FEFreeExamDumps.in

SC-300 Practice Questions — Page 24

Question 231

You have an Azure Active Directory (Azure AD) tenant named Contoso that contains a terms of use (ToU) named Terms1 and an access package. Contoso users collaborate with an external organization named Fabrikam. Fabrikam users must accept Terms1 before being allowed to use the access package.

You need to identify which users accepted or declined Terms1.

What should you use?

  • A. sign-in logs
  • B. the Usage and Insights report
  • C. provisioning logs
  • D. audit logs

Question 232

You have an Azure Active Directory (Azure AD) tenant that contains three users named User1, User2, and User3.

You create a group named Group1. You add User2 and User3 to Group1.

You configure a role in Azure AD Privileged Identity Management (PIM) as shown in the Application Administrator exhibit. (Click the Application Administrator tab.)

Group1 is configured as the approver for the Application administrator role.

You configure User2 to be eligible for the Application administrator role.

For User1 you add an assignment to the Application administrator role as shown in the Assignment exhibit. (Click the Assignment tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Question 233

You have a Microsoft 365 E5 subscription.

You create an access review for Azure Active Directory (Azure AD) roles.

You need to ensure that users who do not respond to review requests are removed automatically from the roles. The solution must minimize administrative effort.

Which two settings should you modify? To answer, select the settings in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Question 234

You have an Azure Active Directory (Azure AD) tenant that contains a user named User1.

An administrator deletes User1.

You need to identify the following:

• How many days after the account of User1 is deleted can you restore the account?

• Which is the least privileged role that can be used to restore User1?

What should you identify? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Question 235

You have an Azure AD tenant that contains the groups shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

NOTE: Each correct selection is worth one point.

Question 236

You have an Azure AD tenant that contains two users named User1 and User2.

You plan to perform the following actions:

• Create a group named Group1.

• Add User1 and User2 to Group1.

• Assign Azure AD roles to Group1.

You need to create Group1.

Which two settings can you use? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

  • A. Group type: Microsoft 365 -
  • B. Group type: Security -
  • C. Group type: Security -
  • D. Group type: Microsoft 365 -
  • E. Group type: Security -

Question 237

You have a Microsoft 365 E5 subscription.

You need to perform the following tasks:

• Identify the locations and IP addresses used by Azure AD users to sign in.

• Review the Azure AD security settings and identify improvement recommendations.

• Identify changes to Azure AD users or service principals.

What should you use for each task? To answer, drag the appropriate resources to the correct requirements. Each resource may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Question 238

Case Study

Overview

ADatum Corporation is a consulting company in Montreal.

ADatum recently acquired a Vancouver-based company named Litware, Inc.

Existing Environment. ADatum Environment

The on-premises network of ADatum contains an Active Directory Domain Services (AD DS) forest named adatum.com.

ADatum has a Microsoft 365 E5 subscription. The subscription contains a verified domain that syncs with the adatum.com AD DS domain by using Azure AD Connect.

ADatum has an Azure Active Directory (Azure AD) tenant named adatum.com. The tenant has Security defaults disabled.

The tenant contains the users shown in the following table.

The tenant contains the groups shown in the following table.

Existing Environment. Litware Environment

Litware has an AD DS forest named litware.com.

Existing Environment. Problem Statements

ADatum identifies the following issues:

• Multiple users in the sales department have up to five devices. The sales department users report that sometimes they must contact the support department to join their devices to the Azure AD tenant because they have reached their device limit.

• A recent security incident reveals that several users leaked their credentials, a suspicious browser was used for a sign-in, and resources were accessed from an anonymous IP address.

• When you attempt to assign the Device Administrators role to IT_Group1, the group does NOT appear in the selection list.

• Anyone in the organization can invite guest users, including other guests and non-administrators.

• The helpdesk spends too much time resetting user passwords.

• Users currently use only passwords for authentication.

Requirements. Planned Changes

ADatum plans to implement the following changes:

• Configure self-service password reset (SSPR).

• Configure multi-factor authentication (MFA) for all users.

• Configure an access review for an access package named Package1.

• Require admin approval for application access to organizational data.

• Sync the AD DS users and groups of litware.com with the Azure AD tenant.

• Ensure that only users that are assigned specific admin roles can invite guest users.

• Increase the maximum number of devices that can be joined or registered to Azure AD to 10.

Requirements. Technical Requirements

ADatum identifies the following technical requirements:

• Users assigned the User administrator role must be able to request permission to use the role when needed for up to one year.

• Users must be prompted to register for MFA and provided with an option to bypass the registration for a grace period.

• Users must provide one authentication method to reset their password by using SSPR. Available methods must include:

- Email

- Phone

- Security questions

- The Microsoft Authenticator app

• Trust relationships must NOT be established between the adatum.com and litware.com AD DS domains.

• The principle of least privilege must be used.

You need to resolve the issue of the guest user invitations.

What should you do for the Azure AD tenant?

  • A. Configure the Continuous access evaluation settings.
  • B. Configure a Conditional Access policy.
  • C. Modify the External collaboration settings.
  • D. Configure the Access reviews settings.

Question 239

Case Study

Overview

ADatum Corporation is a consulting company in Montreal.

ADatum recently acquired a Vancouver-based company named Litware, Inc.

Existing Environment. ADatum Environment

The on-premises network of ADatum contains an Active Directory Domain Services (AD DS) forest named adatum.com.

ADatum has a Microsoft 365 E5 subscription. The subscription contains a verified domain that syncs with the adatum.com AD DS domain by using Azure AD Connect.

ADatum has an Azure Active Directory (Azure AD) tenant named adatum.com. The tenant has Security defaults disabled.

The tenant contains the users shown in the following table.

The tenant contains the groups shown in the following table.

Existing Environment. Litware Environment

Litware has an AD DS forest named litware.com.

Existing Environment. Problem Statements

ADatum identifies the following issues:

• Multiple users in the sales department have up to five devices. The sales department users report that sometimes they must contact the support department to join their devices to the Azure AD tenant because they have reached their device limit.

• A recent security incident reveals that several users leaked their credentials, a suspicious browser was used for a sign-in, and resources were accessed from an anonymous IP address.

• When you attempt to assign the Device Administrators role to IT_Group1, the group does NOT appear in the selection list.

• Anyone in the organization can invite guest users, including other guests and non-administrators.

• The helpdesk spends too much time resetting user passwords.

• Users currently use only passwords for authentication.

Requirements. Planned Changes

ADatum plans to implement the following changes:

• Configure self-service password reset (SSPR).

• Configure multi-factor authentication (MFA) for all users.

• Configure an access review for an access package named Package1.

• Require admin approval for application access to organizational data.

• Sync the AD DS users and groups of litware.com with the Azure AD tenant.

• Ensure that only users that are assigned specific admin roles can invite guest users.

• Increase the maximum number of devices that can be joined or registered to Azure AD to 10.

Requirements. Technical Requirements

ADatum identifies the following technical requirements:

• Users assigned the User administrator role must be able to request permission to use the role when needed for up to one year.

• Users must be prompted to register for MFA and provided with an option to bypass the registration for a grace period.

• Users must provide one authentication method to reset their password by using SSPR. Available methods must include:

- Email

- Phone

- Security questions

- The Microsoft Authenticator app

• Trust relationships must NOT be established between the adatum.com and litware.com AD DS domains.

• The principle of least privilege must be used.

You need to modify the settings of the User administrator role to meet the technical requirements.

Which two actions should you perform for the role? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

  • A. Select Require justification on activation.
  • B. Select Require ticket information on activation.
  • C. Modify the Expire eligible assignments after setting.
  • D. Set all assignments to Eligible.
  • E. Set all assignments to Active.

Question 240

You have a Microsoft 365 E5 subscription that contains a user named User1.

You need to ensure that User1 can create access reviews for Azure AD roles. The solution must use the principle of least privilege.

Which role should you assign to User1?

  • A. Privileged role administrator
  • B. Identity Governance Administrator
  • C. User administrator
  • D. User Access Administrator