Exam AZ-500 topic 2 question 103 discussion

Confirmed in my lab, you'll get " Unfortunately, you can't use that password because it contains words or characters that have been blocked by your administrator. Please try again with a different password." when you select either of those password.

Audit or not it doesn't matter in this scenario. The question is about Azure AD users where Password Protection is enabled. PP is composed by 2 lists: Microsoft and Custom Banned Password list. Evaluating proccess will be: C0nt0s0. - contoso will get 1 point as it is in Custom Banned Password list + 1 point for "." = 2 points F@brikamHQ. - fabrikam will get 1 point as it is in Custom Banned Password list + 2 points for HQ + 1 point for "." = 4 points. You need 5 for password to be accepted. Product123. - product will get 1 point as it is in Custom Banned Password list + 1 point for each character in 123 + 1 point for "." = 5 points. So I will say that the password for User3 might be accepted but as we don't have the option for "User1 and User2 only", I suppose that "123" is a combination included in Microsoft Banned Password list and if it so - this fact sucks as nobody knows what it contains, you have to test it because you won't find it in any documentation.

It is Normalization guys.. Answer is E Link https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad#how-are-passwords-evaluated

The custom banned password list considers common character substitution, such as "o" and "0", or "a" and "@". For that reason all three are banned. https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-configure-custom-password-protection#what-are-banned-password-lists

This is because Azure AD Password Protection is designed to check passwords for patterns including sequences of prohibited characters, even when some letters are stripped for numbers or special characters. It performs a thorough check of passwords against a list of banned words and common patterns to improve password security. In this case, the passwords "C0nt0s0", "F@brikamHQ", and "Pr0duct123" contain variations of prohibited words in the custom list, such as "Contoso", "Fabrikam", and "Product", and are therefore considered insecure by Azure AD password protection. The tool is sensitive to substitutions of letters for numbers, special characters and other variations, as these practices still result in predictable and insecure passwords.

On exam 7/8/23. Answers are correct as audit mode only.

E. User1, User2, and User3

I think all attempts will pass thr successfully as the setting enable password protection on Windows AD is set to NO but in answers there is no such option. Something is wrong here Can some one please verify?

Set the option for Enable password protection on Windows Server Active Directory to Yes. When this setting is set to No, all deployed Azure AD Password Protection DC agents go into a quiescent mode where all passwords are accepted as-is. No validation activities are performed, and audit events aren't generated.

https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-operations