Microsoft MS-100 시험

Question No : 1

Your company has a Microsoft 365 subscription. All identities are managed in the cloud.
The company purchases a new domain name.
You need to ensure that all new mailboxes use the new domain as their primary email address.
What are two possible ways to achieve the goal? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

• A.From Microsoft Exchange Online PowerShell, run the Update-EmailAddressPolicy policy command.
• B.From the Exchange admin center, click mail flow, and then configure the email address policies.
• C.From the Microsoft 365 admin center, click Setup, and then configure the domains.
• D.From Microsoft Exchange Online PowerShell, run the Set-EmailAddressPolicy policy command.
• E.From the Azure Active Directory admin center, configure the custom domain names.

답을 확인하기

정답:
Explanation:
Email address policies define the rules that create email addresses for recipients in your Exchange organization whether this is Exchange on-premise or Exchange online.
You can configure email address policies using the graphical interface of the Exchange Admin Center or by using PowerShell with the Set-EmailAddressPolicy cmdlet.
The Set-EmailAddressPolicy cmdlet is used to modify an email address policy. The Update-EmailAddressPolicy cmdlet is used to apply an email address policy to users.
Reference: https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/email-address-policies/email-address-policies?view=exchserver-2019

Question No : 2

You have a Microsoft 365 subscription.
You need to prevent phishing email messages from being delivered to your organization.
What should you do?

• A.From the Exchange admin center, create an anti-malware policy.
• B.From Security & Compliance, create a DLP policy.
• C.From Security & Compliance, create a new threat management policy.
• D.From the Exchange admin center, create a spam filter policy.

답을 확인하기

정답:
Explanation:
Anti-phishing protection is part of Office 365 Advanced Threat Protection (ATP). To prevent phishing email messages from being delivered to your organization, you need to configure a threat management policy.
ATP anti-phishing is only available in Advanced Threat Protection (ATP). ATP is included in subscriptions, such as Microsoft 365 Enterprise, Microsoft 365 Business, Office 365 Enterprise E5, Office 365 Education A5, etc.
Reference: https://docs.microsoft.com/en-us/office365/securitycompliance/set-up-anti-phishing-policies

Question No : 3

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has a Microsoft Office 365 tenant.
You suspect that several Office 365 features were recently updated.
You need to view a list of the features that were recently updated in the tenant.
Solution: You review the Security & Compliance report in the Microsoft 365 admin center.
Does this meet the goal?

• A.Yes
• B.No

답을 확인하기

정답:
Explanation:
The Security & Compliance reports in the Microsoft 365 admin center are reports regarding security and compliance for your Office 365 Services. For example, email usage reports, Data Loss Prevention reports etc. They do not display a list of the features that were recently updated in the tenant so this solution does not meet the goal.
To meet the goal, you need to use Message center in the Microsoft 365 admin center.
Reference: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/download-existing-reports

Question No : 4

Your network contains three Active Directory forests.
You create a Microsoft Azure Active Directory (Azure AD) tenant.
You plan to sync the on premises Active Directory (Azure AD).
You need to recommend a synchronization solution. The solution must ensure that the synchronization can complete successfully and as quickly as possible if a single server fails.
What should you include in the recommendation?

• A.Three Azure AD Connect sync servers and three Azure AD Connect sync servers in staging mode
• B.One Azure AD Connect sync servers one Azure AD Connect sync servers in staging mode
• C.Three Azure AD Connect sync servers and one Azure AD Connect sync servers in staging mode
• D.six Azure AD Connect sync servers and three Azure AD Connect sync servers in staging mode

답을 확인하기

정답:
Explanation:
Azure AD Connect can be active on only one server. You can install Azure AD Connect on another server for redundancy but the additional installation would need to be in Staging mode. An Azure AD connect installation in Staging mode is configured and ready to go but it needs to be manually switched to Active to perform directory synchronization.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-custom

Question No : 5

HOTSPOT
Your network contains an Active Directory domain and a Microsoft Azure Active Directory (Azure AD) tenant.
You implement directory synchronization for all 10.000 users in the organization.
You automate the creation of 100 new user accounts.
You need to ensure that the new user accounts synchronize to Azure AD as quickly as possible
Which command should you run? To answer, select the appropriate options in the answer area. NOTE: Each correct select ion is worth one point.

답을 확인하기

정답:


Explanation:
Azure AD Connect synchronizes Active Directory to Azure Active Directory on a schedule. The minimum time between synchronizations is 30 minutes.
If you want to synchronize changes to Active Directory without waiting for the next sync cycle, you can initiate a sync by using the Start-AdSyncSyncCycle. The Delta option synchronizes changes to Active Directory made since the last sync. The Full option synchronizes all Active Directory objects including those that have not changed.
Reference: https://blogs.technet.microsoft.com/rmilne/2014/10/01/how-to-run-manual-dirsync-azure-active-directory-sync-updates/

Question No : 6

You have a Microsoft 365 subscription that contains a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com. The tenant includes a user named User1
You enable Azure AD Identity Protection.
You need to ensure that User1 can review the list in Azure AD Identity Protection of users nagged for risk. The solution must use the principle of least privilege.
To which role should you add User1?

• A.Security reader
• B.Compliance administrator
• C.Reports reader
• D.Global administrator

답을 확인하기

정답:
Explanation:
The risky sign-ins reports are available to users in the following roles:
✑ Security Administrator
✑ Global Administrator
✑ Security Reader
Of the three roles listed above, the Security Reader role has the least privilege.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risky-sign-ins

Question No : 7

HOTSPOT
You company has a Microsoft Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.



The tenant includes a security group named Admin1. Admin1 will be used to manage administrative accounts.
You need to identify which users can perform the following administrative tasks:
✑ Create guest user accounts.
✑ Add User3 to Admin1.
Which users should you identify for each task? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

답을 확인하기

정답:


Explanation:
A User Administrator is the only role listed that can create user accounts included Guest user accounts. A Global Administrator can also create user accounts.
A User Administrator is also the only role listed that can modify the group membership of users.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles

Question No : 8

Your network contains an Active Directory domain named .Ki.ituin.com that is synced to Microsoft Azure Active Directory (Azure AD).
The domain contains 10O user accounts.
The city attribute for all the users is set to the city where the user resides.
You need to modify the value of the city attribute to the three letter airport code of each city.
What should you do?

• A.from Active Directory Administrative Center, select the Active Directory users, and then modify the Property settings.
• B.From the Microsoft 365 admin center, select the users, and then use the Bulk actions option.
• C.From Azure Cloud Shell, run the Get-AzureADUsers, and then use the Bulk actions option.
• D.From Azure Cloud Shell, run the Get-AzureADUser and set-AzureADUser cmdlets.
• E.From Windows PowerShell on a domain controller, run the Get-AzureADUser and Set-AzureADUser cmdlets.

답을 확인하기

정답:
Explanation:
The user accounts are synced from the on-premise Active Directory to the Microsoft Azure Active Directory (Azure AD). Therefore, the city attribute must be changed in the on-premise Active Directory.
You can use Windows PowerShell on a domain controller and run the Get-ADUser cmdlet to get the required users and pipe the results into Set-ADUser cmdlet to modify the city attribute.
Reference: https://docs.microsoft.com/en-us/powershell/module/addsadministration/set-aduser?view=win10-ps

Question No : 9

HOTSPOT
Your company has offices in several cities and 100.000 users.
The network contains an Active Directory domain contoso.com.
You purchase Microsoft 365 and plan to deploy several Microsoft 365 services.
You are evaluating the implementation of pass-through authentication and seamless SSO. Azure AD Connect will NOT be in staging mode.
You need to identify the redundancy limits for the planned implementation.
What should you identify? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

답을 확인하기

정답:


Explanation:
Azure AD Connect can be active on only one server. You can install Azure AD Connect on another server for redundancy but the additional installation would need to be in Staging mode. An Azure AD connect installation in Staging mode is configured and ready to go but it needs to be manually switched to Active to perform directory synchronization.
Azure authentication agents can be installed on as many servers as you like.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-quick-start

Question No : 10

HOTSPOT
Your company has a Microsoft Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains the users shown in the following table.



You need to identify which users can perform the following administrative tasks:
✑ Reset the password of User4.
✑ Modify the value for the manager attribute of User4.
Which users should you identify for each task? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

답을 확인하기

정답:


Explanation:
Box 1:
A Password Administrator or a User Administrator can reset the password non-administrative users.
Box 2:
A User Administrator can configure other attributes such as the Manager attribute of non-administrative users.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles

Question No : 11

HOTSPOT
Your network contains an on-premises Active Directory domain that is synced to Microsoft Azure Active Directory (Azure AD) as shown in the following exhibit.



An on-premises Active Directory user account named Allan Yoo is synchronized to Azure AD. You view Allan’s account from Microsoft 365 and notice that his username is set to [email protected].
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

답을 확인하기

정답:


Explanation:
Allan Yoo’s user account is synchronized from the on-premise Active Directory. This means that most user account settings have to be configured in the on-premise Active Directory.
In the exhibit, Password Writeback is disabled. Therefore, you cannot reset the password of Allan Yoo from the Azure portal.
You also cannot change Allan Yoo’s job title in the Azure portal because his account is synchronized from the on-premise Active Directory.
One setting that you can configure for synchronized user accounts I the usage location. The usage location must be configured on a user account before you can assign licenses to the user.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback

Question No : 12

Your network contain*, an on-premises Active Directory forest.
You are evaluating the implementation of Microsoft 365 and the deployment of authentication strategy.
You need to recommend an authentication strategy that meets the following requirements:
• Allows users to sign in by using smart card-based certificates
• Allows users to connect to on premises and Microsoft 365 services by using SSO
Which authentication strategy should you recommend?

• A.password hash synchronization and seamless SSO
• B.federation with Active Directory Federation Services (AD FS)
• C.pass-through authentication and seamless SSO

답을 확인하기

정답:
Explanation:
Federation with Active Directory Federation Services (AD FS) is required to allow users to sign in by using smart card-based certificates.
Federated authentication
When you choose this authentication method, Azure AD hands off the authentication process to a separate trusted authentication system, such as on-premises Active Directory Federation Services (AD FS), to validate the user’s password.
The authentication system can provide additional advanced authentication requirements. Examples are smartcard-based authentication or third-party multifactor authentication.
Reference: https://docs.microsoft.com/en-us/azure/security/azure-ad-choose-authn

Question No : 13

Your network contains an Active Directory domain and a Microsoft Azure Active Directory (Azure AD) tenant.
The network uses a firewall that contains a list of allowed outbound domains.
You began to implement directory synchronization.
You discover that the firewall configuration contains only the following domain names in the list of allowed domains:
• *.microsof.com
• *.office.com
Directory synchronization fails.
You need to ensure that directory synchronization completes successfully.
What is the best approach to achieve the goal? More than one answer choice may achieve the goal. Select the BEST answer.

• A.From the firewall, allow the IP address range of the Azure data center for outbound communication.
• B.From Azure AD Connect, mo dify the Customize synchronization options task
• C.Deploy an Azure AD Connect sync server in staging mode.
• D.From the firewall, create a list of allowed inbound domains.
• E.From the firewall, modify the list of allowed outbound domains.

답을 확인하기

정답:
Explanation:
Azure AD Connect needs to be able to connect to various Microsoft domains such as login.microsoftonline.com. Therefore, you need to modify the list of allowed outbound domains on the firewall.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-ports

Question No : 14

Your network contains two Active Directory forests. Each forest contains two domains. All client computers run Windows 10 and are domain-joined.
You plan to configure Hybrid Azure AD join for the computers.
You create Microsoft Azure Active Directory (Azure AD) tenant.
You need to ensure that the computers can discover the Azure AD tenant.
What should you create?

• A.a new computer account for each computer
• B.a new service connection point (SCP) for each domain
• C.a new trust relationship for each forest
• D.a new service connection point (SCP) for each forest

답을 확인하기

정답:
Explanation:
Your devices use a service connection point (SCP) object during the registration to discover Azure AD tenant information. In your on-premises Active Directory instance, the SCP object for the hybrid Azure AD joined devices must exist in the configuration naming context partition of the computer's forest. There is only one configuration naming context per forest. In a multi-forest Active Directory configuration, the service connection point must exist in all forests that contain domain-joined computers.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-manual

Question No : 15

You have a Microsoft 365 subscription.
Your company deploys an Active Directory Federation Services (AD FS) solution.
You need to configure the environment to audit AD FS user authentication.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

• A.From all the AD FS servers, run audltpol.exe.
• B.From all the domain controllers, run the set-AdminAuditLogConfig cmdlet and specify the CLogiLevel parameter.
• C.On a domain controller install Azure AD Connect Health for AD D
• D.From the Azure AO Connect server, run the Register-AzureADCConnectHealthSyncAgent cmdlet.
• E.On an server, install Azure AD Connect Health for AD F

답을 확인하기

정답:
Explanation:
To audit AD FS user authentication, you need to install Azure AD Connect Health for AD FS. The agent should be installed on an AD FS server. After the installation, you need to register the agent by running the Register-AzureADConnectHealthSyncAgent cmdlet.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-agent-install
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-adfs