Microsoft 365 Security Administration

Here you have the best Microsoft MS-500 practice exam questions

  • You have 352 total questions across 71 pages (5 per page)
  • These questions were last updated on February 12, 2026
  • This site is not affiliated with or endorsed by Microsoft.
Question 1 of 352
You have several Conditional Access policies that block noncompliant devices from connecting to services.
You need to identify which devices are blocked by which policies.
What should you use?
Answer

Suggested Answer

The suggested answer is B.

To identify which devices are blocked by Conditional Access policies, you should use Sign-ins in the Azure Active Directory admin center. The sign-in logs provide detailed information about sign-in attempts, including which Conditional Access policies were applied and whether access was granted or denied. This allows you to see which devices and sign-ins were blocked by specific Conditional Access policies.

Community Votes12 votes
BSuggested
100%
Question 2 of 352
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 E5 subscription that is associated to a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com.
You use Active Directory Federation Services (AD FS) to federate on-premises Active Directory and the tenant. Azure AD Connect has the following settings:
✑ Source Anchor: objectGUID
✑ Password Hash Synchronization: Disabled
✑ Password writeback: Disabled
✑ Directory extension attribute sync: Disabled
✑ Azure AD app and attribute filtering: Disabled
✑ Exchange hybrid deployment: Disabled

User writeback: Disabled -
Exam MS-500: Question 2 - Image 1
You need to ensure that you can use leaked credentials detection in Azure AD Identity Protection.
Solution: You modify the Azure AD app and attribute filtering settings.
Does that meet the goal?
Answer

Suggested Answer

The suggested answer is B.

To use leaked credentials detection in Azure AD Identity Protection, you need password hash synchronization enabled. This is because the detection mechanism relies on comparing known exposed credentials with the password hashes stored in Azure AD. Modifying the Azure AD app and attribute filtering settings does not facilitate this detection process. Therefore, the suggested solution does not meet the goal.

Community Votes8 votes
BSuggested
100%
Question 3 of 352
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 E5 subscription that is associated to a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com.
You use Active Directory Federation Services (AD FS) to federate on-premises Active Directory and the tenant. Azure AD Connect has the following settings:
✑ Source Anchor: objectGUID
✑ Password Hash Synchronization: Disabled
✑ Password writeback: Disabled
✑ Directory extension attribute sync: Disabled
✑ Azure AD app and attribute filtering: Disabled
✑ Exchange hybrid deployment: Disabled
✑ User writeback: Disabled
You need to ensure that you can use leaked credentials detection in Azure AD Identity Protection.
Solution: You modify the Password Hash Synchronization settings.
Does that meet the goal?
Answer

Suggested Answer

The suggested answer is A.

Enabling Password Hash Synchronization (PHS) is necessary to use leaked credentials detection in Azure AD Identity Protection. This feature requires password hashes to be synced with Azure AD so that it can validate those credentials against leaked databases. Modifying the Password Hash Synchronization settings to enable it would meet the goal of utilizing leaked credentials detection.

Community Votes5 votes
ASuggested
100%
Question 4 of 352
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft 365 E5 subscription that is associated to a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com.
You use Active Directory Federation Services (AD FS) to federate on-premises Active Directory and the tenant. Azure AD Connect has the following settings:
✑ Source Anchor: objectGUID
✑ Password Hash Synchronization: Disabled
✑ Password writeback: Disabled
✑ Directory extension attribute sync: Disabled
✑ Azure AD app and attribute filtering: Disabled
✑ Exchange hybrid deployment: Disabled
✑ User writeback: Disabled
You need to ensure that you can use leaked credentials detection in Azure AD Identity Protection.
Solution: You modify the Source Anchor settings.
Does that meet the goal?
Answer

Suggested Answer

The suggested answer is B.

To use leaked credentials detection in Azure AD Identity Protection, you need to enable Password Hash Synchronization (PHS) in Azure AD Connect. The current settings show that Password Hash Synchronization is disabled, and modifying the Source Anchor does not address this requirement. Therefore, changing the Source Anchor settings will not help achieve the goal of utilizing leaked credentials detection.

Community Votes3 votes
BSuggested
100%
Question 5 of 352
HOTSPOT -
You have a Microsoft 365 subscription that uses a default domain name of contoso.com.
The multi-factor authentication (MFA) service settings are configured as shown in the exhibit. (Click the Exhibit tab.)
Exam MS-500: Question 5 - Image 1
In contoso.com, you create the users shown in the following table.
Exam MS-500: Question 5 - Image 2
What is the effect of the configuration? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Exam MS-500: Question 5 - Image 3
Answer

Suggested Answer

References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates Exam MS-500: Question 5 - Image 4

About the Microsoft MS-500 Certification Exam

About the Exam

The Microsoft MS-500 (Microsoft 365 Security Administration) validates your knowledge and skills. Passing demonstrates proficiency and can boost your career prospects in the field.

How to Prepare

Work through all 352 practice questions across 71 pages. Focus on understanding the reasoning behind each answer rather than memorizing responses to be ready for any variation on the real exam.

Why Practice Exams?

Practice exams help you familiarize yourself with the question format, manage your time, and reduce anxiety on the test day. Our MS-500 questions are regularly updated to reflect the latest exam objectives.