
Exam MS-100 topic 3 question 43 discussion

Actual exam question from Microsoft's MS-100
Question #: 43
Topic #: 3

HOTSPOT -
Your network contains an on-premises Active Directory domain named contoso.com that syncs to Azure Active Directory (Azure AD).
You have users in contoso.com as shown in the following table.

The users have the passwords shown in the following table.

You implement password protection as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: No -
User1's password contains the banned password 'Contoso'. However, User1 will not be required to change his password at the next sign-in. When the password expires, or when User1 (or an administrator) changes the password, the new password will be evaluated and will have to meet the password requirements.

Box 2: Yes -
Password evaluation goes through several steps, including normalization and substring matching. Substring matching is run on the normalized password to check for the user's first and last name as well as the tenant name. Normalization is the process of converting common letter substitutes back into letters. For example, 0 converts to o, $ converts to s, and so on.
The next step is to identify all instances of banned passwords in the user's normalized new password. Then:
1. Each banned password that is found in a user's password is given one point.
2. Each remaining unique character is given one point.
3. A password must be at least five (5) points for it to be accepted.
'C0nt0s0' becomes 'contoso' after normalization. Therefore, C0nt0s0_C0mplex123 contains one instance of the banned password (contoso) so that equals 1 point. After 'contoso', there are 11 unique characters. Therefore, the score for 'C0nt0s0_C0mplex123' is 12. This is more than the required 5 points so the password is acceptable.
Box 3:
The 'Password protection for Windows Server Active Directory' is in 'Audit' mode. This means that the password protection rules are not applied. Audit mode is for logging policy violations before putting the password protection 'live' by changing the mode to 'enforced'.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad
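To make the scoring walk-through above concrete, here is an added Python illustration of the evaluation steps the suggested answer describes (lower-casing, undoing common character substitutions, substring matching against banned terms, then scoring). It is not Microsoft's implementation and is not code from this page: the substitution table contains only the three pairs the page mentions (0/o, $/s, 1/l), the banned list is a constructed example containing the tenant name `contoso` plus `password`, the fuzzy (edit-distance) matching of the real service is omitted, and the "one point per remaining character" rule follows the Microsoft documentation wording quoted in the comments below. Function names such as `normalize` and `evaluate` are this example's own.

```python
"""Toy model of Azure AD Password Protection scoring (added illustration, not Microsoft code).

Steps modelled, following the page's description:
  1. normalise: lower-case, then undo common character substitutions
  2. find banned terms (tenant name, custom list) as substrings of the normalised password
  3. score = 1 point per banned term found + 1 point per remaining character
  4. accept if score >= 5
"""
import re
from dataclasses import dataclass

# Only the substitutions named on the page; the real service's table is larger (assumption).
SUBSTITUTIONS = str.maketrans({"0": "o", "$": "s", "1": "l"})

# Constructed banned list for the example: the tenant name from the question plus a
# word that would plausibly be on the global list (not taken from the page).
EXAMPLE_BANNED = {"contoso", "password"}

MIN_SCORE = 5  # "A password must be at least five (5) points for it to be accepted."


def normalize(password: str) -> str:
    """Lower-case the password and map substitute characters back to letters."""
    return password.lower().translate(SUBSTITUTIONS)


@dataclass
class Evaluation:
    normalized: str
    matches: list[tuple[str, int]]  # (banned term, offset in normalised password)
    score: int
    accepted: bool


def evaluate(password: str, banned: set[str], extra_terms: tuple[str, ...] = ()) -> Evaluation:
    """Score a candidate password against banned terms.

    extra_terms models the per-user terms the page mentions (first name, last name);
    they are normalised and treated exactly like banned-list entries.
    """
    normalized = normalize(password)
    terms = {normalize(t) for t in (*banned, *extra_terms) if t}
    covered = [False] * len(normalized)
    matches: list[tuple[str, int]] = []

    # Longest terms first so that a longer banned word is not broken up by a shorter one.
    for term in sorted(terms, key=len, reverse=True):
        for m in re.finditer(re.escape(term), normalized):
            span = range(m.start(), m.end())
            if any(covered[i] for i in span):
                continue  # already counted as part of another banned term
            for i in span:
                covered[i] = True
            matches.append((term, m.start()))

    # One point per banned term found, one point per character not inside any banned term.
    score = len(matches) + covered.count(False)
    return Evaluation(normalized, sorted(matches, key=lambda t: t[1]), score, score >= MIN_SCORE)


if __name__ == "__main__":
    for candidate in ("C0nt0s0_C0mplex123", "C0nt0s0", "Contoso1!", "PasswordContoso"):
        result = evaluate(candidate, EXAMPLE_BANNED)
        verdict = "accepted" if result.accepted else "rejected"
        print(f"{candidate!r:22} -> {result.normalized!r:22} matches={result.matches} "
              f"score={result.score} {verdict}")
```

Running the block reproduces the page's walk-through: 'C0nt0s0_C0mplex123' normalises to 'contoso_complexl23', the single 'contoso' hit scores 1, the eleven remaining characters score 11, and the total of 12 clears the threshold of 5. The other candidates show the failure side: a bare substituted 'C0nt0s0' scores 1, and a password built only from two banned words scores 2 even though it is fifteen characters long.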

Comments

lucidgreen
Highly Voted 4 years ago
The policy is in Audit mode. So it isn't enforced. Passwords can be whatever they want.
upvoted 11 times
Scooter454
3 years, 12 months ago
Audit mode is only for Active Directory accounts. It is enabled for Azure users, so User 1 and User 2 have this policy applied.
upvoted 14 times
charat
2 years, 10 months ago
That's incorrect. "Audit mode is intended as a way to run the software in a "what if" mode. Each Azure AD Password Protection DC agent service evaluates an incoming password according to the currently active policy. If the current policy is configured to be in audit mode, "bad" passwords result in event log messages but are processed and updated. This behavior is the only difference between audit and enforce mode. All other operations run the same."
upvoted 2 times
ColmTheMeanie
Most Recent 2 years, 1 month ago
This has irritated me so I worked it out.
1, N - that's straightforward if you know these policies.
2, Y - Here's why: Each banned password that's found in a user's password is given one point. Each remaining character that is not part of a banned password is given one point. A password must be at least five (5) points to be accepted. C0nt0s0 normalised to contoso = 1. Complex - C=0 O=0 M=1 P=1 L=1 E=1 X=1 1=1 2=1 3=1, so it's a score of 9, so it's OK.
3, Y - You can see without going too much into it: 1=1 2=1 3=1, that's 3 already, then 1 point for contoso, that's 4, and for "MyPassword" it's a point for every letter not in contoso. Pretty sure that's right. Audit still applies if it's including and on-prem AD.
upvoted 1 times
ColmTheMeanie
2 years, 1 month ago
and the reference https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad#how-are-passwords-evaluated
upvoted 1 times
TechMinerUK
2 years, 10 months ago
The answer is correct due to the following:
1. AADPP doesn't assess existing passwords. I can testify to this, as when rolling it out, if a user has a password deemed unacceptable they will not be automatically forced to reset it.
2. As mentioned here (https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad#how-are-passwords-evaluated), even if a password contains words which are banned, providing the score is over 5 it will be accepted.
3. The picture illustrates that AADPP is not being enforced on-prem, so if a user has a banned password in AD it will be audited but not banned.
upvoted 3 times
[Removed]
2 years, 11 months ago
From: https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-configure-custom-password-protection
"What are banned password lists? Azure AD includes a global banned password list. The contents of the global banned password list isn't based on any external data source. Instead, the global banned password list is based on the ongoing results of Azure AD security telemetry and analysis. When a user or administrator tries to change or reset their credentials, the desired password is checked against the list of banned passwords. The password change request fails if there's a match in the global banned password list. You can't edit this default global banned password list."
The URL talks about when a user changes or resets a password; if it is already set, User1 doesn't need to change their password.
upvoted 1 times
[Removed]
2 years, 11 months ago
More info: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-faq#does-azure-ad-password-protection-validate-existing-passwords-after-being-installed
"Does Azure AD Password Protection validate existing passwords after being installed? No - Azure AD Password Protection can only enforce password policy on cleartext passwords during a password change or set operation. Once a password is accepted by Active Directory, only authentication-protocol-specific hashes of that password are persisted. The clear-text password is never persisted, therefore Azure AD Password Protection cannot validate existing passwords. After initial deployment of Azure AD Password Protection, all users and accounts will eventually start using an Azure AD Password Protection-validated password as their existing passwords expire normally over time. If desired, this process can be accelerated by a one-time manual expiration of user account passwords. Accounts configured with "password never expires" will never be forced to change their password unless manual expiration is done."
upvoted 1 times
musiman
3 years ago
It should be N N Y. User2 wants to use C0nt0s0 and he uses common letter substitution. Smart lockout also checks for common letter substitutions.
"A new password first goes through a normalization process. This technique allows for a small set of banned passwords to be mapped to a much larger set of potentially weak passwords. Normalization has the following two parts: All uppercase letters are changed to lower case. Then, common character substitutions are performed, such as in the following example: o => 0, s => $, l => 1, etc."
Source: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad#how-are-passwords-evaluated
upvoted 4 times
Ltgoldman
2 years, 6 months ago
"Even if a user's password contains a banned password, the password may be accepted if the overall password is otherwise strong enough."
upvoted 1 times
Jcbrow27
3 years, 5 months ago
Answer: Y,Y,Y
User1 has no need to change the password: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-faq#does-azure-ad-password-protection-validate-existing-passwords-after-being-installed
User 2: the password is valid.
User 3: the password is in audit mode. https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-operations#audit-mode
upvoted 1 times
AGill
3 years, 3 months ago
Based on your explanation, the answer is N, Y, Y? First line asks if user 1 must change their password on sign in. But the link says it only takes effect at a password change or set operation - not sign in.
upvoted 2 times
JakeH
3 years, 5 months ago
In exam today
upvoted 2 times
[Removed]
3 years, 7 months ago
If set to Enforce, users will be prevented from setting banned passwords and the attempt will be logged. If set to Audit, the attempt will only be logged.
upvoted 3 times
Davidchercm
3 years, 8 months ago
Here is the explanation of the difference between audit mode and enforced mode: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-operations
upvoted 2 times
Domza
4 years ago
So, what is the question? lol
upvoted 1 times
Scooter454
3 years, 12 months ago
Audit mode is only for Active Directory accounts. It is enabled for Azure users, so User 1 and User 2 have this policy applied.
upvoted 3 times