Microsoft 365 MS-203 Practice Test Questions and Answers, Microsoft 365 MS-203 Exam Dumps - PrepAway
Manage Role-Based Permissions
1. Understanding Assigning Role
Let's talk about the concept of roles. What is the purpose of roles? Now, let me say this: if you've ever worked with cybersecurity or the Internet, you may know that when it comes to access control, there are multiple access control strategies or access control models. There are three main, popular models that are used. The first one is called DAC, which stands for Discretionary Access Control. DAC bases privileges on ownership.
So with the DAC model, when you own something, you basically get to control the permissions on it. So if I create a file or some kind of access to some kind of data that I want to give people, I get to control it if I own it. Okay? So permissions are granted based on ownership. Microsoft has used the DAC model and still does in a lot of cases. When you create things through SharePoint and get into public folders with Exchange and all that, or even in the Windows operating system, you create a file, like a spreadsheet or something. On the Windows operating system, you are the creator and owner, and you get to set permissions on it. So the DAC model is heavily used. It's very common.
A second model is called MAC. MAC stands for Mandatory Access Control. Mandatory access control privileges are based on security levels. So, for example, if you think about the military, the military has Top Secret security clearance, Secret security clearance, and uses classifications. So as we learn about things like Azure Information Protection, classifications, and things like that, that's what the Mandatory Access Control model is all about. And so the Microsoft 365 Services, Azure Active Directory, all that, utilise that model also. But when it comes to administrators, when it comes to giving out roles to your admins and giving users privileges to control and administer things, there's a third model. And that model is called RBAC, or Role-Based Access Control. Role-based access control gives administrators the ability to assign privileges to user accounts and give them admin rights.
OK? So the great thing about a role is that the way Microsoft is built, there are back-end privileges. The role always records exactly what privileges that role has. That's part of the code for this role-based system: you can always go to a role and see what privileges it has. Microsoft tried to do this with group-based access controls years ago, but it never really panned out the way they wanted it to. For example, with on-premises Active Directory, I could create a group and name it something based on a role, like "Server Admins" or something like that, and then you could put people in it. The problem is that you could grant that Server Admins group privileges all over your domain, and there was no centralised way of seeing what privileges that group had been given. But in my opinion, I really feel like, with the Microsoft 365 Services and Azure AD, Microsoft has really gotten it right with their RBAC system.
When you create a role or use an existing one in Azure Active Directory or the Microsoft 365 Services, every single privilege it has is clearly written on there, and you can very easily find out who has been given this power. Okay, another really nice thing we get with RBAC in our Microsoft 365 Services is a thing called PIM, which is Privileged Identity Management. With Privileged Identity Management, I can do what's called just-in-time administration, which means I can give out privileges to people, and those privileges can expire. I can require that, before a user is allowed to do something, they first have to request access, and that access can be approved by somebody, and then they can get access to do it. This is really great. Say I'm the Exchange Online administrator, I'm going to be going on vacation next week, and I've got a junior-level administrator who's going to be helping with creating some recipients and things like that.
With PIM, Privileged Identity Management, and RBAC, role-based access control, I can give this junior administrator temporary privileges during that week while I'm gone. So that's another great thing you've got. Now, when it comes to this concept of RBAC, you want to be thinking in terms of the principle of least privilege. And if you've never heard of that before, the principle of least privilege is really simple. You give out the least amount of rights, but still allow somebody to do their job. Okay? So if I was going to use this PIM, this Privileged Identity Management, that you see towards the bottom of my slide, just-in-time administration, I would always want to give out the least amount of privileges while still allowing somebody to do their job. So if I was going on vacation and I wanted to give out these privileges to a junior-level administrator, I would want to give out just the bare minimum privilege but still enable that junior-level administrator to actually perform the task at hand. Okay? So that's the idea of roles, role-based access control, the principle of least privilege, as well as this concept known as PIM.
2. Admin Roles with AzureAD
I'd like to take a look now at how Azure Active Directory manages its general roles. Okay, so here we are on portal.azure.com. We're going to go to the menu bar, and we're going to open up Azure Active Directory. Okay, so here we are in Azure Active Directory. We're going to now look at Roles and administrators. So right out of the gates here with the roles that you have in Azure AD, we have a big list of general roles that are supported right here in Azure Active Directory, and you can clearly see the different names. You'll notice that a lot of them are called administrator roles, which obviously have a lot of power. The most powerful role you can have in the Microsoft 365 Azure AD environment is that of global administrator.
As I always like to say, if you have global administrative rights, you basically have intergalactic cosmic powers over your Azure AD environment. You have some roles that are called reader roles, and obviously these have the ability to read things, like the global reader role, which can read everything. You have individual roles that have special powers over certain products. So, for example, I have a role called the Exchange Administrator, which has full-blown Exchange administrative privileges. You have a SharePoint administrator who has SharePoint privileges. You have other special types of roles, like the security reader role, the security operator role, and the security administrator role. Now, one thing I want to encourage you to do, when you're trying to think in terms of roles, is click on the role. You can look at the description of the role. Microsoft will provide a pretty clear description, and a lot of times they will also provide you with an article link.
You can go, and you can read more about that role. So I can clearly see that it says users with this role have global read-only access, including all information in Azure AD, Identity Protection, Privileged Identity Management, and the ability to read Active Directory sign-in reports and audit logs. It says it grants read-only privileges. Now, this is my favourite part right here. The role clearly identifies every privilege it has. You cannot grant a privilege without documenting it, which is really great. There's no way that this role can be given a bunch of permissions that we don't know about. For the most part, you can see that this role only lets you read things. If you go back and look at your roles, you could look at the security operator, and you can see the difference.
So the Security Operator role gives you a description; it says users with this role can manage alerts and have global read-only access to security-related features, including all information. I can see all that, and I can also see the different privileges this role has here. In this case, you don't just see a bunch of reads; you see that they can create resources involving Cloud App Security and Identity Protection. They can manage Advanced Threat Protection and compliance centre information. So this role has more privileges. And then finally, the administrator roles obviously have a lot more privileges. So if you go there and read the description, you can see everything they can do. Now, if I wanted to see everything that, say, the Exchange administrator can do, I could do the same thing with the Exchange administrator. I can go up here, look at "Exchange administrator," click on "description," and see everything that the Exchange administrator can do. So it gives me a brief description.
But most importantly, I can look at these privileges that the Exchange administrator has. If you would like to assign somebody a role, there are multiple ways you can do that. You can click "Assignments" here, and you can click "Add assignment," and then you can choose a user to whom you want to grant this privilege. So if I wanted to make Holly Holt, for example, an Exchange administrator, I could click Add, and Holly Holt is now an Exchange administrator. On the flip side of that, you can also come over here to Azure Active Directory. You can click the Users blade. You can click the user in question, and then from there, you can assign the role right here. You can also, of course, do this with PowerShell. Okay? And of course, another way to do so is through the Microsoft 365 portal at Microsoft.com. You can assign roles through that as well. And of course, Exchange and other services like SharePoint and Teams all have their own ways of assigning roles also. But this gives you a good look at just how Azure AD manages its roles.
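The same review can be scripted. The following is an added example, not part of the course material: it uses Microsoft Graph PowerShell to diff the documented privileges of the Security Reader and Security Operator roles and to list who currently holds Exchange Administrator. It assumes the Microsoft.Graph module is installed and that the signed-in account can consent to the scopes shown.

```powershell
# Added example; requires the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

# Return the documented privileges (allowed resource actions) of a built-in role.
function Get-RoleActions {
    param([Parameter(Mandatory)][string]$DisplayName)
    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$DisplayName'"
    if (-not $def) { throw "No role definition named '$DisplayName'" }
    $def.RolePermissions.AllowedResourceActions | Sort-Object -Unique
}

$reader   = Get-RoleActions -DisplayName 'Security Reader'
$operator = Get-RoleActions -DisplayName 'Security Operator'

# Privileges the operator role has that the reader role does not.
'--- Security Operator only ---'
Compare-Object -ReferenceObject $reader -DifferenceObject $operator |
    Where-Object SideIndicator -eq '=>' |
    Select-Object -ExpandProperty InputObject

# Sanity check on a "reader" role: list any action that is not a read.
'--- Security Reader actions not ending in /read ---'
$reader | Where-Object { $_ -notmatch '/read$' }

# Who holds Exchange Administrator right now. Get-MgDirectoryRole only returns
# roles that have been activated in the tenant, and this lists active members,
# so PIM-eligible users who have not activated the role do not appear here.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Exchange Administrator'"
if ($role) {
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id | ForEach-Object {
        [pscustomobject]@{
            ObjectId          = $_.Id
            DisplayName       = $_.AdditionalProperties['displayName']
            UserPrincipalName = $_.AdditionalProperties['userPrincipalName']
        }
    }
}
```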
3. Role Groups in Exchange Online
I want to walk through now and look at how we deal with roles directly in Exchange Online. Now I'm in the Microsoft 365 Admin Center, which you can get to by going to either portal.microsoft.com or admin.microsoft.com. I'm going to click on the "Show all" ellipsis symbol here. Then we're going to scroll down and go to Exchange, and this is going to bring us into the EAC, the Exchange admin center, for Exchange Online. Okay? From there, I'm going to click Permissions, and you're going to see a couple of different kinds of roles here.
So I have admin roles that allow me to control administrative privileges in my Exchange environment here. And I have user roles, which get into being able to assign user privileges, and in the user roles here, you'll notice there's a default policy, and it tells you that the default policy is going to grant your end users the permissions to basically have privileges in Microsoft Outlook. So I could actually edit this, and if you wanted, you could go through and specify the things that they could change in their Outlook settings. So you'll notice I can specify different things that they can be a part of or alter inside their Outlook settings and all that. Now, from the administrative roles side of things, these right here are sometimes referred to as "role groups." A role group is essentially an object that is going to group together a bunch of assigned roles.
So if you look closely, I have the compliance management group here, and this compliance management group has all of these roles. And these would be members; these would be people who would have that privilege. So again, just like what we deal with in Azure AD, our different roles clearly define what these role groups have. And you can edit these if you want. So I can go here and edit the compliance management, for example, and I have a nice little description. I can click on each one of these options here and alter what roles this role group is going to be assigned. And if I wanted to assign members, I could click the little plus sign here and assign different members to the role group if I wanted to.
So you can click through each one of these. Again, it gives you a nice little description right over here on the right side of the screen that lets me see exactly what these can do. And if I wanted to, I could actually create my own simply by clicking the plus sign, giving it a name, and specifying the roles that I want it to have for each of these roles.
Also, what's really nice is that when you assign each of these roles to a role group, you get a nice little description of what that role group can do. Also in Microsoft's Knowledge Base, they have documented what all these privileges are as well.
Okay, so working with your roles in Microsoft Exchange is pretty straightforward. The most important thing to do, though, is to educate yourself on what the privileges are for each one of these. I would also advise you, if you are planning on taking the exam, to sit down and read through the description of each one of these and educate yourself on what each role does. Okay? This will really help you wrap your brain around the concept of "role groups" in the Microsoft Exchange Online environment.
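The role group review and the "create my own" step can also be done from Exchange Online PowerShell. This is an added example, not part of the course material: it lists every role group with its roles and members, then builds a minimal role group for the recipient-creation scenario from the first lesson. It assumes the ExchangeOnlineManagement module; the two accounts and the role group name are placeholders.

```powershell
# Added example; requires the ExchangeOnlineManagement module.
# The accounts and the role group name below are placeholders.
$admin  = 'admin@contoso.example'
$junior = 'junior.admin@contoso.example'
$group  = 'Recipient Helpers Temp'

Connect-ExchangeOnline -UserPrincipalName $admin

# 1. Review: each role group, the roles it bundles, and who is a member.
$review = foreach ($rg in Get-RoleGroup) {
    $members = Get-RoleGroupMember -Identity $rg.Identity
    [pscustomobject]@{
        RoleGroup   = $rg.Name
        Roles       = $rg.Roles -join '; '
        MemberCount = @($members).Count
        Members     = @($members | ForEach-Object Name) -join '; '
    }
}
# Populated groups first: these are the ones that grant someone real power.
$review | Sort-Object MemberCount -Descending | Format-Table -Wrap

# 2. Least privilege: a role group limited to creating and managing recipients.
$newGroup = @{
    Name        = $group
    Description = 'Recipient management only; remove the member after the cover period.'
    Roles       = 'Mail Recipients', 'Mail Recipient Creation'
    Members     = $junior
}
New-RoleGroup @newGroup

# 3. Confirm what was granted: the role assignments on the new group and the
#    cmdlets one of those roles allows.
Get-ManagementRoleAssignment -RoleAssignee $group | Select-Object Role, RoleAssigneeName
Get-ManagementRoleEntry 'Mail Recipient Creation\*' | Select-Object Name, Role

# 4. Role group membership does not expire by itself, so take the junior
#    administrator back out when the cover period ends.
Remove-RoleGroupMember -Identity $group -Member $junior -Confirm:$false
```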
4. Working with RBAC roles for eDiscovery
Let's now walk through the concepts of roles within the Microsoft 365 Admin Center, and I also want to talk a little bit about the eDiscovery side of things and how that fits in with roles. So we are right here in the Microsoft 365 Admin Center.
We're going to start by simply looking at the fact that if we click Show all here, we also have a Roles blade we can click on, and we can assign roles just like we can through Azure AD, okay? And so we have different roles here that show up that we can manage through Azure AD. We can also manage things in Intune. Not that I'm getting into Intune right now, okay? But what I really want to show you is that I can apply roles here if I want. I can click on the role and assign it to a user if I want to. You can very easily assign administrators to this by clicking here and clicking Add. So there's Holly Holt, for example, who is an Exchange administrator. But I can also do that through users.
I can click on Active users. I can click on the user that I want to assign the role to. So like Alex Rogers here, I can click on Alex Rogers, and then I can assign a role this way. See, "Manage roles." But I want to show you something else involving this. Now, if we scroll down, there is an admin centre called Security. Now if we click on Security, this is going to bring us into the Security and Compliance Center, okay? Now one of the things that sometimes we need to be able to do in our Exchange environment, for example, is what's called eDiscovery, eDiscovery mailbox holds, and all that. That comes into play when somebody who maybe has done something they shouldn't have done tries to delete the evidence by deleting all their emails or something like that. I can put an eDiscovery hold on their mailbox, and I can prevent them from being able to do that.
Here's the eDiscovery stuff down here. But in order to do that, you must have a certain privilege. So here in the Security and Compliance Center, I can click on Permissions. Okay. And then there is a special type of role called an "eDiscovery Manager." We're going to click this role, and then if we scroll down right here where it says eDiscovery Manager, we can click Edit, and then we can assign this, and we can choose an eDiscovery Manager.
So if I wanted to make a particular user an eDiscovery Manager, like maybe Jane Doe or somebody like that, I could add that user right here, okay? Jane Doe. I could make Jane Doe an eDiscovery Manager. At that point, Jane Doe can actually go through the process of putting an eDiscovery hold on somebody's mailbox, and Jane Doe would be able to do searches through their mailbox, looking for keywords and collecting evidence. This gets into forensics and all that in case something maybe was to go to a court of law.
And that's a very important role that we may have to implement in our environment under certain circumstances. So that gives you an idea, though, of how roles are managed through the Microsoft 365 side of things, as well as how we look at roles in regards to the Security and Compliance Center, because certain roles have to be managed through it, especially if it's obvious by its name that it involves security and compliance.