Exam MS-100 topic 4 question 3 discussion

If connectivity between on-premises Active Directory and the internet is lost, users who have their password hash synchronized to Azure AD or are using pass-through authentication will be able to authenticate to Azure AD. Based on the information provided, both password hash synchronization and pass-through authentication are enabled in Azure AD Connect. Therefore, all users in the table will be able to authenticate by using Azure AD if connectivity between on-premises Active Directory and the internet is lost. So the correct answer is: D. User1, User2, and User3.

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-current-limitations Enabling Password Hash Synchronization gives you the option to failover authentication if your on-premises infrastructure is disrupted. This failover from Pass-through Authentication to Password Hash Synchronization is not automatic. You'll need to switch the sign-in method manually using Azure AD Connect. If the server running Azure AD Connect goes down, you'll require help from Microsoft Support to turn off Pass-through Authentication.

Password Hash is a fallback option to PTA. All in-scope users are synced during. All users can authenticate via PHS even if On-Prem connectivity is down.

https://www.examtopics.com/discussions/microsoft/view/54785-exam-sc-300-topic-1-question-16-discussion/ similar question on another exam

The password hash synchronization process runs every 2 minutes. You cannot modify the frequency of this process. When you synchronize a password, it overwrites the existing cloud password. The first time you enable the password hash synchronization feature, it performs an initial synchronization of the passwords of all in-scope users. You cannot explicitly define a subset of user passwords that you want to synchronize. However, if there are multiple connectors, it is possible to disable password hash sync for some connectors but not others using the Set-ADSyncAADPasswordSyncConfiguration cmdlet.

PtA requires connectivity from on-premises AADC to Azure to authenticate users. Only cloud users will authenticate during connectivity issues.

Lol @ some of the explanations here. PHS does not matter. PTA always forces onprem users to authenticate onprem when logging into AAD (hence passthrough). Only the cloud-user can sign in.

PHS is not a fallback for PTA (As per xyz213)

See BoxGhost and xyz213 below.

Not sure, but probably go for D. User3 will be able to log in according to "The first time you enable the password hash synchronization feature, it performs an initial synchronization of the passwords of all in-scope users." https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization

why not c? since the user 3 never signed in.

Surely the answer is B? The article linked specifically mentions you would have to re-run the wizard manually to disable PTA if connectivity is lost! https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn#cloud-authentication-pass-through-authentication Considerations. You can use password hash synchronization as a backup authentication method for pass-through authentication, when the agents can't validate a user's credentials due to a significant on-premises failure. Fail over to password hash synchronization doesn't happen automatically and you must use Azure AD Connect to switch the sign-on method manually.