MS-100 : Microsoft 365 Identity and Services : Part 08
-
HOTSPOT
Your company has a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com that includes the users shown in the following table.
Group2 is a member of Group1.
You assign Office 365 Enterprise E3 license to User2 as shown in the User2 Licensing exhibit.
You assign Office 365 Enterprise E3 licenses to Group1 as shown in the Group1 Licensing exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Explanation: Group-based licensing currently does not support groups that contain other groups (nested groups). If you apply a license to a nested group, only the immediate first-level user members of the group have the licenses applied. Therefore, the license granted to Group1 will not filter down to Group2.
Box 1: Yes
User1 is in Group1, which has been assigned a license to use Exchange Online.
Box 2: No
User2 has been assigned a license to use SharePoint Online. However, the license to use Exchange Online does not apply to User2.
Box 3: No
The license to use Exchange Online is granted to Group1. However, the license granted to Group1 will not filter down to Group2. Therefore, User3 will not be licensed to use Exchange Online. -
You have a Microsoft 365 subscription.
You view the service advisories shown in the following exhibit.
You need to ensure that users who administer Microsoft SharePoint Online can view the advisories to investigate service health issues.
Which role should you assign to the users?
- Compliance administrator
- Message Center reader
- Reports reader
- Service administrator
Explanation:
People who are assigned the global admin or service administrator role can view service health. To allow Exchange, SharePoint, and Skype for Business admins to view service health, they must also be assigned the Service admin role. For more information about roles that can view service health. -
You have a Microsoft 365 subscription that contains a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com. The tenant includes a user named User1.
You enable Azure AD Identity Protection.
You need to ensure that User1 can review the list in Azure AD Identity Protection of users flagged for risk. The solution must use the principle of least privilege.
To which role should you add User1?
- Security reader
- User administrator
- Owner
- Global administrator
Explanation: The risky sign-ins reports are available to users in the following roles:
– Security Administrator
– Global Administrator
– Security Reader
Of the three roles listed above, the Security Reader role has the least privilege.
Note:
There are several versions of this question in the exam. The question has three possible correct answers:
1. Security Reader
2. Security Administrator
3. Global Administrator
Other incorrect answer options you may see on the exam include the following:
1. Service Administrator
2. Reports Reader
3. Compliance Administrator -
HOTSPOT
Your network contains an Active Directory domain and a Microsoft Azure Active Directory (Azure AD) tenant.
You implement directory synchronization for all 10,000 users in the organization.
You automate the creation of 100 new user accounts.
You need to ensure that the new user accounts synchronize to Azure AD as quickly as possible.
Which command should you run? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Explanation: Azure AD Connect synchronizes Active Directory to Azure Active Directory on a schedule. The minimum time between synchronizations is 30 minutes.
If you want to synchronize changes to Active Directory without waiting for the next sync cycle, you can initiate a sync by using the Start-ADSyncSyncCycle cmdlet. The Delta option synchronizes only the changes made to Active Directory since the last sync. The Full option synchronizes all Active Directory objects, including those that have not changed. -
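As an added example (not part of the exam material), the following PowerShell, run on the Azure AD Connect server, reads the scheduler state before forcing a delta cycle, so the request is not issued while a cycle is already in progress. The ADSync module and the Get-ADSyncScheduler and Start-ADSyncSyncCycle cmdlets are the ones Azure AD Connect installs; the output strings are this example's own.

```powershell
# Added example, not from the exam material. Run in an elevated PowerShell
# session on the Azure AD Connect server; the ADSync module ships with it.
Import-Module ADSync

$scheduler = Get-ADSyncScheduler

# Show the settings that explain why new accounts may wait up to the
# effective interval (30 minutes by default) before they reach Azure AD.
"Scheduler enabled : $($scheduler.SyncCycleEnabled)"
"Effective interval: $($scheduler.CurrentlyEffectiveSyncCycleInterval)"
"Next scheduled run: $($scheduler.NextSyncCycleStartTimeInUTC) (UTC)"

if ($scheduler.SyncCycleInProgress) {
    Write-Warning 'A sync cycle is already running; wait for it to finish before starting another.'
}
else {
    # Delta: only objects changed since the last cycle (here, the 100 new users).
    # Full would re-evaluate all 10,000 objects and take far longer.
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

Starting a cycle while one is in progress returns an error rather than queuing a second run, which is why the in-progress check comes first.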
Your network contains three Active Directory forests.
You create a Microsoft Azure Active Directory (Azure AD) tenant.
You plan to sync the on-premises Active Directory to Azure AD.
You need to recommend a synchronization solution. The solution must ensure that the synchronization can complete successfully and as quickly as possible if a single server fails.
What should you include in the recommendation?
- three Azure AD Connect sync servers and three Azure AD Connect sync servers in staging mode
- one Azure AD Connect sync server and one Azure AD Connect sync server in staging mode
- three Azure AD Connect sync servers and one Azure AD Connect sync server in staging mode
- six Azure AD Connect sync servers and three Azure AD Connect sync servers in staging mode
Explanation:
Azure AD Connect can be active on only one server. You can install Azure AD Connect on another server for redundancy but the additional installation would need to be in Staging mode. An Azure AD connect installation in Staging mode is configured and ready to go but it needs to be manually switched to Active to perform directory synchronization. -
Your network contains an Active Directory domain named adatum.com that is synced to Microsoft Azure Active Directory (Azure AD).
The domain contains 100 user accounts.
The city attribute for all the users is set to the city where the user resides.
You need to modify the value of the city attribute to the three-letter airport code of each city.
What should you do?
- From Azure Cloud Shell, run the Get-AzureADUser and Set-AzureADUser cmdlets.
- From Azure Cloud Shell, run the Get-ADUser and Set-ADUser cmdlets.
- From Windows PowerShell on a domain controller, run the Get-ADUser and Set-ADUser cmdlets.
- From Azure Cloud Shell, run the Get-MsolUser and Set-MsolUser cmdlets.
Explanation: The user accounts are synced from the on-premises Active Directory to the Microsoft Azure Active Directory (Azure AD). Therefore, the city attribute must be changed in the on-premises Active Directory.
You can use Windows PowerShell on a domain controller and run the Get-ADUser cmdlet to get the required users and pipe the results into the Set-ADUser cmdlet to modify the city attribute.
Incorrect Answers:
A, D: These answers suggest modifying the city attribute of the users in Azure Active Directory, which is incorrect.
B: This answer has the correct cmdlets, but they need to be run on a domain controller, not in Azure Cloud Shell.
Note:
There are several versions of this question in the exam. The question has two possible correct answers:
From Windows PowerShell on a domain controller, run the Get-ADUser and Set-ADUser cmdlets.
From Active Directory Administrative Center, select the Active Directory users, and then modify the Properties settings.
Other incorrect answer options you may see on the exam include the following:
From the Azure portal, select all the Azure AD users, and then use the User settings blade.
From Windows PowerShell on a domain controller, run the Get-AzureADUser and Set-AzureADUser cmdlets.
From the Microsoft 365 admin center, select the users, and then use the Bulk actions option.
From Azure Cloud Shell, run the Get-ADUser and Set-ADUser cmdlets. -
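One way to carry out the correct answer, as an added example rather than the exam's own command: a city-to-airport-code table (constructed here; the three entries are placeholders) is applied with Get-ADUser piped into Set-ADUser, previewed with -WhatIf, and any city that has no mapping is reported instead of guessed. The -City parameter maps to the l attribute that directory synchronization reads.

```powershell
# Added example, not from the exam material. Run from Windows PowerShell
# on a domain controller (or any host with the ActiveDirectory RSAT module).
Import-Module ActiveDirectory

# Constructed city-to-airport-code table; extend it for the cities in your domain.
$AirportCodes = @{
    'Seattle' = 'SEA'
    'London'  = 'LHR'
    'Sydney'  = 'SYD'
}

# Pull only users that currently have a City value. -Properties is needed
# because City is not part of the default Get-ADUser property set.
$users = Get-ADUser -Filter 'City -like "*"' -Properties City

$unmapped = @()
foreach ($user in $users) {
    $code = $AirportCodes[$user.City]
    if (-not $code) {
        # Do not guess: collect cities with no mapping and report them at the end.
        $unmapped += $user.City
        continue
    }
    # Remove -WhatIf once the preview output looks right.
    Set-ADUser -Identity $user -City $code -WhatIf
}

if ($unmapped) {
    Write-Warning ('No airport code for: ' + (($unmapped | Sort-Object -Unique) -join ', '))
}
```

Once the on-premises change is made, the next Azure AD Connect delta cycle carries the new value to Azure AD; editing the cloud copy directly would be overwritten by the sync.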
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an on-premises Active Directory forest named contoso.com. The forest contains the following domains:
– Contoso.com
– East.contoso.com
An Azure AD Connect server is deployed to contoso.com. Azure AD Connect syncs to an Azure Active Directory (Azure AD) tenant.
You deploy a new domain named west.contoso.com to the forest.
You need to ensure that west.contoso.com syncs to the Azure AD tenant.
Solution: From the Azure AD Connect server in contoso.com, you rerun the setup wizard and include the west.contoso.com domain.
Does this meet the goal?
- Yes
- No
-
Your network contains an on-premises Active Directory domain named contoso.com. The domain contains a Microsoft Exchange Server 2019 organization.
You plan to sync the domain to Azure Active Directory (Azure AD) and to enable device writeback and group writeback.
You need to identify which group types will sync from Azure AD.
Which two group types should you identify? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- an Office 365 group that uses the Assigned membership type
- a security group that uses the Dynamic Device membership type
- an Office 365 group that uses the Dynamic User membership type
- a security group that uses the Assigned membership type
- a security group that uses the Dynamic User membership type
Explanation:
Group writeback in Azure AD Connect synchronizes Office 365 groups only from Azure Active Directory back to the on-premises Active Directory. -
You have a Microsoft 365 subscription.
You view the service advisories shown in the following exhibit.
You need to ensure that a user named User1 can view the advisories to investigate service health issues.
Which role should you assign to User1?
- Compliance administrator
- Message Center reader
- Reports reader
- Service administrator
Explanation:
People who are assigned the global admin or service administrator role can view service health. To allow Exchange, SharePoint, and Skype for Business admins to view service health, they must also be assigned the Service admin role. -
Your network contains an on-premises Active Directory domain that syncs to Azure Active Directory (Azure AD).
The on-premises network contains a Microsoft SharePoint Server 2019 farm.
The company purchases a Microsoft 365 subscription.
You have the users shown in the following table
You plan to assign User1 and User2 the required roles to run the SharePoint Hybrid Configuration Wizard.
User1 will be used for on-premises credentials and User2 will be used for cloud credentials.
You need to assign the correct role to User2. The solution must use the principle of least privilege.
Which role should you assign to User2?
- Application administrator
- SharePoint farm administrator
- Global administrator
- SharePoint administrator
Explanation:
To run the SharePoint Hybrid Configuration Wizard, you need to provide credentials of a user (in this case User2) of a Global Administrator account in Azure Active Directory. -
HOTSPOT
Your network contains an on-premises Active Directory domain named contoso.com.
Your company purchases a Microsoft 365 subscription and establishes a hybrid deployment of Azure Active Directory (Azure AD) by using password hash synchronization. Password writeback is disabled in Azure AD Connect.
You create a new user named User10 on-premises and a new user named User20 in Azure AD.
You need to identify where an administrator can reset the password of each new user.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Explanation: If a user account is created in the on-premises Active Directory and synchronized to Azure Active Directory, you can reset the password of the user account in the on-premises Active Directory only.
If a user account is created in Azure Active Directory, you can reset the password of the user account in Azure Active Directory only. -
Your network contains an Active Directory forest named contoso.local.
You have a Microsoft 365 subscription.
You plan to implement a directory synchronization solution that will use password hash synchronization.
From the Microsoft 365 admin center, you verify the contoso.com domain name.
You need to prepare the environment for the planned directory synchronization solution.
What should you do first?
- From the public DNS zone of contoso.com, add a new mail exchanger (MX) record.
- From Active Directory Domains and Trusts, add contoso.com as a UPN suffix.
- From the Microsoft 365 admin center, verify the contoso.local domain name.
- From Active Directory Users and Computers, modify the UPN suffix for all users.
Explanation: The on-premises Active Directory domain is named contoso.local. Therefore, all the domain user accounts will have a UPN suffix of contoso.local by default.
To enable directory synchronization that will use password hash synchronization, you need to configure the domain user accounts to have the same UPN suffix as the verified domain (contoso.com in this case). Before you can change the UPN suffix of the domain user accounts to contoso.com, you need to add contoso.com as a UPN suffix in the domain. -
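The two-step preparation described above, as an added example that is not part of the exam material: the verified domain is added as a forest UPN suffix with Set-ADForest, and only then are user UPNs moved off the non-routable contoso.local suffix. The domain names are the ones from the question; the filter and variable names are this example's own.

```powershell
# Added example, not from the exam material. Run from Windows PowerShell on a
# domain controller as a member of Enterprise Admins (forest-level change).
Import-Module ActiveDirectory

$VerifiedDomain = 'contoso.com'   # the domain verified in the Microsoft 365 admin center

# Step 1: add the verified domain as an alternative UPN suffix for the forest.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $VerifiedDomain) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $VerifiedDomain }
}

# Step 2: move user accounts from contoso.local to contoso.com. The left-hand
# side of the UPN is kept; only the suffix changes. -WhatIf previews the change;
# remove it after checking the output.
Get-ADUser -Filter 'UserPrincipalName -like "*@contoso.local"' |
    ForEach-Object {
        $prefix = $_.UserPrincipalName.Split('@')[0]
        Set-ADUser -Identity $_ -UserPrincipalName "${prefix}@${VerifiedDomain}" -WhatIf
    }
```

Running Step 2 before Step 1 fails, because Active Directory rejects a UPN whose suffix is not registered for the forest; that ordering is the point of the question.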
Your company has a Microsoft 365 subscription.
You plan to add 100 newly hired temporary users to the subscription next week.
You create the user accounts for the new users.
You need to assign licenses to the new users.
Which command should you run?
Explanation:
The first line gets all users from the Temp department that have a Usage Location assigned and stores them in the $NewStaff variable. You cannot use PowerShell to assign a license to a user that does not have a Usage Location configured.
The second line adds the licenses to each user in the $NewStaff variable. -
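The two-line answer the explanation describes, written out as an added example with the Microsoft Graph PowerShell SDK rather than the retired MSOnline cmdlets the exam assumed. The department value, the $NewStaff name and the seat-count check are this example's assumptions; ENTERPRISEPACK is the Office 365 E3 SKU part number. Users without a usage location are skipped and reported, since the license assignment would fail for them.

```powershell
# Added example, not from the exam material. Requires a prior
# Connect-MgGraph -Scopes 'User.ReadWrite.All','Organization.Read.All'
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions
Import-Module Microsoft.Graph.Identity.DirectoryManagement

$Department = 'Temp'            # constructed: department of the temporary hires
$SkuPart    = 'ENTERPRISEPACK'  # Office 365 E3 SKU part number

# Resolve the SKU and confirm seats are available before touching any user.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $SkuPart
if (-not $sku) { throw "SKU $SkuPart not found in this tenant." }
$available = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits

$allTemp = @(Get-MgUser -Filter "department eq '$Department'" `
    -Property Id,UserPrincipalName,UsageLocation,Department -All)

# "First line": only users that have a usage location can be licensed.
$NewStaff = @($allTemp | Where-Object { $_.UsageLocation })

if ($NewStaff.Count -gt $available) {
    throw "Need $($NewStaff.Count) seats but only $available are available."
}

# "Second line": add the license to each user in $NewStaff.
foreach ($user in $NewStaff) {
    Set-MgUserLicense -UserId $user.Id `
        -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()
}

# Report the users that were skipped so their usage location can be set.
$allTemp | Where-Object { -not $_.UsageLocation } | ForEach-Object {
    Write-Warning "$($_.UserPrincipalName) has no usage location; not licensed."
}
```

Set-MgUserLicense requires both -AddLicenses and -RemoveLicenses, so an empty array is passed for the latter; the seat check avoids licensing half the batch and then failing on the rest.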
Your network contains an Active Directory domain and a Microsoft Azure Active Directory (Azure AD) tenant.
The network uses a firewall that contains a list of allowed outbound domains.
You begin to implement directory synchronization.
You discover that the firewall configuration contains only the following domain names in the list of allowed domains:
– *.microsoft.com
– *.office.com
Directory synchronization fails.
You need to ensure that directory synchronization completes successfully.
What is the best approach to achieve the goal? More than one answer choice may achieve the goal. Select the BEST answer.
- From the firewall, allow the IP address range of the Azure data center for outbound communication.
- From Azure AD Connect, modify the Customize synchronization options task.
- Deploy an Azure AD Connect sync server in staging mode.
- From the firewall, create a list of allowed inbound domains.
- From the firewall, modify the list of allowed outbound domains.
Explanation:
Azure AD Connect needs to be able to connect to various Microsoft domains such as login.microsoftonline.com. Therefore, you need to modify the list of allowed outbound domains on the firewall. -
Your network contains an on-premises Active Directory forest.
You are evaluating the implementation of Microsoft 365 and the deployment of an authentication strategy.
You need to recommend an authentication strategy that meets the following requirements:
– Allows users to sign in by using smart card-based certificates
– Allows users to connect to on-premises and Microsoft 365 services by using SSO
Which authentication strategy should you recommend?
- password hash synchronization and seamless SSO
- federation with Active Directory Federation Services (AD FS)
- pass-through authentication and seamless SSO
Explanation: Federation with Active Directory Federation Services (AD FS) is required to allow users to sign in by using smart card-based certificates.
Federated authentication
When you choose this authentication method, Azure AD hands off the authentication process to a separate trusted authentication system, such as on-premises Active Directory Federation Services (AD FS), to validate the user’s password.
The authentication system can provide additional advanced authentication requirements. Examples are smartcard-based authentication or third-party multifactor authentication. -
HOTSPOT
Your network contains an on-premises Active Directory domain that is synced to Microsoft Azure Active Directory (Azure AD) as shown in the following exhibit.
An on-premises Active Directory user account named Allan Yoo is synchronized to Azure AD. You view Allan’s account from Microsoft 365 and notice that his username is set to [email protected].
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
-
HOTSPOT
Your network contains an on-premises Active Directory domain named contoso.com that syncs to Azure Active Directory (Azure AD).
You have users in contoso.com as shown in the following table.
The users have the passwords shown in the following table.
You implement password protection as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: No
User1's password contains the banned password 'Contoso'. However, User1 will not be required to change his password at next sign-in. When the password expires, or when User1 (or an administrator) changes the password, the new password will be evaluated and will have to meet the password requirements.
Box 2: Yes
Password evaluation goes through several steps, including normalization and substring matching, which is used on the normalized password to check for the user's first and last name as well as the tenant name. Normalization is the process of converting common letter substitutes into letters. For example, 0 converts to o, $ converts to s, and so on. The next step is to identify all instances of banned passwords in the user's normalized new password. Then:
Each banned password that is found in a user's password is given one point.
Each remaining unique character is given one point.
A password must be at least five (5) points for it to be accepted.
'C0nt0s0' becomes 'contoso' after normalization. Therefore, C0nt0s0_C0mplex123 contains one instance of the banned password (contoso), which equals 1 point. After 'contoso', there are 11 unique characters. Therefore, the score for 'C0nt0s0_C0mplex123' is 12. This is more than the required 5 points, so the password is acceptable.
Box 3:
The 'Password protection for Windows Server Active Directory' setting is in 'Audit' mode. This means that the password protection rules are not applied. Audit mode is for logging policy violations before putting the password protection 'live' by changing the mode to 'Enforced'. -
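The scoring steps in Box 2, as an added example that models them in PowerShell (this is not Microsoft's implementation). It follows the explanation's rules exactly: lowercase the password, apply the two substitutions the text names (0 to o, $ to s), count and strip every banned-word occurrence, then add one point per remaining unique character. The real service uses a longer substitution table, also matches user and tenant names, and applies a fuzzy match; those are out of scope here. The banned list and the three sample passwords are constructed.

```powershell
# Added example, not from the exam material: a simplified model of the
# banned-password scoring described in the explanation.
function Get-PasswordScore {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string[]]$BannedWords = @('contoso'),   # constructed banned list
        [int]$MinimumPoints = 5
    )

    # Step 1: normalization - lowercase, then the letter substitutes the text names.
    # (The real service has a longer substitution table.)
    $normalized = $Password.ToLowerInvariant().Replace('0', 'o').Replace('$', 's')

    # Step 2: count every occurrence of each banned word and remove it.
    $bannedHits = 0
    $remaining  = $normalized
    foreach ($word in $BannedWords) {
        $word  = $word.ToLowerInvariant()
        $index = $remaining.IndexOf($word, [System.StringComparison]::Ordinal)
        while ($index -ge 0) {
            $bannedHits++
            $remaining = $remaining.Remove($index, $word.Length)
            $index     = $remaining.IndexOf($word, [System.StringComparison]::Ordinal)
        }
    }

    # Step 3: one point per banned hit, one per remaining unique character.
    $uniqueChars = @($remaining.ToCharArray() | Select-Object -Unique).Count
    $score       = $bannedHits + $uniqueChars

    [pscustomobject]@{
        Password    = $Password
        Normalized  = $normalized
        BannedHits  = $bannedHits
        UniqueChars = $uniqueChars
        Score       = $score
        Accepted    = ($score -ge $MinimumPoints)
    }
}

# Constructed samples: the page's example scores 12 (accepted); the other two
# score 1 and 2 and are rejected.
'C0nt0s0_C0mplex123', 'C0nt0s0', 'Contoso1' |
    ForEach-Object { Get-PasswordScore -Password $_ } |
    Format-Table -AutoSize
```

The model makes the Box 2 reasoning visible: a banned word does not by itself reject a password, it just contributes a single point, so what decides acceptance is how much unique material surrounds it.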
HOTSPOT
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table.
User1 is the owner of Group1. User2 is the owner of Group2.
You create an access review that contains the following configurations:
Users to review: Members of a group
Scope: Everyone
Group: Group1, Group2
Reviewers: Group owners
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Yes
User1 is the owner of Group1. User2 is in Group1 and Group2. Group owners can review access. Therefore, User1 can review User2's membership of Group1.
Box 2: Yes
User1 is the owner of Group1. User3 is in Group1 and Group2. Group owners can review access. Therefore, User1 can review User3's membership of Group1.
Box 3: No
Only group owners can review access. User3 is not a group owner. Therefore, User3 cannot review membership of the groups. -
HOTSPOT
You need to ensure that a user named User1 can create documents by using Office Online.
Which two Microsoft Office 365 license options should you turn on for User1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Explanation: You need "Office Online" to be able to create documents by using Office Online. You also need an online location to save and store the documents. For this, you would use SharePoint Online.
-
Your network contains two on-premises Active Directory forests named contoso.com and fabrikam.com. Fabrikam.com contains one domain and five domain controllers. Contoso.com contains the domains shown in the following table.
You need to sync all the users from both the forests to a single Azure Active Directory (Azure AD) tenant by using Azure AD Connect.
What is the minimum number of Azure AD Connect sync servers required?
- 1
- 2
- 3
- 4
Explanation: You can have only one active Azure AD Connect server synchronizing accounts to a single Azure Active Directory (Azure AD) tenant. You can have 'backup' Azure AD Connect servers, but these must be running in 'staging' mode. Staging mode means the Azure AD Connect instance is not actively synchronizing users but is ready to be brought online if the active Azure AD Connect instance goes offline.
When you have multiple forests, all forests must be reachable by a single Azure AD Connect sync server. The server must be joined to a domain. If necessary, to reach all forests, you can place the server in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet).