@spinnetho - the correct answer is A - https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#common-questions
The question is tricky! It mentions "meet authentication requirements" and if you just read this and go back up to read the "Authentication Requirements" there is nothing that mentions anything related to needing PHS. HOWEVER!!!!!! If you read the whole question again, "You need to meet the authentication requirements FOR LEAKED CREDENTIALS", you realize there is nothing that mentions LEAKED CREDENTIALS in the "Authentication Requirements" related to it.
The answer is A because none of the other ones has anything to do with LEAKED CREDENTIALS.
You don't use B for anything related to LEAKED CREDENTIALS - You would use this one for addressing the requirement
You don't use C for anything related to LEAKED CREDENTIALS
You don't use D for anything related to LEAKED CREDENTIALS
I had to read this multiple times!!! LOL
Correct Answer is PHS required for leaked credentials, because Password Protection compares against a fixed list. On-premises deployment of Microsoft Entra Password Protection uses the same global and custom banned password lists that are stored in Microsoft Entra ID. https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad-on-premises
Protect against leaked credentials and add resilience against outages
The simplest and recommended method for enabling cloud authentication for on-premises directory objects in Microsoft Entra ID is to enable password hash synchronization (PHS).
I think A actually makes a lot of sense since the case study mentions they use pass-through auth with hash sync disabled. This would mean that Azure AD doesn't know the password hash and can't compare it with the hashes from the leaked credentials list. Once you enable the hash sync, Azure can start comparing the password hashes to the hashes from the leaked creds list.
Enabling PTH sync does nothing to solve for the question. Automatically detect and remediate externally leaked credentials.
It is needed to allow for other steps that do. Yet another bad question that forces you to make unstated assumptions to determine the "best" answer.
I also thought initially that Password Protection should be correct, based on its global banned password list. But in the online documentation, MSFT notes: The global banned password list isn't based on any third-party data sources, including compromised password lists.
So, yes, after all, MSFT obviously uses other tricks in Entra ID Protection (P1 and P2) to "Detect risks" such as "Leaked credentials". But for this it needs the data, and this can only be the password hashes, or hashes of hashes, as they say, but who knows exactly ;)
https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection#detect-risks
The Users with leaked credentials report in Azure AD warns of username and password pairs, which have been exposed publicly. An incredible volume of passwords is leaked via phishing, malware, and password reuse on third-party sites that are later breached. Microsoft finds many of these leaked credentials and will tell you, in this report, if they match credentials in your organization – but only if you enable password hash sync or have cloud-only identities.
https://learn.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity#protect-against-leaked-credentials-and-add-resilience-against-outages
Password hash synchronization
"Risk detections like leaked credentials require the presence of password hashes for detection to occur. For more information about password hash synchronization, see the article, Implement password hash synchronization with Azure AD Connect sync."
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#password-hash-synchronization
Password Hash Sync also enables leaked credential detection for your hybrid accounts. Microsoft works alongside dark web researchers and law enforcement agencies to find publicly available username/password pairs. If any of these pairs match those of our users, the associated account is moved to high risk.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises#design-principles
The software isn't dependent on other Azure AD features. For example, Azure AD password hash sync (PHS) isn't related or required for Azure AD Password Protection.
This clearly states that PHS isn't required
https://docs.microsoft.com/en-us/learn/modules/manage-user-authentication/5-deploy-manage-password-protection
PHS is not required for "Password Protection" which enables the use of a "Custom Banned Password List" on prem. To protect against the requirement of "Leaked Passwords" an Identity Protection / User Risk Policy is required and that requires passwords in Azure AD, therefore PHS is required.
Azure AD Password Protection is configured when there is a requirement to include banned passwords. How can anyone configure leaked credentials in the banned password section? So the answer should be Password Hash Synchronization. At the same time, if there were no Password Hash Synchronization option in the answer section, then it should be answer D.