Exam MS-100 topic 2 question 56 discussion

I think answer B. Adding adatum.com to custom domain does not configure ADConnect.

I go for B. It's not mentioned that the domain is verified.

A is the correct answer

This environment has pass through enabled on one domain which is presumably working for contoso.com. Simply adding the domain wouldn't make this work. So yeah B

B. No Adding a custom domain to Azure AD and instructing User2 to sign in with that domain does not meet the goal of allowing User2 to access the resources in Azure AD. The issue is that User2 is not able to authenticate with Azure AD using their user principal name (UPN) of [email protected]. This is because the on-premises Active Directory user object for User2 does not have a matching user principal name in Azure AD. To allow User2 to access the resources in Azure AD, you need to ensure that the on-premises Active Directory user object for User2 is synchronized to Azure AD and that the user object has a matching user principal name in Azure AD. You can do this by configuring Azure AD Connect to synchronize the user principal name attribute from Active Directory to Azure AD. Therefore, the correct solution is to synchronize the on-premises Active Directory user object for User2 to Azure AD and ensure that the user object has a matching user principal name in Azure AD. Adding a custom domain to Azure AD and instructing User2 to sign in with that domain does not address the root cause of the issue.

It's not a complete answer. You need to run Az AD Connect & select the domain.

This question has nothing to do with AD Connect Syncing. The issue in the question is that can not sign in to online applications (Azure AD) with the @fabrikam.

Hopefully in the actual exam there will be additional information. I recall a similar question in MS-500 and the issue was that AD Connect is configured with Pass-through so another option is local AD is down and no-one can sign into M365. Then you would change AD Connect to use Password Hash instead.

the answer is - you need to change the upn to contoso.com

I'm going to go with A as since the user already has the UPN set as fabrikam.com that means Active Directory is configured with it as a UPN suffix for users. By adding it to AzureAD in my mind that assumes (Which could be the unfolding of my answer) that the domain has succesfully been added and not just added to the portal in "Setup in progress" mode. Because the domain is added to AzureAD it can then be assigned to users, since User2 already has fabrikam.com as a UPN suffix once a delta sync has completed they should receive fabrikam.com as a UPN suffix in AzureAD allowing them to login.

Answer is B. Domain was added according to the question, but it wasn't verified.

this qns came out in exam today

Besides that, domain is not verified

In today's exam

It says that the on-premise domain contains both users. Since Azure AD is configured with the contoso domain, the fabrikam users will not sync. if you simply add fabrikam.com to Azure, you should also configure the domain in the on-prem AAD connect app. The only solution is to change the UPN suffix in the on-prem domain ([email protected] to [email protected]) and manually sync or wait for an automatic sync cycle. Therefore, i think, the answer should be B; "no"

User2 fails to authenticate to Azure AD when signing in as [email protected]. Solution: From the Azure Active Directory admin center, you add fabrikam.com as a custom domain. You instruct User2 to sign in as [email protected]. If they add fabrikam.com as a custom domain, configure ad connect verify domain with DNS txt record sync, will be yes, but with the instructions that do not tell nothing apart from fabrikam.com is added IMHO, answer is NO, if you assume add fabrikam.com is add and configure the rest of required steps answer is Yes

I thought about this, technically by adding and verifying the new domain, you can then use the domain for signs. There is no need to sync the user from the source domain, just create an Azure AD domain account and add @adatum.com - this should work!