
Master Microsoft 365 identity and access management, implementing password and identity protection, MFA, conditional access, and privileged identity management, plus data governance, encryption, DLP, and cloud app security.
Explore how cloud migration heightens identity threats from credential theft and privilege abuse, and why safeguarding user identities amid password reuse and unapproved apps matters beyond perimeter defenses.
Manage identities as the new control plane in a Microsoft 365 environment by implementing Azure Active Directory, hybrid identity, multi-factor authentication, privileged identity management, and group-based access control.
Explore Microsoft 365 authentication options, from cloud-only Azure AD users to directory synchronization with Azure AD Connect (with or without password sync) and pass-through authentication, enabling single sign-on via federation.
Create cloud-only user accounts in the admin center, assign licenses and admin roles, and bulk import via CSV or PowerShell with Azure AD modules.
Manage cloud-based user accounts through the Microsoft 365 admin portal or PowerShell, adjusting licenses and apps, blocking sign-in, resetting passwords, and verifying license details.
Delete a Microsoft 365 user to remove the Azure AD account and licenses, understand email and OneDrive impacts, with soft delete and 30-day restore, plus hard delete via PowerShell.
Learn how to assign roles in Microsoft 365 from the Office 365 portal and Azure AD, including global administrator, service administrator, and user administrator, with consistent roles across portals.
Create and manage Office 365 groups, distribution groups, mail-enabled security groups, and dynamic distribution groups with rule-based membership (department) from the portal, Exchange Admin Center, or Azure AD.
Explore how privileged identity management in Azure Active Directory Premium P2 enables just-in-time admin access with approval, MFA, and auditing to protect global administrator accounts.
Explore Azure Active Directory privileged identity management and how to elevate to eligible admins, distinguish permanent versus eligible roles, and manage approvals, audits, and activations.
Learn how Azure AD enables privileged access management in 365 with just-in-time role elevation or task-based approvals in the admin center, and configure Exchange task policies.
Configure cloud password policies in Microsoft 365, including expiration (14–730 days) and reminders (1–30 days). Learn how on-premises policies affect synchronized accounts and self-service resets for standard users.
Enable multi-factor authentication in the Microsoft 365 admin center and enforce MFA. Choose verification options like SMS, phone, or authenticator app, and manage trusted IPs with Azure AD P1/P2 licensing.
Configure self-service password reset for cloud accounts in Azure Active Directory, with methods like authenticator, email, SMS, or security questions, and optional password writeback for on-premises Active Directory.
Learn how passwordless authentication replaces passwords with Windows Hello for Business, biometrics, FIDO tokens, and the Azure Authenticator app in Azure Active Directory for strong multi-factor security.
Audit and automate access reviews in Azure Active Directory to validate group memberships and app access, onboarding identity governance, and auto removal of stale access.
Understand how Azure Active Directory security defaults provide preconfigured protections against common attacks. They require MFA enrollment within 14 days and may conflict with conditional access policies.
Explore Azure Active Directory Identity Protection, leveraging premium analytics to detect risky sign-ins and users, block threats, enforce password resets and MFA, and monitor risks with automated remediation and alerts.
Configure Azure AD identity protection to create sign-in risk policies and user risk policies, block or require MFA for medium or higher risk sign-ins, and review risk reports and notifications.
Discover single sign-on options for Microsoft 365 with Azure Active Directory, including Active Directory Federation Services, password synchronization, seamless single sign-on, and pass-through authentication for cloud access.
Synchronize your on-premises directory with Azure Active Directory using Azure AD Connect to create a single source of truth for users, groups, and contacts, with optional password or federation authentication.
Raise the forest level to at least Server 2008 and install Azure AD Connect on a 64-bit server. Use SQL Express for the database and IdFix to verify the domain in 365.
Download and run Azure AD Connect tool from Microsoft 365 admin center, choose custom installation, then connect to Azure AD with a global admin and enable password hash synchronization.
Install the Azure AD Connect Health agent to send synchronization and directory service data to the portal, enabling real-time health monitoring, alerts for sync and replication issues, and auto update.
Plan a multi-forest Azure AD Connect deployment by ensuring each forest has authoritative namespaces, unique certificates from a trusted CA, and reliable connectivity to synchronize all forests to one tenant.
Synchronize on-premises Active Directory changes to Azure Active Directory to manage user attributes and authentication, including updates, deletes, disables, and restores, via delta sync and the synchronization service.
Azure AD Connect synchronizes on-premises users and groups to the cloud, but group membership is managed on premises. Premium P1/P2 enables group writeback from Azure AD to on-premises AD.
Azure AD Connect creates security groups to manage sync, including the ADSync admins, operators, browse, and password set groups, as local groups on domain-joined servers.
Federation establishes a trust relationship between on-premises Active Directory and cloud resources by exchanging certificates to issue claims and access tokens for services like SharePoint Online.
Use conditional access to evaluate who, where, and on what device accessing resources, with Azure Active Directory and AD FS enforcing location and MFA when outside the office.
Publish on-premises apps to the internet using Azure AD application proxy, with an on-premises connector and external endpoint, while the firewall makes outbound calls and avoids inbound exposure.
Install and authenticate the Azure Active Directory application proxy connector, publish an on-premises app with an external URL, then assign it to users for access via myapps.microsoft.com.
Enroll devices in Intune for management to enforce device compliance and conditional access with Azure AD P1 or P2, applying encryption and password protections while denying non-compliant BYOD access.
Create and manage conditional groups in Azure Active Directory to apply policies based on device properties, such as device type and OS, using dynamic device membership.
Learn to create a conditional access policy in the Azure portal, assign it to groups and apps, set sign-in risk and location conditions, and enforce MFA.
Invite external guest users to access resources via Azure Active Directory, using Office 365 sharing or B2B sharing, with invitations and guest entries, while licensing and audits apply for P1/P2.
Create and manage external guest users in Azure Active Directory, inviting external or Microsoft accounts. Sync on-premises Active Directory and monitor licensing, including the 5 to 1 guest-to-license ratio.
Adapt to the cloud-centric work landscape by monitoring how users access resources, managing devices and policies, and prioritizing user IDs as gatekeepers to cloud-hosted data.
Understand Microsoft's security strategy that increases attacker costs, assumes identities are under attack, and uses defense in depth, cloud protection, and attack simulations to detect and respond.
Explore your Microsoft 365 security posture using the secure score, view improvement actions, and track changes over time; enable multi-factor authentication for all admins to boost the score.
Secure email flow with Exchange Online Protection blocks at the edge using IP and sender reputation, scans with multiple virus engines, and sandbox analysis before delivery.
Explain how zero-hour auto purge (ZAP) monitors delivered messages, moves junk mail and removes malicious attachments, and can reclassify items from junk to inbox if not spam.
Explore how Microsoft 365 uses SPF, DKIM, and DMARC to authenticate email, detect spoofing and phishing, and manage spoof intelligence through the Security and Compliance Center.
Learn to configure safe attachments in Microsoft Defender for Microsoft 365, create sandboxed policies, and apply block, monitor, replace, or dynamic delivery to protect email attachments and files.
Explore how Microsoft 365 Safe Links rewrites URLs at click time and scans destinations for malicious sites. Configure policies, block or whitelist sites, and enable URL scanning.
Install a Defender for Identity sensor on your system to collect network traffic and event logs. The cloud-based service analyzes this data to detect reconnaissance, lateral movement, and credential harvesting.
Configure Microsoft Defender for Identity by installing the sensor on domain controllers and connecting to the identity workspace with the access key, then monitor on-premises activity.
Use the Microsoft Defender for Identity portal to analyze authentication attempts and events from on-premises to the cloud, generate alerts and health reports, and manage alerts.
Explore Microsoft Defender for Endpoint, a cloud-based service that detects, investigates, and mitigates threats with endpoint sensors, threat intelligence, threat and vulnerability management, and automated investigation and remediation.
Discover how Application Guard uses hardware isolation and a Hyper-V container Edge browser to isolate untrusted sites and protect Windows 10 Enterprise systems.
Apply application control on Windows 10 Enterprise to run only trusted code by default, blocking unsigned or modified binaries, enforcing code signing with a metadata file and reputation checks.
Explore how Windows Defender exploit protection provides host intrusion prevention, attack surface reduction rules, and built-in network protection in Windows 10, with AppLocker controls to isolate untrusted networks.
Explore the security compliance center's threat management dashboard to monitor investigations, playbooks, and Windows Defender responses, and review weekly threat detection, Exchange Online protection, malware trends, and spoof domains.
Leverage the Microsoft Graph to aggregate billions of signals from Microsoft 365, Windows 10, EMS, and third-party feeds to detect anomalies and strengthen environment security.
Explore threat explorer and threat tracker to identify malware, phishing, and campaigns targeting your environment, drill into attacker origins and affected users, and learn from Microsoft alerts to educate users.
Explore how to use the attack simulator in Microsoft 365 security center to run credential harvesting and malware simulations, customize recipients, trigger post-simulation training, and review results.
Explore automated investigation and response in Microsoft 365 security, using security playbooks to respond to well-known threats, remove malicious emails, and notify users to reduce manual effort.
The lecture introduces Azure Sentinel as a cloud-native SIEM that uses AI, threat intelligence, and cloud-scale data collection to detect, investigate, and automate responses to threats.
Learn to deploy Azure Sentinel, a cloud-based SIEM and SOAR, collect data from on-prem and cloud sources like Microsoft 365, use AI-driven threat detection, and automate responses via playbooks.
Explore how mobile application management in Intune and Microsoft Endpoint Manager pushes, configures, and secures apps while protecting corporate data with app protection policies across Android, iOS, and Windows devices.
Integrate on-premises Active Directory with Azure Active Directory to enable single sign-on for SharePoint, OneDrive, and other enterprise applications, then assign apps and provide seamless access via My Apps.
Enroll devices with a mobile device management authority such as Intune to enforce security policies, configure settings like screensaver and password, and monitor device compliance, including selective delete.
Learn how Microsoft 365 MDM policies enforce enrollment and device compliance to control access to email and documents using conditional access, app deployment, and data protection.
Prepare and deploy mobile device management by configuring domains, auto enrollment, and Apple push notification certificates, then establish device compliance, conditional access, and security policies in the Azure portal.
Define corporate device enrollment policies with type and OS restrictions, set minimum and maximum OS versions, and limit self-enrollment to control number and ownership of devices.
Enroll Windows 10 devices by domain join, hybrid Azure AD automatic enrollment (paid Azure AD required), or manual via the company portal; Android, iOS, and Apple device enrollment enable configuration.
Enable device enrollment manager to preconfigure and enroll up to a thousand devices into MDM with device profiles, ensuring updates apply by device rather than user.
Explore four data sensitivity label application methods in Microsoft 365: automatic, location-based, recommended, and manual, plus reclassification rules, audit logs, and how user changes override automatic labeling.
Publish sensitivity labels in the compliance center to classify and protect data across Windows, Mac, iOS, and Android. Enforce encryption and permissions, apply watermarks, and test with simulation.
Create and apply sensitivity labels to Microsoft 365 groups and sites, manage labels in Azure portal and SharePoint admin center, and reveal watermark and restricted permissions for non-owners.
Enable the AIP super user to manage encryption across the tenant, enabling unprotect actions when needed via PowerShell and the AADRM module; assign groups and monitor admin logs.
Learn how Customer Lockbox requires manager approval, with email and portal prompts, four hours of access, and auto rejection after 12 hours if unanswered.
Explore protecting data access in Microsoft 365 by applying baseline protections, encryption, location and sensitivity controls, external sharing policies, device access, and privileged identity management with Azure AD.
Differentiate corporate data from personal data on Windows devices using Windows information protection, enabling encryption, remote wipe, and app-level protections to guard work data.
Implement Windows information protection by creating an Azure app protection policy for Windows 10, protecting corporate data in Office 365 Pro Plus and restricting copy‑paste to non‑trusted apps.
Explore how Windows Information Protection uses enlightened apps to separate work-related data from personal data, guiding saving choices across domain-protected shares and local storage.
Explore how Microsoft 365 encrypts data at rest with BitLocker in data centers and data in transit with TLS, plus email protection via message encryption and Azure Rights Management Services.
Learn how rights management in Exchange protects sensitive messages by encrypting emails, applying policies like do-not-forward, expiration, and access licenses for offline viewing across Outlook and Outlook on the web.
Apply information rights management to SharePoint Online document libraries to encrypt downloaded documents and restrict actions such as printing, running scripts, or modifying copies based on user permissions.
Compare IRM and AIP in SharePoint: libraries require protection decisions, templates aren't applicable, while AIP encrypts labeled documents on the client side and IRM is server-side, with co-authoring not supported.
Explore how S/MIME protects email with digital signatures and encryption, using certificates, public and private keys, and session keys to ensure authentication, data integrity, non-repudiation, and confidentiality.
Office message encryption lets you send encrypted email from Exchange Online to internal and external recipients without a full PKI, with recipients decrypting via Google ID or a one-time passcode.
In this course, students will ultimately learn to implement, manage, as well as monitor security and compliance solutions for Microsoft 365 and hybrid environments. Specifically, time from this course will be spent managing Microsoft identity and access, password and identity protection, identity synchronization, access management, Microsoft 365 security, threat intelligence, mobile device management, information protection, encryption, data loss prevention, cloud application security, archiving and retention, and data governance. This course will prepare students for the MS-500 exam. Students passing the exam will earn the Microsoft 365 Certified: Security Administrator Associate certification.
This course aligns with the CAP Body of Knowledge and should be approved for 7.5 recertification points under the Technology and Information Distribution content area. Email info@intellezy.com with proof of completion of the course to obtain your certificate.
**Updated as of August 2021**
With nearly 10,000 training videos available for desktop applications, technical concepts, and business skills that comprise hundreds of courses, Intellezy has many of the videos and courses you and your workforce need to stay relevant and take your skills to the next level. Our video content is engaging and offers assessments that can be used to test knowledge levels pre and/or post course. Our training content is also frequently refreshed to keep current with changes in the software. This ensures you and your employees get the most up-to-date information and techniques for success. And, because our video development is in-house, we can adapt quickly and create custom content for a more exclusive approach to software and computer system roll-outs. Check out all Intellezy has to offer with our award-winning video content!