Microsoft 365 Security Administration (MS-500) Sample Questions
Candidates who have experience with Microsoft 365 and hybrid environments, as well as the ability to implement, manage, and monitor security and compliance solutions, should take the Microsoft 365 Security Administration MS-500 exam. This article covers sample questions for the following Microsoft 365 Security Administration (MS-500) topics:
- Implement and manage identity and access (35-40%)
- Implement and manage threat protection (25-30%)
- Implement and manage information protection (10-15%)
- Implement and manage governance compliance features in Microsoft 365 (20-25%)
What is the primary purpose of Microsoft Defender for Identity?
- a. To provide real-time threat protection for endpoints.
- b. To protect sensitive data in the cloud.
- c. To monitor and protect identity and access in an organization.
- d. To provide firewall protection for network traffic.
Answer: c. To monitor and protect identity and access in an organization.
Explanation: Microsoft Defender for Identity (formerly Azure Advanced Threat Protection) is a cloud-based security solution that provides threat protection for an organization’s identity and access. It monitors user behavior and detects suspicious activity, helping to identify potential security threats.
What is the purpose of a Conditional Access policy in Microsoft 365?
- a. To block specific email addresses from sending messages to users in an organization.
- b. To limit the number of devices a user can connect to a specific service.
- c. To control access to cloud-based services based on specified conditions.
- d. To monitor user activity on company devices.
Answer: c. To control access to cloud-based services based on specified conditions.
Explanation: A Conditional Access policy is a security feature in Microsoft 365 that allows an organization to control access to cloud-based services based on specified conditions. This could include things like requiring multi-factor authentication, blocking access from certain locations, or requiring specific device settings.
What is the purpose of the Microsoft Secure Score in Microsoft 365?
- a. To provide a measure of the overall security of an organization’s IT infrastructure.
- b. To identify specific vulnerabilities in an organization’s IT environment.
- c. To provide a risk analysis of an organization’s cloud-based services.
- d. To monitor user activity in real-time and detect potential security threats.
Answer: a. To provide a measure of the overall security of an organization’s IT infrastructure.
Explanation: The Microsoft Secure Score is a tool in Microsoft 365 that provides a measure of the overall security of an organization’s IT infrastructure. It assesses security posture across a range of factors, including identity and access management, device management, and data protection, and provides recommendations for improving security.
What is the primary purpose of Microsoft Cloud App Security?
- a. To provide threat protection for cloud-based applications.
- b. To monitor and protect user identity and access.
- c. To monitor user activity and detect potential security threats.
- d. To provide backup and recovery services for cloud-based data.
Answer: a. To provide threat protection for cloud-based applications.
Explanation: Microsoft Cloud App Security is a cloud-based security solution that provides threat protection for cloud-based applications. It uses machine learning and behavioral analytics to identify and respond to security threats, and provides visibility into an organization’s cloud-based applications.
What is the purpose of Microsoft Information Protection (MIP) in Microsoft 365?
- a. To monitor user activity and detect potential security threats.
- b. To encrypt and protect sensitive data in the cloud.
- c. To control access to cloud-based services based on specified conditions.
- d. To provide real-time threat protection for endpoints.
Answer: b. To encrypt and protect sensitive data in the cloud.
Explanation: Microsoft Information Protection (MIP) is a suite of tools and services in Microsoft 365 that allows an organization to classify, label, and protect sensitive data in the cloud. It provides encryption, access controls, and other security features to ensure that sensitive data is protected from unauthorized access.
What is the purpose of Microsoft Cloud App Security’s Cloud Discovery feature?
- a. To monitor user activity and detect potential security threats.
- b. To provide threat protection for cloud-based applications.
- c. To identify and manage cloud applications used within an organization.
- d. To provide backup and recovery services for cloud-based data.
Answer: c. To identify and manage cloud applications used within an organization.
Explanation: Microsoft Cloud App Security’s Cloud Discovery feature allows an organization to identify and manage the cloud applications that are being used within their network. It provides insight into the types of applications that are being used, which can help to improve security and compliance.
What is the purpose of Microsoft Intune in Microsoft 365?
- a. To monitor and protect user identity and access.
- b. To provide real-time threat protection for endpoints.
- c. To manage and secure mobile devices and applications.
- d. To provide backup and recovery services for cloud-based data.
Answer: c. To manage and secure mobile devices and applications.
Explanation: Microsoft Intune is a cloud-based service in Microsoft 365 that allows an organization to manage and secure mobile devices and applications. It provides features such as mobile device management, mobile application management, and conditional access policies.
What is the purpose of Microsoft Cloud App Security’s Threat Protection feature?
- a. To provide backup and recovery services for cloud-based data.
- b. To monitor user activity and detect potential security threats.
- c. To provide threat protection for cloud-based applications.
- d. To control access to cloud-based services based on specified conditions.
Answer: c. To provide threat protection for cloud-based applications.
Explanation: Microsoft Cloud App Security’s Threat Protection feature uses machine learning and behavioral analytics to identify and respond to security threats in cloud-based applications. It provides features such as anomaly detection, user behavior analysis, and real-time threat detection.
What is the purpose of the Microsoft Compliance Manager in Microsoft 365?
- a. To monitor user activity and detect potential security threats.
- b. To provide a measure of the overall security of an organization’s IT infrastructure.
- c. To control access to cloud-based services based on specified conditions.
- d. To assess and manage an organization’s compliance with regulations and standards.
Answer: d. To assess and manage an organization’s compliance with regulations and standards.
Explanation: The Microsoft Compliance Manager is a tool in Microsoft 365 that allows an organization to assess and manage their compliance with various regulations and standards. It provides a compliance score and recommendations for improving compliance posture.
What is the purpose of the Microsoft Identity Manager (MIM) in Microsoft 365?
- a. To monitor and protect user identity and access.
- b. To provide real-time threat protection for endpoints.
- c. To manage and secure mobile devices and applications.
- d. To provide backup and recovery services for cloud-based data.
Answer: a. To monitor and protect user identity and access.
Explanation: The Microsoft Identity Manager (MIM) is a tool in Microsoft 365 that allows an organization to manage and protect user identity and access. It provides features such as self-service password reset, user provisioning and deprovisioning, and role-based access control.
Q1) You have a number of Conditional Access policies in place that prevent noncompliant devices from accessing services. You need to figure out which policies are blocking particular devices. What should you use?
- the Setting compliance report in the Microsoft Endpoint Manager admin center
- Sign-ins in the Azure Active Directory admin center
- Activity log in the Cloud App Security admin center
- Audit logs in the Azure Active Directory admin center
Correct Answer: Sign-ins in the Azure Active Directory admin center
Explanation: The Conditional Access framework gives you a lot of setup options. However, because of this flexibility, you should thoroughly review each configuration policy before releasing it to avoid unfavourable outcomes. You should pay extra attention to assignments that affect whole sets, such as all users, groups, or cloud apps, in this context.
Refer: Troubleshooting sign-in problems with Conditional Access
Q2) You have a Microsoft 365 E5 subscription linked to the contoso.com tenant in Microsoft Azure Active Directory (Azure AD). To federate on-premises Active Directory and the tenant, you use Active Directory Federation Services (AD FS). The following options are configured in Azure AD Connect:
- Source Anchor: objectGUID
- Password Hash Synchronization: Disabled
- Password writeback: Disabled
- Directory extension attribute sync: Disabled
- Azure AD app and attribute filtering: Disabled
- Exchange hybrid deployment: Disabled
- User writeback: Disabled
You must guarantee that you can use Azure AD Identity Protection’s leaked credentials detection. Solution: Change the settings for Password Hash Synchronization. Is that enough to achieve the goal?
- Yes
- No
Correct Answer: Yes
Explanation: Organizations can utilise the Identity Secure Score page in the Azure AD portal to identify security holes in their existing configuration and ensure that they are following current Microsoft security best practises. Implementing each tip on the Secure Score page will improve your score, let you track your progress, and allow you to compare your implementation to that of other organisations of similar size.
Refer: Five steps to securing your identity infrastructure
Q3) You’re working in a Microsoft 365 hybrid environment. Microsoft Intune is used to manage all of the PCs, which run Windows 10. You need to create a conditional access policy in Microsoft Azure Active Directory (Azure AD) that allows only Windows 10 computers identified as compliant to connect to the on-premises network through VPN. What should you start with?
- From the Azure Active Directory admin center, create a new certificate
- Enable Application Proxy in Azure AD
- From Active Directory Administrative Center, create a Dynamic Access Control policy
- From the Azure Active Directory admin center, configure authentication methods
Correct Answer: From the Azure Active Directory admin center, create a new certificate
Explanation: An EAP-TLS client cannot connect until the NPS server has completed a certificate chain revocation check (including the root certificate). Because cloud certificates produced by Azure AD are short-lived certificates with a one-hour lifetime, they do not contain a CRL. The EAP on NPS must be set up to overlook the lack of a CRL. This registry value is only required under EAP-13 because the authentication mechanism is EAP-TLS. If you’re using additional EAP authentication methods, the registry value should be added to those as well.
Refer: Conditional access for VPN connectivity using Azure AD
Q4) Your organisation has a primary office and a subscription to Microsoft 365. You must utilise conditional access to enforce Microsoft Azure Multi-Factor Authentication (MFA) for all users who are not physically present in the office. In the configuration, what should you include?
- a user risk policy
- a sign-in risk policy
- a named location in Azure Active Directory (Azure AD)
- an Azure MFA Server
Correct Answer: a named location in Azure Active Directory (Azure AD)
Explanation: This location can be used by businesses for common tasks such as:
- Users accessing a service outside of the corporate network must employ multi-factor authentication.
- Blocking users from specified nations or areas from accessing a service.
The location is defined by the public IP address a client sends to Azure Active Directory or by the GPS coordinates provided by the Microsoft Authenticator app. By default, Conditional Access policies cover all IPv4 and IPv6 addresses.
Refer: Using the location condition in a Conditional Access policy
Q5) You are a subscriber to Microsoft 365 E5. To access Microsoft SharePoint Online, some users are required to use an authenticator app. You need to see which users have accessed SharePoint Online using an authenticator app. The solution must be cost-effective. So, what are your options?
- From the Security & Compliance admin center, download a report.
- From Azure Log Analytics, query the logs.
- From the Security & Compliance admin center, perform an audit log search.
- From the Enterprise applications blade of the Azure Active Directory admin center, view the sign-ins.
Correct Answer: From the Enterprise applications blade of the Azure Active Directory admin center, view the sign-ins.
Explanation: The user sign-ins report shows a user’s sign-in behaviour, the number of users who have signed in in the last week, and the status of those sign-ins. This question appears in numerous different forms on the exam. There are two possible accurate solutions to this question:
- Go to the Azure Active Directory admin center’s Enterprise apps blade and look at the sign-ins.
- View the sign-ins from the Azure Active Directory admin centre.
You may also see the following incorrect answer alternatives on the exam:
- View the audit logs from the Azure Active Directory admin center’s Enterprise applications blade.
- View the audit logs from the Azure Active Directory admin centre.
Refer: Sign-in logs in Azure Active Directory
Q6) You are a subscriber to Microsoft 365 E5. To access Microsoft SharePoint Online, some users are required to use an authenticator app. You need to see which users have accessed SharePoint Online using an authenticator app. The solution must be cost-effective. So, what are your options?
- From the Azure Active Directory admin center, view the sign-ins.
- From the Security & Compliance admin center, download a report.
- From the Enterprise applications blade of the Azure Active Directory admin center, view the audit logs.
- From the Azure Active Directory admin center, view the authentication methods.
Correct Answer: From the Azure Active Directory admin center, view the sign-ins.
Explanation:
- Go to the Azure Active Directory admin center’s Enterprise apps blade and look at the sign-ins.
- View the sign-ins from the Azure Active Directory admin centre.
Refer: Sign-in logs in Azure Active Directory
Q7) You have a Microsoft 365 subscription, and User1 is one of your users. You intend to use Compliance Manager. You must ensure that User1 can assign Compliance Manager roles to other users. The solution must follow the principle of least privilege. Which role should User1 be assigned?
- Compliance Manager Assessor
- Global Administrator
- Portal Admin
- Compliance Manager Administrator
Correct Answer: Global Administrator
Explanation: In Compliance Manager, the Global Administrator can manage role assignments.
Refer: Microsoft Purview Compliance Manager
Q8) You have a Microsoft 365 subscription that is tied to an Azure Active Directory (Azure AD) tenant with a user named User1. You have a Data Subject Request (DSR) case named Case1. You must allow User1 to export Case1’s results. The solution must follow the principle of least privilege. For Case1, which role should you assign to User1?
- eDiscovery Manager
- Security Operator
- eDiscovery Administrator
- Global Reader
Correct Answer: eDiscovery Manager
Explanation: The General Data Protection Regulation (GDPR) of the European Union (EU) aims to preserve and enable individuals’ privacy rights within the EU. Individuals in the European Union (known as data subjects) have the right to access, retrieve, correct, erase, and restrict personal data processing under the GDPR. Personal data is defined as any information relating to an identified or identifiable natural person under the GDPR.
Refer: Manage GDPR data subject requests with the DSR case tool in the Microsoft Purview compliance portal
Q9) In a Microsoft 365 subscription, you set up various Advanced Threat Protection (ATP) rules. You need to allow a user named User1 to see the Threat Management Dashboard’s ATP reports. Which role gives User1 the permissions he or she needs?
- Compliance administrator
- Security reader
- Message center reader
- Reports reader
Correct Answer: Security reader
Explanation: A range of security-related reports are available in Microsoft Defender for Office 365 organisations (for example, Microsoft 365 E5 subscriptions or Microsoft Defender for Office 365 Plan 1 or Microsoft Defender for Office 365 Plan 2 add-ons). You can view and download these reports on the Microsoft 365 Defender site if you have the proper rights.
Refer: View Defender for Office 365 reports in the Microsoft 365 Defender portal
Q10) You have a Microsoft Exchange Server hybrid environment. Microsoft 365 E5 licences are available to all users. You want to set up an anti-phishing policy in Microsoft Defender for Office 365. All users must have mailbox intelligence enabled. What should you start with?
- Configure attribute filtering in Microsoft Azure Active Directory Connect (Azure AD Connect)
- Purchase the Microsoft Defender for Office 365 add-on
- Select Directory extension attribute sync in Microsoft Azure Active Directory Connect (Azure AD Connect)
- Migrate the on-premises mailboxes to Exchange Online
Correct Answer: Migrate the on-premises mailboxes to Exchange Online
Explanation: Microsoft 365 enterprises with Exchange Online mailboxes, independent Exchange Online Protection (EOP) organisations without Exchange Online mailboxes, and Microsoft Defender for Office 365 organisations all have policies to specify anti-phishing protection settings.
Refer: Anti-phishing policies in Microsoft 365
Q12) In a Microsoft 365 subscription, you set up multiple Microsoft Defender for Office 365 policies. In the Threat management dashboard, you must allow a user named User1 to see Microsoft Defender for Office 365 reports. Which role gives User1 the permissions he or she needs?
- Security reader
- Compliance administrator
- Information Protection administrator
- Exchange administrator
Correct Answer: Security reader
Explanation: A range of security-related reports are available in Microsoft Defender for Office 365 organisations (for example, Microsoft 365 E5 subscriptions or Microsoft Defender for Office 365 Plan 1 or Microsoft Defender for Office 365 Plan 2 add-ons). You can view and download these reports on the Microsoft 365 Defender site if you have the proper rights.
Refer: View Defender for Office 365 reports in the Microsoft 365 Defender portal
Q13) You are a subscriber to Microsoft 365 Enterprise E5. Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is installed on your computer. You intend to use Microsoft Office 365 Attack Simulator. What are the requirements for using Attack Simulator?
- Enable multi-factor authentication (MFA)
- Configure Office 365 Advanced Threat Protection (ATP)
- Create a Conditional Access App Control policy for accessing Office 365
- Integrate Office 365 Threat Intelligence and Microsoft Defender ATP
Correct Answer: Enable multi-factor authentication (MFA)
Explanation: You can use Attack simulation training on the Microsoft 365 Defender site to perform realistic attack scenarios in your organisation if your firm has Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, which includes Threat Investigation and Response capabilities. These simulated attacks can assist you in identifying and locating vulnerable people before a genuine attack has a negative impact on your business.
Refer: Get started using Attack simulation training in Defender for Office 365
Q14) You have a hybrid Microsoft Exchange Server organisation and a Microsoft 365 E5 subscription. Each member of the Executive group has their own on-premises mailbox. Multi-factor authentication (MFA) is only available to members of the Executive group. In Exchange Online, each member of the Research group has a mailbox. To replicate a spear-phishing assault against members of the Research group, you must use the Microsoft Office 365 Attack Simulator. The email addresses you plan to spoof belong to members of the Executive group. What should you start with?
- From the Azure ATP admin center, configure the primary workspace settings
- From the Microsoft Azure portal, configure the user risk policy settings in Azure AD Identity Protection
- Enable MFA for the Research group members
- Migrate the Executive group members to Exchange Online
Correct Answer: Enable MFA for the Research group members
Explanation: You can use Attack simulation training on the Microsoft 365 Defender site to perform realistic attack scenarios in your organisation if your firm has Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, which includes Threat Investigation and Response capabilities. These simulated attacks can assist you in identifying and locating vulnerable people before a genuine attack has a negative impact on your business.
Refer: Get started using Attack simulation training in Defender for Office 365
Q15) You are a subscriber to Microsoft 365 E5. For all users, you apply Advanced Threat Protection (ATP) safe attachments policies. Email messages with attachments are taking longer than intended to arrive, according to users. You need to shorten the time it takes for you to receive email messages with attachments. All attachments must be inspected for malware as part of the solution. Malware-infected attachments must be banned. What should you do as a result of ATP?
- Set the action to Block
- Add an exception
- Add a condition
- Set the action to Dynamic Delivery
Correct Answer: Set the action to Dynamic Delivery
Refer: Safe Attachments in Microsoft Defender for Office 365
Q16) Several Azure Advanced Threat Protection (ATP) sensors will be deployed by an administrator. The Azure information needed to deploy the sensors must be provided to the administrator. What information do you need to give?
- an Azure Active Directory Authentication Library (ADAL) token
- the public key
- the access key
- the URL of the Azure ATP admin center
Correct Answer: the URL of the Azure ATP admin center
Refer: Working with the Microsoft Defender for Identity portal
Q17) You’re a Microsoft 365 subscriber. You have 500 computers with Windows 10 installed. After the PCs are enrolled in Microsoft Endpoint Manager, you plan to monitor them using Microsoft Defender for Endpoint. You need to make sure the computers are connected to Microsoft Defender for Endpoint. How should Endpoint Manager be prepared for Microsoft Defender for Endpoint?
- Configure an enrollment restriction
- Create a device configuration profile
- Create a conditional access policy
- Create a Windows Autopilot deployment profile
Correct Answer: Create a device configuration profile
Refer: Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune
Q18) In a Microsoft 365 subscription, you set up various Advanced Threat Protection (ATP) rules. In the Threat management dashboard, you must allow a user named User1 to see ATP reports. Which role gives User1 the permissions he or she needs?
- Security administrators
- Exchange administrator
- Compliance administrator
- Message center reader
Correct Answer: Security administrators
Refer: View Defender for Office 365 reports in the Microsoft 365 Defender portal
Q19) You’re a subscriber to Microsoft 365. You make a safe attachments policy in Microsoft Defender for Identity. The attachments in quarantine must have their retention duration configured. Which threat management policy should you develop?
- Anti-phishing
- DKIM
- Anti-spam
- Anti-malware
Correct Answer: Anti-spam
Refer: Manage quarantined messages and files as an admin in EOP
Q20) There are 500 computers in your firm. You intend to use Microsoft Defender for Endpoint to defend the PCs. The company’s execs own twenty of the machines. You must propose a remediation solution that satisfies the following criteria:
- All remediation for executives must be manually approved by Microsoft Defender for Endpoint administrators.
- For all other users, remediation must happen automatically.
What should you do in Microsoft Defender Security Center?
- Configure 20 system exclusions on automation allowed/block lists
- Configure two alert notification rules
- Download an offboarding package for the computers of the 20 executives
- Create two machine groups
Correct Answer: Create two machine groups
Refer: Create and manage device groups