Microsoft Microsoft Certifications MS-500 Questions & Answers

• Question 271:

  HOTSPOT

  You have a Microsoft 365 E5 subscription that contains three users named Use1, User2, and User3.

  You have Azure Active Directory (Azure AD) roles that have the role activation settings shown in the following table.

  

  You have Azure AD roles that have the role assignment settings shown in the following table.

  

  The Azure AD roles have eligible users assigned as shown in the following table.

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  1.

  (No) Approvers can't approve their own activation request.

  2.

  (No) Role2 does not need approval to activate.

  3.

  (No) Justification is not needed for activation approval of Role1. Justification is only needed when eligibility assignment is made with activation included(ie permanent activation).

• Question 272:

  HOTSPOT

  You have a Microsoft 365 subscription that contains three users named User1, User2, and User3.

  You have the named locations shown in the following table.

  

  You configure an Azure Multi-Factor Authentication (MFA) trusted IP address range of 192.168.1.0/27. You have the Conditional Access policies shown in the following table.

  

  The users have the IP addresses shown in the following table.

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  User 1 access through CA1 (forms) with Location:(included as nothing else is stated) trusted location = require MFA YES

  User 2 access through CA2 (planner) with Location:(included as nothing else is stated) NY = nothing NO

  User 3 access through CA1 (forms) with Location:(included as nothing else is stated) trusted location = require MFA, but NY is not a trusted location in the include, so no MFA will be promted. NO

• Question 273:

  HOTSPOT

  You create device groups in Microsoft Defender for Endpoint as shown in the following table.

  

  You onboard three devices to Microsoft Defender for Endpoint as shown in the following table.

  

  After the devices are onboarded, you perform the following actions:

  1.

  Add a tag named Tag1 to Device1.

  2.

  Rename Computer3 as Device3.

  For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: No

  The Group1 membership rule 'Name Start with Device' applies to Device1.

  However, the higher ranked Group2 membership rule 'Tag Equals Tag1' also applies to Device1, and overrules the lower ranked rule.

  Note: Specify the matching rule that determines which device group belongs to the group based on the device name, domain, tags, and OS platform. If a device is also matched to other groups, it's added only to the highest ranked device

  group.

  Box 2: No

  The Group1 membership rule 'Name Start with Device' applies Device2.

  No other rule applies.

  Box 3: Yes

  The Group3 rule applies for Computer3.

  Reference:

  https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/machine-groups

• Question 274:

  HOTSPOT

  You have a Microsoft 365 E5 subscription.

  You need to create a role-assignable group. The solution must ensure that you can nest the group.

  How should you configure the group? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Security only

  You can add an existing Security group to another existing Security group (also known as nested groups), creating a member group (subgroup) and a parent group. The member group inherits the attributes and properties of the parent group,

  saving you configuration time.

  Incorrect:

  Not supported:

  Adding Security groups to Microsoft 365 groups.

  Adding Microsoft 365 groups to Security groups or other Microsoft 365 groups.

  Box 2: Assigned only

  The membership type for role-assignable groups must be Assigned and can't be an Azure AD dynamic group.

  Reference:

  https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-membership-azure-portal

• Question 275:

  HOTSPOT

  Your on-premises network contains an Active Directory domain that syncs to Azure Active Directory (Azure AD) by using Azure AD Connect. The functional level of the domain is Windows Server 2019.

  You need to deploy Windows Hello for Business. The solution must meet the following requirements:

  1.

  Ensure that users can access Microsoft 365 services and on-premises resources.

  2.

  Minimize administrative effort.

  How should you deploy Windows Hello for Business and which type of trust should you use? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Hybrid

  Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources.

  Box 2: Certificate

  The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows devices to trust the domain

  controller.

  Reference:

  https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs

• Question 276:

  HOTSPOT

  You have a Microsoft 365 description that contains a user named User1.

  You need to that User1 can review registration and usage activity reports for Azure Multi- Factor Authentication (Azure MFA) for the subscription. The solution must meet the following requirements:

  Minimize Costs use the principle Of least privilege

  What should you assign to user1?

  Hot Area:

  

  Correct Answer:

  

• Question 277:

  HOTSPOT You have a Microsoft 365 E5 subscription linked to an Azure Active Directory (Azure AD) tenant. The tenant contains a user named User1 and multiple Windows 10 devices. The devices are Azure AD joined and protected by using BitLocker Drive Encryption (BitLocker).

  You need to ensure that User1 can perform the following actions:

  1.

  View BitLocker recovery keys.

  2.

  Configure the usage location for the users in the tenant.

  The solution must use the principle of least privilege.

  Which two roles should you assign to User1 in the Microsoft 365 admin center? To answer, select the appropriate roles in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Helpdesk admin

  View BitLocker recovery keys.

  Helpdesk Admins can read bitlocker metadata and key on devices

  Note: One of the following should be enough:

  1.

  Global admins

  2.

  Intune Service Administrators

  3.

  Security Administrators

  4.

  Security Readers

  5.

  Helpdesk Admins

  Box 2: User Administrator

  Configure the usage location for the users in the tenant.

  The User Administrator can manage all aspects of users and groups, including resetting passwords for limited admins.

  The User Administrator cam manage all user properties including User Principal Name

  Update (FIDO) device keys

  Reference:

  https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

• Question 278:

  HOTSPOT

  You have a Microsoft 365 E5 subscription that is linked to an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains three groups named Group!, Group2. and Group3 and the users shown in the following table.

  

  You create a new access package as shown in the following exhibit.

  You have a Microsoft 365 E5 subscription that uses Microsoft Endpoint Manager. The Compliance policy settings are configured as shown in the following exhibit.

  These settings configure the way the compliance service treats devices. Each device evaluates these as a "Built-in Device Compliance Policy", which is reflected in device monitoring.

  

  Hot Area:

  

  Correct Answer:

  

• Question 279:

  HOTSPOT

  You have a Microsoft 365 E5 subscription that contains two users named Adminl and User1. a Microsoft SharePoint Online site named Site1, and a retention label named Retention1. The role assignments for Site1 are shown in the following table.

  

  Site1 includes a file named File1. Rentention1 has the following settings:

  1.

  Retain items for a specific period: Retention period: 7 years

  2.

  During the retention period: Mark Items as a record

  3.

  At the end of the retention period: Delete items automatically

  Rententon1 is published to Site1.

  User1 applies Retention1 to File1.

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  https://docs.microsoft.com/en-us/microsoft-365/compliance/records-management?view=o365-worldwide

• Question 280:

  HOTSPOT

  You company has a Microsoft 36S E5 subscription and a hybrid Azure active Directory named contoso.com.

  Contoso.com includes the following users:

  

  You configure Password protection for Contoso.com as shown in the following exhibit.

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Audit mode is the default initial setting, where passwords can continue to be set. Passwords that would be blocked are recorded in the event log. After you deploy the proxy servers and DC agents in audit mode, monitor the impact that the password policy will have on users when the policy is enforced.

  https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy