Topic 2 - Manage user identity and roles Flashcards Preview

MS-100 - Microsoft 365 Identity and Services > Topic 2 - Manage user identity and roles > Flashcards

Flashcards in Topic 2 - Manage user identity and roles Deck (30)
Loading flashcards...
1

You have a Microsoft 365 subscription.
You view the service advisories shown in the following exhibit.
You need to ensure that users who administer Microsoft SharePoint Online can view the advisories to investigate health issues.
Which role should you assign to the users?

A. SharePoint administrator

B. Message Center reader

C. Reports reader

D. Service administrator

D. Service administrator

2

Your network contains an Active Directory forest named contoso.local.
You have a Microsoft 365 subscription.
You plan to implement a directory synchronization solution that will use password hash synchronization.
From the Microsoft 365 admin center, you verify the contoso.com domain name.
You need to prepare the environment for the planned directory synchronization solution.
What should you do first?

A. From the public DNS zone of contoso.com, add a new mail exchanger (MX) record.

B. From Active Directory Domains and Trusts, add contoso.com as a UPN suffix.

C. From the Microsoft 365 admin center, verify the contoso.local domain name.

D. From Active Directory Users and Computers, modify the UPN suffix for all users.

B. From Active Directory Domains and Trusts, add contoso.com as a UPN suffix.

3

Your company has a Microsoft 365 subscription.
Your plan to add 100 newly hired temporary users to the subscription next week.
You create the user accounts for the new users.
You need to assign licenses to the new users.
Which command should you run?

B

4

Your network contains an Active Directory domain and a Microsoft Azure Active Directory (Azure AD) tenant.
The network uses a firewall that contains a list of allowed outbound domains.
You begin to implement directory synchronization.
You discover that the firewall configuration contains only the following domain names in the list of allowed domains:
✑ *.microsoft.com
✑ *.office.com
Directory synchronization fails.
You need to ensure that directory synchronization completes successfully.
What is the best approach to achieve the goal? More than one answer choice may achieve the goal. Select the BEST answer.

A. From the firewall, allow the IP address range of the Azure data center for outbound communication.

B. From Azure AD Connect, modify the Customize synchronization options task.

C. Deploy an Azure AD Connect sync server in staging mode.

D. From the firewall, create a list of allowed inbound domains.

E. From the firewall, modify the list of allowed outbound domains.

E. From the firewall, modify the list of allowed outbound domains.

5

Your network contains an on-premises Active Directory forest.
You are evaluating the implementation of Microsoft 365 and the deployment of an authentication strategy.
You need to recommend an authentication strategy that meets the following requirements:
✑ Allows users to sign in by using smart card-based certificates
✑ Allows users to connect to on-premises and Microsoft 365 services by using SSO
Which authentication strategy should you recommend?

A. password hash synchronization and seamless SSO

B. federation with Active Directory Federation Services (AD FS)

C. pass-through authentication and seamless SSO

B. federation with Active Directory Federation Services (AD FS)

6

7

HOTSPOT -
Your company has offices in several cities and 100,000 users.
The network contains an Active Directory domain named contoso.com.
You purchase Microsoft 365 and plan to deploy several Microsoft 365 services.
You are evaluating the implementation of pass-through authentication and seamless SSO. Azure AD Connect will NOT be in staging mode.
You need to identify the redundancy limits for the planned implementation.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

8

Your network contains an Active Directory domain named adatum.com that is synced to Microsoft Azure Active Directory (Azure AD).
The domain contains 100 user accounts.
The city attribute for all the users is set to the city where the user resides.
You need to modify the value of the city attribute to the three-letter airport code of each city.
What should you do?

A. From Active Directory Administrative Center, select the Active Directory users, and then modify the Properties settings.

B. From the Microsoft 365 admin center, select the users, and then use the Bulk actions option.

C. From Azure Cloud Shell, run the Get-AzureADUser and Set-AzureADUser cmdlets.

D. From Windows PowerShell on a domain controller, run the Get-AzureADUser and Set-AzureADUser cmdlets.

A. From Active Directory Administrative Center, select the Active Directory users, and then modify the Properties settings.

9

2only

2only

10

You have a Microsoft 365 subscription that contains a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com. The tenant includes a user named
User1.
You enable Azure AD Identity Protection.
You need to ensure that User1 can review the list in Azure AD Identity Protection of users flagged for risk. The solution must use the principle of least privilege.
To which role should you add User1?

A. Security reader

B. Compliance administrator

C. Reports reader

D. Global administrator

A. Security reader

11

HOTSPOT -
Your network contains an Active Directory domain and a Microsoft Azure Active Directory (Azure AD) tenant.
You implement directory synchronization for all 10,000 users in the organization.
You automate the creation of 100 new user accounts.
You need to ensure that the new user accounts synchronize to Azure AD as quickly as possible.
Which command should you run? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

12

Your network contains three Active Directory forests.
You create a Microsoft Azure Active Directory (Azure AD) tenant.
You plan to sync the on-premises Active Directory to Azure AD.
You need to recommend a synchronization solution. The solution must ensure that the synchronization can complete successfully and as quickly as possible if a single server fails.
What should you include in the recommendation?

A. three Azure AD Connect sync servers and three Azure AD Connect sync servers in staging mode

B. one Azure AD Connect sync server and one Azure AD Connect sync server in staging mode

C. three Azure AD Connect sync servers and one Azure AD Connect sync server in staging mode

D. six Azure AD Connect sync servers and three Azure AD Connect sync servers in staging mode

B. one Azure AD Connect sync server and one Azure AD Connect sync server in staging mode

13

Your company has 10,000 users who access all applications from an on-premises data center.
You plan to create a Microsoft 365 subscription and to migrate data to the cloud.
You plan to implement directory synchronization.
User accounts and group accounts must sync to Microsoft Azure Active Directory (Azure AD) successfully.
You discover that several user accounts fail to sync to Azure AD.
You need to identify which user accounts failed to sync. You must resolve the issue as quickly as possible.
What should you do?

A. From Active Directory Administrative Center, search for all the users, and then modify the properties of the user accounts.

B. Run idfix.exe, and then click Complete.

C. From Windows PowerShell, run the Start-AdSyncCycle â€"PolicyType Delta command.

D. Run idfix.exe, and then click Edit.

D. Run idfix.exe, and then click Edit.

14

Your network contains an Active Directory forest. The forest contains two domains named contoso.com and adatum.com.
Your company recently purchased a Microsoft 365 subscription.
You deploy a federated identity solution to the environment.
You use the following command to configure contoso.com for federation.
Convert-MsolDomaintoFederated â€"DomainName contoso.com
In the Microsoft 365 tenant, an administrator adds and verifies the adatum.com domain name.
You need to configure the adatum.com Active Directory domain for federated authentication.
Which two actions should you perform before you run the Azure AD Connect wizard? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. From Windows PowerShell, run the Convert-MsolDomaintoFederated command. â€"DomainName contoso.com â€"SupportMultipleDomain

B. From Windows PowerShell, run the New-MsolFederatedDomain command. â€"SupportMultipleDomain -DomainName contoso.com

C. From Windows PowerShell, run the New-MsolFederatedDomain command. -DomainName adatum.com

D. From Windows PowerShell, run the Update-MSOLFederatedDomain command. â€"DomainName contoso.com â€"SupportMultipleDomain

E. From the federation server, remove the Microsoft Office 365 relying party trust.

A. From Windows PowerShell, run the Convert-MsolDomaintoFederated command. â€"DomainName contoso.com â€"SupportMultipleDomain

E. From the federation server, remove the Microsoft Office 365 relying party trust.

15

1 only 

 

1 / 2 only

16

Your network contains a single Active Directory domain and two Microsoft Azure Active Directory (Azure AD) tenants.
You plan to implement directory synchronization for both Azure AD tenants. Each tenant will contain some of the Active Directory users.
You need to recommend a solution for the planned directory synchronization.
What should you include in the recommendation?

A. Deploy two servers that run Azure AD Connect, and then filter the users for each tenant by using organizational unit (OU)-based filtering.

B. Deploy one server that runs Azure AD Connect, and then specify two sync groups.

C. Deploy one server that runs Azure AD Connect, and then filter the users for each tenant by using organizational unit (OU)-based filtering.

D. Deploy one server that runs Azure AD Connect, and then filter the users for each tenant by using domain-based filtering.

A. Deploy two servers that run Azure AD Connect, and then filter the users for each tenant by using organizational unit (OU)-based filtering.

17

Your company has a Microsoft Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains a user named User1.
You suspect that an imposter is signing in to Azure AD by using the credentials of User1.
You need to ensure that an administrator named Admin1 can view all the sign in details of User1 from the past 24 hours.
To which three roles should you add Admin1? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. Security administrator

B. Password administrator

C. User administrator

D. Compliance administrator

E. Reports reader

F. Security reader

A. Security administrator

B. Password administrator

C. User administrator

18

1

1

 

19

HOTSPOT -
Your network contains an on-premises Active Directory domain named contoso.com. The domain contains five domain controllers.
Your company purchases Microsoft 365 and creates a Microsoft Azure Directory (Azure AD) tenant named contoso.onmicrosoft,com.
You plan to establish federation authentication between on-premises Active Directory and the Azure AD tenant by using Active Directory Federation Services (AD
FS).
You need to establish the federation.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

1

2

 

20

You have a Microsoft 365 subscription.
You plan to enable Microsoft Azure Information Protection.
You need to ensure that only the members of a group named PilotUsers can protect content.
What should you do?

A. Run the Add-AadrmRoleBaseAdministrator cmdlet.

B. Create an Azure Information Protection policy.

C. Configure the protection activation status for Azure Information Protection.

D. Run the Set-AadrmOnboardingControlPolicy cmdlet.

D. Run the Set-AadrmOnboardingControlPolicy cmdlet.

21

Your company has a Microsoft 365 subscription.
You need to identify which users performed the following privileged administration tasks:
✑ Deleted a folder from the second-stage Recycle Bin if Microsoft SharePoint
✑ Opened a mailbox of which the user was not the owner
✑ Reset a user password
What should you use?

A. Microsoft Azure Active Directory (Azure AD) audit logs

B. Microsoft Azure Active Directory (Azure AD) sign-ins

C. Security & Compliance content search

D. Security & Compliance audit log search

A. Microsoft Azure Active Directory (Azure AD) audit logs

22

You have a Microsoft 365 subscription. You have a user named User1.
You need to ensure that User1 can place a hold on all mailbox content.
What permission should you assign to User1?

A. the User management administrator role from the Microsoft 365 admin center

B. the eDiscovery Manager role from the Security & Compliance admin center

C. the Information Protection administrator role from the Azure Active Directory admin center

D. the Compliance Management role from the Exchange admin center

B. the eDiscovery Manager role from the Security & Compliance admin center

23

Your company has a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com.
You sign up for Microsoft Store for Business.
The tenant contains the users shown in the following table.

Microsoft Store for Business has the following Shopping behavior settings:
✑ Allow users to shop is set to On.
✑ Make everyone a Basic Purchaser is set to Off.
You need to identify which users can install apps from the Microsoft for Business private store.
Which users should you identify?

A. A. user1, User2, User3, User4, and User5

B. User1 only

C. User1 and User2 only

D. User3 and User4 only

E. User1, User2, User3, and User4 only

C. User1 and User2 only

24

You have a Microsoft 365 subscription that contains a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com.
In the tenant, you create a user named User1.
You need to ensure that User1 can publish retention labels from the Security & Compliance admin center. The solution must use the principle of least privilege.
To which role group should you add User1?

A. Security Administrator

B. Records Management

C. Compliance Administrator

D. eDiscovery Manager

B. Records Management

25

2

1

 

26

Your company has a Microsoft 365 E5 subscription.
Users in the research department work with sensitive data.
You need to prevent the research department users from accessing potentially unsafe websites by using hyperlinks embedded in email messages and documents. Users in other departments must not be restricted.
What should you do from the Security & Compliance admin center?

A. Create a data loss prevention (DLP) policy that has a Content contains condition.

B. Create a data loss prevention (DLP) policy that has a Content is shared condition.

C. Modify the default safe links policy.

D. Create a new safe links policy.

D. Create a new safe links policy.

27

yes

no

yes

 

28

A user receives the following message when attempting to sign in to https://myapps.microsoft.com:
"Your sign-in was blocked. We've detected something unusual about this sign-in. For example, you might be signing in from a new location, device, or app. Before you can continue, we need to verify your identity. Please contact your admin."
Which configuration prevents the users from signing in?

A. Security & Compliance supervision policies

B. Security & Compliance data loss prevention (DLP) policies

C. Microsoft Azure Active Directory (Azure AD) conditional access policies

D. Microsoft Azure Active Directory (Azure AD) Identity Protection policies

C. Microsoft Azure Active Directory (Azure AD) conditional access policies

29

no

yes

yes

30

yes

no

no