MS-100 Microsoft 365 Identity and Services Questions and Answers

During Project1, some users will have mailboxes in Microsoft 365 and some users will have mailboxes in Exchange on-premises. To enable users be able to exchange email messages successfully during Project1 by using their current email address, we’ll need to configure hybrid Exchange.

To migrate mailboxes in a hybrid Exchange configuration, you use Exchange admin center perform Remote move migrations.

Depending on what your organization's Office 365 subscription includes, the Dashboard in Security & Compliance includes several widgets, such as Threat Management Summary, Threat Protection Status, Global Weekly Threat Detections, Malware, etc. The Compliance admin center in Microsoft 365 contains much of the same information but also includes additional entries focusing on alerts, data insights.

The Monitoring and reports section from the Compliance admin center does not display a list of the features that were recently updated in the tenant so this solution does not meet the goal.

To meet the goal, you need to use Message center in the Microsoft 365 admin center.

In the exhibit, seamless single sign-on (SSO) is disabled. Therefore, as SSO is disabled in the cloud, the Sales department users can access only on-premises applications by using SSO.

In the exhibit, directory synchronization is enabled and active. This means that the on-premises Active Directory user accounts are synchronized to Azure Active Directory user accounts. If the on-premises Active Directory becomes unavailable, the users can access resources in the cloud by authenticating to Azure Active Directory. They will not be able to access resources on-premises if the on-premises Active Directory becomes unavailable as they will not be able to authenticate to the on-premises Active Directory.

• An on-premises web application named App1 must allow users to complete their expense reports online.

Application Proxy is a feature of Azure AD that enables users to access on-premises web applications from a remote client. Application Proxy includes both the Application Proxy service which runs in the cloud, and the Application Proxy connector which runs on an on-premises server. Azure AD, the Application Proxy service, and the Application Proxy connector work together to securely pass the user sign-on token from Azure AD to the web application.

In this question, we need to add an enterprise application in Azure and configure a Microsoft AAD Application Proxy connector to connect to the on-premises web application (App1).

Fabrikam plans to create a group named UserLicenses that will manage the allocation of all Microsoft 365 bulk licenses.

The memberships of UserLicenses must be validated monthly. Unused user accounts must be removed from the group automatically.

The group needs to be a Security group.

Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. User's access can be reviewed on a regular basis to make sure only the right people have continued access.

• Project1: During Project1, the mailboxes of 100 users in the sales department will be moved to Microsoft 365.

• Project2: After the successful completion of Project1, Microsoft Teams & Skype for Business will be enabled in Microsoft 365 for the sales department users.

• After the planned migration to Microsoft 365, all users must be signed in to on-premises and cloud-based applications automatically.

• Fabrikam does NOT plan to implement identity federation.
• After the planned migration to Microsoft 365, all users must continue to authenticate to their mailbox and to SharePoint sites by using their UPN.

You need to enable password hash synchronization to enable the users to continue to authenticate to their mailbox and to SharePoint sites by using their UPN.

You need to enable SSO to enable all users to be signed in to on-premises and cloud-based applications automatically.

ATP Safe Links, a feature of Office 365 Advanced Threat Protection (ATP), can help protect your organization from malicious links used in phishing and other attacks. If you have the necessary permissions for the Office 365 Security & Compliance Center, you can set up ATP Safe Links policies to help ensure that when people click web addresses (URLs), your organization is protected. Your ATP Safe Links policies can be configured to scan URLs in email and URLs in Office documents.

Graphical user interface, text, application, email Description automatically generated

Box 1: "autoInvokeaction"{

With the autoInvokeAction property on actionable messages, you can provide an HTTP endpoint to retrieve an up-to-date Adaptive Card payload with the latest information when the user opens the email in Outlook.

Box 2: "method": ";POST",

With the autoInvokeAction property on actionable messages, you can provide an HTTP endpoint to retrieve an up-to-date Adaptive Card payload with the latest information when the user opens the email in Outlook.

Fabrikam plans to implement a Microsoft 365 Enterprise subscription and move all email and shared documents to the subscription.

All users must be able to exchange email messages successfully during Project1 by using their current email address.

After the planned migration to Microsoft 365, all users must continue to authenticate to their mailbox and to SharePoint sites by using their UPN.

This configuration requires a hybrid Exchange configuration during the pilot phase. This means that you will have mailboxes hosted in Exchange Online and mailboxes hosted in Exchange on-premise.

The first steps to configure Exchange hybrid are to Create the Azure AD tenant, add the Fabrikam.com domain as a custom domain, then configure directory synchronization to replicate the on-prem Active Directory user accounts to Azure Active Directory.

Project1: During Project1, the mailboxes of 100 users in the sales department will be moved to Microsoft 365.

Fabrikam does NOT plan to implement identity federation.

All users must be able to exchange email messages successfully during Project1 by using their current email address.

During Project1, some users will have mailboxes in Microsoft 365 and some users will have mailboxes in Exchange on-premises. To enable users to be able to exchange email messages successfully during Project1 by using their current email address, we’ll need to configure hybrid Exchange.

A new way to migrate mailboxes in a hybrid Exchange configuration is to use the Microsoft 365 data migration service. The data migration service can migrate Exchange, SharePoint and OneDrive. Therefore, we need to start a data migration and click Exchange as the service to be migrated.

When you choose this federation as the authentication method, Azure AD hands off the authentication process to a separate trusted authentication system, such as on-premises Active Directory Federation Services (AD FS), to validate the user’s password. AD FS can use on-premise Active Directory as an authentication provider. AD FS can also provide SSO when using Active Directory as an authentication provider.

Graphical user interface, text, application Description automatically generated

Box 1: Office Add-ins

Scenario: SalesApp must be integrated with Microsoft Word and must combine images and text from multiple sources to create a quotation as a DOCX file.

You can use the Office Add-ins platform to build solutions that extend Office applications and interact with content in Office documents.

Box 2: Microsoft Visual Studio

Visual Studio can be used to create Office Add-ins for Excel, Outlook, Word, and PowerPoint. An Office Add-in project gets created as part of a Visual Studio solution and uses HTML, CSS, and JavaScript.

Box 3: Fluent UI

Fluent UI is the upcoming and continually evolving design system for Microsoft 365. Currently, there is an ongoing merge in the process to have one consistent UI Framework across the Microsoft ecosystem.

A service request is a support ticket. Therefore, the View service requests option in the Microsoft 365 admin center displays a list of support tickets. It does not display a list of the features that were recently updated in the tenant so this solution does not meet the goal.

To meet the goal, you need to use Message center in the Microsoft 365 admin center.

Graphical user interface, text, application Description automatically generated

Graphical user interface, text, application Description automatically generated

• User2 must be able to view reports and schedule the email delivery of security and compliance reports.

The Security Administrator role can view reports but not schedule the email delivery of security and compliance reports.

The View-Only Organization Management role cannot schedule the email delivery of security and compliance reports.

Graphical user interface, application Description automatically generated

Sending actionable messages via email is supported. You use actionable message cards.

Scenario:

Create an email workflow solution for expense claims. Users will submit their expense claims and the system will email an approval request to their manager.

The expense claims solution must provide managers with claim information and the ability to manage the claim by using Microsoft Outlook, Outlook on the web, or Outlook for iOS and Android.

Graphical user interface, text, application Description automatically generated

Step 1: Create a bot registration..

Step 2: In the HRApp manifest, configure the botId value in the ComposeExtensions section to match the botId value of the bot registration.

Scenario: HRApp must include a messaging extension that enables users to search jobs by job title or job ID.

Step 3: Implement a handler

• User3 must be able to manage Office 365 connectors.
• The principle of least privilege must be used whenever possible.

Office 365 connectors are configured in the Exchange Admin Center.

You need to assign User3 the Organization Management role to enable User3 to manage Office 365 connectors.

A Global Admin could manage Office 365 connectors but the Organization Management role has less privilege.

• Vendors must be able to authenticate by using their Microsoft account when accessing Contoso resources.

You can invite guest users to the directory, to a group, or to an application. After you invite a user through any of these methods, the invited user's account is added to Azure Active Directory (Azure AD), with a user type of Guest. The guest user must then redeem their invitation to access resources. An invitation of a user does not expire.

The invitation will include a link to create a Microsoft account. The user can then authenticate using their Microsoft account. In this question, the vendors already have Microsoft accounts so they can authenticate using them.

• User2 must be able to view reports and schedule the email delivery of security and compliance reports.

The Security Reader role can view reports.

The Compliance Management role can schedule the email delivery of security and compliance reports.

• User2 must be able to view reports and schedule the email delivery of security and compliance reports.

The Security Reader role can view reports but not schedule the email delivery of security and compliance reports.

The Help Desk role cannot schedule the email delivery of security and compliance reports.

Contoso plans to provide email addresses for all the users in the following domains:

• East.adatum.com
• Contoso.adatum.com
• Humongousinsurance.com

To verify three domain names, you need to add three TXT records.

• Vendors must be able to authenticate by using their Microsoft account when accessing Contoso resources.

You can invite guest users to the directory, to a group, or to an application. After you invite a user through any of these methods, the invited user's account is added to Azure Active Directory (Azure AD), with a user type of Guest. The guest user must then redeem their invitation to access resources. An invitation of a user does not expire.

The invitation will include a link to create a Microsoft account. The user can then authenticate using their Microsoft account. In this question, the vendors already have Microsoft accounts so they can authenticate using them.

In this solution, we are creating guest account invitations by using the New-AzureADMSInvitation cmdlet and specifying the –InvitedUserEmailAddress parameter.

• User2 must be able to view reports and schedule the email delivery of security and compliance reports.

The Security Reader role can view reports but not schedule the email delivery of security and compliance reports.

The Exchange Online Compliance Management role can schedule the email delivery of security and compliance reports.

• User4 must be able to reset User3 password.

User3 is assigned the Customer Lockbox Access Approver role. Only global admins can reset the passwords of people assigned to this role as it’s considered a privileged role.

References:

• The members of Group1 must be required to answer a security question before changing their password.

If SSPR (Self Service Password Reset) is enabled, you must select at least one of the following options for the authentication methods. Sometimes you hear these options referred to as "gates."

Mobile app notification

Mobile app code

Email

Mobile phone

Office phone

Security questions

You can specify the required authentication methods in the Password reset properties of the Azure AD tenant. In this case, you should set the required authentication method to be ‘Security questions’.

All new users must be assigned Office 365 licenses automatically.

To enable Microsoft 365 license assignment, the users must have a username. This is also the UPN. The users must also have a Usage Location.