Exam AZ-500 topic 1 question 4 discussion

Actual exam question from Microsoft's AZ-500
Question #: 4
Topic #: 1

Note: The question is included in a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has an Active Directory forest with a single domain, named weylandindustries.com. They also have an Azure Active Directory (Azure AD) tenant with the same name.
You have been tasked with integrating Active Directory and the Azure AD tenant. You intend to deploy Azure AD Connect.
Your strategy for the integration must make sure that password policies and user logon limitations affect user accounts that are synced to the Azure AD tenant, and that the number of necessary servers is reduced.
Solution: You recommend the use of password hash synchronization and seamless SSO.
Does the solution meet the goal?

  • A. Yes
  • B. No
Suggested Answer: B

Comments

Dushank
Highly Voted 3 years, 9 months ago
Answer should be "No". Password hash synchronization cannot support the password policies and user logon limitations. For this you need to implement Pass-through authentication.
upvoted 45 times
rawrkadia
3 years, 8 months ago
Correction, it does somewhat support password policies like complexity (but does not support expiration) and does not support logon restrictions at all. There are about 20 versions of this question in the dump and I'm glad by this point people are arriving at the correct answer and realizing PHS doesn't work for the use case. :)
upvoted 8 times
...
...
kakakayayaya
Highly Voted 3 years, 8 months ago
There are 3 options for solution:
1) Password hash synchronization + Seamless SSO
2) Pass-through Authentication + Seamless SSO
3) Federation with AD FS
1 - doesn't support "password policies and user logon limitations".
upvoted 20 times
kakakayayaya
3 years, 8 months ago
So answer is NO
upvoted 9 times
...
...
stonwall12
Most Recent 2 months, 3 weeks ago
Selected Answer: B
Answer: B, No
Reason: Password hash synchronization with seamless SSO doesn't meet the goal as it doesn't enforce on-premises password policies and logon restrictions since authentication happens in the cloud.
Reference: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/how-to-connect-password-hash-synchronization
upvoted 1 times
...
ITFranz
4 months, 1 week ago
Selected Answer: B
To support the answer: Password hash synchronization (PHS) partially supports on-premises password policies and user logon limitations, but with some important caveats:
Password policies: PHS respects the on-premises Active Directory password policies to some extent. When users change their passwords on-premises, these changes are synchronized to Azure AD, ensuring that the same password complexity and expiration rules apply.
User logon limitations: PHS does not fully support all on-premises user logon limitations. For example: If an account is expired but still active in on-premises AD, cloud authentication through Azure AD may still succeed, even though an on-premises sign-on would fail. Not all Active Directory policies are respected in the cloud environment when using PHS.
Answer = B
upvoted 1 times
...
awfnewf1q243
7 months, 2 weeks ago
Selected Answer: B
B. No
Correct path through the decision tree is Yes -> Yes -> No -> No, which results in "Pass-through Auth + Seamless SSO".
The only reason we would want PHS is if we answered "No" to "Do you want to enforce user-level Active Directory security policies during sign in?"
The stated objective is "make sure that password policies and user logon limitations affect user accounts that are synced to the Azure AD tenant".
If you read footnote #3 of the decision tree it says "If you need to apply, user-level Active Directory security policies such as account expired, disabled account, password expired, account locked out, and sign-in hours on each user sign-in, Azure AD requires some on-premises components."
Reference: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn#decision-tree
upvoted 2 times
...
pentium75
9 months, 1 week ago
Selected Answer: B
No because "[some] password policies [like expiration] and user logon limitations" are not supported by password hash sync
upvoted 1 times
...
b9e98e8
1 year, 3 months ago
PHS ensures that the password complexity policies from your on-premises AD instance override the complexity policies in the cloud for synchronized users. For PHS, if your AD enforces specific password complexity rules (e.g., minimum length, character requirements), those rules apply to synchronized users accessing Microsoft Entra services. For PHS, if your on-premises AD enforces password expiration (e.g., passwords must be changed every 90 days), that policy remains in effect.
upvoted 2 times
...
wardy1983
1 year, 5 months ago
Answer: B
Explanation: Password hash synchronization cannot support the password policies and user logon limitations. For this you need to implement Pass-through authentication.
upvoted 1 times
...
[Removed]
1 year, 6 months ago
https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/choose-ad-authn
Use the decision making chart and answer is NO
upvoted 2 times
...
MeisAdriano
1 year, 6 months ago
Selected Answer: B
Absolutely NO
upvoted 1 times
...
JunetGoyal
1 year, 7 months ago
NO, coz of this line: "make sure that password policies and user logon limitations".
Example: Organisation has user policy that user can login for specific date & time, which is an example of "make sure that password policies and user logon limitations". So we cannot use PHS. We need Pass through.
Ans for all situations:
Pass through -- yes
ADFS - NO
PHS - NO
upvoted 2 times
...
BigShot0
1 year, 7 months ago
Selected Answer: B
You cannot enforce logon requirements with this solution.
upvoted 1 times
...
ESAJRR
1 year, 10 months ago
Selected Answer: B
B. Answer is No
upvoted 1 times
...
jambarka
2 years ago
Selected Answer: A
hash sync simply syncs the hashes of passwords that already onprem ADDS policies. User logon limitations are reflected by account properties affecting its state, which get synced with the account and should be supported
upvoted 2 times
...
majstor86
2 years, 2 months ago
Selected Answer: B
B. Answer is No
upvoted 1 times
...
tichyrb
2 years, 3 months ago
The reference in the explanation is the PTA link (:
upvoted 2 times
...
Seelearndo
2 years, 3 months ago
Selected Answer: B
Password policy enforcement can be done only using Pass through authentication. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn
upvoted 1 times
...