Study guide for Exam MS-500: Microsoft 365 Security Administration
Warning
This exam retired on June 30, 2023. Learn more.
Purpose of this document
This study guide should help you understand what to expect on the exam and includes a summary of the topics the exam might cover and links to additional resources. The information and materials in this document should help you focus your studies as you prepare for the exam.
Useful links | Description |
---|---|
Review the skills measured as of November 4, 2022 | This list represents the skills measured AFTER the date provided. Study this list if you plan to take the exam AFTER that date. |
Review the skills measured prior to November 4, 2022 | Study this list of skills if you take your exam PRIOR to the date provided. |
Change log | You can go directly to the change log if you want to see the changes that will be made on the date provided. |
How to earn the certification | Some certifications only require passing one exam, while others require passing multiple exams. |
Certification renewal | Microsoft associate, expert, and specialty certifications expire annually. You can renew by passing a free online assessment on Microsoft Learn. |
Your Microsoft Learn profile | Connecting your certification profile to Learn allows you to schedule and renew exams and share and print certificates. |
Passing score | A score of 700 or greater is required to pass. |
Exam sandbox | You can explore the exam environment by visiting our exam sandbox. |
Request accommodations | If you use assistive devices, require extra time, or need modification to any part of the exam experience, you can request an accommodation. |
Take a practice test | Are you ready to take the exam or do you need to study a bit more? |
Updates to the exam
Our exams are updated periodically to reflect skills that are required to perform a role. We have included two versions of the Skills Measured objectives depending on when you are taking the exam.
We always update the English language version of the exam first. Some exams are localized into other languages, and those are updated approximately eight weeks after the English version is updated. Other available languages are listed in the Schedule Exam section of the Exam Details webpage. If the exam isn't available in your preferred language, you can request an additional 30 minutes to complete the exam.
Note
The bullets that follow each of the skills measured are intended to illustrate how we are assessing that skill. Related topics may be covered in the exam.
Note
Most questions cover features that are generally available (GA). The exam may contain questions on Preview features if those features are commonly used.
Skills measured as of November 4, 2022
Audience Profile
Candidates for this exam plan, implement, manage, and monitor security and compliance solutions for Microsoft 365 and hybrid environments. The Microsoft 365 security administrator proactively secures identity and access, implements threat protection, manages information protection, and enforces compliance. The Microsoft 365 security administrator collaborates with the Microsoft 365 enterprise administrator, business stakeholders, and other workload administrators to plan and implement security strategies.
Candidates for this exam have functional experience with Microsoft 365 workloads and with Microsoft Entra ID, part of Microsoft Entra. They have implemented security for Microsoft 365 environments, including hybrid environments. They have a working knowledge of Windows clients, Windows servers, Active Directory, and PowerShell.
Implement and manage identity and access (25-30%)
Implement and manage threat protection (30-35%)
Implement and manage information protection (15-20%)
Manage compliance in Microsoft 365 (20-25%)
Implement and manage identity and access (25-30%)
Plan and implement identity and access for Microsoft 365 hybrid environments
Choose an authentication method to connect to a hybrid environment
Plan and implement pass-through authentication and password hash sync
Plan and implement Microsoft Entra synchronization for hybrid environments
Monitor and troubleshoot Microsoft Entra Connect events
Plan and implement identities in Microsoft Entra ID
Implement Azure AD group membership
Implement password management, including self-service password reset and Microsoft Entra Password Protection
Manage external identities in Microsoft Entra ID and Microsoft 365 workloads
Plan and implement roles and role groups
Audit Microsoft Entra ID
Implement authentication methods
Implement multi-factor authentication (MFA) by using conditional access policies
Manage and monitor MFA
Plan and implement Windows Hello for Business, FIDO, and passwordless authentication
Plan and implement conditional access
Plan and implement conditional access policies
Plan and implement device compliance policies
Test and troubleshoot conditional access policies
Configure and manage identity governance
Implement Microsoft Entra Privileged Identity Management
Implement and manage entitlement management
Implement and manage access reviews
Implement Microsoft Entra ID Protection
Implement user risk policy
Implement sign-in risk policy
Configure Identity Protection alerts
Review and respond to risk events
Implement and manage threat protection (30-35%)
Secure identity by using Microsoft Defender for Identity
Plan a Microsoft Defender for Identity solution
Install and configure Microsoft Defender for Identity
Manage and monitor Microsoft Defender for Identity
Secure score
Analyze identity-related threats and risks identified in Microsoft 365 Defender
Secure endpoints by using Microsoft Defender for Endpoint
Plan a Microsoft Defender for Endpoint solution
Implement Microsoft Defender for Endpoint
Manage and monitor Microsoft Defender for Endpoint
Analyze and remediate threats and risks to endpoints identified in Microsoft 365 Defender
Secure endpoints by using Microsoft Endpoint Manager
Plan for device and application protection
Configure and manage Microsoft Defender Application Guard
Configure and manage Windows Defender Application Control
Configure and manage exploit protection
Configure and manage device encryption
Configure and manage application protection policies
Monitor and manage device security status using Microsoft Endpoint Manager admin center
Analyze and remediate threats and risks to endpoints identified in Microsoft Endpoint Manager
Secure collaboration by using Microsoft Defender for Office 365
Plan a Microsoft Defender for Office 365 solution
Configure Microsoft Defender for Office 365
Monitor for threats by using Microsoft Defender for Office 365
Analyze and remediate threats and risks to collaboration workloads identified in Microsoft 365 Defender
Conduct simulated attacks by using Attack simulation training
Detect and respond to threats in Microsoft 365 by using Microsoft Sentinel
Plan a Microsoft Sentinel solution for Microsoft 365
Implement and configure Microsoft Sentinel for Microsoft 365
Manage and monitor Microsoft 365 security by using Microsoft Sentinel
Respond to threats using built-in playbooks in Microsoft Sentinel
Secure connections to cloud apps by using Microsoft Defender for Cloud Apps
Plan Microsoft Defender for Cloud Apps implementation
Configure Microsoft Defender for Cloud Apps
Manage cloud app discovery
Manage entries in the Microsoft Defender for Cloud Apps catalog
Manage apps in Microsoft Defender for Cloud Apps
Configure Microsoft Defender for Cloud Apps connectors and OAuth apps
Configure Microsoft Defender for Cloud Apps policies and templates
Analyze and remediate threats and risks relating to cloud app connections identified in Microsoft 365 Defender
Manage App governance in Microsoft Defender for Cloud Apps
Implement and manage information protection (15-20%)
Manage sensitive information
Plan a sensitivity label solution
Create and manage sensitive information types
Configure sensitivity labels and policies
Publish sensitivity labels to Microsoft 365 workloads
Monitor data classification and label usage by using Content explorer and Activity explorer
Apply labels to files and schematized data assets in Microsoft Purview Data Map
Implement and manage Microsoft Purview Data Loss Prevention (DLP)
Plan a DLP solution
Create and manage DLP policies for Microsoft 365 workloads
Implement and manage Endpoint DLP
Monitor DLP
Respond to DLP alerts and notifications
Plan and implement Microsoft Purview Data lifecycle management
Plan for data lifecycle management
Review and interpret data lifecycle management reports and dashboards
Configure retention labels, policies, and label policies
Plan and implement adaptive scopes
Configure retention in Microsoft 365 workloads
Find and recover deleted Office 365 data
Manage compliance in Microsoft 365 (20-25%)
Manage and analyze audit logs and reports in Microsoft Purview
Plan for auditing and reporting
Investigate compliance activities by using audit logs
Review and interpret compliance reports and dashboards
Configure alert policies
Configure audit retention policies
Plan for, conduct, and manage eDiscovery cases
Recommend eDiscovery Standard or Premium
Plan for content search and eDiscovery
Delegate permissions to use search and discovery tools
Use search and investigation tools to discover and respond
Manage eDiscovery cases
Manage regulatory and privacy requirements
Plan for regulatory compliance in Microsoft 365
Manage regulatory compliance in the Microsoft Purview Compliance Manager
Implement privacy risk management in Microsoft Priva
Implement and manage Subject Rights Requests in Microsoft Priva
Manage insider risk solutions in Microsoft 365
Implement and manage Customer Lockbox
Implement and manage Communication compliance policies
Implement and manage Insider risk management policies
Implement and manage Information barrier policies
Implement and manage Privileged access management
Study resources
We recommend that you train and get hands-on experience before you take the exam. We offer self-study options and classroom training as well as links to documentation, community sites, and videos.
Study resources | Links to learning and documentation |
---|---|
Get trained | Choose from self-paced learning paths and modules or take an instructor-led course |
Find documentation | Microsoft 365 documentation; Microsoft Entra documentation; Microsoft 365 Defender documentation; Microsoft Defender for Identity documentation; Microsoft Defender for Endpoint documentation; Microsoft Sentinel documentation; Learn about data loss prevention |
Ask a question | Microsoft Q&A - Microsoft Docs |
Get community support | Microsoft 365 - Microsoft Tech Community |
Follow Microsoft Learn | Microsoft Learn - Microsoft Tech Community |
Find a video | Exam Readiness Zone |
Change log
Key to understanding the table: The topic groups (also known as functional groups) are in bold typeface followed by the objectives within each group. The table is a comparison between the two versions of the exam skills measured and the third column describes the extent of the changes.
Skill area prior to November 4, 2022 | Skill area as of November 4, 2022 | Changes |
---|---|---|
Audience Profile | | Major |
Implement and manage identity and access | Implement and manage identity and access | % of exam decreased |
Secure Microsoft 365 hybrid environments | Plan and implement identity and access for Microsoft 365 hybrid environments | Major |
Secure identities | Plan and implement identities in Microsoft Entra ID | Major |
Implement authentication methods | Implement authentication methods | Minor |
Implement conditional access | Plan and implement conditional access | Minor |
Implement roles and role groups | - | Removed |
Configure and manage identity governance | Configure and manage identity governance | Minor |
- | Implement Microsoft Entra ID Protection | Added |
Implement and manage threat protection | Implement and manage threat protection | % of exam increased |
Implement Microsoft Entra ID Protection | - | Removed |
Implement and manage Microsoft Defender for Identity | Secure identity by using Microsoft Defender for Identity | Minor |
Implement and manage Microsoft Defender for Endpoint | Secure endpoints by using Microsoft Defender for Endpoint | Minor |
Implement and manage by using Microsoft Endpoint Manager | Secure endpoints by using Microsoft Endpoint Manager | Major |
Implement and manage Microsoft Defender for Office 365 | Secure collaboration by using Microsoft Defender for Office 365 | Major |
Monitor M365 security with Microsoft Sentinel | Detect and respond to threats in Microsoft 365 by using Microsoft Sentinel | Major |
Implement and manage Microsoft Defender for Cloud Apps | Secure connections to cloud apps by using Microsoft Defender for Cloud Apps | Minor |
Implement and manage information protection | Implement and manage information protection | % of exam increased |
Manage sensitive information | Manage sensitive information | Major |
Manage Data Loss Prevention (DLP) | Implement and manage Microsoft Purview Data Loss Prevention (DLP) | Minor |
Manage data governance and retention | - | Removed |
Plan and implement Microsoft Purview Data lifecycle management | Plan and implement Microsoft Purview Data lifecycle management | New |
Manage governance and compliance features in Microsoft 365 | Manage compliance in Microsoft 365 | No change |
Configure and analyze security reporting | - | Removed |
Manage and analyze audit logs and reports | Manage and analyze audit logs and reports in Microsoft Purview | Minor |
Discover and respond to compliance queries in Microsoft 365 | - | Removed |
- | Plan for, conduct, and manage eDiscovery cases | New |
Manage regulatory compliance | Manage regulatory and privacy requirements | Major |
Manage insider risk solutions in Microsoft 365 | Manage insider risk solutions in Microsoft 365 | Minor |
Skills measured prior to November 4, 2022
Audience profile
Candidates for this exam implement, manage, and monitor security and compliance solutions for Microsoft 365 and hybrid environments. The Microsoft 365 security administrator proactively secures Microsoft 365 enterprise environments, responds to threats, performs investigations, and enforces data governance. The Microsoft 365 security administrator collaborates with the Microsoft 365 enterprise administrator, business stakeholders, and other workload administrators to plan and implement security strategies and ensures that the solutions comply with the policies and regulations of the organization.
Candidates for this exam are familiar with Microsoft 365 workloads and have strong skills and experience with identity protection, information protection, threat protection, security management, and data governance. This role focuses on the Microsoft 365 environment and includes hybrid environments.
Implement and manage identity and access (35-40%)
Implement and manage threat protection (25-30%)
Implement and manage information protection (10-15%)
Manage governance and compliance features in Microsoft 365 (20-25%)
Implement and manage identity and access (35-40%)
Secure Microsoft 365 hybrid environments
Plan Microsoft Entra authentication options
Plan Microsoft Entra synchronization options
Monitor and troubleshoot Microsoft Entra Connect events
Secure Identities
Implement Microsoft Entra group membership
Implement password management
Manage external identities in Microsoft Entra and Microsoft 365 workloads
Implement authentication methods
Implement multi-factor authentication (MFA) by using conditional access policy
Manage and monitor MFA
Plan and implement device authentication methods like Windows Hello
Implement conditional access
Plan for compliance and conditional access policies
Configure and manage device compliance policies
Implement and manage conditional access
Test and troubleshoot conditional access policies
Implement roles and role groups
Plan for roles and role groups
Configure roles and role groups
Audit roles for least privileged access
Configure and manage identity governance
Implement Microsoft Entra Privileged Identity Management
Implement and manage entitlement management
Implement and manage access reviews
Implement Microsoft Entra ID Protection
Implement user risk policy
Implement sign-in risk policy
Configure Identity Protection alerts
Review and respond to risk events
Implement and manage threat protection (25-30%)
Implement and manage Microsoft Defender for Identity
Plan a Microsoft Defender for Identity solution
Install and configure Microsoft Defender for Identity
Monitor and manage Microsoft Defender for Identity
Implement device threat protection
Plan a Microsoft Defender for Endpoint solution
Implement Microsoft Defender for Endpoint
Manage and monitor Microsoft Defender for Endpoint
Implement and manage device and application protection
Plan for device and application protection
Configure and manage Microsoft Defender Application Guard
Configure and manage Microsoft Defender Application Control
Configure and manage exploit protection
Configure and manage Windows device encryption
Configure and manage non-Windows device encryption
Implement application protection policies
Configure and manage device compliance for endpoint security
Implement and manage Microsoft Defender for Office 365
Configure Microsoft Defender for Office 365
Monitor for and remediate threats using Microsoft Defender for Office 365
Conduct simulated attacks using Attack simulation training
Monitor Microsoft 365 Security with Microsoft Sentinel
Plan and implement Microsoft Sentinel
Configure playbooks in Microsoft Sentinel
Manage and monitor with Microsoft Sentinel
Respond to threats using built-in playbooks in Microsoft Sentinel
Implement and manage Microsoft Defender for Cloud Apps
Plan Microsoft Defender for Cloud Apps implementation
Configure Microsoft Defender for Cloud Apps
Manage cloud app discovery
Manage entries in the Microsoft Defender for Cloud Apps catalog
Manage apps in Microsoft Defender for Cloud Apps
Configure Microsoft Defender for Cloud Apps connectors and OAuth apps
Configure Microsoft Defender for Cloud Apps policies and templates
Review, interpret and respond to Microsoft Defender for Cloud Apps alerts, reports, dashboards, and logs
Implement and manage information protection (10-15%)
Manage sensitive information
Plan a sensitivity label solution
Create and manage sensitive information types
Configure sensitivity labels and policies
Configure and use Activity Explorer
Use sensitivity labels with Teams, SharePoint, OneDrive, and Office apps
Manage Data Loss Prevention (DLP)
Plan a DLP solution
Create and manage DLP policies for Microsoft 365 workloads
Create and manage sensitive information types
Monitor DLP reports
Manage DLP notifications
Implement Endpoint DLP
Manage data governance and retention
Plan for data governance and retention
Review and interpret data governance reports and dashboards
Configure retention labels and policies
Configure retention in Microsoft 365 workloads
Find and recover deleted Office 365 data
Configure and use Microsoft 365 Records Management
Manage governance and compliance features in Microsoft 365 (20-25%)
Configure and analyze security reporting
Monitor and manage device security status using Microsoft Endpoint Manager admin center
Manage and monitor security reports and dashboards using Microsoft 365 Defender portal
Plan for custom security reporting with Graph Security API
Use secure score dashboards to review actions and recommendations
Manage and analyze audit logs and reports
Plan for auditing and reporting
Perform audit log search
Review and interpret compliance reports and dashboards
Configure alert policies
Discover and respond to compliance queries in Microsoft 365
Plan for content search and eDiscovery
Delegate permissions to use search and discovery tools
Use search and investigation tools to discover and respond
Manage eDiscovery cases
Manage regulatory compliance
Plan for regulatory compliance in Microsoft 365
Manage Data Subject Requests (DSRs)
Administer Compliance Manager in Microsoft 365 compliance center
Use Compliance Manager
Manage insider risk solutions in Microsoft 365
Implement and manage Customer Lockbox
Implement and manage communication compliance policies
Implement and manage Insider risk management policies
Implement and manage information barrier policies
Implement and manage privileged access management