SC-300 Practice Test 7
Question 1 of 65
Your network contains an on-premises Active Directory domain that syncs to an Azure Active Directory (Azure AD) tenant. Users sign in to computers that run Windows 10 and are joined to the domain. You plan to implement Azure AD Seamless Single Sign-On (Azure AD Seamless SSO). You need to configure the Windows 10 computers to support Azure AD Seamless SSO. What should you do?
You can roll out Seamless SSO to your users gradually. You start by adding the following Azure AD URL to the Intranet zone settings of all or selected users by using Group Policy in Active Directory: https://autologon.microsoftazuread-sso.com. In addition, you need to enable the Intranet zone policy setting Allow updates to status bar via script through Group Policy.
Reference https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start
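As an added example (not part of the original practice test), the script below audits a Windows 10 client for the two Seamless SSO prerequisites named above. It assumes that the Site to Zone Assignment List policy stores its entries under the ZoneMapKey policy key with the URL as the value name and the zone number as data, and that "Allow updates to status bar via script" is Internet Explorer URL action 2103 (0 = Enable) under the Local Intranet zone (zone 1).

```powershell
# Added example, not from the original page. Checks whether the Seamless SSO
# URL is assigned to the Local Intranet zone by policy and whether the
# "Allow updates to status bar via script" setting is enabled for that zone.
# Assumption: the GPO writes ZoneMapKey entries named by URL with data "1",
# and the status bar setting is URL action 2103 under Zones\1 (0 = Enable).
$SsoUrl = 'https://autologon.microsoftazuread-sso.com'

$ZoneMapKeys = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)
$IntranetZoneKeys = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
)

function Test-SeamlessSsoZoneMapping {
    # True when a policy-applied ZoneMapKey entry assigns the SSO URL to zone 1.
    foreach ($key in $ZoneMapKeys) {
        if (Test-Path $key) {
            $zone = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$SsoUrl
            if ($zone -eq '1') { return $true }
        }
    }
    return $false
}

function Test-StatusBarScriptUpdates {
    # True when URL action 2103 is set to 0 (Enable) for the Local Intranet zone.
    foreach ($key in $IntranetZoneKeys) {
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -Name '2103' -ErrorAction SilentlyContinue).'2103'
            if ($value -eq 0) { return $true }
        }
    }
    return $false
}

$results = [ordered]@{
    'SSO URL in Local Intranet zone'         = Test-SeamlessSsoZoneMapping
    'Allow updates to status bar via script' = Test-StatusBarScriptUpdates
}
$results.GetEnumerator() | ForEach-Object {
    $state = if ($_.Value) { 'OK' } else { 'MISSING' }
    Write-Output ('{0,-42} {1}' -f $_.Key, $state)
}
```

Run it on a domain-joined client after a Group Policy refresh; a MISSING line points at the setting that still has to be delivered by GPO.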
Question 2 of 65
You have an Azure Active Directory (Azure AD) tenant that contains the following objects:
– A device named Device1
– Users named User1, User2, User3, User4, and User5
– Groups named Group1, Group2, Group3, Group4, and Group5
The groups are configured as shown in the following table.
To which groups can you assign a Microsoft Office 365 Enterprise E5 license directly?
Question 3 of 65
You have a Microsoft Exchange organization that uses an SMTP address space of contoso.com. Several users use their contoso.com email address for self-service sign-up to Azure Active Directory (Azure AD). You gain global administrator privileges to the Azure AD tenant that contains the self-signed users. You need to prevent the users from creating user accounts in the contoso.com Azure AD tenant for self-service sign-up to Microsoft 365 services. Which PowerShell cmdlet should you run?
Question 4 of 65
You have 2,500 users who are assigned Microsoft Office 365 Enterprise E3 licenses. The licenses are assigned to individual users. From the Groups blade in the Azure Active Directory admin center, you assign Microsoft 365 Enterprise E5 licenses to the users. You need to remove the Office 365 Enterprise E3 licenses from the users by using the least amount of administrative effort. What should you use?
Set-AzureADUser cannot be used to assign licenses; you must use Set-AzureADUserLicense, which adds or removes licenses for a Microsoft online service in the list of licenses assigned to a user. Steps: Go to the Licenses blade in the Azure Active Directory admin center and uncheck the licenses that you want to remove. You can select all users at once and unassign the licenses.
Question 5 of 65
You have a Microsoft 365 tenant named contoso.com.
Guest user access is enabled.
Users are invited to collaborate with contoso.com as shown in the following table.
From the External collaboration settings in the Azure Active Directory admin center, you configure the Collaboration restrictions settings as shown in the following exhibit.
From a Microsoft SharePoint Online site, a user invites [email protected] to the site.
For each of the following statements, choose Yes if the statement is true. Otherwise, choose No.
Box 1: Yes – Invitations can only be sent to outlook.com. Therefore, User1 can accept the invitation and access the application.
Box 2: Yes – Invitations can only be sent to outlook.com. However, User2 has already received and accepted an invitation, so User2 can access the application.
Box 3: No – Invitations can only be sent to outlook.com. Therefore, User3 will not receive an invitation.
The list does not apply to external users who have already redeemed the invitation. The list is enforced only after it is set up. If a user invitation is in a pending state and you set a policy that blocks the user's domain, the user's attempt to redeem the invitation will fail.
Reference https://docs.microsoft.com/en-us/azure/active-directory/external-identities/allow-deny-list
Question 6 of 65
You have an Azure Active Directory (Azure AD) tenant named contoso.com. You plan to bulk invite Azure AD business-to-business (B2B) collaboration users. Which two parameters must you include when you create the bulk invite? Each correct answer presents part of the solution.
Question 7 of 65
You have an Azure Active Directory (Azure AD) tenant that contains the objects shown in the following table.
Which objects can you add as members to Group3?
A guest or unlicensed user (no tenant license) can be added to a mail-enabled security group from the Microsoft Office 365 portal or the Exchange Online admin center.
If you look at it from the Groups tab, you cannot find the user in the list to add to the mail-enabled security group, but if you go to the user, you can add a membership to the group. You have to distinguish between a security group and a mail-enabled security group.
Reference https://docs.microsoft.com/en-us/exchange/recipients-in-exchange-online/manage-mail-enabled-security-groups
Question 8 of 65
You have an on-premises Microsoft Exchange organization that uses an SMTP address space of contoso.com. You discover that users use their email address for self-service sign-up to Microsoft 365 services. You need to gain global administrator privileges to the Azure Active Directory (Azure AD) tenant that contains the self-signed users. Which four actions should you perform?
Question 9 of 65
You have an Azure Active Directory (Azure AD) tenant that contains a user named User1 and the groups shown in the following table.
In the tenant, you create the groups shown in the following table.
Which members can you add to GroupA and GroupB?
To answer, choose the appropriate options in the answer area.
Type: Security – Used to manage member and computer access to shared resources for a group of users. For example, you can create a security group for a specific security policy. By doing it this way, you can give a set of permissions to all the members at once, instead of having to add permissions to each member individually. A security group can have users, devices, groups and service principals as its members, and users and service principals as its owners. For more information about managing access to resources, see Manage access to resources with Azure Active Directory groups.
Type: Microsoft 365 – Provides collaboration opportunities by giving members access to a shared mailbox, calendar, files, SharePoint site, and more. This option also lets you give people outside of your organization access to the group. A Microsoft 365 group can have only users as its members.
GroupA: User1, Group1, Group2 and Group3 – GroupA cannot contain Microsoft 365 groups.
GroupB: User1 only – Microsoft 365 groups cannot contain other groups.
Question 10 of 65
You have an Active Directory forest that syncs to an Azure Active Directory (Azure AD) tenant. You discover that when a user account is disabled in Active Directory, the disabled user can still authenticate to Azure AD for up to 30 minutes. You need to ensure that when a user account is disabled in Active Directory, the user account is immediately prevented from authenticating to Azure AD. Solution: You configure password writeback. Does this meet the goal?
Password writeback is a feature of Azure AD Connect which ensures that when a password changes in Azure AD (password change, self-service password reset, or an administrative change to a user password) it is written back to the on-premises AD, provided it meets the on-premises AD password policy. Technically, a password writeback operation is a password "reset" action. Password writeback removes the need to set up an on-premises solution for users to reset their password. It all happens in real time, so users are notified immediately if their password could not be reset or changed for any reason.
Reference https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn
Question 11 of 65
You have an Active Directory forest that syncs to an Azure Active Directory (Azure AD) tenant. You discover that when a user account is disabled in Active Directory, the disabled user can still authenticate to Azure AD for up to 30 minutes. You need to ensure that when a user account is disabled in Active Directory, the user account is immediately prevented from authenticating to Azure AD. Solution: You configure pass-through authentication. Does this meet the goal?
Azure AD Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications by using the same passwords. Pass-through Authentication signs users in by validating their passwords directly against on-premises Active Directory.
Reference https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn
Question 12 of 65
You have an Active Directory forest that syncs to an Azure Active Directory (Azure AD) tenant. You discover that when a user account is disabled in Active Directory, the disabled user can still authenticate to Azure AD for up to 30 minutes. You need to ensure that when a user account is disabled in Active Directory, the user account is immediately prevented from authenticating to Azure AD. Solution: You configure Azure AD Password Protection. Does this meet the goal?
Azure AD Password Protection – With this feature, you can apply the same password checks used in Azure AD to your on-premises Active Directory implementation. You can enforce both the Microsoft global banned-password list and the custom banned-password list stored in the Azure AD tenant. The DC agent software must be installed on all DCs in a domain.
Reference https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad
Question 13 of 65
You have an Azure Active Directory (Azure AD) tenant that syncs to an Active Directory forest. You discover that when a user account is disabled in Active Directory, the disabled user can still authenticate to Azure AD for up to 30 minutes. You need to ensure that when a user account is disabled in Active Directory, the user account is immediately prevented from authenticating to Azure AD. Solution: You configure conditional access policies. Does this meet the goal?
Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. It uses a lightweight on-premises agent that listens for and responds to password validation requests. If the user account is disabled on-premises, the user cannot sign in.
Reference https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn
Question 14 of 65
You have an Azure Active Directory (Azure AD) tenant that contains the following objects.
– A device named Device1
– Users named User1, User2, User3, User4, and User5
– Five groups named Group1, Group2, Group3, Group4, and Group5
The groups are configured as shown in the following table.
How many licenses are used if you assign the Microsoft 365 Enterprise E5 license to Group1?
Use group-based licensing with dynamic groups
You can use group-based licensing with any security group, which means it can be combined with Azure AD dynamic groups. Dynamic groups run rules against user resource attributes to automatically add and remove users from groups.
For example, you can create a dynamic group for some set of products you want to assign to users. Each group is populated by a rule that adds users by their attributes, and each group is assigned the licenses that you want its members to receive. You can assign the attribute on-premises and sync it with Azure AD, or you can manage the attribute directly in the cloud.
Licenses are assigned to the user shortly after they are added to the group. When the attribute is changed, the user leaves the group and the licenses are removed.
Reference https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/licensing-group-advanced#limitations-and-known-issues
Question 15 of 65
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains an Azure AD enterprise application named App1. A contractor uses the credentials of [email protected]. You need to ensure that you can provide the contractor with access to App1. The contractor must be able to authenticate as [email protected]. What should you do?
Question 16 of 65
Your network contains an Active Directory forest named contoso.com that is linked to an Azure Active Directory (Azure AD) tenant named contoso.com by using Azure AD Connect. You need to prevent the synchronization of users who have the extensionAttribute15 attribute set to NoSync. What should you do in Azure AD Connect?
Question 17 of 65
Your network contains an on-premises Active Directory domain that syncs to an Azure Active Directory (Azure AD) tenant. The tenant contains the users shown in the following table.
All the users work remotely.
Azure AD Connect is configured in Azure AD as shown in the following exhibit.
Connectivity from the on-premises domain to the internet is lost.
Which users can sign in to Azure AD?
Pass-through authentication is configured, so a synced user will try to authenticate against the local AD and will be unable to authenticate because of the internet outage.
Only cloud-only users (User1 and User3) can be authenticated.
When the connection to on-premises is lost, PTA no longer works. The failover to Password Hash Synchronization is not automatic and must be configured manually in Azure AD Connect. If the connection to on-premises is lost and the Azure AD Connect server runs on-premises, User2 cannot sign in.
Enabling Password Hash Synchronization gives you the option to fail over authentication if your on-premises infrastructure is disrupted. This failover from Pass-through Authentication to Password Hash Synchronization is not automatic. You'll need to switch the sign-in method manually using Azure AD Connect. If the server running Azure AD Connect goes down, you'll require help from Microsoft Support to turn off Pass-through Authentication.
Reference https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-current-limitations https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-faq#does-password-hash-synchronization-act-as-a-fallback-to-pass-through-authentication
Question 18 of 65
Your network contains an on-premises Active Directory domain named contoso.com. The domain contains the objects shown in the following table.
You install Azure AD Connect. You configure the Domain and OU filtering settings as shown in the Domain and OU Filtering exhibit.
You configure the Filter users and devices settings as shown in the Filter Users and Devices exhibit.
For each of the following statements, choose Yes if the statement is true. Otherwise, choose No.
Question 19 of 65
You have an Azure Active Directory (Azure AD) tenant named contoso.com. You need to ensure that Azure AD External Identities pricing is based on monthly active users (MAU). What should you configure?
Question 20 of 65
You have a new Microsoft 365 tenant that uses a domain name of contoso.onmicrosoft.com. You register the name contoso.com with a domain registrar. You need to use contoso.com as the default domain name for new Microsoft 365 users. Which four actions should you perform? To answer, choose the appropriate options from the list of actions.
The contoso.onmicrosoft.com domain cannot be deleted. After you add the custom domain, the TXT record must be created at the DNS registrar; once the TTL has elapsed, the domain is verified in the Azure AD portal. After it is verified successfully, you can set it as the primary domain. The correct sequence is: 1. Add a custom domain name of contoso.com. 2. Create a new TXT record in DNS. 3. Successfully verify the domain name. 4. Set the domain to primary.
Reference https://practical365.com/configure-a-custom-domain-in-office-365/
Question 21 of 65
21. Question
You have an Azure Active Directory (Azure AD) tenant that has an Azure Active Directory Premium Plan 2 license. The tenant contains the users shown in the following table.
You have the Device Settings shown in the following exhibit.
User1 has the devices shown in the following table.
For each of the following statements, choose Yes if the statement is true. Otherwise, choose No.
You have an Azure Active Directory (Azure AD) tenant that has Security defaults disabled.
You are creating a conditional access policy as shown in the following exhibit.
Select the answer choice that completes each statement based on the information presented in the graphic. Each setting may be used once.
You have an Azure Active Directory (Azure AD) tenant that contains a user named SecAdmin1. SecAdmin1 is assigned the Security administrator role. SecAdmin1 reports that she cannot reset passwords from the Azure AD Identity Protection portal. You need to ensure that SecAdmin1 can manage passwords and invalidate sessions on behalf of non-administrative users. The solution must use the principle of least privilege. Which role should you assign to SecAdmin1?
You have a Microsoft 365 tenant. All users have mobile phones and laptops. The users frequently work from remote locations that do not have Wi-Fi access or mobile phone connectivity. While working from the remote locations, the users connect their laptop to a wired network that has internet access. You plan to implement multi-factor authentication (MFA). Which MFA authentication method can the users use from the remote location?
Correct
In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. After an initial two-step verification of the user during enrollment, Windows Hello is set up on the user's device and Windows asks the user to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Windows Hello to authenticate users. Incorrect answers: A: The Microsoft Authenticator app requires a mobile phone that runs Android or iOS and has connectivity. B: An app password can be used to open an application, but it cannot be used to sign in to a computer. D: SMS requires a mobile phone. Reference https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-overview
Question 27 of 65
27. Question
You configure a new Microsoft 365 tenant to use a default domain name of contoso.com. You need to ensure that you can control access to Microsoft 365 resources by using conditional access policies. What should you do first?
Your company has a Microsoft 365 tenant. The company has a call center that contains 300 users. In the call center, the users share desktop computers and might use a different computer every day. The call center computers are NOT configured for biometric identification. The users are prohibited from having a mobile phone in the call center. You need to require multi-factor authentication (MFA) for the call center users when they access Microsoft 365 services. What should you include in the solution?
You have an Azure Active Directory (Azure AD) tenant named contoso.com. All users who run applications registered in Azure AD are subject to conditional access policies. You need to prevent the users from using legacy authentication. What should you include in the conditional access policies to filter out legacy authentication attempts?
Correct
Directly blocking legacy authentication: The easiest way to block legacy authentication across your entire organization is by configuring a Conditional Access policy that applies specifically to legacy authentication clients and blocks access.
Indirectly blocking legacy authentication: Client apps – By default, all newly created Conditional Access policies will apply to all client app types even if the client apps condition is not configured.
Reference https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication
Question 30 of 65
30. Question
You have an Azure Active Directory (Azure AD) tenant that contains an administrative unit named Department1.
Department1 has the users shown in the Users exhibit.
Department1 has the groups shown in the Groups exhibit.
Department1 has the User Administrator assignments shown in the Assignments exhibit.
The members of Group2 are shown in the Group2 exhibit.
For each of the following statements, choose Yes if the statement is true. Otherwise, choose No.
You have a Microsoft 365 tenant. All users have computers that run Windows 10. Most computers are company-owned and joined to Azure Active Directory (Azure AD). Some computers are user- owned and are only registered in Azure AD. You need to prevent users who connect to Microsoft SharePoint Online on their user-owned computer from downloading or syncing files. Other users must NOT be restricted. Which policy type should you create?
Correct
The first step is to create a Conditional Access policy with Session controls configured in Azure AD, then create a Session Policy in Cloud App Security: https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-blocking-data-downloads-via-microsoft-cloud-app/ba-p/326357 App-enforced restrictions give the ability to restrict unmanaged devices from downloading/printing/syncing data. You need to use app enforced restrictions from the Session control of the Conditional Access policy. Incorrect answers: A and D: both wrong, as Microsoft Cloud App Security (MCAS) relies on Azure AD conditional access policies. C: There are no "client apps conditions" under Conditional Access Policy. Reference https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices
Question 33 of 65
33. Question
You have an Active Directory domain that syncs to an Azure Active Directory (Azure AD) tenant. The on-premises network contains a VPN server that authenticates to the on-premises Active Directory domain. The VPN server does NOT support Azure Multi-Factor Authentication (MFA). You need to recommend a solution to provide Azure MFA for VPN connections. What should you include in the recommendation?
Correct
NPS (Network Policy and Access Service) acts as an intermediary between the VPN client and Azure MFA. The NPS role is installed on a domain-joined server or the domain controller and is configured to authenticate and authorize RADIUS requests from the VPN client. The VPN should be configured to use RADIUS authentication and point to the NPS server. The MFA NPS extension is installed anywhere but the VPN server. When a user/VPN client attempts to authenticate, it sends a RADIUS request to the NPS server through the VPN, which performs the primary authentication and then triggers the NPS extension for secondary authentication. Reference https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn
Question 34 of 65
34. Question
You have a Microsoft 365 tenant.
The Azure Active Directory (Azure AD) tenant is configured to sync with an on-premises Active Directory domain. The domain contains the servers shown in the following table.
The domain controllers are prevented from communicating to the internet.
You implement Azure AD Password Protection on Server1 and Server2.
You deploy a new server named Server4 that runs Windows Server 2019.
You need to ensure that Azure AD Password Protection will continue to work if a single server fails.
What should you implement on Server4?
You have a Microsoft 365 E5 tenant. You purchase a cloud app named App1. You need to enable real-time session-level monitoring of App1 by using Microsoft Cloud App Security. In which order should you perform the following actions? To answer, choose the appropriate options from the list of actions using the order of letters.
A – From Microsoft Cloud App Security, create a session policy.
B – Publish App1 in Azure Active Directory (Azure AD).
C – Create a conditional access policy that has session controls configured.
D – From Microsoft Cloud App Security, modify the Connected apps settings for App1.
You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.
You plan to implement Azure AD Identity Protection.
Which users can configure the user risk policy, and which users can view the risky users report?
To answer, choose the appropriate options in the answer area. Each answer option may be used once.
Correct
Configure the user risk policy: User3 (Security Administrator)
View the risky users report: User3 and User4 (Security Administrator and Security Operator)
Conditional Access Administrator
– Does not have access to Identity Protection | User risk policy
– Does not have "Grants access to Risky Users Report"
Authentication Administrator
– Does not have access to Identity Protection | User risk policy
– Does not have "Grants access to Risky Users Report"
Security Administrator
– Has update access to Identity Protection | User risk policy
microsoft.directory/identityProtection/allProperties/update = Update all resources in Azure AD Identity Protection
– Grants access to Risky Users Report
Security Operator
– Has only read access to Identity Protection | User risk policy
microsoft.directory/identityProtection/allProperties/allTasks = Create and delete all resources, and read and update standard properties in Azure AD Identity Protection
– Grants access to Risky Users Report
Users who can set up policies have the Security Administrator or Global Administrator role. According to the given link https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection, a Security Operator can view all Identity Protection reports and the overview blade, dismiss user risk, confirm safe sign-in and confirm compromise, but can't configure or change policies or configure alerts.
Reference https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection#permissions https://docs.microsoft.com/en-us/learn/modules/manage-azure-active-directory-identity-protection/2-review-identity-protection-basics
Question 37 of 65
37. Question
You have a Microsoft 365 tenant. All users must use the Microsoft Authenticator app for multi-factor authentication (MFA) when accessing Microsoft 365 services. Some users report that they received an MFA prompt on their Microsoft Authenticator app without initiating a sign-in request. You need to block the users automatically when they report an MFA request that they did not initiate. Solution: From the Azure portal, you configure the Notifications settings for multi-factor authentication (MFA). Does this meet the goal?
You have a Microsoft 365 tenant. All users must use the Microsoft Authenticator app for multi-factor authentication (MFA) when accessing Microsoft 365 services. Some users report that they received an MFA prompt on their Microsoft Authenticator app without initiating a sign-in request. You need to block the users automatically when they report an MFA request that they did not initiate. Solution: From the Azure portal, you configure the Account lockout settings for multi-factor authentication (MFA). Does this meet the goal?
You have a Microsoft 365 tenant. All users must use the Microsoft Authenticator app for multi-factor authentication (MFA) when accessing Microsoft 365 services. Some users report that they received an MFA prompt on their Microsoft Authenticator app without initiating a sign-in request. You need to block the users automatically when they report an MFA request that they did not initiate. Solution: From the Azure portal, you configure the Fraud alert settings for multi-factor authentication (MFA). Does this meet the goal?
Correct
The fraud alert feature lets users report fraudulent attempts to access their resources. When an unknown and suspicious MFA prompt is received, users can report the fraud attempt using the Microsoft Authenticator app or through their phone. The following fraud alert configuration options are available:
• Automatically block users who report fraud.
• Code to report fraud during initial greeting.
Reference https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#fraud-alert
Question 40 of 65
40. Question
You have a Microsoft 365 tenant. All users must use the Microsoft Authenticator app for multi-factor authentication (MFA) when accessing Microsoft 365 services. Some users report that they received an MFA prompt on their Microsoft Authenticator app without initiating a sign-in request. You need to block the users automatically when they report an MFA request that they did not initiate. Solution: From the Azure portal, you configure the Block/unblock users settings for multi-factor authentication (MFA). Does this meet the goal?
You have a Microsoft 365 tenant.
You have 100 IT administrators who are organized into 10 departments.
You create the access review shown in the following exhibit.
You discover that all access review requests are received by Megan Bowen.
You need to ensure that the manager of each department receives the access reviews of their respective department.
Solution: You add each manager as a fallback reviewer.
Does this meet the goal?
You have a Microsoft 365 tenant. The Azure Active Directory (Azure AD) tenant syncs to an on-premises Active Directory domain. Users connect to the internet by using a hardware firewall at your company. The users authenticate to the firewall by using their Active Directory credentials. You plan to manage access to external applications by using Azure AD. You need to use the firewall logs to create a list of unmanaged external applications and the users who access them. What should you use to gather the information?
You have an Azure Active Directory (Azure AD) tenant that uses conditional access policies. You plan to use third-party security information and event management (SIEM) to analyze conditional access usage. You need to download the Azure AD log by using the administrative portal. The log file must contain changes to conditional access policies. What should you export from Azure AD?
You have an Azure Active Directory (Azure AD) tenant that contains Azure AD Privileged Identity Management (PIM) role settings for the User administrator role as shown in the following exhibit.
Select the answer choice that completes each statement based on the information presented in the graphic.
You have a Microsoft 365 tenant.
You have 100 IT administrators who are organized into 10 departments.
You create the access review shown in the following exhibit.
You discover that all access review requests are received by Megan Bowen.
You need to ensure that the manager of each department receives the access reviews of their respective department.
Solution: You create a separate access review for each role.
Does this meet the goal?
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains a user named User1.
User1 has the devices shown in the following table.
On November 5, 2020, you create and enforce terms of use in contoso.com that has the following settings:
• Name: Terms1
• Display name: Contoso terms of use
• Require users to expand the terms of use: On
• Require users to consent on every device: On
• Expire consents: On
• Expire starting on: December 10, 2020
• Frequency: Monthly
On November 15, 2020, User1 accepts Terms1 on Device3.
For each of the following statements, choose Yes if the statement is true. Otherwise, choose No.
Correct
Box 1: Yes, because User1 has not yet accepted the terms on Device1, which is registered in contoso.com.
Box 2: Yes, because User1 has not yet accepted the terms on Device2. User1 will be prompted to register the device before the terms can be accepted. "The terms of use will be enforced immediately and users will be required to re-consent on this date." Device2 hasn't registered the terms yet and will be asked to do it on December 11, 2020.
Box 3: No, because User1 has already accepted the terms on Device3. The terms do not expire until December 10 and then monthly after that.
Reference https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/terms-of-use
Question 48 of 65
48. Question
Your company recently implemented Azure Active Directory (Azure AD) Privileged Identity Management (PIM). While you review the roles in PIM, you discover that all 15 users in the IT department at the company have permanent security administrator rights. You need to ensure that the IT department users only have access to the Security administrator role when required. What should you configure for the Security administrator role assignment?
Correct
The best way to read this question is "What should you configure FIRST for the Security administrator role assignment?" You should set the Assignment type to Eligible, so the admins can request the role in future for a limited time, based on the role setting "Activation maximum duration (hours): 8 (by default)". Only then would you set Expire active assignments after from the Role settings details. Eligible role user permissions:
• Request activation of a role that requires approval
• View the status of your request to activate
• Complete your task in Azure AD if activation was approved
Reference https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
Question 49 of 65
49. Question
You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.
User1 is the owner of Group1.
You create an access review that has the following settings:
• Users to review: Members of a group
• Scope: Everyone
• Group: Group1
• Reviewers: Members (self)
Which users can perform access reviews for User3?
Correct
With Reviewers set to Members (self), each member reviews their own membership of Group1, so only User3 can perform the access review for User3. User1, although the owner of Group1, would be a reviewer only if Group owner(s) or Selected users or groups had been chosen. Azure AD Premium P2 licensing covers all of the following reviewer scenarios, so User3 can self-review whether they are a guest or a member user:
• Guest users who are assigned as reviewers
• Guest users who perform a self-review
• Guest users as group owners who perform an access review
• Guest users as application owners who perform an access review
• Member users who are assigned as reviewers
• Member users who perform a self-review
• Member users as group owners who perform an access review
• Member users as application owners who perform an access review
Reference https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-start-security-review
Question 50 of 65
50. Question
You have an Azure Active Directory (Azure AD) tenant. You configure self-service password reset (SSPR) by using the following settings: * Require users to register when signing in: Yes * Number of methods required to reset: 1 What is a valid authentication method available to users?
You have a Microsoft 365 tenant that uses the domain named fabrikam.com. The Guest invite settings for Azure Active Directory (Azure AD) are configured as shown in the following exhibit.
A user named [email protected] shares a Microsoft SharePoint Online document library to the users shown in the following table.
Which users will be emailed a passcode?
Correct
When the email one-time passcode feature is enabled, newly invited users who meet certain conditions will use one-time passcode authentication. Guest users who redeemed an invitation before email one-time passcode was enabled will continue to use their same authentication method.
User1 is already a redeemed guest user in fabrikam.com, so User1 keeps the existing authentication method and does not receive a passcode.
User2 has never accessed fabrikam.com and has no Azure AD account, Microsoft account, or federated identity provider for the e-mail address, so User2 is emailed a one-time passcode each time they sign in.
User3 will not receive a passcode because they sign in with an existing directory account; the one-time passcode is used only when the invitee has no other way to authenticate.
Reference https://docs.microsoft.com/en-us/azure/active-directory/external-identities/one-time-passcode#when-does-a-guest-user-get-a-one-time-passcode
Question 52 of 65
52. Question
You have an Azure subscription that contains the resources shown in the following table.
For which resources can you create an access review?
You have a Microsoft 365 tenant. You need to identify users who have leaked credentials. The solution must meet the following requirements: • Identify sign-ins by users who are suspected of having leaked credentials. • Flag the sign-ins as a high-risk event. • Immediately enforce a control to mitigate the risk, while still allowing the user to access applications. What should you use? To answer, choose the appropriate options in the answer area.
You use Azure Monitor to analyze Azure Active Directory (Azure AD) activity logs. You receive more than 100 email alerts each day for failed Azure AD user sign-in attempts. You need to ensure that a new security administrator receives the alerts instead of you. Solution: From Azure AD, you create an assignment for the Insights administrator role. Does this meet the goal?
You have a Microsoft 365 tenant. The Azure Active Directory (Azure AD) tenant syncs to an on-premises Active Directory domain. You plan to create an emergency-access administrative account named Emergency1. Emergency1 will be assigned the Global administrator role in Azure AD. Emergency1 will be used in the event of Azure AD functionality failures and on-premises infrastructure failures. You need to reduce the likelihood that Emergency1 will be prevented from signing in during an emergency. What should you do?
Correct
Monitor sign-in and audit logs – Organizations should monitor sign-in and audit log activity from the emergency accounts and trigger notifications to other administrators. When you monitor the activity on break-glass accounts, you can verify that these accounts are used only for testing or actual emergencies. You can use Azure Log Analytics to monitor the sign-in logs and trigger email and SMS alerts to your admins whenever a break-glass account signs in. To keep Emergency1 usable when the dependencies fail, create it as a cloud-only account in the default *.onmicrosoft.com domain (not synchronized from or federated with the on-premises domain, so an on-premises outage cannot block its sign-in) and exclude it from Conditional Access policies and from any MFA requirement that depends on a phone, device or on-premises service.
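The alerting step described above, as an added example that is not code from the original page or from Microsoft: it does offline what a Log Analytics alert rule over the Azure AD SigninLogs table does, so the matching logic can be checked against constructed records. The account names, object IDs, IP addresses and log rows are all made up for the example, and the KQL string is the equivalent query such a rule would run.

```python
"""Alert on any sign-in by an emergency-access (break-glass) account.

Added example; not code from the original page or from Microsoft.
It does offline what a Log Analytics alert rule over the Azure AD SigninLogs
table does, so the matching logic can be checked against constructed records.
The account names, object IDs, IP addresses and log rows are all made up.
"""
import json

# Hypothetical break-glass accounts: cloud-only *.onmicrosoft.com identities.
# Matching on object ID as well as UPN means a UPN rename cannot silence the alert.
BREAK_GLASS_ACCOUNTS = {
    "emergency1@contoso.onmicrosoft.com": "11111111-1111-1111-1111-111111111111",
    "emergency2@contoso.onmicrosoft.com": "22222222-2222-2222-2222-222222222222",
}

# The equivalent KQL for a scheduled alert rule on the SigninLogs table.
KQL_QUERY = """
SigninLogs
| where UserId in ("11111111-1111-1111-1111-111111111111",
                   "22222222-2222-2222-2222-222222222222")
| project TimeGenerated, UserPrincipalName, UserId, ResultType, IPAddress, AppDisplayName
""".strip()

# Constructed sample: one SigninLogs row per line, with only the fields used here.
# ResultType "0" is a successful sign-in; other values are Azure AD error codes.
SAMPLE_SIGNIN_LOGS = "\n".join(json.dumps(row) for row in [
    {"TimeGenerated": "2023-05-01T08:00:00Z", "UserPrincipalName": "alice@contoso.com",
     "UserId": "aaaaaaaa-0000-0000-0000-000000000001", "ResultType": "0",
     "IPAddress": "203.0.113.10", "AppDisplayName": "Office 365 Exchange Online"},
    {"TimeGenerated": "2023-05-01T08:05:00Z", "UserPrincipalName": "Emergency1@contoso.onmicrosoft.com",
     "UserId": "11111111-1111-1111-1111-111111111111", "ResultType": "0",
     "IPAddress": "198.51.100.7", "AppDisplayName": "Azure Portal"},
    {"TimeGenerated": "2023-05-01T08:06:00Z", "UserPrincipalName": "bob@contoso.com",
     "UserId": "aaaaaaaa-0000-0000-0000-000000000002", "ResultType": "50126",
     "IPAddress": "203.0.113.11", "AppDisplayName": "Azure Portal"},
    {"TimeGenerated": "2023-05-01T08:07:00Z", "UserPrincipalName": "bg-admin@contoso.onmicrosoft.com",
     "UserId": "22222222-2222-2222-2222-222222222222", "ResultType": "50126",
     "IPAddress": "192.0.2.9", "AppDisplayName": "Azure Portal"},
])


def parse_signin_logs(text):
    """Parse newline-delimited JSON rows; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def find_break_glass_signins(records, accounts=BREAK_GLASS_ACCOUNTS):
    """Return one alert per sign-in row attributable to a break-glass account.

    Failed attempts are reported too: a burst of failures against an account
    that should never be used is a sign that someone is probing it.
    """
    upns = {upn.lower() for upn in accounts}
    object_ids = set(accounts.values())
    alerts = []
    for row in records:
        upn = str(row.get("UserPrincipalName", "")).lower()
        if upn not in upns and row.get("UserId") not in object_ids:
            continue
        result = str(row.get("ResultType", ""))
        alerts.append({
            "time": row.get("TimeGenerated"),
            "account": upn or row.get("UserId"),
            "object_id": row.get("UserId"),
            "outcome": "success" if result == "0" else f"failure:{result}",
            "ip": row.get("IPAddress"),
            "app": row.get("AppDisplayName"),
        })
    return alerts


def summarize(alerts):
    """Count successes and failures per account, for the notification body."""
    summary = {}
    for alert in alerts:
        key = alert["object_id"] or alert["account"]
        entry = summary.setdefault(key, {"success": 0, "failure": 0})
        entry["success" if alert["outcome"] == "success" else "failure"] += 1
    return summary


if __name__ == "__main__":
    for alert in find_break_glass_signins(parse_signin_logs(SAMPLE_SIGNIN_LOGS)):
        print(alert)
```

Matching on the object ID is what catches the last sample row: the account was renamed to a different UPN, but it is still the break-glass identity and the failed attempt against it is still reported.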
Question 56 of 65
56. Question
You have an Azure Active Directory (Azure AD) tenant named contoso.com that has Azure AD Identity Protection enabled. You need to implement a sign-in risk remediation policy without blocking user access. What should you do first?
You have a Microsoft 365 tenant. In Azure Active Directory (Azure AD), you configure the terms of use. You need to ensure that only users who accept the terms of use can access the resources in the tenant. Other users must be denied access. What should you configure?
Your company has an Azure Active Directory (Azure AD) tenant named contoso.com. The company has a business partner named Fabrikam, Inc. Fabrikam uses Azure AD and has two verified domain names of fabrikam.com and litwareinc.com. Both domain names are used for Fabrikam email addresses. You plan to create an access package named package1 that will be accessible only to the users at Fabrikam. You create a connected organization for Fabrikam. You need to ensure that the package1 will be accessible only to users who have fabrikam.com email addresses. What should you do? To answer, choose the appropriate options in the answer area.
You have a Microsoft 365 tenant.
You have 100 IT administrators who are organized into 10 departments.
You create the access review shown in the following exhibit.
You discover that all access review requests are received by Megan Bowen.
You need to ensure that the manager of each department receives the access reviews of their respective department.
Solution: You set Reviewers to Member (self).
Does this meet the goal?
Correct
Members (self) – Use this option to have the users review their own role assignments. Groups assigned to the role will not be a part of the review when this option is selected. This option is only available if the review is scoped to Users and Groups.
With Members (self), each of the 100 administrators reviews their own access, so the department managers never receive the review requests and the solution does not meet the goal. Megan Bowen also remains configured as the fallback reviewer, so she can still receive reviews.
Reference https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review
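Reviewer selection for Questions 49 and 59 above, as an added example that is not code from the original page or Microsoft's own: it models the Reviewers options an Azure AD access review offers (Members (self), Managers of users, Group owner(s), Selected users or groups) and the fallback reviewer, which receives a user's review only when the primary reviewer cannot be resolved, for example a user with no manager attribute. The users, managers, departments and group owners are constructed sample data.

```python
"""Resolve which reviewers receive each user's access review request.

Added example; not code from the original page or from Microsoft.
It models the Reviewers options of an Azure AD access review and the fallback
reviewer, which is used only when the primary reviewer cannot be resolved.
Users, managers, departments and group owners below are constructed sample data.
"""
from collections import Counter

MEMBERS_SELF = "Members (self)"
MANAGERS_OF_USERS = "Managers of users"
GROUP_OWNERS = "Group owner(s)"
SELECTED_REVIEWERS = "Selected users or groups"

# Constructed directory: four of the administrators from the question, with the
# manager attribute deliberately empty for one of them.
USERS = [
    {"upn": "adele@contoso.com", "department": "Dept1", "manager": "manager1@contoso.com"},
    {"upn": "alex@contoso.com", "department": "Dept1", "manager": "manager1@contoso.com"},
    {"upn": "diego@contoso.com", "department": "Dept2", "manager": "manager2@contoso.com"},
    {"upn": "grady@contoso.com", "department": "Dept2", "manager": None},
]
FALLBACK_REVIEWER = "megan.bowen@contoso.com"


def resolve_reviewers(users, reviewers, selected=(), group_owners=(), fallback=None):
    """Return {reviewed user's UPN: [reviewer UPNs]} for one access review."""
    assignment = {}
    for user in users:
        if reviewers == MEMBERS_SELF:
            primary = [user["upn"]]  # each user reviews their own access
        elif reviewers == MANAGERS_OF_USERS:
            primary = [user["manager"]] if user.get("manager") else []
        elif reviewers == GROUP_OWNERS:
            primary = list(group_owners)
        elif reviewers == SELECTED_REVIEWERS:
            primary = list(selected)
        else:
            raise ValueError(f"unknown reviewers option: {reviewers!r}")
        if not primary and fallback:
            primary = [fallback]  # fallback only when nothing resolved
        assignment[user["upn"]] = primary
    return assignment


def review_load(assignment):
    """How many review requests each reviewer receives."""
    load = Counter()
    for reviewer_list in assignment.values():
        load.update(reviewer_list)
    return dict(load)


def can_review(reviewer, reviewed_user, assignment):
    """True if `reviewer` is one of the reviewers for `reviewed_user`."""
    return reviewer in assignment.get(reviewed_user, [])


if __name__ == "__main__":
    # Question 49: Group1 reviewed with Members (self) -> only User3 reviews
    # User3, even though User1 owns the group.
    group1 = [{"upn": "user3@contoso.com", "manager": None}]
    print(resolve_reviewers(group1, MEMBERS_SELF, group_owners=["user1@contoso.com"]))
    # Question 59: Members (self) sends nothing to the managers; Managers of
    # users does, with the fallback reviewer covering the user who has none.
    print(review_load(resolve_reviewers(USERS, MEMBERS_SELF, fallback=FALLBACK_REVIEWER)))
    print(review_load(resolve_reviewers(USERS, MANAGERS_OF_USERS, fallback=FALLBACK_REVIEWER)))
```

Running the script shows why the proposed solution fails: with Members (self) every administrator reviews themselves and no manager receives anything, whereas Managers of users routes each request to the user's manager and only the administrator without a manager attribute falls through to Megan Bowen.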
Question 60 of 65
60. Question
You have an Azure Active Directory (Azure AD) tenant that has the default App registrations settings. The tenant contains the users shown in the following table.
You purchase two cloud apps named App1 and App2. The global administrator registers App1 in Azure AD.
You need to identify who can assign users to App1, and who can register App2 in Azure AD.
What should you identify?
To answer, choose the appropriate options.
You have a Microsoft 365 tenant. The Sign-ins activity report shows that an external contractor signed in to the Exchange admin center. You need to review access to the Exchange admin center at the end of each month and block sign-ins if required. What should you create?
Correct
An access package that targets users outside your directory and an access package that targets users in your directory – An access package is a bundle of resources that a team or project needs and is governed with policies. Access packages are defined in containers called catalogs. To reduce the risk of stale access, you should enable periodic reviews of users who have active assignments to an access package in Azure AD entitlement management; this reviews package assignments, not the contractor's existing access to the Exchange admin center.
A group-based access review that targets guest users – You can scope a recurring (monthly) access review to the guest users in a group and apply the results so that guests whose access is denied are removed.
An application-based access review that targets guest users – The contractor is not signing in to an enterprise application; access to the Exchange admin center comes from a privileged role assignment, so an application-based review does not cover it.
Therefore, a group-based access review that targets guest users is the correct answer. Reference https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
Question 63 of 65
63. Question
You have an Azure Active Directory (Azure AD) tenant named contoso.com. You implement entitlement management to provide resource access to users at a company named Fabrikam, Inc. Fabrikam uses a domain named fabrikam.com. Fabrikam users must be removed automatically from the tenant when access is no longer required. You need to configure the following settings: • Block external user from signing in to this directory: No • Remove external user: Yes • Number of days before removing external user from this directory: 90 What should you configure on the Identity Governance blade?
You have an Azure Active Directory (Azure AD) tenant named contoso.com that has Azure AD Identity Protection policies enforced. You create an Azure Sentinel instance and configure the Azure Active Directory connector. You need to ensure that Azure Sentinel can generate incidents based on the risk alerts raised by Azure AD Identity Protection. What should you do first?
Your company requires that users request access before they can access corporate applications. You register a new enterprise application named MyApp1 in Azure Active Directory (Azure AD) and configure single sign-on (SSO) for MyApp1. Which settings should you configure next for MyApp1?