Pass Microsoft 365 Certified: Security Administrator Associate Certification Exams in First Attempt Easily
Last Update: Feb 1, 2023
Password Expiration Management in Microsoft 365
2. Demonstration of configuring Password Expiration in Microsoft 365
Here we are in the Microsoft 365 Admin Center. Again, that's admin.microsoft.com. This is going to be where you're going to control your password expiration settings. So if you look over to the left, you'll notice the little dropdowns. You have one drop-down called "Settings." So we're going to drop that down, and then we have another option called Settings. So oddly enough, you're going to click Settings, Settings. And this is going to be the starting point for changing these expiration periods. So when I click on Settings here, then I'm going to go up to this area here where it says Security and privacy. We're going to go ahead and select that. And then, as you can see, you've got a few options here. The one we care about right now, though, is the password expiration policy. We're going to go ahead and click on that, and here we are. So, password expiration policy. You'll notice that we haven't enabled the setting that's going to let us alter that yet. So we're going to select that, okay? From there, we have two options. Days before passwords expire: as you can see, that is going to be 90 days by default. And then days before a user is notified about expiration is set to 14 days. So we're going to go ahead now and we're going to set that to what we want. Let's say we want it to be 100, and then maybe we want the days before users are notified set to 20. Again, this is to just change it to whatever we want here. All right. At that point, there's really nothing left for you to do other than click Save Changes, and then it confirms that it's been saved and you're done. So at that point, you should be able to click it again and verify that it's there and that it's all saved. And you've now set your password expiration policy.
3. Stepping through the hands-on tutorial for configuring password expiration
Alright, in this case, we're going to click Show all, drop down Settings, click Settings again, Security and privacy, Password expiration policy. Check it. We would set this to 100, okay? And if we wanted to change the expiration period, we would do that. Now, if this was a task on the exam that I was told to do, if it doesn't say to change something like the days before users are notified, then don't change it. If they do tell you to change it, obviously you will change it. And as you can see, that's really easy to alter. At that point, we'd click "Save changes," close the window, and we'd be done. We've gone through the steps.
Password Lockout Management in Microsoft 365
1. Introduction to Password Lockout Management in Microsoft 365
Password lockout management is going to involve a user getting their passwords locked or getting their accounts locked for various reasons. And this is something that isn't really new in terms of dealing with user accounts. Again, this is another thing that we've had for decades and decades when it comes to dealing with accounts. And of course, Microsoft 365 and Azure AD have their own ways of handling all this, and they're actually pretty simplistic. Although I will say again that if you did synchronise your on-premises Active Directory using Azure AD Connect, then at that point, if you're synchronising all of that, then the on-premises domain is going to control those accounts and the lockout policies. But your cloud accounts are cloud-based accounts. Or if you aren't syncing with Active Directory, then you're going to control all of this through your portal here. So we're going to be taking a look at that in just a second. So it's going to be managed through the Azure Portal. There are a couple of things there. There is an account lockout threshold, and the account lockout threshold, I like to call this the strike counter. So you get a certain amount of strikes, and then you are locked out. Okay? So I can set that to three or five or seven or whatever, however many attempts or how many strikes you want to give your identities before they get locked out. And then you have the duration. Of course, the duration is the amount of time that you're going to be locked out.
So the threshold is the number of strikes. The duration is the amount of time an object is going to be locked out if that threshold is reached. Now, what are some of the common reasons for this happening? One reason would be if the user just locked themselves out. This can be fat-fingering the password a few times; this could be that the user forgot their password. Okay? Another thing would be if you have an application or service that is using your account. So one of the things you might recall me saying in an earlier video is that with identities, we can have identities that services are using, so many different services that are logging on and accessing cloud-based resources. If a password is changed and a service is using that account, the service will continue to attempt to connect, and it will, of course, lock your account out. Another reason would be situations where you changed your password in a new environment and haven't properly synchronised things between an old environment and a new environment. And again, that's going to go back into things like on-premises Active Directory and the fact that you can have multiple domains, you can have multiple forests, and you've set synchronisation up, you've altered things, and things aren't quite properly synchronized. One example of this is also with Azure AD Connect. When your on-premises Active Directory is linked to the cloud, what can happen is that you have to have an Azure account that's doing the synchronisation between the on-prem and the Microsoft Azure AD environments. Well, of course, if that account's password gets changed, the cloud doesn't know about it, and now things aren't synchronizing. This is going to throw a lot of things out of whack. Your on-premises accounts are no longer going to be synchronising to the cloud. And of course, one of the great things that you do have in Azure AD Connect is the ability to monitor the health of your synchronization. So this is something that you can watch for.
You can also have alerts that are set up in that way. There is a way for you to always keep an eye on this particular problem.
2. Demonstration of configuring the Password Lockout settings
Let's now take a look at the Azure AD lockout settings. So we're going to go up here; we're on portal.azure.com. We're going to click the menu bar. We're going to go to Azure Active Directory. OK, we're going to scroll down to where it says Security. And then you're going to click on Authentication methods, and from there you'll see Password protection. Okay? So if you look at these different settings, you have the account lockout threshold. Look closely; it tells you that these are going to be your failed sign-in attempts that are allowed on an account before it's first locked out. It says if the first sign-in after a lockout also fails, the account locks itself out again. Okay? Right here, you've got the duration. It tells you the minimum length in seconds of each lockout. If an account locks out repeatedly, this duration is going to increase. So it's going to progressively increase. Right here, you've got banned passwords. So it tells you that when you enable this, this is going to make it so that certain passwords will not be allowed. It's a great idea to turn this on when you want to prevent people from using easy-to-guess passwords or even talking about passwords that are common to the area where somebody lives—sports teams, things like that. You can put together a list there. Now down here at the bottom, you can also enable password protection on Windows Server Active Directory. So you can turn that on. It'll tie into your on-premises Active Directory. And then down here at the bottom, you've got the mode that this is on. If you enable this, it will enforce password protection for Active Directory, specifically Windows Server Active Directory. And if you want, you could go into either audit mode or enforce mode. Enforce mode is obviously going to enforce it. Audit mode is going to make it so it's basically just going to audit what's going on.
Okay, so as you can see here, if it is set to enforce, users will be prevented from setting banned passwords, and the attempt will be logged. So basically, it's going to tie to those banned passwords, and then the attempt will be logged. If set to audit, the attempt will only be logged. Okay? So that's the difference between enforced and imposed. Enforced users will be prevented from setting banned passwords and from attempting to log in. If audit is enabled, it will simply be logged. Okay? So that's going to be your difference, as you can see here. It's pretty easy to work with the authentication methods in Azure AD, or the lockout threshold in the authentication methods, I should say, in Azure AD. And you'll find pretty straightforward information here, as well as something that will definitely entice you to go and chat. And of course, you can also practise it by doing the little tutorial.
3. Stepping through the hands-on tutorial for Password Lockout in Microsoft 365
In our click-through tutorial here, we're going to go through and we're going to set the authentication password policy lockout threshold to three and the duration to 250 seconds. So we'll get started. We're going to go to portal.azure.com. We're going to click the menu. We're going to go to Azure Active Directory, scroll down to Security, Authentication methods, and turn on Password protection. We're going to configure what we want here, which is three, and we're setting our lockout duration to 220. Okay? Now, I want to say this. If I was doing this on the exam, I want to clarify again. If they don't tell you exactly what to do in regard to some of these other options, don't mess with them. If they were to say enforced and they wanted you to enforce it, then enforce it, but don't assume, okay? If they don't tell you to click enforce, then don't click enforce. In this case, the scenario did not call for enforcing this policy, so I've left it as the default, which is audit, which is just going to do monitoring and logging. It's not actually going to enforce the policy fully. So again, don't go through and do things that you're not being asked to do. So we're going to go ahead now and save it. And we've now completed that tutorial. Now you can give that a shot.
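The following is an added example, not part of the course material: a small Python model of the threshold and duration settings described above, replayed over constructed sign-in events to show how a user mistyping a password differs from a service retrying with a stale one. The doubling of the lockout duration, the event format, and the account and client names are assumptions made for illustration; the page only says the duration increases.

```python
from dataclasses import dataclass, field

THRESHOLD = 3      # lockout threshold used in the tutorial
DURATION_S = 250   # lockout duration in seconds used in the tutorial

@dataclass
class Account:
    failures: int = 0        # strikes since the last success or lockout
    locked_until: int = -1   # time at which the current lockout ends
    streak: int = 0          # lockouts since the last successful sign-in
    lockouts: int = 0        # total lockouts seen in the replay
    last_duration: int = 0   # length of the most recent lockout
    probation: bool = False  # True until the first sign-in after a lockout
    blocked: int = 0         # attempts rejected because the account was locked
    clients: set = field(default_factory=set)  # clients that produced failures

def _lock(acct, now, base):
    acct.streak += 1
    acct.lockouts += 1
    # Assumption: each repeated lockout doubles the duration.
    acct.last_duration = base * 2 ** (acct.streak - 1)
    acct.locked_until = now + acct.last_duration
    acct.failures = 0
    acct.probation = True

def replay(events, threshold=THRESHOLD, duration_s=DURATION_S):
    """Replay (time_s, user, client, succeeded) tuples through the lockout model."""
    accounts = {}
    for ts, user, client, ok in sorted(events):
        acct = accounts.setdefault(user, Account())
        if ts < acct.locked_until:        # still locked: attempt is rejected
            acct.blocked += 1
            continue
        if ok:                            # a good sign-in clears the strikes
            acct.failures, acct.streak, acct.probation = 0, 0, False
            continue
        acct.clients.add(client)
        acct.failures += 1
        # The first failure after a lockout re-locks immediately.
        if acct.probation or acct.failures >= threshold:
            _lock(acct, ts, duration_s)
    return accounts

def report(accounts):
    """Summarise locked accounts and flag the stale-service-password pattern."""
    out = {}
    for user, a in accounts.items():
        if a.lockouts == 0:
            continue
        out[user] = {
            "lockouts": a.lockouts,
            "blocked_while_locked": a.blocked,
            "last_duration_s": a.last_duration,
            # Heuristic (assumption): one client that keeps retrying through
            # repeated lockouts looks like a service holding an old password.
            "retry_pattern": a.lockouts >= 2 and a.blocked > 0
                             and len(a.clients) == 1,
        }
    return out

# Constructed sample events, not real sign-in logs.
EVENTS = (
    [(t, "alice", "browser", False) for t in (0, 20, 40)]
    + [(400, "alice", "browser", True)]
    + [(10, "bob", "browser", False), (30, "bob", "browser", False),
       (50, "bob", "browser", True)]
    + [(t, "svc-sync", "sync-agent", False) for t in range(0, 1000, 60)]
)

if __name__ == "__main__":
    for user, row in report(replay(EVENTS)).items():
        print(user, row)
```

In the replay, the mistyped password produces one 250-second lockout that ends with a good sign-in, while the retrying client never clears its strikes and is locked for longer each time.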
Role Based Access Control and Privileged Identity Management (PIM)
1. Introduction to Assigning Roles
You may or may not be familiar with the different access control models. So, for many, many years, dating back to the days of paper-based documentation, when access control was managed through paper-based solutions, organisations have used a variety of models and strategies to control permissions over specific objects as well as administrative rights over documentation. And one of the models we're going to take a look at here is the one that Microsoft sort of puts all of their focus on in regards to their cloud. It's known as RBAC (role-based access control). Along with that, they're also working on some other models and models that can be implemented in your environment. There's a model called DAC, which involves discretionary access control, which is really just all about ownership. The owner makes decisions. And if you look back at Active Directory in the past, you may note that one of the main ways that we dealt with rights in our environment was based on ownership. So we would create a file, and if you were the owner of the file, you had full control over it, and then you could grant other people access. And you can still use the DAC model to this day in your environment if you want, or in the cloud, obviously, as well. Now you've also got MAC, mandatory access control. Mandatory access control is where we're basing our rights and permissions on classification labels and being able to label documentation, classify. And then of course, when I think of MAC, I sort of think of the military because it will involve things like security clearances and security levels. So like in the military, you have secret, top secret, and all of that. And then finally we have RBAC, which is the one we care about right now. RBAC is role-based access control. And the way that role-based access control works is that the privileges or rights that you're given are based on the role you play in the organization.
Okay, so there are two different ways you can sort of look at and manage RBAC in your environment. One is from a user's perspective, where we're granting a privilege over some kind of resource in our Azure environment based upon roles. And then the other is from the administrative perspective. So in the MS-500 exam, they're going to put a big emphasis on dealing with it from the administrative perspective. So we're going to be focusing on that right now. So RBAC is going to allow an administrator to grant other administrators privileges over things in your environment, giving them control over your environment. This is going to include both Azure as well as your Microsoft 365 environment. What you're going to find is a mix of roles. Some of the roles are going to be in the Azure Portal, which is what we're going to sort of focus on right now. And then a little bit later, we're going to also focus on the Microsoft 365 side, where you're going to see that there are some roles that are specific to the security of Microsoft 365. One of my favourite things about roles is that they allow us to see exactly what privileges our users and administrators have. One of the annoying things about group-based access control, which goes back years and years with AD DS, Active Directory Domain Services, is that you would create a group, you'd put people in the group, and you would then assign permissions to the group and give them the rights they needed. But then here's the problem. There was nothing that really documented what rights those groups had. I mean, you could go to the Access Control List of the resource, like, let's say it's a file server, and you go to the share or the folder or whatever, the file, and look at the permissions over that file, the ACL, the Access Control List. But then the issue is that you'd have to do that for every file and folder where you were curious to see if that group actually had rights to that object.
There was no way for you to simply go to the group and see everything the group had gotten access to. Don't get me wrong, there were some tools out there that could sort of make this happen. You could actually make it happen with PowerShell if you wrote a script that went through. But you're talking loads and loads of processing power just to get it to spider its way across your environment to determine what rights that group had. And so what can happen is that you create a group, you grant permission, you add people to it, and then over time, more people get added to it, and it gets given more permissions and more permissions. Then, five years later, this object, this group, has gained access to all sorts of crazy things in your environment, and you have no way of knowing, and things get really difficult. So you could sort of achieve your goal with groups if you created a hierarchical group. But I'm going to tell you that, as a consultant all these years, I can say that almost nobody ever implemented that system unless I implemented it myself. Nobody ever designed a group hierarchy that worked to achieve an RBAC system. Now in Microsoft 365 and Azure, the great thing about roles is the way they've been designed, and I really feel like Microsoft got this right in the way they designed it. Okay, you create a role. You then assign rights to the role, and the role records exactly what rights it has. They are also documented on the role itself. They use JSON, if you're familiar with the Java language, JSON. The way it works with JSON, in this case with RBAC, is that every time I write something, it has to be added to that role. So there's no way that the role can be given rights to things and you not know, okay? And then from there, you can assign identities to that role and give those users their rights. So you could add users or groups or whatever you want to those roles. And of course, identities can have access to more than one role.
So if I have a user who needs to be able to control Intune but not Exchange, or maybe I have a user who needs to control Intune as well as SharePoint but not Exchange, I could give this user the Intune administrator role and the SharePoint administrator role but not the Exchange administrator role. So it gives me that ability to do this next thing, which is the principle of least privilege. So if you're not familiar with that term, that's another sort of cybersecurity term that you hear out there. Least privilege entails giving out the fewest rights while still allowing someone to do their job. So, giving them the fewest rights while still allowing them to do their job. All right? I do a lot of classes on military bases and things, and I know a lot of times I have to have them vouch for me to get into the military base, and they give me a pass. And sometimes I have to be escorted in a building to my classroom, and I'm surprised I don't have to be escorted to the bathroom. But in those classes, that's an example of least privilege. They're giving me the least amount of rights to get on the base: to get into my classroom, do my class, and then leave. So I've had the honour of teaching a lot of military guys, a lot of cyber security classes, and all of that. That's what comes to mind whenever I think of least privilege. But the logic is this: okay, so if you've got somebody who only needs to perform a certain action, then you should give out the bare minimum rights that they need, okay? As opposed to giving too many rights. I'll never forget the very first company I ever worked for in the 1990s as an administrator. I was a junior-level administrator, and they're like, "Congratulations, you're hired." So I get hired, and they give me access to this NT network, so I get access to a tool called User Manager Domain. Some of you guys might remember that old tool, and I opened it up, and I noticed that there are, like, 80 people who are domain admins, and I'm one of them.
So they're kind of like, "Congratulations, you're hired." And then all of a sudden, I'm a domain admin, and there are, like, 80 people who are domain admins. And I started looking through the list, and I was like, "Wait a minute." That guy is a sales guy. Why is he a domain admin? You know what I mean? So that's an example of not using least privilege. And I think sometimes people in their environments get too much into giving these rights out to just achieve something. The person wants to install programmes on their computer; let's make them a domain admin. That was sort of the logic. So, with the amount of cybersecurity issues we have today, you definitely want to use least privilege, and Microsoft strongly encourages it. And one tip I'll give you: On the exam, they always assume they want least privilege. So if you're looking at a scenario where they're saying, "Hey, this user needs the ability to go in and make changes to Intune as an administrator, but you don't want them having control over the entire Azure environment," or even if they don't say that, assuming least privilege is always what they want, that's going to be one tip I give you. So I'm not going to make the person a global administrator. The global administrator role is the most powerful role that you can have in Azure or Microsoft 365. You basically have, as I like to say, intergalactic cosmic powers over Azure and Microsoft 365 as a global admin. Yes, you can control Intune, but you can also control everything else. And that's too many rights for people. Now, another thing that's really cool about our environment is that Microsoft has implemented PIM, or privileged identity management. PIM allows us to achieve JIT, which is just-in-time administration. Just-in-time administration means I can give out role access temporarily. It can be scheduled, and it can go away after a certain amount of time.
Another thing that can happen is that a user can request permissions or privileges for a certain amount of time if they need to. So if you have an admin that's going on vacation, and this person is the one who creates accounts, for example, and then you could give this privilege over to somebody else while you're on vacation. This person could request that access, get it for a temporary amount of time, utilize that control, create the account, and then of course, the privileges go away. So just-in-time administration is all part of privileged identity management, which of course builds upon roles.
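The following is an added example, not part of the course material: a Python sketch of the least-privilege reasoning above, which reads role definitions from JSON, picks the role combination that covers a required set of actions with the fewest extra rights, and audits assignments for excess. The JSON layout, the action strings and the user names are constructed for illustration and are not the real contents of the built-in roles.

```python
import json
from itertools import combinations

# Constructed role definitions; action names are placeholders.
ROLE_JSON = """
[
 {"displayName": "Global Administrator",
  "rolePermissions": [{"allowedResourceActions": [
     "intune/manage", "sharepoint/manage", "exchange/manage",
     "users/create", "security/read", "security/manage"]}]},
 {"displayName": "Intune Administrator",
  "rolePermissions": [{"allowedResourceActions": ["intune/manage"]}]},
 {"displayName": "SharePoint Administrator",
  "rolePermissions": [{"allowedResourceActions": ["sharepoint/manage"]}]},
 {"displayName": "Exchange Administrator",
  "rolePermissions": [{"allowedResourceActions": ["exchange/manage"]}]},
 {"displayName": "Security Reader",
  "rolePermissions": [{"allowedResourceActions": ["security/read"]}]},
 {"displayName": "Security Administrator",
  "rolePermissions": [{"allowedResourceActions": [
     "security/read", "security/manage"]}]}
]
"""

def load_roles(text):
    """Map each role name to the set of actions its definition lists."""
    roles = {}
    for definition in json.loads(text):
        actions = set()
        for perm in definition["rolePermissions"]:
            actions.update(perm["allowedResourceActions"])
        roles[definition["displayName"]] = frozenset(actions)
    return roles

def least_privileged(required, roles):
    """Return (role names, excess actions) for the covering set of roles
    that grants the fewest actions beyond those required, or None."""
    required = set(required)
    best = None
    names = sorted(roles)
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            granted = set().union(*(roles[n] for n in combo))
            if not required <= granted:
                continue
            excess = granted - required
            key = (len(excess), size, combo)  # fewest extras, then fewest roles
            if best is None or key < best[0]:
                best = (key, combo, excess)
    return None if best is None else (list(best[1]), sorted(best[2]))

def audit(assignments, needs, roles):
    """Flag users whose assigned roles grant more than their job needs."""
    findings = {}
    for user, assigned in assignments.items():
        granted = set().union(*(roles[r] for r in assigned))
        need = set(needs.get(user, ()))
        excess = sorted(granted - need)
        if excess:
            pick = least_privileged(need, roles) if need else None
            findings[user] = {"excess": excess,
                              "suggested_roles": pick[0] if pick else []}
    return findings

# Constructed assignments and job needs (hypothetical users).
ASSIGNMENTS = {"alex": ["Global Administrator"],
               "sam-sales": ["Global Administrator"],
               "priya": ["Security Reader"]}
NEEDS = {"alex": ["intune/manage"], "priya": ["security/read"]}

if __name__ == "__main__":
    roles = load_roles(ROLE_JSON)
    print(least_privileged(["intune/manage", "sharepoint/manage"], roles))
    print(audit(ASSIGNMENTS, NEEDS, roles))
```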
2. Demonstration on role permissions as well as assigning roles to identities
So we've arrived at portal.azure.com. We're going to have a look at the different ways that we can control roles here in Azure. I'm going to go up here to the menu bar. We're going to go over to Azure Active Directory, Azure AD. And as you'll see here, there's a blade called Roles and administrators. We're going to click on that. And here you go. You now have a nice, long list of the various roles that Microsoft has created. All right? So notice some of the roles say "administrator." Some of them say "developer." All right? You'll also notice that you'll see the word "editor." You're going to notice a pattern here, Operator. So one thing I want to give you guys some advice on when you're preparing for this exam—and I'm not just talking about the hands-on stuff here, the labs, which is what I'm sort of focusing on. But what I want to warn you about is it's a good idea that when you're studying that you get familiar with some of these different roles and what they do. And one of the best ways to do that is to click on some of these roles, like, for example, a security administrator. Let's click on that one. You have assignments here. And as you can see, you can see who's assigned those rights. I'm going to click on Description. And this is what I really love about Microsoft. I really feel like they've got this right here. First off, they give me a nice little comprehensive description. Usually, this role has all the read-only permissions of the security reader role, plus the ability to manage configuration for security-related services such as Azure Active Directory, Identity Protection, Azure Information Protection, Privileged Identity Management, and Office 365 Security and Compliance. So you look at that little description. Now scroll down and notice that they tell you all the role permissions. So, as I mentioned earlier, Microsoft documents exactly what the role permissions are, and it's right here in front of you.
You can look through this list and see everything that this person can do, okay? This person is the one who was given this role. So as you can see, bunch of read permissions down here towards the bottom. But there's also some permissions that involve management up here, creating, deleting, updating, all that good stuff. Let's go back. We're going to click on the Contoso Roles and administrators preview breadcrumb here. We looked at the security reader. Now take a look at the security administrator. Sorry, we're going to take a look now at the security reader. Click that and do the same thing. Click Description and notice it says users with this role have global read-only access, including all information in Azure AD, identity protection, identity management, as well as the ability to read Azure Active Directory sign-in reports and audit logs. So you've noticed that this role is a reader. So based upon that naming convention, you're going to have reading privileges. That's one thing I want to give you right out of the gate here. As a good tip for the exam, an administrator is obviously going to have administrative rights, whereas a reader is going to have reading privileges. So this is great in a situation where you have a user identity that needs to be able to come in and see all this security-related stuff, but not necessarily make any changes to it. So another verbiage to look for here is the word "global." Global means they can see everything in your Azure and Microsoft 365 environment, like Global Reader. Okay. You have administrative roles: SharePoint administrator, Skype for Business administrator, all that good stuff. You have the Intune administrator, all right, which is the one I want to look at right now. This would be a role I wanted to give to a certain user. Let's say this was a lab scenario and the exam was asking you to add a user to the Intune administrator role.
So in other words, they might say, "Give the administrator role to," let's say, Alexandra Smith. So here's the user right there. We clicked "Add Assignments." We're going to assign that to Alexander Smith. We're going to click Add, and that user now has that role. Now, I also want to remind you that there's more than one way to achieve this. Depending upon where you're at, you could also have just done it over here in Azure Active Directory. Click on the user. There's the user right there. And then from there, I can add the user this way as well. So there's a simple solution: go to Assigned roles. There it is. So this way, too. One thing that's great about this is that it allows me to go in and see exactly what roles this user has already been assigned. In this case, being an administrator is the only role. But I could also click on "Add Assignments." And of course, again, that's another way that I could achieve this. All right, now we're also going to be taking a look a little later at the Portal.microsoft.com site. And from there, you're going to notice that if you go, you click Show All and click Security. The Security Compliance Center has a section called Permissions where you can grant role access. This is another place that roles can be controlled. We're going to take a deeper look at some of this. So here are some of the other roles that you didn't see on the Azure site. Some of them you did, and some of them you didn't. All right? Records management, eDiscovery, reviewer. So I encourage you to also come over here and learn about some of these different roles as well.
3. Stepping through the hands-on tutorial for assigning roles
We're now going to step through the hands-on tutorial involving adding a user to a role. So in this case, we're going to be adding the Alexander Smith user account to the Intune administrative role. So we're going to go ahead and click Start on that. We're going to go to portal.azure.com, click the menu bar, Azure Active Directory, Roles and administrators. We're going to scroll down here, and then we're going to choose Intune administrator because that's the role we're wanting to add the user to. Add an assignment, find the user that you want to add, and then click Add, and that's it. Now remember that when you're doing this, if this was something that you had to do on the exam, it really doesn't matter which way you do it. You could have done it just like in this tutorial, or you could have done it by going and finding the user themselves and adding the role. You could have also done it over in the Microsoft 365 environment. My goal with the tutorial is just to give you one way that works that you can practice. So that's the idea. Now you guys will get a chance. Give it a shot.