Microsoft 365 MS-500 Practice Test Questions and Answers, Microsoft 365 MS-500 Exam Dumps - PrepAway
Conditional Access and Compliance Policies
5. Implementing Device Compliance Policies using Endpoint Manager
Now that we've got a good understanding of what compliance policies are, I want to go ahead and talk about how we can actually create and implement compliance policies. OK, so here we are in Endpoint Manager. This is the endpoint.microsoft.com portal, OK. We're going to go to the Devices blade over here, okay? And then from there, we're going to go and click on compliance policies. Now, I'd also like to point out that you can also create conditional access policies here as well. So you can actually do it a couple of different ways.
You can do conditional access policies in Azure, like I've shown you, or you can do it here, and then you have compliance policies here as well. Okay? So we're going to go and click on compliance policies. And currently I don't have any compliance policies, so we're going to click to create a compliance policy, then we're going to select our platform. So here are all our options for platforms, okay? You've seen a list like this in the past, okay? And I'm going to go with Windows 10 just because, again, this course is definitely more heavily focused on Windows 10. So we're going to select on that. By the way, the exam is also heavily focused on Windows 10, but I'm going to click to create that policy, okay? And then we're going to give this a name. I'm just going to call it Windows 10 compliance. All right? We could give a description; we could specify everything in there that we're going to want, what we're doing in this policy, everything.
We're going to configure it to give it a nice description for our fellow administrators. But I'm going to go ahead and click next. And this is where the magic happens, okay? So this is where we are going to specify exactly what policies we want and what our settings are going to be. I've got Device Health, and as you can see, I can specify a bunch of things here. I'm going to require—maybe I'm going to require—that BitLocker be on somebody's machine. Maybe I'm going to require secure boot to be enabled on the person's machine. That's the UEFI setting that we've got. I can require code integrity that's going to verify the TPM settings of the machine.
Again, that's going to involve secure boot. We've got device settings. All right. I can do a minimum operating system. Maximum operating system, same thing for mobile devices, the mobile version of Windows 10. You can have it validate certain builds of the operating system. Okay. Down here, you've got Configuration Manager compliance. I can require that this machine is also managed, since Windows 10 supports co-management with Configuration Manager. From there, I can change system security settings. Drop that down. I could require you to have a certain type of password. Maybe you're not allowed to use a simple password, so I could block that if I wanted to. OK, specify the type of password: an alphanumeric or numeric password. I was going to maybe do a PIN number. I could specify how many characters I want this to be.
Maybe I want this to be at least a minimum of seven characters. Okay. Maximum minutes of inactivity before a password is required. So you can set that inactivity setting if you want. You can have the password expire after a certain number of days. Number of previous passwords to prevent reuse. Require a password when the device returns from an idle state. Okay, so if it goes idle, they'll have to put their password in, an auto lock on it. You could enable the encryption of data storage on the device. So this requires them to have some form of data encryption, whether it be BitLocker or third-party. So firewall settings, I can require that to be on. I can require that they have a TPM chip, which is a special type of chip that's on the motherboard that allows you to use things like BitLocker, okay. Antivirus. You can require that antispyware be installed. You could require that they use Windows Defender and not something else. So if I wanted, I could force that, or I could just allow them to use whatever virus protection they've got. Down here, you've got Windows Defender ATP, which is Advanced Threat Protection. Some of these Windows Defender features we're going to be talking about here towards the tail end of all this. But I could require that to be turned on. And this is kind of cool. I've got it under the ATP setting; I've got it required for the device to be at or under the machine risk score. So we talked about how in the Azure AD and Microsoft 365 environment, we've got a machine learning system that Microsoft supports where, based on the way you're using your machines and the times of day you're using them, it's actually learning the way your users use their devices. What are the normal hours that they work?
Where are they normally logging on from? Do they have lots of failed password attempts and things like that? If they do things like that, like entering bad passwords constantly, having some issues, logging on at weird hours, and things like that, then the machine gets rated as a possible risk. Okay, so you could require that the machine at least stay at a low-risk level if you wanted. All right, you could say it's clear, so there's none or it's not configured, which means you're just not going to turn this on. So these are all these little settings that I can configure; there are quite a few little settings there that have very cool different features that can be turned on. And Microsoft is adding additional settings to this all the time. So I'm going to go ahead and click Next, and these are the actions for noncompliance. So what's going to happen if you're not compliant? It says "Mark device noncompliant", immediately. And as you can see, that is the default. And it says schedule, days after noncompliance. So you've got that set to zero. Okay, I could change this. We'll say send an email to the end user. All right. Also, if I'm going to do that, it's making me select a template for that. Okay? So I'm going to specify a name and select a notification method. We haven't created a notification message, so I don't have a name that I can select for notification here. All right, but I won't get into creating the notification messages here, but you can do that. You can specify the recipient, whoever you want to receive the notifications, if you want. So I could put in an admin or something like that if I wanted a recipient. Okay.
Or I could simply say "remotely lock the noncompliant device" so it locks it. All right, so here's the thing: Let's say somebody is sitting at this device who shouldn't be there, and then all of a sudden they do some things that make the device non-compliant. It can auto-lock the device, and at that point they'd have to enter their credentials. It could force MFA, multifactor authentication, and all that. Okay? I could also say "retire the noncompliant device." That's going to basically make it so that the device can't access any information or open anything in our corporate environment, like OneDrive, SharePoint, or Exchange; nothing will open if the device is then marked as noncompliant. Okay, so I have all these different options that I can go with if I want. Okay? So right now I'm just going to say mark device noncompliant. Here's the thing: If we pair this with a conditional access policy, as I said earlier, then what will actually happen is that it will either force compliance or just block the device altogether. So you saw when we went over conditional access a little earlier that we could implement that. And so these two complement each other. Conditional access policies and compliance policies work together. Okay, so I'm going to go ahead now. I'm going to click Next, and then I could specify scope tags. I've mentioned scope tags before.
Scope tags are for administrators to specify what certain administrators can manage. I might have a Windows 10 scope tag, and I might allow an admin to manage that scope tag. Okay? So I'm just going to go with the default scope tag because I don't have a bunch of scope tags created at the moment. So we'll just select the default. Okay, so we'll go here, select default, and we're going to go ahead and click Next. And then we get to assignment. So assignment is who we're going to actually assign this to. So if we wanted to assign this, we could say "add it to an exclusion group." Maybe we'll add this to our Windows 10 people and our marketing people, and then we will exclude our IT people. All right, remember that exclusions always override inclusion. Maybe I don't want to include my IT people in this, but in the real world, you probably would want to include your IT people. Or maybe what I might do is have some specific compliance settings just for my IT people. Okay, so maybe the reason I'm excluding IT right now is because I don't want it to affect them, but I might also have something more restrictive for them. Okay, so at that point, I can click Next, and I'm going to click "Create," and I have officially created my compliance policy. All right? So at that point, it would get applied to the people that are in that group, the devices in that group. The setting will take a few minutes to take effect. This does not take effect immediately. It can take a few minutes. The machines will check in with Intune. At that point, it will actually get assigned and take effect on their device.
AIP (Azure Information Protection)
1. Introduction to Azure Information Protection
Now, Azure Information Protection is also sometimes referred to as AIP, not to be confused with Azure Active Directory Identity Protection. That's actually a different technology. Azure Information Protection is all about identifying and labelling sensitive information.
So your goal here is to be able to have information in your environment, your documents, the data stored throughout spreadsheets, documents, database information, and all of that stuff have a way of being labelled as well as classified. This will involve emails as well. So your goal here is obviously, in an environment where data is very sensitive and in a higher security environment, to not just talk about publicly accessible data. Your information has to have a way of being flagged so that it can show that there is sensitive information there, and it needs to be in some way tagged or labeled. Okay, so AIP is Microsoft's solution for this. You might recall that back in the on-premises days, we used AD RMS, or Active Directory Rights Management Services.
And you're going to find that rights management is still a piece of all of this. But now they're using Azure Information Protection to do the actual labeling. You're going to find that RMS plays more of a role in dealing with the encryption side of things. So Rights Management Services is still a part of this, but AIP is what's actually dealing with the labelling side of things. So the way that you're going to set AIP up is that you're going to configure it using rules and conditions. You're going to set those rules and conditions up to look for certain types of sensitive information. And then from there, you can configure the different types of labels that are going to be applied by those rules, and you can have that information classified based upon those labels.
Now the other thing that's interesting about this is that users can either manually label and classify, or they can also have automation happen. But there is a rule that applies there, and that is you have to have premium version 2 to do this. There's Azure Information Protection P1, and there's Azure Information Protection P2. Now of course, if you have the EMS subscription, the Enterprise Mobility + Security subscription, then you've got both. And you can use P1 for maybe users that you know are going to be dealing with this manually. And P2 for the people that you want this to be applied automatically for. Ideally, we want it to be automatic for everyone, but it depends on what subscriptions and licencing model you've chosen and all that. Now, how are labels applied? Well, AIP labels are going to get applied to your documents and emails based upon the types of information that's stored inside those documents. Okay. Now, once this information gets applied, is the information going to be on that document for good? Pretty much.
And how exactly does that work? Well, what they've done is set up metadata on documents so that information can be classified, and the classification label will be in clear text. So the document can be labeled, the label can be applied, classification can be applied, and it's all going to be in clear text in the metadata of the file. And then you can have encryption on the file as well. The file can then be digitally signed, which provides integrity for the file, which means if anybody tampers with it or tries to change it, modify it, whatever, you're going to know because it will have a digital signature associated with it. And if digital signatures get altered, your system is going to immediately know about it. Whatever application you're using, Word, Excel, PowerPoint, there are even obviously third-party apps that support all of this as well. If you're not really familiar with integrity and all of that, the way that integrity works when something is signed is kind of like the wax seal analogy. It's like back in mediaeval times when kings and queens would write letters, they'd write them on parchment paper, then fold them up, pour hot wax on them, and seal them with their seal. And then they would have to get somebody to deliver the letter.
And then, of course, if the letter got to the other end and the wax seal was broken, well, at that point, the person on the other end knows that that letter has been compromised, right? Off with their head or whatever. Well, the idea, essentially, is that when something gets tampered with or altered, we would know about it. Okay. The other thing that's great about it, though, is that with the help of Rights Management Services, you can have that information encrypted. So somebody is not going to be able to read the information either. So you can have a digital signature to provide authenticity. You can have encryption on the data itself, which provides confidentiality, but the starting point of all this is AIP, which gets into being able to label the information and then classify the information. Now, it doesn't really matter where the document goes at that point. Documents can be moved around. It could even somehow slip outside our organization. It's still going to be labeled, classified, encrypted, and digitally signed, if you combine this with rights management. So that's good either way.
You can also, of course, have rules in place, and we're going to talk about this a little later, that are going to try to prevent this document from making its way outside. But even if somebody had it on their laptop and walked with it outside the organization, it's still going to have that information on it. It's still going to be protected. Now another thing you've got with labels is visual markings. You can have a header at the top with a colour code. You can have a footer, and then you can also have a watermark that can go diagonally across the middle of the page or horizontally across the page that indicates that this is a confidential document or some kind of sensitive label wording, however you want to do it. And you can configure the font, the color, the way that it's going to go across the page, all that good stuff. So there are quite a few features with this. It's a really great feature that Microsoft has given us access to, and it's definitely something to look into implementing in a higher security environment. And of course, for this exam, the MS-500, you're definitely going to want to have some experience with that a little bit and understand it because it is possibly something you can get as a lab scenario.
2. Demonstration on creating and managing AIP Sensitivity Labels
We're starting off on admin.microsoft.com. Okay. And we're going to go, and we're going to scroll down, and then we're going to click on Security or Compliance. Actually, either one of those will take you to the same place. This is going to take you to the Security and Compliance Center, which is where we're going to be messing around with AIP. All right? Azure Information Protection. Now I would like to clarify something. You can do this through the Azure Portal as well. There's an Azure Information Protection service that you can add, and you can configure it there. But I'm going to give you guys some advice. Don't try it there; do it here. Okay? That's all I'm going to say on that. This is where you're going to want to focus your efforts for the exam.
If you're taking the exam, this is where you're going to want to do it from. Okay? If you were to get a lab scenario on this, I would recommend doing it through here. All right? So I'm going to go and I'm going to drop down Classification, and then I'm going to click on Sensitivity Labels. So right now, what I'm wanting to do is create a sensitivity label. Every time a Social Security number shows up in a document, I want that document to be labelled as sensitive. Okay? Maybe it has PII information. There is personally identifiable information in that document. So we're going to click on Sensitivity Labels. We're going to create a label here. Now again, I also want to point out, notice this little note up here at the top. And it says if your organisation has labels in Azure Information Protection, they'll need to be migrated if you want to use them across other Microsoft apps and services. If you create labels with the same name as your existing Azure Information Protection labels, you won't be able to migrate. So they're basically saying that you can migrate the labels from the Azure version of this over to Microsoft 365.
Remember, this is Microsoft 365. It's a Microsoft 365-related course we're going through here, and the exam is a Microsoft 365 course as well as some Azure stuff. But they're going to put their focus on this side of things. So this is why we want to be in this area and not on the Azure Information Protection through the Azure Portal. So this is still AIP that we're doing. And we're doing it through the Microsoft 365 portals, through the Security and Compliance Center instead of the Azure Portal. So we're going to click on "Create a Label." At that point, you would want to give it a name. So I'm just going to say "PII included." Personally identifiable information is included. And then you could give it a tool tip. I'm just going to put the same tool tip in there. Now what is a tool tip? The tool tip is that there's going to be a little message that pops up when somebody tries to share this via email or something like that with somebody else. It's going to pop up, and you can actually add a restriction that can stop somebody from sharing something with this particular sensitivity label in it if you want. Right now, we're just creating the sensitivity label; we're not actually implementing the policy; we're simply creating it.
So obviously, you could give it a description right here and describe to people what this label is going to do and all that good stuff. But I'm going to go ahead and click Next from there. This is where I could include encryption. Again, if I was going to use Rights Management with this, the Azure Rights Management Services, and all that, I could do encryption if I wanted to and I could apply encryption, okay? And it'll use a high level of encryption, using basically RSA encryption and all that. But I'm not going to do that right now. I'm going to click Next, and then you've got content marking. So this is where you can put a watermark in place. And again, let me clarify, guys. If this was something I was being asked to do on the exam, for example, and I know I've said this in previous lectures, don't do anything they don't tell you to do. If they don't tell you to put a watermark on it, don't put one on it, okay? But if they do tell you to put a watermark, put a watermark. If they don't tell you to encrypt anything, don't encrypt anything.
Okay? So the same rule applies for that. But if you wanted to put a watermark on your document, you would click "Add watermark." You could customise the text here, so I could say "secret." If I wanted to put the font size in, I could also put the font colour in if I wanted the text layout to be either diagonally across the page or horizontally across the page. I could add a header if I wanted. Same thing. Customize the text; you know, put the word "secret" in there if I want. Okay? Same thing here. I could add a footer if I wanted. Now, in my case, I'm actually not going to add any content marking. But again, if that was something they asked you to do on the exam, that would be something you would do, all right? If it's something they don't ask you to do, you don't do it. Okay? So I'm going to go ahead and click Next, and then from there, I've got auto-labelling for Office apps. So at this point, I'm going to turn this on, all right? I am going to want to use labelling for Office apps. And this is the automatic labeling.
So the great thing about this guy is that I can create this label, and it can be manually used by people, okay? But with automatic labeling, I can have it automatically used. Now, keep in mind that with auto-using labels, you have to have the premium two version of AIP (Azure Information Protection), which I'll jump over to here in a second and we'll take a look. But "Detect content that matches these conditions": I'm going to click Add condition, Content contains, all right, and then Add, Sensitive info types. So I'm going to click that. And so this is where I can go through and find some sensitive information that I want. So just scroll down, find the sensitive information you want to do, and do it. If I'm going to get a US Social Security number, I'm going to choose that.
Okay, you'll notice you could select more than one if you want. So I could get the U.S. Social Security number. I could get the U.S. tax identification number. All this good stuff I could add here, credit card numbers, all that. So obviously, you can go through this list and choose what you want. You can obviously search as well. So I'm going to click "Add." I've got the stuff I wanted to add. If I only wanted to add one thing, you would only add one thing. Again, if this was the exam and the exam said I wanted you to add the Social Security number, then that's the only thing you would add. And then it looks for accuracy. So one thing about Microsoft 365 and Azure with AIP is that it actually uses a thing called Regex. Some people pronounce it RegX.
However you like to say it, R-E-G-E-X. That's a regular expression. And it's essentially a pattern-matching system for being able to match up a sequence of numbers. So the sequence of numbers on a credit card, the sequence of numbers for a Social Security number, and the sequence of numbers for a tax ID number, for example. A Social Security number, most of you guys probably know that you have a three-digit number, then a two-digit number, and then a four-digit number. Well, that's what that's going to look at, and it's going to look for accuracy as well, and try to find an accurate example of that number in this document before it labels it.
Now the other thing you'll notice is that you have an instance count, so you could require there to be more than one of these showing up. Maybe you require ten instances of each before it becomes a sensitive document. So that's what they're saying over here. With this instance count, you can do that. Okay, so I'm going to go ahead. Now I could have another group of these if I wanted to, a group of these that are getting detected, if I wanted to. But I'm going to click Next, and then I'm going to click Submit. And I've now officially created a label that can be used.
OK, the label is not published yet. I'm going to talk about publishing in the next little lecture. But the label is now available; it's been created, and eventually it can be published and utilised by my users. So the next thing I want to do is take a look at the licencing side of all this. So we're going to go to portal.azure.com. Drop the menu bar down, okay? From there, I'm going to go to Azure Active Directory, Licenses, All products, and I'm going to click on the Enterprise Mobility + Security. This is where I wanted to show you the service plan details. You have Azure Information Protection Premium One and Two. Again, the big difference is that Premium One is going to let you manually do labels. Premium Two is going to let you automatically apply labels. So you're only going to be able to do the automatic application of labels for users who have Premium Two, just so you know. And again, you can assign those licenses. We've seen how to do that in previous lectures. OK, so that's your first look at Azure Information Protection. In this next one, we're going to take a look at publishing the policy and publishing the labels.
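The 3-2-4 digit pattern, the "accuracy" check and the instance count described in this lecture can be sketched in Python. This is an added illustration, not Microsoft's detection logic and not part of the course: the keyword list, proximity window, confidence numbers and sample documents are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Three digits, two digits, four digits. The separator (dash, space or
# nothing) must be the same in both positions, and the run must not be
# part of a longer digit/dash sequence.
SSN_PATTERN = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")

# Assumptions for this sketch: supporting keywords and how far to look.
KEYWORDS = ("ssn", "social security")
KEYWORD_WINDOW = 60   # characters searched on each side of a match
HIGH, LOW = 85, 65    # illustrative confidence levels


@dataclass
class Hit:
    value: str        # normalised as AAA-GG-SSSS
    confidence: int


def is_plausible(area: str, group: str, serial: str) -> bool:
    """Reject digit runs that can never be an issued SSN."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_ssns(text: str) -> list[Hit]:
    """Return plausible SSN matches, rated by nearby supporting keywords."""
    hits = []
    lowered = text.lower()
    for m in SSN_PATTERN.finditer(text):
        area, _sep, group, serial = m.groups()
        if not is_plausible(area, group, serial):
            continue
        start = max(0, m.start() - KEYWORD_WINDOW)
        context = lowered[start:m.end() + KEYWORD_WINDOW]
        near_keyword = any(k in context for k in KEYWORDS)
        hits.append(Hit(f"{area}-{group}-{serial}", HIGH if near_keyword else LOW))
    return hits


def should_auto_label(text: str, min_instances: int = 1,
                      min_confidence: int = HIGH) -> bool:
    """Apply the label only if enough distinct matches meet the confidence bar."""
    # Counting distinct values (not repeats) is an assumption of this sketch.
    distinct = {h.value for h in find_ssns(text) if h.confidence >= min_confidence}
    return len(distinct) >= min_instances


# Constructed sample documents (no real identifiers).
DOC_HR = ("Employee record\nName: Jane Example\nSSN: 123-45-6789\n"
          "Spouse social security number: 234 56 7890\n")
DOC_INVOICE = "Order 000-12-3456 shipped; part no. 912-34-5678; ext. 555-01-0000"
DOC_NOTE = "Ticket ref 123-45-6789 closed"

if __name__ == "__main__":
    for name, doc in (("hr", DOC_HR), ("invoice", DOC_INVOICE), ("note", DOC_NOTE)):
        print(name, find_ssns(doc), should_auto_label(doc))
```

Raising `min_instances` or `min_confidence` trades missed detections for fewer false labels, which is the tuning decision the instance count and accuracy settings expose in the label wizard.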
3. Stepping through the hands on tutorial for creating AIP Sensitivity Labels.
And you could click "Show All," then click on "Security or Compliance." Really, Security is the one I'm going to go with. OK, then you're in the Security and Compliance Center. The next step is going to be to click Classification. So you're going to click that Classification dropdown and then go to Sensitivity Labels. From there, you're going to click "Create a label" and give it a name. In this case, SSN. Now another thing I want to say is that if this was something you were being asked to do on the exam, they may not tell you to give it a certain name. If they don't tell you to give it a certain name, then it really doesn't matter. You would just put in whatever you want there. OK, so then Tool Tip, I specify what the tool tip is going to say when it pops up in things like Outlook and things like that.
When somebody tries to share something, you have a tool tip that can pop up. In this case, the tool tip is going to say "SSN Label." So from there, I'm going to click "Next." I am not doing any encryption because I was not asked to in this case, and I am not going to do any content marking because I was not asked to. Not going to do endpoint data loss prevention, or site and group settings, okay? Auto-labeling for Office apps, so I am going to do that one. I'm going to select that. I'm going to click Add condition, Content contains, Add, Sensitive info types, and find the one called U.S. Social Security Number, check that, click Add, Next, and then Submit, and the label is created. Remember, you don't want to do anything that, if this was a lab scenario, this was an exam lab scenario, you wouldn't want to add anything they don't want you to add. I mean, obviously, all this is also cool and stuff for the real world too, but it kind of focuses on an exam per se. You definitely don't want to do anything they don't ask you to do. Don't do any extra work, okay? Just do what they ask you to do.