MS-100: Microsoft 365 Identity and Services
Question#171

HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table.

Multi-factor authentication (MFA) is configured to use 131.107.5.0/24 as trusted IPs.
The tenant contains the named locations shown in the following table.

You create a conditional access policy that has the following configurations:
✑ Users and groups assignment: All users
✑ Cloud apps assignment: App1
✑ Conditions: Include all trusted locations
✑ Grant access: Require multi-factor authentication
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:


Answer:
Box 1: Yes
131.107.50.10 is in a trusted location, so the conditional access policy applies. The policy requires MFA. User1's per-user MFA status is disabled, but the MFA requirement in the conditional access policy overrides that per-user status. Therefore, User1 must use MFA.
Box 2: Yes
131.107.20.15 is in a trusted location, so the conditional access policy applies. The policy requires MFA, so User2 must use MFA.
Box 3: Yes
131.107.5.5 is an MFA trusted IP, which counts as a trusted location in the conditional access policy: the "All trusted locations" setting includes MFA trusted IPs. Therefore, the conditional access policy applies, so User2 must use MFA.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
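The evaluation the answer walks through, as an added example that is not part of the exam page: a sign-in is in scope of the policy when the app matches and the source IP is in a trusted named location or in the MFA trusted IP range, and the policy's grant control then requires MFA regardless of the legacy per-user MFA status. The named-location table is not reproduced on the page, so the named-location ranges below are constructed assumptions chosen so that the answer's two addresses fall inside trusted locations.

```python
# Added example, not from the exam page. Models the conditional access
# evaluation for Question 171: policy = all users, App1, condition
# "all trusted locations", grant control "require MFA".
from ipaddress import ip_address, ip_network

# MFA service settings trusted IPs (given in the question).
MFA_TRUSTED_IPS = [ip_network("131.107.5.0/24")]

# Named locations: constructed assumption, the page's table is not reproduced.
NAMED_LOCATIONS = {
    "Location1": {"ranges": [ip_network("131.107.50.0/24")], "trusted": True},
    "Location2": {"ranges": [ip_network("131.107.20.0/24")], "trusted": True},
    "Location3": {"ranges": [ip_network("131.107.30.0/24")], "trusted": False},
}

POLICY = {
    "users": "All users",
    "apps": {"App1"},
    "locations": "AllTrusted",   # condition: include all trusted locations
    "grant": "require_mfa",      # grant control
}


def is_trusted_location(ip):
    """'All trusted locations' = trusted named locations + MFA trusted IPs."""
    addr = ip_address(ip)
    if any(addr in net for net in MFA_TRUSTED_IPS):
        return True
    return any(
        addr in net
        for loc in NAMED_LOCATIONS.values() if loc["trusted"]
        for net in loc["ranges"]
    )


def policy_applies(policy, app, ip):
    """The policy is in scope only for a targeted app from a trusted location."""
    if app not in policy["apps"]:
        return False
    if policy["locations"] == "AllTrusted":
        return is_trusted_location(ip)
    return True


def requires_mfa(policy, app, ip, per_user_mfa_enforced):
    """True when the sign-in must complete MFA.

    A conditional access grant control applies even when the user's
    per-user MFA status is disabled; the per-user status only decides
    the outcome for sign-ins the policy does not cover.
    """
    if policy_applies(policy, app, ip) and policy["grant"] == "require_mfa":
        return True
    return per_user_mfa_enforced
```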

Question#172

You have a Microsoft 365 Enterprise E5 subscription.
You need to enforce multi-factor authentication on all cloud-based applications for the users in the finance department.
What should you do?

  • A. Create an activity policy.
  • B. Create a new app registration.
  • C. Create a conditional access policy.
  • D. Create a session policy.

Answer: C
You can configure a conditional access policy that applies to the Finance department users. The policy can be configured to 'Allow access' but with multi-factor authentication as a requirement.
The reference below explains how to create a conditional access policy that requires MFA for all users. To apply the policy to finance users only, you would select Users and groups in the Include section instead of All users and then specify the finance department group.
Note:
There are several versions of this question in the exam. The question has two possible correct answers:
1. Create a sign-in risk policy.
2. Create a conditional access policy.
Other incorrect answer options you may see on the exam include the following:
1. Create an activity policy.
2. Create a session policy.
3. Create an app permission policy.
4. Configure the sign-in status for the user accounts of the finance department users.
5. Assign an Enterprise Mobility + Security E5 license to the finance department users.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa

Question#173

You have a Microsoft 365 subscription.
Your company deploys an Active Directory Federation Services (AD FS) solution.
You need to configure the environment to audit AD FS user authentication.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. From all the AD FS servers, run auditpol.exe.
  • B. From all the domain controllers, run the Set-AdminAuditLogConfig cmdlet and specify the -LogLevel parameter.
  • C. On a domain controller, install Azure AD Connect Health for AD DS.
  • D. From the Azure AD Connect server, run the Register-AzureADConnectHealthSyncAgent cmdlet.
  • E. On an AD FS server, install Azure AD Connect Health for AD FS.

Answer: DE
To audit AD FS user authentication, you need to install Azure AD Connect Health for AD FS. The agent should be installed on an AD FS server. After the installation, you need to register the agent by running the Register-AzureADConnectHealthSyncAgent cmdlet.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-agent-install
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-adfs

Question#174

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest.
You deploy Microsoft 365.
You plan to implement directory synchronization.
You need to recommend a security solution for the synchronized identities. The solution must meet the following requirements:
✑ Users must be able to authenticate successfully to Microsoft 365 services if Active Directory becomes unavailable.
✑ User passwords must be 10 characters or more.
Solution: Implement password hash synchronization and configure password protection in the Azure AD tenant.
Does this meet the goal?

  • A. Yes
  • B. No

Answer: B
This solution meets the following requirement:
✑ Users must be able to authenticate successfully to Microsoft 365 services if Active Directory becomes unavailable. (this is because the authentication is performed by Azure Active Directory).
This solution does not meet the following requirement:
✑ User passwords must be 10 characters or more.
To meet this requirement, you would need to configure the Default Domain Policy in the on-premises Active Directory.
Azure AD Password Protection can prevent users from using passwords from a banned password list, but it cannot be configured to require that passwords be 10 characters or more.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization

Question#175

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest.
You deploy Microsoft 365.
You plan to implement directory synchronization.
You need to recommend a security solution for the synchronized identities. The solution must meet the following requirements:
✑ Users must be able to authenticate successfully to Microsoft 365 services if Active Directory becomes unavailable.
✑ User passwords must be 10 characters or more.
Solution: Implement pass-through authentication and modify the password settings from the Default Domain Policy in Active Directory.
Does this meet the goal?

  • A. Yes
  • B. No

Answer: B
This solution does not meet the following requirement:
✑ Users must be able to authenticate successfully to Microsoft 365 services if Active Directory becomes unavailable.
This is because with pass-through authentication, the authentication is performed by the on-premises Active Directory.
This solution does meet the following requirement:
✑ User passwords must be 10 characters or more.
Configuring the Default Domain Policy in the on-premises Active Directory meets the requirement.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization

Question#176

You have a Microsoft 365 subscription that uses an Azure Active Directory (Azure AD) tenant named contoso.com.
A temporary employee at your company uses an email address of [email protected].
You need to ensure that the temporary employee can sign in to contoso.com by using the [email protected] account.
What should you do?

  • A. From the Azure Active Directory admin center, create a new user.
  • B. From the Microsoft 365 admin center, create a new contact.
  • C. From the Azure Active Directory admin center, create a new guest user.
  • D. From the Microsoft 365 admin center, create a new user.

Answer: C
You can invite guest users to the directory, to a group, or to an application. After you invite a user through any of these methods, the invited user's account is added to Azure Active Directory (Azure AD), with a user type of Guest. The guest user must then redeem their invitation to access resources. An invitation of a user does not expire.
The invitation will include a link to create a Microsoft account. The user can then authenticate using their Microsoft account. In this question, the external vendor already has a Microsoft account ([email protected]) so he can authenticate using that.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/b2b/add-users-administrator

Question#177

Your company has an Azure Active Directory (Azure AD) tenant named contoso.com that contains 10,000 users.
The company has a Microsoft 365 subscription.
You enable Azure Multi-Factor Authentication (MFA) for all the users in contoso.com.
You run the following query.
search "SigninLogs" | where ResultDescription == "User did not pass the MFA challenge."
The query returns blank results.
You need to ensure that the query returns the expected results.
What should you do?

  • A. From the Azure Active Directory admin center, configure the diagnostics settings to archive logs to an Azure Storage account.
  • B. From the Security & Compliance admin center, turn on auditing.
  • C. From the Security & Compliance admin center, enable Office 365 Analytics.
  • D. From the Azure Active Directory admin center, configure the diagnostics settings to send logs to an Azure Log Analytics workspace.

Answer: D
You can now send audit logs to Azure Log Analytics. This gives you much easier reporting on audit events and the ability to perform queries such as the one in this question.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics

Question#178

Your company has a Microsoft 365 subscription that has multi-factor authentication configured for all users.
Users that connect to Microsoft 365 services report that they are prompted for multi-factor authentication multiple times a day.
You need to reduce the number of times the users are prompted for multi-factor authentication on their company-owned devices. Your solution must ensure that users are still prompted for MFA.
What should you do?

  • A. Enable the multi-factor authentication trusted IPs setting, and then verify each device as a trusted device.
  • B. Enable the remember multi-factor authentication setting, and then verify each device as a trusted device.
  • C. Enable the multi-factor authentication trusted IPs setting, and then join all client computers to Microsoft Azure Active Directory (Azure AD).
  • D. Enable the remember multi-factor authentication setting, and then join all client computers to Microsoft Azure Active Directory (Azure AD).

Answer: B
The remember Multi-Factor Authentication feature for devices and browsers that are trusted by the user is a free feature for all Multi-Factor Authentication users.
Users can bypass subsequent verifications for a specified number of days after they have successfully signed in to a device by using Multi-Factor Authentication.
The feature enhances usability by minimizing the number of times a user has to perform two-step verification on the same device.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings

Question#179

SIMULATION
Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section. This may take a few minutes, and the wait time will not be deducted from your overall test time.
When the Next button is available, click it to access the lab section. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design.
Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn't matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.
Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.
Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.
You may now click next to proceed to the lab.

Lab information
Use the following login credentials as needed:
To enter your username, place your cursor in the Sign in box and click on the username below.
To enter your password, place your cursor in the Enter password box and click on the password below.
Microsoft 365 Username:
[email protected]
Microsoft 365 Password: xxxxxxxxxx
If the Microsoft 365 portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab.
The following information is for technical support purposes only:

Lab Instance: 111111111
You plan to allow the users in your organization to invite external users as guest users to your Microsoft 365 tenant.
You need to prevent the organization's users from inviting guests who have an email address that uses a suffix of @gmail.com.


Answer: See explanation below.
You need to add gmail.com as a denied domain in the 'External collaboration settings'.
1. Go to the Azure Active Directory admin center.
2. Select Users then select 'User settings'.
3. Under External Users, select the 'Manage external collaboration settings'.
4. Under 'Collaboration restrictions', select the 'Deny invitations to the specified domains' option.
5. Under 'Target domains', type in the domain name 'gmail.com'.
6. Click the Save button at the top of the screen to save your changes.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/b2b/allow-deny-list

Question#180

SIMULATION
Lab Instance: 111111111
You hire a new global administrator named Irvin Sayers to manage your Microsoft 365 tenant.
You need to modify Irvin Sayers to meet the following requirements:
✑ Uses at least two methods of user authentication
✑ Has the highest Microsoft Office 365 administrative privileges


Answer: See explanation below.
You need to assign the Global Admin role to Irvin Sayers. You then need to configure the account to require Multi-Factor Authentication (MFA).
1. In the Microsoft 365 admin center, select Users then select Active Users.
2. Select the Irvin Sayers account to open the account properties blade.
3. In the Roles section, click on the 'Manage roles' link.
4. Select the 'Admin center access' option.
5. Select Global Administrator then click the 'Save changes' button.
The next step is to enable the account for Multi-Factor Authentication (MFA).
1. If the Irvin Sayers account is selected in the user accounts list, deselect it (click on the tick icon next to the account name). Selecting a user account changes the menu options at the top of the page; deselecting the accounts changes the menu options back.
2. Click on the 'Multi-factor authentication' link at the top of the page.
3. In the 'Multi-factor authentication' page, select the Irvin Sayers account.
4. Click the 'Enable' link on the right side of the page.
5. In the pop-up window, click the 'enable multi-factor auth' button.
