Microsoft Microsoft Certifications MS-100 Questions & Answers

• Question 271:

  Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  Your company plans to deploy several Microsoft Office 365 services.

  You need to design an authentication strategy for the planned deployment. The solution must meet the following requirements:

  1.

  Users must be able to authenticate during business hours only.

  2.

  Authentication requests must be processed successfully if a single server fails.

  3.

  When the password for an on-premises user account expires, the new password must be enforced the next time the user signs in.

  4.

  Users who connect to Office 365 services from domain-joined devices that are connected to the internal network must be signed in automatically.

  Solution: You design an authentication strategy that contains a pass-through authentication model. The solution contains two servers that have an Authentication Agent installed and password hash synchronization configured.

  Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: B

  This solution meets the following goals:

  1.

  Users must be able to authenticate during business hours only.

  2.

  Authentication requests must be processed successfully if a single server fails.

  3.

  When the password for an on-premises user account expires, the new password must be enforced the next time the user signs in.

  However, the following goal is not met:

  Users who connect to Office 365 services from domain-joined devices that are connected to the internal network must be signed in automatically.

  You would need to configure Single-sign on (SSO) to meet the last requirement.

  Reference:

  https://docs.microsoft.com/en-us/azure/security/azure-ad-choose-authn

• Question 272:

  Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  Your company plans to deploy several Microsoft Office 365 services.

  You need to design an authentication strategy for the planned deployment. The solution must meet the following requirements:

  1.

  Users must be able to authenticate during business hours only.

  2.

  Authentication requests must be processed successfully if a single server fails.

  3.

  When the password for an on-premises user account expires, the new password must be enforced the next time the user signs in.

  4.

  Users who connect to Office 365 services from domain-joined devices that are connected to the internal network must be signed in automatically.

  Solution: You design an authentication strategy that contains a pass-through authentication model. You install an Authentication Agent on three servers and configure seamless SSO.

  Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: A

  This solution meets all the requirements:

  1.

  Users must be able to authenticate during business hours only. (This can be configured by using Logon Hours in Active Directory. Pass-through authentication passes authentication to the on-premise Active Directory)

  2.

  Authentication requests must be processed successfully if a single server fails. (We have Authentication Agents running on three servers)

  3.

  When the password for an on-premises user account expires, the new password must be enforced the next time the user signs in. (This can be configured in Active Directory. Pass-through authentication passes authentication to the on-premise Active Directory)

  4.

  Users who connect to Office 365 services from domain-joined devices that are connected to the internal network must be signed in automatically. (This goal is met by seamless SSO)

  Reference: https://docs.microsoft.com/en-us/azure/security/azure-ad-choose-authn

• Question 273:

  Your network contains an on-premises Active Directory domain named contoso.local. The domain contains five domain controllers.

  Your company purchases Microsoft 365 and creates a Microsoft Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.

  You plan to implement pass-through authentication.

  You need to prepare the environment for the planned implementation of pass-through authentication.

  Which three actions should you perform? Each correct answer presents part of the solution.

  NOTE: Each correct selection is worth one point.

  A. Modify the email address attribute for each user account.

  B. From the Azure portal, add a custom domain name.

  C. From Active Directory Domains and Trusts, add a UPN suffix.

  D. Modify the User logon name for each user account.

  E. From the Azure portal, configure an authentication method.

  F. From a domain controller, install an Authentication Agent.

  Correct Answer: BCF

  To implement pass-through authentication, you need to install and configure Azure AD Connect.

  The on-premise Active Directory domain is named contoso.local. Before you can configure Azure AD Connect, you need to purchase a routable domain, for example, contoso.com. You then need to add the domain contoso.com to Microsoft as a custom domain name.

  The user accounts in the Active Directory domain need to be configured to use the domain name contoso.com as a UPN suffix. You need to add contoso.com to the Active Directory first by using Active Directory Domains and Trusts to add contoso.com add a UPN suffix. You can then configure each account to use the new UPN suffix.

  An Authentication Agent is required on a domain controller to perform the authentication when pass-through authentication is used. When the custom domain and user accounts are configured, you can install and configure Azure AD Connect. An Authentication Agent is installed when you select the pass-through authentication option in the Azure AD Connect configuration or you can install the Authentication Agent manually.

  Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-quick-start

• Question 274:

  You have a Microsoft 365 Enterprise E5 subscription.

  You need to enforce multi-factor authentication on all cloud-based applications for the users in the finance department.

  What should you do?

  A. Create a sign-in risk policy.

  B. Create a new app registration.

  C. Assign an Enterprise Mobility + Security E5 license to the finance department users.

  D. Configure the sign-in status for the user accounts of the finance department users.

  Correct Answer: A

  You can configure a sign-in risk policy that applies to the Finance department users. The policy can be configured to `Allow access' but with multi-factor authentication as a requirement.

  Note:

  There are several versions of this question in the exam. The question has two possible correct answers:

  1.

  Create a sign-in risk policy.

  2.

  Create a conditional access policy.

  Other incorrect answer options you may see on the exam include the following:

  1.

  Create an activity policy.

  2.

  Create a session policy.

  3.

  Create an app permission policy.

  4.

  Configure the sign-in status for the user accounts of the finance department users.

  5.

  Assign an Enterprise Mobility + Security E5 license to the finance department users.

  Reference: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-sign-in-risk-policy

• Question 275:

  You have a Microsoft 365 Enterprise subscription.

  You have a conditional access policy to force multi-factor authentication when accessing Microsoft SharePoint from a mobile device.

  You need to view which users authenticated by using multi-factor authentication.

  What should you do?

  A. From the Microsoft 365 admin center, view the Security and Compliance reports.

  B. From the Azure Active Directory admin center, view the user sign-ins.

  C. From the Microsoft 365 admin center, view the Usage reports.

  D. From the Azure Active Directory admin center, view the audit logs.

  Correct Answer: B

  With the sign-ins activity report in the Azure portal, you can get the information you need to determine how your environment is doing. The sign-ins report can provide you with information about the usage of managed applications and user sign-in activities, which includes information about multi-factor authentication (MFA) usage. The MFA data gives you insights into how MFA is working in your organization. It enables you to answer questions like:

  1.

  Was the sign-in challenged with MFA?

  2.

  How did the user complete MFA?

  3.

  Why was the user unable to complete MFA?

  4.

  How many users are challenged for MFA?

  5.

  How many users are unable to complete the MFA challenge?

  6.

  What are the common MFA issues end users are running into?

  Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-reporting

• Question 276:

  Your company recently purchased a Microsoft 365 subscription.

  You enable Microsoft Azure Multi-Factor Authentication (MFA) for all 500 users in the Azure Active Directory (Azure AD) tenant.

  You need to generate a report that lists all the users who completed the Azure MFA registration process.

  What is the best approach to achieve the goal? More than one answer choice may achieve the goal. Select the BEST answer.

  A. From Azure Cloud Shell, run the Get-AzureADUser cmdlet.

  B. From Azure Cloud Shell, run the Get-MsolUser cmdlet.

  C. From the Azure Active Directory admin center, use the Usage and insights blade.

  D. From the Azure Active Directory admin center, use the Risky sign-ins blade.

  Correct Answer: B

  You can use the Get-MsolUser cmdlet to generate a report that lists all the users who completed the Azure MFA registration process. The full command would look like this:

  Get-MsolUser -All | Where-Object {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName

  Reference:

  https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-reporting

• Question 277:

  You have a Microsoft 365 subscription and a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com. Contoso.com is configured as shown in the following exhibit.

  

  You need to ensure that guest users can be created in the tenant. Which setting should you modify?

  A. Guests can invite.

  B. Guest users permissions are limited.

  C. Members can invite.

  D. Admins and users in the guest inviter role can invite.

  E. Deny invitations to the specified domains.

  Correct Answer: D

  The setting "Admins and users in the guest inviter role can invite" is set to No. This means that no one can create guest accounts because they cannot `invite' guests. This setting needs to be changed to Yes to ensure that guest users can be created in the tenant.

  Reference: https://docs.microsoft.com/en-us/azure/active-directory/b2b/delegate-invitations https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions

• Question 278:

  Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while

  others might not have a correct solution.

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  You have a Microsoft 365 subscription.

  You need to prevent users from accessing your Microsoft SharePoint Online sites unless the users are connected to your on-premises network.

  Solution: From the Azure Active Directory admin center, you create a trusted location and a conditional access policy.

  Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: A

  Conditional Access in SharePoint Online can be configured to use an IP Address white list to allow access.

  With named locations, you can create logical groupings of IP address ranges, for example your office IP range. You can then mark the named location as a trusted location. Mark as trusted location - A flag you can set for a named location to

  indicate a trusted location. Typically, trusted locations are network areas that are controlled by your IT department.

  You would then configure the conditional access policy to allow access only from the trusted location.

  Reference:

  https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition

  https://techcommunity.microsoft.com/t5/Microsoft-SharePoint-Blog/Conditional-Access-in-SharePoint-Online-and-OneDrive-for/ba-p/46678

• Question 279:

  Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while

  others might not have a correct solution.

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  You have a Microsoft 365 subscription.

  You need to prevent users from accessing your Microsoft SharePoint Online sites unless the users are connected to your on-premises network.

  Solution: From the Microsoft 365 admin center, you configure the Organization profile settings.

  Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: B

  You need to configure a trusted location and a conditional access policy.

  Conditional Access in SharePoint Online can be configured to use an IP Address white list to allow access.

  Reference:

  https://techcommunity.microsoft.com/t5/Microsoft-SharePoint-Blog/Conditional-Access-in-SharePoint-Online-and-OneDrive-for/ba-p/46678

• Question 280:

  Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while

  others might not have a correct solution.

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  You have a Microsoft 365 subscription.

  You need to prevent users from accessing your Microsoft SharePoint Online sites unless the users are connected to your on-premises network.

  Solution: From the Device Management admin center, you a trusted location and compliance policy.

  Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: B

  You need to configure a conditional access policy, not a compliance policy.

  Conditional Access in SharePoint Online can be configured to use an IP Address white list to allow access.

  Reference:

  https://techcommunity.microsoft.com/t5/Microsoft-SharePoint-Blog/Conditional-Access-in-SharePoint-Online-and-OneDrive-for/ba-p/46678