Exam AZ-500 topic 2 question 62 discussion

Actual exam question from Microsoft's AZ-500
Question #: 62
Topic #: 2

HOTSPOT -
Your network contains an on-premises Active Directory domain named adatum.com that syncs to Azure Active Directory (Azure AD).
The Azure AD tenant contains the users shown in the following table.

You configure the Authentication methods - Password Protection settings for adatum.com as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad

Comments

maylevi
Highly Voted 3 years, 7 months ago
NO, YES, YES.
3) Audit mode: Audit mode is intended as a way to run the software in a "what if" mode. Each Azure AD Password Protection DC agent service evaluates an incoming password according to the currently active policy. If the current policy is configured to be in audit mode, "bad" passwords result in event log messages but are processed and updated. This behavior is the only difference between audit and enforce mode. All other operations run the same.
upvoted 55 times
ConanBarb
2 years, 1 month ago
1 - No: Of course, nothing can evaluate existing passwords since they are stored hashed and not clear-text. And it says here: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy
"It is important to note that Azure AD Password Protection can only validate passwords during password change or set operations. Passwords that were accepted and stored in Active Directory prior to the deployment of Azure AD Password Protection will never be validated and will continue working as-is. Over time, all users and accounts will eventually start using Azure AD Password Protection-validated passwords as their existing passwords expire normally. Accounts configured with "password never expires" are exempt from this."
2 - No: "Enforce custom list" in effect. (The Audit mode is under the title sub-title "Password protection for Windows Server Active Directory" and applies only to that.)
Yes: Even though "Enforce custom list" is in effect, the subordinate setting for "Password protection for Windows Server Active Directory" is in Mode = Audit.
upvoted 22 times
ConanBarb
2 years, 1 month ago
And in fact, I tested case 2 in portal, and was denied password change due to banned words (had Mode = Audit)
upvoted 8 times
xavi1
3 years, 6 months ago
audit only applies to the local AD, not azure ad
upvoted 12 times
OpsecDude
2 years, 7 months ago
But Password protection is an AAD feature.
upvoted 1 times
Jacky_YO
3 years, 1 month ago
My answer: No, Yes, Yes
upvoted 3 times
IvanIco
1 year, 5 months ago
and it's wrong
upvoted 2 times
Floweezy
Highly Voted 3 years, 5 months ago
YES - User 1 is Azure AD hence his Adatum123 is now considered a bad password and must change it
NO - User 2 cannot change his password as suggested cause it contains a reference to Adatum (replacing A with @ will not bypass it)
YES - In audit mode so the policy does not enforce
upvoted 30 times
xRiot007
9 months, 2 weeks ago
Box 1 is No - In Audit mode when a bad password is used for login or changed into, an event is logged, but the change still happens.
upvoted 1 times
adamsca
3 years, 4 months ago
Why did you just Apply Audit mode to User3 and not User1 and User3? Because it's in audit mode policies will not be enforced so answers are NO, YES, YES.
upvoted 3 times
adamsca
3 years, 4 months ago
Correction: I meant to say...Why did you just Apply Audit mode to User3 and not User1 and User2?
upvoted 1 times
Naqsh27
3 years, 4 months ago
I think it's because the audit only applies to on-prem accounts, which user 3 is. It does not apply to the other cloud accounts. But I am not 100% sure.
upvoted 2 times
dzampar
3 years, 4 months ago
yes, right explanation YES,NO,YES
upvoted 2 times
Patchfox
3 years, 3 months ago
I think it is NO NO YES. Because the documentation says nothing about current password evaluations. Only when the user will change or reset the password the evaluation will happen
upvoted 15 times
Patchfox
3 years, 3 months ago
Update: I tested it in lab. The behaviour is like I said.
upvoted 5 times
rooban
3 years, 2 months ago
1. NO. Password protection does not prompt a user to change the password during logon, it only works during a password change/reset.
2. YES. Policy is in Audit mode so no enforcement.
3. YES. Policy in Audit mode so no enforcement.
upvoted 13 times
Nickname01
2 years, 3 months ago
You are not correct, the audit mode is only for on-prem accounts and not for Azure AD accounts. Answer should be no no yes.
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-operations
upvoted 1 times
MathiasC
1 year, 5 months ago
agree, N N Y when "Enable password protection on Windows Server Active Directory" is set to "No", Mode options "Enforced" and "Audit" are greyed out.
upvoted 2 times
Tom_tank
Most Recent 2 months, 3 weeks ago
1. User1: No, there's no information about a policy prompting a password change on next sign-in.
2. User2: No, "@da@tum_C0mpleX123" is not allowed because it contains "Adatum," which is on the banned passwords list.
3. User3: No, "Adatum123!" is not allowed for the same reason—it contains "Adatum."
upvoted 2 times
Srirupam
5 months, 2 weeks ago
No-No-Yes
upvoted 2 times
pentium75
9 months ago
NO (policy is only applied during password change)
NO (matches the banned password, audit mode is relevant only for AD)
YES (Audit mode is on for AD)
upvoted 2 times
JaridB
1 year ago
Given that the policy is set to Audit mode, the enforcement of the custom banned password list is not active; instead, it will log any occurrences where a banned password would have been used if the policy were in Enforced mode.
1. User1 will be prompted to change the password on the next sign-in. No. There is no indication that User1 is required to change their password on the next sign-in due to a password policy. Audit mode does not enforce password changes; it only logs events.
2. User2 can change the password to @d@tum_C0mpleX123. Yes. In Audit mode, User2 would be able to change their password to this since the policy is not actively blocking the use of banned passwords but will log an event stating that this password would have been banned if the policy was in Enforced mode.
3. User3 can change the password to Adatum123. Yes. Similar to User2, User3 would be able to change their password to Adatum123, and an event would be logged due to the policy being in Audit mode, not Enforced mode.
upvoted 2 times
joegie00698
1 year, 3 months ago
No: user is not changing password AND auditing is on
YES: password has more than 5 points after rules check
YES: same as above
On-prem password protection is also enabled and uses the global and custom lists also. I assume that the necessary components are installed on-prem as the option is activated
upvoted 1 times
brooklyn510
1 year, 3 months ago
On exam 1/2/24
upvoted 1 times
[Removed]
1 year, 4 months ago
If set to Enforce, users will be prevented from setting banned passwords and the attempt will be logged. If set to Audit, the attempt will only be logged.
This is the explanation of Mode.
We recommend that you start deployments in audit mode. Audit mode is the default initial setting, where passwords can continue to be set. Passwords that would be blocked are recorded in the event log. After you deploy the proxy servers and DC agents in audit mode, monitor the impact that the password policy will have on users when the policy is enforced. During the audit stage, many organizations find that the following situations apply:
They need to improve existing operational processes to use more secure passwords.
Users often use unsecure passwords.
They need to inform users about the upcoming change in security enforcement, possible impact on them, and how to choose more secure passwords.
upvoted 1 times
flafernan
1 year, 4 months ago
N, Y, Y
upvoted 1 times
PierreTang
1 year, 4 months ago
Test on lab. N, N, N
upvoted 2 times
TheProfessor
1 year, 5 months ago
Correct answer. Policy is in Audit mode. It says "If set to Enforce, users will be prevented from setting banned passwords and the attempt will be logged. If set to Audit, the attempt will only be logged."
upvoted 1 times
alopezme
1 year, 7 months ago
YES NO YES
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-faq
Why is Azure AD still rejecting weak passwords even though I've configured the policy to be in Audit mode?
Audit mode is only supported in the on-premises Active Directory environment. Microsoft Entra ID is implicitly always in "enforce" mode when it evaluates passwords.
upvoted 1 times
IvanIco
1 year, 7 months ago
Since Adatum is a banned word for passwords, any possible version of it is banned as well, so the answer is yes, no, no bcz @d@tum is counted in the banned list
upvoted 1 times
TheProfessor
1 year, 7 months ago
NO, NO, YES
upvoted 2 times
MichaelD_NZ
1 year, 8 months ago
Should be NO, NO, YES. As per Authentication methods (Password Protection) Blade: [QUOTE] If set to Enforce, users will be prevented from setting banned passwords and the attempt will be logged. If set to Audit, the attempt will only be logged. [END QUOTE]
upvoted 2 times
Self_Study
1 year, 8 months ago
On exam 7/8/23. Answers are correct.
upvoted 3 times
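
Several comments above turn on three mechanics: character substitutions being normalized away, the five-point score, and Audit mode applying only on-premises. The sketch below is an added example, not part of the original discussion and not Microsoft's code: a simplified Python model of the evaluation steps described in the referenced concept-password-ban-bad article. The banned list and tenant name are assumptions because the exhibit is not reproduced on this page, and fuzzy matching and the global list are left out.

```python
# Simplified model of the documented banned-password evaluation.
# Fuzzy (edit-distance) matching and the global banned list are omitted.
# All sample inputs are constructed for illustration.

SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
MIN_SCORE = 5  # documented acceptance threshold


def normalize(password):
    """Lowercase, then reverse the documented character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def score(password, banned):
    """One point per banned term found, one point per remaining character."""
    rest, points = normalize(password), 0
    for term in sorted(banned, key=len, reverse=True):
        points += rest.count(term)
        rest = rest.replace(term, "")
    return points + len(rest)


def is_weak(password, banned, names=()):
    """Weak if it contains a user/tenant name (>= 4 chars) or scores below 5."""
    norm = normalize(password)
    if any(len(n) >= 4 and n.lower() in norm for n in names):
        return True
    return score(password, banned) < MIN_SCORE


def evaluate(password, banned, names, on_prem, mode):
    """Return (accepted, flagged). Audit mode is honoured only on-premises;
    cloud-side evaluation is always treated as enforcing."""
    weak = is_weak(password, banned, names)
    enforce = (not on_prem) or mode == "Enforced"
    return (not (weak and enforce), weak)


CUSTOM_BANNED = ["adatum"]  # assumption: the exhibit's list is not on the page
TENANT_NAMES = ["adatum"]   # assumption: tenant name derived from adatum.com
```

In this model the substituted password scores 12 points on the custom list alone, yet the name substring check still flags it, which is why the two cloud-side and on-premises outcomes can differ for the same policy blade.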