MS-100 : Microsoft 365 Identity and Services : Part 12

  1. Your company has a Microsoft 365 subscription that has multi-factor authentication configured for all users.

    Users that connect to Microsoft 365 services report that they are prompted for multi-factor authentication multiple times a day.

    You need to reduce the number of times the users are prompted for multi-factor authentication on their company-owned devices. Your solution must ensure that users are still prompted for MFA.

    What should you do?

    • Enable the multi-factor authentication trusted IPs setting, and then verify each device as a trusted device.
    • Enable the remember multi-factor authentication setting, and then verify each device as a trusted device.
    • Enable the multi-factor authentication trusted IPs setting, and then join all client computers to Microsoft Azure Active Directory (Azure AD).
    • Enable the remember multi-factor authentication setting, and then join all client computers to Microsoft Azure Active Directory (Azure AD).

    Explanation:
    The remember Multi-Factor Authentication feature for devices and browsers that are trusted by the user is a free feature for all Multi-Factor Authentication users. Users can bypass subsequent verifications for a specified number of days after they’ve successfully signed in to a device by using Multi-Factor Authentication. The feature enhances usability by minimizing the number of times a user has to perform two-step verification on the same device.

  2. SIMULATION

    Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section. This may take a few minutes, and the wait time will not be deducted from your overall test time.

    When the Next button is available, click it to access the lab section. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design.

    Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn’t matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.

    Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.

    Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.

    You may now click next to proceed to the lab.

    Lab information

    Use the following login credentials as needed:

    To enter your username, place your cursor in the Sign in box and click on the username below.

    To enter your password, place your cursor in the Enter password box and click on the password below.

    Microsoft 365 Username:
    [email protected]

    Microsoft 365 Password: 3&YWyjse-6-d

    If the Microsoft 365 portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab.

    The following information is for technical support purposes only:

    Lab Instance: 10887751

    You plan to allow the users in your organization to invite external users as guest users to your Microsoft 365 tenant.

    You need to prevent the organization’s users from inviting guests who have an email address that uses a suffix of @gmail.com.

    • See explanation below.
    Explanation:

    You need to add gmail.com as a denied domain in the ‘External collaboration settings’.

    1. Go to the Azure Active Directory admin center.
    2. Select Users then select ‘User settings’.
    3. Under External Users, select the ‘Manage external collaboration settings’.
    4. Under ‘Collaboration restrictions’, select the ‘Deny invitations to the specified domains’ option.
    5. Under Target Domains, type in the domain name ‘gmail.com’.
    6. Click the Save button at the top of the screen to save your changes.

  3. SIMULATION

    You hire a new global administrator named Irvin Sayers to manage your Microsoft 365 tenant.
     
    You need to modify Irvin Sayers to meet the following requirements:
     
    – Uses at least two methods of user authentication
    – Has the highest Microsoft Office 365 administrative privileges
    • See explanation below.
    Explanation: 

    You need to assign the Global Admin role to Irvin Sayers. You then need to configure the account to require Multi-Factor Authentication (MFA).

    1. In the Microsoft 365 admin center, select Users then select Active Users.
    2. Select the Irvin Sayers account to open the account properties blade.
    3. In the Roles section, click on the ‘Manage roles’ link.
    4. Select the ‘Admin center access’ option.
    5. Select Global Administrator then click the ‘Save changes’ button.

    The next step is to enable the account for Multi-Factor Authentication (MFA).

    1. If the Irvin Sayers account is selected in the user accounts list, deselect it (click on the tick icon next to the account name). Selecting a user account changes the menu options at the top of the page; deselecting the accounts changes the menu options back.
    2. Click on the ‘Multi-factor authentication’ link at the top of the page.
    3. In the ‘Multi-factor authentication’ page, select the Irvin Sayers account.
    4. Click the ‘Enable’ link on the right side of the page.
    5. In the pop-up window, click the ‘enable multi-factor auth’ button.

  4. SIMULATION

    Your company has a web application named App1.

    The company plans to publish App1 by using a URL of https://app1.contoso.com.

    You need to register App1 to your Microsoft Office 365 tenant.

    • See explanation below.
    Explanation:

    You need to register App1 in Azure Active Directory.

    1. Go to the Azure Active Directory admin center.
    2. Select Azure Active Directory.
    3. Select ‘App registrations’.
    4. Click the ‘New registration’ link.
    5. Enter the name App1.
    6. Click the Register button.
    7. To add the URL to App1, select App1 in the list of registered apps.
    8. In the properties page of App1, select Branding.
    9. Enter the URL https://app1.contoso.com in the ‘Home page URL’ box.
    10. Click Save to save the changes.

  5. SIMULATION

    You plan to provide an external user named [email protected] with access to several resources in your Microsoft 365 tenant.

    You need to ensure that the external user can be added to Office 365 groups.

    • See explanation below.
    Explanation:

    You need to create a guest account for the external user.

    1. Go to the Azure Active Directory admin center.
    2. Select Users.
    3. Click the ‘New guest user’ link.
    4. Select the ‘Invite user’ option.
    5. Give the account a name and enter [email protected] in the email address field.
    6. Click the ‘Invite’ button.

  6. SIMULATION

    You need to ensure that all mobile devices that connect to Microsoft Exchange Online meet the following requirements:

    – A password must be used to access the devices.
    – Data on the devices must be encrypted.

    • See explanation below.
    Explanation:

    You need to modify the default mobile device mailbox policy.

    1. Go to the Exchange Admin Center.
    2. Select ‘mobile’ then select ‘mobile device mailbox policies’.
    3. Click the ‘Create a policy’ button.
    4. Select the Default policy and click the edit icon (pencil icon).
    5. Select the ‘Security’ link to open the security settings.
    6. Tick the ‘Require a password’ checkbox.
    7. Tick the ‘Require encryption on device’ checkbox.
    8. Click the Save button to save the changes.

  7. SIMULATION

    You plan to invite several guest users to access the resources in your organization.

    You need to ensure that only guests who have an email address that uses the @contoso.com suffix can connect to the resources in your Microsoft 365 tenant.

    • See explanation below.
    Explanation:

    You need to add contoso.com as an allowed domain in the ‘External collaboration settings’.

    1. Go to the Azure Active Directory admin center.
    2. Select Users then select ‘User settings’.
    3. Under External Users, select the ‘Manage external collaboration settings’.
    4. Under ‘Collaboration restrictions’, select the ‘Allow invitations only to the specified domains (most restrictive)’ option.
    5. Under Target Domains, type in the domain name ‘contoso.com’.
    6. Click the Save button at the top of the screen to save your changes.

  8. SIMULATION

    You need to prevent non-administrators in your organization from registering applications.

    • See explanation below.
    Explanation:

    You need to configure the App Registrations setting in Azure Active Directory.

    1. Go to the Azure Active Directory admin center.
    2. Select Azure Active Directory.
    3. Select ‘User settings’
    4. In the ‘App registrations’ section, toggle the ‘Users can register applications’ setting to No.
    5. Click Save to save the changes.

  9. SIMULATION

    Your organization recently partnered with another organization named Fabrikam, Inc.

    You plan to provide a Microsoft 365 license to an external user named [email protected], and then to share documents with the user.

    You need to invite [email protected] to access your organization.

    • See explanation below.
    Explanation:

    You need to create a guest account for user1.

    1. Go to the Azure Active Directory admin center.
    2. Select Users.
    3. Click the ‘New guest user’ link.
    4. Select the ‘Invite user’ option.
    5. Give the account a name (User1) and enter [email protected] in the email address field.
    6. Click the ‘Invite’ button.

  10. SIMULATION

    You plan to provide several users in your organization with the ability to join their Windows 10 device to Microsoft Azure Active Directory (Azure AD).

    You need to ensure that all the users who join a device use multi-factor authentication.

    • See explanation below.
    Explanation:

    You need to configure the device settings in Azure Active Directory.

    1. Go to the Azure Active Directory admin center.
    2. Select Azure Active Directory.
    3. Select Devices.
    4. Select Device Settings.
    5. Toggle the ‘Require Multi-Factor Auth to join devices’ setting to Yes.
    6. Click Save to save the changes.

  11. SIMULATION

    You need to prevent the users in your organization from establishing voice calls from Microsoft Skype for Business to external Skype users.

    • See explanation below.
    Explanation:

    You need to configure the External Communications settings in the Skype for Business admin center.

    1. You need to go to the Skype for Business admin center. If you see a Skype for Business admin center in the admin center list in the Microsoft portal, open it and skip to step 4.
    2. If you don’t see a Skype for Business admin center in the admin center list in the Microsoft portal, open the Teams admin center.
    3. In the Teams admin center, choose Skype > Legacy Portal.
    4. In the Skype for Business admin center, select Organization.
    5. Select External communications.
    6. Untick the ‘Let people use Skype for Business to communicate with Skype users outside your organization’ checkbox.
    7. Click Save to save the changes.

  12. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    Your network contains an Active Directory forest.

    You deploy Microsoft 365.

    You plan to implement directory synchronization.

    You need to recommend a security solution for the synchronized identities. The solution must meet the following requirements:

    – Users must be able to authenticate successfully to Microsoft 365 services if Active Directory becomes unavailable.
    – User passwords must be 10 characters or more.

    Solution: Implement pass-through authentication and configure password protection in the Azure AD tenant.

    Does this meet the goal?

    • Yes
    • No
    Explanation:

    This solution does not meet the following requirement:
    – Users must be able to authenticate successfully to Microsoft 365 services if Active Directory becomes unavailable.
    This is because with pass-through authentication, the authentication is performed by the on-premise Active Directory.

    This solution does not meet the following requirement:
    – User passwords must be 10 characters or more.
    To meet this requirement, you would need to configure the Default Domain Policy in the on-premise Active Directory.

    Azure Password Protection can prevent users from using passwords from a ‘banned password’ list but it cannot be configured to require that passwords must be 10 characters or more.

  13. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    Your network contains an Active Directory forest.

    You deploy Microsoft 365.

    You plan to implement directory synchronization.

    You need to recommend a security solution for the synchronized identities. The solution must meet the following requirements:

    – Users must be able to authenticate successfully to Microsoft 365 services if Active Directory becomes unavailable.
    – User passwords must be 10 characters or more.

    Solution: Implement password hash synchronization and modify the password settings from the Default Domain Policy in Active Directory.

    Does this meet the goal?

    • Yes
    • No
    Explanation:

    This solution meets the requirements:
    – Users must be able to authenticate successfully to Microsoft 365 services if Active Directory becomes unavailable. (This is because the authentication is performed by Azure Active Directory.)
    – User passwords must be 10 characters or more. (The Default Domain Policy in the on-premises Active Directory can be configured to require the password length.)

  14. Your company has three main offices and one branch office. The branch office is used for research.

    The company plans to implement a Microsoft 365 tenant and to deploy multi-factor authentication.

    You need to recommend a Microsoft 365 solution to ensure that multi-factor authentication is enforced only for users in the branch office.

    What should you include in the recommendation?

    • Microsoft Azure Active Directory (Azure AD) conditional access.
    • Microsoft Azure Active Directory (Azure AD) password protection.
    • A Microsoft Endpoint Manager device compliance policy.
    • A Microsoft Endpoint Manager device configuration profile.
    Explanation:

    With Azure Active Directory (Azure AD) Conditional Access, you can control how authorized users can access your cloud apps. The location condition of a Conditional Access policy enables you to tie access controls settings to the network locations of your users.

    For this question, we need to configure a location condition in a conditional access policy and apply the policy to users in that location (the branch office). The conditional access policy can be configured to ‘Allow Access’ but ‘Require MFA’.

  15. Your network contains an Active Directory domain named contoso.com.

    All users authenticate by using a third-party authentication solution.

    You purchase Microsoft 365 and plan to implement several Microsoft 365 services.

    You need to recommend an identity strategy that meets the following requirements:

    – Provides seamless SSO
    – Minimizes the number of additional servers required to support the solution
    – Stores the passwords of all the users in Microsoft Azure Active Directory (Azure AD)
    – Ensures that all the users authenticate to Microsoft 365 by using their on-premises user account

    You are evaluating the implementation of federation.

    Which two requirements are met by using federation? Each correct answer presents a complete solution.

    NOTE: Each correct selection is worth one point.

    • minimizes the number of additional servers required to support the solution
    • provides seamless SSO
    • stores the passwords of all the users in Azure AD
    • ensures that all the users authenticate to Microsoft 365 by using their on-premises user account
    Explanation:

    When you choose federation as the authentication method, Azure AD hands off the authentication process to a separate trusted authentication system, such as on-premises Active Directory Federation Services (AD FS), to validate the user’s password. AD FS can use on-premises Active Directory as an authentication provider. AD FS can also provide SSO when using Active Directory as an authentication provider.

    Incorrect Answers:
    A: Additional servers are required to support the AD FS infrastructure.
    C: The passwords are not synchronised to Azure AD.

  16. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    Your company plans to deploy several Microsoft Office 365 services.

    You need to design an authentication strategy for the planned deployment. The solution must meet the following requirements:

    – Users must be able to authenticate during business hours only.
    – Authentication requests must be processed successfully if a single server fails.
    – When the password for an on-premises user account expires, the new password must be enforced the next time the user signs in.
    – Users who connect to Office 365 services from domain-joined devices that are connected to the internal network must be signed in automatically.

    Solution: You design an authentication strategy that uses federation authentication by using Active Directory Federation Services (AD FS). The solution contains two AD FS servers and two Web Application Proxies.

    Does this meet the goal?

    • Yes
    • No
    Explanation:

    This solution meets the following requirements:
    – Users must be able to authenticate during business hours only.
    – Authentication requests must be processed successfully if a single server fails.
    – When the password for an on-premises user account expires, the new password must be enforced the next time the user signs in.

    The following requirement is not met:
    – Users who connect to Office 365 services from domain-joined devices that are connected to the internal network must be signed in automatically.

    To meet this requirement, you would need to configure seamless Single Sign-on (SSO).

  17. HOTSPOT

    You have a Microsoft 365 subscription that contains the users shown in the following table.

    MS-100 Microsoft 365 Identity and Services Part 12 Q17 152

    You have the named locations shown in the following table.

    MS-100 Microsoft 365 Identity and Services Part 12 Q17 153

    You create a conditional access policy that has the following configurations:

    – Users and groups:
        – Include: Group1
        – Exclude: Group2
    – Cloud apps: Include all cloud apps
    – Conditions:
        – Include: Any location
        – Exclude: Montreal
    – Access control: Grant access, Require multi-factor authentication

    User1 is on the multi-factor authentication (MFA) blocked users list.

    For each of the following statements, select Yes if the statement is true. Otherwise, select No.

    NOTE: Each correct selection is worth one point.

    MS-100 Microsoft 365 Identity and Services Part 12 Q17 154 Question
    MS-100 Microsoft 365 Identity and Services Part 12 Q17 154 Answer
    Explanation:

    The Blocked User list is used to block specific users from being able to receive Multi-Factor Authentication requests. Any authentication attempts for blocked users are automatically denied. Users remain blocked for 90 days from the time that they are blocked.

    Box 1: Yes
    133.107.10.20 is in the Montreal named location. The conditional access policy excludes Montreal so the policy does not apply. Therefore, User1 can access Microsoft Office 365.

    Box 2: No
    193.77.10.15 is in the Toronto named location. The conditional access policy applies to Group1 which User1 is a member of and all locations except for Montreal. Therefore, the conditional access policy applies in this case. The policy requires MFA but User1 is on the MFA blocked list so he is unable to use MFA. Therefore, User1 cannot access Microsoft 365.

    Box 3: Yes
    User2 is in Group1 and Group2. The conditional access policy applies to Group1 but excludes Group2. Therefore, the conditional access policy does not apply in this case so User2 can access Microsoft Office 365.

  18. Your network contains an Active Directory domain named contoso.com. The domain contains five domain controllers.

    You purchase Microsoft 365 and plan to implement several Microsoft 365 services.

    You need to identify an authentication strategy for the planned Microsoft 365 deployment. The solution must meet the following requirements:

    – Ensure that users can access Microsoft 365 by using their on-premises credentials.
    – Use the existing server infrastructure only.
    – Store all user passwords on-premises only.
    – Be highly available.

    Which authentication strategy should you identify?

    • pass-through authentication and seamless SSO
    • pass-through authentication and seamless SSO with password hash synchronization
    • password hash synchronization and seamless SSO
    • federation
    Explanation:

    Azure AD Pass-through Authentication provides simple password validation for Azure AD authentication services by using a software agent that runs on one or more on-premises servers. The servers validate the users directly with your on-premises Active Directory, which ensures that the password validation doesn’t happen in the cloud.

    Incorrect Answers:
    B: Password hash synchronization replicates passwords to Azure Active Directory. This does not meet the following requirement: Store all user passwords on-premises only.
    C: Password hash synchronization replicates passwords to Azure Active Directory. This does not meet the following requirement: Store all user passwords on-premises only.
    D: Federation requires additional servers running Active Directory Federation Services. This does not meet the following requirement: Use the existing server infrastructure only.

  19. Your network contains an on-premises Active Directory domain.

    You have a Microsoft 365 subscription.

    You implement a directory synchronization solution that uses pass-through authentication.

    You configure Microsoft Azure Active Directory (Azure AD) smart lockout as shown in the following exhibit.

    MS-100 Microsoft 365 Identity and Services Part 12 Q19 155

    You discover that Active Directory users can use the passwords in the custom banned passwords list.

    You need to ensure that banned passwords are effective for all users.

    Which three actions should you perform? Each correct answer presents part of the solution.

    NOTE: Each correct selection is worth one point.

    • From a domain controller, install the Azure AD Password Protection Proxy.
    • From a domain controller, install the Microsoft AAD Application Proxy connector.
    • From Custom banned passwords, modify the Enforce custom list setting.
    • From Password protection for Windows Server Active Directory, modify the Mode setting.
    • From all the domain controllers, install the Azure AD Password Protection DC Agent.
    • From Active Directory, modify the Default Domain Policy.
    Explanation:

    Azure AD password protection is a feature that enhances password policies in an organization. On-premises deployment of password protection uses both the global and custom banned-password lists that are stored in Azure AD. It does the same checks on-premises as Azure AD does for cloud-based changes. These checks are performed during password changes and password reset scenarios.

    You need to install the Azure AD Password Protection Proxy on a domain controller and install the Azure AD Password Protection DC Agent on all domain controllers. When the proxy and agent are installed and configured, Azure AD password protection will work.

    In the exhibit, the password protection is configured in Audit mode. This is used for testing. To enforce the configured policy, you need to set the password protection setting to Enforced.

  20. HOTSPOT

    You have a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com that includes a user named User1.

    You enable multi-factor authentication for contoso.com and configure the following two fraud alert settings:

    Set Allow users to submit fraud alerts: On
    Automatically block users who report fraud: On

    You need to instruct the users in your organization to use the fraud reporting features correctly.

    What should you tell the users to do? To answer, select the appropriate options in the answer area.

    NOTE: Each correct selection is worth one point.

    MS-100 Microsoft 365 Identity and Services Part 12 Q20 156 Question
    MS-100 Microsoft 365 Identity and Services Part 12 Q20 156 Answer
    Explanation:

    Code to report fraud during initial greeting: When users receive a phone call to perform two-step verification, they normally press # to confirm their sign-in. To report fraud, the user enters a code before pressing #. This code is 0 by default, but you can customize it.

    Block user when fraud is reported: If a user reports fraud, their account is blocked for 90 days or until an administrator unblocks their account. An administrator can review sign-ins by using the sign-in report, and take appropriate action to prevent future fraud. An administrator can then unblock the user’s account.
