Chapter 19: Mock Exam – Microsoft 365 Security Administration: MS-500 Exam Guide

Chapter 19: Mock Exam

This chapter consists of 25 exam questions, designed to be as close as possible to the actual test. All of the questions are multiple choice, and some have more than one correct answer, all of which you will need to select in order to get the question right. Some of the questions that follow are in the form of a case study:

  1. You are operating on a hybrid Microsoft 365 environment. All of your devices run Windows 10 and are managed using Microsoft Intune. You need to create a Conditional Access policy that will enforce multi-factor authentication (MFA) when users connect to Microsoft 365 services from outside of your office premises. What should you do first?

    A. From the Azure portal, under Conditional Access | Named Locations, click on New Location, and add the IP ranges for all of your organization's premises.

    B. From the Azure portal, under Conditional Access | Policies, create a new policy to require MFA for all users, and set the policy to apply to all locations, excluding all trusted locations.

    C. From the Azure portal, under Conditional Access | VPN Connectivity, create a new certificate.

    D. From the Azure portal, under Conditional Access | Policies, set Baseline Policy: End user Protection to Enabled.

  2. Your organization has Microsoft 365 E5 licenses for all users. You want to implement Advanced Threat Protection (ATP) safe attachments throughout the organization. Your users must be able to open attachments with the minimum amount of delay, but it is crucial that all attachments are scanned so that any that contain malware can be blocked. What actions should you take within ATP?

    A. Set the delivery action to Monitor.

    B. Set the delivery action to Block.

    C. Set the delivery action to Replace.

    D. Set the delivery action to Dynamic Delivery.

  3. Your organization is running a traditional on-premises Active Directory (AD) environment using Exchange 2010 SP3 for email. You have been asked to plan the rollout and migration to Exchange Online on the Office 365 platform. You need to enable hybrid identity between AD and Azure AD by installing and configuring Azure AD Connect. It is vital that any users who are migrating to Exchange Online are authenticated via your on-premises AD environment when they connect to Office 365 services. Your solution must involve minimal effort in terms of time and additional infrastructure. Which identity method should you configure?

    A. Cloud only

    B. Password hash-synchronization (PHS)

    C. Active Directory Federation Services (AD FS)

    D. Pass-through authentication (PTA)

  4. Your organization is operating a Microsoft 365 environment using hybrid identity with your on-premises AD. All 500 users have had their mailboxes migrated to Exchange Online, and all data has been migrated to OneDrive and SharePoint Online. Each user in the organization has been assigned an Office 365 E3 license. There are no other license subscriptions currently available in your tenant. You need to roll out Azure Information Protection and enable unified labeling so that labels and label policies may be deployed from the Security and Compliance Center. The labels that you create need to be automatically applied to any user content that matches a number of sensitive information types built into Office 365. You purchase and assign Azure Information Protection (P1) licenses for all of your users. Does this achieve the goal?

    A. Yes

    B. No

  5. You need to create a retention policy in the Security and Compliance Center that will retain content containing sensitive financial information. The content must be retained for 7 years, based on when it was created, and, at the end of the retention period, the content should be deleted. You create a retention policy as shown in the following screenshot:

    Figure 19.1 – Creating a retention policy

    Does this achieve the goal?

    A. Yes

    B. No

  6. You are operating a Microsoft 365 environment and use Microsoft Intune to manage your organization's Apple iOS devices. You need to ensure that any jailbroken devices are blocked and marked as non-compliant. What should you do in Microsoft Intune?

    A. Create a Device compliance policy and configure the Device Properties settings.

    B. Create a Device compliance policy and configure the Device Health settings.

    C. Create a Device configuration profile and configure the Device Restrictions settings.

    D. Create a Device configuration profile and configure the Device Features settings.

  7. You are operating a Microsoft 365 environment in your organization that has 300 users, all of whom have Microsoft 365 E5 licenses assigned. You need to configure Azure AD Identity Protection to ensure that users will be required to change their password if a risk-level condition setting is matched. What must you do?

    A. Set up a sign-in risk policy in the Azure portal.

    B. Set up an MFA registration policy in the Azure portal.

    C. Set up a user risk policy in the Azure portal.

    D. Set up a Conditional Access policy in the Azure portal.

  8. Your organization uses Exchange Online mailboxes for all user email communications. The HR department has informed you that a user is suspected of sending confidential information via email to external recipients. You need to ensure that you are able to review any such messages, including any that the user may have deleted. What should you do?

    A. Perform a Content search from the Security and Compliance Center.

    B. Use the Exchange admin center to place the suspected user's mailbox on Litigation Hold.

    C. Perform an Audit log search from the Security and Compliance Center.

    D. Perform a Message Trace from the Mail flow section of the Security and Compliance Center.

  9. Your organization is using Microsoft Cloud App Security. You have been asked by the HR department to set up alerts whenever vast amounts of file downloads are completed by a user in a short period of time within your Microsoft 365 environment. You log in to the Cloud App Security portal at https://portal.cloudappsecurity.com and navigate to Control | Templates and click the + sign next to the template named Mass download by a single user to create an activity policy. Does this satisfy requirements?

    A. Yes

    B. No

  10. Your organization is using Microsoft Cloud App Security. You have been asked by the HR department to search for activity by a user on a particular file that is hosted in SharePoint Online within your Microsoft 365 environment. Where would you go in the Cloud App Security portal to check this information?

    A. Investigate | Files

    B. Investigate | Activity Log

    C. Investigate | Users and Account

    D. Investigate | Security Configuration

Case Study

The following is a case study followed by five questions.

Overview

Chrysalis Technologies is a technology company with 2,000 users across multiple global locations. These include 1,000 users in the main office in London, 500 users in Toronto, and 500 users in Mumbai.

Internal network configuration

Chrysalis Technologies' internal network consists of a single domain forest. The functional levels for both the forest and domain are set to Windows Server 2012 R2. The IP address ranges are shown as follows:

These locations are connected via MPLS. Chrysalis Technologies uses the following operating systems:

  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows 10 Enterprise

Exchange 2010 SP3 is used for email services. The following servers are present within the AD infrastructure:

Cloud configuration

Chrysalis Technologies has a Microsoft 365 tenant and has purchased Microsoft 365 E5 licenses for all of its users. However, only four users have been assigned licenses in the Office 365 tenant thus far.

Azure AD Connect has been configured to synchronize all on-premises user accounts to Azure AD using pass-through authentication. The Password writeback and Exchange Hybrid options were also selected when Azure Active Directory Connect (AADC) was configured.

Planned changes

Chrysalis Technologies plans to make the following changes:

  • Migrate all email users in the Toronto office to Exchange Online by setting up hybrid coexistence.
  • Set up Azure AD Privileged Identity Management.
  • Set up MFA for all privileged accounts using Conditional Access.

Security requirements

Chrysalis Technologies wishes to apply security settings as follows:

  • Set up a group called MFA users to include all the Azure AD user accounts from the Toronto office. This group will be used to ensure that all users from the Toronto office are required to use MFA when accessing their Office 365 accounts outside of any of the business locations.
  • Set up a group called AIP Pilot users to provide Azure Information Protection policies to a pilot group of users.
  • Implement a permanent eligible user administrator role for a user named James Smith who is based at the London office.
  • Ensure that a self-service password reset requires a minimum of two authentication methods for users to reset their own passwords.

General requirements

Chrysalis Technologies would like to minimize the deployment of any new servers to their Active Directory environment where possible:

  11. (CASE STUDY QUESTION 1) Which of the following IP address ranges need to be added as named or trusted locations in order to meet the security requirements for MFA? (Choose all that apply)

    A. 192.168.8.0/20

    B. 212.129.83.0/28

    C. 192.168.0.0/20

    D. 212.109.83.0/28

    E. 215.107.83.0/28

  12. (CASE STUDY QUESTION 2) You connect to Azure AD Privileged Identity Management and configure a role's eligibility, as shown in the following screenshot:

    Figure 19.2 – Azure AD Privileged Identity Management

    Does this meet the security requirements identified by Chrysalis Technologies?

    A. Yes

    B. No

  13. (CASE STUDY QUESTION 3) You create an Azure AD Security Group called MFA Users and add all users from the London and Mumbai offices to the group. You then create a Conditional Access policy that enforces MFA for all users in the tenant but excludes all trusted locations. Does this meet the security requirements identified by Chrysalis Technologies?

    A. Yes

    B. No

  14. (CASE STUDY QUESTION 4) You install a new Windows Server 2016 server and set up Exchange 2016 on it in readiness to run the Hybrid Configuration Wizard, which will establish rich coexistence between the Exchange on-premises and Exchange Online accounts for Chrysalis Technologies. Given that one of the general requirements of this project is to minimize the installation of any new servers where possible, is this new server still necessary in order to meet the planned changes?

    A. Yes

    B. No

  15. (CASE STUDY QUESTION 5) You configure the settings of Self-service password reset (SSPR) as shown in the following screenshot:

    Figure 19.3 – Self-service password reset

    Does this meet the security requirements defined by Chrysalis Technologies?

    A. Yes

    B. No

    Questions 16–20 present you with a common scenario, followed by an objective, and configuration settings that may, or may not, fulfil the objective:

  16. You have an Office 365 tenant. Users are assigned Microsoft 365 E5 licenses. Azure AD Connect has been set up to provide a hybrid identity methodology with the following settings:

    • Password hash synchronization: Enabled
    • Pass-through authentication: Disabled
    • Password writeback: Disabled
    • Exchange hybrid deployment: Enabled
    • User writeback: Disabled
    • Device writeback: Disabled
    • Directory extension attribute sync: Disabled
    • Hybrid Azure AD join: Disabled

    You need to ensure that the automatic joining of Windows 10 devices to Azure Active Directory is enabled. You enable pass-through authentication. Does this solution meet requirements?

    A. Yes

    B. No

  17. You have an Office 365 tenant. Users are assigned Microsoft 365 E5 licenses. Azure AD Connect has been set up to provide a hybrid identity methodology with the following settings:

    • Password hash synchronization: Enabled
    • Password writeback: Disabled
    • Exchange hybrid deployment: Enabled
    • User writeback: Disabled
    • Device writeback: Disabled
    • Directory extension attribute sync: Disabled

    You need to ensure that the automatic joining of Windows 10 devices to Azure Active Directory is enabled. You configure Hybrid Azure AD join. Does this solution meet requirements?

    A. Yes

    B. No

  18. You have an Office 365 tenant. Users are assigned Microsoft 365 E5 licenses. Azure AD Connect has been set up to provide a hybrid identity methodology with the following settings:

    • Password hash synchronization: Enabled
    • Password writeback: Disabled
    • Exchange hybrid deployment: Enabled
    • User writeback: Disabled
    • Device writeback: Disabled
    • Directory extension attribute sync: Disabled

    You need to ensure that the automatic joining of Windows 10 devices to Azure Active Directory is enabled. You enable Device Writeback. Does this solution meet requirements?

    A. Yes

    B. No

  19. You have an Office 365 tenant. Users are assigned Microsoft 365 E5 licenses. Azure AD Connect has been set up to provide a hybrid identity methodology with the following settings:

    • Password hash synchronization: Enabled
    • Password writeback: Disabled
    • Exchange hybrid deployment: Enabled
    • User writeback: Disabled
    • Device writeback: Disabled
    • Directory extension attribute sync: Disabled

    You need to ensure that the automatic joining of Windows 10 devices to Azure Active Directory is enabled. You enable the Directory extension attribute sync feature. Does this solution meet requirements?

    A. Yes

    B. No

  20. You have an Office 365 tenant. Users are assigned Microsoft 365 E5 licenses. Azure AD Connect has been set up to provide a hybrid identity methodology with the following settings:

    • Password hash synchronization: Enabled
    • Password writeback: Disabled
    • Exchange hybrid deployment: Enabled
    • User writeback: Disabled
    • Device writeback: Disabled
    • Directory extension attribute sync: Disabled

    You need to ensure that the automatic joining of Windows 10 devices to Azure Active Directory is enabled. You disable password hash synchronization. Does this solution meet requirements?

    A. Yes

    B. No

  21. You have a Microsoft 365 tenant with Office 365 E3 licenses assigned to all users. Users are already using Azure Rights Management features to protect content that they are sharing externally. You now need to configure Azure Information Protection with unified labeling within your Microsoft 365 environment. Automatic classification of content based on a match to the built-in sensitive information types must be a feature that is configured in your AIP labels and policies. Which of the following subscriptions will enable the use of automatic labeling? Choose all that apply.

    A. Azure Information Protection P1

    B. EM+S E3

    C. EM+S E5

    D. Microsoft 365 Business

    E. Azure Information Protection P2

    F. Microsoft 365 E5

    G. Microsoft 365 E3

  22. You have a tenant with Microsoft 365 E5 licenses assigned to all users. You are planning to use Windows Defender Advanced Threat Protection in your environment and, as part of this, you want to leverage the Microsoft Office 365 Attack Simulator to test the awareness of your users in relation to safely opening emails and attachments. Which of the following is a prerequisite for running the Attack Simulator tool?

    A. Enable multi-factor authentication (MFA)

    B. Implement Safe Attachments policies

    C. Implement Safe Links policies

    D. Configure Azure AD Identity Protection

  23. You have a Microsoft 365 subscription. You have enabled auditing in the Security and Compliance Center. You now need to ensure that it is enabled for all your Exchange Online users. What steps do you need to take?

    A. From the Exchange admin center, create a new mail flow transport rule.

    B. Run the Set-MailboxDatabase command from the Exchange Online PowerShell.

    C. Run the Set-Mailbox command from the Exchange Online PowerShell.

    D. In the Security and Compliance Center, create a new audit retention policy from the audit log search feature.

  24. You are a Microsoft 365 administrator for an organization based in Melbourne. You have been asked to create retention policies to protect the data within your organization. The retention policies must retain all Australian financial data for a period of 7 years. The content must be retained based on the date it was created. When the content reaches the end of the retention period, it must be automatically deleted. All Office 365 locations must be covered by a retention policy. What do you need to do in order to fulfill these requirements?

    A. Set up one retention policy in the Security and Compliance Center, and set it to apply to the default Office 365 locations.

    B. Set up one retention policy in the Security and Compliance Center, and set it to the option of Let me choose specific locations.

    C. Set up two retention policies in the Security and Compliance Center, and set the option of Let me choose specific locations on each policy.

    D. Set up one retention policy in the Exchange admin center.

  25. You are a Microsoft 365 administrator. You have been asked to implement DLP policies within your organization. The first DLP policy you need to create must prevent the accidental sharing of sensitive UK medical data. The policy must be applied to all available Office 365 locations and be set to detect content that is shared outside of your organization. The policy needs to be tested first and should not be fully activated at this time, but should instead be set to test mode and to notify with policy tips. You open the Security and Compliance Center and create a new DLP policy with the settings shown in the following screenshot:

    Figure 19.4 – Review your settings

    Does this achieve the required results?

    A. Yes

    B. No