Exam SC-300 topic 1 question 16 discussion

I think the answer is correct. When the connection to on-premise is lost, PTA will not work anymore. The failover to Password Hash Synchronization is not automatic and needs to be configured manually in AD Connect. If the connection to on-premise is lost, and the AD Connect server runs un-premise, user 2 cannot login. -~~~~~- Enabling Password Hash Synchronization gives you the option to failover authentication if your on-premises infrastructure is disrupted. This failover from Pass-through Authentication to Password Hash Synchronization is not automatic. You'll need to switch the sign-in method manually using Azure AD Connect. If the server running Azure AD Connect goes down, you'll require help from Microsoft Support to turn off Pass-through Authentication.

Pass-through authentication is configured, Sync user will try to authenticate on local AD and unable to authenticate due to internet outage only cloud users ( User 1 and User 3) can be authenticated Correct Answer : A

Microsoft FAQ states: "No. Pass-through Authentication doesn't automatically failover to password hash synchronization. To avoid user sign-in failures, you should configure Pass-through Authentication for high availability." https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-pta-faq#does-password-hash-synchronization-act-as-a-fallback-to-pass-through-authentication-

Pass-through Authentication (PTA) validates users' passwords directly against on-premises Active Directory. It ensures on-premises security policies are enforced and does not store passwords in the cloud. Password Hash Synchronization (PHS) synchronizes a hash of user's password from on-premises Active Directory to Azure AD. It allows users to sign in to Azure AD using the same password they use on-premises. If both methods are enabled, PTA will take precedence for authentication. PHS can act as a backup, allowing users to sign in even if the PTA agent is temporarily unavailable.

User1: Can sign in because they are not directory-synced and their account exists solely in Azure AD. User2: Can sign in because Password Hash Sync is enabled, allowing authentication to Azure AD even without on-premises connectivity. User3: Can sign in because guest accounts authenticate directly with their own identity provider and do not rely on the on-premises domain.

By enabling Password Hash sync, you ensure that password hashes are synchronized to Azure AD, allowing users to authenticate even if the on-premises environment is unavailable. Password Hash sync is enabled, so answer is C.

Reponse C. 1 - The password is sync 2 - TPHS ensures that users can authenticate to cloud services even if the on-premises AD is down. 3 - The tenant is not Federate, that means that tenant is Managed. Like that, you can directly authenticate with Entra.

According to https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-pta-current-limitations: Enabling Password Hash Synchronization gives you the option to failover authentication if your on-premises infrastructure is disrupted. This failover from Pass-through Authentication to Password Hash Synchronization is not automatic. You'll need to switch the sign-in method manually using Microsoft Entra Connect. If the server running Microsoft Entra Connect goes down, you'll require help from Microsoft Support to turn off Pass-through Authentication.

Connectivity to on-prems directory to the internet is lost, not the users' connectivity to the internet. I think User 1 and User 3 are not syncing with the on-prems directory. They are on the Azure AD. Only User 2 will have difficulty to sign in to Azure AD because of the Password Hash Sync btw on-prems and Azure AD. Answer is A

Answer C Both password hash sync and pass-through are enabled, no password change in the question, just login Only on-premises domain to the internet is lost User1 and User 3 are users that will log in with their hash in AAD, User3 is an AAD guest will log with his own credentials created guest on AAD, so IMHO answer must be C Pass-through Authentication does not automatically failover to password hash synchronization. To avoid user sign-in failures, you should configure Pass-through Authentication for high availability. The password hash synchronization process runs every 2 minutes. When a user attempts to sign into Azure AD and enters their password, the password is run through the same MD4+salt+PBKDF2+HMAC-SHA256 process. If the resulting hash matches the hash stored in Azure AD, the user has entered the correct password and is authenticated.

C. Per https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-current-limitations, Enabling Password Hash Synchronization gives you the option to failover authentication if your on-premises infrastructure is disrupted. The diagram shows Pasword Hash Synchronization is enabled.

Answer A is correct. PTA cannot be used for directory synchronised objects when the connectivity is lost.

Does password hash synchronization act as a fallback to Pass-through Authentication? No. Pass-through Authentication does not automatically failover to password hash synchronization. To avoid user sign-in failures, you should configure Pass-through Authentication for high availability.

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-current-limitations#unsupported-scenarios Read the Note: Enabling Password Hash Synchronization gives you the option to failover authentication if your on-premises infrastructure is disrupted. This failover from Pass-through Authentication to Password Hash Synchronization is not automatic. You'll need to switch the sign-in method manually using Azure AD Connect. If the server running Azure AD Connect goes down, you'll require help from Microsoft Support to turn off Pass-through Authentication. Since the Password Hash sync failover is not automatic, in this case the answer is A. User2 that is directory sync will need Pass-Through Authentication, which will be unavailable at that moment.

I got correct answer, but maybe my logic is off? All users work remotely, so wouldnt they log in to AAD, not on prem? Assuming User 2 uses a VPN to login through AD on-prem, I read it as User 2 is already synced. Therefore, A.

A. User1 and User3 only correct ans.

Correct Answer : A