Manage authentication by using Microsoft Entra ID

Question 1

Microsoft Entra authentication includes the following components

Answer 1

Self service password reset
Microsoft Entra multifactor authentication
Hybrid integration to write password changed back to on premises environment
Hybrid integration to enforce password protection policies for an on premises environment
Passwordless authentication

Question 2

T or F

Microsoft Entra ID helps to protect a users identity and simplify their sign in experience

Answer 2

True

Question 3

Self - service

Answer 3

Allows password reset through a web browser

Question 4

Microsoft Entra multifactor authentication

Answer 4

additional form of authentication

ex. mobile app notification
phone call
text message

Question 5

Passwordless authentication

Answer 5

security keys to sign in without the need for passwords

Question 6

Self service password reset

Answer 6

password change
password reset
account lock

Question 7

Mutilfactor authentication available for Microsoft Entra

Answer 7

Account lockout

Block/ unblock users

Report suspicious activity

notifications

open authorization tokens (OATH)

Phone call settings

providers

Question 8

Account lockout

Answer 8

specify how many failed attempts

the lockout is only applied when a PIN code is entered for MFA

Question 9

Block / unblock users

Answer 9

block MFA attempts - if device is stolen/lost

block last for 90 days

unblock users if fit

Question 10

Where can you view suspicious activity events

Answer 10

in the audit logs and risk detection reports

Question 11

Report suspicious activity and fraud alert

Answer 11

If Fraud Alert is enabled with Automatic Blocking and Report Suspicious Activity is enabled, the user will be added to the blocklist and set as high-risk and in-scope for any other policies configured

Question 12

OATH tokens

Answer 12

Microsoft Entra ID supports the use of OATH TOTP (Time-based One Time Password) SHA-1 tokens that refresh codes every 30 or 60 seconds

Question 13

OATH TOTP

Answer 13

hardware tokens typically come with a secret key, or seed, pre-programmed in the token

Question 14

Passwordless authentication options

Answer 14

Microsoft Authenticator
FIDO2- compliant security keys
Windows Hello for Business

Question 15

What devices would be best for Microsoft Authenticator

Answer 15

Shared devices
Kiosks

Question 16

What devices would be best for FIDO2 compliant security keys

Answer 16

Dedicated non-windows devices
Dedicated windows 10 computers
Kiosks and shared computers

Question 17

What devices would be best for Windows Hello for Business

Answer 17

Dedicated Windows 10 computers

Question 18

T or F

When you deploy passwordless authentication you should first enable one or more pilot groups

Answer 18

True

Question 19

Your communications to end users should include

Answer 19

Guidance on combined registration for both Microsoft Entra multifactor authentication and self-service password reset (SSPR)

Downloading Microsoft Authenticator

Registering in Microsoft Authenticator

Signing in with your phone

Question 20

T or F
Microsoft Authenticator turns any iOS or Android phone into a strong, password less credential

Answer 20

True

Question 21

T or F

Microsoft Entra logs registration of security keys and the Authenticator app, and any other changes to the authentication methods

Answer 21

True

Question 22

Active Directory Federation Services (AD FS) Integration

Answer 22

directed here if user chooses “use your password instead”

Question 23

Device registration

Answer 23

to used the authenticator app for password less authentication, the device needs to be registered in the Microsoft Entra tenant and cannot be a shared device

Question 24

3 types of passwordless sign in deployments available with security keys

Answer 24

Microsoft Entra web apps on a supported browser

Microsoft Entra joined Windows 10 devices

Microsoft Entra hybrid joined Windows 10 devices

Question 25

For Microsoft Entra web apps and Microsoft Entra joined Windows devices, use:

Answer 25

Windows 10 version 1809 or higher using a supported browser like Microsoft Edge or Mozilla Firefox (version 67 or higher).

Question 26

For hybrid Microsoft Entra domain joined devices, use:

Answer 26

Windows 10 version 2004 or later.
Fully patched domain servers running Windows Server 2016 or 2019.
Latest version of Microsoft Entra Connect.

Question 27

How can you restrict keys

Answer 27

Authenticator Attestation GUID (AAGUID)

Question 28

T or F

Microsoft Entra Password Protection detects and blocks known weak passwords and their variants, and can also block weak terms that are specific to your organization

Answer 28

true

Question 29

t or f

On-premises deployment of Microsoft Entra Password Protection uses the same global and custom banned password lists that are stored in Microsoft Entra ID, and does the same checks for on-premises password changes as Microsoft Entra ID does for cloud-based changes

Answer 29

true

Question 30

Domain Controllers (DCs)

Answer 30

never communicate directly with the internet

Question 31

T or F

Microsoft Entra Password Protection supports incremental deployment across DCs in a Microsoft Entra ID domain

Answer 31

True

Question 32

When can the Microsoft Entra Password Protection DC agent software validate passwords?

Answer 32

When it’s installed on a DC and only for password changes that are sent to that DC

Question 33

How to guarantee consistent behavior and universal Microsoft Entra Password Protection?

Answer 33

DC agent software must be installed on all DCs in a domain

Question 34

T or F

Partial deployments aren’t secure and aren’t recommended for DC agent software

Answer 34

True.

partial deployment should only occur for testing purposes

Question 35

What does The Microsoft Entra Password Protection Proxy service run on

Answer 35

any domain joined machine in the current Microsoft Entra ID forest

Question 36

What is the services primary purpose for Microsoft entry Password Protection Proxy?

Answer 36

to forward password policy download requests from DCs to Microsoft Entra ID and then return the responses from Microsoft Entra ID to the DC

Question 37

Where does the password filter DLL of the DC Agent receive user password validation request from

Answer 37

The OS and then the filter forwards them to the DC agent service that is running locally on the DC

Question 38

How does the DC agent service handle password validation requests?

Answer 38

processes them by using the current password policy and returns the result pass or fail

Question 39

How often does the DC Agent service check the age of the current policy

Answer 39

hourly

Question 40

What are Microsoft Entra Password Protection policies a combination of?

Answer 40

Microsoft global banned password list and. the per-tenant custom based password list

Question 41

What does the DC Agent never listen on?

Answer 41

a network available port

Question 42

T or F

The proxy service is stateless

Answer 42

True

it never caches policies or any other state downloaded from Azure

Question 43

what happens if their is no password policy available on the local DC?

Answer 43

the password is automatically accepted and an event message is logged to warn the administrator

Question 44

T or F

there can be a delay between password policy configuration change

Answer 44

true

Question 45

t or f

Microsoft Entra Password Protection acts as a supplement to existing Microsoft entra ID policies, not a replacement

Answer 45

true

Question 46

Microsoft Entra ID creates a certificate that is by default valid for how many years

Answer 46

3

Question 47

where can you change the certificate duration?

Answer 47

in the microsoft entry admin center

Question 48

When you enable federation on SAML application, Microsoft Entra ID does what?

Answer 48

Creates a certificate that is by default valid for 3 years

Question 49

T or F

Communication is critical to the success of any new service

Answer 49

True

Make sure you were letting your users know that a change is coming, when it has arrived, and what to do now

Question 50

SAML

Answer 50

Security Assertion Markup Language

Question 51

T or F

SSO for pre integrated enterprise applications are free

Answer 51

True

Question 52

T or F

Objects in your directory and features may require specific licenses

Answer 52

True

Question 53

Shared accounts - SSO

Answer 53

create a security group for each combination of user set and credentials

Question 54

T or F

Choosing a SSO method depends on how the application is configured for authentication

Answer 54

True

Question 55

Options for cloud applications to use SSO

Answer 55

OpenID Connect
OAuth
SAML
password-based
Linked

Question 56

Can SSO be disabled?

Answer 56

yes

Question 57

Options for on premises applications for SSO

Answer 57

password based
Integrated Windows Authentication
header-based
linked

Question 58

OpenID Connect and OAuth

Answer 58

if the application supports it

Question 59

SAML

Answer 59

when possible for apps that dont use OpenID Connect or OAuth

Question 60

Password-based

Answer 60

when the application has an HTML sign in page.

password based is also known as password vaulting

Question 61

Linked

Answer 61

choose linked when the application is configured for SSO in another identity provider service

Question 62

Disabled

Answer 62

choose disabled SSO when the application isn’t ready to be configured for SSO

Question 63

Integrated Windows Authentication (IWA)

Answer 63

for apps that uses IWA or claims aware applications

Question 64

Header based

Answer 64

for when the app uses headers for authentication

Question 65

T or F

You can integrate your cloud enabled SaaS applications with Microsoft Entra ID

Answer 65

True

Question 66

Cloud enabled SaaS providers

Answer 66

Atlassian Cloud
ServiceNow
Slack
SuccessFactors
Workday

Question 67

Cloud Integrations

Answer 67

AWS
Alibaba Cloud (role bases SSO)
Google Cloud Platform
Salesforce
SAP (Systems, Applications, and Products in Data Processing) Cloud Identity Platform

Question 68

Integrating Slack with Microsoft Entra ID enables you to

Answer 68

control who has access to Slack in Microsoft Entra ID

enable your users to be automatically signed in to Slack with their Microsoft Entra accounts

manage your accounts in on central location

Question 69

what is needed to integrate slack and microsoft entra id?

Answer 69

a microsoft entra subscription

slack single sign on enameled subscription

Question 70

How can you configure the integration of Slack into Microsoft Entra ID?

Answer 70

add Slack from the gallery to your list of managed SaaS apps

Question 71

How to configure and test Microsoft Entra SSO for Slack

Answer 71

enable the feature to users and then create a test user

Question 72

Configure Microsoft Entra SSO

Answer 72

must be signed on as at least a cloud application administrator

go to - identity
applications,
enterprise applications,
slack,
single sign on

on SSO page select SAML

Question 73

DIDs

Answer 73

user generated, self owned, globally unique identifiers rooted in decentralized systems trust systems

Question 74

what are verifiable credentials?

Answer 74

data objects consisting of claims made by the issuer attesting information about a subject

Question 75

t or f

the issuer’s DID creates a digital signature as proof that they attest to this information

Answer 75

True

Question 76

how do most organizations provide credentials to employees?

Answer 76

centralized identity systems

Question 77

How decentralized identity systems work

Answer 77

the issuer, user, and relying party (RP) each have a role in establishing and ensuring ongoing trusted exchange of each others credentials.

Question 78

What passwordless authentication methods does Microsoft recommend?

Answer 78

Windows Hello
FIDO2 security keys
Microsoft Authenticator app