Pass Microsoft 365 MS-101 Exam in First Attempt Easily
Free VCE files for Microsoft 365 MS-101 certification practice test questions and answers, exam dumps are uploaded by real users who have taken the exam recently. Download the latest MS-101 Microsoft 365 Mobility and Security certification exam practice test questions and answers and sign up for free on Exam-Labs.
Identifying Threat Vectors
1. Today's Threat Landscape
In today's modern IT environment, we really have to understand how the threat landscape has changed dramatically. No longer are we living in a world where everybody accesses things from internally connected systems within your office environment. Data is being shared with employees, partners, and customers across the board. We have to think about the fact that it's going to be much harder for us to control this data now. And we need to be able to extend the reach of our controls a little bit beyond our normal boundaries. Employees want that always-on, anytime connectivity, oftentimes through a shadow IT environment. We may find them connecting applications and services to our corporate data that we're not prepared to necessarily support or defend against. We also have to think about the fact that that boundary has changed. Instead of worrying about setting up a firewall and having everything inside that firewall be protected, why not worry about the outside world? That on-premises environment is no longer the limit of our capabilities. We now have to think about that mobile environment. We have users connecting all across the globe to our corporate assets.
We want employees to be able to be more efficient, and that means giving them that access. But now we have to think about extending our protections to help cover those areas in that environment. We have these unmanaged devices that sometimes connect to our environment. An employee is on a trip, they go to the hotel business center, and they need to connect in order to gain access to some resources. We're certainly not going to have management control over that hotel lobby computer. So we have to think about that in terms of "how do we protect our assets from that environment?" And not only is it our intellectual property that we have to think about now, we have to be very cognizant of the fact that there is personally identifiable information out there. And we have to protect not only our information but our employees' information at the same time.
2. What is Spoofing?
One of the threats we face today is spoofing. Spoofing is when somebody sends you some information and you think it came from one source when it actually came from another. We have to understand that, by design, the SMTP mail protocol was intended to support spoofing, so it's not an accident that people can do this. It had a legitimate purpose. Spoofing allows a message to appear to come from a trusted source when, in fact, it came from a different location. There are absolutely legitimate reasons to do so. Perhaps our corporation wanted to hire some marketing agents to send messages out to our employees but have it appear as if the messages were coming from the CEO of the company.
So there are legitimate reasons why you might want that to happen. The problem is that the attacker takes advantage of the feature. The attacker can send a message to a user and have that user think it came from somebody internal to the organisation when, in fact, it came from somebody outside the company. This works because the email message actually has two different sender addresses. The first is the 5321.MailFrom address. This is the actual mail header address; it is the return address. When the user clicks "return" or "reply" on that message, it's going to go to whoever is listed at the 5321.MailFrom address. The other is the 5322.From address, the one the user actually sees in the mail client. So the message can appear to come from somebody inside the company, but when the user replies, the reply actually goes to somebody outside the organization. This represents a significant threat: somebody inside the organisation may think a message came from, say, their boss, who has asked them to send the corporate payroll information. They do so, attach it, and send it on its way, when actually it has now left the organisation and gone to somebody outside with malicious intent. So while spoofing was designed as part of the SMTP protocol, there is now a big concern with attackers using it to their advantage.
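The two-sender-address mismatch described above can be checked mechanically on a delivered message. The following is an added example, not part of the original course material; it assumes the receiving server recorded the envelope sender in the `Return-Path` header, goes slightly beyond the text by also checking `Reply-To`, and uses constructed sample messages with a hypothetical internal domain `contoso.example`.

```python
from email import message_from_string
from email.utils import parseaddr


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def aligned(a, b):
    """Relaxed match: identical domains, or one is a subdomain of the other.
    Simplification: no public-suffix list, so only pass registrable domains."""
    if not a or not b:
        return False
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def spoof_findings(raw_message, internal_domains):
    """Return a list of findings comparing the visible From (5322.From)
    with the envelope sender (Return-Path) and the Reply-To header."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    env_dom = domain_of(msg.get("Return-Path"))
    reply_dom = domain_of(msg.get("Reply-To"))

    def is_internal(dom):
        return any(aligned(dom, i) for i in internal_domains)

    findings = []
    if from_dom and env_dom and not aligned(from_dom, env_dom):
        findings.append("from-envelope-mismatch")
        # Visible sender claims to be one of us, envelope sender is not.
        if is_internal(from_dom) and not is_internal(env_dom):
            findings.append("internal-from-external-envelope")
    # Reply-To, when present, is where a mail client addresses a reply.
    if from_dom and reply_dom and not aligned(from_dom, reply_dom):
        findings.append("reply-to-mismatch")
    return findings


INTERNAL = {"contoso.example"}  # hypothetical tenant domain

# Constructed sample: visible sender is internal, envelope and Reply-To are not.
SPOOFED = "\n".join([
    "Return-Path: <accounts@mail-relay.example>",
    'From: "Pat Lee (CEO)" <pat.lee@contoso.example>',
    "Reply-To: <pat.lee@contoso-payroll.example>",
    "To: finance@contoso.example",
    "Subject: Payroll export needed today",
    "", "Please send the payroll file.",
])

# Constructed sample: envelope sender is a subdomain of the visible sender.
LEGIT = "\n".join([
    "Return-Path: <bounces@mail.contoso.example>",
    'From: "Pat Lee (CEO)" <pat.lee@contoso.example>',
    "To: finance@contoso.example",
    "Subject: Quarterly update",
    "", "See the attached summary.",
])

# Constructed sample: the legitimate marketing-agency case from the text.
# It yields the same envelope findings as SPOOFED, so a mismatch is a
# signal to review against known senders, not a verdict on its own.
AGENCY = "\n".join([
    "Return-Path: <bounces@agency-mailer.example>",
    'From: "Pat Lee (CEO)" <pat.lee@contoso.example>',
    "To: all-staff@contoso.example",
    "Subject: Company picnic",
    "", "Save the date.",
])

if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("LEGIT", LEGIT), ("AGENCY", AGENCY)):
        print(name, spoof_findings(raw, INTERNAL))
```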
3. What is Phishing?
One type of attack we're seeing arise is phishing. Phishing is when an attacker goes out there and sends you an email that appears to come from a trusted source. For example, it may be coming from a bank, or maybe it's coming from somebody within the organization, or at least it appears that way. The idea is that they make the email look like it came from that trusted source. And the idea here is that they're trying to get the user to either click on a link or download a file. When they go about the process of getting you to click on the link, the link may, for example, look like it came from your bank. And when you click on the link, it looks like it's taking you to your bank's website.
And the website may absolutely look like your bank. However, when you enter your information, what you're actually doing is providing them with that data. They're now scraping your username and your password information from that site, and they're able to use it to actually take advantage of and take control over that resource. So phishing becomes something that's a very big problem within a lot of organizations, because they're going to enter your credentials. Think about it. I sent you a message that appears to be an encrypted message from Office 365. I get the user to click on that message to decrypt it. And in order to decrypt it, they have to provide their username and password. Now the malicious user has that information, and they have access to that wide range of data in that environment.
Now the other possibility is that they can use those sites that, when you click on them, download a rootkit, a virus, or some type of Trojan horse into your system to give them remote access to that environment as well. So there are lots of problems with that. Now there's also this notion of spear phishing. Spear phishing, sometimes referred to as "whaling," is when the attackers, rather than just doing a blanket attack across an entire large organization, do a little research to find out who the critical people within that company are, and they target just those individuals. They try to target people who will have access to resources: managers, CEOs, CIOs, and the like. Those people have access to lots of information that the attackers can take advantage of. So they're going to target those executives and high-profile individuals to gain access to a lot of that corporate-sensitive information, ultimately trying to deliver some malware into the organisation or gain access to those resources. We're going to talk in other videos about the protection we can have against phishing.
4. How do Spam and Malware Cause Harm?
One area where you're going to need some protection has to do with spam and malware. While spam is not intended to be harmful in and of itself, it can be a productivity killer. If a user had to sift through hundreds of messages to find the one or two that were actually work product, while the other 97% were just junk mail, you can see how their productivity would go way down. But spam isn't actually trying to hurt the organization. The senders are just trying to get a user to click into it and maybe buy something, read about something, share an opinion, or something like that. It's not intended to do harm. Compare that to malware. Malware, or malicious software, is actually intended to do harm to the environment. Malware is going to deliver a payload that may delete information, encrypt information, or give somebody remote access to your environment. Malware is trying to send some code in there to deliver that Trojan or that spyware into the victim's computer and possibly give somebody remote access to that system over an extended period of time. So we're going to think about how we can protect our organisations against spam and malware.
5. How do Account Breaches Cause Harm?
When you think about your corporate network and the protections that you put in place to try to protect it, oftentimes you're thinking in terms of perimeter networks and delineations between your internal network and your external network to try to stop people from gaining access to information. Now that we're going to be thinking about moving a lot of our email and our documents into Office 365 with Exchange Online, OneDrive, and SharePoint, we have to rethink what an account breach can actually do to the organization. Once an account is compromised, somebody has those credentials. They now have access to the system. Now in an on-premises environment, that means access to on-premises networking computers, but in a cloud, that typically means access to large amounts of data. Once they have that access, the bad actor or attacker will attempt to gain an elevation of that privilege. They're going to try to get access to additional accounts that will give them other features and capabilities. In an on-premises attack, that attacker may do things like use some tools that will actually scan the on-premises system looking for administrative credentials that have been cached locally, right?
It will use a tool to grab those administrative credentials, as well as any cached hash tokens, to do some type of hash attack on the environment. In the cloud, they're looking for global administrators. They're looking for the ability to go out there and find somebody within the organisation who might be a global administrator, because once they get that realm of capability, they have full control over your Office 365 environment. Once they do that, they start moving across your network or across your 365 environment, setting up multiple paths of attack. In other words, now that I'm in, I want to make sure that if you discover that I've gotten into your environment and you close that door, I have another way in that you may or may not be aware of. So they're not going to be happy with just one method of getting into the organisation once they've cracked it. They're going to make sure that they have alternate paths in case the door gets closed on them. And the other thing we have to realise is that these attackers are not always external people. We frequently have people within the organisation who are looking for information and attempting to expose things within the organization. So it's not just external people, but internal people as well. We often have to "walk around" in terms of the different account breaches we may be facing.
6. Data Exfiltration, Deletion, and Spillage
With the large amount of data that we're putting into the cloud, there are lots of things that we have to worry about if a bad actor were to gain control of our environment. One of those things is data exfiltration. When someone gets a hold of your environment, they'll immediately try to start extracting as much information from it as possible. They're going to have access to anything that the compromised account has access to: your SharePoint sites, that OneDrive, and anything that's stored in their email or their Teams environment. They're going to have access to a lot of information out there. So when that account gets compromised, we have a lot to worry about. Now, after they've extracted all of the data that they want, sometimes what they want to do is deny you access to the data. So then we have to deal with data deletion, which tries to prevent you from having access. They could go, for example, into your SharePoint site and delete something. When you delete something in SharePoint, it goes into the recycle bin. But if they have the appropriate account, they can empty it out of the recycle bin and then empty it out of the stage two recycle bin, in which case there's no longer any access to that information. Now, instead of actually deleting the data, one of the other things you may see is that they'll deny you access to the data via ransomware. In other words, they'll encrypt the data in place, and the only way you get access to it is by paying them a ransom, in return for which they will provide you with a decryption key so that you can get access to it.
One of the other things you may find is that data may leave your organization, or what we call "spillage." Now, sometimes data spillage occurs as a result of data leaving an area with a high level of protection and moving to an area with no protection. It is common to discover that it was done on purpose, but it can also be accidental. A user takes a document from a document library in SharePoint, where all they have are read permissions on it. They can look at it; they can view it; but they can't edit it. The user downloads a copy of that document to their computer, and all of a sudden they have read-write permissions on that document. They didn't intend to do that, but just by trying to view the document and save it locally so they have access to it later, they've exposed that information in a way that you may not have wanted. So data exfiltration, data deletion, and data spillage are all areas that we have to start concentrating on as we start moving all of our resources into the cloud.
Using Secure Score
1. What is Secure Score?
With Microsoft 365, there is a large range of different options that Microsoft provides to help keep your environment secure. One of the things that Microsoft offers is the ability for you to understand exactly what the security posture is for your organization. They give us a rating, what we call a "Secure Score," for your organization. That Secure Score will enable you to compare it to other organisations as well as get a sense of where you stand within the range of possible security options within the Microsoft 365 environment. It includes steps on how you can make your organisation more secure. So it's not just going to give you some random number and say, okay, that's your security number. It's also going to show you ways that you can actually make your environment safer and more protected for your users and your data. It will allow you to compare your score to other organisations of similar size to get a sense of where you stand. A lot of times, when people initially look at their Secure Score number, they get somewhat panicked when they see a very low number. Say, for example, you have a Secure Score of 35 out of a possible 700. Most people would think of that as being extremely insecure until they realise that that number is probably on par with most people within the Microsoft 365 environment. They provide us with a nice quick-look dashboard where we can see not only what our Secure Score is right now, but also how it has changed over time and what we can do to actually improve the environment. We also have the ability, if you have an on-premises event management system, another type of security and incident management system, or another external system that you're using to collect security data about your organization, to connect to the Secure Score API and extract data from this environment to expose it in that other environment.
2. Using the Secure Score Dashboard and Analyzer
Let's take a look at how you can actually access your secure score for your organisation and see where you stand in terms of your security posture. If I were to go into my Microsoft 365 Admin Center, I'm going to scroll down to my other admin centres and open up Security and Compliance. When I click on Security and Compliance, unless you've changed it, one of the default screens is actually going to show you on the home screen a Secure Score. Look, you're going to have the ability to go out there and just take a quick look at your secure score and see where you stand. Now if you scroll down to the bottom of that, you'll see it breaking it down into various sections, but you'll also see the opportunity to go out there and move to the Secure Score dashboard itself to see the entire site. If we click on that, it'll open up a new tab for us.
Now when we go into the Microsoft Secure Score, it's going to put us into the overview environment. In the overview environment, it's going to break down what my total score is versus what my possible score is. So I've got 111 out of 707 right now. A lot of people would look at that and say, "Wow, if Microsoft says you could have a security score as high as 707 and right now you're at 111, you're probably not doing a whole lot," but in reality, that's a fairly good score when it comes to Microsoft Secure Score, and I'll show you what I mean by that. If we were to go over here and look at our history and open that up, what you will see in this graph is that my score, which is the purple line here, has dropped at some points and gone up a little bit. My score compared to the global average is much higher. The aqua line there shows that the global average is only somewhere in the neighborhood of about 33.
So my score of 111 is a lot more secure than most people's within the 365 environment. You can see the industry average. If you provide your industry information, it's going to also compare your score with the industry average for other people in the same industry. And you can see we're probably about on par right now with this client in terms of where they stand with their security posture. And then, of course, there are similar seat counts, that is, people who have the same number of licences that I do. You can see that on average they are in the neighbourhood of somewhere around 41, and again, I'm at 111. So I'm certainly more secure than that. If I scroll down a little lower, I'm going to see some improvement actions, and I can see some score changes that occurred and some things that have modified my secure score in the Cloud Apps security console. So we got a 20-point boost instead of going out there and doing the secure change. And in another video, we'll look at some other things that we can do to help improve our secure number.
3. Increasing Your Security Posture
And looking at your Secure Score, a lot of people are initially concerned about the fact that the number is so low. Just understand that there are lots of things you can do to help increase your security posture with Microsoft. And in fact, what they've done is given you a ranked list of things that you might want to consider to help increase it. If we were to go into our Microsoft Secure Score environment and click on our Improvement Actions, in the Improvement Actions, what we're actually going to get is a numbered list from Microsoft of what they believe, in their opinion, are the things that you should do and the order in which you should do them to try to increase that security within your organization. Now understand that right now we have, in this case, over 77 different items listed.
Microsoft is not expecting that you're going to go through the process and actually set up and configure all 77 of them today. Microsoft says that you should really look at your security posture for the first 30 days, for 90 days, and then beyond. So do some things that will make you very secure in the first month that you're using the environment. And then as we go down that list, there are things that you might want to consider in the next 90 days and then beyond. So by no means are they anticipating that somebody is going to come in here and just turn all of these features and functions on, because that very well could break a process within your organisation. If we look at some of the improvements, like the first one, there is a requirement for multi-factor authentication for Azure Active Directory privileged roles. Now what you'll note here is that it has a potential score of 50, and I have a zero for it right now, which means we don't have it turned on for our tenant account. I have to go through the process of actually turning it on if I want to do that.
Now, when I click on it, you'll note that it opens up a window. I can read a little bit about what that's all about and what turning this feature on will do for me. But more importantly, I can actually go out there and view the settings. Now when I click here to view the settings, it's actually going to take me out to the place where I turn that feature on. In this case, with multi-factor authentication, they're taking me over to what's called the Conditional Access Policy, where I can activate a policy that requires multi-factor authentication for any privileged role. So if I turn this on and you're assigned a global administrator, a user management administrator, or a password administrator role, for example, the next time you go to log on, you would be required to set up multi-factor authentication in order to be able to log in. So it gives us not only a suggestion as to what to do, but it's going to take you to the location where you can actually set up the feature. You'll notice something called "Resolve through a third party" next to "View settings". Perhaps your organisation has an on-premises multi-factor authentication solution. Maybe you're using Active Directory Federation Services, and you have secure ID cards on premises that your users actually have to use to authenticate. So you're already using multi-factor authentication for your users, and you don't have to turn on the Office 365 version of that just to get the 50 points.
You can indicate that, no, I've actually resolved this through a third party, and by saying yes, you've resolved that through a third party, multifactor authentication will be considered completed for your organization. Now you might say, wait a minute, how come the Secure Score is still zero of 50? After you complete a task, that is, after you've either turned on multi-factor authentication for privileged accounts, in this case, or satisfied it through a third party, it takes about 24 hours for it to pick up that information and for it to actually update the Secure Score and give you the points. At that point in time, I would get the 50 points for having activated or satisfied the requirement of multifactor authentication. Now that's just one of the options out there, and you can see they rank them in order of what Microsoft thinks would provide you the most bang for the buck: the most increase in your security with the least impact on your organization. So go through here and take a look at those. Maybe not all of these are things that you want to integrate or use within your organization, but the more of these that you can turn on over time, the more secure your Office 365 environment is going to become.
Configuring Azure Identity Protection
1. What is Azure Identity Protection?
As you start leveraging Microsoft 365 for your business, what you're going to find is a massive amount of data being moved to the cloud. Think about all of the information contained in your Exchange Online messages. Consider the amount of data that your users will actually store in their OneDrive for Business or SharePoint Online environments. Perhaps you have a group that's using Teams to work on a brand-new product launch in the environment. That means there are going to be chat conversations about it, there are going to be documents about it, and they're going to be sharing some Planner or some scheduling tasks with it. Massive amounts of information are stored in the cloud, and all of that information is for the most part protected by nothing more than a username and a password. That's where Azure Identity Protection can come in handy. Azure Identity Protection understands that we're really going out there and using cloud-based authentication with Azure Active Directory.
All of our users, whether they're authenticating through pass-through authentication, federated authentication, or cloud-only accounts, are ultimately being authenticated and granted access through Azure Active Directory. So with Azure Identity Protection, we can monitor those accounts, get an idea of what's actually happening with those accounts, and try to understand when those accounts log in. Is this sign-in a normal sign-in attempt, or is it a risky sign-in attempt coming from a different location, from some faraway land where that user has never travelled, for example? Looking at these users' activities and the things that they're doing, is their behaviour normal, or are they trying to offload massive amounts of data from your environment?
And that's where Azure Identity Protection can come in and give us a hand. We can actually respond to those types of risks in an automated way. Having the ability to set up policies gives businesses the ability to detect those vulnerabilities. So I don't have to manually monitor or watch all these sign-ins. I don't have to sit there and review audit logs and figure out who's signing in from where. Azure Identity Protection is going to actually provide that vulnerability and risk assessment for us. When there is a risky event, we can be alerted to that and have the ability to start investigating whether that event is something that we should be blocking or something that we want to allow.
And based on that, we have the ability to build conditional access policies. So we can allow users to log in, and depending on their sign-in attempt, whether it's a low-risk or a high-risk sign-in, we may change things. For a low-risk sign-in, a username and password will get you in without a hitch. For a high-risk sign-in, perhaps we're going to force them to use multifactor authentication to gain access to the environment. And when we start working with Azure Identity Protection, it's going to give us lots of different types of vulnerabilities and risk assessments within that environment. It will alert us to the fact that a user hasn't registered or configured multi-factor authentication. Then it's going to take a look at the possibility that a username and password have been leaked. Microsoft actually scans the dark web looking for 365 accounts and passwords and checking those accounts to see if they're valid credentials, and if they are, it can alert you to the fact that somebody in your organisation has a username and password that has been leaked and needs to be modified or fixed in some way. Next is sign-in from an anonymous IP address, where someone is attempting to hide their location using an anonymizer and not identifying where they are coming from. This could be considered a very risky event, and we can set up a conditional access policy to deny that or to require some additional authentication through it.
Next is impossible travel to atypical locations. I just signed in to my account in Boston, and then ten minutes later somebody's trying to sign into my account in Ireland. I certainly don't have a time machine at this point in time, so I don't have the ability to be in both of those locations at one time. So that type of sign-in risk could be seen as something that we need to mitigate. Now, atypical travel: if I am typically always signing in from one geographic area over a period of time, Azure Identity Protection is going to pick that up and understand that, and then if all of a sudden I'm signing in from some different part of the country, that could raise the risk level of that sign-in attempt. So if it's from an unfamiliar location, we're going to alert somebody, or possibly cause a conditional access policy to kick in for that user. Next is sign-in from an infected device. So maybe I'm using somebody else's computer and I'm trying to authenticate, and that device is reporting that it has an infection through Windows or some other medium to let us know that that's an infected device.
Certainly that's a risky sign-in attempt, and we may want to block that user from being able to connect to our environment and having access to our resources. These vulnerabilities also give us the ability to understand if we have sign-ins from IP addresses with suspicious activity. We're not talking about just one or two suspicious activities. Microsoft monitors and, on a daily basis, comes up with a list of IP addresses where bad actors are trying to attack their systems. So if somebody is trying to sign into your environment from one of those locations, Azure Identity Protection can pick that up and, if we create a policy, automatically respond to it and force the user, for example, to go through multi-factor authentication or to change their password. So there are lots of different vulnerabilities and risks that Azure Identity Protection can help us manage for a more secure Microsoft 365 sign-in experience.
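The impossible-travel check described above (Boston, then Ireland ten minutes later) can be reasoned about as a speed calculation between consecutive sign-ins. The following is an added example, not Microsoft's detection logic and not part of the original course material; the sign-in records are constructed, and the 900 km/h ceiling and 100 km minimum distance are assumptions chosen for illustration.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner cruising speed
MIN_DISTANCE_KM = 100.0    # assumption: ignore geo-IP jitter within a metro area


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(sign_ins, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Flag consecutive sign-ins by one user that would need a speed above
    max_kmh. Returns a list of alert dicts in time order."""
    last_seen = {}
    alerts = []
    for ev in sorted(sign_ins, key=lambda e: e["time"]):
        prev = last_seen.get(ev["user"])
        last_seen[ev["user"]] = ev
        if prev is None:
            continue
        km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
        if km < min_km:
            continue  # too close to say anything about travel
        hours = (ev["time"] - prev["time"]).total_seconds() / 3600
        kmh = float("inf") if hours == 0 else km / hours
        if kmh > max_kmh:
            alerts.append({"user": ev["user"], "from": prev["city"],
                           "to": ev["city"], "km": round(km), "kmh": kmh})
    return alerts


def _t(stamp):
    return datetime.fromisoformat(stamp)


# Constructed sign-in records (hypothetical users, approximate coordinates).
SIGN_INS = [
    # Ten minutes apart across the Atlantic: not physically possible.
    {"user": "alice@contoso.example", "city": "Boston", "lat": 42.3601,
     "lon": -71.0589, "time": _t("2024-03-01T09:00:00+00:00")},
    {"user": "alice@contoso.example", "city": "Dublin", "lat": 53.3498,
     "lon": -6.2603, "time": _t("2024-03-01T09:10:00+00:00")},
    # Same route eight hours apart: consistent with a flight.
    {"user": "bob@contoso.example", "city": "Boston", "lat": 42.3601,
     "lon": -71.0589, "time": _t("2024-03-01T09:00:00+00:00")},
    {"user": "bob@contoso.example", "city": "Dublin", "lat": 53.3498,
     "lon": -6.2603, "time": _t("2024-03-01T17:00:00+00:00")},
    # Five seconds apart, a few km apart: high speed, but below min_km.
    {"user": "carol@contoso.example", "city": "Boston", "lat": 42.3601,
     "lon": -71.0589, "time": _t("2024-03-01T09:00:00+00:00")},
    {"user": "carol@contoso.example", "city": "Cambridge", "lat": 42.3736,
     "lon": -71.1097, "time": _t("2024-03-01T09:00:05+00:00")},
]

if __name__ == "__main__":
    for alert in impossible_travel(SIGN_INS):
        print(alert)
```

The minimum-distance filter matters in practice: without it, two sign-ins seconds apart from neighbouring IP geolocations would be reported as impossible travel.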