Exam AZ-303 topic 2 question 43 discussion

Actual exam question from Microsoft's AZ-303
Question #: 43
Topic #: 2

HOTSPOT -
You need to design an authentication solution that will integrate on-premises Active Directory and Azure Active Directory (Azure AD). The solution must meet the following requirements:
✑ Active Directory users must not be able to sign in to Azure AD-integrated apps outside of the sign-in hours configured in the Active Directory user accounts.
✑ Active Directory users must authenticate by using multi-factor authentication (MFA) when they sign in to Azure AD-integrated apps.
✑ Administrators must be able to obtain Azure AD-generated reports that list the Active Directory users who have leaked credentials.
✑ The infrastructure required to implement and maintain the solution must be minimized.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Suggested Answer:
Box 1: Pass-through Authentication with Azure AD Seamless SSO
Azure AD Seamless SSO versus Active Directory Federation Services
Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours might use Azure AD Pass-through Authentication.
You can combine Pass-through Authentication with the Seamless Single Sign-On feature.
Note: Azure AD supports the following authentication methods for hybrid identity solutions.
✑ Azure AD password hash synchronization
✑ Azure AD Pass-through Authentication

Box 2: Azure MFA -
One key benefit with Azure AD Pass-through Authentication is that it works seamlessly with Azure MFA.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn

Comments

tp42
Highly Voted 3 years, 10 months ago
Should be Pass-through with SSO and Password HashSync.
Pass-Through for the sign-in hours.
Password HashSync for the Leaked Credentials.
Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours might use PassThrough. Some premium features of Azure AD, like Identity Protection and Azure AD Domain Services, require password hash synchronization, no matter which authentication method you choose. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn
upvoted 49 times
rdemontis
3 years, 9 months ago
Thanks so much for the clear explanation
upvoted 2 times
...
pentium75
3 years, 9 months ago
Think so too.
upvoted 2 times
...
...
cannibalcorpse
Highly Voted 3 years, 10 months ago
Part 1: Pass-through SSO + Password Hash Sync. Ref: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn
upvoted 11 times
...
hikpd
Most Recent 3 years, 1 month ago
Should be Password Hash and Azure MFA. Leaked credential reports are only available with Password Hash. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn Check the comparison table on this wiki and search for "What advanced scenarios are supported?"
upvoted 1 times
...
plmmsg
3 years, 3 months ago
1. Pass-through with SSO and Password HashSync 2. Azure MFA
upvoted 2 times
...
sam
3 years, 4 months ago
https://docs.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity#protect-against-leaked-credentials-and-add-resilience-against-outages.
upvoted 2 times
...
syu31svc
3 years, 8 months ago
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn#decision-tree
First one should be Pass-through with SSO and Password HashSync. MFA using Azure MFA.
upvoted 7 times
...
tp42
3 years, 10 months ago
Password Hash Sync also enables leaked credential detection for your hybrid accounts. Microsoft works alongside dark web researchers and law enforcement agencies to find publicly available username/password pairs. If any of these pairs match those of our users, the associated account is moved to high risk. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs
upvoted 3 times
...
henry1985
3 years, 10 months ago
Probably is pass-through + seamless SSO with password hash sync, because leaked credential reports require password hash sync, and sign-in hours require pass-through. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn Azure AD Pass-through Authentication - "Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours might use this authentication method." Also check this feature request: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/33623875-logon-hours See the decision tree: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn#decision-tree
upvoted 2 times
tita_tovenaar
3 years, 9 months ago
excellent reference, thanks
upvoted 1 times
...
...
TSMRE
3 years, 11 months ago
If admins on Azure need to handle those who have leaked credentials, wouldn't it make sense to allow them to change the password from Azure with hash sync?
upvoted 5 times
betamode
3 years, 10 months ago
Exactly. Password Hash Sync enables leaked credential detection for your hybrid accounts. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs Correct option for first box should be Password Hash sync
upvoted 2 times
...
...