Exam MS-100 topic 2 question 59 discussion

User1 can authenticate by on-prem AD. YNN

Correct

In Active Directory, each user has two UPN's: Explicit UPN (eUPN): This is the value of the user object's userPrincipalName attribute. This can be changed to any value, regardless of any alternate UPN suffixes you have configured in the forest. Implicit UPN (iUPN): This is constructed by concatenating the value of the user object's samAccountName attribute with the value of the domain's FQDN. The FQDN is stored as the value of the dnsRoot attribute of the domain's crossRef object stored at LDAP://CN=DOMAIN_NETBIOS_NAME,CN=Partitions,CN=Configuration,DC=DOMAIN) If PtA uses AD to find user it will work for 'root domain' and 'any subdomain' within forest added as alternative suffix domain.

[email protected] (Autentícate) -> UPN contoso.com -> SI [email protected] (Autentícate) -> UPN East.contoso.com -> NO [email protected] (Autentícate) -> UPN Fabrikam.com -> NO

Was in my exam today 05/08/22.

I believe the answer provided is correct as from the question it appears that contoso.com is setup in AzureAD and Microsoft 365 however because the users still have their east.contoso.com and fabrikam.com set as their UPNs in Active Directory when they synchronise to AzureAD they will likely have a UPN like the bellow: %username%@contoso.onmicrosoft.com Because of this they would need to use the above username to sign in succesfully or on Active Directory they would need their UPN suffix changing to contoso.com before actioning a delta sync to update their AzureAD profiles with the correct domain for their username

i agree with the ans provided YNN. Box 2: No – (need to use east.contoso.com) Box 3: No – (not configured as domain on on-prem AD)

The default configuration in Azure AD Connect sync assumes: Each user has only one enabled account, and the forest where this account is located is used to authenticate the user. This assumption is for password hash sync, pass-through authentication and federation. UserPrincipalName and sourceAnchor/immutableID come from this forest. Each user has only one mailbox. The forest that hosts the mailbox for a user has the best data quality for attributes visible in the Exchange Global Address List (GAL). If there's no mailbox for the user, any forest can be used to contribute these attribute values. If you have a linked mailbox, there's also an account in a different forest used for sign-in. So user 1 default user 2 and user 3 default, user 2 and 3 can not login without change their UPN

the answer for this exam is YNN But you could actually sync the 3 users with sync rule that would set all cloud UPN accounts to @contoso.com and they all will be able to sign-in that way

All answers should be NO. Password Hash Sync is disabled so user1 cannot authenticate to Azure only Pass Thru is working so has to Authenticate to On Prem AD