Microsoft Microsoft Certifications MS-100 Questions & Answers

• Question 71:

  Your network contains an on-premises Active Directory domain.

  You have a Microsoft 365 subscription.

  You implement a directory synchronization solution that uses pass-through authentication.

  You configure Microsoft Azure Active Directory (Azure AD) smart lockout as shown in the following exhibit.

  

  You discover that Active Directory users can use the passwords in the custom banned passwords list.

  You need to ensure that banned passwords are effective for all users.

  Which three actions should you perform? Each correct answer presents part of the solution.

  NOTE: Each correct selection is worth one point.

  A. From a domain controller, install the Azure AD Password Protection Proxy.

  B. From a domain controller, install the Microsoft AAD Application Proxy connector.

  C. From Custom banned passwords, modify the Enforce custom list setting.

  D. From Password protection for Windows Server Active Directory, modify the Mode setting.

  E. From all the domain controllers, install the Azure AD Password Protection DC Agent.

  F. From Active Directory, modify the Default Domain Policy.

  Correct Answer: ADE

  Azure AD password protection is a feature that enhances password policies in an organization. On-premises deployment of password protection uses both the global and custom banned-password lists that are stored in Azure AD. It does the same checks on-premises as Azure AD does for cloud-based changes. These checks are performed during password changes and password reset scenarios.

  You need to install the Azure AD Password Protection Proxy on a domain controller and install the Azure AD Password Protection DC Agent on all domain controllers. When the proxy and agent are installed and configured, Azure AD password protection will work.

  In the exhibit, the password protection is configured in Audit mode. This is used for testing. To enforce the configured policy, you need to set the password protection setting to Enforced.

  Reference:

  https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy

  https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises

• Question 72:

  You have a Microsoft Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.

  An external user has a Microsoft account that uses an email address of [email protected].

  An administrator named Admin1 attempts to create a user account for the external user and receives the error message shown in the following exhibit.

  

  You need to ensure that Admin1 can add the user.

  What should you do from the Azure Active Directory admin center?

  A. Add a custom domain name named outlook.com.

  B. Modify the Authentication methods.

  C. Modify the External collaboration settings.

  D. Assign Admin1 the Security administrator role.

  Correct Answer: C

  In the External Collaboration settings, you can set the following invitation policies:

  1.

  Turn off invitations

  2.

  Only admins and users in the Guest Inviter role can invite

  3.

  Admins, the Guest Inviter role, and members can invite

  4.

  All users, including guests, can invite

  In this question, an Admin user is unable to invite the guest user. This suggests that invitations are turned off altogether.

  Reference:

  https://docs.microsoft.com/en-us/azure/active-directory/b2b/delegate-invitations

• Question 73:

  You have a Microsoft 365 subscription that contains several Microsoft SharePoint Online sites.

  You discover that users from your company can invite external users to access files on the SharePoint sites.

  You need to ensure that the company users can invite only authenticated guest users to the sites.

  What should you do?

  A. From the Microsoft 365 admin center, configure a partner relationship.

  B. From SharePoint Online Management Shell, run the Set-SPOSite cmdlet.

  C. From the Azure Active Directory admin center, configure a conditional access policy.

  D. From the SharePoint admin center, configure the sharing settings.

  Correct Answer: D

  You need to set the Sharing settings to `Existing Guests'. This setting allows sharing only with guests who are already in your directory. These guests may exist in your directory because they previously accepted sharing invitations or because they were manually added.

  Reference: https://docs.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off

• Question 74:

  Your network contains an on-premises Active Directory domain. The domain contains 2,000 computers that run Windows 10.

  You purchase a Microsoft 365 subscription.

  You implement password hash synchronization and Azure Active Directory (Azure AD) Seamless Single Sign-On (Seamless SSO).

  You need to ensure that users can use Seamless SSO from the Windows 10 computers.

  What should you do?

  A. Create a conditional access policy in Azure AD.

  B. Deploy an Azure AD Connect staging server.

  C. Join the computers to Azure AD.

  D. Modify the Intranet zone settings by using Group Policy

  Correct Answer: D

  Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start

• Question 75:

  You need to meet the security requirement for the vendors. What should you do?

  A. From the Azure portal, modify the authentication methods.

  B. From Azure Cloud Shell, run the New-AzureADMSInvitation and specify the -InvitedIserEmailAddress cmdlet.

  C. From Azure Cloud Shell, run the Set-MsolUserPrincipalNameand specify the -tenantIDparameter.

  D. From the Azure portal, add an identity provider.

  Correct Answer: B

  Vendors must be able to authenticate by using their Microsoft account when accessing Contoso resources.

  You can invite guest users to the directory, to a group, or to an application. After you invite a user through any of these methods, the invited user's account is added to Azure Active Directory (Azure AD), with a user type of Guest. The guest

  user must then redeem their invitation to access resources. An invitation of a user does not expire.

  The invitation will include a link to create a Microsoft account. The user can then authenticate using their Microsoft account. In this question, the vendors already have Microsoft accounts so they can authenticate using them.

  In this solution, we are creating guest account invitations by using the New-AzureADMSInvitationcmdlet and specifying the –InvitedUserEmailAddressparameter.

  Note:

  There are several versions of this question in the exam. The question has two possible correct answers:

  1.

  From the Azure portal, create guest accounts.

  2.

  From Azure Cloud Shell, run the New-AzureADMSInvitationcmdlet and specify the –InvitedUserEmailAddress parameter. Other incorrect answer options you may see on the exam include the following:

  1.

  From the Azure portal, modify the authentication methods.

  2.

  From the Azure portal, add an identity provider.

  Reference: https://docs.microsoft.com/en-us/azure/active-directory/b2b/add-users-administrator

  https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureadmsinvitation?view=azureadps-2.0

• Question 76:

  You need to meet the security requirement for the vendors.

  What should you do?

  A. From Azure Cloud Shell, run the Set-MsolUserPrincipalName and specify the -tenantID parameter.

  B. From Azure Cloud Shell, run the Set-AzureADUserExtension cmdlet.

  C. Azure Cloud Shell, run the New-AzureADUser cmdlet and specify the-UserPrincipalName parameter.

  D. From Azure Cloud Shell, run the New-AzureADMSInvitation cmdlet and specify the -InvitedUserEmailAddress parameter.

  Correct Answer: D

  Vendors must be able to authenticate by using their Microsoft account when accessing Contoso resources.

  You can invite guest users to the directory, to a group, or to an application. After you invite a user through any of these methods, the invited user's account is added to Azure Active Directory (Azure AD), with a user type of Guest. The guest

  user must then redeem their invitation to access resources. An invitation of a user does not expire.

  The invitation will include a link to create a Microsoft account. The user can then authenticate using their Microsoft account. In this question,the vendors already have Microsoft accounts so they can authenticate using them.

  In this solution, we are creating guest account invitations by using the New-AzureADMSInvitation cmdlet and specifying the -InvitedUserEmailAddress parameter.

  Note:

  There are several versions of this question in the exam. The question has two possible correct answers:

  1.

  From the Azure portal, create guest accounts.

  2.

  From Azure Cloud Shell, run the New-AzureADMSInvitation cmdlet and specify the ?€andquot;InvitedUserEmailAddress parameter.

  Other incorrect answer options you may see on the exam include the following:

  1.

  From the Azure portal, modify the authentication methods.

  2.

  From the Azure portal, add an identity provider.

  Reference: https://docs.microsoft.com/en-us/azure/active-directory/b2b/add-users-administrator https://docs.microsoft.com/enus/powershell/module/azuread/new-azureadmsinvitation?view=azureadps-2.0

• Question 77:

  You need to assign User2 the required roles to meet the security requirements and the technical requirements. To which two roles should you assign User2? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

  A. the Exchange View-only Organization Management role

  B. the Microsoft 365 Records Management role

  C. the Exchange Online Help Desk role

  D. the Microsoft 365 Security Reader role

  E. the Exchange Online Compliance Management role

  Correct Answer: DE

  User2 must be able to view reports and schedule the email delivery of security and compliance reports.

  The Security Reader role can view reports but not schedule the email delivery of security and compliance reports.

  The Exchange Online Compliance Management role can schedule the email delivery of security and compliance reports.

  Reference:

  https://docs.microsoft.com/en-us/exchange/permissions-exo/permissions-exo

• Question 78:

  To which Azure AD role should you add User4 to meet the security requirement?

  A. Password administrator

  B. Global administrator

  C. Security administrator

  D. Privileged role administrator

  Correct Answer: B

  User4 must be able to reset User3 password.

  User3 is assigned the Customer Lockbox Access Approver role. Only global admins can reset the passwords of people assigned to this role as it's considered a privileged role.

  Reference:

  https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Customer-Lockbox-Approver-Role-Now-Available/ba-p/223393

• Question 79:

  You need to meet the security requirement for Group1. What should you do?

  A. Configure all users to sign in by using multi-factor authentication.

  B. Modify the properties of Group1.

  C. Assign Group1 a management role.

  D. Modify the Password reset properties of the Azure AD tenant.

  Correct Answer: D

  The members of Group1 must be required to answer a security question before changing their password.

  If SSPR (Self Service Password Reset) is enabled, you must select at least one of the following options for the authentication methods. Sometimes you hear these options referred to as "gates."

  1.

  Mobile app notification

  2.

  Mobile app code

  3.

  Email

  4.

  Mobile phone

  5.

  Office phone

  6.

  Security questions

  You can specify the required authentication methods in the Password reset properties of the Azure AD tenant. In this case, you should set the required authentication method to be ‘Security questions’.

  References:

  https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks

• Question 80:

  You need to meet the security requirement for the vendors. What should you do?

  A. From the Azure portal, add an identity provider.

  B. From Azure Cloud Shell, run the New-AzureADUser cmdlet and specify the -UserPrincipalName parameter.

  C. From the Azure portal, create guest accounts.

  D. From Azure Cloud Shell, run the New-AzureADUser cmdlet and specify the -UserType parameter.

  Correct Answer: C

  Vendors must be able to authenticate by using their Microsoft account when accessing Contoso resources.

  You can invite guest users to the directory, to a group, or to an application. After you invite a user through any of these methods, the invited user's account is added to Azure Active Directory (Azure AD), with a user type of Guest. The guest

  user must then redeem their invitation to access resources. An invitation of a user does not expire.

  The invitation will include a link to create a Microsoft account. The user can then authenticate using their Microsoft account. In this question, the vendors already have Microsoft accounts so they can authenticate using them.

  Reference:

  https://docs.microsoft.com/en-us/azure/active-directory/b2b/add-users-administrator