Pass Your Microsoft 365 MS-500 Exam Easy!

Microsoft MS-500 Microsoft 365 Security Administration exam dumps vce, practice test questions, study guide & video training course to study and pass quickly and easily. Microsoft MS-500 Microsoft 365 Security Administration exam dumps & practice test questions and answers. You need avanset vce exam simulator in order to study the Microsoft 365 MS-500 certification exam dumps & Microsoft 365 MS-500 practice test questions in vce format.

Role Based Access Control and Privileged Identity Management (PIM)

4. Understanding Privileged Identity Management (PIM)

What exactly is privileged identity management? This is a capability that we get with Azure AD. There is certain licencing for that, but I'll get to that in a minute. But it is something you get with Azure advertising. Essentially, it allows you to manage, control, and monitor the access to your resources in your organization. The great thing about PIM is that it allows you to control when and how long these capabilities are available to users in terms of access control and management, among other things. So it's a great feature as far as supporting who gets access. When do they get access? Do they have to request access in order to get that role before they are actually able to gain it? Okay, so this is what PIM is going to bring to the table, all right? This model is known as PIM—Privilege Identity Management. This model is sometimes referred to as JIT. just-in-time administration. Okay? And the idea is to be able to help control the resources in Azure, adjust Azure in general which is the IaaS side of things), as well as Microsoft, PaaS, and SaaS. Infrastructure as a service, platform as a service, and software as a service are all examples. PIM is going to play a role in controlling all of those things, okay? The goal here again is to control your administration. Not everybody is a global administrator. As I always say, the global administrator wields intergalactic cosmic powers over your environment. But we don't want everybody to be global administrators. And there might be times where we need to give somebody access to a resource or to control something for a temporary amount of time. It could be that you've got an administrator who is going out of town on vacation next week, and the administrator needs to pass along this ability to somebody. Let me give you an example. Let's say that I have a junior-level admin who works with me. Maybe I'm a higher-level admin. I have a junior-level admin who's working with me. And this junior-level admin normally does not have the ability to create user accounts, okay? That's not something they have been given the authority to do yet, okay? However, I decide to go on vacation, or I'm going to be on vacation next week, and supposedly the company is going to hire a couple of new employees next week and I'm not going to be here, right? So what I could do is make this junior level admin a user administrator, and then I could go on vacation. Before I go on vacation, I could teach the admin, the junior admin, how to create users and all that, and then I could go on vacation. The issue is that I'd have to remember to remove that role when I returned to PIM, with this whole JIT just-in-time administration thing. Just in Time (JIT) Administration is a great capability that says, "Here, you get this role, you get this privilege for a certain amount of time, but then it's going to go away after a while, okay?" and that way I don't forget. If I was to forget, I should say it takes care of it for me. I could schedule this user to have this right for a week. And then when the week is over, this power goes away. I could also make it so the user has to request this control through another user, like a manager or somebody, if I wanted to as well. Okay, so it's a great little feature. Microsoft has made it pretty user-friendly as well. So it's not too hard to set up really interesting technology that you can configure. Now, I will say this: as far as licencing is concerned, you have got to have Azure Ad Premium 2. You have to have that P-2 licence in order to support PM; Azure Ad Basic, Free, and all that stuff do not support it. And you can actually, if you're trying to get a good grasp on, well, what am I getting with Azure Ad Premium One and Premium Two licenses? Microsoft does have a great little website that you can look at to look at the difference. In fact, why don't we look at that? Now, to me, probably one of the fastest ways to find information on licencing just about anything with Azure is to just go to Google or another search engine, your search engine of choice, and just search for the keywords there. So, for example, if I search for "Azure Ad Premium," and if you wanted to see something like "Premium One versus Premium Two," you just do something like that, it's going to pull it up. You can then go here to this pricing for Active Directory and click on that, and they give you a nice little website that's going to break it all down for you. So you can see each and every one of these options that you've got here. All right, so you have the free Office 365 app version and the premium versions One and Two, which is what we care about right now. If I scroll down, you can see that with Premium Two, you're going to get the PIN, the privileged identity management. So you do have to have Premium Two in order to support this. All right, so let's continue going over some of the facts about PIM and some of the key features of PM. So you heard me mention "just in time administration"—that's just in time privilege access, giving the user access when they need it—and then the timebound thing that I was talking about. So again, if I was going on vacation and I needed this junior-level admin to be able to create user accounts or manage Exchange or SharePoint or whatever, I can do that with time-bound access, and I can also enforce approval. So again, it might be that we've got another boss, another manager, somebody like that, that's in town. But this manager isn't the one who normally creates users or anything. I can make it so the junior-level admins request to get control. At that point, this manager has to agree to it before it will happen. You can also enforce multi-factor authentication. So, when a user goes to take control of their role, when they go to grab that power, that role, they must prove who they are using MFA. Okay? Another thing is justification so that you can require them to type something up that says, "Hey, you're justifying why you are gaining this power." And the user could put in there that I'm justifying it because I've got to create these two new employee user accounts, or I've got to create an email account or manage email, or whatever, if it's for exchange or SharePoint, or whatever. So then you've got to receive notifications. So whenever a privileged account gets activated, you can receive a notification that says, "Hey, this person has taken this role. Okay? And then you can also do access reviews, where you go back through and just make sure that your users still need the role. Despite the fact that I granted that role for a month, I was only on vacation for a week. So do I really need that role? Does that user really need that role for that long? Then there's the matter of downloading audit history. The audit history is going to allow you to see exactly what they did with that role when they took that role. Okay? Now, there are some roles that are required for managing PIM. First off, only somebody who is a privileged role administrator or global administrator can control role assignments for your other admins. So you can't just be anybody to control PIM, okay? They also tell you here that you can grant access to the other administrators to manage PM as well. So those two roles are there, theglobal admin and the privilege role administrator. But you could also create a role and give role permissions to some other role to come in here and manage your settings, all right? And then Global Administrators, Security Administrators, Global Readers, and Security Readers also have the ability to view assignments for that as well. So, Globalreader, your security administrator, security, all that. They can't necessarily make a lot of changes, but they can go in there and see the changes. That's basically what they're saying. They can see who's been given those roles. Let's look at some of the terminology. This is right out of Microsoft's knowledge base, okay? Some of the different terms and concepts associated with roles are taken directly from their knowledge base. OK, before we take a look at roles, it's important to understand some of the terminology. So first off, you are eligible. All right? Eligible means that the user has got to go and perform some action to get the role. All right? The second one is an active. "Active" basically means the role is currently active. They tell you here that role assignment doesn't require user consent before any action. If it's already activated, they've already got it. Activate means that somebody wants to activate the role, okay? So when you make that role available to the person, they have to go, and they have to click to activate it. Assigned means this is what they call a state. This is the state that a role is in as opposed to a type. And "assigned" simply means that the user has been assigned that role, and that role is active and then activated. That's the state that a person is in. That means that the role is activated. So they tell you that if a user has an eligible role and they've performed the proper actions to activate the role, that role is now active, okay? Once the role is active, a user can go through the process of using the role for a certain amount of time. So that's the reason why it's activated versus assigned, okay? And then the last bit of terminology Here, you are permanently eligible, okay? So they tell you this is a duration, but they tell you the role assignment is always eligible to be activated by the user. You are permanently active. So this is where a role comes in. A user can always use the role without performing any actions. In general, these are your standard roles. And before PIN ever came out, that was how all of our roles worked: we would assign a role, and it would be permanently active. Unless, of course, we took that role away from someone, in which case, you are no longer eligible. So the role is eligible to be activated between a start and an end date. Then you had expired active. They tell you here that the role is where Auser can essentially use the role without performing any actions, but it will be within a specific amount of time. That means I've already assigned the role, and it's going to expire after a certain point. So you have JIT just-in-time access, correct? And that model is the one that's being used here, as opposed to, say, a duration or something like that. That's the model you've heard me mention in this little lesson already quite a few times, all right? So the user is going to get basically a temporary set of permissions for a certain amount of time, all right? The information is going to be granted when they need it. It's all going to be audited very well, what they're doing. And lastly, the principle of lease privilege That's the concept. That's also a model for us to use and a strategy that we use here. And that's always the number of privileges you grant in order for someone to do their job, okay? So again, if I'm going out of town for a week and I'm granting a junior-level admin the ability to create users, I'm not making them a global admin. Ideally, all they have to do is create users, right? Could I give them global admin control? Yeah, I could give them, as I say, intergalactic cosmic powers over the environment. But why would I do that if the only thing that they should need to do is to create users? Sometimes we get a little carried away there, and they're like, well, what if they need to do more? Okay, well, you need to decide that from the beginning, but ideally, you always want to live off of the principle of lease privilege, and this is always something Microsoft pushes in all their concepts as well as on the exam and all that. There is always the principle of lease privilege. Okay. All right. So that's where we are, and hopefully that gives you a good foundation for what PM is and what the goal of PIM is. the strategies of PIM.

5. Configuring Privileged Identity Management (PIM)

Let's walk through the process now of working with privileged identity management, also known as PIM. So, here we are in Portal Azure.com, and I'm going to click on this new button. And I'm going to click All Services, and we're going to search for privileged identity management. All right? And there it is, right there. I'm going to go ahead too, and I can just add that as a favourite by clicking the little star icon. So now it will show up as one of my favourites here in my little menu bar. So I can just click on that. And here we are in NPM, in privileged identity management. All right. and just kind of looking through some of our options here. I've got my roles. If I click on my roles, is this going to show me if I have any eligible roles? Okay, I can click on Active Roles, and this will show me my active roles. Now you can see I am a global administrator; that's been assigned, and it's permanent. I'm part of that role, right? So, if you return to our Azure Active Directory, simply Standard Azure Active Directory, you can select your roles. And this is how we traditionally add users to roles. We can see all the different roles that are available here, right? And I should be able to see the global administrator right here in the global administrator if I go through. I can click on that, and I can see that my user here has been given those rights. Okay, let's jump back over to privileged identity management. All right, so I've got my roles. You can see that I have active roles. Do I have any roles that have expired? No. Okay, so this is when you go into Privilege Identity Management. If you're clicking on my role, that's exactly what that sounds like. It is. You're looking at roles that your accounthas, not anybody else your account. You've got my request. This is if I requested any roles. Okay. And then approve the request. This is if I need to approve any request. I don't have any requests to approve right now for many users. Okay, so if any users have requested,if you've required a role to beapproved, that's where that would happen. You can also click Review Access, and you can see if there are any particular access reviews of a starting time period or an ending time period that have occurred. You'd be able to see those here as well. All right, now here's where things get interesting. All right. I can go right here where it says Azure AD roles. So let's go ahead and click on that. All right. And I've got some options here. I've got signee eligibility. I've got the activate your role button; if I had a role that was made available to me, this is where I could activate it. Assigning Eligibility. I'm going to look at that with you in a second. That's basically a signing role here, where you would approve requests, and then you can also view the history of things that have happened through privilege identity management here. So you can click on "View History," and you can see previous things. As you can see, I've added eligibility to auer and removed eligibility from a user, among other things. But let's go back over here now, alright? and let's click on settings. And you can see all these different settings that we've assigned or modified at the moment. all these different roles. As you can see, it's not showing that I've given or that I've modified any of these at the moment. So, when you look at it through the ad roles, this is what Settings will do for you. It's just going to show you if you've modified any assignments, okay? I haven't done any assignments, but I could add an assignment if I want. Okay, so if we look at roles, we can see all the different roles that are here. And then I could choose a role-model user administrator, kind of going along with that junior administrator example. Maybe I've got a junior administrator. I want to make a user administrator. I can do that right there. I can click on it, and I can add assignments that way. That's one way you can do it. Another option is to return to Azure Ad Roles and select Assignments. You can do it through here as well. So you click to add the assignment, and then of course, you've got to specify the role that you want to assign. Okay? So either of you can do that either.You can do it either way. You can click on Azure Ad Roles, you can click Assignments, and then it'll make you choose the role. Or if you choose just the roles blade itself, then you can choose the role you want, like user administrator, and you can add the role that way or add the user to the role. So I can also look at role settings, and I've got all these different settings like activation. The maximum duration is 8 hours. You can require justification or require ticket information on activation. So if you're using a ticketing system and you've got MFA, you can force that on the user. All right? You can allow permanent eligibility or turn that off for the role. Okay. You can have an expired expiration. So you can actually edit these different settings by just clicking Edit, and then you can actually go in and you can modify these settings very easily if you want. Okay, so I encourage you to come in there and peck around here, where I could set a duration if I wanted to for the maximum amount of time that this person can get this role in hours if I wanted to. As you can see, it'll Let me go. Activation of 24 hours would, if I wanted to set that on activation, require MFA and justification. If you've got a ticketing system, require approval. If you want to approve, you could specify who the person is that's going to do the approval, right? So, if you want, you could easily configure all of that. Like I said, they've made this very intuitive. They made it a lot easier. They actually improved on it. It used to be a lot harder to deal with a while back, but they've actually done a lot of work, too, and made it a lot better. Okay, so let's go through the process. We've got a user named Chris Jones. We're going to make Chris Jones a user administrator. So I'm going to go here, and I'm going to go to roles, and we're going to go down to user administrator, and we're going to click assignment. All right? So the roles are here; it's already signed. We're going to click Select Our User, and we're going to find Chris Jones. There's Chris Jones. We're going to select Chris Jones. We're going to click select. He's going to be our junior admin, maybe. We're going to click next. And if I wanted to give permanent eligibility, I could, but I don't want to. So I could set a date. I could say, okay, this is going to expire notice.It sets it for a year. Of course, if you went through the settings, you could limit it to 24 hours or something, but you could do it here. It's set for a year right now. But if I don't want to set it to a year, I could go through here and set it to whatever I want. Okay, so if I wanted to go ahead and just say it, we're going to allow this person to have access for a few days; we'll say till the 13th of January, 2020, will say assign, and Chris Jones is officially assigned. Okay, so we have officially given Chris Jones access to it, where he can accept it. All right? And in this next little lesson, I'm actually going to log on as Chris Jones. And we're going to take a look at how Chris Jones would accept it.

6. Activating a PIM role as a user

Let's step through the process now of making a user named Alex Rogers eligible to be a user administrator for one year. OK, so we're going to go ahead now, and we're going to start this little activity here. And we're going to be going to Portal.Azure.com. Okay? So once you get to Portal.Azure.com, you'll be clicking on the menu button here. going to all services. You'll be searching for Privileged Identity Management, clicking on Privileged Identity Management, and then you're ready to go to Azure AD roles here. And so from Roles, you'll click Roles, and you'll be able to locate the role by scrolling down. The role is at the bottom in this case. So it's a user administrator. We're going to click on that added assignment. We're going to set the assignment to Alex Rogers, click Select, and then from there go to Settings and we're going to set the eligibility. So we'll set it for one year. Year. Click.

7. Stepping through the tutorial for PIM

Let's step through the process now of making a user named Alex Rogers eligible to be a user administrator for one year. OK, so we're going to go ahead now, and we're going to start this little activity here. And we're going to be going to Portal.Azure.com. Okay? So once you get to Portal.Azure.com, you'll be clicking on the menu button here. going to all services. You'll be searching for Privileged Identity Management, clicking on Privileged Identity Management, and then you're ready to go to Azure AD roles here. And so from Roles, you'll click Roles, and you'll be able to locate the role by scrolling down. The role is at the bottom in this case. So it's a user administrator. We're going to click on that added assignment. We're going to set the assignment to Alex Rogers, click Select, and then from there go to Settings and we're going to set the eligibility. So we'll set it for one year. Year. Click.

Multi-Factor Authentication In Microsoft 365

1. Introduction to Multi-Factor Authentication

So what is multi-factor authentication? We've always focused on password authentication in the past, and password authentication simply falls into the first category you see there, which is the something, you know, authentication factor. There's also something you have and something you are—something you have being something like a smart card, a key fob, or a cell phone, and something you are being biometric, which includes fingerprint matching, voice recognition, retinal scanning, IRS scanning, and other fun things. So in the first factor, there's something you know, and again, this being the thing that we've focused on for years and years and years, passwords, pin numbers, even the security questions that you use a lot of times to change your passwords on websites, like "What is your mother's maiden name?" What is the name of the streets you grew up on? What is the name of your first pet you ever had? Those all fall into the category of something you know. And the big vulnerability about those a lot of times is that people will use the same password over and over and over again, and it's just human nature because of course we want to try to remember it, right? So the other problem is that we have the issue of using the same password over and over and over again, but then we also end up having to change our passwords on different websites and all that. So what users end up doing is storing their passwords somewhere easy to find, such as a text file on their desktop called "Passwords." Or the worst scenario, of course, is where people write their passwords down on sticky notes and stick them to their monitor. Or the infamous "Hide your password under your keyboard" scenario. So of course, none of those things are great solutions for storing passwords. although there is a good argument. People say that your password is more secure if it's just written down and kept in your wallet, believe it or not, because most of the hacking that's going on is people hacking you across the internet or the network. So maybe keeping it in your wallet is a safer place. There's a valid point there, but the problem is that someone could be anywhere if they learn your password, perhaps through a phishing attack or something like that, and then log on as you from anywhere, including China, all right? And then you have something you have, which would be a smart card or a key fob cell phone, as I said. So what are those things? A smart card has a smart card; a chip has a little bit of memory. You might even have a smart card inside your credit card. Nowadays, a lot of times, there are smart cards, or if you are a DoD person, military, or whatever, you might be carrying around this thing called a CAC, a common access card. So that is a smart card. A smart card is a common one that's used in a lot of organisations and companies, especially the military, or DoD, being a huge organisation that uses it. And then you have what's known as a key fob. So a lot of times, people call these RSA keyfobs. RSA key fobs? It is a little keychain device you carry around with you that simply pops a number up every 30 seconds or so. And from there, you would log on. You'd have to put that number in. Of course, the cell phone is sort of taking over as the de facto standard for something. You have a strategy. In fact, you're going to see that with Microsoft MFA (multi-factor authentication), they really put a focus on having that cell phone with you because the cell phone allows you to have text messages sent to it. As well as getting a phone call, you can also download the authenticator app, and that's going to allow you to get in. And then finally, the last one: something you are that's measured by biometrics, looking at the physical characteristics of people. So Microsoft has a technology in Windows 10 called Windows. Hello. And if you are in a business environment, you have the business edition of Windows 10; you have Windows Hello for business, and Hello is their biometric system. And of course, that biometric system can also tie into the cloud. So what's the purpose of all of this? Well, the purpose of all of this is to strengthen identities with two-step verification. Unfortunately, just one single factor by itself is not secure enough. Hackers have found ways around all of the different factors that you saw on that previous slide. And so just utilising one of those things is not really enough in today's cybersecurity climate. So with two-step verification, we're going to add a massive layer of security to our environment because a hacker would not only have to break through one of those factors, they'd have to break through two of those factors. Okay? In other words, with cybersecurity, one of your goals is always for a hacker to have to spend all this time trying to break through one brick wall only to find themselves staring at another brick wall. Two-step verification with multi-factor authentication is going to do that. So, if you think about it, suppose you combine these and also I want to add this: when we talk about pairing with multiple factor authentication, you want to look at it from the standpoint of two different factors, not two of the same factors. In other words, a password and a PIN number would not be considered truly multifactor because they're both something—you know, an RSA key fob and your cell phone would not be considered two-factor because they're both something you have. And then using fingerprint matching and retina scanning would also not be allowed because that would be too biometric. so you want to pair two different ones. So for example, the DoD is a good example. They use those caches. So you have to have a "smart card," a common access card. And then you also have a PIN number that's paired with that. So if I were to try to hack a DoD person (department of defense), I would have to steal their smart card, but I would also have to know their PIN number. And that's the idea. So Microsoft is trying to implement that in their environments here. Make it where somebody has a password, perhaps. And then connect it to their cell phone. And then you would make it really difficult to break into somebody's account by doing that. All right, how does MFA look for a user? So once we implement MFA, and I'm going to be demonstrating that here shortly, but once you implement MFA, how does it look for a user? One of the things you'll notice is that once MFA has been implemented for your user, they're going to be asked for different ways of verifying. One option would be this option here, which involves them putting in their cell phone. They text their cell phone, or the MFA takes their cell phone, a code. They put that code in and then the person logs on. Okay? That is known as a hop hash-based one-time password. And then over here you have another option, which would be to utilise your account to set up whichever of these you want to do. You could have a text message. You can have it call you. And if it calls you, then at that point the user is going to be asked to enter a number. They enter that number, and it logs the person in. So basically it's like hit oneand to log this account on. So the account tries to log on. It calls your phone. This is great because you don't necessarily have to have a smartphone or even a phone that accepts text messages. You could do this off of Alandline, and it could call you. You hit one, it logs the account on. So as soon as the account logs on, they get a phone call, and away they go. Another option is the Authenticator app. So if you have a smartphone on you right now—actually, if you go to your app store, whether it's Android, Apple, or whatever, search for the Microsoft Authenticator. And that's another option for utilising MFA.

Go to testing centre with ease on our mind when you use Microsoft 365 MS-500 vce exam dumps, practice test questions and answers. Microsoft MS-500 Microsoft 365 Security Administration certification practice test questions and answers, study guide, exam dumps and video training course in vce format to help you study with ease. Prepare with confidence and study using Microsoft 365 MS-500 exam dumps & practice test questions and answers vce from ExamCollection.