
Microsoft - MS-100: Microsoft 365 Identity and Services

Sample Questions

Question: 286
Measured Skill: Manage User Identity and Roles (35-40%)

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. Determine whether the solution meets the stated goals.

You have a hybrid deployment of Microsoft 365 that contains the objects shown in the following table.



Azure AD Connect has the following settings:
  • Password Hash Sync: Enabled
  • Password writeback: Enabled
  • Group writeback: Enabled

You need to add User2 to Group2.

Solution: You use the Security & Compliance admin center.

Does this meet the goal?

A Yes
B No

Correct answer: B

Explanation:

Group2 was created in on-premises Active Directory and synchronized to Azure AD. The properties of objects created on-premises can only be changed on-premises.

Changes to the membership of Group2 are only possible in the Windows Server Active Directory domain. The changes are then synchronized to Azure AD.

What is Azure AD Connect group writeback
Groups writeback enables customers to leverage cloud groups for their hybrid needs. If you use the Microsoft 365 Groups feature, then you can have these groups represented in your on-premises Active Directory. This option is only available if you have Exchange present in your on-premises Active Directory.

Reference: Azure AD Connect group writeback

Question: 287
Measured Skill: Manage User Identity and Roles (35-40%)

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. Determine whether the solution meets the stated goals.

You have a hybrid deployment of Microsoft 365 that contains the objects shown in the following table.



Azure AD Connect has the following settings:
  • Password Hash Sync: Enabled
  • Password writeback: Enabled
  • Group writeback: Enabled

You need to add User2 to Group2.

Solution: From Windows PowerShell, you run the Add-ADGroupMember cmdlet.

Does this meet the goal?

A Yes
B No

Correct answer: A

Explanation:

Group2 was created in on-premises Active Directory and synchronized to Azure AD. The properties of objects created on-premises can only be changed on-premises.

Changes to the membership of Group2 are only possible in the Windows Server Active Directory domain. The changes are then synchronized to Azure AD.

What is Azure AD Connect group writeback
Groups writeback enables customers to leverage cloud groups for their hybrid needs. If you use the Microsoft 365 Groups feature, then you can have these groups represented in your on-premises Active Directory. This option is only available if you have Exchange present in your on-premises Active Directory.

Reference: Azure AD Connect group writeback

Question: 288
Measured Skill: Design and Implement Microsoft 365 Services (25-30%)

You have a Microsoft 365 E5 subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains a Microsoft SharePoint Online site named Site1 and the accounts shown in the following table.



You have an on-premises server named Server1 that contains a folder named Folder1. Folder1 contains the files shown in the following table.



The User1, User2, and Group1 accounts have the security identifiers (SIDs) shown in the following table.



You use the SharePoint Migration Tool to migrate Folder1 to Site1. You preserve the file share permissions and use the following user mapping file.

S-1-5-21-4534338-1127018997-2609994386-1304, UserA@Contoso.com, FALSE
S-1-5-21-4534338-1127018997-2609994386-1228, UserB@Contoso.com, FALSE
S-1-5-21-4534338-1127018997-2609994386-1106, GroupA, TRUE


For each of the following statements, select Yes if the statement is true. Otherwise, select No.

(NOTE: Each correct selection is worth one point.)

A UserA is the owner of File1 on Site1: Yes
UserB is the owner of File2 on Site1: Yes
GroupA is the owner of File3 on Site1: Yes
B UserA is the owner of File1 on Site1: Yes
UserB is the owner of File2 on Site1: Yes
GroupA is the owner of File3 on Site1: No
C UserA is the owner of File1 on Site1: Yes
UserB is the owner of File2 on Site1: No
GroupA is the owner of File3 on Site1: Yes
D UserA is the owner of File1 on Site1: No
UserB is the owner of File2 on Site1: Yes
GroupA is the owner of File3 on Site1: No
E UserA is the owner of File1 on Site1: No
UserB is the owner of File2 on Site1: No
GroupA is the owner of File3 on Site1: Yes
F UserA is the owner of File1 on Site1: No
UserB is the owner of File2 on Site1: No
GroupA is the owner of File3 on Site1: No

Correct answer: F

Explanation:

The SharePoint Migration Tool (SPMT) lets you migrate your files from SharePoint on-premises document libraries or on-premises file shares and move them to Microsoft 365. It's free to Microsoft 365 users.

The "Preserve file share permissions" option preserves permissions on the files migrated. By default, Azure AD lookup is used to map users when submitting migration jobs. But, you can choose a custom user mapping file to preserve user permissions.

The first column in the user mapping file specifies the SID of the user in the source location. The second column specifies the user who will get the permissions assigned on the target site. The third column specifies whether the user principal name (UPN) on the target site is an Active Directory (AD) group (TRUE). If it's not an AD group, enter FALSE. This column is required.

UserA, UserB, and GroupA are cloud identities. The third column should have FALSE for each identity.

It is not possible to map an AD group to a SharePoint group in the target site. Currently it is also not possible to map a SharePoint group to a SharePoint group in SPMT.

None of the permissions are migrated and none of the cloud identities will be set as an owner of a migrated file.

References:

Create a user-mapping file for data content migration

File and folder permissions when using the SharePoint Migration Tool

File share to OneDrive and SharePoint migration guide

Question: 289
Measured Skill: Plan Office 365 Workloads and Applications (10-15%)

You have a DNS zone named contoso.com that contains the following records.



You purchase a Microsoft 365 subscription.

You plan to migrate mailboxes to Microsoft Exchange Online.

You need to configure Sender Policy Framework (SPF) to support Exchange Online.

What should you do?

A Add an additional TXT record.
B Modify the TXT record.
C Modify the expire interval of the SOA record.
D Modify the default TTL of the SOA record.

Correct answer: B

Explanation:

An SPF TXT record is a DNS record that helps prevent spoofing and phishing by verifying the domain name from which email messages are sent. SPF validates the origin of email messages by verifying the IP address of the sender against the alleged owner of the sending domain.

Domain administrators publish SPF information in TXT records in DNS. The SPF information identifies authorized outbound email servers. Destination email systems verify that messages originate from authorized outbound email servers.

Each SPF TXT record contains three parts: the declaration that it is an SPF TXT record, the IP addresses that are allowed to send mail from your domain and the external domains that can send on your domain's behalf, and an enforcement rule. You need all three in a valid SPF TXT record.

A typical SPF TXT record for Microsoft 365 has the following syntax:

v=spf1 [<ip4>|<ip6>:<IP address>] [include:<domain name>] <enforcement rule>

For example:

v=spf1 ip4:192.168.0.1 ip4:192.168.0.2 include:spf.protection.outlook.com -all

where:

  • v=spf1 is required. This defines the TXT record as an SPF TXT record.

  • ip4 indicates that you are using IP version 4 addresses. ip6 indicates that you are using IP version 6 addresses. If you are using IPv6 IP addresses, replace ip4 with ip6 in the examples in this article. You can also specify IP address ranges using CIDR notation, for example ip4:192.168.0.1/26.

  • IP address is the IP address that you want to add to the SPF TXT record. Usually, this is the IP address of the outbound mail server for your organization. You can list multiple outbound mail servers.

  • domain name is the domain you want to add as a legitimate sender.

  • Enforcement rule is usually one of the following:

    • -all

      Indicates hard fail. If you know all of the authorized IP addresses for your domain, list them in the SPF TXT record and use the -all (hard fail) qualifier. Also, if you are only using SPF, that is, you are not using DMARC or DKIM, you should use the -all qualifier. We recommend that you always use this qualifier.

    • ~all

      Indicates soft fail. If you're not sure that you have the complete list of IP addresses, then you should use the ~all (soft fail) qualifier. Also, if you are using DMARC with p=quarantine or p=reject, then you can use ~all. Otherwise, use -all.

    • ?all

      Indicates neutral. This is used when testing SPF. We do not recommend that you use this qualifier in your live deployment.

References:

How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing

Set up SPF to help prevent spoofing
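
Why the existing record is modified rather than a second one added, as an example added here (not part of the original page): under RFC 7208 a domain that publishes more than one v=spf1 TXT record evaluates to permerror, so the Exchange Online include has to be merged into the single SPF record. The TXT record set below is constructed, reusing the addresses from the example record above, and the function names are illustrative.

```python
import re

# Include mechanism for Exchange Online, taken from the example record on this page.
M365_INCLUDE = "include:spf.protection.outlook.com"

# Constructed sample TXT record set for contoso.com (not the zone from the question).
ZONE_TXT = [
    "v=spf1 ip4:192.168.0.1 ip4:192.168.0.2 -all",
    "constructed-verification=abc123",
]

def spf_records(txt_records):
    """Return the TXT strings whose first term is the SPF version tag."""
    return [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]

def spf_status(txt_records):
    """'none', 'ok', or 'permerror' (more than one SPF record, RFC 7208)."""
    count = len(spf_records(txt_records))
    return "none" if count == 0 else "ok" if count == 1 else "permerror"

def add_exchange_online(txt_records):
    """Return a new record set whose single SPF record authorises Exchange Online."""
    status = spf_status(txt_records)
    if status == "permerror":
        raise ValueError("fix duplicate SPF records before editing")
    if status == "none":
        # No SPF yet: publish one. -all assumes Exchange Online is the only sender.
        return list(txt_records) + [f"v=spf1 {M365_INCLUDE} -all"]
    current = spf_records(txt_records)[0]
    terms = current.split()
    if M365_INCLUDE not in [t.lower() for t in terms]:
        # Place the include before the enforcement rule: evaluation stops at "all".
        pos = next((i for i, t in enumerate(terms)
                    if re.fullmatch(r"[+\-~?]?all", t, re.IGNORECASE)), len(terms))
        terms.insert(pos, M365_INCLUDE)
    updated = " ".join(terms)
    return [updated if t == current else t for t in txt_records]

if __name__ == "__main__":
    print(add_exchange_online(ZONE_TXT))
    # Answer A's outcome: a second SPF record breaks evaluation.
    print(spf_status(ZONE_TXT + [f"v=spf1 {M365_INCLUDE} -all"]))
```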

Question: 290
Measured Skill: Plan Office 365 Workloads and Applications (10-15%)

You have a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com.

You add an app named App1 to the enterprise applications in contoso.com.

You need to configure self-service app access for App1.

What should you do first?

A Assign App1 to users and groups.
B Add an owner to App1.
C Configure the provisioning mode for App1.
D Configure an SSO method for App1.

Correct answer: D

Explanation:

Before your users can self-discover applications from their access panel, you need to enable Self-service application access to any applications that you wish to allow users to self-discover and request access to.

This feature is a great way for you to save time and money as an IT group, and is highly recommended as part of a modern applications deployment with Azure Active Directory.

Using this feature, you can:

  • Let users self-discover applications from the Application Access Panel without bothering the IT group.

  • Add those users to a pre-configured group so you can see who has requested access, remove access, and manage the roles assigned to them.

  • Optionally allow a business approver to approve application access requests so the IT group doesn’t have to.

  • Optionally configure up to 10 individuals who may approve access to this application.

  • Optionally allow a business approver to set the passwords those users can use to sign in to the application, right from the business approver’s Application Access Panel.

  • Optionally automatically assign self-service assigned users to an application role directly.

Before you can enable self-service for App1, you need to configure an SSO method for the app.





 
 
 

© Copyright 2014 - 2020 by cert2brain.com