Exam MS-102 topic 1 question 90 discussion

Answers are correct Only T4il$pin45dg4 will be allowed to change, the other two have an exact or within 1 character match to the banned passwords: https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad#fuzzy-matching-behavior Lockout period is 10 minutes (600 seconds) meaning on the 11th minute, the count starts again from 1 and would need another 15 bad passwords within the next 9 minutes to lock the user out.

Box 1 - T4il$pin45dg4 Box 2 will be locked out again https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout

Answers correct T4il$pin45dg4 Signs in immediately The account locks again after each subsequent failed sign-in attempt. The lockout period is one minute at first, and longer in subsequent attempts. To minimize the ways an attacker could work around this behavior, we don't disclose the rate at which the lockout period increases after unsuccessful sign-in attempts. https://learn.microsoft.com/en-us/entra/identity/authentication/howto-password-smart-lockout#testing-smart-lockout

If the first sign-in after a lockout period has expired also fails, the account locks out again. If an account locks repeatedly, the lockout duration increases.

I think people are missing the point. 15 bad password attempts does not go over the threshold. Lockout happens on 16th try

Box 1 - T4il$pin45dg4 Box 2 - Can attempt to sign in again immediately. Explanation for Box2: After 15times user will be locked out. If user wait more than 600 seconds, he will be allowed to try again. Now the user has waited 60sec x 11 = 660. That means the user will be allowed to try again immediately

Box 1 - T4il$pin45dg4 Box 2 will be locked out again The reason why the F@lcon does not work is documented here : https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-configure-custom-password-protection#configure-custom-banned-passwords Regarding why its locked out again is found here : https://learn.microsoft.com/en-us/entra/identity/authentication/howto-password-smart-lockout

Smart lockout tracks the last three bad password hashes to avoid incrementing the lockout counter for the same password. If someone enters the same bad password multiple times, this behavior doesn't cause the account to lock out.

All 3 passwords must be allowed , Password is different to Password22 and Falcon as well as F@lcon are not the same thing.

Key here is "Same wrong password" - entering the same wrong password 15 times would only be seen as 1 threshold on the counter so wouldnt trigger a lockout. Therefore the user could just attempt to sign in again. Seems like a poorly worded question or a trick..

Picture is correct. The trap is, that this persons enters the SAME password multiple times. This doesn't count to the lockout policy because of smart lock out . https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout

Box 1 - T4il$pin45dg4 -Each banned password that's found in a user's password is given one point. -Each remaining character that is not part of a banned password is given one point. -A password must be at least five (5) points to be accepted. Box 2 is incorrect The account locks again after each subsequent failed sign-in attempt, for one minute at first and longer in subsequent attempts.

1 Box Correct T4il$pin45dg4 The 2nd Box is incorrect it should be lockout

Box 1 - only T4il$pin45dg4 Box 2 - will be locked

Box1:Only F@lcon and T4il$pin45dg4. Because "a" is replaced "@", and match this policy.

If you fail again after a lockout periode, you are locked again no?