HOTSPOT You have an Azure Active Directory (Azure AD) tenant that contains a user named User1 and the groups shown in the following table.
In the tenant, you create the groups shown in the following table.
Which members can you add to GroupA and GroupB? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Reference:
https://bitsizedbytes.wordpress.com/2018/12/10/distribution-security-and-office-365-groups-nesting/
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant that syncs to an Active Directory forest.
You discover that when a user account is disabled in Active Directory, the disabled user can still authenticate to Azure AD for up to 30 minutes.
You need to ensure that when a user account is disabled in Active Directory, the user account is immediately prevented from authenticating to Azure AD.
Solution: You configure conditional access policies.
Does this meet the goal?
b
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn
HOTSPOT You have an Azure Active Directory (Azure AD) tenant that contains three users named User1, User2, and User3.
You create a group named Group1. You add User2 and User3 to Group1.
You configure a role in Azure AD Privileged Identity Management (PIM) as shown in the Application Administrator exhibit. (Click the Application Administrator tab.)
Group1 is configured as the approver for the Application administrator role.
You configure User2 to be eligible for the Application administrator role.
For User1 you add an assignment to the Application administrator role as shown in the Assignment exhibit. (Click the Assignment tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Box 1: No -
User1 is eligible from 1/1/2021 to 1/31/2021.
However, here the Application Administrator role requires approval.
Box 2: No -
User2 is also a member of Group1, and Group1 is configured as the approver for the Application administrator role.
Box 3: Yes -
User1 is eligible from 1/1/2021 to 1/31/2021.
Activation maximum duration (hours) is set to 5 hours.
You work for a company named Contoso, Ltd. that has a Microsoft Entra tenant named contoso.com.
Contoso is working on a project with the following two partner companies:
A company named A. Datum Corporation that has a Microsoft Entra tenant named adatum.com.
A company named Fabrikam, Inc. that has a Microsoft Entra tenant named fabrikam.com.
When you attempt to invite a new guest user from adatum.com to contoso.com, you receive an error message.
You can successfully invite a new guest user from fabrikam.com to contoso.com.
You need to be able to invite new guest users from adatum.com to contoso.com.
What should you configure?
d
You have an Azure Active Directory (Azure AD) tenant named contoso.com that has Azure AD Identity Protection policies enforced.
You create an Azure Sentinel instance and configure the Azure Active Directory connector.
You need to ensure that Azure Sentinel can generate incidents based on the risk alerts raised by Azure AD Identity Protection.
What should you do first?
a
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-ad-identity-protection
You have an Azure AD tenant named contoso.com that contains the resources shown in the following table.
You create a user named Admin1.
You need to ensure that Admin1 can enable Security defaults for contoso.com.
What should you do first?
b
Case Study
Overview
ADatum Corporation is a consulting company in Montreal.
ADatum recently acquired a Vancouver-based company named Litware, Inc.
Existing Environment. ADatum Environment
The on-premises network of ADatum contains an Active Directory Domain Services (AD DS) forest named adatum.com.
ADatum has a Microsoft 365 E5 subscription. The subscription contains a verified domain that syncs with the adatum.com AD DS domain by using Azure AD Connect.
ADatum has an Azure Active Directory (Azure AD) tenant named adatum.com. The tenant has Security defaults disabled.
The tenant contains the users shown in the following table.
The tenant contains the groups shown in the following table.
Existing Environment. Litware Environment
Litware has an AD DS forest named litware.com.
Existing Environment. Problem Statements
ADatum identifies the following issues:
Multiple users in the sales department have up to five devices. The sales department users report that sometimes they must contact the support department to join their devices to the Azure AD tenant because they have reached their device limit.
A recent security incident reveals that several users leaked their credentials, a suspicious browser was used for a sign-in, and resources were accessed from an anonymous IP address.
When you attempt to assign the Device Administrators role to IT_Group1, the group does NOT appear in the selection list.
Anyone in the organization can invite guest users, including other guests and non-administrators.
The helpdesk spends too much time resetting user passwords.
Users currently use only passwords for authentication.
Requirements. Planned Changes
ADatum plans to implement the following changes:
Configure self-service password reset (SSPR).
Configure multi-factor authentication (MFA) for all users.
Configure an access review for an access package named Package1.
Require admin approval for application access to organizational data.
Sync the AD DS users and groups of litware.com with the Azure AD tenant.
Ensure that only users that are assigned specific admin roles can invite guest users.
Increase the maximum number of devices that can be joined or registered to Azure AD to 10.
Requirements. Technical Requirements
ADatum identifies the following technical requirements:
Users assigned the User administrator role must be able to request permission to use the role when needed for up to one year.
Users must be prompted to register for MFA and provided with an option to bypass the registration for a grace period.
Users must provide one authentication method to reset their password by using SSPR. Available methods must include:
- Email
- Phone
- Security questions
- The Microsoft Authenticator app
Trust relationships must NOT be established between the adatum.com and litware.com AD DS domains.
The principle of least privilege must be used.
You need to implement the planned changes for application access to organizational data.
What should you configure?
b
You have an Azure Active Directory (Azure AD) tenant that contains cloud-based enterprise apps.
You need to group related apps into categories in the My Apps portal.
What should you create?
b
Reference:
https://support.microsoft.com/en-us/account-billing/customize-app-collections-in-the-my-apps-portal-2dae6b8a-d8b0-4a16-9a5d-71ed4d6a6c1d
You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.
You have an administrative unit named Au1. Group1, User2, and User3 are members of Au1.
User5 is assigned the User administrator role for Au1.
For which users can User5 reset passwords?
d
You have an Azure Active Directory (Azure AD) tenant.
You configure self-service password reset (SSPR) by using the following settings:
Require users to register when signing in: Yes
Number of methods required to reset: 1
What is a valid authentication method available to users?
b