Microsoft 365: Security Administration (MS-500) Exam Prep Guide

This blog is part of a series. For more exam prep guides check back in the future.

I must admit I enjoyed the security administration exam. I enjoyed studying for it. In fact, I congratulate Microsoft for introducing a Security certification which is so much more than a fundamentals exam (98-367).

However – for anyone looking to take this I would recommend taking the fundamentals first. I would also consider taking MS-900, MS-101 and MD-101 first if you have the time, resources and opportunities to do so. But if you haven’t – or you just decide to go for it, then I would offer a single piece of advice if only to save you money and avoid one or multiple failures. If you are not familiar with Windows Defender ATP, Office 365 ATP, AIP & Unified Labeling, DLP, PIM, Intune or Cloud App Security then, if you have access to one, spin up a Microsoft E5 demo tenant for a few months and get into the detail because this exam is deep and, IMHO, more aimed at an expert level rather than an associate. It’s not for an administrator or a consultant who has a passing interest in security which begins and ends with a bit of MFA and conditional access. This is all about implementing security across the breadth and depth of a Microsoft 365 enterprise E5 roll out.

So for all those who study hard, get into – as you will see – the hefty amount of content and pass – congratulations this is a great one to get and a tough one – I’m sure you’ll be joining me in taking the AZ-500 in the future.

Like the questions on most Microsoft security exams, it’s black and white, direct and granular. Ultimately, that’s why I think I like them. When you sit there in that exam room you either know it or you don’t. No hair splitting. No trying to fool you.

I like that. The very best of luck!

Link to Exam: Here
Released: 7th January 2019
Practice Test: Available later in 2019
MOC Course: MS-500T01A/T02A/T03A/T04A

Important Note: this exam prep guide should be used to supplement your own resources and should not be used for the whole of your learning. Some of the resources may not completely cover the requirements, especially if the requirement is vague. If you find better articles than the ones below, please feel free to reach out and I’ll amend.

Status: I passed this exam in April shortly after it came out of Beta. I had the short type exam (43 questions) and from what I can remember it was a pretty even spread across all four areas.


Implement and Manage Identity and Access (30-35%)

Secure Microsoft 365 hybrid environments

Configure and manage security integration components in Microsoft 365 hybrid environments, including connectivity, synchronization services, and authentication

Plan Azure AD authentication options

Plan Azure AD synchronization options

Monitor and interpret Azure AD Connect events

Secure user accounts

Implement Azure AD dynamic group membership

Implement Azure AD Self-service password reset

Manage Azure AD access reviews

Implement authentication methods

Plan sign-on security

Implement multi-factor authentication (MFA)

Manage and monitor MFA

Implement device sign-on methods

Manage authentication methods

Monitor authentication methods

Implement conditional access

Plan for compliance and conditional access policies

Configure and manage device compliance policy

Configure and manage conditional access policy

Monitor Conditional Access and Device Compliance

Implement role-based access control (RBAC)

Plan for RBAC

Configure RBAC

Monitor RBAC usage

Implement Azure AD Privileged Identity Management (PIM)

Plan for Azure PIM

Configure and manage Azure PIM

Monitor Azure PIM

Implement Azure AD Identity Protection

Implement user risk policy

Implement sign-in risk policy

Configure Identity Protection alerts

Review and respond to risk events


Implement and Manage Threat Protection (20-25%)

Implement an enterprise hybrid threat protection solution

Plan an Azure Advanced Threat Protection (ATP) solution

Install and configure Azure ATP

Manage Azure ATP workspace health

Generate Azure ATP reports

Integrate Azure ATP with Windows Defender ATP

Monitor Azure ATP

Manage suspicious activities

Implement device threat protection

Plan and implement a Windows Defender ATP solution

Manage Windows Defender ATP

Monitor Windows Defender ATP

Implement and manage device and application protection

Plan for device protection

Configure and manage Windows Defender Application Guard

Configure and manage Windows Defender Application Control

Configure and manage Windows Defender Exploit Guard

Configure Secure Boot

Configure and manage Windows 10 device encryption

Configure and manage non-Windows device encryption

Plan for securing applications data on devices

Define managed apps for Mobile Application Management (MAM)

Protect your enterprise data using Windows Information Protection (WIP)

Configure WIP policies

Configure Intune App Protection policies for non-Windows devices

Implement and manage Office 365 messaging protection

Configure Office 365 ATP anti-phishing protection

Configure Office 365 ATP anti-phishing policies

Define users and domains to protect with Office 365 ATP Anti-phishing

Configure Office 365 ATP anti-spoofing

Configure actions against impersonation

Configure Office 365 ATP anti-spam protection

Enable Office 365 ATP Safe Attachments

Configure Office 365 ATP Safe Attachments policies

Configure Office 365 ATP Safe Attachments options

Configure Office 365 ATP Safe Links options

Configure Office 365 ATP Safe Links blocked URLs

Configure Office 365 ATP Safe Links policies

Implement and manage Office 365 threat protection

Configure Office 365 Threat Intelligence

Integrate Office 365 Threat Intelligence with Office 365 services

Integrate Office 365 Threat Intelligence with Windows Defender ATP

Review threats and malware trends on the Office 365 ATP Threat Management dashboard

Review threats and malware trends with Office 365 ATP Threat Explorer and Threat Tracker

Create and review Office 365 ATP incidents

Review quarantined items in ATP including Microsoft SharePoint Online, OneDrive for Business, Exchange Online, and Microsoft Teams

Monitor online anti-malware solutions using Office 365 ATP reports

Perform tests using Attack Simulator


Implement and Manage Information Protection (15-20%)

Secure data access within Office 365

Plan secure data access within Office 365

Implement and manage Customer Lockbox

Configure data access in Office 365 collaboration workloads

Configure B2B sharing for external users

Manage Azure Information Protection (AIP)

Plan an AIP solution

Activate Azure Rights Management

Configure usage rights

Configure and manage super users

Customize policy settings

Create and configure labels and conditions

Create and configure templates

Configure languages

Configure and use the AIP scanner

Deploy the RMS connector

Manage tenant keys

Deploy the AIP client

Track and revoke protected documents

Integrate AIP with Microsoft Online Services

Manage Data Loss Prevention (DLP)

Plan a DLP solution

Create and manage DLP policies

Create and manage sensitive information types

Monitor DLP reports

Manage DLP notifications

Create queries to locate sensitive data

Implement and manage Microsoft Cloud App Security

Plan Cloud App Security implementation

Configure Office 365 Cloud App Security

Perform productivity app discovery using Cloud App Security

Manage entries in the Cloud app catalogue

Manage third-party apps in Office 365 Cloud App Security

Manage Microsoft Cloud App Security

Configure Cloud App Security connectors

Configure Cloud App Security policies

Configure and manage Cloud App Security templates

Configure Cloud App Security users and permissions

Review and respond to Cloud App Security alerts

Review and interpret Cloud App Security dashboards and reports

Review and interpret Cloud App Security activity log and governance log


Manage governance and compliance features in Microsoft 365 (25-30%)

Configure and analyse security reporting

Interpret Windows Analytics

Configure Windows Telemetry options

Configure Office Telemetry options

Review and interpret security reports and dashboards

Plan for custom security reporting with Intelligent Security Graph

Review Office 365 secure score action and recommendations

Configure reports and dashboards in Azure Log Analytics

Review and interpret reports and dashboards in Azure Log Analytics

Configure alert policies in the Office 365 Security and Compliance Centre

Manage and analyse audit logs and reports

Plan for auditing and reporting

Configure Office 365 auditing and reporting

Perform audit log search

Review and interpret compliance reports and dashboards

Configure audit alert policy

Configure Office 365 classification and labelling

Plan for data governance classification and labels

Search for personal data

Apply labels to personal data

Monitor for leaks of personal data

Create and publish Office 365 labels

Configure label policies

Manage data governance and retention

Plan for data governance and retention

Review and interpret data governance reports and dashboards

Configure retention policies

Define data governance event types

Define data governance supervision policies

Configure Information holds

Find and recover deleted Office 365 data

Import data in the Security and Compliance Centre

Configure data archiving

Manage inactive mailboxes

Manage search and investigation

Plan for content search and eDiscovery

Delegate permissions to use search and discovery tools

Use search and investigation tools to perform content searches

Export content search results

Manage eDiscovery cases

Manage data privacy regulation compliance

Plan for regulatory compliance in Microsoft 365

Review and interpret GDPR dashboards and reports

Manage Data Subject Requests (DSRs)

Review Compliance Manager reports

Create and perform Compliance Manager assessments and action items
