MS-100 : Microsoft 365 Identity and Services : Part 10

MS-100 : Microsoft 365 Identity and Services : Part 10

1. SIMULATION

   Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section. This may take a few minutes, and the wait time will not be deducted from your overall test time.

   When the Next button is available, click it to access the lab section. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design.

   Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn’t matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.

   Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.

   Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.

   You may now click next to proceed to the lab.

   Lab information

   Use the following login credentials as needed:

   To enter your username, place your cursor in the Sign in box and click on the username below.

   To enter your password, place your cursor in the Enter password box and click on the password below.

   Microsoft 365 Username:
   [email protected]

   Microsoft 365 Password: oL9z0=?Nq@ox

   If the Microsoft 365 portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab.

   The following information is for technical support purposes only:

   Lab Instance: 11098651

   

   You recently discovered that several users in your organization have permissions on the mailbox of another user in the organization.

   You need to ensure that Lee Gu receives a notification when a user is granted permissions on another user’s mailbox.

   To answer the question, sign in to the Microsoft 365 portal.

   • See explanation below.
   Explanation:

   Create an activity alert
   1. Go to https://protection.office.com/managealerts.
   2. Sign in to Office 365 using your work or school account.
   3. On the Activity alerts page, click + New.
   The flyout page to create an activity alert is displayed.

   

   4. Complete the following fields to create an activity alert:

   – Name – Type a name for the alert. Alert names must be unique within your organization.
   – Description (Optional) – Describe the alert, such as the activities and users being tracked, and the users that email notifications are sent to. Descriptions provide a quick and easy way to describe the purpose of the alert to other admins.
   – Alert type – Make sure the Custom option is selected.
   Send this alert when – Click Send this alert when and then configure these two fields:
       – Activities – Click the drop-down list to display the activities that you can create an alert for. This is the same activities list that’s displayed when you search the Office 365 audit log. You can select one or more specific activities or you can click the activity group name to select all activities in the group. For a description of these activities, see the “Audited activities” section in Search the audit log. When a user performs any of the activities that you’ve added to the alert, an email notification is sent.
      – Users – Click this box and then select one or more users. If the users in this box perform the activities that you added to the Activities box, an alert will be sent. Leave the Users box blank to send an alert when any user in your organization performs the activities specified by the alert.
   – Send this alert to – Click Send this alert, and then click in the Recipients box and type a name to add a users who will receive an email notification when a user (specified in the Users box) performs an activity (specified in the Activities box). Note that you are added to the list of recipients by default. You can remove your name from this list.
   5. Click Save to create the alert.
   The new alert is displayed in the list on the Activity alerts page.

   

   The status of the alert is set to On. Note that the recipients who will received an email notification when an alert is sent are also listed.

2. SIMULATION

   Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section. This may take a few minutes, and the wait time will not be deducted from your overall test time.

   When the Next button is available, click it to access the lab section. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design.

   Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn’t matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.

   Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.

   Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.

   You may now click next to proceed to the lab.

   Lab information

   Use the following login credentials as needed:

   To enter your username, place your cursor in the Sign in box and click on the username below.

   To enter your password, place your cursor in the Enter password box and click on the password below.

   Microsoft 365 Username:
   [email protected]

   Microsoft 365 Password: oL9z0=?Nq@ox

   If the Microsoft 365 portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab.

   The following information is for technical support purposes only:

   Lab Instance: 11098651

   

   You need to ensure that all the users in your organization are prompted to change their password every 180 days.

   To answer the question, sign in to the Microsoft 365 portal.

   • See explanation below.
   Explanation:

   You need to configure the Password Expiration Policy.

   1. Sign in to the Microsoft 365 Admin Center.
   2. In the left navigation pane, expand the Settings section then select the Settings option.
   3. Click on Security and Privacy.
   4. Select the Password Expiration Policy.
   5. Ensure that the checkbox labelled “Set user passwords to expire after a number of days” is ticked.
   6. Enter 180 in the “Days before passwords expire” field.
   7. Click the ‘Save changes’ button.

3. HOTSPOT

   Your network contains an on-premises Active Directory domain named adatum.com that syncs to Azure Active Directory (Azure AD) by using the Azure AD Connect Express Settings. Password writeback is disabled.

   You create a user named User1 and enter Pass in the Password field as shown in the following exhibit.

   

   The Azure AD password policy is configured as shown in the following exhibit.

   

   

   Explanation:

   Box 1: Yes
   The question states that User1 is synced to Azure AD. This tells us that the short password (Pass) meets the on-premise Active Directory password policy and you were able to create the on-premise account for User1. The on-premise Active Directory password policy applies over the Azure AD password policy for synced user accounts.

   Box 2: No
   Self-Service Password Reset would need to be configured.

   Box 3: Yes
   The password for the Azure AD User1 account will expire after 90 days according to the Azure AD password policy. If the on-premise password policy has a shorter password expiration period, User1 would have the change his/her on-premise AD password. The new password would then sync to Azure AD.

4. SIMULATION

   Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section. This may take a few minutes, and the wait time will not be deducted from your overall test time.

   When the Next button is available, click it to access the lab section. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design.

   Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn’t matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.

   Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.

   Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.

   You may now click next to proceed to the lab.

   Lab information

   Use the following login credentials as needed:

   To enter your username, place your cursor in the Sign in box and click on the username below.

   To enter your password, place your cursor in the Enter password box and click on the password below.

   Microsoft 365 Username: [email protected]

   Microsoft 365 Password: m3t^We$Z7&xy

   If the Microsoft 365 portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab.

   The following information is for technical support purposes only:

   Lab Instance: 11440873

   

   You need to add Adele Vance to a group named Managers. The solution must ensure that you can grant permissions to Managers.To answer, sign in to the Microsoft 365 portal.

   • See explanation below.
   Explanation:

   You need to create a group named Managers and add Adele Vance to the group. To ensure that you can grant permissions to the Managers group, the group needs to be a Security Group.

   1. Sign in to the Microsoft 365 Admin Center.
   2. In the left navigation pane, expand the Groups section then select Groups.
   3. Click the ‘Add a group’ link.
   4. For the group type, select Security and click Next.
   5. Enter ‘Managers’ in the Name field and click Next.
   6. Click the ‘Create Group’ button to create the Managers group.
   7. In the list of groups, select the Managers group.
   8. Click the Members link.
   9. Click the ‘View all and manage members link’.
   10. Click the ‘Add Members’ button.
   11. Select Adele Vance and click the Save button.
   12. Click the Close button to close the group page.

5. SIMULATION

   Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section. This may take a few minutes, and the wait time will not be deducted from your overall test time.

   When the Next button is available, click it to access the lab section. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design.

   Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn’t matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.

   Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.

   Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.

   You may now click next to proceed to the lab.

   Lab information

   Use the following login credentials as needed:

   To enter your username, place your cursor in the Sign in box and click on the username below.

   To enter your password, place your cursor in the Enter password box and click on the password below.

   Microsoft 365 Username: [email protected]

   Microsoft 365 Password: m3t^We$Z7&xy

   If the Microsoft 365 portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab.

   The following information is for technical support purposes only:

   Lab Instance: 11440873

   

   You need to create a policy that allows a user named Lee Gu to use Outlook Web App to review 50 percent of the outbound email messages sent by a user named Joni Sherman.

   To answer, sign in to the Microsoft 365 portal.

   • See explanation below.
   Explanation:

   You need to configure a Supervision Policy.

   1. Go to https://protection.office.com or navigate to the Security & Compliance admin center.
   2. In the left navigation pane, select Supervision.
   3. Click the ‘+Create’ button to create a new supervision policy.
   4. Give the policy a name such as ‘Joni Sherman’ and click Next.
   5. In the ‘Supervised users’ section, click ‘+Add users or groups’.
   6. Select Joni Sherman from the users list and click the Add button.
   7. Deselect the ‘Teams chats’ and ‘Skype for Business Conversations’ checkboxes leaving only the ‘Exchange Email’ checkbox ticked and click Next.
   8. Under ‘Direction is’, deselect Inbound leaving only Outbound selected and click Next.
   9. In the ‘Percentage to review’ section, enter 50 and click Next.
   10. In the ‘Reviewers’ section, start typing Lee Gu then select his account when it appears.
   11. Click Next.
   12. On the ‘Review your settings’ page, check the settings are correct the click the Finish button to create the policy.

6. SIMULATION

   Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section. This may take a few minutes, and the wait time will not be deducted from your overall test time.

   When the Next button is available, click it to access the lab section. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design.

   Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn’t matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.

   Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.

   Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.

   You may now click next to proceed to the lab.

   Lab information

   Use the following login credentials as needed:

   To enter your username, place your cursor in the Sign in box and click on the username below.

   To enter your password, place your cursor in the Enter password box and click on the password below.

   Microsoft 365 Username: [email protected]

   Microsoft 365 Password: m3t^We$Z7&xy

   If the Microsoft 365 portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab.

   The following information is for technical support purposes only:

   Lab Instance: 11440873

   

   You need to ensure that all the users in your organization are prompted to change their password every 60 days. The solution must ensure that the users are reminded that their password must be changed 10 days before the required change.

   To answer, sign in to the Microsoft 365 portal.

   • See explanation below.
   Explanation:

   You need to configure the Password Expiration Policy.

   1. Sign in to the Microsoft 365 Admin Center.
   2. In the left navigation pane, expand the Settings section then select the Settings option.
   3. Click on Security and Privacy.
   4. Select the Password Expiration Policy.
   5. Ensure that the checkbox labelled “Set user passwords to expire after a number of days” is ticked.
   6. Enter 60 in the “Days before passwords expire” field.
   7. Enter 10 in the “Days before a user is notified about expiration” field.
   8. Click the ‘Save changes’ button.

7. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

   After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

   Your network contains an on-premises Active Directory forest named contoso.com. The forest contains the following domains:

   – Contoso.com
   – East.contoso.com

   An Azure AD Connect server is deployed to contoso.com. Azure AD Connect syncs to an Azure Active Directory (Azure AD) tenant.

   You deploy a new domain named west.contoso.com to the forest.

   You need to ensure that west.contoso.com syncs to the Azure AD tenant.

   Solution: You install a new Azure AD Connect server in west.contoso.com and set AD Connect to active mode.

   Does this meet the goal?

   • Yes
   • No
   Explanation:
   You can only have one the AD Connect per tenant and one is already located in the root domain. Instead, run the wizard and add the new child domain to sync.

8. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

   After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

   Your network contains an on-premises Active Directory forest named contoso.com. The forest contains the following domains:

   – Contoso.com
   – East.contoso.com

   An Azure AD Connect server is deployed to contoso.com. Azure AD Connect syncs to an Azure Active Directory (Azure AD) tenant.

   You deploy a new domain named west.contoso.com to the forest.

   You need to ensure that west.contoso.com syncs to the Azure AD tenant.

   Solution: You install a new Azure AD Connect server in west.contoso.com and set AD Connect to staging mode.

   Does this meet the goal?

   • Yes
   • No
   Explanation:
   When Azure AD Connect is set to staging mode, this action makes the server active for import and synchronization, but it does not run any exports. A server in staging mode is not running password sync or password writeback, even if you selected these features during installation.

9. You have a Microsoft 365 subscription that contains the domains shown in the following exhibit.

   

   Which domain name suffixes can you use when you create users?

   • only Sub1.Contoso1919.onmicrosoft.com
   • only Contoso1919.onmicrosoft.com and Sub2.Contoso1919.onmicrosoft.com
   • only Contoso1919.onmicrosoft.com, Sub1.Contoso1919.onmicrosoft.com, and Sub2.Contoso1919.onmicrosoft.com
   • all the domains in the subscription

10. You have a Microsoft 365 subscription that contains the users shown in the following table.

    

    You plan to use Exchange Online to manage email for a DNS domain.

    An administrator adds the DNS domain to the subscription.

    The DNS domain has a status of incomplete setup.

    You need to identify which user can complete the setup of the DNS domain. The solution must use the principle of least privilege.

    Which user should you identify?

    • User1
    • User2
    • User3
    • User4

11. Your network contains an on-premises Active Directory domain named contoso.com. The domain contains the objects shown in the following table.

    

    You configure Azure AD Connect to sync contoso.com to Azure Active Directory.

    Which objects will sync to Azure AD?

    • Group1, User1, and User2
    • Group1 and User1 only
    • User1 and User2 only
    • Group1 only

12. HOTSPOT

    Your network contains an on-premises Active Directory domain that is synced to Microsoft Azure Active Directory (Azure AD) as shown in the following two exhibits.

    

    

    You create a user named User1 in Active Directory as shown in the following exhibit.

    

    For each of the following statements, select Yes if the statement is true. Otherwise, select No.

    NOTE: Each correct selection is worth one point.

    

    

    Explanation:

    The Azure AD Attributes page shows which attributes will be synchronized based on the Office 365 services you are using (Exchange, SharePoint etc). We can see that ExtenstionAttribute10 and ExtensionAttribute11 have been deselected.

    The Directory Extensions page shows which additional attributes will be synchronized (additional to the list in the Azure AD Attributes page).

    ExtensionAttribute1:
    Will be synchronized because it is ticked in the Azure AD Attributes page.

    ExtensionAttribute10.
    Will be synchronized because although it is unticked in the Azure AD Attributes page, it is added again in the Directory Extensions page.

    ExtensionAttribute11.
    Will not be synchronized because it is unticked in the Azure AD Attributes page and it is not added again in the Directory Extensions page.

    ExtensionAttribute12:
    Will be synchronized because it is ticked in the Azure AD Attributes page. It is also added again in the Directory Extensions page but this will have no effect as it is already ticked in the Azure AD Attributes page.

13. HOTSPOT

    Your company has a Microsoft 365 subscription that contains the users shown in the following table.

    

    External collaboration settings have default configuration.

    You need to identify which users can perform the following administrative tasks:

    Modify the password protection policy.
    Create guest user accounts.

    Which users should you identify for each task? To answer, select the appropriate options in the answer area.

    NOTE: Each correct selection is worth one point.

    

    

    Explanation:

    Only a Global Admin can modify the password protection policy.
    A Global Admin or a user with the Guest Inviter role can create guest accounts.

14. Your network contains a single Active Directory domain and two Microsoft Azure Active Directory (Azure AD) tenants.

    You plan to implement directory synchronization for both Azure AD tenants. Each tenant will contain some of the Active Directory users.

    You need to recommend a solution for the planned directory synchronization.

    What should you include in the recommendation?

    • Deploy two servers that run Azure AD Connect, and then filter the users for each tenant by using organizational unit (OU)-based filtering.
    • Deploy one server that runs Azure AD Connect, and then specify two sync groups.
    • Deploy one server that runs Azure AD Connect, and then filter the users for each tenant by using organizational unit (OU)-based filtering.
    • Deploy one server that runs Azure AD Connect, and then filter the users for each tenant by using domain-based filtering.
    Explanation:

    There’s a 1:1 relationship between an Azure AD Connect sync server and an Azure AD tenant. For each Azure AD tenant, you need one Azure AD Connect sync server installation.
    Therefore, we need to deploy two servers that run Azure AD Connect for the two Azure AD tenants.

    Each user account can only be synchronized to one Azure AD tenant. Therefore, we need a way of splitting the users between the two Azure AD tenants. Azure AD Connect offers three ways to filter which users get synchronized to an Azure AD tenant. You can use domain-based filtering if you have multiple domains in a forest, attribute-based filtering or OU-based filtering.

    Note:
    Other incorrect answers for this question include:
    1. Deploy one server that runs Azure AD Connect, and then filter the users for each tenant by using attribute-based filtering.
    2. Deploy one server that runs Azure AD Connect, and then specify two sync groups.

15. HOTSPOT

    Your company has a hybrid deployment of Microsoft 365.

    An on-premises user named User1 is synced to Microsoft Azure Active Directory (Azure AD).

    Azure AD Connect is configured as shown in the following exhibit.

    

    Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

    NOTE: Each correct selection is worth one point.

    

    

    Explanation:

    User1 cannot change her password from any Microsoft portals because Password Writeback is disabled in the Azure AD Connect configuration.

    If the password for User1 is changed in Active Directory, the password hash will be synchronized to Azure AD because Password Synchronization is enabled in the Azure AD Connect configuration.

16. HOTSPOT

    You have a Microsoft 365 E5 subscription linked to an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains the users shown in the following table.

    

    Password writeback is disabled in Azure AD Connect.

    You enable self-service password reset (SSPR) for Group1.

    You configure password protection for contoso.com as shown in the following exhibit.

    

    For each of the following statements, select Yes if the statement is true. Otherwise, select No.

    NOTE: Each correct selection is worth one point.

    

    

    Explanation:

    With the password policy, VeRYC0MplexPa55w.rd. is an acceptable password.

    Box 1: Yes
    User1 is an Azure AD account so User1 can reset his password.

    Box 2: No
    User2 is a Windows Server Active Directory Account. User2 could change the password for the Azure AD account. However, as Password Writeback is disabled, the password change will not be written back to the Windows Server Active Directory account.

    Box 3: No
    The Azure AD Tenant is named contoso.com. User3 is a guest account from a different directory named outlook.com. You cannot use SSPR in one directory to change the password for an account in a different directory.

17. You have a Microsoft 365 E5 subscription that is linked to an Azure Active Directory (Azure AD) tenant named contoso.com.

    You purchase 100 Microsoft 365 Business Voice add-on licenses.

    You need to ensure that the members of a group named Voice are assigned a Microsoft 365 Business Voice add-on license automatically.

    What should you do?

    • From the Azure Active Directory admin center, modify the settings of the Voice group.
    • From the Microsoft 365 admin center, modify the settings of the Voice group.
    • From the Licenses page of the Microsoft 365 admin center, assign the licenses.
    Explanation:
    You can assign licenses to a user or a group from the Licenses page of the Microsoft 365 admin center.

18. Your company has a Microsoft Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains a user named User1.

    You suspect that an imposter is signing in to Azure AD by using the credentials of User1.

    You need to ensure that an administrator named Admin1 can view all the sign in details of User1 from the past 24 hours.

    To which three roles should you add Admin1? Each correct answer presents a complete solution.

    NOTE: Each correct selection is worth one point.

    • Security administrator
    • Password administrator
    • User administrator
    • Compliance administrator
    • Reports reader
    • Security reader
    Explanation:
    Users in the Security Administrator, Security Reader, Global Reader, and Report Reader roles can view the sign in details.

19. You have Microsoft 365 tenant that contains a Microsoft Power Platform environment named Environment1 (default). Environment1 contains a Microsoft Dataverse database.

    In the tenant, you create a user named User1. You assign a Microsoft Power Apps license to User1.

    Which security role for Environment1 is assigned automatically to User1?

    • Environment maker
    • System customizer
    • Delegate
    • Environment admin

20. You have a hybrid deployment of Microsoft 365 that contains the users shown in the following table.

    

    You plan to provide access to an on-premises app named App1 by using Azure AD Application Proxy. App1 will be managed by User4.

    You need to identify which user can install the Application Proxy connector.

    Which user should you identify?

    • User1
    • User2
    • User3
    • User4