MS-100 : Microsoft 365 Identity and Services : Part 06

MS-100 : Microsoft 365 Identity and Services : Part 06

1. Your company uses email, calendar, contact, and task services in Microsoft Outlook.com.

   You purchase a Microsoft 365 subscription and plan to migrate all users from Outlook.com to Microsoft 365.

   You need to identify which user data can be migrated to Microsoft 365.

   Which type of data should you identify?

   • task
   • email
   • calendar
   • contacts

   Explanation:
   You can use the Internet Message Access Protocol (IMAP) to migrate user email from Gmail, Exchange, Outlook.com, and other email systems that support IMAP migration. When you migrate the user’s email by using IMAP migration, only the items in the users’ inbox or other mail folders are migrated. Contacts, calendar items, and tasks can’t be migrated with IMAP, but they can be by a user.

2. SIMULATION

   Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section. This may take a few minutes, and the wait time will not be deducted from your overall test time.

   When the Next button is available, click it to access the lab section. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design.

   Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn’t matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.

   Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.

   Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.

   You may now click next to proceed to the lab.

   Lab information

   Use the following login credentials as needed:

   To enter your username, place your cursor in the Sign in box and click on the username below.

   To enter your password, place your cursor in the Enter password box and click on the password below.

   Microsoft 365 Username: [email protected]

   Microsoft 365 Password: m3t^We$Z7&xy

   If the Microsoft 365 portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab.

   The following information is for technical support purposes only:

   Lab Instance: 11440873

   

   You need to prevent all the users in your organization from sending an out of office reply to external users.

   To answer, sign in to the Microsoft 365 portal.

   • See explanation below.
   Explanation:

   You need to modify the default remote domain. When you add a remote domain, you specify the domain name and the settings apply to that domain. The default remote domain applies to all other domains. Therefore, we need to disable Out of Office replies for external users in the settings of the default remote domain.

   1. Go to the Exchange Admin Center.
   2. Click Mail Flow in the left navigation pane.
   3. Click on Remote Domains.
   4. Select the default remote domain and click the Edit icon (pencil icon).
   5. In the ‘Out of Office automatic reply types’ section, select ‘None’.
   6. Click Save to save to changes to the default remote domain.

3. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

   After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

   Your network contains an on-premises Active Directory domain named contoso.com. The domain contains the users shown in the following table.

   

   The domain syncs to an Azure Active Directory (Azure AD) tenant named contoso.com as shown in the exhibit.

   

   User2 fails to authenticate to Azure AD when signing in as [email protected].

   You need to ensure that User2 can access the resources in Azure AD.

   Solution: From the Azure Active Directory admin center, you add fabrikam.com as a custom domain. You instruct User2 to sign in as [email protected].

   Does this meet the goal?

   • Yes
   • No
   Explanation:
   The on-premises Active Directory domain is named contoso.com. To enable users to sign on using a different UPN (different domain), you need to add the domain to Microsoft 365 as a custom domain.

4. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

   After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

   Your network contains an on-premises Active Directory domain named contoso.com. The domain contains the users shown in the following table.

   

   The domain syncs to an Azure Active Directory (Azure AD) tenant named contoso.com as shown in the exhibit.

   

   User2 fails to authenticate to Azure AD when signing in as [email protected].

   You need to ensure that User2 can access the resources in Azure AD.

   Solution: From the on-premises Active Directory domain, you assign User2 the Allow logon locally user right. You instruct User2 to sign in as [email protected].

   Does this meet the goal?

   • Yes
   • No
   Explanation: 
   This is not a permissions issue.
   The on-premises Active Directory domain is named contoso.com. To enable users to sign on using a different UPN (different domain), you need to add the domain to Microsoft 365 as a custom domain.

5. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

   After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

   Your network contains an on-premises Active Directory domain named contoso.com. The domain contains the users shown in the following table.

   

   The domain syncs to an Azure Active Directory (Azure AD) tenant named contoso.com as shown in the exhibit.

   

   User2 fails to authenticate to Azure AD when signing in as [email protected].

   You need to ensure that User2 can access the resources in Azure AD.

   Solution: From the on-premises Active Directory domain, you set the UPN suffix for User2 to @contoso.com. You instruct User2 to sign in as [email protected].

   Does this meet the goal?

   • Yes
   • No
   Explanation: 
   The on-premises Active Directory domain is named contoso.com. You can enable users to sign on using a different UPN (different domain), by adding the domain to Microsoft 365 as a custom domain. Alternatively, you can configure the user account to use the existing domain (contoso.com).

6. HOTSPOT

   Your network contains an on-premises Active Directory forest named contoso.com. The forest contains the following domains:

   – Contoso.com
   – East.contoso.com

   The forest contains the users shown in the following table.

   

   The forest syncs to an Azure Active Directory (Azure AD) tenant named contoso.com as shown in the exhibit.

   

   For each of the following statements, select Yes if the statement is true. Otherwise, select No.

   NOTE: Each correct selection is worth one point.

   

   

   Explanation:

   Box 1: Yes
   The UPN of user1 is [email protected] so he can authenticate to Azure AD by using the username [email protected].

   Box 2: No
   The UPN of user2 is [email protected] so he cannot authenticate to Azure AD by using the username [email protected].

   Box 3: No
   The UPN of user3 is [email protected] so he cannot authenticate to Azure AD by using the username [email protected].

7. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

   After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

   Your network contains an on-premises Active Directory domain named contoso.com. The domain contains the users shown in the following table.

   

   The domain syncs to an Azure Active Directory (Azure AD) tenant named contoso.com as shown in the exhibit.

   

   User2 fails to authenticate to Azure AD when signing in as [email protected].

   You need to ensure that User2 can access the resources in Azure AD.

   Solution: From the Azure Active Directory admin center, you assign User2 the Security reader role. You instruct User2 to sign in as [email protected].

   Does this meet the goal?

   • Yes
   • No
   Explanation:
   This is not a permissions issue so you do not need to assign the Security Reader role.
   The on-premises Active Directory domain is named contoso.com. User2 could sign on as [email protected] but you would first need to change the UPN of User2 to [email protected].

8. HOTSPOT

   You have a Microsoft 365 E5 subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains a Microsoft SharePoint Online site named Site1 and the accounts shown in the following table.

   

   You have an on-premises server named Server1 that contains a folder named Folder1. Folder1 contains the files shown in the following table.

   

   The User1, User2, and Group1 accounts have the security identifiers (SIDs) shown in the following table.

   

   You use the SharePoint Migration Tool to migrate Folder1 to Site1. You preserve the file share permissions and use the following user mapping file.

   S-1-5-21-4534338-1127018997-2609994386-1304, [email protected], FALSE
   S-1-5-21-4534338-1127018997-2609994386-1228, [email protected], FALSE
   S-1-5-21-4534338-1127018997-2609994386-1106, GroupA, TRUE

   For each of the following statements, select Yes if the statement is true. Otherwise, select No.

   NOTE: Each correct selection is worth one point

   

   

9. You have a DNS zone named contoso.com that contains the following records.

   

   You purchase a Microsoft 365 subscription.

   You plan to migrate mailboxes to Microsoft Exchange Online.

   You need to configure Sender Policy Framework (SPF) to support Exchange Online.

   What should you do?

   • Add an additional TXT record.
   • Modify the TXT record. 
   • Modify the expire interval of the SOA record.
   • Modify the default TTL of the SOA record.

10. DRAG DROP

    You have a Microsoft 365 subscription and a DNS domain. The domain is hosted by a third-party DNS service.

    You plan to add the domain to the subscription.

    You need to use Microsoft Exchange Online to send and receive emails for the domain.

    Which type of DNS record should you add to the DNS zone of the domain for each task? To answer, drag the appropriate records to the correct tasks. Each record may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

    NOTE: Each correct selection is worth one point.

    

    

    Explanation:

    Box 1: MX
    When you update your domain’s MX record, all new email for anyone who uses your domain will now come to Microsoft 365.

    Box 2: CNAME
    Add CNAME records to connect other service. You can add CNAME records for each service that you want to connect.

    Box 3: TXT
    Add or edit an SPF TXT record to help prevent email spam

11. HOTSPOT

    You have a Microsoft 365 subscription linked to an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.

    In the subscription, an administrator adds two custom domains named sub1.contoso.onmicrosoft.com and sub2.contoso.onmicrosoft.com and the objects shown in the following table.

    

    You plan to delete sub1.contoso.onmicrosoft.com and sub2.contoso.onmicrosoft.com.

    Which objects must you delete or modify manually before you can delete the domains? To answer, select the appropriate options in the answer area.

    NOTE: Each correct selection is worth one point.

    

    

    Explanation:

    Anything with an email address in the subdomain needs to be removed or moved to another domain. This includes users, mail-enabled security groups, distribution groups and contacts. Office 365 groups will also need to be removed from the subdomains (they cannot be moved to another domain). However, the only Office 365 group in this question is in the parent domain, not the subdomains.

12. You have an on-premises Microsoft Exchange Server organization that contains 100 mailboxes.

    You have a hybrid Microsoft 365 tenant.

    You run the Hybrid Configuration wizard and migrate the mailboxes to the tenant.

    You need to ensure that Microsoft 365 spam filtering is applied to incoming email.

    What should you do?

    • Run the Hybrid Configuration wizard again.
    • Update the Sender Policy Framework (SPF) TXT record to point to the on-premises Exchange IP address.
    • Run the Azure Active Directory Connect wizard again.
    • Update the MX record to point to Exchange Online.

13. You have an on-premises Microsoft Exchange Server organization that contains 500 mailboxes and a third-party email archive solution.

    You have a Microsoft 365 tenant that contains a user named User1.

    You plan to use the User1 account to perform a PST import of the archive mailboxes to the tenant.

    Which two roles does User1 require to perform the import? The solution must use the principle of least privilege. Each correct answer presents part of the solution.

    NOTE: Each correct selection is worth one point.

    • Mail Recipients
    • Exchange admin
    • Records Management
    • Mailbox Import Export
    • eDiscovery Manager

14. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    Your company has a Microsoft Office 365 tenant.

    You suspect that several Office 365 features were recently updated.

    You need to view a list of the features that were recently updated in the tenant.

    Solution: You review the Windows release health in the Microsoft 365 admin center.

    Does this meet the goal?

    • Yes
    • No

15. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    Your company has a Microsoft Office 365 tenant.

    You suspect that several Office 365 features were recently updated.

    You need to view a list of the features that were recently updated in the tenant.

    Solution: You use the Service health option in the Microsoft 365 admin center.

    Does this meet the goal?

    • Yes
    • No

16. Case study

    This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

    To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

    At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

    To start the case study
    To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question.

    Overview

    Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.

    The offices have the users and devices shown in the following table.

    

    Contoso recently purchased a Microsoft 365 E5 subscription.

    Existing Environment
    The network contains an Active directory forest named contoso.com and a Microsoft Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.

    You recently configured the forest to sync to the Azure AD tenant.

    You add and then verify adatum.com as an additional domain name.

    All servers run Windows Server 2016.

    All desktop computers and laptops run Windows 10 Enterprise and are joined to contoso.com.

    All the mobile devices in the Montreal and Seattle offices run Android. All the mobile devices in the New York office run iOS.

    Contoso has the users shown in the following table.

    

    Contoso has the groups shown in the following table.

    

    Microsoft Office 365 licenses are assigned only to Group2.

    The network also contains external users from a vendor company who have Microsoft accounts that use a suffix of @outlook.com.

    Requirements

    Planned Changes
    Contoso plans to provide email addresses for all the users in the following domains:

    – East.adatum.com
    – Contoso.adatum.com
    – Humongousinsurance.com

    Technical Requirements
    Contoso identifies the following technical requirements:

    – All new users must be assigned Office 365 licenses automatically.
    – The principle of least privilege must be used whenever possible.

    Security Requirements
    Contoso identifies the following security requirements:

    – Vendors must be able to authenticate by using their Microsoft account when accessing Contoso resources.
    – User2 must be able to view reports and schedule the email delivery of security and compliance reports.
    – The members of Group1 must be required to answer a security question before changing their password.
    – User3 must be able to manage Office 365 connectors.
    – User4 must be able to reset User3 password.

    1. You need to add the custom domain names to Office 365 to support the planned changes as quickly as possible.

       What should you create to verify the domain names successfully?

       • three alias (CNAME) records
       • one text (TXT) record
       • one alias (CNAME) record
       • three text (TXT) records
       Explanation:

       Contoso plans to provide email addresses for all the users in the following domains:
       – East.adatum.com
       – Contoso.adatum.com
       – Humongousinsurance.com

       To verify three domain names, you need to add three TXT records.

17. Case study

    This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

    To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

    At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

    To start the case study
    To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question.

    Overview

    Fabrikam, Inc. is an electronics company that produces consumer products. Fabrikam has 10,000 employees worldwide.

    Fabrikam has a main office in London and branch offices in major cities in Europe, Asia, and the United States.

    Existing Environment
    Active Directory Environment
    The network contains an Active Directory forest named fabrikam.com. The forest contains all the identities used for user and computer authentication.

    Each department is represented by a top-level organizational unit (OU) that contains several child OUs for user accounts and computer accounts.

    All users authenticate to on-premises applications by signing in to their device by using a UPN format of [email protected].

    Fabrikam does NOT plan to implement identity federation.

    Network Infrastructure

    Each office has a high-speed connection to the Internet.

    Each office contains two domain controllers. All domain controllers are configured as a DNS server.

    The public zone for fabrikam.com is managed by an external DNS server.

    All users connect to an on-premises Microsoft Exchange Server 2016 organization. The users access their email by using Outlook Anywhere, Outlook on the web, or the Microsoft Outlook app for iOS. All the Exchange servers have the latest cumulative updates installed.

    All shared company documents are stored on a Microsoft SharePoint Server farm.

    Requirements
    Planned Changes
    Fabrikam plans to implement a Microsoft 365 Enterprise subscription and move all email and shared documents to the subscription.

    Fabrikam plans to implement two pilot projects:

    – Project1: During Project1, the mailboxes of 100 users in the sales department will be moved to Microsoft 365.
    – Project2: After the successful completion of Project1, Microsoft Teams & Skype for Business will be enabled in Microsoft 365 for the sales department users.

    Fabrikam plans to create a group named UserLicenses that will manage the allocation of all Microsoft 365 bulk licenses.

    Technical Requirements
    Fabrikam identifies the following technical requirements:

    – All users must be able to exchange email messages successfully during Project1 by using their current email address.
    – Users must be able to authenticate to cloud services if Active Directory becomes unavailable.
    – A user named User1 must be able to view all DLP reports from the Microsoft 365 admin center.
    – Microsoft 365 Apps for enterprise applications must be installed from a network share only.
    – Disruptions to email access must be minimized.

    Application Requirements
    Fabrikam identifies the following application requirements:

    – An on-premises web application named App1 must allow users to complete their expense reports online. App1 must be available to users from the My Apps portal.
    – The installation of feature updates for Microsoft 365 Apps for enterprise must be minimized.

    Security Requirements
    Fabrikam identifies the following security requirements:

    – After the planned migration to Microsoft 365, all users must continue to authenticate to their mailbox and to SharePoint sites by using their UPN.
    – The memberships of UserLicenses must be validated monthly. Unused user accounts must be removed from the group automatically.
    – After the planned migration to Microsoft 365, all users must be signed in to on-premises and cloud-based applications automatically.
    – The principle of least privilege must be used.

    1. DRAG DROP

       You need to prepare the environment for Project1.

       You create the Microsoft 365 tenant.

       Which three actions should you perform in sequence next? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

       

       

       Explanation:

       Fabrikam plans to implement a Microsoft 365 Enterprise subscription and move all email and shared documents to the subscription.
       All users must be able to exchange email messages successfully during Project1 by using their current email address.
       After the planned migration to Microsoft 365, all users must continue to authenticate to their mailbox and to SharePoint sites by using their UPN.

       This configuration requires a hybrid Exchange configuration during the pilot phase. This means that you will have mailboxes hosted in Exchange Online and mailboxes hosted in Exchange on-premise.

       The first steps to configure Exchange hybrid are to Create the Azure AD tenant, add the Fabrikam.com domain as a custom domain, then configure directory synchronization to replicate the on-prem Active Directory user accounts to Azure Active Directory.

    2. You are evaluating the required processes for Project1.

       You need to recommend which DNS record must be created before adding a domain name for the project.

       Which DNS record should you recommend?

       • alias (CNAME)
       • host information (HINFO)
       • host (A)
       • mail exchanger (MX)
       Explanation:

       When you add a custom domain to Office 365, you need to verify that you own the domain. You can do this by adding either an MX record or a TXT record to the DNS for that domain.

       Note:
       There are several versions of this question in the exam. The question has two possible correct answers:
       1. Text (TXT)
       2. Mail exchanger (MX)

       Other incorrect answer options you may see on the exam include the following:
       1. Host (AAAA)
       2. Pointer (PTR)
       3. Name Server (NS)

    3. You are evaluating the required processes for Project1.

       You need to recommend which DNS record must be created before adding a domain name for the project.

       Which DNS record should you recommend?

       • alias (CNAME)
       • text (TXT)
       • host (AAAA)
       • pointer (PTR)
       Explanation:

       When you add a custom domain to Office 365, you need to verify that you own the domain. You can do this by adding either an MX record or a TXT record to the DNS for that domain.

       Note:
       There are several versions of this question in the exam. The question has two possible correct answers:
       1. Text (TXT)
       2. Mail exchanger (MX)

       Other incorrect answer options you may see on the exam include the following:
       1. Host Information (HINFO)
       2. Host (A)
       3. Name Server (NS)

18. You have a Microsoft 365 subscription.

    You plan to enable Microsoft Azure Information Protection.

    You need to ensure that only the members of a group named PilotUsers can protect content.

    What should you do?

    • Run the Add-AadrmRoleBaseAdministrator cmdlet.
    • Create an Azure Information Protection policy.
    • Configure the protection activation status for Azure Information Protection.
    • Run the Set-AadrmOnboardingControlPolicy cmdlet.
    Explanation:

    If you don’t want all users to be able to protect documents and emails immediately by using Azure Rights Management, you can configure user onboarding controls by using the
    Set-AadrmOnboardingControlPolicy cmdlet.

    Note: Set-AadrmOnboardingControlPolicy from the AADRM module is now deprecated. After July 15, 2020, this cmdlet name will be supported only as an alias to its replacement in the AIPService module. Set-AipServiceOnboardingControlPolicy Sets the user on-boarding control policy for Azure Information Protection.

19. Your company has a Microsoft 365 subscription.

    You need to identify which users performed the following privileged administration tasks:

    – Deleted a folder from the second-stage Recycle Bin if Microsoft SharePoint
    – Opened a mailbox of which the user was not the owner
    – Reset a user password

    What should you use?

    • Microsoft Azure Active Directory (Azure AD) audit logs
    • Microsoft Azure Active Directory (Azure AD) sign-ins
    • Security & Compliance content search
    • Security & Compliance audit log search
    Explanation:
    You can view the required information in the audit logs. The Azure AD audit logs provide records of system activities for compliance. To access the audit report, select Audit logs in the Activity section of Azure Active Directory.

20. You have a Microsoft 365 subscription. You have a user named User1.

    You need to ensure that User1 can place a hold on all mailbox content.

    What permission should you assign to User1?

    • the User management administrator role from the Microsoft 365 admin center
    • the eDiscovery Manager role from the Security & Compliance admin center
    • the Information Protection administrator role from the Azure Active Directory admin center
    • the Compliance Management role from the Exchange admin center
    Explanation:
    To create a query-based In-Place Hold, a user requires both the Mailbox Search and Legal Hold roles to be assigned directly or via membership in a role group that has both roles assigned. To create an In-Place Hold without using a query, which places all mailbox items on hold, you must have the Legal Hold role assigned. The Discovery Management role group is assigned both roles.