Implement and Manage Identity and Access - Questions Flashcards Preview

MS-500 M365 Security Administrator Associate > Implement and Manage Identity and Access - Questions > Flashcards

Flashcards in Implement and Manage Identity and Access - Questions Deck (29)

Which authentication method must be enabled to utilize Premium AD features like Identity Protection?
-> Password Hash Synchronization (PHS)
-> Pass-through authentication (PTA)
-> Federation (AD FS)

Password Hash Synchronization (PHS)


Azure AD Connect Sync was installed using Express settings, or the default authentication settings. Password hash synchronization will be disabled by default.
-> True
-> False



You received an unhealthy Identity Synchronization error notification via email. Which of the following is a potential cause?
-> Demo/trial license for Azure AD expired
-> Duplicate users found in sync
-> Password hash synchronization not enabled
-> Password write back not enabled

Demo/trial license for Azure AD expired


Self-service password reset can be configured for one or multiple security groups?
-> True
-> False



To create an Accounting group that has automatic membership in Azure AD, you must select ____ for membership type, then set Property to _______ and value to equals _________.

-> Dynamic User
-> Dept
-> Accounting


The owner of the Pride Month committee group is the current chair of the committee. They're about to welcome the incoming chair and would like that incoming chair to review the membership of their Azure AD group during their first month. What solution would be appropriate to configure?

Assign the incoming chair a new one-time access review beginning their first day.


You need to make sure users connecting to the company's O365 environment while outside the main office are required to use MFA. What will you create to ensure this?
-> A compliance policy
-> A user risk policy
-> A sign-in risk policy
-> A conditional access policy

A Conditional Access Policy


Your office has four branches. Their IP addresses and ranges are as follows:
NY: /24
San Fran: /16
Miami: /24
Kansas City: /24
How would you go about creating an MFA policy that doesn't require Kansas City to use MFA when connecting from IP addresses in their range but requires everyone else to do so?

Add /24 as a trusted IP and exclude it in the policy requiring MFA


In order to prevent access by users signing in from non-compliant devices, what must you first have configured?

A Compliance Policy


What should you create in order to restrict users from accessing company resources when they're not connecting from the main office network? Select all that could work.
-> A trusted IP & compliance policy
-> A named location and a conditional access policy
-> A trusted IP and a conditional access policy
-> A named location and a compliance policy

A named location and a conditional access policy
A trusted IP and a conditional access policy


Before users' access to company data via VPN can be restricted, what must first be done?
-> Add VPN server as a cloud app in your conditional access policy
-> Deploy a certificate to your VPN server
-> Download a certificate from Azure AD
-> Create a certificate in Azure AD

Create a certificate in Azure AD


Which of the following is not an RBAC security principal?
-> User
-> Group
-> Managed Identity
-> Subscription



A user has both an allow and deny assignment in RBAC. Which one overrides the other if they conflict on a particular allowance?
-> The allow assignment overrides
-> The deny assignment overrides

The deny assignment overrides


Which PowerShell command is used to make new RBAC role assignments for a user?
-> New-AZRoleAssignment
-> Assign-AzRoleAssignment
-> New-RBACRoleAssignment



Your CIO requests that anybody given the Exchange Admin role has a maximum assignment to that role of 30 days before they must request an extension or the role expires until requested for activation again. Which solution can you use here (assuming an EMS E5 license)?
-> Azure AD Identity Protection
-> Azure AD Privileged Identity Mgmt
-> Azure AD Audit logs
-> Azure AD Role Administration Center

Azure AD Privileged Identity Management


You need to make it easy for people to get temporary access to admin capabilities without assigning them a permanent active role. What should you do to accomplish this?
-> Make the user active for a role for a specific time period.
-> Make the user eligible for a role
-> Review your activation requests
-> Initiate a round of access reviews

Make the user eligible for a role


Which node of PIM allows you to extend role assignments for users?
-> Access reviews
-> My roles
-> Approve requests
-> Assignments



A manager asks to be included on Identity Protection email alerts that go out for high-risk events. What do you need to do first?
-> Make sure the manager is licensed to access Azure AD Identity Protection
-> Add the manager's email address as an additional recipient for high-risk alerts

Make sure the manager is licensed to access Azure AD Identity Protection


Which Azure AD Identity Protection policy allows for requiring a user to change his or her password once identified as a risky user?
-> User Risk Policy
-> Sign-In Risk Policy
-> Conditional Access Policy
-> Compliance Policy

User Risk Policy


Which of the following is not one of the identity methods available with Azure AD?
-> Pass-through authentication
-> Federation
-> MFA
-> Password hash sync

Multi-Factor Authentication
MFA is a secure authentication method as opposed to an identity method.


Which of the following tools could you use to assess your organization's readiness to synchronize their Active Directory to Azure AD?
-> The Remote Connectivity Analyzer tool
-> The IdFix tool
-> The OffCAT tool
-> Synchronization Service Manager

The IdFix tool
IdFix is a tool that scans AD and identifies any objects with attributes that are incompatible with O365 or that would result in a conflict or duplicate object.


With password hash sync, users will always authenticate to on-premises AD when logging onto Azure AD.
-> True
-> False

Password Hash Sync (PHS) provides the same sign-on experience, where users are authenticated directly to O365/Azure AD


Which of the following M365 licenses allow users to use SSPR (choose two)?
-> Azure AD Premium P2
-> Intune
-> Azure Information Protection P1
-> Azure AD Premium P1

Azure AD Premium P1
Azure AD Premium P1 is the minimum subscription requirement for Self-Service Password Reset (SSPR). It is also available with Azure AD P2.


Which of the following PowerShell commands could you use to run a full Azure AD Connect sync manually?
-> Start-ADSyncSyncCycle -PolicyType Initial
-> Start-ADSyncSyncCycle -PolicyType Delta
-> Start-ADSyncSyncCycle -PolicyType Full
-> Start-ADSyncSyncCycle -PolicyType Immediate

Start-ADSyncSyncCycle -PolicyType Initial

Start-ADSyncSyncCycle -PolicyType Delta will run a delta/incremental sync.


Conditional Access is a feature of Azure AD Premium designed to give M365 admins control over user and device access requests to services and applications within Azure AD, and to apply actions based on certain conditions.
-> True
-> False



What is the maximum number of authentication agents that can be configured in Azure AD for pass-through authentication?
-> 5
-> 10
-> 30
-> 40



How frequently does Azure AD Connect automatically sync on-prem AD changes to Azure AD?
-> Every 20 minutes
-> Once an hour
-> Every 30 minutes
-> Every 15 minutes

Every 30 minutes


Which of the following methods can be used to authenticate users to Azure AD with MFA?
-> Code with the Microsoft Authenticator App
-> SMS messages to mobile device
-> Security questions
-> Email Address

Code with the Microsoft Authenticator App
SMS message to mobile device


When deploying federation with AD FS, what is the minimum number of Web Application Proxy servers you should configure on your perimeter network?
-> 5
-> 2
-> 3
-> 7

Two Web Application Proxy servers are the minimum recommended requirement as per Microsoft best practice guidelines.