Exam MS-102 topic 1 question 91 discussion

B. Cloud user won't be affected. Why? Because Pass-through auth is ON for the on-prem soured users. Password Hash Sync is not an auto-fallback kind of a thing. Therefore, those users cannot authenticate without some work on the configuration to enable it, since the authentication happens on-prem.

I would choose A. According to the MS documentation: "Does password hash synchronization act as a fallback to Pass-through Authentication? No. Pass-through Authentication does not automatically failover to password hash synchronization. To avoid user sign-in failures, you should configure Pass-through Authentication for high availability." https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/how-to-connect-pta-faq#does-password-hash-synchronization-act-as-a-fallback-to-pass-through-authentication- Therefore, without any admin actions, authentication won't be possible for any user until the admin make some changes on the tenant.

Explanation: You're using Azure AD Connect with both: Password Hash Sync (PHS) – Enabled Pass-through Authentication (PTA) – Enabled When internet connectivity to on-premises AD is lost, only users who can authenticate directly with Azure AD (i.e., via Password Hash Sync) will still be able to sign in. Let's analyze the users: User1: Source is Azure AD, so it's a cloud-only user. ✅ Can authenticate directly with Azure AD. User2: Sourced from AD DS, but has signed in previously, and Password Hash Sync is enabled. ✅ Can authenticate using PHS when AD connectivity is down. User3: Sourced from AD DS and has never signed in. ❌ Likely no password hash synced yet — can't authenticate if connectivity is lost. ✅ Final Answer: User1 and User2 only ______________________________________________

B is true. PTA doesn't fallback automatically to Password Hash. Since user1 is a cloud only user, user 1 will still be able to login.

My selection is B User 1 only. Direct authentication requires the local network to be available.

The users have been synched then connection to on prem was lost . So you cant log in to on prem but can you log in to the cloud . The question asks “You need to identify which users will be able to authenticate by using Azure AD if connectivity between on-premises Active Directory and the internet is lost. Which users should you identify?” So yes you will be able to log in to azure and seeing the creds for all three users have been synched previously then I would choose D

Lost connection

L'utilisateur 1 uniquement. L'authentification directe nécessite que le réseau local soit disponible or le hachage dee mot de passe crypte les mots de passes et les stocke dans l' entra id

https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/choose-ad-authn

https://www.reddit.com/r/Office365/comments/zqmfho/passthrough_authentication_and_password_hash/

Initially i thought User1 and User2 but then realised that a change would be needed to switch to PHS. User1 being cloud only wouldnt be impacted so answer is B.

Chat GPT say only User1 because in the event of a connectivity loss between on-premises Active Directory and the internet, User1 will be able to authenticate using Azure AD because they are cloud-native and have the necessary authentication methods enabled. User2 may face authentication issues as they rely on on-premises AD DS for authentication, and User3 is not provisioned in Azure AD, so they won't be able to authenticate through Azure AD.

Hash Sync syncs every 2 min, so if on prem communication is down i would not think that the authentication will happen

Vote for B

Correct Answer B, Cloud User won't be affected. Tested on my lab.

User1 is a cloud only user, no ? So i think he will be able to authenticate by Azure AD. So B for me.

it Should be A