Microsoft 365 Security Administration v1.0

Page:    1 / 24   
Exam contains 352 questions

You have a Microsoft 365 subscription linked to an Azure Active Directory (Azure AD) tenant that contains a user named User1.
You have a Data Subject Request (DSR) case named Case1.
You need to allow User1 to export the results of Case1. The solution must use the principle of least privilege.
Which role should you assign to User1 for Case1?

  • A. eDiscovery Manager
  • B. Security Operator
  • C. eDiscovery Administrator
  • D. Global Reader


Answer : A

Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/manage-gdpr-data-subject-requests-with-the-dsr-case-tool?view=o365-worldwide#step-1-assign- ediscovery-permissions-to-potential-case-members

HOTSPOT -
You have a Microsoft 365 subscription that contains the users shown in the following table.

You create and enforce an Azure Active Directory (Azure AD) Identity Protection user risk policy that has the following settings:
✑ Assignments: Include Group1, Exclude Group2
✑ User-risk: User risk level of Medium and above
✑ Access: Allow access, Require password change
The users attempt to sign in. The risk level for each user is shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:



Answer :

Box 1: Yes.
User1 is in Group1 which the policy applies to.

Box 2: No -
User2 is in Group2 which is excluded from the policy.

Box 3: No -
User3 is in Group1 which is included in the policy and Group2 which is excluded from the policy. In this case, the exclusion wins so the policy does not apply to
User3.

You configure several Advanced Threat Protection (ATP) policies in a Microsoft 365 subscription.
You need to allow a user named User1 to view ATP reports from the Threat management dashboard.
Which role provides User1 with the required role permissions?

  • A. Compliance administrator
  • B. Security reader
  • C. Message center reader
  • D. Reports reader


Answer : B

Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/view-reports-for-atp?view=o365-worldwide#what-permissions-are-needed-to-view-the- atp-reports

HOTSPOT -
Your network contains an on-premises Active Directory domain that syncs to Azure Active Directory (Azure AD) as shown in the following exhibit.

The synchronization schedule is configured as shown in the following exhibit.

Use the drop-down menus to select the answer choice that answers each question based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:



Answer :

HOTSPOT -
You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

You plan to implement Azure Active Directory (Azure AD) Identity Protection.
You need to identify which users can perform the following actions:
✑ Configure a user risk policy.
✑ View the risky users report.
Which users should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:



Answer :

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection

HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table.

You add internal as a blocked word in the group naming policy for contoso.com.
You add Contoso- as prefix in the group naming policy for contoso.com.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:



Answer :

User Admin and Global Admin are exempt from group password policies.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/solutions/groups-naming-policy?view=o365-worldwide

DRAG DROP -
You have a Microsoft 365 tenant.
User attributes are synced from your company's human resources (HR) system to Azure Active Directory (Azure AD).
The company has four departments that each has its own Microsoft SharePoint Online site. Each site must be accessed only by the users from its respective department.
You are designing an access management solution that has the following requirements:
✑ Users must be added automatically to the security group of their department.
✑ All security group owners must verify once quarterly that only the users in their department belong to their group.
Which components should you recommend to meet the requirements? To answer, drag the appropriate components to the correct requirements. Each component may only be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:



Answer :

Reference:
https://cloudbuild.co.uk/tag/create-a-dynamic-security-group-in-azure-ad/ https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview

HOTSPOT -
You have a Microsoft 365 E5 subscription that uses Microsoft Endpoint Manager.
The Compliance policy settings are configured as shown in the following exhibit.

On February 25, 2020, you create the device compliance policies shown in the following table.

On March 1. 2020, users enroll Windows 10 devices in Microsoft Endpoint Manager as shown in the following table

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:



Answer :

Box 1: Yes -
Device2 is in Group2 so Policy2 applies.
Device2 is not compliant with Policy2. However, the device wonג€™t be marked as non-compliant until 10 days after the device was enrolled.

Box 2: Yes -
Device1 is in Group1 and Group2 so both Policy1 and Policy2 apply.
Device1 is compliant with Policy1 but non-compliant with Policy2. However, the device wonג€™t be marked as non-compliant until 10 days after the device was enrolled.

Box 3: No -
Device1 is in Group1 and Group2 so both Policy1 and Policy2 apply.
Device1 is compliant with Policy1 but non-compliant with Policy2. th

March 12 -
is more than 10 days after the device was enrolled so it will now be marked as non-compliant by Policy2.

You have a Microsoft 365 tenant.
From the Azure Active Directory admin center, you review the Risky sign-ins report as shown in the following exhibit.

You need to ensure that you can see additional details including the risk level and the risk detection type.
What should you do?

  • A. Purchase Microsoft 365 Enterprise E5 licenses.
  • B. Activate an instance of Microsoft Defender for Identity.
  • C. Configure Diagnostic settings in Azure Active Directory (Azure AD).
  • D. Deploy Azure Sentinel and add a Microsoft Office 365 connector.


Answer : A

You have a Microsoft 365 E5 subscription.
You plan to create a conditional access policy named Policy1.
You need to be able to use the sign-in risk level condition in Policy1.
What should you do first?

  • A. Connect Microsoft Endpoint Manager and Microsoft Defender for Endpoint.
  • B. From the Azure Active Directory admin center, configure the Diagnostics settings.
  • C. From the Endpoint Management admin center, create a device compliance policy.
  • D. Onboard Azure Active Directory (Azure AD) Identity Protection.


Answer : D

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk

HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table.

You assign an enterprise application named App1 to Group1 and User2.
You configure an Azure AD access review of App1. The review has the following settings:
✑ Review name: Review1
✑ Start date: 01`"15`"2020
✑ Frequency: One time
✑ End date: 02`"14`"2020
✑ Users to review: Assigned to an application
✑ Scope: Everyone
✑ Applications: App1
✑ Reviewers: Members (self)
✑ Auto apply results to resource: Enable
✑ Should reviewer not respond: Take recommendations
On February 15, 2020, you review the access review report and see the entries shown in the following table:

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:



Answer :

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/governance/perform-access-review

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 subscription that contains the users shown in the following table.

You need to ensure that User1, User2, and User3 can use self-service password reset (SSPR). The solution must not affect User4.
Solution: You enable SSPR for Group3.
Does that meet the goal?

  • A. Yes
  • B. No


Answer : B

By default, self-service password reset is enabled for Directory writers and Security administrator but not for Azure Information Protection administrators and
Cloud application administrators. Therefore, we must enable SSPR for User3 by applying it to Group2 and not Group3 as User4 is in Group3. User4 would thus be affected if we enable it on Group3.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-reset-policy-differences

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 subscription that contains the users shown in the following table.

You need to ensure that User1, User2, and User3 can use self-service password reset (SSPR). The solution must not affect User4.
Solution: You enable SSPR for Group2.
Does that meet the goal?

  • A. Yes
  • B. No


Answer : A

By default, self-service password reset is enabled for Directory writers and Security administrator but not for Azure Information Protection administrators and
Cloud application administrators.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-reset-policy-differences

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 subscription that contains the users shown in the following table.

You need to ensure that User1, User2, and User3 can use self-service password reset (SSPR). The solution must not affect User4.
Solution: You enable SSPR for Group1.
Does that meet the goal?

  • A. Yes
  • B. No


Answer : B

By default, self-service password reset is enabled for Directory writers and Security administrator but not for Azure Information Protection administrators and
Cloud application administrators. Thus, we must enable SSPR for User3 by applying it to Group2.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-reset-policy-differences

You have a Microsoft 365 subscription that contains the users shown in the following table.

You enable self-service password reset for Group1 and configure security questions as the only authentication method for self-service password reset.
You need to identity which user must answer security questions to reset their password.
Which user should you identify?

  • A. User1
  • B. User2
  • C. User3
  • D. User4


Answer : B

Self-service password reset (SSPR) is only enabled for Group1 (User1 and User2). User1 cannot use security questions for SSPR because User1 has an administrative security role. Therefore, only User2 can use SSPR with security questions as the authentication method.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-reset-policy-differences

Page:    1 / 24   
Exam contains 352 questions

Talk to us!


Have any questions or issues ? Please dont hesitate to contact us

Certlibrary.com is owned by MBS Tech Limited: Room 1905 Nam Wo Hong Building, 148 Wing Lok Street, Sheung Wan, Hong Kong. Company registration number: 2310926
Certlibrary doesn't offer Real Microsoft Exam Questions. Certlibrary Materials do not contain actual questions and answers from Cisco's Certification Exams.
CFA Institute does not endorse, promote or warrant the accuracy or quality of Certlibrary. CFA® and Chartered Financial Analyst® are registered trademarks owned by CFA Institute.
Terms & Conditions | Privacy Policy