Exam MS-500 topic 1 question 75 discussion

Here, the answer will be N, Y, Y Audit mode is the default initial setting, where passwords can continue to be set. Passwords that would be blocked are recorded in the event log. After you deploy the proxy servers and DC agents in audit mode, monitor the impact that the password policy will have on users when the policy is enforced. https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy

Pretty sure it is N N Y Let me explain: First NO: Password protection only applies when the user changes his password, so in this case the user will not be prompted to change the password. Second NO: The banned word can not be used and Password protection will change the dollar symbol to an S. For people saying the policy is in audit mode: Audit mode only applies when you enable on prem password protection. When you click 'no' for on prem password, this audit mode will be greyed out. For Azure AD this policy will be applied. Third YES: Password protection for on prem is in audit mode, so password can be changed to whatever.

Why is Azure AD still rejecting weak passwords even though I've configured the policy to be in Audit mode? Audit mode is only supported in the on-premises Active Directory environment. Azure AD is implicitly always in "enforce" mode when it evaluates passwords. Source: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-faq

Correct Answer should be 1. No : as given policy applies when changing password not authenticating 2. No : tested in Lab environment and it fails to update the given password with this message ("Unfortunately, your password contains a word, phrase, or pattern that is banned by your organization. Please try again with a different password") 3. Yes : as the on-prem servers are not enforced

The correct answer here should be N, Y, Y The key point here Audit mode "Audit mode Audit mode is intended as a way to run the software in a "what if" mode. Each Azure AD Password Protection DC agent service evaluates an incoming password according to the currently active policy. If the current policy is configured to be in audit mode, "bad" passwords result in event log messages but are processed and updated. This behavior is the only difference between audit and enforce mode. All other operations run the same." - First NO: Password protection only applies when the user changes his password, so in this case the user will not be prompted to change the password.

Audit mode only applies to On Premises AD. The documentation is here (under the question "Why is Azure AD still rejecting weak passwords even though I've configured the policy to be in Audit mode?"): https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-faq

Shouldn't it be N, Y, Y? It is set to audit mode, i.e it's not actually enabled so the settings aren't enforced?

its quite simple.. 1 - only happens when he actually changes it.. not when authenticates. 2 - user2 is azure AD so policy is in effect but he changes it to C0NT0$0 - not contoso no effect there. So he can change it. 3 - User is on prem and the policy is in audit so he can do whatever. TL;DR 1 - N 2 - Y 3 - Y

N,N,Y Regarding User2, it's not possible to use the suggested password, because the following: 1. The sign "$" will be substituted to "s" during the normalization step of password evaluation. See here https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad#step-1-normalization 2. In the normalized password "contosocontoso" there are two banned substrings "contoso", thus on the Score Calculation step the score will be 2. But for accepting a new password we need a score 5. So, User2 will not be able to change the password to suggested one. See here about scoring: https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad#score-calculation

I go for NNY. See explanation of Broesweelies

Answer is N, N, Y

N, y, y due to audit mode. Regarding the statement in the posted answer on limitations, there is no limit to password length in custom banned password list, so answer 3 is fine regardless of whether audit mode is enabled or not.

I believe it's N/Y/Y The key thing is (Audit) which will only monitor the passwords and thus will not use the banned password list. While there is password protection on Windows Server Active Directory - it's will require an agent to run on the server, which has its own requirements. You can't assume that this has been completed.

N/Y/Y This is a helpful link. The banned list doesn't just ban passwords 1:1. https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad#how-are-passwords-evaluated

N,Y,Y is right. why should User1 change the Password next time he signs in ? is the Password in the List ? No it isnt and the other users CAN change the desired Password if they want to.