Azure AD and Microsoft 365 Quiz

Questions and Answers

Your network contains an on-premises Active Directory domain that syncs to an Azure Active Directory (Azure AD) tenant. Users sign in to computers that run Windows 10 and are joined to the domain. You plan to implement Azure AD Seamless Single Sign-On (Azure AD Seamless SSO). You need to configure the Windows 10 computers to support Azure AD Seamless SSO. What should you do?

  • Configure Sign-in options from the Settings app.
  • Enable Enterprise State Roaming.
  • Modify the Intranet Zone settings. (correct)
  • Install the Azure AD Connect Authentication Agent.

You have an Azure Active Directory (Azure AD) tenant that contains the following objects:

  • A device named Device1
  • Users named User1, User2, User3, User4, and User5
  • Groups named Group1, Group2, Group3, Group4, and Group5

The groups are configured as shown in the following table. To which groups can you assign a Microsoft Office 365 Enterprise E5 license directly?

  • Group1, Group2, Group3, Group4, and Group5
  • Group1, Group2, Group4, and Group5 only
  • Group1 and Group4 only
  • Group1 and Group2 only (correct)
  • Group1 only

You have a Microsoft Exchange organization that uses an SMTP address space of contoso.com. Several users use their contoso.com email address for self-service sign-up to Azure Active Directory (Azure AD). You gain global administrator privileges to the Azure AD tenant that contains the self-signed users. You need to prevent the users from creating user accounts in the contoso.com Azure AD tenant for self-service sign-up to Microsoft 365 services. Which PowerShell cmdlet should you run?

  • Set-MsolDomain
  • Set-MsolCompanySettings (correct)
  • Set-MsolDomainFederationSettings
  • Update-MsolFederatedDomain

You have a Microsoft 365 tenant that uses the domain named fabrikam.com. The Guest invite settings for Azure Active Directory (Azure AD) are configured as shown in the exhibit. (Click the Exhibit tab.) A user named [email protected] shares a Microsoft SharePoint Online document library to the users shown in the following table. Which users will be emailed a passcode?

User2 only (A)

You have 2,500 users who are assigned Microsoft Office 365 Enterprise E3 licenses. The licenses are assigned to individual users. From the Groups blade in the Azure Active Directory admin center, you assign Microsoft 365 Enterprise E5 licenses to the users. You need to remove the Office 365 Enterprise E3 licenses from the users by using the least amount of administrative effort. What should you use?

the Licenses blade in the Azure Active Directory admin center (D)

You have an Azure Active Directory (Azure AD) tenant named contoso.com. You plan to bulk invite Azure AD business-to-business (B2B) collaboration users. Which two parameters must you include when you create the bulk invite? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

redirection URL (A), email address (E)

You have an Azure Active Directory (Azure AD) tenant that contains the objects shown in the following table. Which objects can you add as members to Group3?

User2 only (E)

You have an on-premises Microsoft Exchange organization that uses an SMTP address space of contoso.com. You discover that users use their email address for self-service sign-up to Microsoft 365 services. You need to gain global administrator privileges to the Azure Active Directory (Azure AD) tenant that contains the self-signed users. Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

  • Sign in to the Microsoft 365 admin center.
  • Create a self-signed user account in the Azure AD tenant.
  • Create a TXT record in the contoso.com DNS zone.
  • Respond to the Become the admin message.
  • From the Microsoft 365 admin center, add the domain name.
  • From the Microsoft 365 admin center, remove the domain name.

You have an Azure Active Directory (Azure AD) tenant that contains a user named User1 and the groups shown in the following table. In the tenant, you create the groups shown in the following table. Which members can you add to GroupA and GroupB? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

GroupA:

  • User1 only
  • User1 and Group1 only
  • User1, Group1, and Group2 only
  • User1, Group1, Group2, and Group3 only
  • User1, Group1, Group2, Group3, and Group4

GroupB:

  • User1 only
  • User1 and Group4 only
  • User1, Group1, and Group4 only
  • User1, Group1, Group2, and Group4 only
  • User1, Group1, Group2, Group3, and Group4

Flashcards

Outbound Synchronization Rule

A setting in Azure AD Connect that lets you exclude certain users from being synchronized to Azure AD by using a specific attribute.

Self-Service Password Reset (SSPR)

A feature in Azure AD that allows users to reset their own passwords, either by using a mobile app, security questions, or a verification code. This eliminates the need for IT support to reset passwords, making the process more efficient.

Multi-Factor Authentication (MFA)

A type of authentication where the user provides a second factor, such as a PIN, biometric authentication, or a mobile app notification, in addition to their password, to verify their identity and grant access to resources.

Azure AD Identity Protection

An Azure service that protects users from unauthorized access by blocking sign-ins based on risk. It can detect risky login attempts based on factors like location, device, and password strength, and take actions like blocking the account, requiring MFA, or sending an alert.

Azure AD Password Protection

A setting in Azure AD that protects against weak passwords by enforcing password complexity and length requirements. It also blocks common passwords and patterns that are easily guessed.

Passwordless Authentication

A security feature that allows a user to access a device or application without entering their password. It uses biometric authentication, such as a fingerprint or facial recognition, or a PIN code to verify the user's identity.

Pass-Through Authentication

A type of authentication where users sign in to Azure AD by using their on-premises Active Directory credentials. The user's authentication is handled by the on-premises domain controllers, and Azure AD only verifies the user's identity.

Conditional Access Policies

A feature in Azure AD that allows users to access resources based on predefined conditions. These conditions can include factors like location, device type, or user risk. It allows you to control access to your resources by using policies.

Enterprise Application

A type of Azure AD object that represents a cloud-based application or service. It defines how users can access the application and what permissions they have within it.

Self-Service Account Sign-Up

A feature in Azure AD that allows users to create new accounts or access existing accounts in an Azure AD tenant without requiring an administrator to provision them. This simplifies the process for employees to access cloud resources.

Azure AD Connect

An on-premises server solution that allows users to authenticate to Active Directory by using their Active Directory credentials. This eliminates the need for users to remember separate passwords for on-premises and cloud resources.

Security Defaults

A set of security settings and policies that are automatically enabled in a new Azure tenant. It strengthens the security of your tenant by enforcing certain security measures like MFA, password complexity, and account lockout.

Passwordless Authentication

A feature that enables a user to access a device or application without entering their password. It uses a mobile app, biometric authentication, or a PIN, and prompts the user to approve the sign-in with a simple click or gesture.

Azure AD Group

A collection of user accounts in Azure AD that have similar permissions and roles. This makes it easier to manage access to resources by allowing you to assign permissions to a group instead of to individual users.

Azure AD Password Protection Proxy

A type of password protection that can be configured on an Active Directory domain to prevent users from using commonly used or weak passwords. It can also block specific patterns in passwords.

Azure AD Application Proxy

A feature that allows users to access on-premises resources through the cloud. It makes it easier for users to access these resources from remote locations without having to establish a VPN connection.

Azure AD Identity Protection

A feature that automatically checks incoming sign-ins for any activity that might indicate a risk. These risks can include unusual login times, locations, or devices or potentially compromised passwords. It can also track suspicious user activity and identify users who might be trying to access sensitive data.

Location Condition

A feature that allows you to control access to applications and resources based on user location. This helps prevent access from high-risk countries, ensuring the security of your data.

User Risk

A type of risk that is associated with a user account. This can occur when a user's credentials are compromised through a data breach, phishing attack, or malware infection.

Cloud App Security

A feature that allows you to track and manage the activities of users within a cloud application. This helps you monitor potential security risks and identify any suspicious behaviour within specific apps.

Account Lockout

A setting in Azure AD that automatically locks out accounts after repeated incorrect password attempts to prevent unauthorized access.

Session Control

A feature in Azure AD that lets you control the duration of a user's authentication session. This helps reduce the risk of unauthorized access if a user's device is compromised and allows you to control what resources are accessible during a specific time.

Block/Unblock Users

A feature in Azure AD that allows administrators to block access to a user's account as a security measure. This is used to prevent unauthorized access to sensitive information or to mitigate a potential security risk.

Atypical Travel

A type of risk that indicates a sign-in from a location that is unlikely for the user to be in, such as a foreign country or a location far outside of their usual working hours.

Client Apps Condition

A feature in Azure AD that lets you restrict access to resources based on the type of client that is being used to access the resource. This helps prevent access from unauthorized or insecure devices.

Network Policy Server (NPS)

A feature in Azure AD that allows you to track and identify the users and applications that are accessing your on-premises network through a VPN connection. This helps increase security by identifying suspicious activity and potential risks with VPN connections.

Malicious IP Address

A type of risk that indicates a sign-in from a location that is potentially compromised or known to be associated with malicious activity. This can include specific IP addresses, DNS servers, or locations.

Azure AD Administrative Unit

A feature in Azure AD that allows you to configure a group of users who have specific permissions and roles within Azure AD. It makes it easier to manage user access to Azure AD resources by applying permissions to a group instead of individual users.

Distribution Group

A feature in Azure AD that lets administrators create groups that are designed to be used as a distribution list for sending emails or distributing information, rather than providing access to resources.

Anonymous IP Address

A type of risk that indicates a sign-in from an anonymous IP address or a system or device that is unable to be identified. This can be a security concern as unauthorized users can access your resources without being identified.

Azure Monitor

A feature in Azure that allows you to track and manage the resources that are being accessed from your Azure tenant. This helps you monitor potential security risks and identify any suspicious behavior.

Session Control

A setting in Azure AD that lets you control the amount of time a user can stay authenticated to an Azure AD application. This helps reduce the risk of unauthorized access if a user's device is compromised.

Multi-Factor Authentication (MFA)

A type of authentication where the user provides two factors to verify their identity. This helps improve security by ensuring that the user is who they claim to be.

Access Review

A feature in Azure AD that allows administrators to review the permissions that have been assigned to users and applications within Azure AD. This helps ensure compliance and identify any potential security risks.

Azure AD Connect

A feature in Azure AD that enables you to synchronize your on-premises user accounts with Azure AD. This helps simplify user management, enabling users to access cloud resources with their existing on-premises credentials.

Conditional Access

A setting in Azure AD that lets you define a set of rules for managing access to Azure AD resources. These rules can include factors like location, device type, or user risk. This allows you to control access to your resources based on specific conditions.

Cloud App Discovery

A cloud app security feature that automatically identifies unmanaged cloud applications that are being accessed from your network. This provides insights into which unauthorized apps are being used, helping you improve security by identifying potential risks.

Conditional Access Policy

A feature in Azure AD that lets you create a rule to prevent specific users from accessing specific resources. This helps improve security by limiting access based on user roles or access levels.

App Password

A type of password that is used to access an application or resource, rather than signing in to a computer. It is often generated by an authenticator app and is typically used in combination with multi-factor authentication.

Azure AD Role Assignments

A feature in Azure AD that allows administrators to assign a specific role to a user or group within an Azure AD tenant. This grants the user or group specific permissions to manage resources within the tenant.

Study Notes

Question Set 1

  • Question 1: To configure Windows 10 computers to support Azure AD Seamless Single Sign-On (SSO), modify the Intranet Zone settings.

  • Question 2: Microsoft Office 365 Enterprise E5 licenses can be directly assigned to Group1 and Group2.

  • Question 3: Use the Set-MsolCompanySettings PowerShell cmdlet to prevent users from creating accounts in contoso.com Azure AD for self-service sign-up to Microsoft 365 services.

  • Question 4: Only users [email protected] will be sent a passcode since they are guests on the fabrikam.com network.

  • Question 5: Use the Licenses blade in the Azure Active Directory admin center to remove Office 365 Enterprise E3 licenses from users with the least administrative effort.

  • Question 6: User1 cannot access the enterprise application, User2 can access the enterprise application, and User3 can access the SharePoint site.

  • Question 7: When creating a bulk invite for Azure AD B2B collaboration users, include email addresses and redirection URLs.

  • Question 8: User2 and Group2 can be added as members in Group3.

  • Question 9: To take over global administrator privileges, first sign into the Microsoft 365 admin center, create a self-signed user account, add the domain name, respond to the Become the admin message, and then create a TXT record in the contoso.com DNS zone.

  • Question 10:
    • GroupA: User1 only
    • GroupB: User1 and Group1 only

Question Set 2

  • Question 1:
    • To enable MFA when accessing cloud apps, configure the Conditions settings.
    • To enable authentication every eight hours, configure the Sessions settings in your Azure AD conditional access policy.

  • Question 2:
    • Use Microsoft Cloud App Security to receive an alert if a registered application gains read and write access to user email.

  • Question 3:
    • Configure a conditional access policy that has session controls enabled to manage access to Microsoft 365 resources.

  • Question 4:
    • Users can use a verification code from the Microsoft Authenticator app (or a voice call) when working remotely without a Wi-Fi or mobile phone connection.

  • Question 5:
    • Enable Security Defaults first to control access to Microsoft 365 resources through conditional access policies.

  • Question 6:
    • Use FIDO2 tokens to require MFA for call center users accessing Microsoft 365 services.

  • Question 7:
    • Use a Client apps condition in an Azure AD conditional access policy to prevent legacy authentications.

  • Question 8:
    • Leaked credentials is a user risk detection type.

  • Question 9:
    • Create an Azure AD conditional access policy with session controls to prevent users from downloading or syncing SharePoint files on their user-owned computers.

  • Question 10:
    • Implement Azure AD Application Proxy on a separate server if domain controllers are internet-restricted to achieve high availability of pass-through authentication.

  • Question 11:
    • To ensure users can connect to Service1 without being prompted for authentication from Azure AD-joined computers, publish App1 to Azure AD.

Question Set 3

  • Question 1:
    1. Configure the authentication methods to use a mobile app notification and security questions for self-service password resets.
    2. Ensure that password hash synchronization is enabled in Azure AD Connect, to ensure passwords are synced between the Azure AD tenant and the on-premises domain, regardless of where the password was reset.

  • Question 2:
    • Implement Microsoft Cloud App Security and use an app discovery policy to receive alerts when registered apps gain elevated (read/write email) access.

  • Question 3:
    • Use Cloud App Discovery in Microsoft Cloud App Security to achieve this.

Question Set 4

  • Question 1:
    • Configure terms of use to ensure only users who accept the terms can use resources.

  • Question 2:
    • Group1, Group2, Group4, and Group5 support access reviews; device groups do not.

  • Question 3:
    • Only User1 can perform access reviews for User3 in Azure AD.

  • Question 4:
    • Multi-Factor Authentication (MFA): A user must perform MFA every 8 hours to access the User administrator role.
    • Approval for Activation: A global administrator or a privileged role administrator must approve the activation before a user who isn't already in the role can perform a task.

  • Question 5:
    • November 20, 2020: User1 can accept terms on Device1.
    • December 11, 2020: User1 can't accept terms on Device2.
    • December 7, 2020: User1 can't accept terms on Device3.

  • Question 6:
    • Set the Assignment type to "Eligible" for the Security administrator role in PIM.
