Your network contains an on-premises Active Directory domain. The domain contains servers that run Windows Server and have advanced auditing enabled.
The security logs of the servers are collected by using a third-party SIEM solution.
You purchase a Microsoft 365 subscription and plan to deploy Azure Advanced Threat Protection (ATP) by using standalone sensors.
You need to ensure that you can detect when sensitive groups are modified and when malicious services are created.
What should you do?
A. Turn off Delayed updates for the Microsoft Defender for Identity sensors.
B. Configure auditing in the Microsoft 365 Compliance center.
C. Turn on Delayed updates for the Microsoft Defender for Identity sensors.
D. Integrate SIEM and Microsoft Defender for Identity.

You have a Microsoft 365 Enterprise E5 subscription.
You use Windows Defender Advanced Threat Protection (Windows Defender ATP).
You need to integrate Microsoft Office 365 Threat Intelligence and Windows Defender ATP.
Where should you configure the integration?
A. From the Microsoft 365 admin center, select Settings, and then select Services and add-ins.
B. From the Security and Compliance admin center, select Threat management, and then select Explorer.
C. From the Microsoft 365 admin center, select Reports, and then select Security and Compliance.
D. From the Security and Compliance admin center, select Threat management and then select Threat tracker.

Your company has 500 computers.
You plan to protect the computers by using Windows Defender Advanced Threat Protection (Windows Defender ATP). Twenty of the computers belong to company executives.
You need to recommend a remediation solution that meets the following requirements:
1. Windows Defender ATP administrators must manually approve all remediation for the executives
2. Remediation must occur automatically for all other users
What should you recommend doing from Windows Defender Security Center?
A. Configure 20 system exclusions on automation allowed/block lists
B. Configure two alert notification rules
C. Download an offboarding package for the computers of the 20 executives
D. Create two machine groups

Your company uses Microsoft Azure Advanced Threat Protection (ATP).
You enable the delayed deployment of updates for an Azure ATP sensor named Sensor1.
How long after the Azure ATP cloud service is updated will Sensor1 be updated?
A. 7 days
B. 24 hours
C. 1 hour
D. 48 hours
E. 12 hours

You have a Microsoft 365 subscription.
You create an Advanced Threat Protection (ATP) safe attachments policy.
You need to configure the retention duration for the attachments in quarantine.
Which type of threat management policy should you create?
A. ATP anti-phishing
B. DKIM
C. Anti-spam
D. Anti-malware

You have a Microsoft 365 tenant.
You have 500 computers that run Windows 10.
You plan to monitor the computers by using Windows Defender Advanced Threat Protection (Windows Defender ATP) after the computers are enrolled in Microsoft Intune.
You need to ensure that the computers connect to Windows Defender ATP.
How should you prepare Intune for Windows Defender ATP?
A. Configure an enrollment restriction
B. Create a device configuration profile
C. Create a conditional access policy
D. Create a Windows Autopilot deployment profile

You have a Microsoft 365 E5 subscription.
You implement Advanced Threat Protection (ATP) safe attachments policies for all users.
Users report that email messages containing attachments take longer than expected to be received.
You need to reduce the amount of time it takes to receive email messages that contain attachments. The solution must ensure that all attachments are scanned for malware. Attachments that have malware must be blocked.
What should you do from ATP?
A. Set the action to Block
B. Add an exception
C. Add a condition
D. Set the action to Dynamic Delivery

You have a Microsoft 365 E5 subscription and a hybrid Microsoft Exchange Server organization.
Each member of a group named Executive has an on-premises mailbox. Only the Executive group members have multi-factor authentication (MFA) enabled. Each member of a group named Research has a mailbox in Exchange Online.
You need to use Microsoft Office 365 Attack simulator to model a spear-phishing attack that targets the Research group members.
The email addresses that you intend to spoof belong to the Executive group members.
What should you do first?
A. From the Azure ATP admin center, configure the primary workspace settings
B. From the Microsoft Azure portal, configure the user risk policy settings in Azure AD Identity Protection
C. Enable MFA for the Research group members
D. Migrate the Executive group members to Exchange Online
E. Enable MFA for your account.

You have a Microsoft 365 Enterprise E5 subscription.
You use Windows Defender Advanced Threat Protection (Windows Defender ATP).
You plan to use Microsoft Office 365 Attack simulator.
What is a prerequisite for running Attack simulator?
A. Enable multi-factor authentication (MFA)
B. Configure Advanced Threat Protection (ATP)
C. Create a Conditional Access App Control policy for accessing Office 365
D. Integrate Office 365 Threat Intelligence and Windows Defender ATP

You configure several Advanced Threat Protection (ATP) policies in a Microsoft 365 subscription.
You need to allow a user named User1 to view ATP reports in the Threat management dashboard.
Which role provides User1 with the required role permissions?
A. Reports reader
B. Exchange administrator
C. Security administrators
D. Compliance administrator