Exam SC-300 topic 1 question 16 discussion

Actual exam question from Microsoft's SC-300
Question #: 16
Topic #: 1

Your network contains an on-premises Active Directory domain that syncs to an Azure Active Directory (Azure AD) tenant. The tenant contains the users shown in the following table.

All the users work remotely.
Azure AD Connect is configured in Azure AD as shown in the following exhibit.

Connectivity from the on-premises domain to the internet is lost.
Which users can sign in to Azure AD?

  • A. User1 and User3 only
  • B. User1 only
  • C. User1, User2, and User3
  • D. User1 and User2 only
Suggested Answer: A

Comments

examkid
Highly Voted 3 years, 7 months ago
I think the answer is correct. When the connection to on-premise is lost, PTA will not work anymore. The failover to Password Hash Synchronization is not automatic and needs to be configured manually in AD Connect. If the connection to on-premise is lost, and the AD Connect server runs on-premise, user 2 cannot log in.
Enabling Password Hash Synchronization gives you the option to failover authentication if your on-premises infrastructure is disrupted. This failover from Pass-through Authentication to Password Hash Synchronization is not automatic. You'll need to switch the sign-in method manually using Azure AD Connect. If the server running Azure AD Connect goes down, you'll require help from Microsoft Support to turn off Pass-through Authentication.
upvoted 37 times
...
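The failover rule quoted in the comment above, as a small Python model added here for illustration (it is not Microsoft code and not part of the original thread). The class and function names are hypothetical, the user types (User1 cloud-only, User2 directory-synced, User3 guest) follow how the comments on this page describe them, and treating a cut-off sync server like one that is down is an assumption.

```python
from dataclasses import dataclass

@dataclass
class Tenant:
    active_method: str        # "PTA" or "PHS": what the cloud uses for synced users
    phs_hashes_stored: bool   # Password Hash Sync enabled, hashes already in the cloud
    pta_agents_online: int    # on-premises agents that can still reach the cloud
    connect_online: bool      # sync server (where the method is switched) is reachable

@dataclass
class User:
    name: str
    kind: str                 # "cloud", "synced" or "guest"

def can_sign_in(user: User, tenant: Tenant) -> bool:
    if user.kind in ("cloud", "guest"):
        return True           # no on-premises dependency in this model
    if tenant.active_method == "PTA":
        # Stored hashes are NOT consulted while PTA is the active method.
        return tenant.pta_agents_online > 0
    return tenant.phs_hashes_stored

def switch_to_phs(tenant: Tenant) -> None:
    """The manual failover: an administrator changes the sign-in method."""
    if not tenant.phs_hashes_stored:
        raise RuntimeError("no password hashes in the cloud to fall back on")
    if not tenant.connect_online:
        # Assumption: modelled after the note quoted on this page.
        raise RuntimeError("sync server unreachable: Microsoft Support must turn off PTA")
    tenant.active_method = "PHS"

def who_can_sign_in(users, tenant):
    return [u.name for u in users if can_sign_in(u, tenant)]

# Constructed sample: user kinds as described in the comments on this page.
USERS = [User("User1", "cloud"), User("User2", "synced"), User("User3", "guest")]

def outage_demo():
    tenant = Tenant("PTA", phs_hashes_stored=True, pta_agents_online=0, connect_online=False)
    during_outage = who_can_sign_in(USERS, tenant)
    try:
        switch_to_phs(tenant)
        blocked = False
    except RuntimeError:
        blocked = True             # the switch cannot be made from the cut-off server
    tenant.connect_online = True   # sync server reachable again, agents still offline
    switch_to_phs(tenant)
    return during_outage, blocked, who_can_sign_in(USERS, tenant)

if __name__ == "__main__":
    print(outage_demo())
```

In the model, a single reachable agent (`pta_agents_online=1`) keeps synced users signing in under PTA, which is the high-availability configuration the Microsoft FAQ quoted in this thread recommends.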
AmazingKies
Highly Voted 3 years, 6 months ago
Pass-through authentication is configured. The synced user will try to authenticate against the local AD and will be unable to authenticate due to the internet outage; only cloud users (User 1 and User 3) can be authenticated. Correct Answer: A
upvoted 15 times
...
stefwanders
Most Recent 2 days, 3 hours ago
Selected Answer: A
Microsoft FAQ states: "No. Pass-through Authentication doesn't automatically failover to password hash synchronization. To avoid user sign-in failures, you should configure Pass-through Authentication for high availability." https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-pta-faq#does-password-hash-synchronization-act-as-a-fallback-to-pass-through-authentication-
upvoted 1 times
...
krutesh
3 weeks, 6 days ago
Selected Answer: C
Pass-through Authentication (PTA) validates users' passwords directly against on-premises Active Directory. It ensures on-premises security policies are enforced and does not store passwords in the cloud. Password Hash Synchronization (PHS) synchronizes a hash of user's password from on-premises Active Directory to Azure AD. It allows users to sign in to Azure AD using the same password they use on-premises. If both methods are enabled, PTA will take precedence for authentication. PHS can act as a backup, allowing users to sign in even if the PTA agent is temporarily unavailable.
upvoted 1 times
...
Frank9020
2 months ago
Selected Answer: C
User1: Can sign in because they are not directory-synced and their account exists solely in Azure AD. User2: Can sign in because Password Hash Sync is enabled, allowing authentication to Azure AD even without on-premises connectivity. User3: Can sign in because guest accounts authenticate directly with their own identity provider and do not rely on the on-premises domain.
upvoted 2 times
...
test123123
2 months, 1 week ago
Selected Answer: C
By enabling Password Hash sync, you ensure that password hashes are synchronized to Azure AD, allowing users to authenticate even if the on-premises environment is unavailable. Password Hash sync is enabled, so answer is C.
upvoted 2 times
test123123
2 months ago
If your Azure AD Connect sync status shows "Password Hash Sync Enabled" and "Pass-Through Authentication Enabled," it means that users can still log on to Microsoft 365 even if the on-premises Active Directory loses internet connection.
upvoted 1 times
...
...
SebArgy
2 months, 4 weeks ago
Selected Answer: C
Answer C. 1 - The password is synced. 2 - TPHS ensures that users can authenticate to cloud services even if the on-premises AD is down. 3 - The tenant is not federated, which means that the tenant is managed. That way, you can authenticate directly with Entra.
upvoted 1 times
...
AlexBrazil
4 months, 2 weeks ago
Selected Answer: A
According to https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-pta-current-limitations: Enabling Password Hash Synchronization gives you the option to failover authentication if your on-premises infrastructure is disrupted. This failover from Pass-through Authentication to Password Hash Synchronization is not automatic. You'll need to switch the sign-in method manually using Microsoft Entra Connect. If the server running Microsoft Entra Connect goes down, you'll require help from Microsoft Support to turn off Pass-through Authentication.
upvoted 2 times
...
Olami
5 months, 1 week ago
Connectivity from the on-prem directory to the internet is lost, not the users' connectivity to the internet. I think User 1 and User 3 are not syncing with the on-prem directory. They are in Azure AD. Only User 2 will have difficulty signing in to Azure AD because of the Password Hash Sync between on-prem and Azure AD. Answer is A.
upvoted 2 times
...
melatocaroca
5 months, 3 weeks ago
Answer C. Both password hash sync and pass-through are enabled; there is no password change in the question, just login. Only on-premises domain to the internet is lost. User1 and User 3 are users that will log in with their hash in AAD; User3 is an AAD guest who will log in with his own credentials, created as a guest on AAD, so IMHO the answer must be C. Pass-through Authentication does not automatically failover to password hash synchronization. To avoid user sign-in failures, you should configure Pass-through Authentication for high availability. The password hash synchronization process runs every 2 minutes. When a user attempts to sign into Azure AD and enters their password, the password is run through the same MD4+salt+PBKDF2+HMAC-SHA256 process. If the resulting hash matches the hash stored in Azure AD, the user has entered the correct password and is authenticated.
upvoted 1 times
Jonasweimar
2 years, 5 months ago
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-current-limitations "Enabling Password Hash Synchronization gives you the option to failover authentication if your on-premises infrastructure is disrupted. This failover from Pass-through Authentication to Password Hash Synchronization is not automatic. You'll need to switch the sign-in method manually using Azure AD Connect. If the server running Azure AD Connect goes down, you'll require help from Microsoft Support to turn off Pass-through Authentication."
upvoted 1 times
...
...
rachee
5 months, 3 weeks ago
C. Per https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-current-limitations, Enabling Password Hash Synchronization gives you the option to failover authentication if your on-premises infrastructure is disrupted. The diagram shows Password Hash Synchronization is enabled.
upvoted 6 times
Tuvshinjargal
1 year, 1 month ago
I agree with that. Since the Password Hash Synchronization is enabled, it must have been synched an hour ago, and also the password is saved in Azure AD. It remains when the on-premise AD lost the connection to the internet. See below article. https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-pta-faq When you use Microsoft Entra Connect to switch the sign-in method from password hash synchronization to Pass-through Authentication, Pass-through Authentication becomes the primary sign-in method for your users in managed domains. All users' password hashes that are previously synchronized by password hash synchronization remain stored on Microsoft Entra ID.
upvoted 1 times
RahulX
1 year, 1 month ago
If password hash synchronization is enabled, all synced users can login with an AD pwd hash value if DC connectivity is lost, and if any user changes their pwd during this period, the hash will remain until the connection is restored. If you have enabled PTA earlier or have installed the PTA DC agent, it will show the pass-through authentication. Enabled 1 or 2 agents under User Sign-In status in azure ad portal.
upvoted 1 times
...
...
...
[Removed]
5 months, 3 weeks ago
Selected Answer: A
Answer A is correct. PTA cannot be used for directory synchronised objects when the connectivity is lost.
upvoted 2 times
...
simonseztech
5 months, 3 weeks ago
Selected Answer: A
Does password hash synchronization act as a fallback to Pass-through Authentication? No. Pass-through Authentication does not automatically failover to password hash synchronization. To avoid user sign-in failures, you should configure Pass-through Authentication for high availability.
upvoted 2 times
...
f2bf85a
5 months, 3 weeks ago
Selected Answer: A
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-current-limitations#unsupported-scenarios Read the Note: Enabling Password Hash Synchronization gives you the option to failover authentication if your on-premises infrastructure is disrupted. This failover from Pass-through Authentication to Password Hash Synchronization is not automatic. You'll need to switch the sign-in method manually using Azure AD Connect. If the server running Azure AD Connect goes down, you'll require help from Microsoft Support to turn off Pass-through Authentication. Since the Password Hash sync failover is not automatic, in this case the answer is A. User2 that is directory sync will need Pass-Through Authentication, which will be unavailable at that moment.
upvoted 2 times
...
NotanAdmin
10 months ago
I got the correct answer, but maybe my logic is off? All users work remotely, so wouldn't they log in to AAD, not on prem? Assuming User 2 uses a VPN to log in through AD on-prem, I read it as User 2 is already synced. Therefore, A.
upvoted 1 times
...
RahulX
1 year, 1 month ago
A. User1 and User3 only correct ans.
upvoted 1 times
RahulX
1 year, 1 month ago
Sorry, The correct ans will be C. User1, User2, and User3.
upvoted 1 times
...
...
EmnCours
1 year, 7 months ago
Selected Answer: A
Correct Answer : A
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other