Microsoft Microsoft Certifications MS-100 Questions & Answers

• Question 21:

  HOTSPOT

  You have a Microsoft 365 subscription that contains a Microsoft 365 group named Group1. Group1 is configured as shown in the following exhibit.

  

  An external user named User1 has an email address of [email protected]. You need to add User1 to Group1.

  What should you do first and which portal should you use? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Invite User1 to collaborate with your organization as a guest.

  To manage guest users of a Microsoft 365 tenant via the Admin Center portal, go through the following steps.

  Navigate with your Web browser to https://admin.microsoft.com.

  On the left pane, click on “Users”, then click “Guest Users”.

  On the “Guest Users” page, to create a new guest user, click on either the “Add a guest user” link on the top of the page or click on “Go to Azure Active Directory to add guest users” link at the bottom of the page. Both of these links will take

  you to the Azure Active Directory portal, which is located at https://aad.portal.azure.com.

  

  On the “New user” page in the Microsoft Azure portal, you must choose to either “Create user” or “Invite user”. If you choose the “Create user” option, this will create a new user in your organization, which will have a login address with format username@tenantdomain,dot,com. If you choose the “Invite user” option, this will invite a new guest user to collaborate with your organization. The user will be emailed an email invitation which they can accept in order to begin collaborating. For the purpose of creating a guest user, you must choose the “Invite user” option.

  

  Box 2: The Azure Active Directory admin center Reference: https://stefanos.cloud/kb/how-to-manage-microsoft-365-guest-users

• Question 22:

  HOTSPOT

  You have a Microsoft 365 E5 subscription.

  You create a Conditional Access policy named Policy1 and assign Policy1 to all users.

  You need to configure Policy 1 to enforce multi-factor authentication (MFA) if the user risk level is high.

  Which two settings should you configure in Policy1? To answer, select the appropriate settings in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Conditions

  Sign-in risk policy in Conditional Access (see steps 7 and 8 below).

  1.

  Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.

  2.

  Browse to Azure Active Directory > Security > Conditional Access.

  3.

  Select New policy.

  4.

  Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.

  5.

  Under Assignments, select Users or workload identities.

  a.

  Under Include, select All users.

  b.

  Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.

  c.

  Select Done.

  6.

  Under Cloud apps or actions > Include, select All cloud apps.

  7.

  Under Conditions > Sign-in risk, set Configure to Yes. Under Select the sign-in risk level this policy will apply to. (This guidance is based on Microsoft recommendations and may be different for each organization)

  a.Select High and Medium.

  b.Select Done.

  8.

  Under Access controls > Grant.

  a.

  Select Grant access, Require multifactor authentication.

  b.

  Select Select.

  9. Under Session.

  a.

  Select Sign-in frequency.

  b.

  Ensure Every time is selected.

  c.

  Select Select.

  10.

  Confirm your settings and set Enable policy to Report-only.

  11.

  Select Create to create to enable your policy.

  Reference: https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies

• Question 23:

  HOTSPOT

  You have a Microsoft 365 E5 subscription that contains a group named Group1. The subscription is linked to an Azure Active Directory (Azure AD) tenant named contoso.com.

  The Identity Governance settings for contoso.com are configured as shown in the following table.

  

  On March 1, 2022, you invite the guest users shown in the following table to contoso.com.

  

  On March 2, 2022, you add Guest1 to Group1.

  On March 5, 2022, you create an access package named Package1 that has the following settings:

  Resource roles

  1.

  Name: Group1

  2.

  Type: Group and Team

  3.

  Role: Member

  Lifecycle

  1.

  Access package assignments expire: On date

  2.

  Assignment expiration date: March 20, 2022

  On March 5, 2022, you assign Package1 to the guest users shown in the following table.

  

  On March 6, 2022, you assign the Reports reader role to Guest3.

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: No

  Guest2 is invited on March 1, 2022. Guest2 will be removed before April 10, 2022.

  Disable and delete external identities with Azure AD Access Reviews

  In addition to the option of removing unwanted external identities from resources such as groups or applications, Azure AD Access Reviews can block external identities from signing-in to your tenant and delete the external identities from your

  tenant after 30 days. Once you select Block user from signing-in for 30 days, then remove user from the tenant, the review will stay in the “applying” state for 30 days. During this period, settings, results, reviewers or Audit logs under the

  current review won't be viewable or configurable.

  Box 2: No

  Guest3 is assigned Package1 on March 5, 2022. Package1 assignment expiration date is March 20, 2022, so access will not be granted on April 25, 2002

  Box 3: No

  Guest1 is invited on March 1, 2022.

  On March 2, 2022, you add Guest1 to Group1.

  Group1 assignment expiration date is March 20, 2022, so access will not be granted on May 1, 2020.

  Note: An assignment of an access package to a user ensures the user has all the resource roles of that access package. Access package assignments typically have a time limit before they expire.

  Reference: https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-external-users

• Question 24:

  HOTSPOT

  You have a Microsoft 365 E5 subscription that contains the following group:

  1.

  Name: Group1

  2.

  Members: User1, User2

  3.

  Owner: User3

  You create an access review that has the following settings:

  1.

  Review name: Review1

  2.

  Group: Group1

  3.

  Scope: All users

  4.

  Select reviewers: Users review their own access

  5.

  Duration (in days): 14

  6.

  Review recurrence: Monthly

  7.

  Start date: 5/1/2022

  8.

  End: End after number of occurrences

  9.

  Occurrences: 6 10.Auto apply results to resource: Enable

  Initial user responses to Review1 are shown in the following table.

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

• Question 25:

  HOTSPOT

  Your network contains an on-premises Active Directory domain. The domain contains the servers shown in the following table.

  

  You purchase a Microsoft 365 E5 subscription.

  You need to implement Azure AD Connect cloud sync.

  Hot Area:

  

  Correct Answer:

  

  Box 1: The Azure AD Connect provisioning agent

  Install the Azure AD Connect provisioning agent

  How is Azure AD Connect cloud sync different from Azure AD Connect sync?

  With Azure AD Connect cloud sync, provisioning from AD to Azure AD is orchestrated in Microsoft Online Services. An organization only needs to deploy, in their on-premises or IaaS-hosted environment, a light-weight agent that acts as a

  bridge between Azure AD and AD. The provisioning configuration is stored in Azure AD and managed as part of the service.

  Box 2: Server1 or Server2 only.

  Cloud provisioning agent requirements include:

  * An on-premises server for the provisioning agent with Windows 2016 or later.

  This server should be a tier 0 server based on the Active Directory administrative tier model. Installing the agent on a domain controller is supported.

  Note: Windows Server Core is a minimal installation option for the Windows Server operating system (OS) that has no GUI and only includes the components required to perform server roles and run applications.

  Reference: https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/how-to-install https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/how-to-prerequisites

• Question 26:

  HOTSPOT

  You have a Microsoft 365 subscription that has a Conditional Access policy named Policy1. Policy1 is configured as shown in the following exhibit.

  

  Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Yes

  Only one of the controls is required.

  Note: Grant access

  Administrators can choose to enforce one or more controls when granting access.

  When administrators choose to combine these options, they can use the following methods:

  Require all the selected controls (control and control)

  Require one of the selected controls (control or control)

  Box 2: prompt for multi-factor authentication (MFA) MFA would be required as the other control is not met.

  Reference: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant

• Question 27:

  HOTSPOT

  You have a Microsoft 365 E5 subscription.

  You need to implement identity protection. The solution must meet the following requirements:

  1.

  Identify when a user's credentials are compromised and shared on the dark web.

  2.

  Provide users that have compromised credentials with the ability to self-remediate.

  What should you do? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

• Question 28:

  HOTSPOT

  You have a new Microsoft 365 E5 tenant.

  Enable Security defaults is set to Yes.

  A user signs in to the tenant for the first time.

  Which multi-factor authentication (MFA) method can the user use, and how many days does the user have to register for MFA? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Notification to Microsoft Authenticator app Users have 14 days to register for MFA with the Microsoft Authenticator app from their smart phones, which begins from the first time they sign in after security defaults has been enabled. After 14 days have passed, the user won't be able to sign in until MFA registration is completed.

  Box 2: 14

  Reference: https://docs.microsoft.com/en-us/microsoft-365/solutions/empower-people-to-work-remotely-secure-sign-in

• Question 29:

  HOTSPOT

  You are securing a wet API by using the Microsoft identity Platform. The web API must meet the following requirements:

  Authenticated Azure Active Directory (Azure AD) users must be able to retrieve user information from Azure AD.

  Authenticated Azure AD users must be able to manage Microsoft 365 groups.

  You need to grant permissions for the web API. The solution must use the principle of least privilege. What should you grant? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

• Question 30:

  HOTSPOT

  You work at a company named Contoso, Ltd.

  Contoso has a Microsoft 365 subscription that is configured to use the DNS domains shown in the following table.

  

  Contoso purchases a company named Fabrikam, Inc.

  Contoso plans to add the following domains to the Microsoft 365 subscription:

  fabrikam.com

  east.fabrikam.com

  west.contoso.com

  You need to ensure that the devices in the new domains can register by using Autodiscover.

  How many domains should you verify, and what is the minimum number of enterpriseregistration DNS records you should add? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer: