Microsoft 365 MS-500 Practice Test Questions, Microsoft 365 MS-500 Exam dumps
Introduction to the course
1. Creating a free Microsoft 365/Azure account for practice
First order of business: if you want to practice all the activities, I want you to know that I've provided you a way to do that without having a full-blown Microsoft 365 account. My little activities are click-based and web-based, and you can do them 24 hours a day, seven days a week, as much as you want. However, if you really want to get down and dirty with Microsoft 365 and Azure and all that, it's great for you to go through the process of creating your own Microsoft 365 trial account. So Microsoft has an easy way for us to do this. We essentially can create an account that will give us access to Office 365 E5 and Microsoft 365, and then we can activate an EMS license, Enterprise Mobility + Security. So I'm going to show you how to do that. It's really easy.
It only takes a few minutes. The first thing you would want to do is create a free email account. Of course, if you've got an email already that's not assigned to a Microsoft 365 or Azure account, then you could use that, obviously. But one thing you could simply do is go to somewhere like Outlook.com, Gmail, or Yahoo, create yourself a free email account, and from there you're going to go to this little URL right here. This is tinyurl.com. Try office three six five E five. Okay, so that'll take you directly to the place that you need to go to sign up for this. Okay. The only other thing you're going to need when you do this (you don't need a credit card or anything like that) is a cell phone that can receive text messages, because it will perform a verification. As far as I know, I've never seen a limit on how many accounts can be tied to a cell phone. I've probably got 30 accounts tied to my cellphone number myself, so I wouldn't worry too much about having already used your cell phone with another account.
But you will have to have a cellphone, because they're going to send a code to your cell phone, a one-time password. You don't have to put that in. Okay, so we're not going to take a look at that. We'll take a look at the link and the steps, and I'll show you how to activate the EMS license, which is going to be important to get access to a lot of the security and compliance stuff. So when you put in the tiny URL link that I gave you, this is where you're going to end up. You'll be looking at this Office 365 E5 page, and from there we're going to click on Free Trial. If it detects that you've already created a Microsoft 365 account, it's going to ask you if you want to use that. I'm going to say no. I would want to sign up myself. So then at that point, if you're signed into an existing account, it's going to log you out of that account, tell you to close your browser and all that, and it'll redirect you. And then at that point, this is where you would put in the free email address that you've created.
It'll ask for some personal information about you. And then at that point, it will require that one-time password. So it will text your cell phone. Okay, so pretty easy. Just fill out the form, and at that point you'll get your 30-day trial. But there's another step you have to do. Once you get logged in and signed into your free account, which again only takes a few minutes, you're going to go to portal.azure.com. You're going to click the little menu button, click on Azure Active Directory, and then go to Licenses. As you can see, if I look over here to the right, I've got an option that says "Get a free trial." We're going to click on "Get a free trial." And then what you're going to want is this Enterprise Mobility + Security E5 subscription. This is going to give you access to all the security things that we're going to be playing around with. So we drop that down, and you would activate it. You need to give it about an hour to activate. Microsoft kind of says this will take effect very quickly, but what I found is it takes longer than that to go through, so I would say give it about an hour. The good news is that you'll be able to do most of what you'll be doing here at the start of this course with ease. But some of the later things, such as the Security & Compliance Center, are going to be towards the end of the course. You won't be able to do that until this is fully and utterly activated. Don't believe it when it says it's activated; you've got to give it time. It takes time before these features will show up. Once you've activated that, come over here to where it says All products, and you'll see Enterprise Mobility + Security. You may not have all of these here.
That's not a problem. You don't need access to these things right here to get access to the stuff we're using in the course. The big one is this guy right here. You need to make sure that you assign your admin account to this subscription. Your admin account information is right up here. So, you would go here to Enterprise Mobility + Security. You would click "Assign." You would assign that to your admin account. Okay, now how do you know that this has actually shown up? How do you know it's ready to go? Well, if you go to portal.microsoft.com, drop down "Show All," and then click on Security, that's going to bring you into the Security & Compliance Center.
At that point, you'll see a bunch of options here that you can select. But keep in mind that regardless of whether your EMS subscription is activated or not, you're going to see some options here anyway. The one you want to look for—that's sort of a guarantee that everything is activated—is this guy here, eDiscovery. If you don't see eDiscovery, then your subscription is not fully activated yet. So you need to give it some more time. Okay? Like I said, give it about an hour. Okay. Once that's done, you'll be able to do all the hands-on work that we do in the course and get a good bit of experience with everything. And again, you have access to all that for 30 days. So I highly encourage you to take the time to do that, even though you will be able to practice all the little activities that I do in class using the little tutorials I provide you with. But this is definitely a good way for you to really get down and dirty with Microsoft 365.
Creating and Managing User Identities
1. Introduction to Creating and Managing User Identities
So Microsoft is now starting to use this term "identity." I don't know if any of you guys have noticed that, but in the past they've always used the term "user account" or just "account," and that's the way it's always been. For well over 20 years, even into the 1990s and maybe even a little bit in the late 80s, they've used the term "user account" to represent things. But you've noticed a shift, probably as we've moved more into the cloud world. Microsoft started to use this term, "identity." And that term "identity" actually fits better with something known as Identity Federation, which is a web-based standard for managing accounts.
So if you're wondering why they've done that, it's mostly to be built upon this web-based standard that everything is now sitting on. So Microsoft has really moved towards redesigning its directory services using web-based standards. In fact, Azure AD is completely and utterly built and programmed using web-based services, web-based standards, and web programming, the same technologies that power a lot of our websites, connecting our websites together and making our web servers talk. This is all built upon those standards. I mean, I don't know about you guys. When I first heard about Azure AD, my mindset was, "Oh, I see what they're going to do. They're going to take Active Directory Domain Services and basically put them in virtual machines out on the cloud, and we're going to have the good old LDAP (Lightweight Directory Access Protocol) with Kerberos and these same technologies we've had for 20 years." In my brain, I'm thinking they're just going to virtualize all that. Well, I couldn't have been further from the truth. Microsoft redid everything. Azure AD is a completely different beast than it once was. A lot of people don't like hearing that because everybody sort of feels comfortable with Active Directory. A lot of people do. I mean, I know that after teaching Active Directory for 20 years, I've really grown accustomed to the way that they've done things. And so it's strange to me that they would make this shift. But then when you start researching a little bit of the logic there, you find that they really needed to. As good as Active Directory was, it really needed an overhaul as far as being able to be utilised out on the web and allowing large organisations to partner up and manage their resources together. Now, here's the good news. If you do have an on-premises Active Directory, you have Active Directory Domain Services.
Well, you can actually synchronise your on-prem accounts to the cloud. So a lot of people are worried about the whole concept of SSO, single sign-on, meaning, "Oh no, my accounts. I'm going to have to have users that are on premises remember one set of credentials, and then people in the cloud are going to have to know another. And if I've got a single person who needs both services, the person is going to have to keep up with multiple accounts." And actually, that's not true. You can use this thing called Azure AD Connect. You can set up the server called Azure AD Connect on premises. You can synchronise your on-premises AD with Azure Active Directory. Of course, a lot of people are nervous about that too, because they're thinking, "Oh well, this is going to completely leak everything out to the cloud." And really, you have complete control over exactly what on premises is going to get synchronised out to the cloud. You can even do a pilot group where you have certain people get synchronised first. Of course, I would advise it. Who better to be the pilot group than your IT department, right? But you can slowly move things in. You can move things along at your own pace. Nobody says you have to just throw the keys to the kingdom out there.
And another thing you can do is, if you're under certain compliance rules, like HIPAA compliance or something like that, then you have the ability to make it so your accounts don't actually synchronise their passwords out to the cloud. So the passwords will stay on premises with Active Directory, and they won't synchronize. There's a federated option there that you can use: AD FS, Active Directory Federation Services. Or a newer solution is to use something called "pass-through authentication," which will make it so your passwords don't actually synchronise out to the cloud. Though there are some benefits to synchronising your passwords. Now, there are multiple ways to manage identities in the cloud. So Microsoft has two main graphical ways that you're going to deal with your identities. The first is the Azure AD Portal, the website portal.azure.com, and the second is the Microsoft 365 Admin Center, which is admin.microsoft.com. You're going to find that you can really jump back and forth between them. You'll probably find that the Azure AD Portal has a few more advanced things you can do there.
The Microsoft 365 Portal is definitely a little bit more intuitive and more user-friendly. I advise people, if they have, say, an HR department that's going to be hiring people and maybe building user accounts, that perhaps that's going to be a better solution for them. Because again, it's a little bit more user-friendly for somebody who's not as techy. But there are some more advanced things you can do in the Azure AD Portal. So we're going to take a look at both of those. Now, a third thing you can do is, if you've synchronised your on-premises Active Directory with Azure AD using Azure AD Connect, just do it the normal way. You're going to create your accounts on premises, and they're going to synchronize out to the cloud, so your accounts will be in both places. Granted, if you want, you can also have "cloud-only accounts," which are accounts that are only in the cloud but not on premises. And then finally, of course, we have good old PowerShell. Pretty much anything you can do through the graphical portals, you can do using PowerShell. You'll first have to connect to your subscription using PowerShell, but once you've linked up, you have lots of different commands that can control all aspects of your different identities. Now, another part of this would involve licences and roles. In order for users to have access to the different features in your cloud, you have these things called licenses. So you have subscriptions where you are subscribed to a certain set of features, and then you licence those features out to your users. So, for example, I can have an Office 365 E3 or E5 subscription, and then I can licence that out to my users, and I can even be very specific. I can go into those subscriptions, and I can disable certain features that I may or may not want them to have.
For example, maybe you want your users to have Office online, but you don't want them to have the downloadable versions of Office. You could go into the subscription and turn off what is known as Office 365 ProPlus. And at that point, they would lose access to the downloadable versions of Office. And that goes for all the security licenses and things like that. Microsoft has EMS, the Enterprise Mobility + Security suite, which is a whole suite of different security licences that can be utilized in the cloud, things such as Intune and multi-factor authentication. These are all things we're going to be taking a look at. And then finally, we have roles.
Roles are used to give out assignments. This is based on the principle known as RBAC. RBAC is role-based access control. Role-based access control basically means that you're going to give rights out based on the role somebody plays. And a user can be assigned to multiple roles if you want. So there are two ways of looking at this. The way we're going to mostly look at it, which is sort of geared more towards the exam in this case, is the administrative controls. So when you have a user who needs admin rights and you want to grant them rights over a certain aspect of your cloud environment, you're going to assign them a role, or multiple roles if you want to give them additional rights. For example, I may have somebody who is the administrator over Intune in our environment. I can assign them the Intune Administrator role, and that's going to give them power over Intune, but it's not going to give them power over anything else. And then there are also user roles, which are roles specific to giving permissions to certain resources in the Azure environment.
2. Demonstration of Creating and Managing User Identities
Okay, so let's take a look at the different portals and how we're going to manage user accounts through those portals. So I'm just going to go ahead and start with portal.azure.com. Put that in. As you can see, it's loading Azure.
Now what we're going to do is take a look at the menu bar. This little guy right here is called the menu bar. I'm going to drop that down and I'm going to click on Azure AD. All right. From there, as you can see, I can go right over here and click on Users. And I can see all the different users that have been created in my environment. If I want to go ahead and create a user, I can simply say "New user." This is one of the activities you could be asked to perform. So if I wanted to create a username called Aaron 365, I'm going to say this person's name is Aaron Jones. I hope I spelled that right. Let's say Aaron Jones. So you put the username in, and you can auto-generate the password.
You can say, "Let me choose the password." You can also show what password has been auto-generated if you want. Now if you want to assign it to a group, you can do that here. Or you can assign it to a role here, or you can do that later down the road. You can also, of course, block the sign-in if you want. Don't allow the user to log in just yet. You can also assign a usage location. I'm going to tell you that if you're going to start assigning licences to your users, you must first assign a usage location. You cannot assign any licenses to your users unless they have a usage location. You'll get an error if you try to do that. So it's pretty important that you do that. I don't know why they don't make that mandatory here. They do in the Microsoft 365 portal. They just don't here. So you could specify the job title and department, as well as those attributes, and that's it. That's about all they let you do there. So we'll just say "Create," and we've created our user. We've got our user set up now, and away we go. Now that, again, is through the Azure Portal. If we want, we can click on this user account again. We could edit more of their information right here.
Job info, settings, here's contact information, all that good stuff. If we want to assign a role, we click on "Assign Roles," and we can assign this user a role here. If we want to assign groups, we can assign groups here. I'm going to have a lesson on groups coming up, so you guys will see that as well. Okay, so that's going to be done through the Azure Portal. As you can see, pretty easy, pretty straightforward. Let's take a look at the Admin Portal. Now we'll start by going through portal.office.com. I'll just show you this real quick. If you go through portal.office.com, this is what a user sees when they go in and see all their Office online apps. And then an administrator has this nice little icon here.
So this is a way you can get into your Admin Center from portal.office.com. Or you can simply just type admin.microsoft.com, and that's going to bring you in here that way as well. So now you have this nice little Users dropdown, and we'll just click on Active Users, and you'll see the same users here as you did in Azure AD. Essentially, they're tied to the same place. So then we would click "Add User." All right, add a user. And then, of course, you fill in the information here essentially the same way. So I'm going to say Alexandra Smith, and then username Alexandra. Okay, simple enough. Password. You can say, "Let me choose a password," same thing we did a little earlier. It's going to check to make sure it's available. We would click "Next." This is where we can assign some of our product licenses and all that. Okay, so notice you can do a few more things here.
This is why I say that the Microsoft 365 Portal is a little bit more intuitive than what we had on the Azure Portal. But as you get into the Azure Portal and start editing the user, you can do a lot. There are a few more advanced features. Okay, so I could also choose not to licence a product to this user right now if I wanted. Notice that it makes me choose a location. So if you don't assign this usage location, as I said earlier, then essentially what's going to happen is that the user cannot be assigned any license. So they make you do that here through the Microsoft 365 Portal. So I'm going to go ahead and click Next, and here's where I could assign roles if I want to. And it's going to give me a chance to review everything and edit things if I want. And then I can click "Finish adding." From there, if I want to edit the user, I can simply click on the user, and I can go through here and edit things just like I could with the Azure Portal. So if I want to assign groups, roles, things like that through here, I can: here's groups, here's roles. And again, we're going to talk more about some of that as we get a little deeper into it. OK, so it's pretty straightforward, pretty intuitive, and easy to manage, as I said.
3. Stepping through the hands on tutorial for User Identities
We're going to go to the Users drop-down menu and select Active Users. We're then going to add a user: first name Alex, last name Jones. The username is going to be Alex Jones. And then we're going to click "Next." We're going to go ahead and assign the EMS license. So we'll select that. We're going to click Next again. We're going to go ahead and assign a role now. So drop that down, select Admin center access, and then "Show all by category." Then we're going to scroll down, we're going to select Privileged Authentication Administrator, and we're going to finish.
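The same tutorial steps done from PowerShell, as an added example that is not part of the course material. It assumes the Microsoft Graph PowerShell module is installed; the tenant domain, mail nickname and usage location are constructed placeholders, and it also covers the usage-location requirement described in the demonstration above.

```powershell
# Added example (not from the course). Requires the Microsoft.Graph module.
# Tenant domain, nickname and usage location are constructed placeholders.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All',
                        'RoleManagement.ReadWrite.Directory'

$upn = 'alexjones@contoso.onmicrosoft.com'

# Random one-time password; the fixed suffix only guarantees all character
# classes are present. The user must replace it at first sign-in.
$bytes = [byte[]]::new(18)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes) + 'aA1!'

# 1. Create the user. UsageLocation is set at creation time because a
#    license cannot be assigned to a user that has none.
$user = New-MgUser -DisplayName 'Alex Jones' -GivenName 'Alex' -Surname 'Jones' `
    -UserPrincipalName $upn -MailNickname 'alexjones' -AccountEnabled `
    -UsageLocation 'US' `
    -PasswordProfile @{
        Password                      = $initialPassword
        ForceChangePasswordNextSignIn = $true
    }

# 2. Assign the EMS E5 license (SKU part number EMSPREMIUM).
$sku = Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq 'EMSPREMIUM'
if (-not $sku) { throw 'No EMS E5 (EMSPREMIUM) subscription found in this tenant.' }
Set-MgUserLicense -UserId $user.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @() | Out-Null

# 3. Assign the admin role at tenant scope ('/').
$roleName = 'Privileged Authentication Administrator'
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
    -RoleDefinitionId $role.Id -DirectoryScopeId '/' | Out-Null

# 4. Review: everyone who now holds this role (users, groups or apps).
Get-MgRoleManagementDirectoryRoleAssignment -All `
    -Filter "roleDefinitionId eq '$($role.Id)'" |
    ForEach-Object { Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId } |
    ForEach-Object {
        [pscustomobject]@{
            Id   = $_.Id
            Type = $_.AdditionalProperties['@odata.type']
            Name = $_.AdditionalProperties['displayName']
        }
    }

# 5. Review: accounts with no usage location, which cannot be licensed yet.
Get-MgUser -All -Property UserPrincipalName, UsageLocation |
    Where-Object { -not $_.UsageLocation } |
    Select-Object UserPrincipalName

# Hand the initial password to the user over a separate channel.
"Initial password for ${upn}: $initialPassword"
```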
Group Creation in Microsoft 365
1. Introduction to Group Creation in Microsoft 365
To begin, if you go to the Microsoft 365 Portal, you'll notice that there are several different groups from which to choose. The first group is called an Office 365 group. This group is mostly used for team collaboration. You also have distribution groups. Distribution groups are groups that get an email address, just like an Office 365 group also gets an email address. Distribution groups, however, cannot be assigned any rights. So this is sort of like how we had it in AD DS, Active Directory Domain Services, where we had groups called Distribution Groups that you could assign an email address to, and anytime an email goes to the group, it basically goes to everybody in the group. But you can't really assign any permissions to that group. And you can also create a mail-enabled security group. A mail-enabled security group is a group that gets an email address, but it also can be given permissions.
This is also how it was done in AD DS, Active Directory Domain Services, on premises. And then you have just a Security group. A security group is a group that can be given permissions, but it doesn't get an email address or any of that. So those are your four types of groups. Now if you go through the Azure Portal, you're going to notice that they only give you two options, which are the Distribution Group and the Security Group. Also, we have some additional abilities, especially if you go through the Azure Portal. What's really cool here is you can do what's called an "assigned group" and you can do what's known as "dynamic groups." Now an assigned group is the same old thing that we're used to. We've had this for decades. An assigned group is more static. That means that you can add users to the group. You can remove members from the group. But of course, that's manual. There's no automation in that. Now, with a dynamic group, this is a really neat concept. This is very similar to what we had in the early days of Exchange, with Exchange 2003, called "Query-Based Distribution Groups." It's that concept. A dynamic group is a group that bases things on queries. So what happens is every time you assign an object, move an object, create an object, or delete an object, it performs a query against your groups.
And if any attributes are met in that query along those groups, along the dynamic group, it will essentially add or remove an object from that group. So essentially, if I created, say, a group called "Sales," okay, and it's a dynamic group, so I assign this departmental attribute to the word "Sales," all right? Then what would happen is that every time I create a user or make a change to a user, it's going to perform these queries. And if it matched the department's attributes, then of course it would essentially add the user to the group. If I changed the user attribute, the department attribute of that user to something else, say the salesperson has moved to the marketing department, it would remove them from the group at that point. So this is a really neat feature. You can do this with device groups as well. For example, if I wanted a group that represented a specific type of phone, such as Android phones or iPhones, I can create a device group that will detect the type of device and add that device to that device group. So if I created a group called "iPhone Devices," for example, and I had it detect based upon device OS type and label it "iPhone," then every time an iPhone is associated with the cloud, it would add it to that group.
2. Demonstration of Creating Groups in Microsoft 365
Okay, we're going to go ahead now and jump right in, and we're going to look at two different ways that you can create groups. But ultimately we're going to jump over to the Azure Portal for the actual creation of the group, since that's where you're going to do a dynamic group. All right, so we'll start with the Microsoft portal, the Microsoft 365 portal. So we can go to admin.microsoft.com. We're going to drop down where it says Groups. Click on Groups. Then we would click "Add a Group." And this is where you can see that you can create the four different types of groups here. So Office 365 is being used for team collaboration.
As you can see, they share workspaces and all that good stuff. You start getting into teams and being able to collaborate, communicate, do video meetings, and do those types of things. Distribution groups are the group that gets an email address but can't be given any permissions. Mail-enabled security group is the group that receives both. You get an email address, and you can assign permissions to it. And then finally, a security group, which is just for permissions, just for access control. So these are your options through the Microsoft 365 Portal. It's pretty easy to go through. Just fill out the information. Now let's take a look over at portal.azure.com. Now drop down and we're going to take a look at Azure Active Directory groups. We're going to click New Group. This is going to be a security group. Notice that you have just a couple of types of groups here. And then we're going to call this iPhone Devices; we can give it a description if we want. I'm going to choose to make it a dynamic device group.
So I told you guys, you can do an assigned group, which is just a static group. It's a group where you have to manually add devices or users to it or manually remove them. Okay, you can do a dynamic user group, which is going to be query-based, but it's going to be geared towards users. And then you can do a "dynamic device group." Now in my case, I am going to be creating a group called "iPhone Devices" that's going to be assigning iPhones to the group. Whenever iPhones get associated with my cloud, I'm going to want to go with Dynamic Device, okay? So I can go here and say select dynamic members, and then I'm going to choose the property attribute I want, which is going to be device OS type, then the operator, which is going to be equals, and then the value. Now the value is going to be based upon how the device identifies itself: iPhone. That is how iPhone devices identify themselves. If you're concerned about things like uppercase, lowercase, or anything else, you can always add another expression and then choose the same thing, equals. And then if you want, you could just type it in lowercase. And then here is the actual syntax that it's using. You don't actually have to type that in, although there are pretty advanced things you can do if you learn their syntax. You can edit this directly. Once you've done that, you're pretty much done. You just hit Save, click Create, and there you have it. You've created yourself a dynamic group for iPhone devices.
3. Stepping through the hands on tutorial for Dynamic Group Creation
Alright, so let's take a look at going through the actual tutorial steps themselves. It's going to kind of walk you through this, and then, of course, you're going to get a chance to try this yourself. So we're going to start this. This activity involves trying to create a dynamic device group called iPhone Devices. And this is going to detect any time a device gets added to your cloud environment; if it falls into the category of being an iPhone, then it's going to automatically be added to this device group. So, let's get this party started.
The first thing we've got to do is go to portal.azure.com. We're going to click on the menu bar and go to Azure Active Directory. Going to click Groups. Going to click New group. It's going to be a security group, as you can see, because we're going to be able to assign permissions and all that to it. It needs to be a security group. So we're going to go and specify the group name. It's going to be a dynamic device group as opposed to an assigned group, which would be a group that you would have to manually add devices to. So it's going to be a dynamic device. We're going to add a dynamic query. The property we're going to choose is going to be device OS type. All right, this is going to be the attribute of that device. We're going to click on that, and then the next thing we're going to do is select equals, so device OS type equals, and then the value that the device would be known as is iPhone. So we're going to type that in, and then we're going to save it, click "Create," and we've officially got ourselves a dynamic group that is going to add devices that have the device OS type iPhone.
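The same dynamic device group created from PowerShell, followed by a review of every dynamic rule in the tenant; this is an added example, not part of the course material. It assumes the Microsoft Graph PowerShell module, and the mail nickname is a constructed placeholder.

```powershell
# Added example (not from the course). Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# This is the rule text the portal's rule builder shows for
# "deviceOSType Equals iPhone". String comparisons in membership rules are
# not case sensitive, so one expression covers "iphone" as well.
$rule = '(device.deviceOSType -eq "iPhone")'

$group = New-MgGroup -DisplayName 'iPhone Devices' `
    -Description 'Devices that report deviceOSType iPhone' `
    -MailNickname 'iphone-devices' `
    -MailEnabled:$false -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

"Created $($group.DisplayName) ($($group.Id))"

# Review every dynamic group and its rule. Whoever can write the attribute a
# rule tests (department, OS type, ...) effectively controls membership, so
# rules on groups that grant access deserve the same review as the
# permissions themselves.
Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'DynamicMembership')" `
    -Property Id, DisplayName, SecurityEnabled, MembershipRule, MembershipRuleProcessingState |
    Select-Object DisplayName, SecurityEnabled, MembershipRuleProcessingState, MembershipRule |
    Format-Table -Wrap

# Membership is evaluated asynchronously, so a new group may show no members
# for a while. List what has been added so far:
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
```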
Password Expiration Management in Microsoft 365
1. Introduction to Password Expiration Management in Microsoft 365
Now, password management is obviously a pretty critical thing in our environments. Even though we've made huge leaps forward in the arena of authentication by supporting multifactor authentication (something you know, something you have, something you are), passwords are still one of the main methods that identities use to authenticate. If anything, it's usually one of the factors, even if you do have multi-factor authentication enabled in your environment. Now, in an Active Directory on-premises environment, we always use password policies in our group policy objects, and that's still going to be something that takes effect even if you link your Azure AD environment with your AD DS, your on-premises Active Directory.
However, if you are using cloud-based user accounts that aren't linked to an on-premises Active Directory, Microsoft has some default settings that they've configured that pretty much just take effect right out of the gate with your Microsoft 365 and Azure AD environments. Passwords are set to expire in 90 days. So you create a user, the user logs on, and they can set their password to whatever they want. At that point, it's going to cover a 90-day period. So in 90 days, the user must change their password. So they go. They log on and change their password. If the user does not change their password and they try to utilise applications and things outside the cloud, eventually those applications are going to be unusable until that password gets changed.
So, for example, if I had downloaded Office 365 ProPlus downloaded versions onto my hard drive and I changed my password, those downloaded versions are going to have to be reactivated. And if my password isn't linked up properly, then they're not going to be able to go through the process of reactivating. So it can actually not only stop people from signing on, but it can also stop applications from working after a while if you haven't changed your password. So again, your default period is 90 days. All right? You can easily change the 90-day period. We'll take a look at that through the Microsoft 365 Admin Center. Okay? Another thing that can happen is that, again, if you are linking your on-premises Active Directory with your cloud services, synchronisation can occur to the point where your objects are syncing into the cloud, and again, your Azure Active Directory and your AD DS will be in sync as far as all that is concerned. There's also a great little feature called the password writeback feature where, if you are syncing, it makes it so that if somebody changes their password in the cloud, it's going to synchronise back to on-premises Active Directory.
Now another thing, obviously, that's very important here is that users need to be aware that they are running out of time. So users are going to get their first notification when there are 14 days left before the password is going to expire. So 14 days before your password expires, the user is going to start getting bugged, and basically it's going to be warning the user, "Hey, you're running out of time. You need to change your password." They'll get these little notifications that are popping up on their screens as they try to interact with their cloud services. Okay. This notification period is also something that you can change. And these are a couple of things that could possibly show up on the test. If you're going through the hands-on activities, they might expect you to know how to change this stuff. Of course, it's also important to know this for the real world as well.
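Reading and changing the expiry and notification periods from PowerShell, as an added example that is not part of the course material. It assumes the Microsoft Graph PowerShell module; `Set-TenantPasswordExpiry` is a hypothetical helper name, and the domain is a constructed placeholder.

```powershell
# Added example (not from the course). Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Domain.ReadWrite.All', 'User.Read.All'

# Current settings per domain. Empty values mean the domain has never had
# these properties set explicitly.
Get-MgDomain -All |
    Select-Object Id, PasswordValidityPeriodInDays, PasswordNotificationWindowInDays

# Hypothetical helper: sets both periods together and rejects a notification
# window that is not shorter than the validity period.
function Set-TenantPasswordExpiry {
    param(
        [Parameter(Mandatory)][string]$DomainId,
        [ValidateRange(1, 2147483647)][int]$ValidityDays = 90,  # default named above
        [ValidateRange(1, 2147483647)][int]$NotifyDays   = 14   # default named above
    )
    if ($NotifyDays -ge $ValidityDays) {
        throw "NotifyDays ($NotifyDays) must be smaller than ValidityDays ($ValidityDays)."
    }
    Update-MgDomain -DomainId $DomainId `
        -PasswordValidityPeriodInDays $ValidityDays `
        -PasswordNotificationWindowInDays $NotifyDays

    # Read the values back so the change is confirmed, not assumed.
    Get-MgDomain -DomainId $DomainId |
        Select-Object Id, PasswordValidityPeriodInDays, PasswordNotificationWindowInDays
}

# Constructed placeholder domain: 60-day expiry, warn 10 days ahead.
Set-TenantPasswordExpiry -DomainId 'contoso.onmicrosoft.com' -ValidityDays 60 -NotifyDays 10

# The domain policy does not apply to accounts flagged as exempt. List them
# so that every exemption is a deliberate one.
Get-MgUser -All -Property UserPrincipalName, PasswordPolicies, AccountEnabled |
    Where-Object { $_.PasswordPolicies -match 'DisablePasswordExpiration' } |
    Select-Object UserPrincipalName, AccountEnabled, PasswordPolicies
```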