MS-500

By Microsoft
Aug, 2025


Question 51

DRAG DROP -
You have a Microsoft 365 E5 tenant that contains three users named User1, User2, and User3.
You need to assign roles or role groups to the users as shown in the following table.

Image 1

What should you use to assign a role or role group to each user? To answer, drag the appropriate tools to the correct roles or role groups. Each tool may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:

Image 2

Question 52

Your network contains an on-premises Active Directory domain named contoso.local that has a forest functional level of Windows Server 2008 R2.
You have a Microsoft 365 E5 subscription linked to an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to install Azure AD Connect and enable single sign-on (SSO).
You need to prepare the domain to support SSO. The solution must minimize administrative effort.
What should you do?

  • A: Raise the forest functional level to Windows Server 2016.
  • B: Modify the UPN suffix of all domain users.
  • C: Populate the mail attribute of all domain users.
  • D: Rename the domain.

Question 53

HOTSPOT -
You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

Image 1

For contoso.com, you create a group naming policy that has the following configuration.
<Department> - <Group name>
You plan to create the groups shown in the following table.

Image 2

Which users can be used to create each group? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Image 3

Question 54

You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.

Image 1

You configure the Security Operator role in Azure AD Privileged Identity Management (PIM) as shown in the following exhibit.

Image 2

You add assignments to the Security Operator role as shown in the following table.

Image 3

Which users can activate the Security Operator role?

  • A: User2 only
  • B: User3 only
  • C: User1 and User2 only
  • D: User2 and User3 only
  • E: User1, User2, and User3

Question 55

HOTSPOT -
You configure Microsoft Azure Active Directory (Azure AD) Connect as shown in the following exhibit.

Image 1

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:

Image 2

Question 56

You have a Microsoft 365 tenant.
You need to implement a policy to enforce the following requirements:
✑ If a user uses a Windows 10 device that is NOT hybrid Azure Active Directory (Azure AD) joined, the user must be allowed to connect to Microsoft SharePoint Online only from a web browser. The user must be prevented from downloading files or syncing files from SharePoint Online.
✑ If a user uses a Windows 10 device that is hybrid Azure AD joined, the user must be able to connect to SharePoint Online from any client application, download files, and sync files.
What should you create?

  • A: a conditional access policy in Azure AD that has Client apps conditions configured
  • B: a conditional access policy in Azure AD that has Session controls configured
  • C: a compliance policy in Microsoft Endpoint Manager that has the Device Properties settings configured
  • D: a compliance policy in Microsoft Endpoint Manager that has the Device Health settings configured

Question 57

You have a hybrid deployment of Azure Active Directory (Azure AD) that contains two users named User1 and User2.
You need to assign Role Based Access Control (RBAC) roles to User1 and User2 to meet the following requirements:
✑ Use the principle of least privilege.
✑ Enable User1 to view sync errors by using Azure AD Connect Health.
✑ Enable User2 to configure Azure Active Directory Connect Health Settings.
Which two roles should you assign? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A: The Monitoring Reader role in Azure AD Connect Health to User1
  • B: The Security reader role in Azure AD to User1
  • C: The Reports reader role in Azure AD to User1
  • D: The Contributor role in Azure AD Connect Health to User2
  • E: The Monitoring Contributor role in Azure AD Connect Health to User2
  • F: The Security operator role in Azure AD to User2

Question 58

You have a Microsoft 365 subscription that contains a user named User1.
You need to assign User1 permissions to search Microsoft Office 365 audit logs.
What should you use?

  • A: the Azure Active Directory admin center
  • B: the Exchange admin center
  • C: the Microsoft 365 Defender portal
  • D: the Microsoft 365 Compliance center

Question 59

You have a Microsoft 365 tenant that has modern authentication enabled.
You have Windows 10, macOS, Android, and iOS devices that are managed by using Microsoft Endpoint Manager.
Some users have older email client applications that use Basic authentication to connect to Microsoft Exchange Online.
You need to implement a solution to meet the following security requirements:
✑ Allow users to connect to Exchange Online only by using email client applications that support modern authentication protocols based on OAuth 2.0.
✑ Block connections to Exchange Online by any email client applications that do NOT support modern authentication.
What should you implement?

  • A: a conditional access policy in Azure Active Directory (Azure AD)
  • B: an application control profile in Microsoft Endpoint Manager
  • C: a compliance policy in Microsoft Endpoint Manager
  • D: an OAuth app policy in Microsoft Defender for Cloud Apps

Question 60

HOTSPOT -
You have a Microsoft 365 E5 subscription linked to an Azure Active Directory (Azure AD) tenant. The tenant contains a user named User1 and multiple Windows 10 devices. The devices are Azure AD joined and protected by using BitLocker Drive Encryption (BitLocker).
You need to ensure that User1 can perform the following actions:
✑ View BitLocker recovery keys.
✑ Configure the usage location for the users in the tenant.
The solution must use the principle of least privilege.
Which two roles should you assign to User1 in the Microsoft 365 admin center? To answer, select the appropriate roles in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Image 1

Question 61

HOTSPOT -
Your on-premises network contains an Active Directory domain that syncs to Azure Active Directory (Azure AD) by using Azure AD Connect. The functional level of the domain is Windows Server 2019.
You need to deploy Windows Hello for Business. The solution must meet the following requirements:
✑ Ensure that users can access Microsoft 365 services and on-premises resources.
✑ Minimize administrative effort.
How should you deploy Windows Hello for Business and which type of trust should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Image 1

Question 62

HOTSPOT -
You have a Microsoft 365 E5 subscription.
You need to create a role-assignable group. The solution must ensure that you can nest the group.
How should you configure the group? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Image 1

Question 63

HOTSPOT -
You create device groups in Microsoft Defender for Endpoint as shown in the following table.

Image 1

You onboard three devices to Microsoft Defender for Endpoint as shown in the following table.

Image 2

After the devices are onboarded, you perform the following actions:
✑ Add a tag named Tag1 to Device1.
✑ Rename Computer3 as Device3.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Image 3

Question 64

You have a Microsoft 365 E5 subscription that contains 100 users. Each user has a computer that runs Windows 10 and either an Android mobile device or an iOS mobile device. All the devices are registered with Azure Active Directory (Azure AD).
You enable passwordless authentication for all the users.
You need to ensure that the users can sign in to the subscription by using passwordless authentication.
What should you instruct the users to do on their mobile device first?

  • A: Install a device certificate.
  • B: Install a user certificate.
  • C: Install the Microsoft Authenticator app.
  • D: Register for self-service password reset (SSPR).

Question 65

You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

Image 1

You enable the authentication methods registration campaign and configure the Microsoft Authenticator method for Group1.
Which users will be prompted to configure authentication during sign in?

  • A: User1 only
  • B: User2 only
  • C: User2 and User3 only
  • D: User1 and User2 only
  • E: User2 and User3 only
  • F: User1, User2, and User3 only

Question 66

You have a hybrid Microsoft 365 environment. All computers run Windows 10 and are managed by using Microsoft Endpoint Manager.
You need to create a Microsoft Azure Active Directory (Azure AD) conditional access policy that will allow only Windows 10 computers marked as compliant to establish a VPN connection to the on-premises network.
What should you do first?

  • A: From the Azure Active Directory admin center, create a new certificate
  • B: Enable Application Proxy in Azure AD
  • C: From Active Directory Administrative Center, create a Dynamic Access Control policy
  • D: From the Azure Active Directory admin center, configure authentication methods

Question 67

HOTSPOT -
You have a Microsoft 365 subscription that contains three users named User1, User2, and User3.
You have the named locations shown in the following table.

Image 1

You configure an Azure Multi-Factor Authentication (MFA) trusted IP address range of 192.168.1.0/27.
You have the Conditional Access policies shown in the following table.

Image 2

The users have the IP addresses shown in the following table.

Image 3

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Image 4

Question 68

Your network contains an on-premises Active Directory domain. The domain contains a domain controller named DC1.
You have a Microsoft 365 E5 subscription.
You install the Microsoft Defender for Identity sensor on DC1.
You need to configure enhanced threat detection in Defender for Identity. The solution must ensure that the following events are collected from DC1:
✑ 4726 - User Account Deleted
✑ 4728 - Member Added to Global Security Group
✑ 4776 - Domain Controller Attempted to Validate Credentials for an Account (NTLM)
What should you do on DC1?

  • A: Install the Azure Monitor agent.
  • B: Install System Monitor (SYSMON).
  • C: Configure the Windows Event Collector service.
  • D: Configure the Advanced Audit Policy Configuration policy.

Question 69

You have a Microsoft 365 E5 subscription that uses Azure Active Directory (Azure AD) Privileged Identity Management (PIM).
A user named User1 is eligible for the User Account Administrator role.
You need User1 to request to activate the User Account Administrator role.
From where should User1 request to activate the role?

  • A: the My Access portal
  • B: the Microsoft 365 Defender portal
  • C: the Microsoft 365 admin center
  • D: the Azure Active Directory admin center

Question 70

You have a Microsoft 365 E5 subscription.
You need to enable support for sensitivity labels in Microsoft SharePoint Online.
What should you use?

  • A: the SharePoint admin center
  • B: the Microsoft 365 admin center
  • C: the Microsoft 365 Compliance center
  • D: the Azure Active Directory admin center


Page 3 of 14 • Questions 51-75 of 349
