Microsoft Microsoft Certifications MS-500 Questions & Answers

• Question 101:

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  You have a Microsoft 365 E5 subscription that contains a user named User1.

  The Azure Active Directory (Azure AD) Identity Protection risky users report identifies User1.

  For User1, you select Confirm user compromised.

  User1 can still sign in.

  You need to prevent User1 from signing in. The solution must minimize the impact on users at a lower risk level.

  Solution: You configure the sign-in risk policy to block access when the sign-in risk level is high.

  Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: B

  Reference: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk

• Question 102:

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  You have a Microsoft 365 E5 subscription that contains a user named User1.

  The Azure Active Directory (Azure AD) Identity Protection risky users report identifies User1.

  For User1, you select Confirm user compromised.

  User1 can still sign in.

  You need to prevent User1 from signing in. The solution must minimize the impact on users at a lower risk level.

  Solution: You configure the user risk policy to block access when the user risk level is high.

  Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: B

  Reference: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk

• Question 103:

  You have an Azure Sentinel workspace that has an Azure Active Directory (Azure AD) connector and an Office 365 connector.

  From the workspace, you plan to create a scheduled query rule that will use a custom query. The rule will be used to generate alerts when inbound access to Office 365 from specific user accounts is detected.

  You need to ensure that when multiple alerts are generated by the rule, the alerts are consolidated as a single incident per user account.

  What should you do?

  A. From Set rule logic, map the entities.

  B. From Analytic rule details, configure Severity.

  C. From Set rule logic, set Suppression to Off.

  D. From Analytic rule details, configure Tactics.

  Correct Answer: A

  Reference: https://docs.microsoft.com/en-us/azure/sentinel/map-data-fields-to-entities

• Question 104:

  You have a Microsoft 365 E5 subscription that uses Microsoft Teams and contains a user named User1.

  You configure information barriers.

  You need to identify which information barrier policies apply to User1.

  Which cmdlet should you use?

  A. Get-InformationBarrierRecipientStatus

  B. Get-InformationBarrierPoliciesApplicationStatus

  C. Get-InformationBarrierPolicy

  D. Get-OrganizationSegment

  Correct Answer: A

  Get-InformationBarrierRecipientStatus -Identity

  Use the Get-InformationBarrierRecipientStatus cmdlet with the Identity parameter.

  You can use any identity value that uniquely identifies each recipient, such as Name, Alias, Distinguished name (DN), Canonical DN, Email address, or GUID.

  https://learn.microsoft.com/en-us/microsoft-365/troubleshoot/information-barriers/information-barriers-troubleshooting

  Reference:

  https://docs.microsoft.com/en-us/office365/troubleshoot/information-barriers/information-barriers-troubleshooting

• Question 105:

  You have a Microsoft 365 subscription.

  You receive a General Data Protection Regulation (GDPR) request for the custom dictionary of a user.

  From the Compliance admin center, you need to create a content search.

  How should you configure the content search?

  A. Condition: Type Operator. Equals any of Value: Office Roaming Service

  B. Condition: Title Operator: Equals any of Value: Normal.dot

  C. Condition: Type Operator: Equals any of Value: Documents

  D. Condition: File type Operator: Equals any of Value: dic

  Correct Answer: D

  Since the GDPR request is related to the custom dictionary of a user, we need to search for the files that contain the user's custom dictionary. The custom dictionary files in Microsoft Word are typically saved with a ".dic" file extension.

  Therefore, we should configure the content search with a condition that searches for files with the ".dic" file type.

  Option A is not correct because it is searching for the Office Roaming Service, which is not related to the custom dictionary.

  Option B is not correct because it is searching for files with the "Normal.dot" file name, which is a template file and not related to the custom dictionary.

  Option C is not correct because it is searching for files with the "Documents" type, which is too broad and will likely return many irrelevant results.

• Question 106:

  You have a Microsoft 365 subscription linked to an Azure Active Directory (Azure AD) tenant that contains a user named User1. You need to grant User1 permission to search Microsoft 365 audit logs. The solution must use the principle of least privilege. Which role should you assign to User1?

  A. the View-Only Audit Logs role in the Security and Compliance admin center

  B. the View-Only Audit Logs role in the Exchange admin center

  C. the Compliance Management role in the Exchange admin center

  D. the Security reader role in the Azure Active Directory admin center

  Correct Answer: B

  There is no View-Only Audit logs role in Exchange Admin Center. The documentation for the View-Only Logs role also state that it applies to Exchange Server 2013 Reference: https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide https://learn.microsoft.com/en-us/exchange/view-only-audit-logs-role-exchange-2013-help

• Question 107:

  You have a Microsoft 365 subscription that contains 100 users and a Microsoft 365 group named Group1.

  All users have Windows 10 devices and use Microsoft SharePoint Online and Exchange Online.

  A sensitivity label named Label1 is published as the default label for Group1.

  You add two sublabels named Sublabel1 and Sublabel2 to Label1.

  You need to ensure that the settings in Sublabel1 are applied by default to Group1.

  What should you do?

  A. Change the order of Sublabel1.

  B. Modify the policy of Label1.

  C. Duplicate all the settings from Sublabel1 to Label1.

  D. Delete the policy of Label1 and publish Sublabel1.

  Correct Answer: B

  To ensure that the settings in Sublabel1 are applied by default to Group1, you need to modify the policy of Label1. As Label1 is the default label for Group1, any changes made to the policy of Label1 will be applied by default to Group1.

  Therefore, modifying the policy of Label1 to include the settings in Sublabel1 will ensure that these settings are applied by default to Group1.

  Option A, changing the order of Sublabel1, will not have any effect on which settings are applied by default to Group1.

  Option C, duplicating all the settings from Sublabel1 to Label1, is unnecessary and will not ensure that the settings in Sublabel1 are applied by default to Group1.

  Option D, deleting the policy of Label1 and publishing Sublabel1, will remove Label1 as the default label for Group1, and it will not ensure that the settings in Sublabel1 are applied by default to Group1.

  Reference:

  https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide

• Question 108:

  You have a Microsoft 365 alert named Alert2 as shown in the following exhibit.

  

  You need to manage the status of Alert2.

  To which status can you change Alert2?

  A. Active or Investigating only

  B. Dismissed only

  C. The status cannot be changed.

  D. Investigating only

  E. Investigating, Active, or Dismissed

  Correct Answer: E

  Despite status showing resolved it still can be changed. Select alert > Under Alert status > Actions > select "Edit comments" > choose new status: Active, Investigating, Dismissed or Resolved. Alert status will change. Tested from https:// compliance.microsoft.com/ admin portal.

• Question 109:

  You have a Microsoft 365 E5 subscription that contains 1,000 Windows 10 devices. The devices are onboarded to Microsoft Defender for Endpoint.

  You need to view a consolidated list of the common vulnerabilities and exposures (CVE) that affect the devices. The solution must minimize administrative effort.

  Which Threat and Vulnerability Management page should you use?

  A. Software inventory

  B. Event timeline

  C. Weaknesses

  D. Security recommendations

  Correct Answer: C

  Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/tvm-weaknesses?view=o365-worldwide

• Question 110:

  You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table.

  

  You discover that several security alerts are visible from the Microsoft Defender for Identity portal.

  You need to identify which users in contoso.com can close the security alerts.

  Which users should you identify?

  A. User3 only

  B. User1 and User2 only

  C. User3 and User4 only

  D. User1 and User3 only

  E. User1 only

  Correct Answer: C

  User1 and User 2 have no roles assigned to them or there is no reference to group membership, so we have to assume there are no permissions. User3 and User4 are the only ones that have permissions: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/scc-permissions?view=o365-worldwide

  https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/scc-permissions?view=o365-worldwide#:~:text=Security%20Operator,of%20security%20features.