Exam MS-500 topic 1 question 34 discussion

for me the correct answers are: option 2 for the first question : azure ad account (cloud only) can also authenticate on Azure AD option 2 for the secondo question.

PTA authentication is used, so whenever account is synced from local AD, logon process for them requires active PTA agent to contact domain controller. So only Azure AD users are able to log in while PTA agent is not working properly. Am I missing something?

Correct answer is 1-1 and 2-2 because it says that it did not sync for 4h, which means that if Azure AD Connect stops syncing, PTA functionality may be impacted. Users may experience issues logging in to Microsoft 365 as the authentication requests won't be processed against the on-premises directory.

Valid on 28/01/2023

PTA is not now working due to 4 hours last time sync when the interval is only 30 minutes. At the same time, Pass-through Authentication does not automatically failover to password hash synchronization, look here https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-faq#does-password-hash-synchronization-act-as-a-fallback-to-pass-through-authentication- In this case, only AAD users can authenticate. This is 1st answer to the 1st question. Regarding the 2nd question, we need to fix a problem and add an additional agent for HA to avoid warning. So the answer here is 2. Eventually: 1 - 1 2 - 2

I see no reason whatsoever why an Azure AD account would not be able to sign in if there were any issues on-prem. I'm going with 2 and 2.

Only on prem synced ac can authenticate as it uses passthrough auth instead of PHS. Agent status has warning which is a key service for PTA. Ans is correct.

Valid on exam October 14, 2022

According to the screenshot the AAD Connect sync stopped working but it synced before so the on-prem user and password databse were synced to AAD. Users who were already synced to AAD and all AAD users can still login to Azure AD. PTA agent is still running and can validate the password policies. I would pick option 2 for Q1.

3 ways of connecting your workstations to Microsoft Azure * Azure AD Registered - BYOD concept, user can use a local account to log in and still use corporate 365 services with SSO * Azure AD Joined - when configured users have to use [email protected] to login to their PC * Hybrid Azure AD Joined - user has to provide a local domain username to access the PC. So the question is, which employees can authenticate by using Azure AD? according to the screenshot, we can see this is a hybrid setup, so the on-prem DC will be the primary authentication point. So the answer is Only employees who have an on-premises account. Note: they can also use Aure AD creds to access portal.office.com when they log in to the workstation inside.

I make it option 2 for both answers and even though I have worked with this for years I had to Lab it up to be sure (and still the MS wording is tricky!) Firstly, even tho the sync server hasn't synced for hours the PTA agent still works ( i tested this) so users with an AD synced a/c can still authenticate by logging in via AAD. The agent will still pick up their creds from the service bus. AAD users authenticate directly against AAD anyway so they can as well. Second Question - Adding a second PTA authentication agent does fix the warning as everyone has said (tested). However, running start-AdSyncSyncCycle give an error if the AAD config wizard has been left open(the most likely problem and also tested) so only option 2 is correct.

Azure AD account ( cloud only) and synced account can authenticate

Question 1 = Answer 3, Only Synced On-Prem accounts can authenticate with Azure AD to sign into their On-Prem domain. Answer 2 is incorrect because it states that they also need an Azure account on top of their synced On-Prem account, when they only require the latter, not both. Question 2 (and it's answers) didn't make the most sense for me, so I'm going with the flow for that one and going with their answer.

Q1 = Answer 2, because no information we have regarding the PTA agent malfunction. the only information is 1 PTA agent is present, the warning means no other PTA agent ( 2 agent are required for HA)

Vague question. If user has 2 accounts: AAD and synced on-perm he/she can use any of this account lo login.

If password hash sync is enabled then i'm pretty sure that azure ad is the authenticating local ad accounts on its own so i believe the given answers here are correct

1st: 1st answer 2nd: 2nd answer