The MS-500 Microsoft 365 Security Administration exam is currently available in beta, and as you can see if you scroll down, this exam expects you to have very broad exposure across the security capabilities of the Microsoft 365 E5 suite. This guide is effectively the fifth post in this series, and if you have already taken the exams listed below you will find that some of the preparation for those exams will help out here.
Preparing for the MS-101 Microsoft 365 Mobility and Security Exam (BETA)
Preparing for the MD-100 Windows 10 Exam (BETA)
Preparing for the MD-101 Managing Modern Desktops Exam (BETA)
There’s a huge amount of content to work through in the links below, and I’ll publish an updated version once the exam goes live in order to incorporate any changes with the final exam.
Implement and manage identity and access (30-25%) (look at those numbers, not my typo!)
- Secure Microsoft 365 hybrid environments
May include but is not limited to:
- Configure and manage security integration components in Microsoft 365 hybrid environments including connectivity, synchronization services, and authentication
- Plan Azure AD authentication options
- Plan Azure AD synchronization options
- Monitor and interpret Azure AD Connect events
- Secure user accounts
May include but is not limited to:
- Implement Azure AD dynamic group membership
- Implement Azure AD Self-service password reset
- Manage Azure AD access reviews
- Implement authentication methods
May include but is not limited to:
- Plan sign-on security
- Implement multi-factor authentication (MFA)
- Manage and monitor MFA
- Implement device sign-on methods
- Manage authentication methods
- Monitor authentication methods
- Implement conditional access
May include but is not limited to:
- Plan for compliance and conditional access policies
- Configure and manage device compliance policy
- Configure and manage conditional access policy
- Monitor Conditional Access and Device Compliance
- Implement role-based access control (RBAC)
May include but is not limited to:
- Plan for RBAC
- Configure RBAC
- Monitor RBAC usage
- Implement Azure AD Privileged Identity Management (PIM)
May include but is not limited to:
- Plan for Azure PIM
- Configure and manage Azure PIM
- Monitor Azure PIM
- Implement Azure AD Identity Protection
May include but is not limited to:
- Implement user risk policy
- Implement sign-in risk policy
- Configure Identity Protection alerts
- Review and respond to risk events
Implement and manage threat protection (20-25%)
- Implement an enterprise hybrid threat protection solution
May include but is not limited to:
- Plan an Azure Advanced Threat Protection (ATP) solution
- Install and configure Azure ATP
- Manage Azure ATP workspace health
- Generate Azure ATP reports
- Integrate Azure ATP with Windows Defender ATP
- Monitor Azure ATP
- Manage suspicious activities
- Implement device threat protection
May include but is not limited to:
- Plan and implement a Windows Defender ATP solution
- Manage Windows Defender ATP
- Monitor Windows Defender ATP
- Implement and manage device and application protection
May include but is not limited to:
- Plan for device protection
- Configure and manage Windows Defender Application Guard
- Configure and manage Windows Defender Application Control
- Configure and manage Windows Defender Exploit Guard
- Configure Secure Boot
- Configure and manage Windows 10 device encryption
- Configure and manage non-Windows device encryption
- Plan for securing applications data on devices
- Define managed apps for Mobile Application Management (MAM)
- Protect your enterprise data using Windows Information Protection (WIP)
- Configure WIP policies
- Configure Intune App Protection policies for non-Windows devices
- Implement and manage Office 365 messaging protection
May include but is not limited to:
- Configure Office 365 ATP anti-phishing protection
- Configure Office 365 ATP anti-phishing policies
- Define users and domains to protect with Office 365 ATP Anti-phishing
- Configure Office 365 ATP anti-spoofing
- Configure actions against impersonation
- Configure Office 365 ATP anti-spam protection
- Enable Office 365 ATP Safe-Attachments
- Configure Office 365 ATP Safe Attachments policies
- Configure Office 365 ATP Safe Attachments options
- Configure Office 365 ATP Safe Links options
- Configure Office 365 ATP Safe Links blocked URLs
- Configure Office 365 ATP Safe Links policies
- Implement and manage Office 365 threat protection
May include but is not limited to:
- Configure Office 365 Threat Intelligence
- Integrate Office 365 Threat Intelligence with Office 365 services
- Integrate Office 365 Threat Intelligence with Windows Defender ATP
- Review threats and malware trends on the Office 365 ATP Threat Management dashboard
- Review threats and malware trends with Office 365 ATP Threat Explorer and Threat Tracker
- Create and review Office 365 ATP incidents
- Review quarantined items in ATP including Microsoft SharePoint Online, OneDrive for Business, Exchange Online, and Microsoft Teams
- Monitor online anti-malware solutions using Office 365 ATP reports
- Perform tests using Attack Simulator
Implement and manage information protection (15-20%)
- Secure data access within Office 365
May include but is not limited to:
- Plan secure data access within Office 365
- Implement and manage Customer Lockbox
- Configure data access in Office 365 collaboration workloads
- Configure B2B sharing for external users
- Manage Azure Information Protection (AIP)
May include but is not limited to:
- Plan an AIP solution
- Activate Azure Rights Management
- Configure usage rights
- Configure and manage super users
- Customize policy settings
- Create and configure labels and conditions
- Create and configure templates
- Configure languages
- Configure and use the AIP scanner
- Deploy the RMS connector
- Manage tenant keys
- Deploy the AIP client
- Track and revoke protected documents
- Integrate AIP with Microsoft Online Services
- Manage Data Loss Prevention (DLP)
May include but is not limited to:
- Plan a DLP solution
- Create and manage DLP policies
- Create and manage sensitive information types
- Monitor DLP reports
- Manage DLP notifications
- Create queries to locate sensitive data
- Implement and manage Microsoft Cloud App Security
May include but is not limited to:
- Plan Cloud App Security implementation
- Configure Office 365 Cloud App Security
- Perform productivity app discovery using Cloud App Security
- Manage entries in the Cloud app catalog
- Manage third-party apps in Office 365 Cloud App Security
- Manage Microsoft Cloud App Security
- Configure Cloud App Security connectors
- Configure Cloud App Security policies
- Configure and manage Cloud App Security templates
- Configure Cloud App Security users and permissions
- Review and respond to Cloud App Security alerts
- Review and interpret Cloud App Security dashboards and reports
- Review and interpret Cloud App Security activity log and governance log
Manage governance and compliance features in Microsoft 365 (25-30%)
- Configure and analyze security reporting
May include but is not limited to:
- Interpret Windows Analytics
- Configure Windows Telemetry options
- Configure Office Telemetry options
- Review and interpret security reports and dashboards
- Plan for custom security reporting with Intelligent Security Graph
- Review Office 365 secure score action and recommendations
- Configure reports and dashboards in Azure Log Analytics
- Review and interpret reports and dashboards in Azure Log Analytics
- Configure alert policies in the Office 365 Security and Compliance Center
- Manage and analyze audit logs and reports
May include but is not limited to:
- Plan for auditing and reporting
- Configure Office 365 auditing and reporting
- Perform audit log search
- Review and interpret compliance reports and dashboards
- Configure audit alert policy
- Configure Office 365 classification and labeling
May include but is not limited to:
- Plan for data governance classification and labels
- Search for personal data
- Apply labels to personal data
- Monitor for leaks of personal data
- Create and publish Office 365 labels
- Configure label policies
- Manage data governance and retention
May include but is not limited to:
- Plan for data governance and retention
- Review and interpret data governance reports and dashboards
- Configure retention policies
- Define data governance event types
- Define data governance supervision policies
- Configure Information holds
- Find and recover deleted Office 365 data
- Import data in the Security and Compliance Center
- Configure data archiving
- Manage inactive mailboxes
- Manage search and investigation
May include but is not limited to:
- Plan for content search and eDiscovery
- Delegate permissions to use search and discovery tools
- Use search and investigation tools to perform content searches
- Export content search results
- Manage eDiscovery cases
- Manage data privacy regulation compliance
May include but is not limited to:
- Plan for regulatory compliance in Microsoft 365
- Review and interpret GDPR dashboards and reports
- Manage Data Subject Requests (DSRs)
- Review Compliance Manager reports
- Create and perform Compliance Manager assessments and action items
Thanks!
This one looks very tough!
Thanks. Doing the exam tomorrow.
Good luck!
How’d it go?
Still waiting on results but it wasn’t quite what I expected. I thought it was going to be a bit more high level, but there were some specifics that only an admin of a particular workload would know off the top of their head. I thought it was a good exam to really get people who are prepping to understand that M365 isn’t just a set of licensing options rather than pieces that are working together at a much deeper level.
Hi Sean,
Could you let us know about your experience with the MS-500 exam?
Hi Arun – it’s really important to approach this as the M365 E5 exam, and pay a lot of attention to the different ATPs, not just Office 365 ATP. I don’t think any of the questions were particularly difficult, but there were certainly a few that I just wasn’t sure about because of limited experience with some of the items that were tested. If someone goes in just with Office 365 or EMS experience, they might find the exam pretty tough.
Hi Mark,
Is there any way I could attend a mock test for this MS 500 exam before I attend the actual exam?
I have experience and am still learning all three ATPs – O365 ATP, Microsoft Defender ATP & Azure ATP. However, I do not have experience in Azure AD Connect.
So that is why I would like to attend a mock test. Kindly let me know if there are any options.
FYI, I have downloaded modern desktop deployment kit for setup.
Thank you.
Regards,
Arun
And thank you for your kind response Mark.
Hi Arun
I haven’t seen a practice exam for this one yet, I usually go to measureup when I need one.
Hi Mark
What type of lab do we need for MS-500?
The important things for this are to get access to an M365 E5 or similar, and have the ability to build out VMs to try things like AATP. If you need the AD infrastructure as well, use the modern desktop deployment kit as that speeds up the deployment process.
I just took the exam today and I’m waiting for the results. I’ve worked with EMS+E5 for a couple of years now and I feel I’m an expert within this license SKU. I’ve deployed nearly all the technologies covered on this exam as well as being the Exchange and SharePoint admin for a large organization where I migrated these workloads to O365. I used PluralSight to cover the areas I was weak in as well as this blog (Defender ATP and 365 Labels) but overall I feel confident that I passed this exam. There were definitely questions I did not know the answer to and I agree with Mark, it does pay to have experience being an Exchange and SharePoint administrator going into this exam.
These are the subjects which were covered on my exam:
Azure ATP
Defender ATP
O365 ATP
Azure Information Protection
Labels (sensitivity, retention)
AD Connect (federated identity, password hash sync, SSO)
Exchange (retention policies, mailbox auditing, DLP, PowerShell)
SharePoint/OneDrive/UnifiedGroups/Teams (DLP, sharing/partner organizations, PowerShell)
DLP Policies
MCAS
Azure PIM
Azure AD (roles, groups, dynamic groups, hybrid identity, hybrid device)
Azure user risk policies/events
Azure Conditional Access Policies
Azure MFA
Security and Compliance roles
M365 Roles
M365 Unified Audit Log
Intune
Thanks for the feedback John. I think EMS people have a big advantage because they have to know something about the Office 365 and/or Windows 10 apps they have to protect. So far I’m 7/7 for the beta exams (I did AZ100/AZ101/AZ102 as well as MS/MD), and I’m hoping this keeps the streak going.
Just an update, I received an email today that I passed this exam and it now shows on my transcript.
This is my first beta exam so for those of you who have passed these before, how long before you can claim your badge on Acclaim — or, will I never receive a badge for this exam?
Congrats John – I’m in the same boat, got the results but no badge yet. Normally beta exams lag a bit in terms of everything working through the system, but if you don’t see anything within a few weeks contact the regional support center and they can check on it for you.
Awesome, thanks Mark! Again, I appreciate the blog, it was helpful! Congrats on passing yet another exam 🙂
Same here. Waiting for the badge and the Enterprise Administrator Expert certification as I have completed MS-100 and MS-101 as well.
It’s showing up in my transcript now, but no badge just yet. I guess this means we just get to celebrate when we see the score report, again when it shows on the transcript, and a final time when we get the badge. =)
Hi, I just finished the MS-100 and MS-101 exam and now I’m thinking about taking the MS-500 exam to collect the Expert level title. Is there somebody who took the MS-101 and MS-500 and can you tell where the differences are? Is the MS-500 harder/easier to study than the MS-101?
To me it looks like the MS-500 covers most of the MS-101 topics, but more focused on implementation, rather than design (like the MS-101).
Hi Russell – I found it was broader, and I over prepared on the roles/rights side because I was a bit under prepared for that in the MS-10x exams, as that’s something I’d be referencing as needed and not trying to memorise them. The main thing I remember during that exam was I was glad that I’d spent the last few years focused on EMS, not just working with O365. The feedback I’m getting from people doing exams at the moment (not just this one) is that they aren’t really prepared for the EMS and Windows 10 pieces, including Defender ATP.
Hi Mark, thanks for your reply and the time you took to comment. For me it’s still a bit unclear how the MS-500 differs from the MS-100/101. I’m studying and for now the only difference I find is that some objectives are more detailed. But I would argue that overall the MS-100/101 do cover most of the MS-500 objectives, perhaps differing in design vs implementation. Would you agree?
How focused is the exam on PowerShell? And with the PowerShell questions do they want you to input commands or is it a multiple choice?
Hi Paul – there wasn’t much PowerShell at all from memory.
Thanks Mark
Hi Mark,
Just wondering if there are any recommendations for Test Labs with this exam.
I was thinking of spinning up a VM for sync testing and just signing up for the E5 trial but I wasn’t sure about a month of time being enough.
We have M365 at work but they only use E3 so can’t go through all the ATP features.
Cheers,
Paul
Hi Paul – I would recommend signing up for the M365 E5 trial, even though it’s only 30 days you could spin another tenant up pretty quickly.
Thanks Mark,
I did do that. I also found demo.microsoft.com; I was able to create test environments that have a 90 day expiry.
Cheers,
Paul