MS-100 : Microsoft 365 Identity and Services : Part 13
-
You have a Microsoft Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.
An external user has a Microsoft account that uses an email address of [email protected].
An administrator named Admin1 attempts to create a user account for the external user and receives the error message shown in the following exhibit.
You need to ensure that Admin1 can add the user.
What should you do from the Azure Active Directory admin center?
- Add a custom domain name named outlook.com.
- Modify the Authentication methods.
- Modify the External collaboration settings.
- Assign Admin1 the Security administrator role.
Explanation:
In the External Collaboration settings, you can set the following invitation policies:
– Turn off invitations
– Only admins and users in the Guest Inviter role can invite
– Admins, the Guest Inviter role, and members can invite
– All users, including guests, can invite
In this question, an Admin user is unable to invite the guest user. This suggests that invitations are turned off altogether.
-
HOTSPOT
You have a Microsoft 365 Enterprise E5 subscription.
You create a password policy as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Explanation:
By default, smart lockout locks the account from sign-in attempts for one minute after 10 failed attempts. In this question, the lockout threshold is 5 failed attempts. The account locks again after each subsequent failed sign-in attempt, for one minute at first and longer in subsequent attempts.
Password evaluation goes through several steps, including normalization and substring matching, which is used on the normalized password to check for the user’s first and last name as well as the tenant name.
The next step is to identify all instances of banned passwords in the user’s normalized new password. Then:
1. Each banned password that is found in a user’s password is given one point.
2. Each remaining unique character is given one point.
3. A password must be at least five (5) points for it to be accepted.
Conto$01Pa$$word contains two banned passwords and no remaining unique characters so is given a score of 2 points. This is less than the required 5 points so will be rejected.
Pa$$w0rd contains a banned password and no remaining unique characters so is given a score of 1 point. This is less than the required 5 points so will be rejected.
AzureAD!!111 contains a banned password (AzureAD!!) and has three remaining characters. However, the remaining characters are all the same (they’re all 1s) so that is only one unique character. So that password will be given a score of 2. One for the banned password and 1 for the unique character. This is less than the required 5 points so will be rejected.
PasswordPa55w.rd does not contain a banned password. PasswordPa55w.rd contains 16 characters. However, there are two ‘P’, two ‘a’, two ‘s’, two ‘w’, two ‘r’, two ‘d’, and two ‘5’ so there are 9 unique characters. Therefore, the password will be given a score of 9 points. This is more than the required 5 points so the password will be accepted.
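As an added worked example (not from the original page and not Microsoft's code), the normalize / match / score steps described above implemented in Python. The banned list, user names and tenant name are constructed assumptions because the policy exhibit is not reproduced here, and since the edit-distance-one fuzzy matching that Microsoft also applies is omitted, point totals can differ from the walk-through above even though the accept/reject outcomes agree.

```python
# Added illustrative implementation of the scoring rules explained above.
# The banned list is constructed from that explanation; the real policy
# exhibit is not reproduced on the page.

# Normalization Microsoft documents for password protection: lower-case the
# password, then undo the common "leet" substitutions before any matching.
LEET = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
MIN_POINTS = 5

# Constructed banned list mirroring the terms the explanation treats as banned.
BANNED = ("Contoso", "Password", "AzureAD!!")


def normalize(password: str) -> str:
    """Lower-case the password and undo the documented leet substitutions."""
    return password.lower().translate(LEET)


def evaluate(password, banned_terms, user_names=(), tenant_name=None):
    """Return (accepted, points, matches) for a candidate password.

    Steps follow the explanation above:
      1. normalize the password;
      2. find every banned term as a substring of the normalized password
         (the user's first/last name and the tenant name are treated as
         extra banned terms here, a simplifying assumption);
      3. one point per banned term found plus one point per remaining
         unique character; fewer than MIN_POINTS rejects the password.
    Microsoft additionally applies fuzzy (edit-distance-one) matching, which
    this simplified version omits, so point totals can differ from the service.
    """
    norm = normalize(password)
    extra = tuple(user_names) + ((tenant_name,) if tenant_name else ())
    terms = {normalize(t) for t in (*banned_terms, *extra) if t}
    covered = [False] * len(norm)
    matches = []
    # Longest terms first, so a term that contains a shorter banned term
    # consumes those characters once instead of being counted twice.
    for term in sorted(terms, key=len, reverse=True):
        start = norm.find(term)
        while start != -1:
            span = range(start, start + len(term))
            if not any(covered[i] for i in span):  # each character counts once
                matches.append(term)
                for i in span:
                    covered[i] = True
            start = norm.find(term, start + 1)
    remaining = {ch for ch, hit in zip(norm, covered) if not hit}
    points = len(matches) + len(remaining)
    return points >= MIN_POINTS, points, matches


if __name__ == "__main__":
    # The four candidates from the exhibit walk-through above.
    for candidate in ("Conto$01Pa$$word", "Pa$$w0rd", "AzureAD!!111", "PasswordPa55w.rd"):
        accepted, points, matches = evaluate(candidate, BANNED)
        print(f"{candidate:18} -> {points} point(s), banned terms {matches}, "
              f"{'accepted' if accepted else 'rejected'}")
    # Name / tenant-name substring check: a password built from the user's own
    # name scores poorly even when no global banned term is present.
    print(evaluate("Lynne.Robbins1", BANNED, user_names=("Lynne", "Robbins"),
                   tenant_name="contoso"))
```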
-
SIMULATION
Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section. This may take a few minutes, and the wait time will not be deducted from your overall test time.
When the Next button is available, click it to access the lab section. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design.
Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn’t matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.
Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.
Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.
You may now click next to proceed to the lab.
Lab information
Use the following login credentials as needed:
To enter your username, place your cursor in the Sign in box and click on the username below.
To enter your password, place your cursor in the Enter password box and click on the password below.
Microsoft 365 Username: [email protected]
Microsoft 365 Password: m3t^We$Z7&xy
If the Microsoft 365 portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab.
The following information is for technical support purposes only:
Lab Instance: 11440873
You need to ensure that when Lynne Robbins attempts to sign in to the Microsoft Office 365 portal, Lynne Robbins is prompted to authenticate by using multiple methods.
To answer, sign in to the Microsoft 365 portal.
- See explanation below.
Explanation:
You need to enable Multi-Factor Authentication for Lynne Robbins.
1. Sign in to the Microsoft 365 Admin Center.
2. In the left navigation pane, expand the Users section and select Active Users.
3. Click the ‘Multi-factor authentication’ link.
4. Select Lynne Robbins.
5. In the right navigation pane, select the ‘Enable’ link to enable MFA for the account.
6. Confirm the setting by clicking the ‘Enable multi-factor authentication’ button.
7. Click the Close button to close the confirmation window.
-
SIMULATION
Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section. This may take a few minutes, and the wait time will not be deducted from your overall test time.
When the Next button is available, click it to access the lab section. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design.
Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn’t matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.
Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.
Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.
You may now click next to proceed to the lab.
Lab information
Use the following login credentials as needed:
To enter your username, place your cursor in the Sign in box and click on the username below.
To enter your password, place your cursor in the Enter password box and click on the password below.
Microsoft 365 Username: [email protected]
Microsoft 365 Password: m3t^We$Z7&xy
If the Microsoft 365 portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab.
The following information is for technical support purposes only:
Lab Instance: 11440873
You need to create a SharePoint site named Project1. Users from your organization must be able to share content from the site to external users.
To answer, sign in to the Microsoft 365 portal.
- See explanation below.
Explanation:
You need to create a SharePoint site and configure the sharing settings.
1. Go to the SharePoint Admin Center.
2. In the left navigation pane, expand Sites then select ‘Active Sites’.
3. Click on the ‘+ Create’ link to add a new site.
4. Select ‘Other Options’ then ‘Team Site’ for the template.
5. Give the site the name ‘Project1’.
6. In the ‘Primary Administrator’ field, start typing ‘admin’ then select the [email protected] account when it appears.
7. Click Finish to create the site.
8. In the Active Sites list, select the Project1 site.
9. Click the Sharing link at the top of the sites list.
10. Under ‘External Sharing’, select ‘Anyone’.
11. Click Save to save the changes.
-
SIMULATION
Please wait while the virtual machine loads. Once loaded, you may proceed to the lab section. This may take a few minutes, and the wait time will not be deducted from your overall test time.
When the Next button is available, click it to access the lab section. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design.
Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn’t matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.
Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.
Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.
You may now click next to proceed to the lab.
Lab information
Use the following login credentials as needed:
To enter your username, place your cursor in the Sign in box and click on the username below.
To enter your password, place your cursor in the Enter password box and click on the password below.
Microsoft 365 Username: [email protected]
Microsoft 365 Password: x?-ofP?fG70o
If the Microsoft 365 portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab.
The following information is for technical support purposes only:
Lab Instance: 11325860
You need to ensure that an external user named [email protected] can register an application in your Microsoft 365 tenant. The solution must use the principle of least privilege.
To answer, sign in to the Microsoft 365 portal.
- See explanation below.
Explanation:
You need to create a guest account for the external user and assign the Application Developer role. As the user’s domain is an external domain, you will need to ‘invite’ the user. The external user will need to accept the invitation to create the account.
1. Go to the Azure Active Directory Admin Center.
2. In the left navigation pane, select Users.
3. Click on the ‘+ New Guest User’ link.
4. Ensure that the ‘Invite user’ option is selected.
5. Enter [email protected] in the email address field.
6. In the Roles section, ‘user’ will be selected by default. Click on ‘user’ to open a list of roles.
7. Select Application Developer in the list and click the ‘Select’ button to assign the role.
8. Click the ‘Invite’ button to send the invitation.
-
Your company has a Microsoft 365 subscription and a Microsoft Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.
An external vendor has a Microsoft account that has a username of [email protected].
You plan to provide [email protected] with access to several resources in the subscription.
You need to add the external user account to contoso.onmicrosoft.com. The solution must ensure that the external vendor can authenticate by using [email protected].
What should you do?
- From Azure Cloud Shell, run the New-AzureADUser cmdlet and specify -UserPrincipalName [email protected].
- From the Microsoft 365 admin center, add a contact, and then specify [email protected] as the email address.
- From the Azure portal, add a new guest user, and then specify [email protected] as the email address.
- From the Azure portal, add a custom domain name, and then create a new Azure AD user and use [email protected] as the username.
Explanation:
You can invite guest users to the directory, to a group, or to an application. After you invite a user through any of these methods, the invited user’s account is added to Azure Active Directory (Azure AD), with a user type of Guest. The guest user must then redeem their invitation to access resources. An invitation of a user does not expire.
The invitation will include a link to create a Microsoft account. The user can then authenticate using their Microsoft account. In this question, the external vendor already has a Microsoft account ([email protected]), so he can authenticate using that.
-
You have a Microsoft 365 subscription that contains several Microsoft SharePoint Online sites.
You discover that users from your company can invite external users to access files on the SharePoint sites.
You need to ensure that the company users can invite only authenticated guest users to the sites.
What should you do?
- From the Microsoft 365 admin center, configure a partner relationship.
- From SharePoint Online Management Shell, run the Set-SPOSite cmdlet.
- From the Azure Active Directory admin center, configure a conditional access policy.
- From the SharePoint admin center, configure the sharing settings.
Explanation:
You need to set the Sharing settings to ‘Existing Guests’. This setting allows sharing only with guests who are already in your directory. These guests may exist in your directory because they previously accepted sharing invitations or because they were manually added.
-
Your network contains an on-premises Active Directory domain. The domain contains 2,000 computers that run Windows 10.
You purchase a Microsoft 365 subscription.
You implement password hash synchronization and Azure Active Directory (Azure AD) Seamless Single Sign-On (Seamless SSO).
You need to ensure that users can use Seamless SSO from the Windows 10 computers.
What should you do?
- Create a conditional access policy in Azure AD.
- Deploy an Azure AD Connect staging server.
- Join the computers to Azure AD.
- Modify the Intranet zone settings by using Group Policy
-
HOTSPOT
You work at a company named Contoso, Ltd.
Contoso has a Microsoft 365 subscription that is configured to use the DNS domains shown in the following table.
Contoso purchases a company named Fabrikam, Inc.
Contoso plans to add the following domains to the Microsoft 365 subscription:
– fabrikam.com
– east.fabrikam.com
– west.contoso.com
You need to ensure that the devices in the new domains can register by using Autodiscover.
How many domains should you verify, and what is the minimum number of enterpriseregistration DNS records you should add? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
-
Your company has a hybrid deployment of Microsoft 365.
Users authenticate by using pass-through authentication. Several Microsoft Azure AD Connect Authentication Agents are deployed.
You need to verify whether all the Authentication Agents are used for authentication.
What should you do?
- From the Azure portal, use the Troubleshoot option on the Pass-through authentication page.
- From Performance Monitor, use the #PTA authentications counter.
- From the Azure portal, use the Diagnostics settings on the Monitor blade.
- From Performance Monitor, use the Kerberos authentications counter.
Explanation:
On the Troubleshoot page, you can view how many agents are configured. If you click on the agents link, you can view the status of each agent. Each agent will have a status of Active or Inactive.
-
HOTSPOT
You have a Microsoft 365 subscription that uses an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains the users shown in the following table.
From the Sign-ins blade of the Azure Active Directory admin center, for which users can User1 and User2 view the sign-ins? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Explanation:
Who can access the activity reports data?
– Users in the Security Administrator, Security Reader, Global Reader, and Report Reader roles
– Global Administrators
– Any user (non-admins) can access their own sign-ins
-
HOTSPOT
Your network contains an on-premises Active Directory domain. The domain contains a server named Server1. Server1 has a share named Share1 that contains the files shown in the following table.
You have a hybrid deployment of Microsoft 365.
You create a Microsoft SharePoint site collection named Collection1.
You plan to migrate Share1 to a document library in Collection1.
You configure the SharePoint Migration Tool as shown in the exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: No
File1.txt will not be migrated as it was created before Jan 1 2019.
Box 2: Yes
File2.txt will be migrated as it was created after Jan 1 2019 and was modified after Mar 1 2019.
Box 3: Yes
File3.txt will be migrated as it was created after Jan 1 2019 and was modified after Mar 1 2019.
-
HOTSPOT
You have a Microsoft 365 Enterprise E5 subscription.
You add a cloud-based app named App1 to the Microsoft Azure Active Directory (Azure AD) enterprise applications list.
You need to ensure that two-step verification is enforced for all user accounts the next time they connect to App1.
Which three settings should you configure from the policy? To answer, select the appropriate settings in the answer area.
Explanation:
In the Cloud Apps section, you need to select the name of the app (App1) that the policy will apply to.
In the Grant section under Access Controls, there is a checkbox named “Require Multi-factor Authentication”. That checkbox needs to be ticked.
-
HOTSPOT
Your company has an Azure Active Directory (Azure AD) tenant named contoso.com and a Microsoft 365 subscription.
Contoso.com contains the users shown in the following table.
You add an enterprise application named App1 to contoso.com.
You configure the following self-service settings for App1:
– Allow users to request access to this application is set to Yes.
– To which group should assigned users be added is set to Group1.
– Who is allowed to approve access to this application is set to User2.
– Require approval before granting access to this application is set to Yes.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Yes.
User1 can request access to App1 because “Allow users to request access to this application” is set to Yes.
Box 2: No.
User2 is an approver. If User2 requests access to App1, he will still need to approve the request before he is added to Group1.
Box 3: Yes.
User2 can approve requests for App1 because “Who is allowed to approve access to this application” is set to User2.
-
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a hybrid deployment of Microsoft 365 that contains the objects shown in the following table.
Azure AD Connect has the following settings:
– Password Hash Sync: Enabled
– Password writeback: Enabled
– Group writeback: Enabled
You need to add User2 to Group2.
Solution: From Azure PowerShell, you run the Set-AzureADGroup cmdlet.
Does this meet the goal?
- Yes
- No
Explanation:
The Set-AzureADGroup cmdlet updates a group in Azure Active Directory (AD), but User2 and Group2 are objects in Windows Server AD.
-
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a hybrid deployment of Microsoft 365 that contains the objects shown in the following table.
Azure AD Connect has the following settings:
– Password Hash Sync: Enabled
– Password writeback: Enabled
– Group writeback: Enabled
You need to add User2 to Group2.
Solution: You use the Azure Active Directory admin center.
Does this meet the goal?
- Yes
- No
Explanation:
User2 and Group2 are objects in Windows Server Active Directory (AD), not Azure AD.
-
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a hybrid deployment of Microsoft 365 that contains the objects shown in the following table.
Azure AD Connect has the following settings:
– Password Hash Sync: Enabled
– Password writeback: Enabled
– Group writeback: Enabled
You need to add User2 to Group2.
Solution: You use the Security & Compliance admin center.
Does this meet the goal?
- Yes
- No
Explanation:
The Security & Compliance admin center is not used to manage users.
-
HOTSPOT
You have a Microsoft 365 subscription that uses a default domain named litwareinc.com. The subscription has a Microsoft SharePoint site collection named Collection1.
From the Azure Active Directory admin center, you configure the External collaboration settings as shown in the External Collaboration Settings exhibit.
From the SharePoint admin center, you configure the sharing settings as shown in the SharePoint Sharing exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: No
In the first exhibit, “Deny invitations to the specified domains” is selected and fabrikam.com is listed. This means that no one can send an invitation to fabrikam.com. Therefore, you cannot share the files in Collection1 to [email protected].
Box 2: No
As noted above, “Deny invitations to the specified domains” is selected and fabrikam.com is listed. This means that no one can send an invitation to fabrikam.com. Therefore, you cannot share Collection1 to [email protected].
Box 3: Yes
External sharing is enabled for any domain except contoso.com (and fabrikam.com due to the ‘deny invitations’ setting).
Blocking sharing to contoso.com does not block sharing to us.contoso.com. Therefore, you can share Collection1 to [email protected].
-
You have a hybrid deployment of Microsoft 365 and an Azure Active Directory (Azure AD) tenant. The tenant contains the users shown in the following table.
Password protection in Azure AD is configured as shown in the following exhibit.
Which users will be prevented from using the word “Contoso” as part of their password?
- User1 only
- User1 and User2 only
- User1 and User3 only
- User1, User2, and User3
-
You have a Microsoft 365 E5 subscription.
You need to ensure that users are prompted for multi-factor authentication (MFA) when they attempt to access Microsoft SharePoint Online resources. Users must NOT be prompted for MFA when they attempt to access other Microsoft 365 services.
What should you do?
- From the Microsoft Endpoint Manager admin center, create an app protection policy.
- From the multi-factor authentication page, configure the users settings.
- From the Azure Active Directory admin center, create a conditional access policy.
- From the Cloud App Security admin center, create an app access policy.
Explanation:
Multi-factor authentication (MFA) is configured through conditional access policies.