Which three authentication methods can Azure AD users use to reset their password each correct answer presents a complete solution?


Every new Azure AD tenant comes with an initial domain name, domainname.onmicrosoft.com. You can't change or delete the initial domain name, but you can add your organization's names to the list. Adding custom domain names helps you to create user names that are familiar to your users, such as .
References: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain

QUESTION 3
HOTSPOT
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. You add the users in the following table.
Which user can perform each configuration? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area: (exhibit not reproduced)
Correct Answer: (exhibit not reproduced; see explanation)
Explanation/Reference:
Box 1: User1 only. User1: The Owner role lets you manage everything, including access to resources. Not User3: The Network Contributor role lets you manage networks, but not access to them.
Box 2: User1 and User2 only. The Security Admin role (in Security Center only) can view security policies, view security states, edit security policies, view alerts and recommendations, and dismiss alerts and recommendations.
Reference: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

QUESTION 4
You have an Azure subscription named Subscription1 and two Azure Active Directory (Azure AD) tenants named Tenant1 and Tenant2. Subscription1 is associated to Tenant1. Multi-factor authentication (MFA) is enabled for all the users in Tenant1. You need to enable MFA for the users in Tenant2. The solution must maintain MFA for Tenant1.
What should you do first?
A. Change the directory for Subscription1.
B. Configure the MFA Server setting in Tenant1.
C. Create and link a subscription to Tenant2.
D. Transfer the administration of Subscription1 to a global administrator of Tenant2.
Correct Answer: C

QUESTION 5
HOTSPOT
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains the users shown in the following table. You enable password reset for contoso.onmicrosoft.com as shown in the Password Reset exhibit. (Click the Password Reset tab.) You configure the authentication methods for password reset as shown in the Authentication Methods exhibit. (Click the Authentication Methods tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area: (exhibit not reproduced)
Correct Answer: (exhibit not reproduced; see explanation)
Explanation/Reference:
Box 1: No. Two methods are required.
Box 2: No. Self-service password reset is only enabled for Group2, and User1 is not a member of Group2.
Box 3: Yes. As a User Administrator, User3 can add security questions to the reset process.
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/quickstart-sspr
https://docs.microsoft.com/en-us/azure/active-directory/authentication/active-directory-passwords-faq

QUESTION 6
You have an Azure Active Directory (Azure AD) tenant. All administrators must enter a verification code to access the Azure portal.
You need to ensure that the administrators can access the Azure portal without entering a verification code when they are connecting from your on-premises network.
What should you configure?
A. an Azure AD Identity Protection user risk policy
B. the multi-factor authentication service settings
C. the default for all the roles in Azure AD Privileged Identity Management
D. an Azure AD Identity Protection sign-in risk policy
Correct Answer: B
Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings

QUESTION 7
You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to grant three users named User1, User2, and User3 access to a temporary Microsoft SharePoint document library named Library1.
You need to create groups for the users. The solution must ensure that the groups are deleted automatically after 180 days.
Which two groups should you create? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. a Security group that uses the Assigned membership type
B. an Office 365 group that uses the Assigned membership type
C. an Office 365 group that uses the Dynamic User membership type
D. a Security group that uses the Dynamic User membership type
E. a Security group that uses the Dynamic Device membership type
Correct Answer: BC
Explanation/Reference:
You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).
Note: With the increase in usage of Office 365 Groups, administrators and users need a way to clean up unused groups. Expiration policies can help remove inactive groups from the system and make things cleaner. When a group expires, all of its associated services (the mailbox, Planner, SharePoint site, etc.) are also deleted. You can set up a rule for dynamic membership on security groups or Office 365 groups.
Incorrect Answers: A, D, E: You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).
References: https://docs.microsoft.com/en-us/office365/admin/create-groups/office-365-groups-expiration-policy?view=o365-worldwide

QUESTION 8
You have an Azure subscription. You enable multi-factor authentication for all users.
Some users report that the email applications on their mobile device cannot connect to their Microsoft Exchange Online mailbox. The users can access Exchange Online by using a web browser and from Microsoft Outlook 2016 on their computer.
You need to ensure that the users can use the email applications on their mobile device.
What should you instruct the users to do?
A. Reinstall the Microsoft Authenticator app.
B. Create an app password.
C. Enable self-service password reset.
D. Reset the Azure Active Directory (Azure AD) password.
Correct Answer: B
Explanation/Reference:
If you're enabled for multi-factor authentication, make sure that you have set up app passwords.
Note: During your initial two-factor verification registration process, you're provided with a single app password. If you require more than one, you'll have to create them yourself. Go to the Additional security verification page.
References:
https://docs.microsoft.com/en-us/office365/troubleshoot/sign-in/sign-in-to-office-365-azure-intune
https://docs.microsoft.com/sv-se/azure/active-directory/user-help/multi-factor-authentication-end-user-app-
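Question 3 above hinges on which built-in role's Actions cover a given operation: Owner holds the wildcard "*" and so can write role assignments, while Network Contributor only reads under Microsoft.Authorization. The Python below is an added illustration, not part of the exam dump and not Microsoft's authorization engine. It evaluates Azure RBAC permission strings the way the built-in roles reference describes them: an action is allowed when it matches an entry in the role's Actions and no entry in NotActions, with "*" as a wildcard. The role definitions are abbreviated excerpts assumed from that reference (DataActions omitted), the user-to-role assignments follow the question's explanation, and the sample action strings are constructed for the demonstration.

```python
import re

# Abbreviated Actions/NotActions for three Azure built-in roles. ASSUMED from the
# built-in roles reference and shortened; the real definitions carry more entries.
BUILTIN_ROLES = {
    "Owner": {
        "Actions": ["*"],
        "NotActions": [],
    },
    "Network Contributor": {
        "Actions": [
            "Microsoft.Authorization/*/read",
            "Microsoft.Network/*",
            "Microsoft.Resources/deployments/*",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
            "Microsoft.Support/*",
        ],
        "NotActions": [],
    },
    "Security Admin": {
        "Actions": [
            "Microsoft.Authorization/*/read",
            "Microsoft.Authorization/policyAssignments/*",
            "Microsoft.Authorization/policyDefinitions/*",
            "Microsoft.Security/*",
            "Microsoft.Support/*",
        ],
        "NotActions": [],
    },
}

# Constructed assignments mirroring the question's explanation:
# User1 is Owner, User2 is Security Admin, User3 is Network Contributor.
ASSIGNMENTS = {"User1": "Owner", "User2": "Security Admin", "User3": "Network Contributor"}


def _matches(pattern: str, action: str) -> bool:
    """Azure permission strings are case-insensitive; '*' matches any run of
    characters, including '/' separators (assumption about wildcard semantics)."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_allows(role_name: str, action: str) -> bool:
    """Allowed = matches some Actions entry AND matches no NotActions entry."""
    role = BUILTIN_ROLES[role_name]
    allowed = any(_matches(p, action) for p in role["Actions"])
    denied = any(_matches(p, action) for p in role["NotActions"])
    return allowed and not denied


def users_who_can(assignments: dict, action: str) -> list:
    """Every user whose assigned role permits the given action, sorted by name."""
    return sorted(u for u, r in assignments.items() if role_allows(r, action))


if __name__ == "__main__":
    # Sample action strings (constructed for the demo).
    for act in (
        "Microsoft.Authorization/roleAssignments/write",   # grant access to a resource
        "Microsoft.Network/virtualNetworks/subnets/write",  # change VNet1's subnets
        "Microsoft.Security/policies/write",                # edit a security policy
    ):
        print(f"{act}: {users_who_can(ASSIGNMENTS, act)}")
```

The first action is why the explanation says "User1 only" for managing access: Network Contributor's Microsoft.Authorization/*/read covers reading role assignments but not writing them, and Security Admin's policyAssignments entries are Azure Policy, not role assignments.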

HOTSPOT
You configure the multi-factor authentication status for three users as shown in the following table.
You create a group named Group1 and add Admin1, Admin2, and Admin3 to the group. For all cloud apps, you create a conditional access policy that includes Group1. The policy requires multi-factor authentication.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:



Choosing the correct authentication method is the first concern for organizations wanting to move their apps to the cloud. Don't take this decision lightly, for the following reasons:

  1. It's the first decision for an organization that wants to move to the cloud.

  2. The authentication method is a critical component of an organization’s presence in the cloud. It controls access to all cloud data and resources.

  3. It's the foundation of all the other advanced security and user experience features in Azure AD.

Identity is the new control plane of IT security, so authentication is an organization’s access guard to the new cloud world. Organizations need an identity control plane that strengthens their security and keeps their cloud apps safe from intruders.

Note

Changing your authentication method requires planning, testing, and potentially downtime. Staged rollout is a great way to test user migration from federation to cloud authentication.

Out of scope

Organizations that don't have an existing on-premises directory footprint aren't the focus of this article. Typically, those businesses create identities only in the cloud, which doesn’t require a hybrid identity solution. Cloud-only identities exist solely in the cloud and aren't associated with corresponding on-premises identities.

Authentication methods

When the Azure AD hybrid identity solution is your new control plane, authentication is the foundation of cloud access. Choosing the correct authentication method is a crucial first decision in setting up an Azure AD hybrid identity solution. Implement the authentication method that is configured by using Azure AD Connect, which also provisions users in the cloud.

To choose an authentication method, you need to consider the time, existing infrastructure, complexity, and cost of implementing your choice. These factors are different for every organization and might change over time.

Azure AD supports the following authentication methods for hybrid identity solutions.

Cloud authentication

When you choose this authentication method, Azure AD handles users' sign-in process. Coupled with seamless single sign-on (SSO), users can sign in to cloud apps without having to reenter their credentials. With cloud authentication, you can choose from two options:

Azure AD password hash synchronization. The simplest way to enable authentication for on-premises directory objects in Azure AD. Users can use the same username and password that they use on-premises without having to deploy any additional infrastructure. Some premium features of Azure AD, like Identity Protection and Azure AD Domain Services, require password hash synchronization, no matter which authentication method you choose.

Azure AD Pass-through Authentication. Provides a simple password validation for Azure AD authentication services by using a software agent that runs on one or more on-premises servers. The servers validate the users directly with your on-premises Active Directory, which ensures that the password validation doesn't happen in the cloud.

Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours might use this authentication method. For more information on the actual pass-through authentication process, see User sign-in with Azure AD pass-through authentication.

Federated authentication

When you choose this authentication method, Azure AD hands off the authentication process to a separate trusted authentication system, such as on-premises Active Directory Federation Services (AD FS), to validate the user’s password.

The authentication system can provide additional advanced authentication requirements. Examples are smartcard-based authentication or third-party multifactor authentication. For more information, see Deploying Active Directory Federation Services.

The following section helps you decide which authentication method is right for you by using a decision tree. It helps you determine whether to deploy cloud or federated authentication for your Azure AD hybrid identity solution.

Decision tree

(Decision tree diagram not reproduced; its questions are listed below.)

Details on decision questions:

  1. Azure AD can handle sign-in for users without relying on on-premises components to verify passwords.
  2. Azure AD can hand off user sign-in to a trusted authentication provider such as Microsoft’s AD FS.
  3. If you need to apply user-level Active Directory security policies, such as account expired, disabled account, password expired, account locked out, and sign-in hours, on each user sign-in, Azure AD requires some on-premises components.
  4. Sign-in features not natively supported by Azure AD:
    • Sign-in using on-premises MFA Server.
    • Sign-in using third-party authentication solution.
    • Multi-site on-premises authentication solution.
  5. Azure AD Identity Protection requires Password Hash Sync regardless of which sign-in method you choose, to provide the Users with leaked credentials report. Organizations can fail over to Password Hash Sync if their primary sign-in method fails and it was configured before the failure event.

Note

Azure AD Identity Protection requires Azure AD Premium P2 licenses.
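The five decision questions above, together with the failover caveat in question 5 (password hash sync can only take over if it was configured before the outage), as an added worked example that is not part of the article: the Python below encodes the decision tree as a function and models which method can still sign users in during an on-premises outage. The Requirements field names, the allow_phs switch, and the notes text are this example's own; the article recommends deploying password hash synchronization in every case, which is modeled here as a choice so the consequence of refusing it is visible.

```python
from dataclasses import dataclass, field
from typing import List, Optional

PHS = "Password hash synchronization"
PTA = "Pass-through Authentication"
FED = "Federated authentication"


@dataclass
class Requirements:
    # Decision question 4: sign-in features Azure AD does not support natively
    # (on-premises MFA Server, third-party authentication, multi-site on-prem auth).
    unsupported_sign_in_feature: bool = False
    # Decision question 3: account expired/disabled, password expired, lockout
    # and sign-in hours must be enforced on every sign-in.
    user_level_ad_policy_at_sign_in: bool = False
    # Decision question 5: the Identity Protection "Users with leaked credentials" report.
    wants_identity_protection: bool = False
    has_premium_p2: bool = False
    # Hypothetical switch (not in the article): is the organization willing to sync hashes?
    allow_phs: bool = True


@dataclass
class Decision:
    primary: str
    deploy_phs: bool                      # PHS configured next to the primary method
    notes: List[str] = field(default_factory=list)


def choose_auth_method(r: Requirements) -> Decision:
    """Walk the decision tree top to bottom; the first matching branch wins."""
    if r.unsupported_sign_in_feature:
        primary = FED          # hand off to a trusted provider such as AD FS
    elif r.user_level_ad_policy_at_sign_in:
        primary = PTA          # on-premises agents check account state at sign-in
    else:
        primary = PHS          # no on-premises component needed to verify passwords
    d = Decision(primary, deploy_phs=r.allow_phs)
    if primary != PHS:
        d.notes.append(
            "configure PHS as backup before an outage, or failover to it is impossible"
            if r.allow_phs else
            "no cloud fallback: an on-premises outage blocks all sign-ins"
        )
    if r.wants_identity_protection:
        if not r.allow_phs:
            d.notes.append("Identity Protection requires PHS regardless of sign-in method")
        if not r.has_premium_p2:
            d.notes.append("Identity Protection requires Azure AD Premium P2 licenses")
    return d


def sign_in_method_during_outage(d: Decision, on_prem_available: bool) -> Optional[str]:
    """Method that can still sign users in when the on-premises side is down.
    Failover to PHS is a manual switch in Azure AD Connect, so this shows what is
    possible, not an automatic fallback."""
    if on_prem_available or d.primary == PHS:
        return d.primary
    return PHS if d.deploy_phs else None


if __name__ == "__main__":
    org = Requirements(user_level_ad_policy_at_sign_in=True, wants_identity_protection=True)
    decision = choose_auth_method(org)
    print(decision.primary, decision.deploy_phs, decision.notes)
    print("during outage:", sign_in_method_during_outage(decision, on_prem_available=False))
```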

Cloud authentication: Password hash synchronization

  • Effort. Password hash synchronization requires the least effort regarding deployment, maintenance, and infrastructure. This level of effort typically applies to organizations that only need their users to sign in to Microsoft 365, SaaS apps, and other Azure AD-based resources. When turned on, password hash synchronization is part of the Azure AD Connect sync process and runs every two minutes.

  • User experience. To improve users' sign-in experience, deploy seamless SSO with password hash synchronization. Seamless SSO eliminates unnecessary prompts when users are signed in.

  • Advanced scenarios. If organizations choose to, it's possible to use insights from identities with Azure AD Identity Protection reports with Azure AD Premium P2. An example is the leaked credentials report. Windows Hello for Business has specific requirements when you use password hash synchronization. Azure AD Domain Services requires password hash synchronization to provision users with their corporate credentials in the managed domain.

    Organizations that require multi-factor authentication with password hash synchronization must use Azure AD Multi-Factor Authentication or Conditional Access custom controls. Those organizations can't use third-party or on-premises multifactor authentication methods that rely on federation.

Note

Azure AD Conditional Access requires Azure AD Premium P1 licenses.

  • Business continuity. Using password hash synchronization with cloud authentication is highly available as a cloud service that scales to all Microsoft datacenters. To make sure password hash synchronization does not go down for extended periods, deploy a second Azure AD Connect server in staging mode in a standby configuration.

  • Considerations. Currently, password hash synchronization doesn't immediately enforce changes in on-premises account states. In this situation, a user has access to cloud apps until the user account state is synchronized to Azure AD. Organizations might want to overcome this limitation by running a new synchronization cycle after administrators do bulk updates to on-premises user account states. An example is disabling accounts.

Note

The password expired and account locked-out states aren't currently synced to Azure AD with Azure AD Connect. When you change a user's password and set the "User must change password at next logon" flag, the password hash will not be synced to Azure AD with Azure AD Connect until the user changes their password.

Refer to implementing password hash synchronization for deployment steps.

Cloud authentication: Pass-through Authentication

  • Effort. For pass-through authentication, you need one or more (we recommend three) lightweight agents installed on existing servers. These agents must have access to your on-premises Active Directory Domain Services, including your on-premises AD domain controllers. They need outbound access to the Internet and access to your domain controllers. For this reason, it's not supported to deploy the agents in a perimeter network.

    Pass-through Authentication requires unconstrained network access to domain controllers. All network traffic is encrypted and limited to authentication requests. For more information on this process, see the security deep dive on pass-through authentication.

  • User experience. To improve users' sign-in experience, deploy seamless SSO with Pass-through Authentication. Seamless SSO eliminates unnecessary prompts after users sign in.

  • Advanced scenarios. Pass-through Authentication enforces the on-premises account policy at the time of sign-in. For example, access is denied when an on-premises user’s account state is disabled, locked out, or their password expires or the logon attempt falls outside the hours when the user is allowed to sign in.

    Organizations that require multi-factor authentication with pass-through authentication must use Azure AD Multi-Factor Authentication (MFA) or Conditional Access custom controls. Those organizations can't use a third-party or on-premises multifactor authentication method that relies on federation. Advanced features require that password hash synchronization is deployed whether or not you choose pass-through authentication. An example is the leaked credentials report of Identity Protection.

  • Business continuity. We recommend that you deploy two extra pass-through authentication agents. These extras are in addition to the first agent on the Azure AD Connect server. This additional deployment ensures high availability of authentication requests. When you have three agents deployed, one agent can still fail when another agent is down for maintenance.

    There's another benefit to deploying password hash synchronization in addition to pass-through authentication. It acts as a backup authentication method when the primary authentication method is no longer available.

  • Considerations. You can use password hash synchronization as a backup authentication method for pass-through authentication, when the agents can't validate a user's credentials due to a significant on-premises failure. Fail over to password hash synchronization doesn't happen automatically and you must use Azure AD Connect to switch the sign-on method manually.

    For other considerations on Pass-through Authentication, including Alternate ID support, see frequently asked questions.

Refer to implementing pass-through authentication for deployment steps.

Federated authentication

  • Effort. A federated authentication system relies on an external trusted system to authenticate users. Some companies want to reuse their existing federated system investment with their Azure AD hybrid identity solution. The maintenance and management of the federated system falls outside the control of Azure AD. It's up to the organization by using the federated system to make sure it's deployed securely and can handle the authentication load.

  • User experience. The user experience of federated authentication depends on the implementation of the features, topology, and configuration of the federation farm. Some organizations need this flexibility to adapt and configure the access to the federation farm to suit their security requirements. For example, it's possible to configure internally connected users and devices to sign in users automatically, without prompting them for credentials. This configuration works because they already signed in to their devices. If necessary, some advanced security features make users' sign-in process more difficult.

  • Advanced scenarios. A federated authentication solution is required when customers have an authentication requirement that Azure AD doesn't support natively. See detailed information to help you choose the right sign-in option. Consider the following common requirements:

    • Authentication that requires smartcards or certificates.
    • On-premises MFA servers or third-party multifactor providers requiring a federated identity provider.
    • Authentication by using third-party authentication solutions. See the Azure AD federation compatibility list.
    • Sign in that requires a sAMAccountName, for example DOMAIN\username, instead of a User Principal Name (UPN), for example, .
  • Business continuity. Federated systems typically require a load-balanced array of servers, known as a farm. This farm is configured in an internal network and perimeter network topology to ensure high availability for authentication requests.

    Deploy password hash synchronization along with federated authentication as a backup authentication method when the primary authentication method is no longer available. An example is when the on-premises servers aren't available. Some large enterprise organizations require a federation solution to support multiple Internet ingress points configured with geo-DNS for low-latency authentication requests.

  • Considerations. Federated systems typically require a more significant investment in on-premises infrastructure. Most organizations choose this option if they already have an on-premises federation investment, or if using a single identity provider is a strong business requirement. Federation is more complex to operate and troubleshoot compared to cloud authentication solutions.

For a non-routable domain that can't be verified in Azure AD, you need extra configuration to implement user ID sign-in. This requirement is known as Alternate login ID support. See Configuring Alternate Login ID for limitations and requirements. If you choose to use a third-party multi-factor authentication provider with federation, ensure the provider supports WS-Trust to allow devices to join Azure AD.

Refer to Deploying Federation Servers for deployment steps.

Note

When you deploy your Azure AD hybrid identity solution, you must implement one of the supported topologies of Azure AD Connect. Learn more about supported and unsupported configurations at Topologies for Azure AD Connect.

Architecture diagrams

The following diagrams outline the high-level architecture components required for each authentication method you can use with your Azure AD hybrid identity solution. They provide an overview to help you compare the differences between the solutions.

  • Simplicity of a password hash synchronization solution:

    (architecture diagram not reproduced)

  • Agent requirements of pass-through authentication, using two agents for redundancy:

    (architecture diagram not reproduced)

  • Components required for federation in your perimeter and internal network of your organization:

    (architecture diagram not reproduced)

Comparing methods

Note

Custom controls in Azure AD Conditional Access do not currently support device registration.

Recommendations

Your identity system ensures your users' access to cloud apps and the line-of-business apps that you migrate and make available in the cloud. To keep authorized users productive and bad actors out of your organization’s sensitive data, authentication controls access to apps.

Use or enable password hash synchronization for whichever authentication method you choose, for the following reasons:

  1. High availability and disaster recovery. Pass-through Authentication and federation rely on on-premises infrastructure. For pass-through authentication, the on-premises footprint includes the server hardware and networking the Pass-through Authentication agents require. For federation, the on-premises footprint is even larger. It requires servers in your perimeter network to proxy authentication requests and the internal federation servers.

    To avoid single points of failure, deploy redundant servers. Then authentication requests will always be serviced if any component fails. Both pass-through authentication and federation also rely on domain controllers to respond to authentication requests, which can also fail. Many of these components need maintenance to stay healthy. Outages are more likely when maintenance isn't planned and implemented correctly. Avoid outages by using password hash synchronization because the Microsoft Azure AD cloud authentication service scales globally and is always available.

  2. On-premises outage survival. The consequences of an on-premises outage due to a cyber-attack or disaster can be substantial, ranging from reputational brand damage to a paralyzed organization unable to deal with the attack. Recently, many organizations were victims of malware attacks, including targeted ransomware, which caused their on-premises servers to go down. When Microsoft helps customers deal with these kinds of attacks, it sees two categories of organizations:

    • Organizations that previously also turned on password hash synchronization on top of federated or pass-through authentication changed their primary authentication method to then use password hash synchronization. They were back online in a matter of hours. By using access to email via Microsoft 365, they worked to resolve issues and access other cloud-based workloads.

    • Organizations that didn’t previously enable password hash synchronization had to resort to untrusted external consumer email systems for communications to resolve issues. In those cases, it took them weeks to restore their on-premises identity infrastructure, before users were able to sign in to cloud-based apps again.

  3. Identity protection. One of the best ways to protect users in the cloud is Azure AD Identity Protection with Azure AD Premium P2. Microsoft continually scans the Internet for user and password lists that bad actors sell and make available on the dark web. Azure AD can use this information to verify if any of the usernames and passwords in your organization are compromised. Therefore, it's critical to enable password hash synchronization no matter which authentication method you use, whether it's federated or pass-through authentication. Leaked credentials are presented as a report. Use this information to block or force users to change their passwords when they try to sign in with leaked passwords.

Conclusion

This article outlines various authentication options that organizations can configure and deploy to support access to cloud apps. To meet various business, security, and technical requirements, organizations can choose between password hash synchronization, Pass-through Authentication, and federation.

Consider each authentication method. Does the effort to deploy the solution, and the user's experience of the sign-in process address your business requirements? Evaluate whether your organization needs the advanced scenarios and business continuity features of each authentication method. Finally, evaluate the considerations of each authentication method. Do any of them prevent you from implementing your choice?

Next steps

In today’s world, threats are present 24 hours a day and come from everywhere. Implement the correct authentication method, and it will mitigate your security risks and protect your identities.

Get started with Azure AD and deploy the right authentication solution for your organization.

If you're thinking about migrating from federated to cloud authentication, learn more about changing the sign-in method. To help you plan and implement the migration, use these project deployment plans or consider using the new Staged Rollout feature to migrate federated users to using cloud authentication in a staged approach.