Microsoft Microsoft Certifications MS-100 Questions & Answers

• Question 61:

  HOTSPOT

  An on-premises Active Directory user account named Allan Yoo is synchronized to Azure AD. You view Allan's account from Microsoft 365 and notice that his username is set to [email protected].

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Allan Yoo's user account is synchronized from the on-premise Active Directory. This means that most user account settings have to be configured in the on-premise Active Directory.

  In the exhibit, Password Writeback is disabled. Therefore, you cannot reset the password of Allan Yoo from the Azure portal.

  You also cannot change Allan Yoo's job title in the Azure portal because his account is synchronized from the on-premise Active Directory.

  One setting that you can configure for synchronized user accounts I the usage location. The usage location must be configured on a user account before you can assign licenses to the user.

  Reference:

  https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback

• Question 62:

  HOTSPOT

  Your network contains an Active Directory domain and a Microsoft Azure Active Directory (Azure AD) tenant.

  You implement directory synchronization for all 10,000 users in the organization.

  You automate the creation of 100 new user accounts.

  You need to ensure that the new user accounts synchronize to Azure AD as quickly as possible.

  Which command should you run? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Azure AD Connect synchronizes Active Directory to Azure Active Directory on a schedule. The minimum time between synchronizations is 30 minutes.

  If you want to synchronize changes to Active Directory without waiting for the next sync cycle, you can initiate a sync by using the Start-AdSyncSyncCycle. The Delta option synchronizes changes to Active Directory made since the last sync.

  The Full option synchronizes all Active Directory objects including those that have not changed.

  Reference:

  https://blogs.technet.microsoft.com/rmilne/2014/10/01/how-to-run-manual-dirsync-azure-active-directory-sync-updates/

• Question 63:

  HOTSPOT

  Your company has offices in several cities and 100,000 users.

  The network contains an Active Directory domain named contoso.com.

  You purchase Microsoft 365 and plan to deploy several Microsoft 365 services.

  You are evaluating the implementation of pass-through authentication and seamless SSO. Azure AD Connect will NOT be in staging mode.

  You need to identify the redundancy limits for the planned implementation.

  What should you identify? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Azure AD Connect can be active on only one server. You can install Azure AD Connect on another server for redundancy but the additional installation would need to be in Staging mode. An Azure AD connect installation in Staging mode is

  configured and ready to go but it needs to be manually switched to Active to perform directory synchronization.

  Azure authentication agents can be installed on as many servers as you like.

  Reference:

  https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-quick-start

• Question 64:

  HOTSPOT

  Your company has a Microsoft Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.

  

  The tenant includes a security group named Admin1. Admin1 will be used to manage administrative accounts. You need to identify which users can perform the following administrative tasks:

  1.

  Create guest user account

  2.

  Add User3 to Admin1

  Which users should you identify for each task? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  A User Administrator is the only role listed that can create user accounts included Guest user accounts. A Global Administrator can also create user accounts. A User Administrator is also the only role listed that can modify the group membership of users.

  Reference: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles

• Question 65:

  HOTSPOT

  Your company has a Microsoft 365 subscription that contains the users shown in the following table.

  

  You need to identify which users can perform the following administrative tasks:

  1.

  Modify the password protection policy.

  2.

  Create guest user accounts.

  Which users should you identify for each task? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Only a Global Admin can modify the password protection policy.

  A Global Admin or a user with the Guest Inviter role can create guest accounts.

  Reference:

  https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-operations

  Your network contains an on-premises Active Directory domain that is synced to Microsoft Azure Active Directory (Azure AD) as shown in the following two exhibits.

  

• Question 66:

  HOTSPOT

  

  You create a user named User1 in Active Directory as shown in the following exhibit.

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  The Azure AD Attributes page shows which attributes will be synchronized based on the Office 365 services you are using (Exchange, SharePoint etc). We can see that ExtenstionAttribute10 and ExtensionAttribute11 have been deselected.

  The Directory Extensions page shows which additional attributes will be synchronized (additional to the list in the Azure AD Attributes page).

  ExtensionAttribute1:

  Will be synchronized because it is ticked in the Azure AD Attributes page.

  ExtensionAttribute10.

  Will be synchronized because although it is unticked in the Azure AD Attributes page, it is added again in the Directory Extensions page.

  ExtensionAttribute11.

  Will not be synchronized because it is unticked in the Azure AD Attributes page and it is not added again in the Directory Extensions page.

  ExtensionAttribute12:

  Will be synchronized because it is ticked in the Azure AD Attributes page. It is also added again in the Directory Extensions page but this will have no effect as it is already ticked in the Azure AD Attributes page.

  Reference:

  https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-directory-extensions https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-custom

• Question 67:

  HOTSPOT

  Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Default permissions for guests are restrictive by default. Guests can be added to administrator roles, which grant them full read and write permissions contained in the role. There is one additional restriction available, the ability for guests to invite other guests. Setting Guests can invite to No prevents guests from inviting other guests.

  User1 is assigned the User Administrator role. Therefore, User1 can open the Azure portal, view users, create new users, and create new guest users.

  In the exhibit, the ‘Guest user permissions are limited’ is set to no. This means that guest users have the same permissions as members. However, the ‘Guests can invite’ setting is set to No. Therefore, other guest users (all guest users

  except User1) can open the Azure portal and view users in the same way as member users can.

  Reference:

  https://docs.microsoft.com/en-us/azure/active-directory/b2b/delegate-invitations

  https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions

• Question 68:

  HOTSPOT

  Your company has a hybrid deployment of Microsoft 365.

  An on-premises user named User1 is synced to Microsoft Azure Active Directory (Azure AD).

  Azure AD Connect is configured as shown in the following exhibit.

  

  Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  User1 cannot change her password from any Microsoft portals because Password Writeback is disabled in the Azure AD Connect configuration.

  If the password for User1 is changed in Active Directory, the password will be synchronized to Azure AD because Password Synchronization is enabled in the Azure AD Connect configuration.

  Reference:

  https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-custom

• Question 69:

  HOTSPOT

  You have a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com that includes a user named User1.

  You enable multi-factor authentication for contoso.com and configure the following two fraud alert settings:

  1.

  Set Allow users to submit fraud alerts: On

  2.

  Automatically block users who report fraud: On

  You need to instruct the users in your organization to use the fraud reporting features correctly.

  What should you tell the users to do? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Code to report fraud during initial greeting: When users receive a phone call to perform two-step verification, they normally press # to confirm their sign-in. To report fraud, the user enters a code before pressing #. This code is 0 by default,

  but you can customize it.

  Block user when fraud is reported: If a user reports fraud, their account is blocked for 90 days or until an administrator unblocks their account. An administrator can review sign-ins by using the sign-in report, and take appropriate action to

  prevent future fraud. An administrator can then unblock the user's account.

  Reference:

  https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#fraud-alert

  You have a Microsoft 365 subscription that contains a guest user named User1. User1 is assigned the User administrator role.

  You have a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com. Contoso.com is configured as shown in the following exhibit.

  

• Question 70:

  Your company has a Microsoft 365 subscription and a Microsoft Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.

  An external vendor has a Microsoft account that has a username of [email protected].

  You plan to provide [email protected] with access to several resources in the subscription.

  You need to add the external user account to contoso.onmicrosoft.com. The solution must ensure that the external vendor can authenticate by using [email protected].

  What should you do?

  A. From Azure Cloud Shell, run the New-AzureADUser cmdlet and specify -UserPrincipalName [email protected].

  B. From the Microsoft 365 admin center, add a contact, and then specify [email protected] as the email address.

  C. From the Azure portal, add a new guest user, and then specify [email protected] as the email address.

  D. From the Azure portal, add a custom domain name, and then create a new Azure AD user and use [email protected] as the username.

  Correct Answer: C

  You can invite guest users to the directory, to a group, or to an application. After you invite a user through any of these methods, the invited user's account is added to Azure Active Directory (Azure AD), with a user type of Guest. The guest

  user must then redeem their invitation to access resources. An invitation of a user does not expire.

  The invitation will include a link to create a Microsoft account. The user can then authenticate using their Microsoft account. In this question, the external vendor already has a Microsoft account ([email protected]) so he can authenticate

  using that.

  Reference:

  https://docs.microsoft.com/en-us/azure/active-directory/b2b/add-users-administrator