HOTSPOT -
Your network contains an on-premises Active Directory domain named contoso.com.
Your company purchases a Microsoft 365 subscription and establishes a hybrid deployment of Azure Active Directory (Azure AD) by using password hash synchronization. Password writeback is disabled in Azure AD Connect.
You create a new user named User10 on-premises and a new user named User20 in Azure AD.
You need to identify where an administrator can reset the password of each new user.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
If a user account is created in the on-premises Active Directory and synchronized to Azure Active Directory, you can reset the password of the user account in the on-premises Active Directory only (password writeback is disabled, so a reset made in Azure AD would not flow back).
If a user account is created in Azure Active Directory, you can reset the password of the user account in Azure Active Directory only.
Your network contains an Active Directory forest named contoso.local.
You have a Microsoft 365 subscription.
You plan to implement a directory synchronization solution that will use password hash synchronization.
From the Microsoft 365 admin center, you successfully verify the contoso.com domain name.
You need to prepare the environment for the planned directory synchronization solution.
What should you do first?
Answer:
B
The on-premises Active Directory domain is named contoso.local. Therefore, all the domain user accounts will have a UPN suffix of contoso.local by default.
To enable directory synchronization that will use password hash synchronization, you need to configure the domain user accounts to have the same UPN suffix as the verified domain (contoso.com in this case). Before you can change the UPN suffix of the domain user accounts to contoso.com, you need to add contoso.com as a UPN suffix in the domain.
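The two preparation steps described above, as an added PowerShell illustration (not part of the original answer). It assumes the AD DS PowerShell module is available on a domain-joined admin workstation, that the forest root is contoso.local, and that contoso.com is the verified Microsoft 365 domain:

```powershell
# Added example: prepare UPN suffixes before enabling Azure AD Connect.
# Assumes forest root contoso.local and verified Microsoft 365 domain contoso.com.
Import-Module ActiveDirectory

$verifiedDomain = 'contoso.com'
$legacySuffix   = 'contoso.local'

# Step 1: register the verified domain as an alternative UPN suffix on the forest
# (a user UPN cannot be changed to a suffix the forest does not know about).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $verifiedDomain) {
    $forest | Set-ADForest -UPNSuffixes @{ Add = $verifiedDomain }
}

# Step 2: rewrite the UPN of every enabled user that still carries the .local suffix.
# -WhatIf reports the intended changes; remove it once the list has been reviewed.
$filter = "Enabled -eq 'True' -and UserPrincipalName -like '*@$legacySuffix'"
$users  = Get-ADUser -Filter $filter -Properties UserPrincipalName

foreach ($user in $users) {
    $prefix = ($user.UserPrincipalName -split '@')[0]
    $newUpn = "$prefix@$verifiedDomain"
    Set-ADUser -Identity $user -UserPrincipalName $newUpn -WhatIf
}

"Reviewed $($users.Count) user(s) with the $legacySuffix suffix."
```

Only the UPN suffix changes; the sAMAccountName and the existing sign-in experience on-premises are untouched, so review the -WhatIf output and then run without it.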
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-userprincipalname
Your company has a Microsoft 365 subscription.
You plan to add 100 newly hired temporary users to the subscription next week.
You create the user accounts for the new users.
You need to assign licenses to the new users.
Which command should you run?
A.
B.
C.
D.
Answer:
B
The first line gets all users from the Temp department that have a UsageLocation assigned and stores them in the $NewStaff variable. You cannot use PowerShell to assign a license to a user that does not have a UsageLocation configured.
The second line adds the licenses to each user in the $NewStaff variable.
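The two-line approach the explanation describes, written out as an added illustration (it is not one of the question's answer options, which are not reproduced here). It assumes the MSOnline module used by the referenced article, an existing Connect-MsolService session, and a placeholder AccountSkuId:

```powershell
# Added example: license Temp-department users that already have a UsageLocation.
# Assumes Connect-MsolService has been run. The SKU below is a placeholder;
# list the tenant's real values with Get-MsolAccountSku.
$skuId = 'contoso:ENTERPRISEPACK'   # placeholder AccountSkuId

# Line 1: Temp-department users with a UsageLocation set and no license yet.
# Set-MsolUserLicense fails for users without a UsageLocation, so they are excluded.
$NewStaff = Get-MsolUser -Department 'Temp' -All |
    Where-Object { $_.UsageLocation -and -not $_.IsLicensed }

# Line 2: assign the license to each selected user.
foreach ($user in $NewStaff) {
    Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -AddLicenses $skuId
}

# Report the users that were skipped because UsageLocation is still empty;
# set it (Set-MsolUser -UsageLocation) and re-run for those accounts.
Get-MsolUser -Department 'Temp' -All |
    Where-Object { -not $_.UsageLocation } |
    Select-Object UserPrincipalName, Department, UsageLocation
```

The MSOnline module has since been deprecated in favour of the Microsoft Graph PowerShell SDK, but the UsageLocation prerequisite applies equally there.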
Reference:
https://docs.microsoft.com/en-us/office365/enterprise/powershell/assign-licenses-to-user-accounts-with-office-365-powershell
Your network contains an Active Directory domain and a Microsoft Azure Active Directory (Azure AD) tenant.
The network uses a firewall that contains a list of allowed outbound domains.
You begin to implement directory synchronization.
You discover that the firewall configuration contains only the following domain names in the list of allowed domains:
✑ *.microsoft.com
✑ *.office.com
Directory synchronization fails.
You need to ensure that directory synchronization completes successfully.
What is the best approach to achieve the goal? More than one answer choice may achieve the goal. Select the BEST answer.
Answer:
E
Azure AD Connect needs to be able to connect to various Microsoft domains such as login.microsoftonline.com. Therefore, you need to modify the list of allowed outbound domains on the firewall.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-ports
Your network contains an on-premises Active Directory forest.
You are evaluating the implementation of Microsoft 365 and the deployment of an authentication strategy.
You need to recommend an authentication strategy that meets the following requirements:
✑ Allows users to sign in by using smart card-based certificates
✑ Allows users to connect to on-premises and Microsoft 365 services by using SSO
Which authentication strategy should you recommend?
Answer:
B
Federation with Active Directory Federation Services (AD FS) is required to allow users to sign in by using smart card-based certificates.
Federated authentication -
When you choose this authentication method, Azure AD hands off the authentication process to a separate trusted authentication system, such as on-premises Active Directory Federation Services (AD FS), to validate the user's password.
The authentication system can provide additional advanced authentication requirements. Examples are smartcard-based authentication or third-party multifactor authentication.
Reference:
https://docs.microsoft.com/en-us/azure/security/azure-ad-choose-authn
HOTSPOT -
Your network contains an on-premises Active Directory domain that is synced to Microsoft Azure Active Directory (Azure AD) as shown in the following exhibit.
An on-premises Active Directory user account named Allan Yoo is synchronized to Azure AD. You view Allan's account from Microsoft 365 and notice that his username is set to [email protected]
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Allan Yoo's user account is synchronized from the on-premises Active Directory. This means that most user account settings have to be configured in the on-premises Active Directory.
In the exhibit, Password Writeback is disabled. Therefore, you cannot reset the password of Allan Yoo from the Azure portal.
You also cannot change Allan Yoo's job title in the Azure portal because his account is synchronized from the on-premises Active Directory.
One setting that you can configure for synchronized user accounts is the usage location. The usage location must be configured on a user account before you can assign licenses to the user.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback
HOTSPOT -
Your network contains an on-premises Active Directory domain named contoso.com that syncs to Azure Active Directory (Azure AD).
You have users in contoso.com as shown in the following table.
The users have the passwords shown in the following table.
You implement password protection as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Box 1: No -
User1's password contains the banned password 'Contoso'. However, User1 will not be required to change his password at next sign in. When the password expires or when User1 (or an administrator) changes the password, the password will be evaluated and will have to meet the password requirements.
Box 2: Yes -
Password evaluation goes through several steps, including normalization and substring matching. Substring matching is performed on the normalized password to check for the user's first and last name as well as the tenant name. Normalization is the process of converting common letter substitutes into letters: for example, 0 converts to o, $ converts to s, and so on.
The next step is to identify all instances of banned passwords in the user's normalized new password. Then:
1. Each banned password that is found in a user's password is given one point.
2. Each remaining unique character is given one point.
3. A password must be at least five (5) points for it to be accepted.
'C0nt0s0' becomes 'contoso' after normalization. Therefore, C0nt0s0_C0mplex123 contains one instance of the banned password (contoso) so that equals 1 point. After 'contoso', there are 11 unique characters. Therefore, the score for 'C0nt0s0_C0mplex123' is 12. This is more than the required 5 points so the password is acceptable.
Box 3:
The 'Password protection for Windows Server Active Directory' is in 'Audit' mode. This means that the password protection rules are not applied. Audit mode is for logging policy violations before putting the password protection 'live' by changing the mode to 'enforced'.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table.
User1 is the owner of Group1. User2 is the owner of Group2.
You create an access review that contains the following configurations:
✑ Users to review: Members of a group
✑ Scope: Everyone
✑ Group: Group1, Group2
✑ Reviewers: Group owners
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Box 1: Yes -
User1 is the owner of Group1. User2 is in Group1 and Group2. Group owners can review access. Therefore, User1 can review User2's membership of Group1.
Box 2: Yes -
User1 is the owner of Group1. User3 is in Group1 and Group2. Group owners can review access. Therefore, User1 can review User3's membership of Group1.
Box 3: No -
Only group owners can review access. User3 is not a group owner. Therefore, User3 cannot review membership of the groups.
References:
https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review
HOTSPOT -
You need to ensure that a user named User1 can create documents by using Office Online.
Which two Microsoft Office 365 license options should you turn on for User1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
You need "Office Online" to be able to create documents by using Office Online. You also need an online location to save and store the documents. For this, you would use SharePoint Online.
Your network contains two on-premises Active Directory forests named contoso.com and fabrikam.com. Fabrikam.com contains one domain and five domain controllers. Contoso.com contains the domains shown in the following table.
You need to sync all the users from both the forests to a single Azure Active Directory (Azure AD) tenant by using Azure AD Connect.
What is the minimum number of Azure AD Connect sync servers required?
Answer:
A
You can have only one active Azure AD Connect server synchronizing accounts to a single Azure Active Directory (Azure AD) tenant. You can have 'backup' Azure AD Connect servers, but these must be running in 'staging' mode. Staging mode means the Azure AD Connect instance is not actively synchronizing users but is ready to be brought online if the active Azure AD Connect instance goes offline.
When you have multiple forests, all forests must be reachable by a single Azure AD Connect sync server. The server must be joined to a domain. If necessary, to reach all forests, you can place the server in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet).
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies#multiple-forests-single-azure-ad-tenant