Suggested Answer:
Box 1: Server2 -
Incorrect: Not Server1: If you've deployed Azure AD Password Protection Proxy, do not install Azure AD Application Proxy and Azure AD Password Protection Proxy together on the same machine. Azure AD Application Proxy and Azure AD Password Protection Proxy install different versions of the Azure AD Connect Agent Updater service. These different versions are incompatible when installed together on the same machine.
Server1 runs the Azure AD Application Proxy connector. To use Application Proxy, you need a Windows server running Windows Server 2012 R2 or later. You'll install the Application Proxy connector on the server. This connector server needs to connect to the Application Proxy services in Azure, and the on-premises applications that you plan to publish.
Scenario:
Requirements. Authentication Requirements include: Enforce MFA when accessing on-premises applications.
Existing Environment. On-premises Environment: The on-premises network contains the servers shown in the following table.
Existing Environment. Identity Environment: The network contains an Active Directory forest named litware.com that is linked to an Azure Active Directory (Azure AD) tenant named litware.com. Azure AD Connect uses pass-through authentication and has password hash synchronization disabled. Litware.com contains a user named User1 who oversees all application development.
Box 2: DC1 -
The Azure AD Password Protection proxy service is typically on a member server in your on-premises AD DS environment. Once installed, the Azure AD Password Protection proxy service communicates with Azure AD to maintain a copy of the global and customer banned password lists for your Azure AD tenant.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy
https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-add-on-premises-application
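The placement rules argued over on this page (member server, not a domain controller; never on the same host as the Application Proxy connector; outbound HTTPS to Entra ID) can be checked before the proxy is installed. The following PowerShell is an added example, not code from the page or from Microsoft's documentation. The service names `WAPCSvc`/`WAPCUpdaterSvc` (Application Proxy connector) are assumed from common installs, and the `AzureADPasswordProtection` module cmdlets are the ones shipped with the proxy installer; verify both on your own build.

```powershell
# Added example: pre-installation placement check for the Azure AD / Entra
# Password Protection proxy, followed by post-install health queries.
# Run in an elevated PowerShell session on the candidate member server.

function Test-PasswordProtectionProxyPlacement {
    [CmdletBinding()]
    param()

    $findings = @()

    # Rule 1: do not co-locate with the Azure AD Application Proxy connector.
    # Both products install different versions of the AAD Connect Agent Updater
    # service, which breaks auto-update. (Service names are assumptions.)
    $appProxy = Get-Service -Name 'WAPCSvc', 'WAPCUpdaterSvc' -ErrorAction SilentlyContinue
    if ($appProxy) {
        $findings += 'Application Proxy connector is installed here; choose a different member server.'
    }

    # Rule 2: the proxy belongs on a domain-joined member server, not on a DC.
    # Win32_ComputerSystem.DomainRole: 3 = member server, 4 = backup DC, 5 = primary DC.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.DomainRole -ge 4) {
        $findings += 'This machine is a domain controller; the proxy should run on a member server.'
    }
    if (-not $cs.PartOfDomain) {
        $findings += 'Machine is not domain-joined; the proxy must be a domain member.'
    }

    # Rule 3: the proxy, not the DCs, needs outbound TCP/443 to Entra ID to
    # download the global and custom banned password policy.
    $net = Test-NetConnection -ComputerName 'login.microsoftonline.com' -Port 443 -WarningAction SilentlyContinue
    if (-not $net.TcpTestSucceeded) {
        $findings += 'No outbound TCP/443 to login.microsoftonline.com; policy download would fail.'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Suitable     = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

function Get-PasswordProtectionHealth {
    # Post-install: requires the AzureADPasswordProtection module that the proxy installer adds.
    Import-Module AzureADPasswordProtection -ErrorAction Stop
    Test-AzureADPasswordProtectionProxyHealth -TestAll   # registration, Azure connectivity, TLS
    Get-AzureADPasswordProtectionProxy                    # proxies the DC agents can discover via SCP
    Get-AzureADPasswordProtectionDCAgent                  # each DC agent and the policy date it last pulled
}

Test-PasswordProtectionProxyPlacement
```

If `Get-AzureADPasswordProtectionDCAgent` shows a stale policy date on a DC, the usual cause is that the DC cannot reach any registered proxy, which is the discovery path the DC Agent service uses (querying the forest for proxy serviceConnectionPoint objects) rather than any direct connection from the DC to the internet.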
Correct answer is Server 2, then Azure AD. The password protection proxy is installed on a member server. You enable the banned p/w list in Azure AD, the proxy downloads it and passes it to the DCs in the domain.
Agree with the majority here: Custom banned password list is configured on Azure AD, now Entra ID portal
BTW the first part is very suspect, because AD Connect also has the "Microsoft Entra Connect Agent Updater" service as part of its installation routine. In real life you'd prefer a separate, additional member server.
https://learn.microsoft.com/en-us/entra/identity/hybrid/verify-sync-tool-version
Answer should be SERVER2 and Azure AD
Configure the password list in Azure AD; the password protection proxy makes it available on your on-prem DC. Refer to the diagram in the link:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy
The password list is created in Azure AD and then copied to the SYSVOL on the Domain Controller.
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-password-ban-bad-on-premises-operations
And... "The DC Agent service is responsible for initiating the download of a new password policy from Microsoft Entra ID. "
https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad-on-premises
Look at this page
https://learn.microsoft.com/en-us/training/modules/manage-user-authentication/6-deploy-manage-password-protection
First one should be server 2
It is a SERVER 2 answer! Here it is written very clearly:
!! Warning !!!
Azure AD Password Protection proxy and Azure AD Application Proxy install different versions of the Microsoft Azure AD Connect Agent Updater service, which is why the instructions refer to Application Proxy content. These different versions are incompatible when installed side by side and doing so will prevent the Agent Updater service from contacting Azure for software updates, so you should never install Azure AD Password Protection Proxy and Application Proxy on the same machine.
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy
Reasons why we need Password protection service on Server 2:
DC1: this usually doesn't have connectivity to the internet, so not a viable option
Server1: please keep in mind that AAD Password Protection service and AAD Application Proxy use different versions of AAD. This gives rise to a compatibility issue
Server2: the only possible option left
The correct answer is Server2 and Azure AD.
https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-configure-custom-password-protection
https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-configure-custom-password-protection#configure-custom-banned-passwords . Point 1: Sign in to the Azure portal using an account with global administrator permissions.
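The tutorial linked above configures the custom banned password list through the portal. As an added example (not from the page or from Microsoft's tutorial), the same tenant-level setting can be written with Microsoft Graph PowerShell, which is useful when the list and the Audit/Enforce mode for on-premises DCs need to be kept in source control. The cmdlets (`Get-MgGroupSettingTemplate`, `Get-MgGroupSetting`, `New-MgGroupSetting`, `Update-MgGroupSetting`) and the setting names (`BannedPasswordList`, `EnableBannedPasswordCheckOnPremises`, `BannedPasswordCheckOnPremisesMode`) are assumptions based on the Graph `groupSettings` API and its "Password Rule Settings" template; `litware` is taken from the scenario, the other words are constructed placeholders.

```powershell
# Added example: manage the Entra ID (Azure AD) custom banned password list and
# the on-premises enforcement mode via Microsoft Graph PowerShell.
# Requires the Microsoft.Graph module and the Directory.ReadWrite.All scope.
Connect-MgGraph -Scopes 'Directory.ReadWrite.All'

function Set-CustomBannedPasswordPolicy {
    param(
        [Parameter(Mandatory)] [string[]] $BannedWords,
        [ValidateSet('Enforce', 'Audit')] [string] $OnPremMode = 'Audit'
    )

    # The tenant-wide password policy lives in a directory setting created from
    # the "Password Rule Settings" template; look it up by name rather than
    # hardcoding the template GUID.
    $template = Get-MgGroupSettingTemplate | Where-Object DisplayName -eq 'Password Rule Settings'
    if (-not $template) { throw 'Password Rule Settings template not found in this tenant.' }

    # The custom list is a single tab-separated string of org-specific terms
    # (company and product names); the global list is managed by Microsoft.
    $values = @(
        @{ Name = 'EnableBannedPasswordCheck';           Value = 'true' }
        @{ Name = 'BannedPasswordList';                  Value = ($BannedWords -join "`t") }
        @{ Name = 'EnableBannedPasswordCheckOnPremises'; Value = 'true' }
        @{ Name = 'BannedPasswordCheckOnPremisesMode';   Value = $OnPremMode }
    )

    # A tenant has at most one setting object per template: update it if it
    # exists, otherwise create it.
    $existing = Get-MgGroupSetting | Where-Object TemplateId -eq $template.Id
    if ($existing) {
        Update-MgGroupSetting -GroupSettingId $existing.Id -Values $values
    } else {
        New-MgGroupSetting -TemplateId $template.Id -Values $values
    }
}

# Start in Audit mode: the DC agent then logs password changes that *would*
# have been rejected, so you can review impact before switching to Enforce.
Set-CustomBannedPasswordPolicy -BannedWords 'litware', 'litwareinc', 'placeholder-product' -OnPremMode 'Audit'
```

Nothing in this script touches the DCs: once the setting is saved, the proxy downloads the new policy from Entra ID and the DC agents pick it up through the proxy, which is the flow the commenters above describe.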
The question says: "Connect uses pass-through authentication and has password hash synchronization disabled."
It means that AD DS is doing the authentication. How will Azure AD be asked if the password is in the banned list? Your link says nothing about a hybrid environment as we have here. The link in the answer has the information.
Check this link,
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises
Under "How Azure AD PP works" you will find this,
The DC Agent service is responsible for initiating the download of a new password policy from Azure AD. The first step is to locate an Azure AD Password Protection Proxy service by querying the forest for proxy serviceConnectionPoint objects.
and if you keep reading, you will find that there is no such thing as a banned password list on-prem for modification. Everything is downloaded from Azure AD
With that, I will stay with
-Server2
-Azure AD
If you read their reasoning for choosing The DC, it is still clear that the list is downloaded from Azure
Box 2: DC1 -
The Azure AD Password Protection proxy service is typically on a member server in your on-premises AD DS environment. Once installed, the Azure AD
Password Protection proxy service communicates with Azure AD to maintain a copy of the global and customer banned password lists for your Azure AD tenant.