MS-100 : Microsoft 365 Identity and Services : Part 14

  1. HOTSPOT

    You have a hybrid deployment of Microsoft 365 that contains the users shown in the following table.

    MS-100 Microsoft 365 Identity and Services Part 14 Q01 181

    You have an on-premises web app named AppA. Group1 has permissions to access AppA.

    You configure an Azure Active Directory (Azure AD) Application Proxy.

    You add an Application Proxy entry for AppA as shown in the exhibit. (Click the Exhibit tab.)

    MS-100 Microsoft 365 Identity and Services Part 14 Q01 182

    You assign the AppA enterprise application in Azure to Group2.

    For each of the following statements, select Yes if the statement is true. Otherwise, select No.

    NOTE: Each correct selection is worth one point.

    MS-100 Microsoft 365 Identity and Services Part 14 Q01 183 Question
    MS-100 Microsoft 365 Identity and Services Part 14 Q01 183 Answer
    Explanation:

    Box 1: No
    User1 is in Group2. The enterprise app is assigned to Group2. However, the authentication method is “Passthrough” so the authentication will be passed to the on-premises web app. Only Group1 has access to the web app. Therefore, User1 will not be able to access the web app.

    Box 2: Yes.
    User2 is in Group1 and Group2. The enterprise app is assigned to Group2. The authentication method is “Passthrough” so the authentication will be passed to the on-premises web app. Group1 has access to the web app. Therefore, User2 will be able to access the web app in MyApps.

    Box 3: No
    User3 is in Group1. Group1 has access to the web app so User3 could access the app on-premises. However, the enterprise app is assigned to Group2 which User3 is not a member of. Therefore, User3 will not be able to access the external URL of the web app.

  2. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    You have a Microsoft 365 subscription.

    You discover that some external users accessed content on a Microsoft SharePoint site. You modify the SharePoint sharing policy to prevent sharing outside your organization.

    You need to be notified if the SharePoint policy is modified in the future.

    Solution: From the SharePoint site, you create an alert.

    Does this meet the goal?

    • Yes
    • No
    Explanation:
    You need to create a threat management policy in the Security & Compliance admin center.
  3. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    You have a Microsoft 365 subscription.

    You discover that some external users accessed content on a Microsoft SharePoint site. You modify the SharePoint sharing policy to prevent sharing outside your organization.

    You need to be notified if the SharePoint policy is modified in the future.

    Solution: From the SharePoint admin center, you modify the sharing settings.

    Does this meet the goal?

    • Yes
    • No
    Explanation:
    You need to create a threat management policy in the Security & Compliance admin center.
  4. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    You have a Microsoft 365 subscription.

    You discover that some external users accessed content on a Microsoft SharePoint site. You modify the SharePoint sharing policy to prevent sharing outside your organization.

    You need to be notified if the SharePoint policy is modified in the future.

    Solution: From the Security & Compliance admin center, you create a threat management policy.

    Does this meet the goal?

    • Yes
    • No
    Explanation:
    We can create a threat management policy to alert us when the sharing policy is changed.
    Create a new Alert policy > under Category select Threat Management > under ‘Activity is’ scroll down to the ‘Site administration activities’ and select ‘Changed a sharing policy’.
  5. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    You have a Microsoft 365 subscription.

    You need to prevent users from accessing your Microsoft SharePoint Online sites unless the users are connected to your on-premises network.

    Solution: From the Device Management admin center, you create a trusted location and a compliance policy.

    Does this meet the goal?

    • Yes
    • No
    Explanation:
    You need to configure a conditional access policy, not a compliance policy.
    Conditional Access in SharePoint Online can be configured to use an IP Address white list to allow access.
  6. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    You have a Microsoft 365 subscription.

    You need to prevent users from accessing your Microsoft SharePoint Online sites unless the users are connected to your on-premises network.

    Solution: From the Microsoft 365 admin center, you configure the Organization profile settings.

    Does this meet the goal?

    • Yes
    • No
    Explanation:
    You need to configure a trusted location and a conditional access policy.
    Conditional Access in SharePoint Online can be configured to use an IP Address white list to allow access.
  7. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    You have a Microsoft 365 subscription.

    You need to prevent users from accessing your Microsoft SharePoint Online sites unless the users are connected to your on-premises network.

    Solution: From the Azure Active Directory admin center, you create a trusted location and a conditional access policy.

    Does this meet the goal?

    • Yes
    • No
    Explanation:
    Conditional Access in SharePoint Online can be configured to use an IP Address white list to allow access.
    With named locations, you can create logical groupings of IP address ranges, for example your office IP range. You can then mark the named location as a trusted location.
    Mark as trusted location – A flag you can set for a named location to indicate a trusted location. Typically, trusted locations are network areas that are controlled by your IT department.
    You would then configure the conditional access policy to allow access only from the trusted location.
  8. HOTSPOT

    You have a Microsoft 365 subscription that uses a default domain named contoso.com. The domain contains the users shown in the following table.

    MS-100 Microsoft 365 Identity and Services Part 14 Q08 184

    The domain contains the devices shown in the following table.

    MS-100 Microsoft 365 Identity and Services Part 14 Q08 185

    The domain contains conditional access policies that control access to a cloud app named App1. The policies are configured as shown in the following table.

    MS-100 Microsoft 365 Identity and Services Part 14 Q08 186

    For each of the following statements, select Yes if the statement is true. Otherwise, select No.

    NOTE: Each correct selection is worth one point.

    MS-100 Microsoft 365 Identity and Services Part 14 Q08 187 Question
    MS-100 Microsoft 365 Identity and Services Part 14 Q08 187 Answer
    Explanation:

    Box 1: Yes.
    User1 is in a group named Compliant. All the conditional access policies apply to Group1 so they don’t apply to User1.
    As there is no conditional access policy blocking access for the group named Compliant, User1 is able to access App1 using any device.

    Box 2: Yes.
    User2 is in Group1 so Policy1 applies first. Policy1 excludes compliant devices and Device1 is compliant. Therefore, Policy1 does not apply so we move on to Policy2.
    User2 is also in Group2. Policy2 excludes Group2. Therefore, Policy2 does not apply so we move on to Policy3.
    Policy3 applies to Group1 so Policy3 applies to User2. Policy3 applies to ‘All device states’ so Policy3 applies to Device1. Policy3 grants access. Therefore, User2 can access App1 using Device1.

    Box 3: No.
    User2 is in Group1 so Policy1 applies. Policy1 excludes compliant devices but Device2 is non-compliant. Therefore, User2 cannot access App1 from Device2.

  9. HOTSPOT

    Your company has a Microsoft 365 tenant named litwareinc.com.

    The Guest access settings in Microsoft Teams are configured as shown in the following exhibit.

    MS-100 Microsoft 365 Identity and Services Part 14 Q09 188

    The External access settings in Microsoft Teams are configured as shown in the following exhibit.

    MS-100 Microsoft 365 Identity and Services Part 14 Q09 189

    The company has a third-party supplier named adventureworks.com. Users in litwareinc.com collaborate with the following users by using Microsoft Teams:

    [email protected]
    [email protected]

    For each of the following statements, select Yes if the statement is true. Otherwise, select No.

    NOTE: Each correct selection is worth one point.

    MS-100 Microsoft 365 Identity and Services Part 14 Q09 190 Question
    MS-100 Microsoft 365 Identity and Services Part 14 Q09 190 Answer
    Explanation:

    The answer to this question depends on whether User1 and User2 have been added as guests. The question does not say that they are guests so we would have to assume they’re not.

    External Access is turned off. Even with the Contoso.com domain added as an allowed domain, the Off settings override this. If the external access settings were ‘On’, they would be on for only the Contoso.com domain.

    Box 1: No
    If External Access was On, the answer to this would still be No. If User2 was a guest, the answer to this would be Yes.

    Box 2: No
    If External Access was On, the answer to this would still be No. External Access does not enable Meet Now for the external user. If User1 was a guest, the answer to this would be Yes.

    Box 3: No
    If External Access was On, the answer to this would still be No. External Access does not allow blocking. If User1 was a guest, the answer to this would be Yes.

  10. HOTSPOT

    You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

    MS-100 Microsoft 365 Identity and Services Part 14 Q10 191

    You configure a multi-factor authentication (MFA) registration policy that has the following settings:

    – Assignments:
        – Include: Group1
        – Exclude: Group2
    – Access controls: Require Azure MFA registration
    – Enforce Policy: On

    You create a conditional access policy that has the following settings:

    – Name: Policy1
    – Assignments:
        – Include: Group2
        – Exclude: Group1
    – Access controls:
        – Grant, Require multi-factor authentication
    – Enable policy: On

    For each of the following statements, select Yes if the statement is true. Otherwise, select No.

    NOTE: Each correct selection is worth one point.

    MS-100 Microsoft 365 Identity and Services Part 14 Q10 192 Question
    MS-100 Microsoft 365 Identity and Services Part 14 Q10 192 Answer
    Explanation:

    Box 1: No
    The MFA policy applies to User1 so he will be prompted to register for MFA. He has 14 days to complete the registration. During this 14-day period, he can bypass registration but at the end of the period he will be required to register before he can complete the sign-in process.
    The Conditional Access Policy does not apply to User1 so MFA is not required.

    Box 2: No
    User2’s MFA status is Enabled which means he has been enrolled in MFA but has not yet completed the registration.
    The Conditional Access Policy does not apply to User2 because Group1 is excluded so MFA is not required.

    Box 3: Yes
    The Conditional Access Policy does apply to User3 so MFA will be required. He will need to be enrolled for MFA first.

  11. You have a Microsoft 365 subscription.

    You register two applications named App1 and App2 to Azure Active Directory (Azure AD).

    You need to ensure that users who connect to App1 require multi-factor authentication (MFA). MFA is required only for App1.

    What should you do?

    • From the Microsoft 365 admin center, configure the Modern authentication settings.
    • From Multi-Factor Authentication, configure the service settings.
    • From the Enterprise applications blade of the Azure Active Directory admin center, configure the Users settings.
    • From the Azure Active Directory admin center, create a conditional access policy.
  12. This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

    To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

    At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

    To start the case study
    To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question.

    Overview

    Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.

    The offices have the users and devices shown in the following table.

    MS-100 Microsoft 365 Identity and Services Part 14 Q12 193

    Contoso recently purchased a Microsoft 365 E5 subscription.

    Existing Environment
    The network contains an Active Directory forest named contoso.com and a Microsoft Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.

    You recently configured the forest to sync to the Azure AD tenant.

    You add and then verify adatum.com as an additional domain name.

    All servers run Windows Server 2016.

    All desktop computers and laptops run Windows 10 Enterprise and are joined to contoso.com.

    All the mobile devices in the Montreal and Seattle offices run Android. All the mobile devices in the New York office run iOS.

    Contoso has the users shown in the following table.

    MS-100 Microsoft 365 Identity and Services Part 14 Q12 194

    Contoso has the groups shown in the following table.

    MS-100 Microsoft 365 Identity and Services Part 14 Q12 195

    Microsoft Office 365 licenses are assigned only to Group2.

    The network also contains external users from a vendor company who have Microsoft accounts that use a suffix of @outlook.com.

    Requirements

    Planned Changes
    Contoso plans to provide email addresses for all the users in the following domains:

    – East.adatum.com
    – Contoso.adatum.com
    – Humongousinsurance.com

    Technical Requirements
    Contoso identifies the following technical requirements:

    – All new users must be assigned Office 365 licenses automatically.
    – The principle of least privilege must be used whenever possible.

    Security Requirements
    Contoso identifies the following security requirements:

    – Vendors must be able to authenticate by using their Microsoft account when accessing Contoso resources.
    – User2 must be able to view reports and schedule the email delivery of security and compliance reports.
    – The members of Group1 must be required to answer a security question before changing their password.
    – User3 must be able to manage Office 365 connectors.
    – User4 must be able to reset User3's password.

    1. You need to meet the security requirement for Group1.

      What should you do?

      • Configure all users to sign in by using multi-factor authentication.
      • Modify the properties of Group1.
      • Assign Group1 a management role.
      • Modify the Password reset properties of the Azure AD tenant.
      Explanation:

      – The members of Group1 must be required to answer a security question before changing their password.

      If SSPR (Self Service Password Reset) is enabled, you must select at least one of the following options for the authentication methods. Sometimes you hear these options referred to as “gates.”

      Mobile app notification
      Mobile app code
      Email
      Mobile phone
      Office phone
      Security questions

      You can specify the required authentication methods in the Password reset properties of the Azure AD tenant. In this case, you should set the required authentication method to be ‘Security questions’.

    2. You need to meet the security requirement for the vendors.

      What should you do?

      • From the Azure portal, add an identity provider.
      • From Azure Cloud Shell, run the New-AzureADUser cmdlet and specify the –UserPrincipalName parameter.
      • From Azure Cloud Shell, run the Set-AzureADUserExtension cmdlet.
      • From the Azure portal, create guest accounts.
      Explanation:

      – Vendors must be able to authenticate by using their Microsoft account when accessing Contoso resources.

      You can invite guest users to the directory, to a group, or to an application. After you invite a user through any of these methods, the invited user’s account is added to Azure Active Directory (Azure AD), with a user type of Guest. The guest user must then redeem their invitation to access resources. An invitation of a user does not expire.
      The invitation will include a link to create a Microsoft account. The user can then authenticate using their Microsoft account. In this question, the vendors already have Microsoft accounts so they can authenticate using them.

    3. You need to meet the security requirement for the vendors.

      What should you do?

      • From Azure Cloud Shell, run the Set-MsolUserPrincipalName cmdlet and specify the –tenantID parameter.
      • From Azure Cloud Shell, run the Set-AzureADUserExtension cmdlet.
      • From Azure Cloud Shell, run the New-AzureADUser cmdlet and specify the –UserPrincipalName parameter.
      • From Azure Cloud Shell, run the New-AzureADMSInvitation cmdlet and specify the –InvitedUserEmailAddress parameter.
      Explanation:

      – Vendors must be able to authenticate by using their Microsoft account when accessing Contoso resources.

      You can invite guest users to the directory, to a group, or to an application. After you invite a user through any of these methods, the invited user’s account is added to Azure Active Directory (Azure AD), with a user type of Guest. The guest user must then redeem their invitation to access resources. An invitation of a user does not expire.
      The invitation will include a link to create a Microsoft account. The user can then authenticate using their Microsoft account. In this question, the vendors already have Microsoft accounts so they can authenticate using them.

      In this solution, we are creating guest account invitations by using the New-AzureADMSInvitation cmdlet and specifying the –InvitedUserEmailAddress parameter.

      Note:
      There are several versions of this question in the exam. The question has two possible correct answers:
      1. From the Azure portal, create guest accounts.
      2. From Azure Cloud Shell, run the New-AzureADMSInvitation cmdlet and specify the –InvitedUserEmailAddress parameter.

      Other incorrect answer options you may see on the exam include the following:
      1. From the Azure portal, modify the authentication methods.
      2. From the Azure portal, add an identity provider.

  13. This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

    To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

    At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

    To start the case study
    To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question.

    Overview

    Fabrikam, Inc. is an electronics company that produces consumer products. Fabrikam has 10,000 employees worldwide.

    Fabrikam has a main office in London and branch offices in major cities in Europe, Asia, and the United States.

    Existing Environment
    Active Directory Environment
    The network contains an Active Directory forest named fabrikam.com. The forest contains all the identities used for user and computer authentication.

    Each department is represented by a top-level organizational unit (OU) that contains several child OUs for user accounts and computer accounts.

    All users authenticate to on-premises applications by signing in to their device by using a UPN format of [email protected].

    Fabrikam does NOT plan to implement identity federation.

    Network Infrastructure

    Each office has a high-speed connection to the Internet.

    Each office contains two domain controllers. All domain controllers are configured as a DNS server.

    The public zone for fabrikam.com is managed by an external DNS server.

    All users connect to an on-premises Microsoft Exchange Server 2016 organization. The users access their email by using Outlook Anywhere, Outlook on the web, or the Microsoft Outlook app for iOS. All the Exchange servers have the latest cumulative updates installed.

    All shared company documents are stored on a Microsoft SharePoint Server farm.

    Requirements
    Planned Changes
    Fabrikam plans to implement a Microsoft 365 Enterprise subscription and move all email and shared documents to the subscription.

    Fabrikam plans to implement two pilot projects:

    – Project1: During Project1, the mailboxes of 100 users in the sales department will be moved to Microsoft 365.
    – Project2: After the successful completion of Project1, Microsoft Teams & Skype for Business will be enabled in Microsoft 365 for the sales department users.

    Fabrikam plans to create a group named UserLicenses that will manage the allocation of all Microsoft 365 bulk licenses.

    Technical Requirements
    Fabrikam identifies the following technical requirements:

    – All users must be able to exchange email messages successfully during Project1 by using their current email address.
    – Users must be able to authenticate to cloud services if Active Directory becomes unavailable.
    – A user named User1 must be able to view all DLP reports from the Microsoft 365 admin center.
    – Microsoft 365 Apps for enterprise applications must be installed from a network share only.
    – Disruptions to email access must be minimized.

    Application Requirements
    Fabrikam identifies the following application requirements:

    – An on-premises web application named App1 must allow users to complete their expense reports online. App1 must be available to users from the My Apps portal.
    – The installation of feature updates for Microsoft 365 Apps for enterprise must be minimized.

    Security Requirements
    Fabrikam identifies the following security requirements:

    – After the planned migration to Microsoft 365, all users must continue to authenticate to their mailbox and to SharePoint sites by using their UPN.
    – The memberships of UserLicenses must be validated monthly. Unused user accounts must be removed from the group automatically.
    – After the planned migration to Microsoft 365, all users must be signed in to on-premises and cloud-based applications automatically.
    – The principle of least privilege must be used.

    1. HOTSPOT

      You create the Microsoft 365 tenant.

      You implement Azure AD Connect as shown in the following exhibit.

      MS-100 Microsoft 365 Identity and Services Part 14 Q13 196

      Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

      NOTE: Each correct selection is worth one point.

      MS-100 Microsoft 365 Identity and Services Part 14 Q13 197 Question
      MS-100 Microsoft 365 Identity and Services Part 14 Q13 197 Answer
      Explanation:

      In the exhibit, seamless single sign-on (SSO) is disabled. Therefore, as SSO is disabled in the cloud, the Sales department users can access only on-premises applications by using SSO.

      In the exhibit, directory synchronization is enabled and active. This means that the on-premises Active Directory user accounts are synchronized to Azure Active Directory user accounts. If the on-premises Active Directory becomes unavailable, the users can access resources in the cloud by authenticating to Azure Active Directory. They will not be able to access resources on-premises if the on-premises Active Directory becomes unavailable as they will not be able to authenticate to the on-premises Active Directory.

    2. You need to meet the application requirement for App1.

      Which three actions should you perform? Each correct answer presents part of the solution.

      NOTE: Each correct selection is worth one point.

      • From the Azure Active Directory admin center, configure the application URL settings.
      • From the Azure Active Directory admin center, add an enterprise application.
      • On an on-premises server, download and install the Microsoft AAD Application Proxy connector.
      • On an on-premises server, install the Hybrid Configuration wizard.
      • From the Microsoft 365 admin center, configure the Software download settings.
      Explanation:

      – An on-premises web application named App1 must allow users to complete their expense reports online. App1 must be available to users from the My Apps portal.

      Application Proxy is a feature of Azure AD that enables users to access on-premises web applications from a remote client. Application Proxy includes both the Application Proxy service which runs in the cloud, and the Application Proxy connector which runs on an on-premises server. Azure AD, the Application Proxy service, and the Application Proxy connector work together to securely pass the user sign-on token from Azure AD to the web application.

      In this question, we need to add an enterprise application in Azure and configure a Microsoft AAD Application Proxy connector to connect to the on-premises web application (App1).

    3. You need to ensure that all the sales department users can authenticate successfully during Project1 and Project2.

      Which authentication strategy should you implement for the pilot projects?

      • password hash synchronization and seamless SSO
      • pass-through authentication
      • password hash synchronization
      • pass-through authentication and seamless SSO
      Explanation:

      – Project1: During Project1, the mailboxes of 100 users in the sales department will be moved to Microsoft 365.
      – Project2: After the successful completion of Project1, Microsoft Teams & Skype for Business will be enabled in Microsoft 365 for the sales department users.
      – After the planned migration to Microsoft 365, all users must be signed in to on-premises and cloud-based applications automatically.
      – Fabrikam does NOT plan to implement identity federation.
      – After the planned migration to Microsoft 365, all users must continue to authenticate to their mailbox and to SharePoint sites by using their UPN.

      You need to enable password hash synchronization to enable the users to continue to authenticate to their mailbox and to SharePoint sites by using their UPN.

      You need to enable SSO to enable all users to be signed in to on-premises and cloud-based applications automatically.

  14. Case study

    This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

    To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

    At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

    To start the case study
    To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question.

    Overview

    General Overview

    Litware, Inc. is a consulting company that has a main office in Montreal and a branch office in Seattle.

    Litware collaborates with a third-party company named ADatum Corporation.

    Environment

    On-Premises Environment

    The network of Litware contains an Active Directory domain named litware.com. The domain contains three organizational units (OUs) named LitwareAdmins, Montreal Users, and Seattle Users and the users shown in the following table.

    MS-100 Microsoft 365 Identity and Services Part 14 Q14 198

    The domain contains 2,000 Windows 10 Pro devices and 100 servers that run Windows Server 2019.

    Cloud environment

    Litware has a pilot Microsoft 365 subscription that includes Microsoft Office 365 Enterprise E3 licenses and Azure Active Directory Premium Plan 2 licenses.

    The subscription contains a verified DNS domain named litware.com.

    Azure AD Connect is installed and has the following configurations:

    – Password hash synchronization is enabled.
    – Synchronization is enabled for the LitwareAdmins OU only.

    Users are assigned the roles shown in the following table.

    MS-100 Microsoft 365 Identity and Services Part 14 Q14 199

    Self-service password reset (SSPR) is enabled.

    The Azure Active Directory (Azure AD) tenant has Security defaults enabled.

    Requirements

    Planned Changes

    Litware identifies the following issues:

    – Admin1 cannot create conditional access policies.
    – Admin4 receives an error when attempting to use SSPR.
    – Users access new Office 365 service and feature updates before the updates are reviewed by Admin2.

    Technical Requirements

    Litware plans to implement the following changes:

    – Implement Microsoft Intune.
    – Implement Microsoft Teams.
    – Implement Microsoft Defender for Office 365.
    – Ensure that users can install Office 365 apps on their device.
    – Convert all the Windows 10 Pro devices to Windows 10 Enterprise E5.
    – Configure Azure AD Connect to sync the Montreal Users OU and the Seattle Users OU.

    1. HOTSPOT

      You are evaluating the use of multi-factor authentication (MFA).

      For each of the following statements, select Yes if the statement is true. Otherwise, select No.

      NOTE: Each correct selection is worth one point.

      MS-100 Microsoft 365 Identity and Services Part 14 Q14 200 Question

      MS-100 Microsoft 365 Identity and Services Part 14 Q14 200 Answer
    2. You need to configure just in time access to meet the technical requirements.

      What should you use?

      • access reviews
      • entitlement management
      • Azure Active Directory (Azure AD) Privileged Identity Management (PIM)
      • Azure Active Directory (Azure AD) Identity Protection
  15. HOTSPOT

    You are configuring an on-premises application named TestApp in Microsoft Azure as shown in the following exhibit.

    MS-100 Microsoft 365 Identity and Services Part 14 Q15 201

    Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

    NOTE: Each correct selection is worth one point.

    MS-100 Microsoft 365 Identity and Services Part 14 Q15 202 Question
    MS-100 Microsoft 365 Identity and Services Part 14 Q15 202 Answer
    Explanation:

    Box 1: Translate URLs in Application Body to Yes.
    If you set Translate URLs in application body to Yes, when your users access this application, the proxy will automatically scan for internal URLs that have been published through Application Proxy on your tenant.

    Box 2: Use Http-Only Cookie to Yes.
    The Use Http-Only Cookie setting allows Application Proxy to include the HTTPOnly flag in HTTP response headers. This flag provides additional security benefits; for example, it prevents client-side scripts from copying or modifying the cookies.

  16. Your company has an on-premises Microsoft Exchange Server 2013 organization.

    The company has 100 users.

    The company purchases Microsoft 365 and plans to move its entire infrastructure to the cloud.

    The company does NOT plan to sync the on-premises Active Directory domain to Microsoft Azure Active Directory (Azure AD).

    You need to recommend which type of migration to use to move all email messages, contacts, and calendar items to Exchange Online.

    What should you recommend?

    • cutover migration
    • IMAP migration
    • remote move migration
    • staged migration
    Explanation:

    A cutover migration and an IMAP migration do not require the company to sync the on-premises Active Directory domain to Microsoft Azure Active Directory (Azure AD). Only a cutover migration meets the requirements in this question.
    With a cutover migration, user accounts will need to be created in Azure Active Directory for each user. The mailboxes are all migrated in one go and MX records configured to redirect email to Microsoft 365.

    Incorrect Answers:
    B: Contacts, calendar items and tasks cannot be migrated with an IMAP migration.
    C: A remote move migration requires a hybrid Exchange configuration, which requires that the on-premises Active Directory domain is synced to Microsoft Azure Active Directory (Azure AD).
    D: A staged migration is recommended when your source email system is Microsoft Exchange Server 2003 or Microsoft Exchange Server 2007. You can’t use a staged migration to migrate Exchange 2013 or Exchange 2010 mailboxes to Office 365. A staged migration also requires that the on-premises Active Directory domain is synced to Microsoft Azure Active Directory (Azure AD).

  17. HOTSPOT

    You have a Microsoft 365 subscription.

    You use the Microsoft Office Deployment Tool to install Microsoft 365 Apps for enterprise.

    You create a configuration file that contains the following settings.

    MS-100 Microsoft 365 Identity and Services Part 14 Q17 203

    Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

    NOTE: Each correct selection is worth one point.

    MS-100 Microsoft 365 Identity and Services Part 14 Q17 204 Question
    MS-100 Microsoft 365 Identity and Services Part 14 Q17 204 Answer
    Explanation:

    Box 1:
    The C2R (click-to-run) version of Microsoft Visio only will be uninstalled from the computers.
    To remove the MSI version of Microsoft Visio, you would need to specify the RemoveMSI parameter. The RemoveMSI parameter is not configured in the configuration file in this question. Therefore, only the C2R version will be uninstalled.

    Box 2:
    If the Office share on Server1 is missing the Japanese language pack, Microsoft 365 Apps for enterprise will be installed in English only.
    In the configuration file, English is the first in the list above Japanese. Therefore, English is the primary language and the installation will continue in English only.

  18. You create a Microsoft 365 Enterprise subscription.

    You assign licenses for all products to all users.

    You need to prepare the environment to ensure that all Microsoft 365 Apps for enterprise installations occur from a network share. The solution must prevent the users from installing Microsoft 365 Apps for enterprise from the Internet.

    You download the Office Deployment Tool (ODT).

    Which three actions should you perform? Each correct answer presents part of the solution.

    NOTE: Each correct selection is worth one point.

    • From your computer, run setup.exe /download downloadconfig.xml.
    • Create an XML download file.
    • From the Microsoft 365 admin center, deactivate the Office 365 licenses for all the users.
    • From each client computer, run setup.exe /configure installconfig.xml.
    • From the Microsoft 365 admin center, configure the Software download settings.
    Explanation:

    You can use the Office Deployment Tool (ODT) to download the installation files for Microsoft 365 Apps for enterprise from a local source on your network instead of from the Office Content Delivery Network (CDN).

    The first step is to create the configuration file. You can download an XML template file and modify that.
    The next step to install Microsoft 365 Apps for enterprise is to run the ODT executable in configure mode with a reference to the configuration file you just saved. In the following example, the configuration file is named installconfig.xml:

        setup.exe /configure installconfig.xml

    After running the command, you should see the Office installation start.

    To prevent the users from installing Microsoft 365 Apps for enterprise from the Internet, you need to configure the Software download settings (disallow downloads) in the Microsoft 365 admin center.

  19. HOTSPOT

    You create a Microsoft 365 subscription.

    You plan to deploy Microsoft 365 Apps for enterprise applications to all the client computers at your company.

    You prepare the following XML file for the planned deployment.

    MS-100 Microsoft 365 Identity and Services Part 14 Q19 205

    Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

    NOTE: Each correct selection is worth one point.

    MS-100 Microsoft 365 Identity and Services Part 14 Q19 206 Question
    MS-100 Microsoft 365 Identity and Services Part 14 Q19 206 Answer
    Explanation:

    Box 1:
    Microsoft 365 Apps for enterprise feature updates will be installed once every six months.
    The Channel element in the configuration file is set to ‘Targeted’. This means Semi-Annual Targeted.
    To help your organization prepare for a Semi-Annual Channel release, Microsoft provides Semi-Annual Channel (Targeted). The primary purpose of this update channel is to give pilot users and application compatibility testers in your organization a chance to work with the upcoming Semi-Annual Channel release.

    Box 2:
    Microsoft 365 Apps for enterprise security updates will be installed every six months in March and September.
    A Semi-Annual Channel (Targeted) release with new features is expected to be released twice a year, in March and September.
    The March and September feature releases for Semi-Annual Channel (Targeted) also include security and non-security updates that have been released previously in Monthly Channel.

  20. Your network contains the servers shown in the following table.

    MS-100 Microsoft 365 Identity and Services Part 14 Q20 207

    You purchase Microsoft 365 Enterprise E5 and plan to move all workloads to Microsoft 365 by using a hybrid identity solution and a hybrid deployment for all workloads.

    You need to identify which server must be upgraded before you move to Microsoft 365.

    What should you identify?

    • Server2
    • Server3
    • Server5
    • Server1
    • Server4
    Explanation:
    Exchange Server 2007 is not supported for a hybrid deployment.