Microsoft MS-500 today updated questions - Verified by Microsoft Experts

Microsoft 365 Security Administration Questions and Answers

Question 1

You have a Microsoft 365 that uses Microsoft ShareP0•int Online.

You need to ensure that users can only share files with users at specified partner companies. The solution must minimize administrative effort.

What should you do?

Options:

Allow only in specific security groups to share externally.

Set File and folder links to people.

Limit external by domain

Set External sharing to New and existing guest

Question 2

Your network contains an on-premises Active Directory domain named contoso.local that has a forest functional level of Windows Server 2008 R2.

You have a Microsoft 365 E5 subscription linked to an Azure Active Directory (Azure AD) tenant named contoso.com.

You plan to install Azure AD Connect and enable single sign-on (SSO).

You need to prepare the domain to support SSO. The solution must minimize administrative effort.

What should you do?

Options:

Raise the forest functional level to Windows Server 2016.

Modify the UPN suffix of all domain users.

Populate the mail attribute of all domain users.

Rename the domain.

Question 3

You have a Microsoft 365 subscription for a company named Contoso, Ltd. All data is in Microsoft 365.

Contoso works with a partner company named Litware. Inc. Litware has a Microsoft 365 subscription, Microsoft OneDrive has the default settings.

You need to allow users at Contoso to share files from Microsoft OneDrive only to specific users at Litware.

Which two actions should you perform from the SharePoint admin center? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

Options:

Modify the Links settings.

Change the permissions for OneDrive External sharing to the least permissive level.

Configure the permission level for OneDrive External sharing to be less restrictive.

Modify the Device access settings.

Configure the permission level for OneDrive External sharing to be more restrictive.

Modify the Sync settings.

Question 4

You have a Microsoft 365 subscription.

You need to create data loss prevention (DLP) queries in Microsoft SharePoint Online to find sensitive data stored in sites.

Which type of site collection should you create first?

Options:

Records Center

Compliance Policy Center

eDiscovery Center

Enterprise Search Center

Document Center

Question 5

You have a Microsoft 365 subscription.

You need to enable auditing for all Microsoft Exchange Online users.

What should you do?

Options:

From the Exchange admin center, create a journal rule

Run the Set-MailboxDatabase cmdlet

Run the Set-Mailbox cmdlet

From the Exchange admin center, create a mail flow message trace rule.

Question 6

You have a Microsoft 365 subscription that uses an Azure Active Directory (Azure AD) tenant named contoso.com. All the devices in the tenant are managed by using Microsoft Intune.

You purchase a cloud app named App1 that supports session controls.

You need to ensure that access to App can be reviewed in real time.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Options:

Question 7

You have a Microsoft 365 E5 subscription that is linked to an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains three groups named Group!, Group2. and Group3 and the users shown in the following table.

You create a new access package as shown in the following exhibit.

You have a Microsoft 365 E5 subscription that uses Microsoft Endpoint Manager. The Compliance policy settings are configured as shown in the following exhibit.

These settings configure the way the compliance service treats devices. Each device evaluates these as a "Built-in Device Compliance Policy", which is reflected in device monitoring.

Options:

Question 8

You have a Microsoft 365 subscription.

Your company uses Jamf Pro to manage macOS devices.

You plan to create device compliance policies for the macOS devices based on the Jamf Pro data.

You need to connect Microsoft Endpoint Manager to Jamf Pro.

What should you do first?

Options:

From the Azure Active Directory admin center, add a Mobility (MDM and MAM) application.

From the Endpoint Management admin center, add the Mobile Threat Defense connector.

From the Endpoint Management admin center, configure Partner device management.

From the Azure Active Directory admin center, register an application.

Question 9

You need to ensure that a user named Grady Archie can monitor the service health of your Microsoft 365 tenant. The solution must use the principle of least privilege.

To complete this task, sign in to the Microsoft 365 portal.

Options:

Question 10

You have a Microsoft 365 subscription.

Yesterday, you created retention labels and published the labels to Microsoft Exchange Online mailboxes.

You need to ensure that the labels will be available for manual assignment as soon as possible.

What should you do?

Options:

From the Security & Compliance admin center, create a label policy

From Exchange Online PowerShell, run Start-RetentionAutoTagLearning

From Exchange Online PowerShell, run Start-ManagedFolderAssistant

From the Security & Compliance admin center, create a data loss prevention (DLP) policy

Question 11

You have a Microsoft 365 E5 subscription that contains three users named User1, User2 and User3.

You have Azure AD roles that have the role activation settings shown in the following table.

You have Azure AD roles that have the role assignment settings shown in the following table.

The Azure AD roles have eligible users assigned as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Options:

Question 12

Your company has a Microsoft 365 subscription.

The company forbids users to enroll personal devices in mobile device management (MDM).

Users in the sales department have personal iOS devices.

You need to ensure that the sales department users can use the Microsoft Power BI app from iOS devices to access the Power BI data in your tenant.

The users must be prevented from backing up the app’s data to iCloud.

What should you create?

Options:

a conditional access policy in Microsoft Azure Active Directory (Azure AD) that has a device state

condition

an app protection policy in Microsoft Intune

a conditional access policy in Microsoft Azure Active Directory (Azure AD) that has a client apps condition

a device compliance policy in Microsoft Intune

Question 13

You have a Microsoft 365 subscription that contains a Microsoft SharePoint Online site named Site1. Site1 contains the folders shown in the following table.

At 09:00, you create a Microsoft Cloud App Security policy named Policy1 as shown in the following exhibit.

After you create Policy1, you upload files to Site1 as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Options:

Question 14

Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section. This may take a few minutes, and the wait time will not be deducted from your overall test time.

When the Next button is available, click it to access the lab section. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design.

Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn’t matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.

Labs are not timed separately, and this exam may more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.

Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.

Username and password

Use the following login credentials as needed:

To enter your username, place your cursor in the Sign in box and click on the username below.

To enter your password, place your cursor in the Enter password box and click on the password below.

Microsoft 365 Username:

admin@LODSe244001@onmicrosoft.com

Microsoft 365 Password: &=Q8v@2qGzYz

If the Microsoft 365 portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab.

The following information is for technical support only:

Lab instance: 11032396

You need to ensure that when users tag documents as classified, a classified watermark is applied to the documents.

To complete this task, sign in to the Microsoft Office 365 admin center.

Options:

Answer:

See explanation below.

Explanation:

1. In the admin center, select the Compliance admin center.

2. Select Classification > Sensitivity labels.

3. Select Create a label, and when the warning appears, select Yes.

4. Enter a Label name, Tooltip, and Description. Select Next.

5. Turn on Encryption. Choose when you want to assign permissions, whether you want your users' access to the content to expire, and whether you want to allow offline access.

6. Select Assign permissions > Add these email addresses or domains.

7. Enter an email address or domain name (such as Contoso.org). Select Add, and repeat for each email address or domain you want to add.

8. Select Choose permissions from preset or custom.

9. Use the drop-down list to select preset permissions, such as Reviewer or Viewer, or select Custom permissions. If you chose Custom, select the permissions from the list. Select Save >Save > Next.

10. Turn on Content marking, and choose the markings you want to use.

11. For each marking that you choose, select Customize text. Enter the text you want to appear on the document, and set the font and layout options. Select Save, and then repeat for any additional markings. Select Next.

12. Optionally, turn on Endpoint data loss prevention. Select Next.

13. Optionally, turn on Auto labeling. Add a condition. For example, under Detect content that contains, select Add a condition. Enter the condition; for example, add a condition that if passport, Social Security, or other sensitive information is detected, the label will be added. Select Next.

14. Review your settings, and select Create. Your label has been created. Repeat this process for any additional labels you want.

15. By default, labels appear in Office apps in this order: Confidential, Internal, and Public. To change the order, for each label, select More actions (the ellipsis), and then move the label up or down. Typically, permissions are listed from the lowest to highest level of permissions.

16. To add a sub-label to a label, select More actions, then Add sub level.

17. When finished, choose Publish labels> Choose labels to publish > Add. Select the labels you want to publish, and then select Add > Done > Next.

18. By default, the new label policy is applied to everyone. If you want to limit who the policy is applied to, select Choose users or groups > Add. Select who you want the policy to apply to, and then select Add > Done > Next.

19. If you want a default label for documents and email, select the label you want from the drop-down list. Review the remaining settings, adjust as needed, and then select Next.

20. Enter a Name and Description for your policy. Select Next.

21. Review your settings, then select Publish.

Reference: [Reference:, https://support.office.com/en-us/article/create-and-manage-sensitivity-labels-2fb96b54-7dd2-4f0c-ac8d-170790d4b8b9, , https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide, , ]

Question 15

Von haw a Microsoft 365 subscription.

You need to ensure that users on manually designate which content will be subject to data toss prevention (DIP) polices?

What should you create first?

Options:

a retention label

a custom sensitive information type

a safe attachments policy

a Data Subject Request (OSR)

Question 16

You have a Microsoft 365 subscription that contains 100 users.

Microsoft Secure Score for the subscription is shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the the information presented in the graphic.

NOTE: Each correct selection is worth one point.

Options:

Question 17

You have a Microsoft 365 subscription linked to an Azure Active Directory (Azure AD) tenant that contains a user named User1.

You have a Data Subject Request (DSR) case named Case1.

You need to allow User1 to export the results of Case1. The solution must use the principle of least privilege.

Which role should you assign to User1 for Case1?

Options:

eDiscovery Manager

Security Operator

eDiscovery Administrator

Global Reader

Question 18

You need to create a policy that identifies content in Microsoft OneDrive that contains credit card numbers.

To complete this task, sign in to the Microsoft 365 portal.

Options:

Answer:

See explanation below.

Explanation:

You need to configure auto-labeling in ‘simulation’ mode. In the policy, you can select the ‘Credit Card’ sensitive info type.

In the Microsoft 365 compliance center, navigate to sensitivity labels:

Solutions > Information protection

Select the Auto-labeling (preview) tab.
Select + Create policy.
For the page Choose info you want this label applied to: Select one of the templates, such as Financial or Privacy. You can refine your search by using the Show options for dropdown. Or, select Custom policy if the templates don't meet your requirements. Select Next.
For the page Name your auto-labeling policy: Provide a unique name, and optionally a description to help identify the automatically applied label, locations, and conditions that identify the content to label.
For the page Choose locations where you want to apply the label: Select OneDrive. Then select Next.
For the Define policy settings page: Keep the default of Find content that contains to define rules that identify content to label across all your selected locations. The rules use conditions that include sensitive information types and sharing options. For sensitive information types, you can select both built-in and custom sensitive information types.
Then select Next.
For the Set up rules to define what content is labeled page: Select + Create rule and then select Next.
On the Create rule page, name and define your rule, using sensitive information types and then select Save.
Click Next.
For the Choose a label to auto-apply page: Select + Choose a label, select a label from the Choose a sensitivity label pane, and then select Next.
For the Decide if you want to run policy simulation now or later page: Select Run policy in simulation mode if you're ready to run the auto-labeling policy now, in simulation mode. Otherwise, select Leave policy turned off. Select Next.
For the Summary page: Review the configuration of your auto-labeling policy and make any changes that needed, and complete the wizard.

Reference: [Reference:, https://docs.microsoft.com/en-us/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-worldwide, , , ]

Question 19

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have a Microsoft 365 E5 subscription that contains a user named User1.

The Azure Active Directory (Azure AD) Identity Protection risky users report identifies User1.

For User1, you select Confirm user compromised.

User1 can still sign in.

You need to prevent User1 from signing in. The solution must minimize the impact on users at a lower risk level.

Solution: You configure the sign-in risk policy to block access when the sign-in risk level is high.

Does this meet the goal?

Options:

Yes

Question 20

You have a Microsoft 365 subscription for a company named Contoso, Ltd. All data is in Microsoft 365.

Contoso works with a partner company named Litware, Inc. Litware has a Microsoft 365 subscription.

You need to allow users at Contoso to share files from Microsoft OneDrive to specific users at Litware.

Which two actions should you perform from the OneDrive admin center? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

Options:

Increase the permission level for OneDrive External sharing

Modify the Links settings

Change the permissions for OneDrive External sharing to the least permissive level

Decrease the permission level for OneDrive External sharing

Modify the Device access settings

Modify the Sync settings

Question 21

You have a Microsoft 365 E5 subscription that contains a user named User1.

User1 needs to be able to create Data Subject Requests (DSRs) in the Microsoft 365 compliance center.

To which role or role group should you add User1?

Options:

the Compliance Data Administrator role

the Data Investigator role

the eDiscovery Manager role

the Records Management role group

Question 22

You have a hybrid Microsoft 365 deployment that contains the users shown in the following table.

You need to perform an eDiscovery content search.

Which users data can be included in the content search? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Options:

Question 23

You have multiple Microsoft 365 subscriptions.

You need to build an application that will retrieve the Microsoft Secure Score data of each subscription.

What should you use?

Options:

the Microsoft Defender for Endpoint API

the Microsoft Graph Security API

the Microsoft Office 365 Management API

the Azure Monitor REST API

Question 24

You have a Microsoft 365 subscription.

You configure Microsoft Defender for Endpoint as shown in the following table.

You onboard devices to Microsoft Defender for Endpoint as shown in the following table.

Microsoft Defender for Endpoint contains the incidents shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Options:

Question 25

You have a Microsoft 365 subscription.

You create an Advanced Threat Protection (ATP) safe attachments policy to quarantine malware.

You need to configure the retention duration for the attachments in quarantine.

Which type of threat management policy should you create from the Security&Compliance admin center?

Options:

ATP anti-phishing

DKIM

Anti-spam

Anti-malware

Question 26

You need to recommend a solution that meets the technical and security requirements for sharing data with the partners.

What should you include in the recommendation? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

Options:

Create an access review.

Assign the Global administrator role to User1.

Assign the Guest inviter role to User1.

Modify the External collaboration settings in the Azure Active Directory admin center.

Question 27

You need to recommend an email malware solution that meets the security requirements.

What should you include in the recommendation? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Options:

Question 28

You need to recommend a solution to protect the sign-ins of Admin1 and Admin2.

What should you include in the recommendation?

Options:

a device compliance policy

an access review

a user risk policy

a sign-in risk policy

Question 29

You plan to configure an access review to meet the security requirements for the workload administrators. You create an access review policy and specify the scope and a group.

Which other settings should you configure? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Options:

Question 30

You install Azure ATP sensors on domain controllers.

You add a member to the Domain Admins group. You view the timeline in Azure ATP and discover that information regarding the membership change is missing.

You need to meet the security requirements for Azure ATP reporting.

What should you configure? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Options:

Question 31

An administrator configures Azure AD Privileged Identity Management as shown in the following exhibit.

What should you do to meet the security requirements?

Options:

Change the Assignment Type for Admin2 to Permanent

From the Azure Active Directory admin center, assign the Exchange administrator role to Admin2

From the Azure Active Directory admin center, remove the Exchange administrator role to Admin1

Change the Assignment Type for Admin1 to Eligible

Question 32

You need to recommend a solution for the user administrators that meets the security requirements for auditing.

Which blade should you recommend using from the Azure Active Directory admin center?

Options:

Sign-ins

Azure AD Identity Protection

Authentication methods

Access review

Question 33

NO: 7

You need to resolve the issue that targets the automated email messages to the IT team.

Which tool should you run first?

Options:

Synchronization Service Manager

Azure AD Connect wizard

Synchronization Rules Editor

IdFix

Question 34

You need to create Group2.

What are two possible ways to create the group?

Options:

an Office 365 group in the Microsoft 365 admin center

a mail-enabled security group in the Microsoft 365 admin center

a security group in the Microsoft 365 admin center

a distribution list in the Microsoft 365 admin center

a security group in the Azure AD admin center

Question 35

You need to enable and configure Microsoft Defender for Endpoint to meet the security requirements. What should you do?

Options:

Configure port mirroring

Create the ForceDefenderPassiveMode registry setting

Download and install the Microsoft Monitoring Agent

Run WindowsDefenderATPOnboardingScripc.cmd

Question 36

Which IP address space should you include in the MFA configuration?

Options:

131.107.83.0/28

192.168.16.0/20

172.16.0.0/24

192.168.0.0/20

Question 37

How should you configure Azure AD Connect? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Options:

Question 38

You need to implement Windows Defender ATP to meet the security requirements. What should you do?

Options:

Configure port mirroring

Create the ForceDefenderPassiveMode registry setting

Download and install the Microsoft Monitoring Agent

Run WindowsDefenderATPOnboardingScript.cmd

Question 39

How should you configure Group3? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Options:

Question 40

You need to create Group3.

What are two possible ways to create the group?

Options:

an Office 365 group in the Microsoft 365 admin center

a mail-enabled security group in the Microsoft 365 admin center

a security group in the Microsoft 365 admin center

a distribution list in the Microsoft 365 admin center

a security group in the Azure AD admin center

Question 41

You need to configure threat detection for Active Directory. The solution must meet the security requirements.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Options:

Question 42

You are evaluating which finance department users will be prompted for Azure MFA credentials.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Options:

Question 43

Which user passwords will User2 be prevented from resetting?

Options:

User6 and User7

User4 and User6

User4 only

User7 and User8

User8 only

Question 44

You need to meet the technical requirements for User9. What should you do?

Options:

Assign the Privileged administrator role to User9 and configure a mobile phone number for User9

Assign the Compliance administrator role to User9 and configure a mobile phone number for User9

Assign the Security administrator role to User9

Assign the Global administrator role to User9

Question 45

Which policies apply to which devices? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Options:

Question 46

Which users are members of ADGroup1 and ADGroup2? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Options:

Question 47

What should User6 use to meet the technical requirements?

Options:

Supervision in the Security & Compliance admin center

Service requests in the Microsoft 365 admin center

Security & privacy in the Microsoft 365 admin center

Data subject requests in the Security & Compliance admin center

Question 48

You are evaluating which devices are compliant in Intune.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Options:

Question 49

Which role should you assign to User1?

Options:

Global administrator

User administrator

Privileged role administrator

Security administrator

Load More MS-500 Questions

Summer Special Flat 65% Limited Time Discount offer - Ends in 0d 00h 00m 00s - Coupon code: suredis

Microsoft MS-500 Microsoft 365 Security Administration Exam Practice Test

Microsoft 365 Security Administration Questions and Answers

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Explanation:

Options: