Flashcards in Implement and Manage Identity and Access - Questions Deck (29)
Which authentication method must be enabled to utilize Premium AD features like Identity Protection?
-> Password Hash Synchronization (PHS)
-> Pass-through authentication (PTA)
-> Federation (AD FS)
Password Hash Synchronization (PHS)
Azure AD Connect Sync was installed using Express settings, or the default authentication settings. Password hash synchronization will be disabled by default
You received an unhealthy Identity Synchronization error notification via email. Which of the following is a potential cause?
-> Demo/trial license for Azure AD expired
-> Duplicate users found in sync
-> Password hash synchronization not enabled
-> Password write back not enabled
Demo/trial license for Azure AD expired
Self-service password reset can be configured for one or multiple security groups?
To create an Accounting group that has automatic membership in Azure AD, you must select ____ for membership type, then set Property to _______ and value to equals _________.
-> Dynamic User
The owner of the Pride Month committee group is the current chair of the committee. They're about to welcome the incoming chair and would like that incoming chair to review the membership of their Azure AD group during their first month. What solution would be appropriate to configure?
Assign the incoming chair a new one-time access review beginning their first day.
You need to make sure users connecting to the company's O365 environment while outside the main office are required to use MFA. What will you create to ensure this?
-> A compliance policy
-> A user risk policy
-> A sign-in risk policy
-> A conditional access policy
A Conditional Access Policy
Your office has four branches. Their IP addresses and ranges are as follows:
NY: 192.0.2.0/24
San Fran: 192.168.0.0/16
Miami: 198.51.100.0/24
Kansas City: 203.0.113.0/24
How would you go about creating an MFA policy that doesn't require Kansas City to use MFA when connecting from IP addresses in their range but requires everyone else to do so?
Add 203.0.113.0/24 as a trusted IP and exclude it in the policy requiring MFA
In order to prevent access to users signing in from non-compliant devices, you must first have configured what?
A Compliance Policy
What should you create in order to restrict users from accessing company resources when they're not connecting from the main office network? Select all that could work.
-> A trusted IP & compliance policy
-> A named location and a conditional access policy
-> A trusted IP and a conditional access policy
-> A named location and a compliance policy
A named location and a conditional policy
A trusted IP and a conditional access policy
Before users' access to company data via VPN can be restricted, what must first be done?
-> Add VPN server as a cloud app in your conditional access policy
-> Deploy a certificate to your VPN server
-> Download a certificate from Azure AD
-> Create a certificate in Azure AD
Create a certificate in Azure AD
Which of the following is not an RBAC security principal?
-> Managed Identity
A user has both an allow and deny assignment in RBAC. Which one overrides the other if they conflict on a particular allowance?
-> The allow assignment overrides
-> The deny assignment overrides
The deny assignment overrides
Which PowerShell command is used to make new RBAC role assignments for a user?
Your CIO requests that anybody given the Exchange Admin role has a maximum assignment to that role of 30 days before they must request an extension or the role expires until requested for activation again. Which solution can you use here (assuming an EMS E5 license)?
-> Azure AD Identity Protection
-> Azure AD Privileged Identity Mgmt
-> Azure AD Audit logs
-> Azure AD Role Administration Center
Azure AD Privileged Identity Management
You need to make it easy for people to get temporary access to admin capabilities without assigning them a permanent active role. What should you do to accomplish this?
-> Make the user active for a role for a specific time period.
-> Make the user eligible for a role
-> Review your activation requests
-> Initiate a round of access reviews
Make the user eligible for a role
Which node of PIM allows you to extend role assignments for users?
-> Access reviews
-> My roles
-> Approve requests
A manager asks to be included on Identity Protection email alerts that go out for high-risk events. What do you need to do first?
-> Make sure the manager is licensed to access Azure AD Identity Protection
-> Add the manager's email address as an additional recipient for high-risk alerts
Make sure the manager is licensed to access Azure AD Identity Protection
Which Azure AD Identity Protection policy allows for requiring a user to change his or her password once identified as a risky user?
-> User Risk Policy
-> Sign-In Risk Policy
-> Conditional Access Policy
-> Compliance Policy
User Risk Policy
Which of the following is not one of the identity methods available with Azure AD?
-> Pass-through authentication
-> Password hash sync
MFA is a secure authentication method as opposed to an identity method.
Which of the following tools could you use to assess your organization's readiness to synchronize their Active Directory to Azure AD?
-> The Remote Connectivity Analyzer tool
-> The IdFix tool
-> The OffCAT tool
-> Synchronization Service Manager
The IdFix tool
IdFix is a tool that scans AD and identifies any objects with attributes that are incompatible with O365 or that would result in a conflict or duplicate object.
With password hash sync, users will always authenticate to on-premises AD when logging onto Azure AD.
Password Hash Sync (PHS) provides the same sign-on experience, where users are authenticated directly to O365/Azure AD
Which of the following M365 licenses allow users to use SSPR (choose two)?
-> Azure AD Premium P2
-> Azure Information Protection P1
-> Azure AD Premium P1
Azure AD Premium P1
Azure AD Premium P1 is the minimum subscription requirement for Self-Service Password Reset (SSPR). It is also available with Azure AD P2.
Which of the following PowerShell commands could you use to run a full Azure AD Connect sync manually?
-> Start-ADSyncSyncCycle -PolicyType Initial
-> Start-ADSyncSyncCycle -PolicyType Delta
-> Start-ADSyncSyncCycle -PolicyType Full
-> Start-ADSyncSyncCycle -PolicyType Immediate
Start-ADSyncSyncCycle -PolicyType Initial
Start-ADSyncSyncCycle -PolicyType Delta
-> command will run a delta/incremental sync
Conditional Access is a feature of Azure AD Premium designed to give M365 admins control over user and device access requests to services and applications within Azure AD and to apply actions based on certain conditions.
What is the maximum number of authentication agents that can be configured in Azure AD for pass-through authentication?
How frequently does Azure AD Connect automatically sync on-prem AD changes to Azure AD?
-> Every 20 minutes
-> Once an hour
-> Every 30 minutes
-> Every 15 minutes
Every 30 minutes
Which of the following methods can be used to authenticate users to Azure AD with MFA?
-> Code with the Microsoft Authenticator App
-> SMS messages to mobile device
-> Security questions
-> Email Address
-> Code with the Microsoft Authenticator App
-> SMS message to mobile device