Microsoft Microsoft Certifications MS-500 Questions & Answers

• Question 51:

  You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint Online site named Site1 and the data loss prevention (DIP) policies in following table.

  

  The DLP rules are configured as shown in the following table.

  

  All the policies are assigned to Site1.

  You need to ensure that if a user uploads a document to Site1 that matches all the rules, the user will be shown the Tip 2 policy tip.

  What should you do?

  A. Enable additional processing Of the policies if is a match for Rule1.

  B. Change the priority Of DLP2 to 3.

  C. Change the priority of DLP2 to 0

  D. Prevent additional processing of the policies if there is a match for Rule2.

  Correct Answer: C

  The rule with priority 0 is processed first.

  Reference:

  https://docs.microsoft.com/en-us/microsoft-365/compliance/dlp-policy-reference

• Question 52:

  You have a Microsoft 365 E5 subscription that contains the groups shown in the following table.

  

  You plan to implement privileged access in Microsoft 365, Which groups can you specify as the default approval group?

  A. Group4 only

  B. Group3 or Group4 only

  C. Group1, Group2, or Grcup3

  D. Group1, Group3, or Group4 only

  E. Group1, Group2. Group3, or Group4

  Correct Answer: C

  If the security group does not have an email address associated with it, you can still use it as the default approval group for privileged access in Microsoft 365.

  When you select a security group as the default approval group, Azure AD Privileged Identity Management will send approval notifications to the members of the security group using their individual email addresses. The email notifications will contain a link to the approval request in the Azure portal, where the members can review the request and approve or deny it.

  So even if the security group itself does not have an email address, the members of the group will still receive email notifications for any access requests that require approval. However, it's important to ensure that the members of the security group have valid email addresses associated with their user accounts in Azure AD, so that they can receive the approval notifications.

• Question 53:

  You have a hybrid deployment of Azure Active Directory (Azure AD) that contains two users named User1 and User2. You need to assign Role Based Access Control (RBAC) roles to User1 and User2 to meet the following requirements:

  1.

  Use the principle of least privilege

  2.

  Enable User1 to view sync errors by using Azure AD Connect Health

  3.

  Enable User2 to configure Azure Active Directory Connect Health Settings

  Which two roles should you assign?

  Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

  A. The Monitoring Readers role in Azure AD Connect Health to User1

  B. The Security reader role in Azure AD to User 1

  C. The Reports reader role in Azure AD to User 1

  D. The Contributor role in Azure AD Connect Health to User 2

  E. The Monitoring Contributor role in Azure Connect Health to User 2

  F. The Security operator role in Azure AD to User2

  Correct Answer: AD

  Azure AD Connect Health supports the following built-in roles:

  Role Permissions

  Owner Owners can manage access (for example, assign a role to a user or group), view all information (for example, view alerts) from the portal, and change settings (for example, email notifications) within Azure AD Connect Health.

  By default, Azure AD Hybrid Identity Administrators are assigned this role, and this cannot be changed.

  Contributor Contributors can view all information (for example, view alerts) from the portal, and change settings (for example, email notifications) within Azure AD Connect Health.

  Reader Readers can view all information (for example, view alerts) from the portal within Azure AD Connect Health.

  https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-operations

• Question 54:

  You have a Microsoft 365 subscription that contains a user named Use1. You need to ensure that User1 can review Conditional Access policies.

  Solution: You assign User1 the Application Administrator role.

  Does this meet goal?

  A. Yes

  B. No

  Correct Answer: B

• Question 55:

  You have a Microsoft 365 E5 subscription

  You need to use Microsoft Cloud App Security to identify documents stored in Microsoft SharePomt Online that contain proprietary information.

  What should you create in Cloud App Security?

  A. a data source and a file policy

  B. a data source and an app discovery policy

  C. an app connector and an app discovery policy

  D. an app connector and a We policy

  Correct Answer: B

• Question 56:

  You have a Microsoft 365 subscription that contains a Microsoft 365 group named Group1. Group1 contains 100 users and has dynamic user membership.

  All users have Windows 10 devices and use Microsoft SharePoint Online and Exchange Online.

  You create a sensitivity label named Label and publish Label 1 as the default label for Group!.

  You need to ensure that the users in Group1 must apply Label! to their email and documents.

  Which two actions should you perform? Each correct answer presents part of the solution.

  NOTE: Each correct selection is worth one point.

  A. Install the Azure Information Protection unified labeling client on the Windows 10 devices.

  B. From the Microsoft 365 Compliance center, modify the settings of the Label1 policy.

  C. Install the Active Directory Rights Management Services (AD RMS) client on the Windows 10 devices.

  D. From the Microsoft 365 Compliance center, create an auto-labeling policy.

  E. From the Azure Active Directory admin center, set Membership type for Group1 to Assigned.

  Correct Answer: AB

  D is wrong. Auto-Labeling policy will not achieve the requirement “You need to ensure that the users in Group1 must apply Label1 to their email and documents”

  This requirement is a setting in the sensitivity label policy that can be selected.

  Auto-Labeling is an admin activity.

  Auto-Labeling policy:

  When you create a sensitivity label, you can automatically assign that label to files and emails when it matches conditions that you specify.

  This ability to apply sensitivity labels to content automatically is important because:

  1.

  You don't need to train your users when to use each of your classifications.

  2.

  You don't need to rely on users to classify all content correctly.

  3.

  Users no longer need to know about your policies—they can instead focus on their work.

  E is wrong. It is not a must to Membership type for Group1 to be Assigned. Label can be applied to both Assigned and Dynamic.

• Question 57:

  You have a Microsoft 365 subscription that contains a user named Used.

  You need to assign User1 permissions to search Microsoft Office 365 audit logs.

  What should you use?

  A. the Azure Active Directory admin center

  B. the Microsoft 365 Compliance center

  C. the Microsoft 365 Defender portal

  D. the Exchange admin center

  Correct Answer: D

  To give a user the ability to search the audit log with the minimum level of privileges, you can create a custom role group in Exchange Online, add the View-Only

  Audit Logs or Audit Logs role, and then add the user as a member of the new role group.

  Incorrect:

  If you assign a user the View-Only Audit Logs or Audit Logs role on the Permissions page in the compliance portal, they won't be able to search the audit log. You have to assign the permissions in Exchange Online. This is because the

  underlying cmdlet used to search the audit log is an Exchange Online cmdlet.

  You can also use the Exchange admin center (EAC).

  Reference:

  https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance

• Question 58:

  You have a Microsoft 365 tenant that uses Azure Information Protection to encrypt sensitive content.

  You plan to implement Microsoft Cloud App Security to inspect protected files that are uploaded to Microsoft OneDrive for Business.

  You need to ensure that at Azure Information Protection-protected files can be scanned by using Cloud App Security

  Which two actions should you perform?

  Each correct answer presents part of the solution.

  NOTE: Each correct selection is worth one point.

  A. From the Cloud App Security admin center, enable file monitoring of software as a service (SaaS) apps.

  B. From the Cloud App Security admin center, create an OAuth app policy for apps that have the Have full access to user files permission

  C. From the Microsoft 365 compliance admin center create a data loss prevention (EXP) policy that contains an exception for content that contains a sensitive information type.

  D. From the Azure Active Directory admin center, grant Cloud App Security permission to read all the protected content of the tenant

  Correct Answer: BD

• Question 59:

  You have a Microsoft 165 E5 subscription.

  You need to enable support for sensitivity labels in Microsoft SharePoint Online.

  What should you use?

  A. the SharePoint admin center

  B. the Microsoft 365 admin center

  C. the Microsoft 365 compliance center

  D. the Azure Active Directory admin

  Correct Answer: C

  Use the Microsoft Purview compliance portal to enable support for sensitivity labels

  This option is the easiest way to enable sensitivity labels for SharePoint and OneDrive, but you must sign in as a global administrator for your tenant.

  1.

  Sign in to the Microsoft Purview compliance portal as a global administrator, and navigate to Solutions > Information protection > Labels

  2.

  If you see a message to turn on the ability to process content in Office online files, select Turn on now:

  

  Reference: https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files

• Question 60:

  You have a Microsoft 365 E5 subscription that contains a user named Use1.

  You need to ensure that User1 can use the Microsoft 365 compliance center to search audit logs and identify which users were added to Microsoft 365 role groups. The solution must use the principle of least privilege.

  To which role group should you add User1?

  A. Security Reader

  B. View-Only Organization Management

  C. Organization Management

  D. Compliance Management

  Correct Answer: D

  https://admin.exchange.microsoft.com/#/adminRoles click the roles and check permissions.

  compliance management and org management have access. but compliance management is least priveliged.

  not to be confused with ordinary audit logs those require reports reader.