Implement and Manage Hybrid Identity

Question 1

What does each of these initialisms stand for?

• AADC
• PHS
• PTA
• SSO
• ADFS
• ADDCH

Answer 1

• Azure Active Directory Connect
• Password Hash Synchronization
• Pass-through Authentication
• Single Sign-on
• Active Directory Federated Services
• Azure Active Directory Connect Health

Question 2

Within AADC, define synchronization.

Answer 2

Creates users, groups, other objects, and password hashes ensuring on-premises matches the cloud.

Question 3

Within AADC, define password hash synchronization.

Answer 3

Sign-in method that synchronizes a hash of user’s on-premises AD password with Azure AD.

Question 4

Within AADC, define pass-through authentication.

Answer 4

A sign-in method that allows users to use the same password on-premises and in the cloud, but doesn’t require the additional infrastructure of a federated environment.

Question 5

Within AADC, define Federation integration.

Answer 5

An optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure.

Question 6

Within AADC, define health monitoring.

Answer 6

Azure AD Connect Health provides robust monitoring.

Question 7

What is the difference between PHS and PTA

Answer 7

PTA processes all authentication on-premises. PHS is just ensuring the same password exists in both places.

Question 8

What are examples of when Azure AD doesn’t support the authentication requirement natively and a federated service is required?

Answer 8

• Smartcards or Certificates
• MFA Providers (not Microsoft)
• Authentication via 3rd Parties
• Sign in with sAMAccountName

Question 9

How do you ensure business continuity when using Federated systems?

Answer 9

Load-balancing authentication requests among a server farm.

Question 10

Which one of the following are require on-premises services?
A. PTA
B. Federated Services

Answer 10

A

B

Question 11

What authentication service does Microsoft recommend to protect against on-premises authentication outages?

Answer 11

password hash synchronization

Question 12

What subscription level does Microsoft include Identity Protection in?

Answer 12

Azure AD Premium 2

Question 13

An attribute immutable during the lifetime of an object.

Answer 13

sourceAnchor (aka immutableID)

Question 14

With federation, what attribute works with userPrincipalName to uniquely identify a user?

Answer 14

sourceAnchor

Question 15

What attribute allows objects to “hard match” existing objects in Azure AD with on-premises objects.

Answer 15

sourceAnchor

Question 16

What rules does the sourceAnchor attribute value follow? (7)

Answer 16

• less than 60 characters
• no special characters
• globally unique
• string, integer, binary
• not based on user’s name
• not case-sensitive
• assigned when object is created

Question 17

What are the two most common object attributes used as a sourceAnchor?

Answer 17

1. objectGuid

2. employeeID

Question 18

What format is UPN syntax (RFC 822)?

Answer 18

username@domain

Question 19

What attribute does Azure AD Connect use by default to authenticate a user?

Answer 19

UPN

Question 20

Since a verified domain for the UPN suffix is required by Azure AD, what should you do before syncing user accounts?

Answer 20

Add and verify the UPN suffix (e.g. contoso.com) to Azure AD

Question 21

Can Azure AD verify a non-routable domain (e.g. contoso.local)?

Answer 21

No

Question 22

Objects from each connected directory (CD), the actual directories, are staged here first before they can be processed by the provisioning engine.

Answer 22

Connector Space (CS)

Question 23

Objects that need to be synced are created here based on the sync rules.

Answer 23

Metaverse (MV)

Question 24

They decide which objects will be created (projected) or connected (joined) to objects in the MV.

Answer 24

Sync Rules

Question 25

Bundles the process steps of copying objects and their attribute values according to the sync rules between the staging areas and connected directories.

Answer 25

Run Profiles

Question 26

List benefits of Azure AD Cloud Sync

Answer 26

• sync multi-forested environments
• light-weight provisioning agents
• multiple agents can be used
• support for groups up to 50k members

Question 27

How often does the Azure AD Cloud Sync run?

Answer 27

Every 2 Minutes

Question 28

True or False:

Password hash synchronization is turned on by default with Azure AD Connect Express Settings?

Answer 28

True

Question 29

FIPS

Answer 29

Federal Information Processing Standard

Question 30

What is disabled under FIPS?

Answer 30

MD5

Question 31

At what level does Pass-through authentication work?
A. Domain
B. User
C. Tenant

Answer 31

C. Tenant

Question 32

True or False:

Azure AD Connect should only be run during the initial synchronization process.

Answer 32

False

Question 33

Define Hard Match.

Answer 33

Azure AD matches the incoming object using the sourceAnchor attribute to the immutableId attribute of objects in Azure AD.

Question 34

Define Soft Match

Answer 34

Azure AD falls back to use the ProxyAddresses and UserPrincipalName attributes to find a match.

Question 35

What error occurs for the following scenario?

The hard match does not find any matching object AND soft match finds a matching object but that object has a different value of immutableId than the incoming object’s SourceAnchor, suggesting that the matching object was synchronized with another object from on premises Active Directory.

Answer 35

InvalidSoftMatch

Question 36

What feature redues the number of synchronization errors seeen by Azure AD?

Answer 36

Azure AD Duplicate Attribute Resiliency

Question 37

What is the most common reason for getting the InvalidSoftMatch error?

Answer 37

Two objects with different sourceAnchors have the same value for the ProxyAddress and/or UserPrincipalName

Question 38

What error occurs for the following scenario?

Two objects of different “object type” (such as User, Group, Contact etc.) have the same values for the attributes used to perform the soft match.

Answer 38

ObjectTypeMismatch

Question 39

What is the most common reason for getting the ObjectTypeMismatch error?

Answer 39

The ObjectTypeMismatch error is two objects of different type (User, Group, Contact etc.) have the same value for the ProxyAddresses attribute.

Question 40

What error occurs for the following scenario?

Azure Active Directory enforces various restrictions on the data itself before allowing that data to be written into the directory.

Answer 40

ObjectTypeMismatch

Question 41

What is the most common reason for getting the IdentityData ValidationFailed error?

Answer 41

The UserPrincipalName attribute value has invalid/unsupported characters.

Question 42

What is the most common reason for getting the FederatedDomainChangeError?

Answer 42

For a synchronized user, the UserPrincipalName suffix was changed from one federated domain to another federated domain on premises.

Question 43

What error occurs for the following scenario?

The suffix of a user’s UserPrincipalName is changed from one federated domain to another federated domain.

Answer 43

FederatedDomainChangeError

Question 44

What error occurs for the following scenario?

When an attribute exceeds the allowed size limit, length limit or count limit set by Azure Active Directory schema.

Answer 44

LargeObject

Question 45

What are reasons for getting the LargeObject error?

Answer 45

1. Too many certificates
2. Too large thumbnail photo
3. Too many proxyAddresses

Question 46

What error occurs for the following scenario?

A users object has administrative permissions and the same UserPrincipalName as an existing Azure AD object.

Answer 46

Admin role conflict

Question 47

What is the reason for getting the Admin role conflict error?

Answer 47

Azure AD Connect is not allowed to soft match a user object from on-premises AD with a user object in Azure AD that has an administrative role assigned to it.

Question 48

What license is needed to use Azure AD Connect Health?

Answer 48

Azure AD Premium P1

Question 49

What services are installed with Azure AD Connect Health AD FS?

Answer 49

• Diagnostics Service
• Insights Service
• Monitoring Service

Question 50

What role can manage access, view all information, and change settings within Azure AD Connect Health?

Answer 50

Owner

Question 51

What role can view all information and change settings in Azure AD Connect Health?

Answer 51

Contributor

Question 52

What role can only view all information in Azure AD Connect Health?

Answer 52

Reader

Question 53

What button in Azure AD Connect Health will help you identify an orphaned user?

Answer 53

Diagnose

Question 54

What is the defining feature of hybrid identity solutions?

Answer 54

They create common user identities for authentication and authorization to both on-premises and cloud-based resources.

Question 55

Which authentication method requires the least effort regarding deployment, maintenance, and infrastructure?

Answer 55

Password hash synchronization (PHS)

Question 56

Some situations might require the removal of a server from being monitored by the Azure AD Connect Health service. What needs to be done to start monitoring the same server again?

Answer 56

The Health Agent needs to be uninstalled and reinstalled on this server.