Implement and Manage Hybrid Identity Flashcards

1
Q

What does each of these initialisms stand for?

  • AADC
  • PHS
  • PTA
  • SSO
  • ADFS
  • ADDCH
A
  • Azure Active Directory Connect
  • Password Hash Synchronization
  • Pass-through Authentication
  • Single Sign-on
  • Active Directory Federation Services
  • Azure Active Directory Connect Health
2
Q

Within AADC, define synchronization.

A

Creates users, groups and other objects in Azure AD and keeps their identity information (and, when PHS is enabled, their password hashes) consistent between on-premises AD and the cloud.

3
Q

Within AADC, define password hash synchronization.

A

A sign-in method that synchronizes a hash of the hash of each user's on-premises AD password to Azure AD, so that Azure AD can validate sign-ins itself with no on-premises dependency at sign-in time.

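Worked example of the PHS derivation, added here and not code from the flashcards or from Microsoft. It follows the steps Microsoft documents for the PHS process: the NT hash is MD4 over the UTF-16LE password; the agent expands the 16-byte hash to its 32-character hex string and re-encodes that as UTF-16LE (64 bytes); it runs PBKDF2-HMAC-SHA256 over that with a 10-byte per-user salt for 1000 iterations; and it sends the 32-byte result, salt and iteration count to Azure AD over TLS. The hex casing, the exact byte layout fed to PBKDF2 and all function names here are assumptions, MD4 is implemented inline because OpenSSL 3 only ships it in the legacy provider, and the sample password is constructed:

```python
"""PHS hash derivation from an NT hash (added example, not Microsoft code).

Steps follow Microsoft's published description of password hash
synchronization: NT hash (MD4 over the UTF-16LE password) -> 32-char hex
string -> re-encoded as UTF-16LE (64 bytes) -> PBKDF2-HMAC-SHA256 with a
10-byte per-user salt and 1000 iterations -> 32-byte hash.  Hex casing and
the exact byte layout fed to PBKDF2 are assumptions; the real agent's output
is not specified bit-for-bit.  MD4 is implemented inline because OpenSSL 3
ships it only in the legacy provider.
"""
import hashlib
import os
import struct
from typing import Optional, Tuple

MASK = 0xFFFFFFFF
PHS_ITERATIONS = 1000
SALT_LEN = 10


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of data (little-endian words)."""
    msg = bytearray(data)
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # (round function, message word order, shift schedule, additive constant)
    rounds = (
        (f, list(range(16)), (3, 7, 11, 19), 0x00000000),
        (g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for func, ks, shifts, const in rounds:
            for i in range(16):
                idx = (-i) % 4  # step i updates a, d, c, b in turn
                b, c, d = s[(idx + 1) % 4], s[(idx + 2) % 4], s[(idx + 3) % 4]
                s[idx] = _lrot((s[idx] + func(b, c, d) + x[ks[i]] + const) & MASK, shifts[i % 4])
        state = [(state[j] + s[j]) & MASK for j in range(4)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """What on-premises AD stores: MD4 of the UTF-16LE password, unsalted."""
    return md4(password.encode("utf-16-le"))


def phs_hash(nt: bytes, salt: bytes, iterations: int = PHS_ITERATIONS) -> bytes:
    """What PHS sends to Azure AD: salted PBKDF2-HMAC-SHA256 over the expanded NT hash."""
    if len(nt) != 16 or len(salt) != SALT_LEN:
        raise ValueError("expected a 16-byte NT hash and a 10-byte salt")
    expanded = nt.hex().encode("utf-16-le")  # 32 hex chars -> 64 bytes (casing is an assumption)
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, iterations, dklen=32)


def sync_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes, bytes]:
    """Return (nt_hash, salt, phs_hash) for a password; the salt is random when not given."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    nt = nt_hash(password)
    return nt, salt, phs_hash(nt, salt)


if __name__ == "__main__":
    nt, salt, cloud = sync_record("password")  # constructed sample password
    print("NT hash  :", nt.hex())   # 8846f7eaee8fb117ad06bdd830b7586c
    print("salt     :", salt.hex())
    print("PHS hash :", cloud.hex())  # differs on every run because of the salt
```

The security point this makes concrete: the cleartext password never leaves the domain, and what Azure AD stores is a salted, iterated PBKDF2 output that cannot be reversed to the NT hash or replayed for pass-the-hash against on-premises AD. The derivation is deterministic, though: it starts from the NT hash, not the password, so a domain-controller compromise (for example a DCSync of the NT hashes) remains relevant to cloud sign-in even with PHS, and an offline guess against the cloud value recovers the password exactly as a guess against the NT hash would, only 1000 PBKDF2 rounds slower.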
4
Q

Within AADC, define pass-through authentication.

A

A sign-in method that lets users sign in with the same password on-premises and in the cloud; each password is validated against on-premises AD by lightweight authentication agents, so it doesn't require the infrastructure of a federated environment.

5
Q

Within AADC, define Federation integration.

A

An optional part of Azure AD Connect that configures a hybrid environment using an on-premises AD FS infrastructure, so that sign-in is performed by the federation servers rather than by Azure AD.

6
Q

Within AADC, define health monitoring.

A

Azure AD Connect Health provides monitoring, alerting and usage reporting for the on-premises identity infrastructure (AD FS, Azure AD Connect sync and AD DS) from the Azure portal.

7
Q

What is the difference between PHS and PTA

A

PTA validates every sign-in against on-premises AD through the authentication agents, so all authentication is processed on-premises. PHS only keeps a hash of each user's password hash in Azure AD, so Azure AD validates the password itself and sign-in has no on-premises dependency.

8
Q

What are examples of when Azure AD doesn’t support the authentication requirement natively and a federated service is required?

A
  • Smart cards or certificates
  • Third-party (non-Microsoft) MFA providers
  • Authentication through third-party identity solutions
  • Sign-in with sAMAccountName
9
Q

How do you ensure business continuity when using Federated systems?

A

Load-balancing authentication requests across a farm of federation servers, so the loss of a single server does not take sign-in down.

10
Q

Which of the following require on-premises services?
A. PTA
B. Federated Services

A

Both A and B: PTA needs authentication agents running on-premises, and federation needs an on-premises AD FS farm.

11
Q

What authentication service does Microsoft recommend to protect against on-premises authentication outages?

A

Password hash synchronization, enabled alongside PTA or federation as a backup sign-in method.

12
Q

What subscription level does Microsoft include Identity Protection in?

A

Azure AD Premium P2

13
Q

Which attribute must stay immutable during the lifetime of an object?

A

sourceAnchor (also called immutableId)

14
Q

With federation, what attribute works with userPrincipalName to uniquely identify a user?

A

sourceAnchor

15
Q

What attribute allows objects to “hard match” existing objects in Azure AD with on-premises objects.

A

sourceAnchor

16
Q

What rules does the sourceAnchor attribute value follow? (7)

A
  • fewer than 60 characters
  • no special characters
  • globally unique
  • of type string, integer or binary
  • not based on the user's name (names change)
  • not case-sensitive
  • assigned when the object is created
17
Q

What are the two most common object attributes used as a sourceAnchor?

A
  1. objectGUID
  2. employeeID

18
Q

What format is UPN syntax (RFC 822)?

A

username@domain

19
Q

What attribute does Azure AD Connect use by default as the user's Azure AD sign-in name?

A

userPrincipalName (UPN)

20
Q

Since a verified domain for the UPN suffix is required by Azure AD, what should you do before syncing user accounts?

A

Add the UPN suffix (e.g. contoso.com) as a custom domain in Azure AD and verify it with the DNS record before the first sync.

21
Q

Can Azure AD verify a non-routable domain (e.g. contoso.local)?

A

No. Because the suffix cannot be verified, such users are synchronized with the tenant's default onmicrosoft.com suffix unless their on-premises UPN suffix is first changed to a routable, verified domain.

22
Q

Objects from each connected directory (CD), i.e. the actual directories, are staged here before the provisioning engine processes them.

A

Connector Space (CS)

23
Q

Objects that need to be synced are created here based on the sync rules.

A

Metaverse (MV)

24
Q

They decide which objects will be created (projected) or connected (joined) to objects in the MV.

A

Sync Rules

25
Q

Bundles the process steps of copying objects and their attribute values according to the sync rules between the staging areas and connected directories.

A

Run Profiles

26
Q

List benefits of Azure AD Cloud Sync

A
  • sync multi-forested environments
  • light-weight provisioning agents
  • multiple agents can be used
  • support for groups up to 50k members
27
Q

How often does the Azure AD Cloud Sync run?

A

Every 2 Minutes

28
Q

True or False:

Password hash synchronization is turned on by default with Azure AD Connect Express Settings?

A

True

29
Q

FIPS

A

Federal Information Processing Standard (the US government cryptographic standard a server can be locked down to)

30
Q

What hash algorithm is disabled when a server is locked down to FIPS, and why does that matter for PHS?

A

MD5. The password hash synchronization process depends on MD5, so on a FIPS-locked Azure AD Connect server MD5 must be re-enabled for PHS to work.

31
Q

At what level does Pass-through authentication work?
A. Domain
B. User
C. Tenant

A

C. Tenant (PTA is enabled for the whole tenant, not per domain or per user)

32
Q

True or False:

Azure AD Connect should only be run during the initial synchronization process.

A

False. It runs continuously; the scheduler performs a delta synchronization every 30 minutes by default.

33
Q

Define Hard Match.

A

Azure AD matches the incoming object using the sourceAnchor attribute to the immutableId attribute of objects in Azure AD.

34
Q

Define Soft Match

A

Azure AD falls back to use the ProxyAddresses and UserPrincipalName attributes to find a match.

35
Q

What error occurs for the following scenario?

The hard match does not find any matching object AND soft match finds a matching object but that object has a different value of immutableId than the incoming object’s SourceAnchor, suggesting that the matching object was synchronized with another object from on premises Active Directory.

A

InvalidSoftMatch

36
Q

What feature reduces the number of synchronization errors seen by Azure AD?

A

Azure AD Duplicate Attribute Resiliency

37
Q

What is the most common reason for getting the InvalidSoftMatch error?

A

Two objects with different sourceAnchors have the same value for ProxyAddresses and/or UserPrincipalName.

38
Q

What error occurs for the following scenario?

Two objects of different “object type” (such as User, Group, Contact etc.) have the same values for the attributes used to perform the soft match.

A

ObjectTypeMismatch

39
Q

What is the most common reason for getting the ObjectTypeMismatch error?

A

Two objects of different type (User, Group, Contact etc.) have the same value for the ProxyAddresses attribute.

40
Q

What error occurs for the following scenario?

Azure Active Directory enforces various restrictions on the data itself before allowing that data to be written into the directory.

A

IdentityDataValidationFailed

41
Q

What is the most common reason for getting the IdentityDataValidationFailed error?

A

The UserPrincipalName attribute value has invalid/unsupported characters.

42
Q

What is the most common reason for getting the FederatedDomainChangeError?

A

For a synchronized user, the UserPrincipalName suffix was changed from one federated domain to another federated domain on premises.

43
Q

What error occurs for the following scenario?

The suffix of a user’s UserPrincipalName is changed from one federated domain to another federated domain.

A

FederatedDomainChangeError

44
Q

What error occurs for the following scenario?

When an attribute exceeds the allowed size limit, length limit or count limit set by Azure Active Directory schema.

A

LargeObject

45
Q

What are reasons for getting the LargeObject error?

A
  1. Too many certificates
  2. Too large a thumbnail photo
  3. Too many proxyAddresses
46
Q

What error occurs for the following scenario?

An on-premises user object soft-matches (by UserPrincipalName or ProxyAddresses) an existing Azure AD user object that has an administrative role assigned.

A

Admin role conflict

47
Q

What is the reason for getting the Admin role conflict error?

A

Azure AD Connect is not allowed to soft match a user object from on-premises AD with a user object in Azure AD that has an administrative role assigned to it.
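The matching rules and sync errors in cards 33 to 39 and 46 to 47 as one resolver, added here and not Azure AD Connect's own code: hard match on sourceAnchor against immutableId first, then soft match on UserPrincipalName or ProxyAddresses, returning the error each soft-match outcome produces. The object layouts and the tenant below are constructed, and the order of the checks after a soft match (object type, then immutableId, then admin role) is an assumption, since the documentation describes each error separately rather than their precedence:

```python
"""Hard/soft match resolution in the style of Azure AD Connect.

Added example, not Microsoft code.  Object layouts, the check order after a
soft match and the sample tenant are all constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class CloudObject:
    """An object already present in Azure AD (constructed sample data)."""
    object_type: str                       # "User", "Group" or "Contact"
    upn: Optional[str]
    immutable_id: Optional[str] = None     # populated once the object has been synced
    proxy_addresses: Set[str] = field(default_factory=set)
    admin_roles: Set[str] = field(default_factory=set)


@dataclass
class OnPremObject:
    """An incoming object from the on-premises connector space."""
    object_type: str
    source_anchor: str
    upn: Optional[str]
    proxy_addresses: Set[str] = field(default_factory=set)


def _norm(values: Set[str]) -> Set[str]:
    # SMTP addresses compare case-insensitively; "SMTP:" vs "smtp:" is only the primary flag.
    return {v.lower() for v in values}


def resolve(incoming: OnPremObject, tenant: List[CloudObject]) -> Tuple[str, Optional[CloudObject]]:
    """Return (outcome, matched cloud object); outcome names follow the sync error names."""
    # 1. Hard match: sourceAnchor == immutableId wins outright.
    for obj in tenant:
        if obj.immutable_id is not None and obj.immutable_id == incoming.source_anchor:
            return "HardMatch", obj
    # 2. Soft match: fall back to UserPrincipalName / ProxyAddresses.
    for obj in tenant:
        same_upn = bool(incoming.upn and obj.upn and incoming.upn.lower() == obj.upn.lower())
        shared_proxy = bool(_norm(incoming.proxy_addresses) & _norm(obj.proxy_addresses))
        if not (same_upn or shared_proxy):
            continue
        if obj.object_type != incoming.object_type:
            return "ObjectTypeMismatch", obj       # e.g. a Group sharing a User's proxyAddress
        if obj.immutable_id is not None and obj.immutable_id != incoming.source_anchor:
            return "InvalidSoftMatch", obj        # already bound to a different on-prem object
        if obj.admin_roles:
            return "AdminRoleConflict", obj       # soft match onto an admin account is refused
        return "SoftMatch", obj
    return "Create", None


# Constructed tenant: one synced user, one cloud-only user, one user synced from a
# different anchor, a group, and a cloud-only Global Administrator.
TENANT = [
    CloudObject("User", "alice@contoso.com", immutable_id="anchor-alice"),
    CloudObject("User", "bob@contoso.com", proxy_addresses={"SMTP:bob@contoso.com"}),
    CloudObject("User", "carol@contoso.com", immutable_id="anchor-carol-old",
                proxy_addresses={"SMTP:carol@contoso.com"}),
    CloudObject("Group", None, proxy_addresses={"SMTP:sales@contoso.com"}),
    CloudObject("User", "admin@contoso.com", admin_roles={"Global Administrator"}),
]


def demo() -> Dict[str, str]:
    """Run the resolver over constructed incoming objects; returns name -> outcome."""
    incoming = {
        "alice": OnPremObject("User", "anchor-alice", "alice@contoso.com"),
        "bob": OnPremObject("User", "anchor-bob", "bob@contoso.com"),
        "carol": OnPremObject("User", "anchor-carol-new", "carol@contoso.com"),
        "sales-as-user": OnPremObject("User", "anchor-x", "x@contoso.com", {"smtp:sales@contoso.com"}),
        "admin": OnPremObject("User", "anchor-admin", "admin@contoso.com"),
        "dave": OnPremObject("User", "anchor-dave", "dave@contoso.com"),
    }
    return {name: resolve(obj, TENANT)[0] for name, obj in incoming.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14} -> {outcome}")
```

Two things the resolver makes visible that the cards state separately: a hard match never produces InvalidSoftMatch, which is why setting immutableId (hard matching) is the remedy when a soft match is refused, and the admin-role refusal is a deliberate guard, since an on-premises account that soft-matched a Global Administrator would inherit that role through sync.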

48
Q

What license is needed to use Azure AD Connect Health?

A

Azure AD Premium P1

49
Q

What services are installed with Azure AD Connect Health AD FS?

A
  • Diagnostics Service
  • Insights Service
  • Monitoring Service
50
Q

What role can manage access, view all information, and change settings within Azure AD Connect Health?

A

Owner

51
Q

What role can view all information and change settings in Azure AD Connect Health?

A

Contributor

52
Q

What role can only view all information in Azure AD Connect Health?

A

Reader

53
Q

What button in Azure AD Connect Health will help you identify an orphaned user?

A

Diagnose

54
Q

What is the defining feature of hybrid identity solutions?

A

They create common user identities for authentication and authorization to both on-premises and cloud-based resources.

55
Q

Which authentication method requires the least effort regarding deployment, maintenance, and infrastructure?

A

Password hash synchronization (PHS)

56
Q

Some situations might require the removal of a server from being monitored by the Azure AD Connect Health service. What needs to be done to start monitoring the same server again?

A

The Health Agent needs to be uninstalled and reinstalled on this server.