Microsoft 365 Identity and Services MS-100 Exam Questions and Answers – 2

The latest Microsoft 365 Identity and Services MS-100 certification practice exam question and answer (Q&A) dumps are available free to help you pass the Microsoft 365 Identity and Services MS-100 exam and earn the Microsoft 365 Identity and Services MS-100 certification.

Question 121

Question

Your network contains an Active Directory domain named contoso.com. The domain contains five domain controllers.
You purchase Microsoft 365 and plan to implement several Microsoft 365 services.
You need to identify an authentication strategy for the planned Microsoft 365 deployment. The solution must meet the following requirements:

  • Ensure that users can access Microsoft 365 by using their on-premises credentials.
  • Use the existing server infrastructure only.
  • Store all user passwords on-premises only.
  • Be highly available.

Which authentication strategy should you identify?

A. pass-through authentication and seamless SSO
B. pass-through authentication and seamless SSO with password hash synchronization
C. password hash synchronization and seamless SSO
D. federation

Answer

A. pass-through authentication and seamless SSO

Question 122

Question

Your network contains an on-premises Active Directory domain.
You have a Microsoft 365 subscription.
You implement a directory synchronization solution that uses pass-through authentication.
You configure Microsoft Azure Active Directory (Azure AD) smart lockout as shown in the following exhibit.

You discover that Active Directory users can use the passwords in the custom banned passwords list.
You need to ensure that banned passwords are effective for all users.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. From a domain controller, install the Azure AD Password Protection Proxy.
B. From a domain controller, install the Microsoft AAD Application Proxy connector.
C. From Custom banned passwords, modify the Enforce custom list setting.
D. From Password protection for Windows Server Active Directory, modify the Mode setting.
E. From all the domain controllers, install the Azure AD Password Protection DC Agent.
F. From Active Directory, modify the Default Domain Policy.

Answer

A. From a domain controller, install the Azure AD Password Protection Proxy.
C. From Custom banned passwords, modify the Enforce custom list setting.
E. From all the domain controllers, install the Azure AD Password Protection DC Agent.

Question 123

Question

You have a Microsoft Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.
An external user has a Microsoft account that uses an email address of [email protected].
An administrator named Admin1 attempts to create a user account for the external user and receives the error message shown in the following exhibit.

You need to ensure that Admin1 can add the user.
What should you do from the Azure Active Directory admin center?

A. Add a custom domain name named outlook.com.
B. Modify the Authentication methods.
C. Modify the External collaboration settings.
D. Assign Admin1 the Security administrator role.

Answer

C. Modify the External collaboration settings.

Question 124

Question

Your company has a Microsoft 365 subscription and a Microsoft Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.
An external vendor has a Microsoft account that has a username of [email protected].
You plan to provide [email protected] with access to several resources in the subscription.
You need to add the external user account to contoso.onmicrosoft.com. The solution must ensure that the external vendor can authenticate by using [email protected].
What should you do?

A. From Azure Cloud Shell, run the New-AzureADUser cmdlet and specify -UserPrincipalName [email protected].
B. From the Microsoft 365 admin center, add a contact, and then specify [email protected] as the email address.
C. From the Azure portal, add a new guest user, and then specify [email protected] as the email address.
D. From the Azure portal, add a custom domain name, and then create a new Azure AD user and use [email protected] as the username.

Answer

C. From the Azure portal, add a new guest user, and then specify [email protected] as the email address.

Question 125

Question

You have a Microsoft 365 subscription that contains several Microsoft SharePoint Online sites.
You discover that users from your company can invite external users to access files on the SharePoint sites.
You need to ensure that the company users can invite only authenticated guest users to the sites.
What should you do?

A. From the Microsoft 365 admin center, configure a partner relationship.
B. From SharePoint Online Management Shell, run the Set-SPOSite cmdlet.
C. From the Azure Active Directory admin center, configure a conditional access policy.
D. From the SharePoint admin center, configure the sharing settings.

Answer

D. From the SharePoint admin center, configure the sharing settings.

Question 126

Question

Your network contains an on-premises Active Directory domain. The domain contains 2,000 computers that run Windows 10.
You purchase a Microsoft 365 subscription.
You implement password hash synchronization and Azure Active Directory (Azure AD) Seamless Single Sign-On (Seamless SSO).
You need to ensure that users can use Seamless SSO from the Windows 10 computers.
What should you do?

A. Create a conditional access policy in Azure AD.
B. Deploy an Azure AD Connect staging server.
C. Join the computers to Azure AD.
D. Modify the Intranet zone settings by using Group Policy.

Answer

D. Modify the Intranet zone settings by using Group Policy.

Question 127

Question

Your company has a hybrid deployment of Microsoft 365.
Users authenticate by using pass-through authentication. Several Microsoft Azure AD Connect Authentication Agents are deployed.
You need to verify whether all the Authentication Agents are used for authentication.
What should you do?

A. From the Azure portal, use the Troubleshoot option on the Pass-through authentication page.
B. From Performance Monitor, use the #PTA authentications counter.
C. From the Azure portal, use the Diagnostics settings on the Monitor blade.
D. From Performance Monitor, use the Kerberos authentications counter.

Answer

A. From the Azure portal, use the Troubleshoot option on the Pass-through authentication page.

Manage Access and Authentication Testlet 2

Overview

Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The offices have the users and devices shown in the following table.

Contoso recently purchased a Microsoft 365 E5 subscription.

Existing Environment

The network contains an Active Directory forest named contoso.com and a Microsoft Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.

You recently configured the forest to sync to the Azure AD tenant.

You add and then verify adatum.com as an additional domain name.

All servers run Windows Server 2016.

All desktop computers and laptops run Windows 10 Enterprise and are joined to contoso.com.

All the mobile devices in the Montreal and Seattle offices run Android. All the mobile devices in the New York office run iOS.

Contoso has the users shown in the following table.

Contoso has the groups shown in the following table.

Microsoft Office 365 licenses are assigned only to Group2.

The network also contains external users from a vendor company who have Microsoft accounts that use a suffix of @outlook.com.

Requirements

Planned Changes
Contoso plans to provide email addresses for all the users in the following domains:

  • East.adatum.com
  • Contoso.adatum.com
  • Humongousinsurance.com

Technical Requirements
Contoso identifies the following technical requirements:

  • All new users must be assigned Office 365 licenses automatically.
  • The principle of least privilege must be used whenever possible.

Security Requirements
Contoso identifies the following security requirements:

  • Vendors must be able to authenticate by using their Microsoft account when accessing Contoso resources.
  • User2 must be able to view reports and schedule the email delivery of security and compliance reports.
  • The members of Group1 must be required to answer a security question before changing their password.
  • User3 must be able to manage Office 365 connectors.
  • User4 must be able to reset the password of User3.

Question 128

Question

You need to meet the security requirement for Group1.
What should you do?

A. Configure all users to sign in by using multi-factor authentication.
B. Modify the properties of Group1.
C. Assign Group1 a management role.
D. Modify the Password reset properties of the Azure AD tenant.

Answer

D. Modify the Password reset properties of the Azure AD tenant.

Question 129

Question

You need to meet the security requirement for the vendors.
What should you do?

A. From the Azure portal, add an identity provider.
B. From Azure Cloud Shell, run the New-AzureADUser cmdlet and specify the -UserPrincipalName parameter.
C. From Azure Cloud Shell, run the Set-AzureADUserExtension cmdlet.
D. From the Azure portal, create guest accounts.

Answer

D. From the Azure portal, create guest accounts.

Question 130

Question

You need to meet the security requirement for the vendors.
What should you do?

A. From Azure Cloud Shell, run the Set-MsolUserPrincipalName cmdlet and specify the -tenantID parameter.
B. From Azure Cloud Shell, run the Set-AzureADUserExtension cmdlet.
C. From Azure Cloud Shell, run the New-AzureADUser cmdlet and specify the -UserPrincipalName parameter.
D. From Azure Cloud Shell, run the New-AzureADMSInvitation cmdlet and specify the -InvitedUserEmailAddress parameter.

Answer

D. From Azure Cloud Shell, run the New-AzureADMSInvitation cmdlet and specify the -InvitedUserEmailAddress parameter.

Manage Access and Authentication Testlet 3

Overview

Fabrikam, Inc. is an electronics company that produces consumer products. Fabrikam has 10,000 employees worldwide.

Fabrikam has a main office in London and branch offices in major cities in Europe, Asia, and the United States.

Existing Environment

Active Directory Environment
The network contains an Active Directory forest named fabrikam.com. The forest contains all the identities used for user and computer authentication.

Each department is represented by a top-level organizational unit (OU) that contains several child OUs for user accounts and computer accounts.

All users authenticate to on-premises applications by signing in to their device by using a UPN format of [email protected].

Fabrikam does NOT plan to implement identity federation.

Network Infrastructure
Each office has a high-speed connection to the Internet.

Each office contains two domain controllers. All domain controllers are configured as DNS servers.

The public zone for fabrikam.com is managed by an external DNS server.

All users connect to an on-premises Microsoft Exchange Server 2016 organization. The users access their email by using Outlook Anywhere, Outlook on the web, or the Microsoft Outlook app for iOS. All the Exchange servers have the latest cumulative updates installed.

All shared company documents are stored on a Microsoft SharePoint Server farm.

Requirements

Planned Changes
Fabrikam plans to implement a Microsoft 365 Enterprise subscription and move all email and shared documents to the subscription.

Fabrikam plans to implement two pilot projects:

  • Project1: During Project1, the mailboxes of 100 users in the sales department will be moved to Microsoft 365.
  • Project2: After the successful completion of Project1, Microsoft Teams & Skype for Business will be enabled in Microsoft 365 for the sales department users.

Fabrikam plans to create a group named UserLicenses that will manage the allocation of all Microsoft 365 bulk licenses.

Technical Requirements
Fabrikam identifies the following technical requirements:

  • All users must be able to exchange email messages successfully during Project1 by using their current email address.
  • Users must be able to authenticate to cloud services if Active Directory becomes unavailable.
  • A user named User1 must be able to view all DLP reports from the Microsoft 365 admin center.
  • Microsoft Office 365 ProPlus applications must be installed from a network share only.
  • Disruptions to email access must be minimized.

Application Requirements
Fabrikam identifies the following application requirements:

  • An on-premises web application named App1 must allow users to complete their expense reports online. App1 must be available to users from the My Apps portal.
  • The installation of feature updates for Office 365 ProPlus must be minimized.

Security Requirements
Fabrikam identifies the following security requirements:

  • After the planned migration to Microsoft 365, all users must continue to authenticate to their mailbox and to SharePoint sites by using their UPN.
  • The memberships of UserLicenses must be validated monthly. Unused user accounts must be removed from the group automatically.
  • After the planned migration to Microsoft 365, all users must be signed in to on-premises and cloud-based applications automatically.
  • The principle of least privilege must be used.