MS-500 - Module 1


Your organization wants additional Azure AD Connect server(s) for disaster recovery purposes. How can this be achieved? (A) Install multiple Azure AD Connect server connected to a single Azure AD or Office 365 tenant (B) Install additional Azure AD Connect server(s) in staging mode (C) Install the additional Active Directory Federation Services feature (D) Configure password writeback in Azure AD Connect

(B) Install additional Azure AD Connect server(s) in staging mode

If you delete users in your on-premises Active Directory and the deletion is synchronized to Office 365, the user object is put in a deleted state and no longer appears in the user list. Which Windows PowerShell cmdlet can you use for restoring a user? (A) Recover-MsolUser (B) Restore-MsolUser (C) Set-MsolUser (D) Recycle-MsolUser

(B) Restore-MsolUser

A guest user has requested to use Multi-Factor Authentication in your environment, and his company has already set it up. What may need to occur before the guest can use this feature? (A) The guest may need an additional license. (B) The guest may need to perform the authentication once in his or her home Organization and then again in your environment. (C) The guest may need to get authorization from his company. (D) The customer will need to do nothing; everything has been provided.

(B) The guest may need to perform the authentication once in his or her home Organization and then again in your environment.

If you delete users in your on-premises Active Directory and the deletion is synchronized to Office 365, the user object is put in a deleted state and no longer appears in the user list. How long can the user object be recovered in Office 365? (A) 90 days (B) 120 days (C) 30 days (D) 60 days

(C) 30 days

A user has added a new application. The application's permissions have been updated, the application is running, and a user is about to use it for the first time. What does Azure AD need before the user can access the application? (A) User certificate (B) Security token (C) Authorization Code (D) Endpoint authorization

(C) Authorization Code

Which Windows PowerShell cmdlet must be used to configure Web Application Proxy (WAP) for publishing Active Directory Federation Services (AD FS)? (A) Deploy-AdfsApplicationProxy (B) Install-AdfsProxy (C) Install-WebApplicationProxy (D) Configure-WebApplicationProxy (E) Set-AdfsWebProxy

(C) Install-WebApplicationProxy

Which statement about default password policy settings for Microsoft 365 users is correct? (A) Passwords expire after 90 days, and users receive an expiration notification 7 days before it occurs. (B) Passwords expire after 120 days, and users receive an expiration notification 14 days before it occurs. (C) Passwords expire after 90 days, and users receive an expiration notification 14 days before it occurs. (D) Passwords expire after 120 days, and users receive an expiration notification 7 days before it occurs.

(C) Passwords expire after 90 days, and users receive an expiration notification 14 days before it occurs.

When planning Azure AD Connect directory synchronization, deciding which attribute to use as the sourceAnchor is important. Why is the sourceAnchor attribute used? (A) The sourceAnchor attribute is required for single sign-on capabilities with Azure AD Connect and Active Directory Federation Services (AD FS). (B) The sourceAnchor attribute is required for migrating on-premises Exchange mailboxes to Exchange Online. (C) The sourceAnchor attribute is required for matching both the source and the target object, thereby linking both objects together. (D) The sourceAnchor attribute is required for changing the default Azure AD Connect installation path.

(C) The sourceAnchor attribute is required for matching both the source and the target object; thereby linking both objects together.

What should you configure if you want users to authenticate by using MFA if they want to access a specific company resource? (A) Device configuration profile (B) Device compliance policy (C) Conditional access policy (D) Azure AD integration with Intune

(C) Conditional access policy

Your company is using Intune for device management. You need to identify devices that are jail-broken or don't use encryption to protect local data. What should you create in Intune? (A) Device enrollment restrictions (B) Device configuration profile (C) Device compliance policy (D) Conditional access policy

(C) Device compliance policy

What is the maximum number of days you can allow your users to remember a multi-factor authentication session in an app? (A) 1 (B) 14 (C) 30 (D) 60

(D) 60

Which authentication solution should be used if you want to address an on-premises multi-factor authentication solution? (A) Azure AD Connect Password Synchronization (B) Azure AD Connect Pass-through authentication (C) Azure AD Connect Pass-through authentication with Azure AD Seamless SSO (D) Active Directory Federation Services (AD FS)

(D) Active Directory Federation Services (AD FS)

What group type in Microsoft 365 provides a shared workspace for email, conversations, files, and calendar events? (A) Security group (B) Distribution list (C) Mail-enabled security group (D) Office 365 group (E) Dynamic distribution group

(D) Office 365 group

The group writeback feature writes Office 365 Groups from Azure AD to on-premises Active Directory. This feature is included as an optional feature in Azure AD Connect. Which type of groups can be written back from Azure AD to your on-premises Active Directory? (A) Security groups (B) Mail-enabled security groups (C) Distribution groups (D) Office 365 groups

(D) Office 365 groups

Active Directory Federation Services (AD FS) 2016 supports the use of access control policy templates and includes several built-in access control policy templates. What policy template should you use if you want to grant access to everyone and require MFA for everyone? (A) Permit everyone and require MFA for specific group (B) Permit everyone and require MFA from extranet access (C) Permit specific group (D) Permit everyone and require MFA

(D) Permit everyone and require MFA

Which Windows PowerShell cmdlet triggers a manual full directory synchronization? (A) Start-AdSyncCycle (B) Start-AdSyncSyncCycle -PolicyType Delta (C) Start-AdSynchronization -Now (D) Start-AdSyncSyncCycle -PolicyType Initial

(D) Start-AdSyncSyncCycle -PolicyType Initial

Users can now change their passwords via the login page or user settings in Office 365 and have them written back to on-premises Active Directory. Which of the following is required to make that happen? (A) You need an Office 365 E5 license (B) Your domain controllers must be at least Windows Server 2003 (C) Your users need Office 2016 installed on their clients (D) You need an Azure Active Directory Premium license P1

(D) You need an Azure Active Directory Premium license P1

You work for a company called Contoso. Contoso is using Intune to manage their Windows 10, Android, and iOS devices. You noticed that several users are accessing company resources from devices that are not enrolled to Intune. You need to ensure that users can access company resources only from enrolled devices. What should you configure in Intune? (A) Device enrollment restrictions (B) Device configuration profile (C) Device compliance policy (D) Conditional access policy (E) Azure AD integration with Intune

(D) Conditional access policy

Your company's users are using several types of devices that are running different operating systems. Since you have configured integration between Azure AD and Intune, you need to select a device that can be automatically enrolled to Intune when you join it to Azure AD. Which device should you choose? (A) Android (B) iOS (C) macOS (D) Windows 10

(D) Windows 10

Which calculator-like spreadsheet helps your organization to determine the optimal number of federation servers and required hardware for your environment? (A) Exchange Server Role Requirements Calculator (B) Microsoft Remote Connectivity Analyzer (C) Microsoft 365 Bandwidth Calculator (D) Lync 2010 and 2013 Bandwidth Calculator (E) AD FS Capacity Planning Spreadsheet (F) Microsoft 365 Network Analysis Tool

(E) AD FS Capacity Planning Spreadsheet

Which of the following group types can only be created in the Exchange admin center, but not in the Microsoft 365 admin center? (A) Security group (B) Distribution list (C) Mail-enabled security group (D) Office 365 group (E) Dynamic distribution group

(E) Dynamic distribution group

What are the three authentication categories for Microsoft 365?

- Cloud-only
- Directory Synchronization with Pass-through authentication (PTA)
- Single Sign-On (SSO) with ADFS

What are four methods for provisioning user accounts?

- Microsoft 365 admin center
- Import multiple users
- Windows PowerShell
- Directory Synchronization

Why should you use Azure AD Connect for your Active Directory Federation Services (AD FS) installation and configuration? (A) It helps you to avoid AD FS configuration issues because installation and configuration is done automatically in the background. (B) It provides more features like MFA and smart card authentication as if you install and configure it manually with Windows Server 2016. (C) You can only use Azure AD Connect for installing and configuring AD FS for Microsoft 365. (D) With Azure AD Connect, you do not have to validate domain ownership in your domain name registrar.

(A) It helps you to avoid AD FS configuration issues because installation and configuration is done automatically in the background.

Your organization implemented Active Directory Federation Services (AD FS) successfully. You want to change the AD FS sign-in page using Windows PowerShell. Which cmdlet must be used to change the company name? (A) Set-AdfsGlobalWebContent (B) Set-AdfsWebTheme (C) Set-AdfsWebConfig (D) New-AdfsWebTheme

(A) Set-AdfsGlobalWebContent

What is required when publishing an on-premises application for remote access? (A) DNS TXT file (B) Connector Group (C) POST Authentication (D) Short Backend Application Timeout

(B) Connector Group

What user identity type is described as: a synchronized account authenticated by using AD FS? (A) Cloud identity (B) Federated identity (C) Synchronized identity (D) Group identity

(B) Federated identity

If an administrator forgets his password, how can he have it reset? (2 methods)

1. Ask another administrator to reset it (a global admin PW must be reset by another global admin).
2. Reset the PW himself with "Can't access your account?" on the sign-in page for Microsoft 365.

What 7 security benefits does the Azure AD Application Proxy provide?

1. Authenticated access
2. Conditional access
3. Traffic termination
4. All access is outbound
5. Cloud-scale analytics
6. Remote access as a service
7. DDOS prevention

What are the three Microsoft 365 tenant / Azure AD requirements to deploy Azure AD Connect?

1. Azure AD subscription or Microsoft 365 tenant
2. Added and verified domains to be used in Azure AD.
3. Verify that the object quota is sufficient (unverified = 50k, verified = 300k, >300k requires a MS ticket)

What are six benefits of directory synchronization?

1. Hybrid Identity (between on-prem and cloud)
2. AD Policies (on prem can drive cloud)
3. Leverage Identity (common identity through multiple apps)
4. Single-sign-on (SSO for cloud and on-prem managed on prem)
5. Multi-factor authentication (MFA can be used both on-prem and in cloud)
6. Common identity model

What three vulnerabilities are tracked by Azure Active Directory?

1. Multi-factor authentication (MFA) registration not configured
2. Unmanaged cloud apps
3. Security alerts from Privileged Identity Management (PIM)

Name four common access concerns that conditional access can help you with.

1. Sign-in risk
2. Network location
3. Device management
4. Client application

What are the three parts of Azure AD Connect?

1. The synchronization services
2. The optional Active Directory Federation Services piece
3. The monitoring piece, which is done using Azure AD Connect Health

What six risk event types are tracked by Azure Active Directory?

1. Users with leaked credentials
2. Sign-ins from anonymous IP address
3. Impossible travel to atypical locations
4. Sign-in from unfamiliar locations
5. Sign-ins from infected devices
6. Sign-ins from IP addresses with suspicious activity

For Active Directory risk events, what timeframe is considered "Offline"?

2 to 4 hours

For how long after deletion can an object be recovered in Microsoft 365?

30 days

For Active Directory risk events, what timeframe is considered "Real-Time"?

5 to 10 minutes

By default in Microsoft 365, after how many days do users' passwords expire, and how long before expiration will a user receive a notification?

A password will expire after 90 days, and a user will receive notification 14 days prior to expiration.

For Active Directory risk events, what is considered a "High" risk?

A risk with both high confidence and high severity

For Active Directory risk events, what is considered a "Low" risk?

A risk with both low confidence and low severity

For Active Directory risk events, what is considered a "Medium" risk?

A risk with either high confidence or high severity, but not both

What PowerShell cmdlet is used to assign a role to a user?

Add-MsolRoleMember, e.g.: Add-MsolRoleMember -RoleName "Exchange Service Administrator" -RoleMemberEmailAddress "[email protected]"

What is multi-factor authentication (MFA)?

An authentication method that requests a username and password and then employs one of the following secondary authentication methods:
- Call to phone
- Text message to phone
- Notification through mobile app
- Verification code from mobile app

What Azure AD level is required to use password write-back with federated and synchronized identities?

Azure AD Premium

What licensing is required to implement device compliance policies?

Azure AD premium P1 or P2 and Intune, or MS 365, or Enterprise Mobility + Security

What is synchronized by default by Azure AD Connect?

By default, all users, contacts, groups, and Windows 10 computers are synchronized.

True or False: Self-service password reset (SSPR) is enabled by default?

FALSE

True or False: After the initial Azure AD Connect sync is completed, objects may be configured in the cloud or on-premises.

False. After the first synchronization cycle has completed, the source of authority is transferred from the cloud to the on-premises Active Directory. All subsequent changes to cloud objects (except for licensing) are mastered from the on-premises Active Directory tools. The corresponding cloud objects are read-only, and Microsoft 365 administrators cannot edit cloud objects if the source of authority is on-premises.

true/false: At least one domain controller must be running at least Windows Server 2008 R2 to use gMSA (Group Managed Service Account).

False. At least one domain controller must be running at least Windows Server 2012 to enable gMSA.

True / False: The Azure AD Connect server must be deployed in the perimeter network in order to accept incoming requests from the cloud to perform pass-through authentication.

False. Since all communication from the Azure AD Connect server is outbound only, it does not need to be in the perimeter network. It pulls requests for authentication from a queue, thus eliminating the need for incoming communications.

true/false: The ADFS farm should be located in the perimeter network.

False. The ADFS farm should be domain-joined to the internal network.

true/false: The Web Application Proxy (WAP) should be located in the internal network and be domain joined.

False. The WAP should be located in the perimeter network.

What PowerShell cmdlet is used to view MS 365 groups?

Get-MsolGroup

What PowerShell cmdlet is used to view available administrator roles?

Get-MsolRole

Which directory roles are supported by Azure Identity Protection?

- Global Administrator
- Security Administrator
- Security Reader

What is the source anchor attribute?

In Azure AD Connect, the sourceAnchor attribute matches both the source and the target object, thereby linking both objects together.

What is pass-through authentication?

In pass-through authentication, the user authenticates in Azure AD and Azure AD passes the encrypted password to on-prem AD for authentication. The on-prem AD returns either "success", "failure", "password expired", or "user locked out".

What PowerShell cmdlet is used to create a MS 365 group?

New-MsolGroup

What PowerShell cmdlet is used to provision user accounts?

New-MsolUser, e.g.: New-MsolUser -UserPrincipalName [email protected] -DisplayName "Stella Carrillo" -FirstName "Stella" -LastName "Carrillo" -UsageLocation "US" -LicenseAssignment "Adatum:ENTERPRISEPREMIUM"

What is password write-back?

Password write-back allows users to change their passwords in the cloud and have those changes written back to their on-premises AD.

What PowerShell cmdlet is used to delete MS 365 groups?

Remove-MsolGroup

What PowerShell cmdlet is used to delete user accounts?

Remove-MsolUser (Use -ObjectId Guid or -UserPrincipalName parameters)

What PowerShell cmdlet is used to restore deleted user accounts?

Restore-MsolUser

What kind of databases are supported for ADFS?

SQL or WID (Windows Internal Database)

What cmdlet is used to add a home link to the ADFS sign in page?

Set-AdfsGlobalWebContent

What cmdlet is used to add a privacy link to the ADFS sign in page?

Set-AdfsGlobalWebContent

What cmdlet is used to add a sign-in description on the ADFS sign in page?

Set-AdfsGlobalWebContent

What cmdlet is used to add help desk links on the ADFS sign in page?

Set-AdfsGlobalWebContent

What cmdlet is used to change the company name on the ADFS sign in page?

Set-AdfsGlobalWebContent

What cmdlet is used to change the company logo on the ADFS sign in page?

Set-AdfsWebTheme

What cmdlet is used to change the illustration on the ADFS sign in page?

Set-AdfsWebTheme

What cmdlet is used to switch authentication between "federated" (ADFS) and "managed" (Password Sync)?

Set-MsolDomainAuthentication

What is the Azure AD default directory quota for a verified domain?

The default quota for a verified domain is 300k objects.

What is the Azure AD default directory quota for an unverified domain?

The default quota for an unverified domain is 50k objects.

What is password synchronization?

The on-premises AD provides a hash of the user's password to Azure AD. When the user signs in, Azure AD validates the password against this hash.

What is the purpose of Azure AD Connect?

The purpose of Azure AD Connect is to enable coexistence between your on-premises Active Directory environment and Microsoft 365 in the cloud.

true/false: The ADFS farm should be located in the internal network and be domain joined.

True.

true/false: The Web Application Proxy (WAP) should be located in the perimeter network.

True.

true/false: ADFS can be fully deployed in Azure.

True. However, a VPN connection may be required to the local environment.

What is a good way to test ADFS connectivity from a browser?

Use the ADFS IdP-Initiated sign on page. Note that by default, this page is disabled, so it will need to be enabled to perform this test.

What database is recommended for most ADFS deployments?

WID (Windows Internal Database)

What is the minimum domain functional level for deploying ADFS?

Windows Server 2008

What is the minimum OS that Azure AD Connect can be installed on?

Windows Server 2008 (for password sync or password write-back, Windows Server 2008 R2)

What are the minimum and maximum number of days before password expiration that Microsoft 365 can be set to send a warning?

Minimum = 1 day; maximum = 30 days

What are the minimum and maximum number of days until user password expiration that can be set in Microsoft 365?

Minimum = 14 days; maximum = 730 days
