Exam MS-500 topic 4 question 31 discussion

Actual exam question from Microsoft's MS-500
Question #: 31
Topic #: 4

HOTSPOT -
You have a Microsoft 365 subscription. Auditing is enabled.
A user named User1 is a member of a dynamic security group named Group1.
You discover that User1 is no longer a member of Group1.
You need to search the audit log to identify why User1 was removed from Group1.
Which two activities should you use in the search? To answer, select the appropriate activities in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Reference:
https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-compliance

Comments

itmp
Highly Voted 5 years ago
Got the time and tested this. Answer is:
- Removed member from group
- Updated group
"Updated User" yields no results!
Removed member from group => shows the user that was removed (by modifying the dynamic query)
Updated group => shows what user 'updated' the group.
upvoted 35 times
mehnaz
4 years, 10 months ago
The above answer is correct according to the document. https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide.
upvoted 1 times
...
junkz
4 years, 9 months ago
I think you need to lay out the test conditions too. The scenario talks about one single user being removed, so, in order for the modification of the dynamic query to affect a single user, it means it was trumping on a property that was not present on the other users, which, in real life, is rather unlikely. Gill's reasoning is valid here.
upvoted 2 times
...
EzeQ
3 years, 8 months ago
I go with subzero and gills, in real life you do not change the dynamic rule that often, but users frequently change some property that kicks him out of a group. Changing stuff like manager, dept, etc. might cause the scenario.
upvoted 2 times
...
SUBZER0
4 years, 8 months ago
"Updated User" yields no results! -> unless the user is edited and therefore kicked out from the group.
Updated group => shows what user 'updated' the group. Probably because you edited the group to kick out the user.
If only 1 user is affected probably the change was made in the user and not in the group. I would say answers are right, anyway you have more chances to find the root cause if you look at two different things, the group and the user.
upvoted 6 times
...
...
ranc1d
Highly Voted 5 years, 1 month ago
Action 1: Updated user
An admin changed an attribute of a user.
Action 2: Removed user from group
Dynamic group management removes user from the dynamic group as the needed attribute is no longer valid. This action is listed as "Initiated by actor: Microsoft Approval Management" in audit logs.
upvoted 32 times
...
Charlotte2728
Most Recent 2 years, 3 months ago
Relevant on 01/02/23
upvoted 2 times
...
mkoprivnj
3 years, 5 months ago
Answer is:
- Removed member from group
- Updated group
upvoted 4 times
AWpkl
2 years, 3 months ago
Reading through this whole thread, I agree with this. The ambiguity in the question is really annoying though. In this case we know the user was removed, and with dynamic groups that can only have two causes - the user changed, or the group filter changed. 'Remove user from group' would tell us that the user was removed because of a filter change, but would it tell us who made the change or what the change was? If the user change shows no results, you already know it was a filter change, so an audit telling you only that it was a filter change and not what kind of change is not very helpful. I can certainly see the argument for the given answer, however, since it also guarantees an answer to the prompt.
upvoted 1 times
...
...
Rstilekar
3 years, 5 months ago
Given answers are correct.
Action 1: Updated user
An admin changed an attribute of a user. If only 1 user is affected probably the change was made in the user and not in the group. So this is correct.
Action 2: Removed member from group
Dynamic group management removes user from the dynamic group as the needed attribute is no longer valid. This action is listed as "Initiated by actor: Microsoft Approval Management" in audit logs.
While Updated group => shows what user 'updated' the group. This is not what we are looking for.
https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide
upvoted 2 times
...
g87123
3 years, 12 months ago
The answer is correct. Tested it.
1. Create the dynamic group and add rules (e.g. Department or Location).
2. Make sure a user account matches or contains the correct department or location.
3. Wait for a few minutes or more to take effect. --> Audit Logs > "updated user" will show up.
4. To remove the user from the dynamic group > update the user's Department/Location in AAD > wait a few minutes to take effect > "Removed member from group" will show up in audit logs.
You need patience because it will take some time for the result to really show up without manually changing it.
upvoted 6 times
...
nzboy123
4 years, 2 months ago
Hi Everyone, I tested this in my lab and the answers given are correct.
If you look in the user audit logs, the results are:
- Remove Member from group
- Update User
If you look in the dynamic group audit logs, the results are:
- Removed member from group.
upvoted 9 times
Timmeh
4 years, 2 months ago
Cheers, makes sense.
upvoted 2 times
kiketxu
4 years, 1 month ago
Given answers make sense to me too, as usually in this scenario you check the user1 audit log to see what happened.
upvoted 1 times
...
...
...
Jejechu
4 years, 5 months ago
I think the good answers are "Updated user" and "Updated group". The question is about finding how the user has been removed from the dynamic group. 2 possibilities here: either the user's attributes have been modified (so Updated user), or the dynamic group filtering has been modified (Updated group). So to know why the user has been removed, we must check for "Updated user" and "Updated group".
upvoted 4 times
...
saran1987
4 years, 8 months ago
I tested this scenario. When I modified the group dynamic rule, one user was removed from the group. I couldn't see any logs for this even in Security & Compliance as it would take 24 hours, but when I checked the audit logs in Azure AD, I saw two events: 1. Updated group and 2. Removed member from group. When I edited one of the user's properties, I saw the logs as 1. Removed member from group and 2. Update user. So my conclusion is Remove member from group is definitely one answer. For the second we could either use Update user or Update group. Both will improve the chances to see what happened to a particular user being removed from the group.
upvoted 3 times
JaBe
4 years, 6 months ago
Based on your testing, I'd conclude Remove member from group is not an answer. Look, we know the user is removed from the group, the question states you want to know _why_. As you verified, the reason can be one of the two update conditions, hence you need both these update conditions to search on. Only then you can be sure why the remove has taken place.
upvoted 2 times
GregD133
4 years, 5 months ago
Jabe, Absolutely correct. The question specifically asks WHY the user was removed. If we wanted to know WHEN, then Remove member would be helpful. A user can only be removed from a dynamic group if the user changes, or the group changes.
upvoted 2 times
...
...
JiDu
4 years, 8 months ago
The testing is excellent. I think as the question states only User1 is no longer a member of the group and not all members, then the change has occurred in the attributes of that user and the result is 'updated user' compared to 'updated group', assuming the above is correct.
upvoted 2 times
...
...
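The correlation saran1987 describes above (a removal preceded either by an "Updated user" event for that user or an "Updated group" event for that group), as an added example that is not part of the original thread. The record shape, field names, accounts and timestamps are constructed for illustration; only the activity names and the "Microsoft Approval Management" actor come from the comments.

```python
from datetime import datetime, timedelta

# Constructed sample records in a simplified shape (time, activity, actor,
# user, group). A real audit export carries more fields; map them to these.
SAMPLE = [
    {"time": "2021-03-01T09:00:00", "activity": "Updated user",
     "actor": "admin@contoso.example", "user": "User1", "group": None},
    {"time": "2021-03-01T09:12:00", "activity": "Removed member from group",
     "actor": "Microsoft Approval Management", "user": "User1", "group": "Group1"},
    {"time": "2021-03-02T14:00:00", "activity": "Updated group",
     "actor": "ops@contoso.example", "user": None, "group": "Group2"},
    {"time": "2021-03-02T14:07:00", "activity": "Removed member from group",
     "actor": "Microsoft Approval Management", "user": "User2", "group": "Group2"},
    {"time": "2021-03-05T08:00:00", "activity": "Removed member from group",
     "actor": "Microsoft Approval Management", "user": "User3", "group": "Group1"},
]

def explain_removals(events, window=timedelta(hours=24)):
    """For each removal, list the update events that precede it within
    `window` and could have triggered the dynamic-membership re-evaluation."""
    parsed = sorted(({**e, "ts": datetime.fromisoformat(e["time"])} for e in events),
                    key=lambda e: e["ts"])
    findings = []
    for rem in (e for e in parsed if e["activity"] == "Removed member from group"):
        causes = []
        for e in parsed:
            # Only updates that happened before the removal, inside the window.
            if not (rem["ts"] - window <= e["ts"] < rem["ts"]):
                continue
            if e["activity"] == "Updated user" and e["user"] == rem["user"]:
                causes.append(("user attribute changed", e["actor"], e["time"]))
            elif e["activity"] == "Updated group" and e["group"] == rem["group"]:
                causes.append(("membership rule or group property changed",
                               e["actor"], e["time"]))
        findings.append({"user": rem["user"], "group": rem["group"],
                         "removed_at": rem["time"], "causes": causes})
    return findings

if __name__ == "__main__":
    for f in explain_removals(SAMPLE):
        print(f["removed_at"], f["user"], "->", f["group"],
              f["causes"] or "no preceding update in window")
```

A removal with an empty cause list means neither update type was logged in the look-back window, so the window should be widened before concluding anything.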
jack987
4 years, 11 months ago
Agree with itmp.
--> Updated user: Administrator changes one or more properties of a user account. For a list of the user properties that can be updated, see the "Update user attributes" section in Azure Active Directory Audit Report Events.
--> Removed member from group: A member was removed from a group.
--> Updated group: A property of a group was changed.
Source: https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide
upvoted 2 times
...
tintin_
4 years, 11 months ago
UPDATED USER AND UPDATED GROUP
upvoted 2 times
...
Piper
5 years ago
I thought one answer would be 'updated group' because someone may have changed the rules of the dynamic group.
upvoted 1 times
gills
5 years ago
My $0.02, changing a rule of the dynamic group affects a lot of users. So usually this is not the case when only one user is affected.
upvoted 3 times
...
...
Jogre
5 years, 1 month ago
Was under the impression you can't manually remove a user from a Dynamic Group so why is Remove User from Group correct? Either you change the user attributes so they no longer matched the Dynamic Group settings (Updated User) or you changed the Dynamic Group settings (Updated Group)?
upvoted 11 times
nicolonsky
5 years, 1 month ago
Totally agree.
upvoted 2 times
...
...