Exam MS-100 topic 4 question 60 discussion

Actual exam question from Microsoft's MS-100
Question #: 60
Topic #: 4

HOTSPOT -
You have a hybrid deployment of Microsoft 365 that contains the users shown in the following table.

You have an on-premises web app named AppA. Group1 has permissions to access AppA.
You configure an Azure Active Directory (Azure AD) Application Proxy.
You add an Application Proxy entry for AppA as shown in the exhibit. (Click the Exhibit tab.)

You assign the AppA enterprise application in Azure to Group2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: No -
User1 is in Group2. The enterprise app is assigned to Group2. However, the authentication method is "Passthrough" so the authentication will be passed to the on-premises web app. Only Group1 has access to the web app. Therefore, User1 will not be able to access the web app.
Box 2: Yes.
User2 is in Group1 and Group2. The enterprise app is assigned to Group2. The authentication method is "Passthrough" so the authentication will be passed to the on-premises web app. Group1 has access to the web app. Therefore, User2 will be able to access the web app in MyApps.

Box 3: No -
User3 is in Group1. Group1 has access to the web app so User3 could access the app on-premises. However, the enterprise app is assigned to Group2 which User3 is not a member of. Therefore, User3 will not be able to access the external URL of the web app.

Comments

[Removed]
Highly Voted 3 years, 8 months ago
The app is assigned to Group 2 in Azure. You cannot use the external URL or open the app via My Apps if you are not in Group 2. Therefore, User 3 will only be able to use the app from the on-premise network with the internal URL. Pre-authentication is pass-through: the on-premise AD wins. On-premise Group 1 (User 2 and User 3) has access to the app. Therefore User 2 can access the app. User 1 with External URL? No. User 2 from My Apps? Yes. User 3 with External URL? No. Am I missing something? I agree with the provided answers but other commenters' opinions seem to be all over the place?
upvoted 8 times
Durden871
3 years, 1 month ago
I find this question confusing. User 1/Group 2 is assigned the web app. So, if I understand correctly, they try to authenticate, but because it's PTA it gets to the server where they don't have access to the app so they're not able to access the web app simply because they can't authenticate to it? User3/Group1 have access to the enterprise app on prem, but because they don't have access to the web app, they can't use the external link for access, but can access the app locally. Since User2 is assigned to both groups, they can authenticate because they're assigned the enterprise app and can access it externally because they are granted web app access.
upvoted 1 times
...
...
Startkabels
Most Recent 2 years, 4 months ago
Shit questions so I'll just go with the answers and explanations provided and move on.
upvoted 4 times
...
Gresch123123
3 years, 1 month ago
Provided answer makes sense, NYN
upvoted 1 times
...
Wojer
3 years, 3 months ago
I am not an expert but because it's PTA auth. everything is sent to on-prem server so in my opinion it's NYY as an answer.
upvoted 1 times
joergsi
3 years, 2 months ago
The provided explanation: Box 3: No - User3 is in Group1. Group1 has access to the web app so User3 could access the app on-premises. However, the enterprise app is assigned to Group2 which User3 is not a member of. Therefore, User3 will not be able to access the external URL of the web app. Does not make sense at all, because => However, the enterprise app is assigned to Group2 is not shown in the screenshot! It should be Y
upvoted 1 times
...
...
tf444
3 years, 4 months ago
The explanation is wrong, nowhere in the question indicates Group1 has access to the web app. You have an on-premises web app named AppA. Group1 has permissions to access AppA.
upvoted 2 times
...
gonick
3 years, 7 months ago
In the properties sheet for the app is a slider "User assignment required?". This is set to Yes as default. When set to 'Yes', users will NOT be able to access using the external URL unless authorised to do so, in this case be a member of Group 2. Since we can't see the slider in this example, assume it's default to 'Yes', so User 3 can't access. NYN.
upvoted 3 times
...
gkp_br
3 years, 10 months ago
User needs to be a member of both groups: "You have an on-premises web app named AppA. Group1 has permissions to access AppA." and "You assign the AppA enterprise application in Azure to Group2."
upvoted 4 times
...
F_M
3 years, 10 months ago
https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-add-on-premises-application#add-an-on-premises-app-to-azure-ad I think it's No | Yes | Yes. The reference states that with Passthrough pre-authentication AzureAD auth is bypassed so basically anyone can use the external URL and the authentication is managed by the backend of the App. Since on-prem the app is configured to grant access only to group 1 members User1 can't access while User 2 and 3 can. User1 anyway is blocked on the backend side, he can still use the url but fails the authentication on the app.
upvoted 4 times
[Removed]
3 years, 8 months ago
Pass-through skips the Azure AD authentication steps, but does it also _not_ check whether the user is assigned the app or not? The two things do not sound mutually exclusive to me.
upvoted 1 times
...
...
lucidgreen
4 years ago
I'm thinking Y, Y, N... https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn383639(v=ws.11)
upvoted 2 times
melatocaroca
3 years, 11 months ago
usr 1 member of grp 2; usr 2 member of grp 1 and grp 2; usr 3 member of grp 1. You assign the AppA enterprise application in Azure to Group2. usr 1 member of grp 2, grp 2 have access to app, Y. usr 2 member of grp 1 and grp 2, grp 2 have access to app, Y. usr 3 member of grp 1; grp 1 have no access to app, N
upvoted 1 times
AlexLiourtas
3 years, 4 months ago
group1 not group2, group1 has permissions
upvoted 1 times
...
...
...
TheWallPTA
4 years ago
User 3 not having access does not make sense to me? Part of Group 1.
upvoted 2 times
lucidgreen
4 years ago
Same here. I'm pretty sure User3 doesn't have access, otherwise, what's the point of assigning access?
upvoted 1 times
...
balajim212
4 years ago
True, Group1 has permissions to access AppA & User3 is a member of Group1. Ans should be Yes.
upvoted 1 times
balajim212
4 years ago
My bad, external URL access is via Azure app group access, which is only Group2. Group 1 will give on-premises app access. Hence no access here.
upvoted 1 times
...
...
...