Exam Prep Questions - Implement Azure Active Directory Flashcards

1
Q

You are the Azure AD administrator of Nutex. Test users are testing an Azure AD integrated application named CompanyApp. Users of nutex.com are allowed to access the application. After one year of successful access to CompanyApp through the use of single sign-on (SSO) with multifactor authentication (MFA) and smartcards, users need to read from and write to files from SharePoint Online through the CompanyApp application.

Test users report that it is not possible for them to save files through the CompanyApp on SharePoint Online. You open the Azure AD management portal and navigate to the CompanyApp settings under Configure.

What should you configure to allow the test users to read and write files on SharePoint Online through CompanyApp?

A

You have to configure permissions to other applications so that CompanyApp is granted the Read and write user files permission on SharePoint Online. The users have successfully authenticated to CompanyApp, but they have no write access because the application itself has not been granted access to SharePoint Online in this scenario.

2
Q

You are the administrator of Nutex Corporation. You have prepared your Azure AD, ACS namespace, and Azure AD endpoint mapping. You have configured Azure AD as an identity provider. You add an application named CompanyApp as a relying party application with the default settings.

What else do you have to configure in the Azure ACS portal to make it possible for your WS-Federation based application CompanyApp to use Azure AD identities through ACS for authentication and single sign-on?

A

You should add a rule manually to the Default Rule Group for CompanyApp. If you add CompanyApp as a relying party trust with default settings, you must select Create a new Rule Group under Rule Groups. Under Rule Groups there will be a rule group named Default Rule Group for CompanyApp, but this rule group will not contain any rule. You have to select Add to manually create a rule in the rule group. You have to choose the manual rule creation option because you have to select Access Control Service as the Input Claim Issuer.

3
Q

You administer Azure for an organization called Nutex. The forest functional level is Windows Server 2012 R2. You want to configure synchronization of your on-premises user accounts to Azure AD. Your Office 365 users must be able to change their Office 365 passwords in the cloud.

Which configuration steps will allow the synchronization of on-premises accounts to Azure AD and allow Office 365 users to change their Office 365 passwords in the cloud?

A
  1. Enable the Password Writeback option in AADConnect sync settings
  2. Run Get-ADSyncConnector | FL name, AADPasswordResetConfiguration
  3. Run Get-ADSyncAADPasswordResetConfiguration -Connector "nutex.onmicrosoft.com - AAD"
  4. Run Set-ADSyncAADPasswordResetConfiguration -Connector "nutex.onmicrosoft.com - AAD" -Enable $True
  5. Set the on-premises permissions that allow the passwords to be written back, using a PowerShell script
4
Q

You are the administrator of the Nutex Corporation. You have prepared your Azure AD named nutex.com for Azure Access Control Service (ACS). You have created an ACS namespace named TestApps for an ASP.NET MVC application named WebApp1. The developer now has to integrate WebApp1 into ACS. You copied the 256-bit symmetric key from the Access Control Service Portal and sent it to the developer. The developer added the key under Enter the management key for the namespace in Visual Studio and saved the key.

In the next step, the developer wants to select the authority that authenticates user identities and issues security tokens. He can only select Windows Live ID as the identity provider. The developer should be able to add Google as an authority that authenticates user identities and issues security tokens.

Where should you add a new identity provider in the Azure AD Access Control Service Portal?

A

You can add a new identity provider through the Trust Relationships setting in the Azure AD Access Control Service Portal. From this setting, you should select Identity Providers. An identity provider (IP), such as Google, Facebook, or Yahoo, authenticates a user's identity and issues security tokens. When you configure Azure Access Control Service (ACS) to trust an IP, ACS will validate and accept tokens issued by that IP.

5
Q

Your developer team wants to more easily integrate Azure AD access tokens into their OAuth 2.0 desktop applications. They want to obtain access tokens for calling the Azure AD Graph API using the OAuth 2.0 authentication protocol.

What Azure component should you configure?

A

You have to use the Azure AD Authentication Library (ADAL) to integrate the authentication elements into the code, so that the application can obtain access tokens for SSO. With ADAL, the developer gets features such as a token cache and automatic token refresh to handle securing resources, and can integrate them easily into the application code.

6
Q

You are the administrator of Nutex Corporation. You want to set up ADFS functionality with claims authentication in Azure. You have created an Azure subscription and prepared your Azure Active Directory (AAD) instance. You have created the AAD endpoint mapping under the name ACS. Now you want to make it possible for application developers to use ACS to redirect the application users to the Active Directory login.

Which URL should be used in Visual Studio for the on-premises authority for WS-Federation applications with Microsoft Azure AD to use this endpoint for single sign-on and directory access for WS-Federation applications?

A

You have to copy the WS-Federation metadata document URL and send it to the developers to use in Visual Studio as the URL of the on-premises authority for WS-Federation applications.

7
Q

You are the Azure AD Administrator of the Nutex Corporation. You add an application named CompanyApp to your Azure AD. After that, you want to ensure that only users from the Marketing department can access the application. All other users’ access to this application should be revoked.

What configuration step do you have to perform from the Azure management portal in the Application settings of CompanyApp?

A
  1. Choose Configure
  2. On the properties page, set User assignment required to access app to YES
  3. Assign the Azure AD Marketing group to the application
8
Q

You are the administrator of the Nutex Corporation. Your Sales department’s users report that they always have to use their smartcards and PIN to access their Azure AD applications, named App1, App2, and App3. Users are not allowed to use app passwords for Outlook, which is installed locally on their computers.

They can access the applications from the internal subnet inside the company without problems. When they are traveling outside the office, they want to access these three apps without their smartcard and PIN whenever they are connected to the corporate intranet.

What setting should you configure?

A

Skip multi-factor authentication for requests from federated users on my intranet.

9
Q

You administer Azure for Nutex. The on-premises domain is nutex.com. Nutex has 200 employees with on-premises AD user accounts who use Office 2010. As part of the pilot phase of the planned Office 365 migration, you have created a Windows Azure domain named verigon.com for test purposes, with a single Azure VM DC that is responsible for sign-on to verigon.com and a single Azure VM AD FS server that is responsible for relying party verigon.com.

After you have created an Office 365 Azure AD named verigon.onmicrosoft.com and you have synchronized the on-premises user test@verigon.com to Office 365 Azure AD, you perform the following actions:
• Add the custom domain verigon.com
• Change the user's UPN suffix from verigon.onmicrosoft.com to verigon.com
• Configure single sign-on (SSO) for the pilot user
• Verify that the user can log in successfully to Office 365 with this name
You accidentally removed the single Azure VM AD FS server. The pilot user can no longer log in to Office 365.

What should you run to correct the problem?

A

Set-MsolDomainAuthentication -DomainName verigon.com -Authentication Managed
Convert-MsolFederatedUser -UserPrincipalName test@verigon.com

10
Q

You administer Azure for Nutex, which consists of two forests named nutex.com and metroil.net and two child domains named usa.metroil.net and eu.metroil.net. You have to configure single sign-on (SSO) for Office 365 and other Web applications for all users of both forests. There is an ADFS 3.0 server named ADFS1 in nutex.com and one ADFS 3.0 server named ADFS2 in metroil.net. Directory Synchronization to Azure AD is already configured in both on-premises forests.

To support single sign-on, you have converted your domain to a federated domain with the following cmdlet:

Convert-MsolDomainToFederated -DomainName nutex.com -SupportMultipleDomain

After you execute this command, all users from usa.metroil.net and eu.metroil.net report that they cannot sign in to Office 365.

What rule should you edit on the AD FS server?

A

You have to edit ITR rule 3, because this third rule uses the suffix value of the UPN attribute and generates a new claim called issuerid. For example, the issuerid in the token for a user named User1@metroil.net will be http://metroil.net/adfs/services/trust/. For the UPN suffix usa.metroil.net, the rule will still generate an issuer value of http://metroil.net/adfs/services/trust/ instead of http://usa.metroil.net/adfs/services/trust/.

An issuance transform rule (ITR) controls how claims are issued to a trusting relying party (such as Office 365). By default, the ITR transforms the WindowsAccountName, UPN, and ImmutableID attributes from the claims provider (such as Active Directory) so that these attributes can be used for the token created by the AD FS server, enabling the Office 365 user to be authenticated. The attributes are used to identify the user object in AD.

11
Q

You are the administrator of the forest named nutex.com. Your company consists of two forests, nutex.com and prod.nutex.com. There is an ADFS 3.0 server named ADFS1 in nutex.com and an ADFS 3.0 server named ADFS2 in prod.nutex.com. You created the necessary domain in Azure AD.

Because of business requirements, the enterprise administrators from prod.nutex.com cannot manage SSO configuration in nutex.com. They have installed and configured their own AD FS server. All AD FS servers are Azure VMs accessible through their VIP from the Internet. Both ADFS servers are configured with a valid wildcard certificate for *.nutex.com from DigiCert and the trusted root certificate from DigiCert. Both ADFS services are running. ADFS2 is prepared for a federation trust.

You want to add the ADFS server from prod.nutex.com into your claims provider trust configuration to configure the federation trust between your forest and prod.nutex.com. You get an error message.

You are able to access https://adfs2.prod.nutex.com/federationmetadata/2007-06/federationmetadata.xml, but you cannot add ADFS2 as a claims provider trust.

Your claims provider must trust ADFS2. What configuration change should be made?

A

The problem is the subject name on the certificate. You should have the administrator of prod.nutex.com request a new certificate from DigiCert and replace the old certificate on ADFS2. This is necessary because the root forest domain name, prod.nutex.com, is a subdomain of nutex.com. You require a new certificate from DigiCert. The https://adfs2.prod.nutex.com/adfs/ls URL can then be verified from the Add Claims Provider Trust configuration wizard.

12
Q

Your company has an Active Directory infrastructure with six forests, named metroil.com, nutex.com, verigon.com, dreamsuites.com, cdpress.com, and virtuart.com. Metroil.com has two child domains, north.metroil.com and south.metroil.com. Nutex.com has two child domains, north.nutex.com and south.nutex.com. No other forests have child domains.

There is a forest trust between metroil.com and nutex.com. This is the only forest trust in your AD infrastructure. You plan to prepare your Azure AD custom domains.

You want to ensure that all users from all forests can use Office 365 with single sign-on (SSO). What is the minimum number of verified custom domains you have to add in Azure for your AD infrastructure?

A

You will need at least five Azure AD domains. You need one Azure AD domain for metroil.com and nutex.com, because you have a forest trust between these two forests. If you want to deliver SSO to all users of both forests, a Kerberos trust between both forests has to exist to make SSO possible for a user from forest metroil.com to access Office 365 through nutex.com and a user from nutex.com to access Office 365 through metroil.com.

13
Q

You are the Azure administrator for the Nutex Corporation, which has 750 clients. You manage the Azure AD for these 750 clients through your single Nutex subscription. You know that you can add up to 900 domains to one Office 365 Azure AD subscription. In the last few months, 580 of your clients have switched to Skype for Business Online. You get the order to join 40 additional clients to Skype for Business Online.

You have to ensure that 40 additional clients can use Skype for Business Online. You must use the fewest possible Azure AD subscriptions and minimize administrative effort. What should you do?

A

You should join 20 clients to Skype for Business Online with your current subscription, create a new subscription, and use that subscription to join the remaining 20 clients to that subscription. You can add up to 900 domains to one Office 365 subscription, but Skype for Business Online has a limit of 600 domains. While you still can add up to 900 domains to Office 365, only 600 of them will be available for use with Skype for Business Online. It is less administrative effort to add 20 clients to the current subscription because you would not have to move the domains to a new subscription; you only have to move the domains of the other 20 clients to the new subscription.

14
Q

You are the administrator of the Nutex Corporation. You have integrated the Yammer application as a relying party on your internal AD FS server and added Yammer to your Azure AD.

You want to use the Yammer Sign-on URL for single sign-on (SSO) in Azure AD.

What single sign-on mode should you use?

A

You should choose to use the existing single sign-on mode because this setting is the only setting that you can use with the Yammer Sign-on URL for single sign-on (SSO).

15
Q

You are the administrator of Nutex Corporation. An Azure AD integrated API named Nutex.WebAPI is used for a desktop application named CompanyApp. The application requires read access to Nutex.WebAPI through OAuth 2.0 on behalf of the user of the application.

What is the necessary step in Azure AD to grant CompanyApp read access to Nutex.WebAPI?

A

You will need to configure the read permissions for Nutex.WebAPI through the manifest file. The manifest file can allow the application to access mobile services. In the oauth2Permissions section of that file you can configure permissions. After adding the relevant permissions, you should save the file and upload the changed manifest file back to Azure.

16
Q

You are the administrator of Nutex Corporation. You get a call from your support team that users have problems accessing an Azure AD integrated Web application named CompanyApp. CompanyApp is integrated through the Graph API and was built with Visual Studio 2013.

You have detected that your current key is expired. What is your solution?

A

Generate a new password key, update and deploy your code with the new key, and remove the old key.

17
Q

You administer Azure for the Nutex Corporation. You want to configure a Facebook application in the Azure ACS portal to allow authentication through Azure ACS with a Facebook ID. Which steps should you choose?

A
  1. Go to the Facebook Developers page
  2. Create a new app
  3. Copy the values of the App ID and App Secret fields
  4. Specify the FQDN URL of your namespace
  5. In the Azure Portal, select nutex.com and click Manage
  6. Choose Trust Relationships - Identity Providers, and add the Facebook app
  7. Enter the values for the App ID and App Secret
18
Q

You administer Azure for Nutex, which consists of three forests with the forest root domains nutex.com, corp.nutex.com, and prod.nutex.com. You configure single sign-on (SSO) for Office 365 and other Web applications for all users of all forests. There is an ADFS 3.0 server named ADFS1 in nutex.com, an ADFS 3.0 server named ADFS2 in corp.nutex.com, and an ADFS 3.0 server named ADFS3 in prod.nutex.com. Directory Synchronization is already configured for all on-premises forests. All users from all forests are synchronized to the Office 365 domain nutex.com.

To configure single sign-on, you successfully converted your domain nutex.com on server ADFS1 to a federated domain with the following command:

Convert-MsolDomainToFederated -DomainName nutex.com -SupportMultipleDomain

How many issuance transform rules (ITR) and issuance authorization rules (IAR) will be created on ADFS1 with this command by default?

A

If you use the -SupportMultipleDomain parameter with the Convert-MsolDomainToFederated cmdlet, it will automatically create three issuance transform rules (ITR) and one issuance authorization rule (IAR) on the AD FS server. This parameter is required when you configure federation with multiple top-level domains.

An issuance transform rule (ITR) controls how claims are issued to a trusting relying party (in this scenario, Office 365). By default, the ITR transforms the WindowsAccountName, UPN, and ImmutableID attributes from the claims provider (in this case, Active Directory) so that these attributes can be used for the token created by the AD FS server, enabling the Office 365 user to be authenticated. The attributes are used to identify the user object in AD.

An issuance authorization rule (IAR) controls access to a trusting relying party. In this scenario, the IAR grants access to Office 365 for all users.

Only with the -SupportMultipleDomain parameter will you get a third ITR like the following:

c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/01/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/"));

This third rule uses the suffix value of the UPN attribute and generates a new claim called issuerid. For example, the issuerid in the token for a user named VerigonUser@nutex.com will be http://nutex.com/adfs/services/trust/. For the UPN suffix corp.nutex.com, this rule will still generate an issuerid value of http://nutex.com/adfs/services/trust/ instead of http://corp.nutex.com/adfs/services/trust/, and the rule has to be adjusted to resolve a login error like "Your organization could not sign you in to this service."

19
Q

You are responsible for Azure AD monitoring for Nutex. You log in to the Azure Portal and select your company’s directory. You want to download an Excel file containing information about the password reset activities of your Azure AD users.

You open the reporting feature. What Azure AD report type do you have to select?

A

Activity Logs