that contains the users shown in the following table.



You need to identify which user can enable Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) roles.

Which user should you identify?

A User1
B User4
C User3
D User2

Correct answer: D

Explanation:

Microsoft Defender for Endpoint supports two ways to manage permissions:

  • Basic permissions management: Set permissions to either full access or read-only.
  • Role-based access control (RBAC): Set granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to device groups.

If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the switch:

  • Users with full access (users that are assigned the Global Administrator or Security Administrator directory role in Azure AD) are automatically assigned the default Defender for Endpoint administrator role, which also has full access. Additional Azure AD user groups can be assigned to the Defender for Endpoint administrator role after switching to RBAC. Only users assigned to the Defender for Endpoint administrator role can manage permissions using RBAC.
  • Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. Note that only Azure AD user groups can be assigned a role under RBAC.
  • After switching to RBAC, you will not be able to switch back to using basic permissions management.
Note: Microsoft Defender Advanced Threat Protection was renamed to Microsoft Defender for Endpoint.

Reference: Assign user access to Microsoft Defender Security Center

Question: 200
Measured Skill: Implement and manage threat protection (20-25%)

You work as an administrator for a company. You have a Microsoft 365 tenant.

You create an attack surface reduction policy that uses an application control profile as shown in the following exhibit.



Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

(NOTE: Each correct selection is worth one point.)


A When only a member of Group1 connects to a site ... the site will open without warning.
When only a member of Group2 connects to a site ... the site will be blocked from opening.
B When only a member of Group1 connects to a site ... the site will open without warning.
When only a member of Group2 connects to a site ... the member will receive a security warning.
C When only a member of Group1 connects to a site ... the site will be blocked from opening.
When only a member of Group2 connects to a site ... the site will open without warning.
D When only a member of Group1 connects to a site ... the site will be blocked from opening.
When only a member of Group2 connects to a site ... the site will be blocked from opening.
E When only a member of Group1 connects to a site ... the member will receive a security warning.
When only a member of Group2 connects to a site ... the member will receive a security warning.
F When only a member of Group1 connects to a site ... the member will receive a security warning.
When only a member of Group2 connects to a site ... the site will open without warning.

Correct answer: E

Explanation:

Your organization's attack surface includes all the places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to perform attacks. Configuring attack surface reduction rules in Microsoft Defender for Endpoint can help!

Attack surface reduction rules target certain software behaviors, such as:

  • Launching executable files and scripts that attempt to download or run files;
  • Running obfuscated or otherwise suspicious scripts; and
  • Performing behaviors that apps don't usually initiate during normal day-to-day work.

Such software behaviors are sometimes seen in legitimate applications; however, these behaviors are often considered risky because they are commonly abused by attackers through malware. Attack surface reduction rules can constrain risky behaviors and help keep your organization safe.

The policy allows Windows 10 client computers to run only Windows components, Microsoft Store apps, and reputable apps as defined by the Intelligent Security Graph (ISG). The policy also enforces Microsoft Defender SmartScreen, which is enabled by default. If Microsoft Defender SmartScreen determines that a page is suspicious, it shows a warning page to advise caution.

References:

Deploy Windows Defender Application Control policies by using Microsoft Intune

Microsoft Defender SmartScreen



Question: 201
Measured Skill: Manage governance and compliance features in Microsoft 365 (25-30%)

Your network contains an on-premises Active Directory domain named contoso.com. The domain contains the groups shown in the following table.



The domain is synced to a Microsoft Azure Active Directory (Azure AD) tenant that contains the groups shown in the following table.



You create a sensitivity label named Label1.

You need to publish Label1.

To which groups can you publish Label1?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A On-premises Active Directory groups: Group4 only
Azure AD groups: Group13 only
B On-premises Active Directory groups: Group1 and Group4 only
Azure AD groups: Group13 and Group14 only
C On-premises Active Directory groups: Group3 and Group4 only
Azure AD groups: Group11 and Group12 only
D On-premises Active Directory groups: Group1, Group3, and Group4 only
Azure AD groups: Group11, Group13, and Group14 only
E On-premises Active Directory groups: Group1, Group2, Group3, and Group4
Azure AD groups: Group11, Group13, and Group14 only
F On-premises Active Directory groups: Group1, Group2, Group3, and Group4
Azure AD groups: Group11, Group12, Group13, and Group14

Correct answer: B

Explanation:

To get their work done, people in your organization collaborate with others both inside and outside the organization. This means that content no longer stays behind a firewall—it can roam everywhere, across devices, apps, and services. And when it roams, you want it to do so in a secure, protected way that meets your organization's business and compliance policies.

Sensitivity labels from the Microsoft Information Protection solution let you classify and protect your organization's data, while making sure that user productivity and their ability to collaborate isn't hindered.

After you create your sensitivity labels, you need to publish them, to make them available to people and services in your organization. The sensitivity labels can then be applied to Office documents and emails, and other items that support sensitivity labels.

Unlike retention labels, which are published to locations such as all Exchange mailboxes, sensitivity labels are published to users or groups. Apps that support sensitivity labels can then display them to those users and groups as applied labels, or as labels that they can apply.

Labels can be published to any specific user or email-enabled security group, distribution group, or Microsoft 365 group (which can have dynamic membership) in Azure AD.

Note: Distribution groups do not sync from on-premises to Azure AD if they do not have an email address assigned.

Reference: Learn about sensitivity labels



 
 
 

© Copyright 2014 - 2021 by cert2brain.com