MS-500 : Microsoft 365 Security Administration : Part 06
-
HOTSPOT
You have a Microsoft 365 subscription that uses a default domain name of litwareinc.com.
You configure the Sharing settings in Microsoft OneDrive as shown in the following exhibit.
-
HOTSPOT
You have a Microsoft 365 subscription that uses an Azure Active Directory (Azure AD) tenant named contoso.com.
OneDrive stores files that are shared with external users. The files are configured as shown in the following table.
You create a data loss prevention (DLP) policy that applies to the content stored in OneDrive accounts. The policy contains the following three rules:
Rule1:
– Conditions: Label1, Detect content that’s shared with people outside my organization
– Actions: Restrict access to the content for external users
– User notifications: Notify the user who last modified the content
– User overrides: On
– Priority: 0
Rule2:
– Conditions: Label1 or Label2
– Actions: Restrict access to the content
– Priority: 1
Rule3:
– Conditions: Label2, Detect content that’s shared with people outside my organization
– Actions: Restrict access to the content for external users
– User notifications: Notify the user who last modified the content
– User overrides: On
– Priority: 2
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Explanation: When content is evaluated against rules, the rules are processed in priority order. If content matches multiple rules, the most restrictive action is enforced. In this scenario, Rule2 is the most restrictive.
-
You have a Microsoft 365 subscription for a company named Contoso, Ltd. All data is in Microsoft 365.
Contoso works with a partner company named Litware, Inc. Litware has a Microsoft 365 subscription. Microsoft OneDrive has the default settings.
You need to allow users at Contoso to share files from Microsoft OneDrive to specific users at Litware.
Which two actions should you perform from the OneDrive admin center? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- Increase the permission level for OneDrive External sharing
- Modify the Links settings
- Change the permissions for OneDrive External sharing to the least permissive level
- Decrease the permission level for OneDrive External sharing
- Modify the Device access settings
- Modify the Sync settings
-
You have a Microsoft 365 subscription.
Some users access Microsoft SharePoint Online from unmanaged devices.
You need to prevent the users from downloading, printing, and syncing files.
What should you do?
- Run the Set-SPOTenant cmdlet and specify the -ConditionalAccessPolicy parameter.
- From the SharePoint admin center, configure the secure control settings.
- From the Microsoft Azure portal, create an Azure Active Directory (Azure AD) Identity Protection sign-in risk policy.
- From the Microsoft Azure portal, create an Azure AD Identity Protection user risk policy.
Explanation: As a SharePoint or global admin in Microsoft 365, you can use the Access control page of the SharePoint admin center or the Set-SPOTenant cmdlet with the -ConditionalAccessPolicy parameter to block or limit access to SharePoint and OneDrive content from unmanaged devices.
Note:
There are several versions of this question in the exam. The question has two possible correct answers:
1. Run the Set-SPOTenant cmdlet and specify the -ConditionalAccessPolicy parameter.
2. From the SharePoint admin center, configure the Access control settings.
Other incorrect answer options you may see on the exam include the following:
1. From the Microsoft Azure portal, create an Azure Active Directory (Azure AD) Identity Protection user risk policy.
2. From the Microsoft Azure portal, create an Azure Active Directory (Azure AD) conditional access policy.
-
HOTSPOT
You have the Microsoft Azure Information Protection conditions shown in the following table.
You have the Azure Information Protection labels shown in the following table.
You have the Azure Information Protection policies shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
-
HOTSPOT
Your company has a Microsoft 365 subscription, a Microsoft Azure subscription, and an Azure Active Directory (Azure AD) tenant named contoso.com.
The company has the offices shown in the following table.
The tenant contains the users shown in the following table.
You create the Microsoft Cloud App Security policy shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
-
A user stores the following files in Microsoft OneDrive:
– File.docx
– ImportantFile.docx
– File_Important.docx
You create a Microsoft Cloud App Security file policy Policy1 that has the filter shown in the following exhibit.
To which files does Policy1 apply?
- File_Important.docx only
- File.docx, ImportantFile.docx, and File_Important.docx
- File.docx only
- ImportantFile.docx only
- File.docx and File_Important.docx only
-
SIMULATION
You need to create an Azure Information Protection label to meet the following requirements:
– Content must expire after 21 days.
– Offline access must be allowed for 21 days only.
– Documents must be protected by using a cloud key.
– Authenticated users must be able to view content only.
To complete this task, sign in to the Microsoft 365 admin center.
- See explanation below.
Explanation:
1. If you haven’t already done so, open a new browser window and sign in to the Azure portal. Then navigate to the Azure Information Protection pane.
For example, in the search box for resources, services, and docs: Start typing Information and select Azure Information Protection.
2. From the Classifications > Labels menu option: On the Azure Information Protection – Labels pane, select the label you want to change.
– On the Label pane, locate Set permissions for documents and emails containing this label, and select Protect.
3. Select Protection.
4. On the Protection pane, select Azure (cloud key).
5. Select Set permissions to define new protection settings in this portal.
6. If you selected Set permissions for Azure (cloud key), this option lets you select users and usage rights.
To specify the users that you want to be able to open protected documents and emails, select Add permissions. Then on the Add permissions pane, select the first set of users and groups who will have rights to use the content that will be protected by the selected label:
– Choose Select from the list where you can then add all users from your organization by selecting Add <organization name> – All members. This setting excludes guest accounts. Or, you can select Add any authenticated users, or browse the directory.
When you choose all members or browse the directory, the users or groups must have an email address. In a production environment, users and groups nearly always have an email address, but in a simple testing environment, you might need to add email addresses to user accounts or groups.
– Change the File Content Expiration setting to 21 days.
– Change the Allow offline access setting to 21 days.
When you have finished configuring the permissions and settings, click OK.
This grouping of settings creates a custom template for the Azure Rights Management service. These templates can be used with applications and services that integrate with Azure Rights Management.
7. Click OK to close the Protection pane and see your choice of User defined or your chosen template display for the Protection option in the Label pane.
8. On the Label pane, click Save.
9. On the Azure Information Protection pane, use the PROTECTION column to confirm that your label now displays the protection setting that you want:
– A check mark if you have configured protection.
– An x mark to denote cancellation if you have configured a label to remove protection.
– A blank field when protection is not set.
When you clicked Save, your changes are automatically available to users and services. There’s no longer a separate publish option.
-
You have a Microsoft 365 subscription.
You have a Microsoft SharePoint Online site named Site1.
You have a Data Subject Request (DSR) case named Case1 that searches Site1.
You create a new sensitive information type.
You need to ensure that Case1 returns all the documents that contain the new sensitive information type.
What should you do?
- From the Security & Compliance admin center, create a new Search by ID List
- From Site1, modify the search dictionary
- From the Security & Compliance admin center, create a new Guided search
- From Site1, initiate a re-indexing of Site1
-
SIMULATION
You need to ensure that a user named Allan Deyoung can perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations. The solution must use the principle of least privilege.
To complete this task, sign in to the Microsoft 365 admin center.
- See explanation below.
Explanation:
1. After signing in to the Microsoft 365 admin center, navigate to the Security & Compliance Center.
2. In the left pane of the security and compliance center, select Permissions, and then select the checkbox next to eDiscovery Manager.
3. On the eDiscovery Manager flyout page, do one of the following based on the eDiscovery permissions that you want to assign.
To make a user an eDiscovery Manager: Next to eDiscovery Manager, select Edit. In the Choose eDiscovery Manager section, select the Choose eDiscovery Manager hyperlink, and then select + Add. Select the user (or users) you want to add as an eDiscovery manager, and then select Add. When you’re finished adding users, select Done. Then, on the Editing Choose eDiscovery Manager flyout page, select Save to save the changes to the eDiscovery Manager membership.
-
SIMULATION
You need to prevent any email messages that contain data covered by the U.K. Data Protection Act from being sent to recipients outside of your organization, unless the messages are sent to an external domain named adatum.com.
To complete this task, sign in to the Microsoft 365 admin center.
- See explanation below.
Explanation:
1. After signing in to the Microsoft 365 admin center, navigate to Compliance Management in the Exchange admin center.
2. Click the “Data Loss Prevention” option.
3. To add a new custom DLP policy, click the (+) plus button to open the context menu.
4. Click the “New Custom DLP policy” option. In the window that appears, enter the policy name, description, state, and mode. Click Save to create the policy and continue.
5. You will be returned to the “Data Loss Prevention” screen, which now lists the newly added policy.
6. Double-click the added row to open the policy details, then click the Rules option in the left part of the screen.
7. Click the (+) plus button to add a new rule. Select the “Block messages with sensitive information” rule.
8. On the following screen, we can add conditions, actions, exceptions, and rule activation and deactivation dates.
9. Click “Select Sensitive information Types” to specify the sensitive information details.
10. Click the (+) plus button and add the following Sensitive information Types:
– U.K. National Insurance Number (NINO)
– U.S. / U.K. Passport Number
– SWIFT Code
11. Click on Ok
12. Add an exception for recipients in the adatum.com domain
13. Add recipients for incident reports and click ok
14. Click save
15. Click save
-
SIMULATION
You need to ensure that a user named Allan Deyoung receives incident reports when email messages that contain data covered by the U.K. Data Protection Act are sent outside of your organization.
To complete this task, sign in to the Microsoft 365 admin center.
- See explanation below.
Explanation:
1. In the Security & Compliance Center > left navigation > Data loss prevention > Policy > + Create a policy.
2. Choose the U.K. Data Protection Act template > Next.
3. Name the policy > Next.
4. Choose All locations in Office 365 > Next.
5. At the first Policy Settings step, accept the defaults.
6. After clicking Next, you’ll be presented with an additional Policy Settings page.
– Deselect the Show policy tips to users and send them an email notification option.
– Select the Detect when content that’s being shared contains option, and configure the number of instances to be 10.
– Select the Send incident reports in email option.
– Select the Choose what to include in the report and who receives it link to add Allan Deyoung as a recipient.
7. > Next
8. Select the option to turn on the policy right away > Next.
9. Click Create to finish creating the policy.
-
SIMULATION
You need to ensure that a global administrator is notified when a document that contains U.S. Health Insurance Portability and Accountability Act (HIPAA) data is identified in your Microsoft 365 tenant.
To complete this task, sign in to the Microsoft Office 365 admin center.
- See explanation below.
Explanation:
1. In the Security & Compliance Center > left navigation > Data loss prevention > Policy > + Create a policy.
2. Choose the U.S. Health Insurance Portability and Accountability Act (HIPAA) template > Next.
3. Name the policy > Next.
4. Choose All locations in Office 365 > Next.
5. At the first Policy Settings step, accept the defaults.
6. After clicking Next, you’ll be presented with an additional Policy Settings page.
– Deselect the Show policy tips to users and send them an email notification option.
– Select the Detect when content that’s being shared contains option, and decrease the number of instances to 1.
– Select the Send incident reports in email option.
7. > Next
8. Select the option to turn on the policy right away > Next.
9. Click Create to finish creating the policy.
-
DRAG DROP
You have a Microsoft 365 subscription.
You need to include a custom sensitive information type in Data Subject Request (DSR) cases.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
-
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 tenant. You create a label named CompanyConfidential in Microsoft Azure Information Protection.
You add CompanyConfidential to a global policy.
A user protects an email message by using CompanyConfidential and sends the label to several external recipients. The external recipients report that they cannot open the email message.
You need to ensure that the external recipients can open protected email messages sent to them.
You create a new label in the global policy and instruct the user to resend the email message.
Does that meet the goal?
- Yes
- No
-
HOTSPOT
Your network contains an on-premises Active Directory domain named contoso.com. The domain contains the groups shown in the following table.
The domain is synced to a Microsoft Azure Active Directory (Azure AD) tenant that contains the groups shown in the following table.
You create a sensitivity label named Label1.
You need to publish Label1.
To which groups can you publish Label1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Explanation: The groups must be mail-enabled.
Labels can be published to any specific user or email-enabled security group, distribution group, or Microsoft 365 group (which can have dynamic membership) in Azure AD.
-
HOTSPOT
You have a Microsoft 365 subscription.
You identify the following data loss prevention (DLP) requirements:
– Send notifications to users if they attempt to send attachments that contain EU Social Security Numbers (SSN) or Equivalent ID.
– Prevent any email messages that contain credit card numbers from being sent outside your organization.
– Block the external sharing of Microsoft OneDrive content that contains EU passport numbers.
– Send administrators email alerts if any rule matches occur.
What is the minimum number of DLP policies and rules you must create to meet the requirements? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
-
You have a Microsoft 365 subscription.
Some users access Microsoft SharePoint Online from unmanaged devices.
You create a conditional access policy in Azure Active Directory.
You need to prevent the users from downloading, printing, and syncing files.
What should you do?
- From the Microsoft Azure portal, create an Azure Active Directory (Azure AD) Identity Protection user risk policy.
- From the Microsoft Azure portal, create an Azure Active Directory (Azure AD) conditional access policy.
- From the SharePoint admin center, configure the Access control settings.
- From the Microsoft Azure portal, create an Azure Active Directory (Azure AD) Identity Protection sign-in risk policy.
Explanation: As a SharePoint or global admin in Microsoft 365, you can use the Access control page of the SharePoint admin center or the Set-SPOTenant cmdlet with the -ConditionalAccessPolicy parameter to block or limit access to SharePoint and OneDrive content from unmanaged devices.
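The two unmanaged-device questions on this page both point at the same tenant-level setting. The following is an added example, not part of the exam page, showing how an admin would check and apply that setting from the SharePoint Online Management Shell. It assumes the module is installed and that the admin URL is a placeholder for your own tenant; the values AllowFullAccess, AllowLimitedAccess, and BlockAccess are the documented options for -ConditionalAccessPolicy.

```powershell
# Added example (not from the exam page).
# Assumes the SharePoint Online Management Shell module is installed.
# <tenant> below is a placeholder for your tenant name.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# Record the current tenant-wide setting before changing anything.
# AllowFullAccess is the default and imposes no unmanaged-device restriction.
Get-SPOTenant | Select-Object ConditionalAccessPolicy

# AllowLimitedAccess gives unmanaged devices browser-only access:
# download, print, and sync are blocked, which is what the question asks for.
# BlockAccess would deny unmanaged devices entirely.
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# Confirm the change took effect.
(Get-SPOTenant).ConditionalAccessPolicy
```

Because the setting applies to every site in the tenant, read the current value first so the change can be reverted if it affects users unexpectedly; the SharePoint admin center Access control page exposes the same setting for admins who prefer the portal.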
Note:
There are several versions of this question in the exam. The question has two possible correct answers:
1. Run the Set-SPOTenant cmdlet and specify the -ConditionalAccessPolicy parameter.
2. From the SharePoint admin center, configure the Access control settings.
Other incorrect answer options you may see on the exam include the following:
1. From the SharePoint admin center, configure the secure store settings.
2. From the Microsoft Azure portal, create an Azure AD Identity Protection user risk policy.
3. From the Microsoft 365 Compliance admin center, create a data loss prevention (DLP) policy.
-
You have a Microsoft 365 tenant.
You have a database that stores customer details. Each customer has a unique 13-digit identifier that consists of a fixed pattern of numbers and letters.
You need to implement a data loss prevention (DLP) solution that meets the following requirements:
– Email messages that contain a single customer identifier can be sent outside your company.
– Email messages that contain two or more customer identifiers must be approved by the company’s data privacy team.
Which two components should you include in the solution? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- a sensitive information type
- a sensitivity label
- a retention label
- a DLP policy
- a mail flow rule
-
You create a data loss prevention (DLP) policy as shown in the following exhibit:
What is the effect of the policy when a user attempts to send an email message that contains sensitive information?
- The user receives a notification and can send the email message
- The user receives a notification and cannot send the email message
- The email message is sent without a notification
- The email message is blocked silently