Exam MS-100 All Questions

View all questions & answers for the MS-100 exam

Exam MS-100 topic 4 question 41 discussion

Actual exam question from Microsoft's MS-100

Question #: 41
Topic #: 4

HOTSPOT -
You have a Microsoft 365 Enterprise E5 subscription.
You create a password policy as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:

Show Suggested Answer

Suggested Answer:

By default, smart lockout locks the account from sign-in attempts for one minute after 10 failed attempts. In this question, the lockout threshold if 5 failed attempts.
The account locks again after each subsequent failed sign-in attempt, for one minute at first and longer in subsequent attempts.
Password evaluation goes through several steps including normalization and Substring matching which is used on the normalized password to check for the user's first and last name as well as the tenant name.
The next step is to identify all instances of banned passwords in the user's normalized new password. Then:
1. Each banned password that is found in a user's password is given one point.
2. Each remaining unique character is given one point.
3. A password must be at least five (5) points for it to be accepted.
Conto$01Pa$$word contains two banned passwords and no remaining unique characters so is given a score of 2 points. This is less than the required 5 points so will be rejected.
Pa$$w0rd contains a banned password and no remaining unique characters so is given a score of 1 point. This is less than the required 5 points so will be rejected.
AzureAD!!111 contains a banned password (AzureAD!!) and has three remaining characters. However, the remaining characters are all the same (they're all 1s) so that is only one unique character. So that password will be given a score of 2. One for the banned password and 1 for the unique character. This is less than the required 5 points so will be rejected.
PasswordPa55w.rd does not contain a banned password. PasswordPa55w.rd contains 16 characters. However, there are two 'P', two 'a', two 's', two 'w', two 'r', two 'd', and two '5' so there are 9 unique characters. Therefore, the password will be given a score of 9 points. This is more than the required 5 points so the password will be accepted.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout

by TheWallPTA at April 15, 2021, 5:05 a.m.

Comments

Submit Cancel

Moderator

2 years, 10 months ago

Still a valid question (July 30th 2022).

upvoted 3 times

...

JakeH

3 years, 7 months ago

In exam today

upvoted 4 times

...

Eggsamine

3 years, 7 months ago

Agree with the answer, just thought I would add that the custom banned passwords list is case-insensitive, so Pa$$w0rd is the same as pa$$w0rd: https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-configure-custom-password-protection#:~:text=The%20custom%20banned%20password%20list%20is%20case-insensitive

upvoted 3 times

...

TimurKazan

3 years, 9 months ago

correct

upvoted 2 times

...

Azreal_75

3 years, 9 months ago

I have a query, in the given answer it says: "PasswordPa55w.rd does not contain a banned password." Am I being thick or is that incorrect? The first part of the p/w is Password - in the banned passwords list is Pa$$w0rd. After normalisation would that not equate to Password? Or is normalisation only done on the entered passwords and not the ones in the banned password list?

upvoted 4 times

Paolo2022

2 years, 7 months ago

You are correct - NONE of the passwords given here would be eligible to be chosen! Normalisation is exactly what prevents that, see: https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad#step-1-normalization Thankfully the rules are rather clear - otherwise this lack of a correct option would be a problem...

upvoted 1 times

...

MigrationEndpoint

4 years, 2 months ago

"If the first sign-in after a lockout also fails, the account locks out again. If an account locks repeatedly, the lockout duration increases." - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout

upvoted 2 times

...

Gus01

4 years, 2 months ago

Yes 5 Sign in Attempts after every minute is the correct answer

upvoted 3 times

dsiisus

4 years ago

vikingSWE is correct https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout

upvoted 1 times

...

VikingSWE

4 years ago

No it is not. After the first lockout, the user gets only one try per lockout duration.

upvoted 6 times

...

joergsi

3 years, 4 months ago

one sign-in attempt every minute, after 5 fails the account will be blocked! In your case, the user can sign in 5 times within 1 Minute!

upvoted 1 times

...

TheWallPTA

4 years, 2 months ago

Lockout Threshold = How many failed sign-ins are allowed on an account before its first lockout. If the first sign-in after a lockout also fails, the account locks out again. Lockout duration in seconds = The minimum length in seconds of each lockout. If an account locks repeatedly, this duration increases. So I think it should be: 5 Signin Attempts each Minute.

upvoted 1 times

VikingSWE

4 years ago

No. After the first lockout, the user gets only one try per lockout duration.

upvoted 5 times

subbuhotmail

3 years, 10 months ago

S0 basically, 1. If users attempts 5 wrong password then it will lock. --> Locked 2. After 60 seconds, lock released. 3. If user enter wrong password , then in the 1st attempt after lockout ---> it will lock again. 4. If user enter correct password then all reset to normal again.

upvoted 9 times

...