Exam MS-100 topic 3 question 69 discussion

Actual exam question from Microsoft's MS-100
Question #: 69
Topic #: 3

HOTSPOT -
Your network contains an on-premises Active Directory domain named adatum.com that syncs to Azure Active Directory (Azure AD) by using the Azure AD Connect Express Settings. Password writeback is disabled.
You create a user named User1 and enter Pass in the Password field as shown in the following exhibit.

The Azure AD password policy is configured as shown in the following exhibit.
Hot Area:

Suggested Answer:
Box 1: Yes -
The question states that User1 is synced to Azure AD. This tells us that the short password (Pass) meets the on-premise Active Directory password policy and you were able to create the on-premise account for User1. The on-premise Active Directory password policy applies over the Azure AD password policy for synced user accounts.

Box 2: No -
Self-Service Password Reset would need to be configured.

Box 3: Yes -
The password for the Azure AD User1 account will expire after 90 days according to the Azure AD password policy. If the on-premise password policy has a shorter password expiration period, User1 would have to change his/her on-premise AD password. The new password would then sync to Azure AD.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-express

Comments

TheWallPTA
Highly Voted 4 years, 2 months ago
Should this not be YNN? On-prem Password policy should apply...
upvoted 29 times
BoxGhost
3 years, 2 months ago
I think cloud password expiration for a synced account would be ignored unless you enable a specific feature. So I would be inclined to go for YNN.
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization#enforcecloudpasswordpolicyforpasswordsyncedusers
When EnforceCloudPasswordPolicyForPasswordSyncedUsers is disabled (which is the default setting), Azure AD Connect sets the PasswordPolicies attribute of synchronized users to "DisablePasswordExpiration". This is done every time a user's password is synchronized and instructs Azure AD to ignore the cloud password expiration policy for that user.
upvoted 5 times
...
...
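The mechanism quoted in the comment above can be checked per account. The following is an added example, not part of the original thread or of Microsoft's tooling: it evaluates user records shaped like Microsoft Graph user objects (`onPremisesSyncEnabled`, `passwordPolicies`, `lastPasswordChangeDateTime`) against a cloud expiration period. The sample users, the function names and the `enforce_for_synced` parameter (standing in for the EnforceCloudPasswordPolicyForPasswordSyncedUsers setting) are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data shaped like Microsoft Graph user objects (not real accounts).
USERS = [
    {"userPrincipalName": "User1@adatum.com", "onPremisesSyncEnabled": True,
     "passwordPolicies": "DisablePasswordExpiration",
     "lastPasswordChangeDateTime": "2022-01-10T08:00:00Z"},
    {"userPrincipalName": "User2@adatum.com", "onPremisesSyncEnabled": True,
     "passwordPolicies": None,
     "lastPasswordChangeDateTime": "2022-01-10T08:00:00Z"},
    {"userPrincipalName": "Cloud1@adatum.com", "onPremisesSyncEnabled": None,
     "passwordPolicies": "DisableStrongPassword",
     "lastPasswordChangeDateTime": "2022-05-01T08:00:00Z"},
]

def policy_flags(raw):
    """Split the comma-separated passwordPolicies string into a set of flags."""
    return {p.strip() for p in (raw or "").split(",") if p.strip() not in ("", "None")}

def cloud_expiry(user, validity_days, now):
    """Return (status, expiry) under the cloud policy; validity_days=None means never."""
    if "DisablePasswordExpiration" in policy_flags(user.get("passwordPolicies")):
        return "exempt", None
    if validity_days is None:
        return "active", None
    changed = datetime.strptime(user["lastPasswordChangeDateTime"], "%Y-%m-%dT%H:%M:%SZ")
    expires = changed.replace(tzinfo=timezone.utc) + timedelta(days=validity_days)
    return ("expired" if expires <= now else "active"), expires

def audit(users, validity_days, enforce_for_synced, now):
    """Report each account's cloud expiry state; note states that contradict the tenant setting."""
    report = {}
    for u in users:
        status, expires = cloud_expiry(u, validity_days, now)
        synced = bool(u.get("onPremisesSyncEnabled"))
        note = ""
        if synced and enforce_for_synced and status == "exempt":
            note = "flag persists until the next on-premises password change is synced"
        elif synced and not enforce_for_synced and status != "exempt":
            note = "flag was cleared; the next password sync sets it again"
        report[u["userPrincipalName"]] = {"synced": synced, "status": status,
                                          "expires": expires, "note": note}
    return report

if __name__ == "__main__":
    now = datetime(2022, 6, 1, tzinfo=timezone.utc)
    for upn, row in audit(USERS, 90, enforce_for_synced=False, now=now).items():
        print(upn, row["status"], row["expires"], row["note"])
```

With the 90-day period and the setting off, only the synced account that lacks the flag is reported as expired; the account that carries DisablePasswordExpiration is exempt whatever the tenant period is.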
adaniel89
Highly Voted 4 years ago
There is no second exhibit! How can you guys answer this question ?
upvoted 28 times
Bobalo
3 years, 11 months ago
Guessing that the policy is fairly default. An on prem policy would win over a policy in AzureAD and password writeback is disabled, that already tells you a lot about the possible answers.
upvoted 1 times
...
...
Amir1909
Most Recent 1 year, 4 months ago
- Yes - No - No
upvoted 1 times
...
Meebler
2 years, 3 months ago
If password writeback is disabled, the password policies in Azure AD and on-premises Active Directory will be enforced independently. By default, the Azure AD password policy requires users to change their passwords every 90 days. However, if you have a hybrid environment and are synchronizing passwords from on-premises Active Directory to Azure AD, the on-premises password policy will apply to your users. In this case, the password expiration period will be determined by your on-premises Active Directory policy settings, not by Azure AD. If you want to enforce a consistent password expiration policy for both on-premises and cloud users, you should configure the password policies in both environments to have the same settings.
upvoted 1 times
...
Everlastday
2 years, 5 months ago
On Exam 03.01.2023
upvoted 4 times
...
Moderator
2 years, 10 months ago
Valid question (30th July 2022).
upvoted 3 times
...
Moderator
2 years, 11 months ago
Still a valid question (July 30th 2022).
upvoted 1 times
...
Contactfornitish
2 years, 11 months ago
I would go ynn since the wording says #from Azure ad#. You can't reset from Azure ad without write back
upvoted 1 times
...
TechMinerUK
3 years ago
Based on the information provided (where we can't see the ADDS password policy, which means we must assume it is set to no expiry) the answer is Y, N, N. This is because:
1. The user's password is still valid as it is enabled in ADDS, as we do not know if a password policy is applied in ADDS
2. Password writeback is not enabled so the user cannot reset their password in AzureAD
3. Microsoft 365 Password Expiry policies do not apply to on-premises synchronised accounts as stated here https://docs.microsoft.com/en-us/microsoft-365/admin/manage/set-password-expiration-policy?view=o365-worldwide under "Synchronize user passwords hashes from an on-premises Active Directory to Azure AD (Microsoft 365)"
upvoted 1 times
...
trexar
3 years, 2 months ago
1.y 2.n 3.n Express installation just performs PHS, which means it just sends the hash.
upvoted 1 times
...
KSvh53
3 years, 3 months ago
Where is the 2nd photo? I believe it is missing, which is very important for understanding the question....
upvoted 1 times
...
Durden871
3 years, 4 months ago
This is why I have trust issues:
Password expiry duration (Maximum password age) Default value: 90 days.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#:~:text=Default%20value%3A%2014%20days%20(before,using%20the%20Set%2DMsolPasswordPolicy%20cmdlet.
As an admin, you can make user passwords expire after a certain number of days, or set passwords to never expire. By default, passwords are set to never expire for your organization. Current research strongly indicates that mandated password changes do more harm than good.
https://docs.microsoft.com/en-us/microsoft-365/admin/manage/set-password-expiration-policy?view=o365-worldwide
upvoted 1 times
Durden871
3 years, 4 months ago
From another source on this very question:
Box 3: Yes - The password for the Azure AD User1 account will expire after 90 days according to the Azure AD password policy. If the on-premise password policy has a shorter password expiration period, User1 would have to change his/her on-premise AD password. The new password would then sync to Azure AD. Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-express
I looked at the provided article, but see no mention of password policy in the article. Again, I think there's a missing image. Default is set to 90 days in AzureAD, the policy doesn't apply to accounts synchronized from AD DS unless the enforced cloud password policy is applied. Really hate this question.
upvoted 2 times
...
Durden871
3 years, 4 months ago
Looking at the first link further: The Azure AD password policy doesn't apply to user accounts synchronized from an on-premises AD DS environment using Azure AD Connect, unless you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers. So, let's look at it this way:
1. Yes. The user is created on-prem and it will sync to Azure AD
2. No. Password write-back is disabled.
3. Probably No. There is no second exhibit, password write-back is disabled and most importantly, if the user is created on-prem and sync'd to AzureAD, then the password defaults in Azure should not be applicable to the sync'd users. Doesn't matter if the default policy is 90 days if the directory is sync'd to Azure, and again, how would that even work if writeback is disabled?
This, of course, is assuming EnforceCloudPasswordPolicyForPasswordSyncedUsers wasn't enabled. Since we don't have an image for exhibit 2, who knows?
upvoted 3 times
...
...
Storm
3 years, 5 months ago
Default AAD Policy is password never expires (not enabled)... but let's guess that the missing exhibit shows that this is set to 90 days. Password Writeback is disabled, which means that if the user tries to change password in Azure he will be told that this is not possible... To be able for him to change his password in the cloud, he would have to register for SSPR (Self Service Password Reset), which he cannot, as password Writeback is disabled. Box3 is 100% No
upvoted 3 times
...
jkklim
3 years, 6 months ago
YNY is correct. For item 3, if no one makes any changes (forget about whatever exhibit), Azure AD default password policy is 90 days
upvoted 1 times
...
lengySK
3 years, 10 months ago
If Password Write-Back is disabled, Azure password protection policies won't affect any users that are synced from your directory. Y, N, N
upvoted 2 times
...
emilianogalati
3 years, 10 months ago
YNY. Password is by default set on 90 days before expiration and with a reminder 14 days before.
upvoted 2 times
emilianogalati
3 years, 9 months ago
Also YNN if you consider writeback is disabled.
upvoted 2 times
...
...
AZalan
3 years, 11 months ago
Y,N,N. There is no password Writeback & by default Password expiration policy is disabled on MS365 admin center. Microsoft recommendation is to have strong password with no expiration policy.
upvoted 3 times
...