Printed by BoltPDF (c) NCH Software. Free for non-commercial use only.

Every new Azure AD tenant comes with an initial domain name, domainname.onmicrosoft.com. You can't change or delete the initial domain name, but you can add your organization's names to the list. Adding custom domain names lets you create user names that are familiar to your users.
References: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain

QUESTION 3
HOTSPOT
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. You add the users in the following table.
Which user can perform each configuration? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: (none)
Explanation/Reference:
Explanation:
Box 1: User1 only.
User1: The Owner role lets you manage everything, including access to resources.
Not User3: The Network Contributor role lets you manage networks, but not access to them.
Box 2: User1 and User2 only.
The Security Admin role: In Security Center only: can view security policies, view security states, edit security policies, view alerts and recommendations, dismiss alerts and recommendations.
Reference: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

QUESTION 4
You have an Azure subscription named Subscription1 and two Azure Active Directory (Azure AD) tenants named Tenant1 and Tenant2. Subscription1 is associated to Tenant1. Multi-factor authentication (MFA) is enabled for all the users in Tenant1.
You need to enable MFA for the users in Tenant2. The solution must maintain MFA for Tenant1.
What should you do first?
A. Change the directory for Subscription1.
B. Configure the MFA Server setting in Tenant1.
C. Create and link a subscription to Tenant2.
D. Transfer the administration of Subscription1 to a global administrator of Tenant2.
Correct Answer: C
Section: (none)
Explanation/Reference:

QUESTION 5
HOTSPOT
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains the users shown in the following table.
You enable password reset for contoso.onmicrosoft.com as shown in the Password Reset exhibit. (Click the Password Reset tab.)
You configure the authentication methods for password reset as shown in the Authentication Methods exhibit. (Click the Authentication Methods tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: (none)
Explanation/Reference:
Explanation:
Box 1: No. Two methods are required.
Box 2: No. Self-service password reset is only enabled for Group2, and User1 is not a member of Group2.
Box 3: Yes. As a User Administrator, User3 can add security questions to the reset process.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/quickstart-sspr
https://docs.microsoft.com/en-us/azure/active-directory/authentication/active-directory-passwords-faq

QUESTION 6
You have an Azure Active Directory (Azure AD) tenant. All administrators must enter a verification code to access the Azure portal.
You need to ensure that the administrators can access the Azure portal without entering a verification code when they are connecting from your on-premises network.
What should you configure?
A. an Azure AD Identity Protection user risk policy
B. the multi-factor authentication service settings
C. the default for all the roles in Azure AD Privileged Identity Management
D. an Azure AD Identity Protection sign-in risk policy
Correct Answer: B
Section: (none)
Explanation/Reference:
Explanation:
The trusted IPs feature in the multi-factor authentication service settings skips the verification prompt for sign-ins that come from the public IP address ranges you list, such as the egress addresses of your on-premises network. Only list address ranges you control; every sign-in from them is exempted from the second factor.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings

QUESTION 7
You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to grant three users named User1, User2, and User3 access to a temporary Microsoft SharePoint document library named Library1.
You need to create groups for the users. The solution must ensure that the groups are deleted automatically after 180 days.
Which two groups should you create? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. a Security group that uses the Assigned membership type
B. an Office 365 group that uses the Assigned membership type
C. an Office 365 group that uses the Dynamic User membership type
D. a Security group that uses the Dynamic User membership type
E. a Security group that uses the Dynamic Device membership type
Correct Answer: BC
Section: (none)
Explanation/Reference:
Explanation:
You can set an expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).
Note: With the increase in usage of Office 365 Groups, administrators and users need a way to clean up unused groups.
Expiration policies can help remove inactive groups from the system and make things cleaner. When a group expires, all of its associated services (the mailbox, Planner, SharePoint site, etc.) are also deleted.
You can set up a rule for dynamic membership on security groups or Office 365 groups, so the membership type (Assigned or Dynamic User) does not restrict the choice; only the group type does.
Incorrect Answers:
A, D, E: You can set an expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).
References: https://docs.microsoft.com/en-us/office365/admin/create-groups/office-365-groups-expiration-policy?view=o365-worldwide

QUESTION 8
You have an Azure subscription. You enable multi-factor authentication for all users.
Some users report that the email applications on their mobile device cannot connect to their Microsoft Exchange Online mailbox. The users can access Exchange Online by using a web browser and from Microsoft Outlook 2016 on their computer.
You need to ensure that the users can use the email applications on their mobile device.
What should you instruct the users to do?
A. Reinstall the Microsoft Authenticator app.
B. Create an app password.
C. Enable self-service password reset.
D. Reset the Azure Active Directory (Azure AD) password.
Correct Answer: B
Section: (none)
Explanation/Reference:
Explanation:
If you're enabled for multi-factor authentication, make sure that you have set up app passwords. Mail clients that use legacy (basic) authentication cannot complete an MFA prompt, so they need an app password; the browser and Outlook 2016 support modern authentication and prompt for the second factor directly. An app password exempts that one client from MFA, so prefer a mail app that supports modern authentication where possible.
Note: During your initial two-factor verification registration process, you're provided with a single app password. If you require more than one, you'll have to create them yourself. Go to the Additional security verification page.
References:
https://docs.microsoft.com/en-us/office365/troubleshoot/sign-in/sign-in-to-office-365-azure-intune
https://docs.microsoft.com/sv-se/azure/active-directory/user-help/multi-factor-authentication-end-user-app-
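The Question 3 explanation turns on how Azure RBAC grants and excludes operations: Owner can manage access, Network Contributor can manage networks but not access. The following added example is not part of the original dump. It evaluates Actions/NotActions permission strings the way Azure does (case-insensitive, with `*` spanning path segments) and shows that NotActions only carve out of a role's own Actions and are not a deny rule. The role definitions are abridged from the documented built-in roles, the User1/User2/User3 assignments are an assumption inferred from the explanation (the table is not on the page), and scope, DataActions and deny assignments are left out.

```python
"""Azure RBAC control-plane evaluation: Actions/NotActions with '*' wildcards.

Constructed example for Question 3. Role definitions are abridged from the documented
built-in roles; the User1/User2/User3 assignments are inferred from the explanation.
Scope, DataActions and deny assignments are out of scope here.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: Tuple[str, ...]
    not_actions: Tuple[str, ...] = ()


def matches(pattern: str, operation: str) -> bool:
    """Azure permission strings compare case-insensitively and '*' also spans '/' segments."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def role_allows(role: RoleDefinition, operation: str) -> bool:
    """A role grants an operation when an Actions entry matches and no NotActions entry does.
    NotActions only carve permissions out of this role's Actions; they are not a deny rule."""
    granted = any(matches(p, operation) for p in role.actions)
    excluded = any(matches(p, operation) for p in role.not_actions)
    return granted and not excluded


def effective_allow(roles: Iterable[RoleDefinition], operation: str) -> bool:
    """Assignments are additive: the operation is allowed if any assigned role allows it."""
    return any(role_allows(r, operation) for r in roles)


# Abridged built-in roles (constructed here; the real definitions list more Actions).
OWNER = RoleDefinition("Owner", actions=("*",))
CONTRIBUTOR = RoleDefinition(
    "Contributor",
    actions=("*",),
    not_actions=("Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
                 "Microsoft.Authorization/elevateAccess/Action"),
)
NETWORK_CONTRIBUTOR = RoleDefinition(
    "Network Contributor",
    actions=("Microsoft.Authorization/*/read", "Microsoft.Network/*",
             "Microsoft.Resources/deployments/*",
             "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Support/*"),
)
SECURITY_ADMIN = RoleDefinition(
    "Security Admin",
    actions=("Microsoft.Authorization/*/read", "Microsoft.Security/*",
             "Microsoft.Resources/deployments/*",
             "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Support/*"),
)

# Assumed assignments for the question's table (not visible on the page), inferred from
# the explanation's Owner / Security Admin / Network Contributor references.
ASSIGNMENTS: Dict[str, Tuple[RoleDefinition, ...]] = {
    "User1": (OWNER,),
    "User2": (SECURITY_ADMIN,),
    "User3": (NETWORK_CONTRIBUTOR,),
}


def who_can(operation: str, assignments=ASSIGNMENTS) -> List[str]:
    """Return the users whose assigned roles allow the operation."""
    return sorted(u for u, roles in assignments.items() if effective_allow(roles, operation))


if __name__ == "__main__":
    for op in ("Microsoft.Authorization/roleAssignments/write",   # managing access: Owner only
               "Microsoft.Network/virtualNetworks/subnets/write",  # changing VNet1
               "Microsoft.Security/policies/write"):               # editing a security policy
        print(f"{op}: {who_can(op)}")
```

The operation strings in the usage block are sample resource-provider operations chosen to exercise the three roles. Note what `role_allows` does with Contributor: its NotActions keep it from writing role assignments, but a second role assigned to the same principal that grants that operation wins, because Azure evaluates NotActions per role and unions the results; a true deny needs a deny assignment, which this example does not model.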
HOTSPOT
You configure the multi-factor authentication status for three users as shown in the following table.
You create a group named Group1 and add Admin1, Admin2, and Admin3 to the group. For all cloud apps, you create a conditional access policy that includes Group1. The policy requires multi-factor authentication.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Choosing the correct authentication method is the first concern for organizations wanting to move their apps to the cloud. Don't take this decision lightly, for the following reasons:
Identity is the new control plane of IT security, so authentication is an organization’s access guard to the new cloud world. Organizations need an identity control plane that strengthens their security and keeps their cloud apps safe from intruders.
Note: Changing your authentication method requires planning, testing, and potentially downtime. Staged rollout is a great way to test users' migration from federation to cloud authentication.

Out of scope
Organizations that don't have an existing on-premises directory footprint aren't the focus of this article. Typically, those businesses create identities only in the cloud, which doesn't require a hybrid identity solution. Cloud-only identities exist solely in the cloud and aren't associated with corresponding on-premises identities.

Authentication methods
When the Azure AD hybrid identity solution is your new control plane, authentication is the foundation of cloud access. Choosing the correct authentication method is a crucial first decision in setting up an Azure AD hybrid identity solution. Implement the authentication method that is configured by using Azure AD Connect, which also provisions users in the cloud.
To choose an authentication method, you need to consider the time, existing infrastructure, complexity, and cost of implementing your choice. These factors are different for every organization and might change over time.
Azure AD supports the following authentication methods for hybrid identity solutions.

Cloud authentication
When you choose this authentication method, Azure AD handles users' sign-in process. Coupled with seamless single sign-on (SSO), users can sign in to cloud apps without having to reenter their credentials. With cloud authentication, you can choose from two options:
Azure AD password hash synchronization. The simplest way to enable authentication for on-premises directory objects in Azure AD. Users can use the same username and password that they use on-premises without having to deploy any additional infrastructure. Some premium features of Azure AD, like Identity Protection and Azure AD Domain Services, require password hash synchronization, no matter which authentication method you choose.
Azure AD Pass-through Authentication.
Provides a simple password validation for Azure AD authentication services by using a software agent that runs on one or more on-premises servers. The servers validate the users directly with your on-premises Active Directory, which ensures that the password validation doesn't happen in the cloud. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours might use this authentication method. For more information on the actual pass-through authentication process, see User sign-in with Azure AD pass-through authentication.

Federated authentication
When you choose this authentication method, Azure AD hands off the authentication process to a separate trusted authentication system, such as on-premises Active Directory Federation Services (AD FS), to validate the user's password. The authentication system can provide additional advanced authentication requirements. Examples are smartcard-based authentication or third-party multifactor authentication. For more information, see Deploying Active Directory Federation Services.
The following section helps you decide which authentication method is right for you by using a decision tree. It helps you determine whether to deploy cloud or federated authentication for your Azure AD hybrid identity solution.

Decision tree
Details on decision questions:
Note: Azure AD Identity Protection requires Azure AD Premium P2 licenses.

Cloud authentication: Password hash synchronization
Note: Azure AD Conditional Access requires Azure AD Premium P1 licenses.
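The cloud authentication section above says password hash synchronization is the simplest option but not what actually gets synced, which is the point that matters for its risk assessment. The added example below is not code from the Microsoft article. It reproduces the documented derivation: Azure AD Connect takes the on-premises NT hash (MD4 over the UTF-16LE password), expands it to 64 bytes through its 32-character hex string, adds a 10-byte per-user salt and runs PBKDF2-HMAC-SHA256 for 1000 iterations, and Azure AD verifies a sign-in by repeating the same steps. So neither the password nor the replayable NT hash leaves the domain. Two assumptions: the case of the intermediate hex string is not documented (uppercase here), and MD4 is implemented inline because OpenSSL 3 builds often disable it in hashlib.

```python
"""What Azure AD Connect password hash synchronization (PHS) sends to Azure AD.

Constructed example: pure-Python MD4 for the on-premises NT hash, then the documented
expansion + 10-byte per-user salt + PBKDF2-HMAC-SHA256 (1000 iterations) applied before sync.
"""
import hashlib
import hmac
import os
import struct

_MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python; hashlib's md4 is often disabled under OpenSSL 3."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & _MASK

    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), tuple(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = list(state)
        for fn, order, shifts, k in rounds:
            for i, word in enumerate(order):
                j = -i % 4  # the register being updated cycles a, d, c, b
                t = (s[j] + fn(s[(j + 1) % 4], s[(j + 2) % 4], s[(j + 3) % 4]) + x[word] + k) & _MASK
                s[j] = rotl(t, shifts[i % 4])
        state = [(v + w) & _MASK for v, w in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The unsalted NT hash stored by on-premises AD: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def phs_derived_hash(nt: bytes, salt: bytes, iterations: int = 1000) -> bytes:
    """The value Azure AD Connect syncs: NT hash expanded to 64 bytes, salted, then
    PBKDF2-HMAC-SHA256 for 1000 iterations with a 32-byte output.
    Assumption: the intermediate hex string is uppercase (the docs do not state the case),
    so compare results only against this function, not against a live tenant."""
    if len(nt) != 16 or len(salt) != 10:
        raise ValueError("expected a 16-byte NT hash and a 10-byte per-user salt")
    expanded = nt.hex().upper().encode("utf-16-le")  # 32 hex chars -> 64 bytes
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, iterations, dklen=32)


def sync_record(password: str, salt=None) -> dict:
    """Build what is transmitted to Azure AD over TLS: derived hash, per-user salt, iterations."""
    salt = os.urandom(10) if salt is None else salt
    return {"hash": phs_derived_hash(nt_hash(password), salt).hex(),
            "salt": salt.hex(), "iterations": 1000}


def verify(password: str, record: dict) -> bool:
    """Cloud-side check: run the entered password through the same derivation and compare."""
    salt = bytes.fromhex(record["salt"])
    candidate = phs_derived_hash(nt_hash(password), salt, record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    rec = sync_record("password")  # sample password, constructed for the demo
    print("NT hash (stays on-premises):", nt_hash("password").hex())
    print("Synced to Azure AD:", rec)
    print("verify correct / wrong password:", verify("password", rec), verify("Password", rec))
```

The practical consequence is the one behind the article's recommendation to enable password hash synchronization regardless of sign-in method: the synced value is salted and iterated, so a compromise of the cloud copy does not yield an NT hash usable for pass-the-hash against on-premises AD, while features such as Identity Protection's leaked-credential detection can still compare against it.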
Note: The password expired and account locked-out states aren't currently synced to Azure AD with Azure AD Connect. When you change a user's password and set the "user must change password at next logon" flag, the password hash will not be synced to Azure AD with Azure AD Connect until the user changes their password.
Refer to implementing password hash synchronization for deployment steps.

Cloud authentication: Pass-through Authentication
Refer to implementing pass-through authentication for deployment steps.

Federated authentication
For a non-routable domain that can't be verified in Azure AD, you need extra configuration to implement user ID sign-in. This requirement is known as Alternate login ID support. See Configuring Alternate Login ID for limitations and requirements. If you choose to use a third-party multi-factor authentication provider with federation, ensure the provider supports WS-Trust to allow devices to join Azure AD. Refer to Deploying Federation Servers for deployment steps.
Note: When you deploy your Azure AD hybrid identity solution, you must implement one of the supported topologies of Azure AD Connect. Learn more about supported and unsupported configurations at Topologies for Azure AD Connect.

Architecture diagrams
The following diagrams outline the high-level architecture components required for each authentication method you can use with your Azure AD hybrid identity solution. They provide an overview to help you compare the differences between the solutions.
Comparing methods
Note: Custom controls in Azure AD Conditional Access do not currently support device registration.

Recommendations
Your identity system ensures your users' access to cloud apps and the line-of-business apps that you migrate and make available in the cloud. To keep authorized users productive and bad actors out of your organization's sensitive data, authentication controls access to apps.
Use or enable password hash synchronization for whichever authentication method you choose, for the following reasons:
Conclusion
This article outlines various authentication options that organizations can configure and deploy to support access to cloud apps. To meet various business, security, and technical requirements, organizations can choose between password hash synchronization, Pass-through Authentication, and federation.
Consider each authentication method. Does the effort to deploy the solution, and the user's experience of the sign-in process, address your business requirements? Evaluate whether your organization needs the advanced scenarios and business continuity features of each authentication method. Finally, evaluate the considerations of each authentication method. Do any of them prevent you from implementing your choice?

Next steps
In today's world, threats are present 24 hours a day and come from everywhere. Implement the correct authentication method, and it will mitigate your security risks and protect your identities. Get started with Azure AD and deploy the right authentication solution for your organization.
If you're thinking about migrating from federated to cloud authentication, learn more about changing the sign-in method. To help you plan and implement the migration, use these project deployment plans or consider using the new Staged Rollout feature to migrate federated users to cloud authentication in a staged approach.