MS-100 Practice Test 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has 3,000 users. All the users are assigned Microsoft 365 E3 licenses.
Some users are assigned licenses for all Microsoft 365 services. Other users are assigned licenses for only certain Microsoft 365 services.
You need to determine whether a user named User1 is licensed for Exchange Online only.
Solution: You launch the Azure portal, and then review the Licenses blade.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation: In the Licenses blade, click All Products then select the E3 License. This will display a list of all users assigned an E3 license. Select User1. You'll see how many services are assigned in the Enabled Services column. Click on the number in the Enabled Services column for User1 and you'll be taken to the licenses page for that user. Click on the number in the Enabled Services column for User1 again and a page will open which shows you exactly which services are enabled or disabled.
Alternatively, you can go into the user account properties directly then select Licenses. This will display the licenses blade for that user. You can then click on the number in the Enabled Services column for the user and a page will open which shows you exactly which services are enabled or disabled.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain.
You deploy a Microsoft Azure Active Directory (Azure AD) tenant.
Another administrator configures the domain to synchronize to Azure AD.
You discover that 10 user accounts in an organizational unit (OU) are NOT synchronized to Azure AD. All the other user accounts synchronized successfully.
You review Azure AD Connect Health and discover that all the user account synchronizations completed successfully.
You need to ensure that the 10 user accounts are synchronized to Azure AD.
Solution: From Azure AD Connect, you modify the filtering settings.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation: The question states that "all the user account synchronizations completed successfully". Therefore, we know that Azure AD Connect is working and configured correctly. The only thing that would prevent the 10 user accounts from being synchronized is that they are being excluded from the synchronization cycle by a filtering rule.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering
You have a Microsoft 365 subscription that contains a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com. The tenant includes a user named User1.
You enable Azure AD Identity Protection.
You need to ensure that User1 can review the list in Azure AD Identity Protection of users flagged for risk. The solution must use the principle of least privilege.
To which role should you add User1?
A. Security reader
B. User administrator
C. Owner
D. Global administrator
Answer: A
Explanation: The risky sign-ins reports are available to users in the following roles:
✑ Security Administrator
✑ Global Administrator
✑ Security Reader
Of the three roles listed above, the Security Reader role has the least privilege.
Note: There are several versions of this question in the exam. The question has three possible correct answers:
1. Security Reader
2. Security Administrator
3. Global Administrator
Other incorrect answer options you may see on the exam include the following:
1. Service Administrator
2. Reports Reader
3. Compliance Administrator
Reference: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risky-sign-ins
Your network contains an Active Directory domain named adatum.com that is synced to Microsoft Azure Active Directory (Azure AD).
The domain contains 100 user accounts.
The city attribute for all the users is set to the city where the user resides.
You need to modify the value of the city attribute to the three-letter airport code of each city.
What should you do?
A. From Active Directory Administrative Center, select the Active Directory users, and then modify the Properties settings.
B. From the Microsoft 365 admin center, select the users, and then use the Bulk actions option.
C. From Azure Cloud Shell, run the Get-MsolUser and Set-MSOluser cmdlets.
D. From Windows PowerShell on a domain controller, run the Get-AzureADUser and Set-AzureADUser cmdlets.
Answer: A
Explanation: The user accounts are synced from the on-premise Active Directory to the Microsoft Azure Active Directory (Azure AD). Therefore, the city attribute must be changed in the on-premise Active Directory.
You can modify certain attributes of multiple user accounts simultaneously by selecting them in Active Directory Administrative Center or Active Directory Users and Computers, right-clicking, then selecting Properties.
The other three options all suggest modifying the city attribute of the users in the Azure Active Directory, which is incorrect.
Note: There are several versions of this question in the exam. The question has two possible correct answers:
1. From Windows PowerShell on a domain controller, run the Get-ADUser and Set-ADUser cmdlets.
2. From Active Directory Administrative Center, select the Active Directory users, and then modify the Properties settings.
Other incorrect answer options you may see on the exam include the following:
1. From the Azure portal, select all the Azure AD users, and then use the User settings blade.
2. From Windows PowerShell on a domain controller, run the Get-AzureADUser and Set-AzureADUser cmdlets.
3. From the Microsoft 365 admin center, select the users, and then use the Bulk actions option.
Reference: https://blogs.technet.microsoft.com/canitpro/2015/11/25/step-by-step-managing-multiple-user-accounts-via-active-directory-admin-center/
You add another user named User5 to the User administrator role.
You need to identify which two management tasks User5 can perform.
Which two tasks should you identify? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Delete User2 and User4 only.
B. Reset the password of User2 and User4 only.
C. Delete User1, User2, and User4 only.
D. Delete any user in Azure AD.
E. Reset the password of any user in Azure AD.
F. Reset the password of User4 only.
Answer: AB
Explanation: Users with the User Administrator role can create users and manage all aspects of users with some restrictions (see below).
Only on users who are non-admins or in any of the following limited admin roles:
✑ Directory Readers
✑ Guest Inviter
✑ Helpdesk Administrator
✑ Message Center Reader
✑ Reports Reader
✑ User Administrator
Reference: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles
Your network contains an on-premises Active Directory domain named contoso.com. The domain contains a Microsoft Exchange Server 2019 organization.
You plan to sync the domain to Azure Active Directory (Azure AD) and to enable device writeback and group writeback.
You need to identify which group types will sync from Azure AD.
Which two group types should you identify? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. an Office 365 group that uses the Assigned membership type
B. a security group that uses the Dynamic Device membership type
C. an Office 365 group that uses the Dynamic User membership type
D. a security group that uses the Assigned membership type
E. a security group that uses the Dynamic User membership type
Answer: AC
Explanation: Group writeback in Azure AD Connect synchronizes Office 365 groups only from Azure Active Directory back to the on-premise Active Directory.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-preview
Your network contains an Active Directory forest. The forest contains two domains named contoso.com and adatum.com.
Your company recently purchased a Microsoft 365 subscription.
You deploy a federated identity solution to the environment.
You use the following command to configure contoso.com for federation.
Convert-MsolDomaintoFederated -DomainName contoso.com
In the Microsoft 365 tenant, an administrator adds and verifies the adatum.com domain name.
You need to configure the adatum.com Active Directory domain for federated authentication.
Which two actions should you perform before you run the Azure AD Connect wizard? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. From Windows PowerShell, run the Convert-MsolDomaintoFederated -DomainName contoso.com -SupportMultipleDomain command.
B. From Windows PowerShell, run the New-MsolFederatedDomain -SupportMultipleDomain -DomainName contoso.com command.
C. From Windows PowerShell, run the New-MsolFederatedDomain -DomainName adatum.com command.
D. From Windows PowerShell, run the Update-MSOLFederatedDomain -DomainName contoso.com -SupportMultipleDomain command.
E. From the federation server, remove the Microsoft Office 365 relying party trust.
Answer: AE
Explanation: When the Convert-MsolDomaintoFederated -DomainName contoso.com command was run, a relying party trust was created.
Adding a second domain (adatum.com in this case) will only work if the SupportMultipleDomain switch was used when the initial federation was configured by running the Convert-MsolDomaintoFederated -DomainName contoso.com command.
Therefore, we need to start again by removing the relying party trust then running the Convert-MsolDomaintoFederated command again with the SupportMultipleDomain switch.
Your network contains three Active Directory forests.
You create a Microsoft Azure Active Directory (Azure AD) tenant.
You plan to sync the on-premises Active Directory to Azure AD.
You need to recommend a synchronization solution. The solution must ensure that the synchronization can complete successfully and as quickly as possible if a single server fails.
What should you include in the recommendation?
A. three Azure AD Connect sync servers and three Azure AD Connect sync servers in staging mode
B. one Azure AD Connect sync server and one Azure AD Connect sync server in staging mode
C. three Azure AD Connect sync servers and one Azure AD Connect sync server in staging mode
D. six Azure AD Connect sync servers and three Azure AD Connect sync servers in staging mode
Answer: B
Explanation: Azure AD Connect can be active on only one server. You can install Azure AD Connect on another server for redundancy but the additional installation would need to be in Staging mode. An Azure AD Connect installation in Staging mode is configured and ready to go but it needs to be manually switched to Active to perform directory synchronization.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-custom
Your network contains an on-premises Active Directory forest.
You are evaluating the implementation of Microsoft 365 and the deployment of an authentication strategy.
You need to recommend an authentication strategy that meets the following requirements:
✑ Allows users to sign in by using smart card-based certificates
✑ Allows users to connect to on-premises and Microsoft 365 services by using SSO
Which authentication strategy should you recommend?
A. password hash synchronization and seamless SSO
B. federation with Active Directory Federation Services (AD FS)
C. pass-through authentication and seamless SSO
Answer: B
Explanation: Federation with Active Directory Federation Services (AD FS) is required to allow users to sign in by using smart card-based certificates.
Federated authentication - When you choose this authentication method, Azure AD hands off the authentication process to a separate trusted authentication system, such as on-premises Active Directory Federation Services (AD FS), to validate the user's password.
The authentication system can provide additional advanced authentication requirements. Examples are smartcard-based authentication or third-party multifactor authentication.
Reference: https://docs.microsoft.com/en-us/azure/security/azure-ad-choose-authn
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has 3,000 users. All the users are assigned Microsoft 365 E3 licenses.
Some users are assigned licenses for all Microsoft 365 services. Other users are assigned licenses for only certain Microsoft 365 services.
You need to determine whether a user named User1 is licensed for Exchange Online only.
Solution: You run the Get-MsolAccountSku cmdlet.
Does this meet the goal?
Answer: B
Explanation: The Get-MsolAccountSku cmdlet returns all the SKUs that the company owns. It does not tell you which licenses are assigned to users.
Reference: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolaccountsku?view=azureadps-1.0
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has 3,000 users. All the users are assigned Microsoft 365 E3 licenses.
Some users are assigned licenses for all Microsoft 365 services. Other users are assigned licenses for only certain Microsoft 365 services.
You need to determine whether a user named User1 is licensed for Exchange Online only.
Solution: You run the Get-MsolUser cmdlet.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation: The Get-MsolUser cmdlet will tell you if a user is licensed for Microsoft 365 but it does not tell you which licenses are assigned.
Reference: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msoluser?view=azureadps-1.0
Your company has a Microsoft 365 subscription.
You plan to add 100 newly hired temporary users to the subscription next week.
You create the user accounts for the new users.
You need to assign licenses to the new users.
Which command should you run?
Answer: B
Explanation: The first line gets all users from the Temp department that have a UsageLocation assigned and stores them in the $NewStaff variable. You cannot use PowerShell to assign a license to a user that does not have a UsageLocation configured.
The second line adds the licenses to each user in the $NewStaff variable.
Reference: https://docs.microsoft.com/en-us/office365/enterprise/powershell/assign-licenses-to-user-accounts-with-office-365-powershell
Your network contains an Active Directory forest named contoso.local.
You have a Microsoft 365 subscription.
You plan to implement a directory synchronization solution that will use password hash synchronization.
From the Microsoft 365 admin center, you verify the contoso.com domain name.
You need to prepare the environment for the planned directory synchronization solution.
What should you do first?
A. From the public DNS zone of contoso.com, add a new mail exchanger (MX) record.
B. From Active Directory Domains and Trusts, add contoso.com as a UPN suffix.
C. From the Microsoft 365 admin center, verify the contoso.local domain name.
D. From Active Directory Users and Computers, modify the UPN suffix for all users.
Answer: B
Explanation: The on-premise Active Directory domain is named contoso.local. Therefore, all the domain user accounts will have a UPN suffix of contoso.local by default.
To enable directory synchronization that will use password hash synchronization, you need to configure the domain user accounts to have the same UPN suffix as the verified domain (contoso.com in this case). Before you can change the UPN suffix of the domain user accounts to contoso.com, you need to add contoso.com as a UPN suffix in the domain.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-userprincipalname
You plan to assign User1 and User2 the required roles to run the SharePoint Hybrid Configuration Wizard.
User1 will be used for on-premises credentials and User2 will be used for cloud credentials.
You need to assign the correct role to User2. The solution must use the principle of least privilege.
Which role should you assign to User2?
A. Application administrator
B. SharePoint farm administrator
C. Global administrator
D. SharePoint administrator
Answer: C
Explanation: To run the SharePoint Hybrid Configuration Wizard, you need to provide credentials of a user (in this case User2) of a Global Administrator account in Azure Active Directory.
Reference: https://www.c-sharpcorner.com/article/sharepoint-2019-enable-hybrid-experience/
You need to consider the underlined segment to establish whether it is accurate.
Your company has a Microsoft 365 subscription.
To prevent your company from receiving phishing email messages, create a new mail flow rule.
Select "No adjustment required" if the underlined segment is accurate. If the underlined segment is inaccurate, select the accurate option.
A. No adjustment required
B. Label policy.
C. Threat management policy.
D. Spam filter policy.
Answer: C
References: https://docs.microsoft.com/en-us/office365/securitycompliance/set-up-anti-phishing-policies
You need to ensure that a user named User1 can view the advisories to investigate service health issues.
Which role should you assign to User1?
A. Compliance administrator
B. Message Center reader
C. Reports reader
D. Service administrator
Answer: D
Explanation: People who are assigned the global admin or service administrator role can view service health. To allow Exchange, SharePoint, and Skype for Business admins to view service health, they must also be assigned the Service admin role.
Reference: https://docs.microsoft.com/en-us/office365/enterprise/view-service-health
Your network contains an Active Directory domain and a Microsoft Azure Active Directory (Azure AD) tenant.
The network uses a firewall that contains a list of allowed outbound domains.
You begin to implement directory synchronization.
You discover that the firewall configuration contains only the following domain names in the list of allowed domains:
✑ *.microsoft.com
✑ *.office.com
Directory synchronization fails.
You need to ensure that directory synchronization completes successfully.
What is the best approach to achieve the goal? More than one answer choice may achieve the goal. Select the BEST answer.
A. From the firewall, allow the IP address range of the Azure data center for outbound communication.
B. From Azure AD Connect, modify the Customize synchronization options task.
C. Deploy an Azure AD Connect sync server in staging mode.
D. From the firewall, create a list of allowed inbound domains.
E. From the firewall, modify the list of allowed outbound domains.
Answer: E
Explanation: Azure AD Connect needs to be able to connect to various Microsoft domains such as login.microsoftonline.com. Therefore, you need to modify the list of allowed outbound domains on the firewall.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-ports
Your company has offices in several cities and 100,000 users.
The network contains an Active Directory domain named contoso.com.
You purchase Microsoft 365 and plan to deploy several Microsoft 365 services.
You are evaluating the implementation of pass-through authentication and seamless SSO. Azure AD Connect will NOT be in staging mode.
You need to identify the redundancy limits for the planned implementation.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
How many servers can you run Azure AD Connect on?
How many servers can you run Standalone Authentication Agents on?
Answer: One
Answer: As many as you want.
Azure AD Connect can be active on only one server. You can install Azure AD Connect on another server for redundancy but the additional installation would need to be in Staging mode. An Azure AD Connect installation in Staging mode is configured and ready to go but it needs to be manually switched to Active to perform directory synchronization.
Azure authentication agents can be installed on as many servers as you like.
User1 must change their password at next login?
User2 can change their password to C0mpl3xC0nt0so?
User3 can change his password to mypasswordcontoso123
Box 1: No
User1's password contains the banned password 'Contoso'. However, User1 will not be required to change his password at next sign in. When the password expires or when User1 (or an administrator) changes the password, the password will be evaluated and will have to meet the password requirements.
Box 2: Yes
Password evaluation goes through several steps including normalization and substring matching, which is used on the normalized password to check for the user's first and last name as well as the tenant name. Normalization is the process of converting common letter substitutes into letters. For example, 0 converts to o, $ converts to s, etc.
The next step is to identify all instances of banned passwords in the user's normalized new password. Then:
1. Each banned password that is found in a user's password is given one point.
2. Each remaining unique character is given one point.
3. A password must be at least five (5) points for it to be accepted.
'C0nt0s0' becomes contoso after normalization. Therefore, C0nt0s0_C0mplex123 contains one instance of the banned password (contoso) so that equals 1 point. After 'contoso', there are 11 unique characters. Therefore, the score for 'C0nt0s0_C0mplex123' is 12. This is more than the required 5 points so the password is acceptable.
Box 3:
The 'Password protection for Windows Server Active Directory' is in 'Audit' mode. This means that the password protection rules are not applied. Audit mode is for logging policy violations before putting the password protection 'live' by changing the mode to 'enforced'.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad
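The scoring steps in the explanation above, worked through in code. This is an added example, not part of the original practice test and not Microsoft's implementation. It models only the two substitutions the explanation names (0 to o, $ to s); the function names, the sample banned list and the "Audit"/"Enforced" mode strings are assumptions.

```python
# Added example: the banned-password scoring steps from the explanation above.
# Assumptions: only the two substitutions named in the text are modelled, and
# the banned list is supplied by the caller (a constructed sample is used below).

SUBSTITUTIONS = str.maketrans({"0": "o", "$": "s"})
MIN_SCORE = 5      # rule 3: a password needs at least five points
_REMOVED = "\0"    # marks where a banned term was cut out of the password


def normalize(password):
    """Lower-case the password and map common substitutes back to letters."""
    return password.lower().translate(SUBSTITUTIONS)


def score(password, banned_terms):
    """Return (points, banned terms found) for a candidate password."""
    remaining = normalize(password)
    found = []
    # Check longer terms first so a short term cannot split a longer one.
    terms = sorted({normalize(t) for t in banned_terms if t},
                   key=lambda t: (-len(t), t))
    for term in terms:
        hits = remaining.count(term)
        if hits:
            found.extend([term] * hits)      # rule 1: one point per banned term found
            # The marker keeps the characters on either side from joining up.
            remaining = remaining.replace(term, _REMOVED)
    unique_left = set(remaining) - {_REMOVED}  # rule 2: one point per remaining unique character
    return len(found) + len(unique_left), found


def evaluate(password, banned_terms, mode="Enforced"):
    """Apply the five-point minimum, honouring Audit versus Enforced mode."""
    points, found = score(password, banned_terms)
    violation = points < MIN_SCORE
    # In Audit mode a violation is only logged; the change is still accepted.
    accepted = (not violation) or mode == "Audit"
    return {"points": points, "found": found,
            "violation": violation, "accepted": accepted}


if __name__ == "__main__":
    banned = ["Contoso"]  # constructed sample banned list
    for candidate in ("C0nt0s0_C0mplex123", "C0mpl3xC0nt0so", "C0nt0s0!1"):
        print(candidate, evaluate(candidate, banned))
    print("audit:", evaluate("C0nt0s0!1", banned, mode="Audit"))
```

A password made of little more than the banned term, such as the constructed C0nt0s0!1, scores below five and is rejected in enforced mode but accepted in audit mode, where the violation is only recorded.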
User1 can review access for User2
User1 can review access for User3
User3 can review access for User4
Box 1: Yes
User1 is the owner of Group1. User2 is in Group1 and Group2. Group owners can review access. Therefore, User1 can review User2's membership of Group1.
Box 2: Yes
User1 is the owner of Group1. User3 is in Group1 and Group2. Group owners can review access. Therefore, User1 can review User3's membership of Group1.
Box 3: No
Only group owners can review access. User3 is not a group owner. Therefore, User3 cannot review membership of the groups.
References: https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review
If you create a security group in Azure AD the group will:
- Not sync to adatum.com
- Sync to adatum.com as security group
- Sync to adatum.com as distribution group
If you join a computer to Azure AD the object will:
- Not sync to adatum.com
- Sync to the computers container in adatum.com
- Sync to the LostandFound container in adatum.com
- Sync to the RegisteredDevices container in adatum.com
If you create a security group in Azure AD the group will: Sync to adatum.com as security group
If you join a computer to Azure AD the object will: Sync to the RegisteredDevices container in adatum.com
Explanation: Group Writeback is enabled in the Azure AD Connect configuration so groups created in Azure Active Directory will be synchronized to the on-premise Active Directory. A security group created in Azure Active Directory will be synchronized to the on-premise Active Directory as a security group.
Device Writeback is enabled in the Azure AD Connect configuration so computers joined to the Azure Active Directory will be synchronized to the on-premise Active Directory. They will sync to the RegisteredDevices container in the on-premise Active Directory.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-device-writeback
Service Support Admin
view the service dashboard and the Microsoft Office 365 Message center create Microsoft support tickets