Exam MS-100 topic 4 question 37 discussion

Answer: A Explanation Azure AD Pass-through Authentication. Provides a simple password validation for Azure AD authentication services by using a software agent that runs on one or more on-premises servers. The servers validate the users directly with your on-premises Active Directory, which ensures that the password validation doesn't happen in the cloud.

"A" is correct answer. Reason: This solution is appropriate when your organization is constrained from allowing any form of password synchronization to the cloud. This may include being restricted from allowing cryptographic hashes of passwords to be stored in the cloud

Having 5 Domain controllers makes it highly available. I will go for A.

The correct answer is B. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn As a DR mode, Microsoft recommends Pass through Authentication + Password Sync...in case PTA Agents are not available, Password hash sync kicks in! I had a discussion with Microsoft guys and this is what they recommended

Disregard everything I've said. PtH w/ SSO is the way to go. All the others require some form of additional infrastructure. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn

the word "highly available" is tripping me up. Technically, answer should be C because PHS is the only one that is referenced as "highly available" in MS docs: Use or enable password hash synchronization for whichever authentication method you choose, for the following reasons: High availability and disaster recovery. Pass-through Authentication and federation rely on on-premises infrastructure. For pass-through authentication, the on-premises footprint includes the server hardware and networking the Pass-through Authentication agents require. For federation, the on-premises footprint is even larger. It requires servers in your perimeter network to proxy authentication requests and the internal federation servers. PTA is more available than Federated, and PHS is more available than PTA - but at the same time, if this question is poorly worded and storing the hash in the cloud is considered as storing the password in the cloud, then PTA with SSSO would be the answer.

A for sure!

Ensure that users can access Microsoft 365 by using their on-premises credentials > Requires password hash sync Use the existing server infrastructure only > PTA (with installing authentication agent on DCs) Store all user passwords on-premises only > This is satisfied by password hash sync anyway as the passwords synced from on-prem AD to Azure AD are only hashes Be highly available > with password hash, you can login to Microsoft services even if the DC/PTA is not accessible and also PTA agent can be installed on multiple DCs to provide redundancy I think the answer is B

Option A- "pass-through authentication and seamless SSO" ticks all the boxes as per below link and there is no need to consider other solutions https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta

I believe it's a tricky question, however the answer is B. It states 5 domain controllers and MS, says 3 or more servers with AD Connect is the best option for Pass-through, which is using their existing server configuration. Password Hash gives the High Availability, which doesn't store on Azure, it needs to be decrypted once more, but still only sees the hash which cannot be reverted.

Password Hash Sync. This was the recommendation from Microsoft for High availability or On-premises outage survival or Identity protection. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn

Agree with Kazaki that C should be correct. From the link provided "Avoid outages by using password hash synchronization because the Microsoft Azure AD cloud authentication service scales globally and is always available."

i just passed the test today if high availability is mentioned then we need pass Hash sync https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn

How does answer A meet the 'highly available' requirement? If O365 cannot forward authentication requests to the ADDS. For me the answers do not meet the requirements. In my opinion the answer should be PHS and SSO. Passwords are stored on-premise and the hash is syn'd which meets the requirements. Have I got this wrong?

with Adfs you can install ADFS server on DC so the solution for me is Federation https://docs.microsoft.com/en-us/previous-versions/azure/azure-services/dn151324(v=azure.100)?redirectedfrom=MSDN

Federation would be more highly avalailable than adconnect ... you can have Afds proxy + Adfs serverS you can have only ONE adconnect server, Adconnect is not a solution highly available

The real question here is, are MS counting a hash of the password the same as the password? I'd be inclined to say and go with A