Exam SC-300 topic 1 question 69 discussion

Actual exam question from Microsoft's SC-300
Question #: 69
Topic #: 1

HOTSPOT

Your network contains an on-premises Active Directory Domain Services (AD DS) domain named fabrikam.com. The domain contains an Active Directory Federation Services (AD FS) instance and a member server named Server1 that runs Windows Server. The domain contains the users shown in the following table.



You have a Microsoft Entra tenant named contoso.com that is linked to a Microsoft 365 subscription.

You establish federation between fabrikam.com and contoso.com by using a Microsoft Entra Connect instance that is configured as shown in the following exhibit.



You perform the following tasks in contoso.com:

• Create a group named Group1.
• Disable User2.
• Enable User3.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

MatExam
Highly Voted 1 year, 2 months ago
I would say:
Yes: Group1 is created in the Entra ID tenant, and the user is synced, so this is possible. It doesn't state that the group should be visible on-prem.
Yes: The user is a directory-synced user, so authority lies on-prem. Disabling it from the Entra ID portal will have no effect. The server is also an on-prem server. Disabling should be done in on-prem AD DS.
No: for the same reason as above, you enable the account in the Entra ID tenant, but the account is directory synced, so authority lies with the on-prem AD, enabling from the portal is not possible...
upvoted 22 times
test123123
3 months, 3 weeks ago
Agreed.
upvoted 1 times
...
naveenbio
4 months, 3 weeks ago
It is correct (YES, YES & NO)
upvoted 1 times
...
krisbla
5 months, 3 weeks ago
Where did it say Group 1 was created in the Entra ID Tenant and synced? I see a yellow triangle with "!" on Group writeback.
upvoted 1 times
...
ultravincent
1 year, 1 month ago
Funny how the correct answers are the exact opposite of what is shown as the solution. 3/3 wrong.
upvoted 5 times
...
...
mkendell
Highly Voted 11 months, 1 week ago
The question states that changes are made in Contoso (the Azure domain, not on-prem). Password writeback and hash synchronisation are enabled. So my answers are:
Yes: Group1 is created in the Entra ID tenant, and the user is synced and enabled.
Yes: The user is directory-synced, but even with writeback enabled, disabling the account from the Entra ID portal will not lock out the corresponding on-prem account.
No: the account is directory synchronised and will lock again if you try to enable it.
upvoted 7 times
...
AcTiVeGrEnAdE
Most Recent 1 day, 4 hours ago
Yes, Yes, No. The provided answers are incorrect.
upvoted 1 times
...
d1e85d9
1 month, 3 weeks ago
1. Yes: Federation is ON, so a 6-character password doesn't impact the sync to Azure.
2. Yes: User2 is still enabled in on-prem AD. There is no writeback for users, so the user in Azure AD will NOT sync to on-prem AD.
3. No: Same as User2, enabling User3 will not write back to on-prem AD.
upvoted 1 times
d1e85d9
3 weeks, 5 days ago
Actually, the given answers are correct.
1. NO - 6 characters cannot sync even if Fed is enabled.
2. NO - User2 has been disabled in the last paragraph of the question. Writeback is enabled... so User2 has been disabled.
3. YES - User3 has been enabled in the last paragraph of the question, so can.
upvoted 2 times
...
...
psp65
1 month, 3 weeks ago
NYN. If you disable or enable a synced user from online, the user state will be reset by Entra Connect according to the user's state on-prem. Furthermore, a user won't be synced if his password is less than 8 characters.
upvoted 1 times
...
bardock100
2 months, 1 week ago
1. No - Because User1 is not synchronised to Entra because he has a 6-character password. You need an 8-character password to sync a user from AD to Entra.
2. Yes - User2 exists in AD and can log in to Server1, which is in local AD. Disabling an account in Entra does not disable it in AD; it only works one way, from AD to Entra. Only passwords work both ways if password writeback is enabled.
3. Yes - User3 is in Entra and is now enabled after following steps: Enable User3.
upvoted 3 times
...
YesPlease
2 months, 1 week ago
No: because you are doing a federated connection to o365, the user needs a minimum password of 8 characters to be allowed on o365.
No: federation means a sync between both systems, so disabling on the o365 side will disable them on the local system too.
Yes: the user meets minimum password requirements for o365 and was enabled.
upvoted 2 times
...
Frank9020
3 months ago
Correct answer is:
You can add User1 to Group1. ✅ Yes
User2 can sign in to Server1. ✅ Yes (because Server1 is on-prem)
User3 can sign in to Microsoft 365. ✅ Yes, User3 can sign in to Microsoft 365 because it is cloud based, and since PHS is enabled, User3 can authenticate directly against Microsoft Entra ID without needing on-premises AD authentication.
upvoted 2 times
...
rtsh06
5 months ago
This is what I feel should be the correct answer. I am open to feedback. Please let me know if there is anything wrong.
Box 1: No. Group Writeback is not enabled.
Box 2: No. User 2 can sign in to Server 1. As User2 is disabled, it will not allow him to sign in to Server.
Box 3: Yes, User3 is enabled, so he should be able to sign in to Microsoft 365.
upvoted 2 times
...
HartMS
1 year ago
YYY. In summary: The cloud-enabled status benefits User 3 for M365 access, but the disabled on-prem status prevents them from logging into Server1. User 2 can access Server1 with valid credentials because their cloud status isn't relevant for on-prem authentication via ADFS.
upvoted 2 times
armid
2 months, 2 weeks ago
This! Federating means all authentication happens on premise. The password hash sync only ensures users can sign in to M365 in case your on-prem FS servers fail.
So can you add User1 to Group1 in the cloud space? YES, it just won't be available on premise.
Can User2 sign in to Server1? YES. Remember all auth is on premise. We disabled this user in the cloud, which has no effect for the on-prem environment.
Can User3 log in to M365? YES, we enabled it on prem and all authentication is on prem with federated services.
upvoted 1 times
armid
2 months, 1 week ago
Apologies, obviously I got confused about where we enabled User3 in the Q. We enable it in Entra! So NO for #3.
YES - I think User1 syncs even though the PW doesn't meet complexity for Entra; however, we sync only the hash, so I don't think Entra "knows" what the clear text password is.
YES - disabling in cloud will not disable it on prem; actually it will get enabled in cloud again during next sync. Anyway, no reason why he couldn't sign into the on-prem server.
NO - same as above but the other way around. The account will get re-disabled on next sync.
upvoted 1 times
...
...
...
emartiy
1 year, 1 month ago
It says 3 actions performed at contoso.com (isn't it AD DS instead of Entra ID?). So, you can add User1 to Group1 in AD DS. User2 is disabled, can't sign in to any server. User3 can sign in to Entra since the password length is sufficient for Entra ID SSPR etc. YES - NO - YES would be my selections for this question.
upvoted 4 times
...
einkaufacs
1 year, 2 months ago
I am confused. If you have a synced user, you cannot enable or disable the user in Azure AD. You do this in the AD DS.
upvoted 3 times
Ody
1 year, 2 months ago
It says we have write-back turned on and I haven't tested it, but Entra ID now has a disable option on the User. I also see it on a synched user.
upvoted 2 times
Ody
1 year, 2 months ago
This seems to imply that disabling in Azure will only cause Entra ID connect to re-enable it in the tenant. https://learn.microsoft.com/en-us/answers/questions/1072787/how-do-i-get-actions-such-as-disabling-an-account
upvoted 3 times
...
...
...
[Removed]
1 year, 3 months ago
Why would the first one be no?
upvoted 1 times
Ody
1 year, 2 months ago
I was thinking it was due to the 8 character minimum in Entra ID
upvoted 2 times
Ody
1 year, 2 months ago
Rethinking this and think the answer should be Yes for User 1. "The Microsoft Entra password policy doesn't apply to user accounts synchronized from an on-premises AD DS environment using Microsoft Entra Connect, unless you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers." https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy
upvoted 2 times
krisbla
5 months, 2 weeks ago
1 is NO, there is an 8 character limit in Entra, they'll be prompted to change the password to meet the policy but the question is, "Can they log in?" ---> "No." (check link above)
upvoted 1 times
armid
2 months, 1 week ago
But you only sync the hash? So technically Entra doesn't know what the password is.
upvoted 1 times
...
...
...
...
Tim1119
1 year, 3 months ago
You can add the user to the group, however it is not available on-premise as group writeback is not enabled.
upvoted 1 times
...
...