SC-300 Exam Questions

SC-300 Exam - Question 16


Your network contains an on-premises Active Directory domain that syncs to an Azure Active Directory (Azure AD) tenant. The tenant contains the users shown in the following table.

[Image: Exam SC-300 Question 16 - table listing the tenant's users (User1, User2, User3)]

All the users work remotely.

Azure AD Connect is configured in Azure AD as shown in the following exhibit.

[Image: Exam SC-300 Question 16 - Azure AD Connect exhibit showing both Password Hash Synchronization and Pass-through Authentication enabled]

Connectivity from the on-premises domain to the internet is lost.

Which users can sign in to Azure AD?

Correct Answer: A

User2 is the only directory-synced user, so User2 is the only one whose sign-in depends on the on-premises environment. The exhibit shows both Pass-through Authentication (PTA) and Password Hash Synchronization (PHS) enabled, but PTA is the active sign-in method: every password validation is forwarded to a PTA agent running on-premises, and that agent has to hold an outbound connection to Azure AD. Once the on-premises domain loses internet connectivity, no agent can reach the service and User2's sign-ins fail. The password hashes that PHS synchronized earlier remain stored in Azure AD, but Azure AD does not fall back to them automatically; an administrator must switch the sign-in method from PTA to PHS in Azure AD Connect, and if the Azure AD Connect server itself is unreachable, Microsoft Support has to turn PTA off. The scenario says nothing about such a switch, so it must be assumed not to have happened. Because all the users work remotely, they reach Azure AD over their own internet connections; the outage affects only the on-premises side. User1 and User3 are not synced from on-premises, so Azure AD handles their sign-ins without any dependency on the on-premises domain. Therefore only User1 and User3 can sign in.
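Added example, not code from the exam page: a PowerShell function that classifies a tenant's users by whether their sign-in survives the outage described above (PTA agents cut off, PHS hashes present but not the active method), plus the optional Microsoft Graph cmdlets a practitioner would use to feed it real users. The function name, the sample UPNs and the choice to model User3 as a guest (the reading most commenters use) are assumptions; the sample data is constructed so the classification runs offline.

```powershell
# Added example, not code from the exam page. The Microsoft.Graph PowerShell SDK
# is needed only for the optional live check at the bottom; the sample data is
# constructed so the classification runs offline.

function Get-PtaOutageImpact {
    <#
    .SYNOPSIS
    Classify users by whether they can still sign in to Azure AD / Entra ID
    while the on-premises PTA agents cannot reach the cloud service.
    #>
    param(
        # Objects exposing UserPrincipalName, UserType and OnPremisesSyncEnabled
        # (the shape Get-MgUser returns; OnPremisesSyncEnabled is $null for cloud-only users).
        [Parameter(Mandatory)] [object[]] $Users,

        # Pass this only after an admin has switched the tenant's sign-in method
        # from Pass-through Authentication to Password Hash Synchronization.
        [switch] $SwitchedToPhs
    )

    foreach ($u in $Users) {
        $synced = [bool]$u.OnPremisesSyncEnabled

        if ($u.UserType -eq 'Guest') {
            $can = $true;  $why = 'Guest: authenticates with its home tenant / identity provider'
        } elseif (-not $synced) {
            $can = $true;  $why = 'Cloud-only: Azure AD validates the password itself'
        } elseif ($SwitchedToPhs) {
            $can = $true;  $why = 'Synced: validated against the previously synced password hash (PHS)'
        } else {
            $can = $false; $why = 'Synced: PTA needs an on-premises agent, and none can reach Azure AD'
        }

        [pscustomobject]@{
            User      = $u.UserPrincipalName
            Synced    = $synced
            CanSignIn = $can
            Why       = $why
        }
    }
}

# Constructed sample modelled on the question: User1 cloud-only member, User2
# directory-synced member, User3 a guest (assumption taken from the comments).
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'user1@contoso.com'; UserType = 'Member'; OnPremisesSyncEnabled = $null }
    [pscustomobject]@{ UserPrincipalName = 'user2@contoso.com'; UserType = 'Member'; OnPremisesSyncEnabled = $true }
    [pscustomobject]@{ UserPrincipalName = 'user3_fabrikam.com#EXT#@contoso.onmicrosoft.com'; UserType = 'Guest'; OnPremisesSyncEnabled = $null }
)

'--- PTA still the active sign-in method (the exam scenario) ---'
Get-PtaOutageImpact -Users $sample | Format-Table -AutoSize

'--- after an admin manually switched the sign-in method to PHS ---'
Get-PtaOutageImpact -Users $sample -SwitchedToPhs | Format-Table -AutoSize

# Optional live check against a real tenant (read-only scopes). These cmdlets
# show whether sync is on, when it last ran, and whether each domain is managed
# or federated; which of PTA or PHS is the active sign-in method is shown in the
# Azure AD Connect / Entra Connect blade of the portal, not by these calls.
# Connect-MgGraph -Scopes 'User.Read.All', 'Organization.Read.All', 'Domain.Read.All'
# Get-MgOrganization | Select-Object DisplayName, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime
# Get-MgDomain | Select-Object Id, AuthenticationType
# $users = Get-MgUser -All -Property UserPrincipalName, UserType, OnPremisesSyncEnabled
# Get-PtaOutageImpact -Users $users | Where-Object { -not $_.CanSignIn } | Format-Table -AutoSize
```

Run as-is, the first table reports only user2 with CanSignIn = False, which is answer A; the second table, with -SwitchedToPhs, reports all three as able to sign in, which is the state commenters arguing for C are describing and which only exists after the manual switch. Against a live tenant, the users the last line lists are the blast radius of a PTA outage, which is the number to weigh when deciding how many PTA agents to deploy.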

Discussion

28 comments
examkid
Jul 23, 2021

I think the answer is correct. When the connection to on-premises is lost, PTA will not work anymore. The failover to Password Hash Synchronization is not automatic and needs to be configured manually in AD Connect. If the connection to on-premises is lost, and the AD Connect server runs on-premises, user 2 cannot log in.

Enabling Password Hash Synchronization gives you the option to failover authentication if your on-premises infrastructure is disrupted. This failover from Pass-through Authentication to Password Hash Synchronization is not automatic. You'll need to switch the sign-in method manually using Azure AD Connect. If the server running Azure AD Connect goes down, you'll require help from Microsoft Support to turn off Pass-through Authentication.

AmazingKies
Sep 16, 2021

Pass-through authentication is configured. The synced user will try to authenticate against local AD and will be unable to authenticate due to the internet outage; only cloud users (User 1 and User 3) can be authenticated. Correct Answer: A

rachee
Sep 23, 2024

C. Per https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-current-limitations, enabling Password Hash Synchronization gives you the option to failover authentication if your on-premises infrastructure is disrupted. The diagram shows Password Hash Synchronization is enabled.

Tuvshinjargal
Feb 6, 2024

I agree with that. Since Password Hash Synchronization is enabled, it must have been synced an hour ago, and also the password is saved in Azure AD. It remains when the on-premises AD loses its connection to the internet. See the article below. https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-pta-faq When you use Microsoft Entra Connect to switch the sign-in method from password hash synchronization to Pass-through Authentication, Pass-through Authentication becomes the primary sign-in method for your users in managed domains. All users' password hashes that were previously synchronized by password hash synchronization remain stored in Microsoft Entra ID.

RahulX
Feb 11, 2024

If password hash synchronization is enabled, all synced users can log in with an AD password hash value if DC connectivity is lost, and if any user changes their password during this period, the old hash will remain until the connection is restored. If you have enabled PTA earlier or have installed the PTA DC agent, it will show pass-through authentication enabled with 1 or 2 agents under User Sign-In status in the Azure AD portal.

EmnCours (Option: A)
Aug 10, 2023

Correct Answer : A

hhaywood
Jun 7, 2021

I must be missing something here? As only User 2 is synced to AAD with password hash, then surely this is the only user who can log on?

yaniys
Jun 8, 2021

User2's authentication still involves the AD. And as the connection is lost, he is the only one who wouldn't be able to log in, as both the other users are cloud-only.

hhaywood
Jun 8, 2021

Ah yes! I was reading 'not synced' the wrong way round and assumed they were on-prem users. Thanks yaniys!

Azuredude123
Jun 8, 2021

They have to sign in through on-prem; on-prem is down, so they cannot sign in. Password hash sync and pass-through are enabled.

Anonymous
Jun 21, 2021

Correct; both password hash sync and pass-through are enabled, but there is no mention of failover being initiated; thus User2 can't authenticate. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-faq#does-password-hash-synchronization-act-as-a-fallback-to-pass-through-authentication

smosmo (Option: A)
Dec 13, 2021

A is right. For the synced User no authentication will take place. Password hash synchronization does not act as a fallback to Pass-through Authentication. Pass-through Authentication does not apply to cloud-only users. So they can login.

dule27 (Option: A)
May 22, 2023

A. User1 and User3 only

simonseztech (Option: A)
Sep 23, 2024

Does password hash synchronization act as a fallback to Pass-through Authentication? No. Pass-through Authentication does not automatically failover to password hash synchronization. To avoid user sign-in failures, you should configure Pass-through Authentication for high availability.

f2bf85a (Option: A)
Sep 23, 2024

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-current-limitations#unsupported-scenarios Read the Note: Enabling Password Hash Synchronization gives you the option to failover authentication if your on-premises infrastructure is disrupted. This failover from Pass-through Authentication to Password Hash Synchronization is not automatic. You'll need to switch the sign-in method manually using Azure AD Connect. If the server running Azure AD Connect goes down, you'll require help from Microsoft Support to turn off Pass-through Authentication. Since the Password Hash Sync failover is not automatic, in this case the answer is A. User2, who is directory synced, will need Pass-Through Authentication, which will be unavailable at that moment.

[Removed] (Option: A)
Sep 23, 2024

Answer A is correct. PTA cannot be used for directory synchronised objects when the connectivity is lost.

Olami
Oct 7, 2024

Connectivity from the on-prem directory to the internet is lost, not the users' connectivity to the internet. I think User 1 and User 3 are not syncing with the on-prem directory. They are on Azure AD. Only User 2 will have difficulty signing in to Azure AD because of the Password Hash Sync between on-prem and Azure AD. Answer is A

AlexBrazil (Option: A)
Oct 29, 2024

According to https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-pta-current-limitations: Enabling Password Hash Synchronization gives you the option to failover authentication if your on-premises infrastructure is disrupted. This failover from Pass-through Authentication to Password Hash Synchronization is not automatic. You'll need to switch the sign-in method manually using Microsoft Entra Connect. If the server running Microsoft Entra Connect goes down, you'll require help from Microsoft Support to turn off Pass-through Authentication.

test123123 (Option: C)
Jan 6, 2025

By enabling Password Hash sync, you ensure that password hashes are synchronized to Azure AD, allowing users to authenticate even if the on-premises environment is unavailable. Password Hash sync is enabled, so answer is C.

test123123
Jan 10, 2025

if your Azure AD Connect sync status shows "Password Hash Sync Enabled" and "Pass-Through Authentication Enabled," it means that users can still log on to Microsoft 365 even if the on-premises Active Directory loses internet connection.

Frank9020 (Option: C)
Jan 14, 2025

User1: Can sign in because they are not directory-synced and their account exists solely in Azure AD. User2: Can sign in because Password Hash Sync is enabled, allowing authentication to Azure AD even without on-premises connectivity. User3: Can sign in because guest accounts authenticate directly with their own identity provider and do not rely on the on-premises domain.

AS007
Jun 7, 2021

Correct - pass hash sync enabled, so #2 won't authenticate

Sh1rub10 (Option: A)
Mar 28, 2022

Only cloud users (User 1 and User 3) can be authenticated.

bleedinging
May 24, 2022

Correct. Only domain-synced users will be affected. Cloud users can still access cloud resources.

Tokiki
Jun 26, 2022

Agree. A

estyj
Nov 4, 2022

Correct A. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-current-limitations

Sango
Jul 3, 2023

Answer A is correct. PTA is enabled which means no AD synced user auth will work until the issue is resolved. If both PHS and PTA are enabled (as per config) it is still a manual process (not mentioned in the question) to roll back to PHS. Microsoft: "Enabling Password Hash Synchronization gives you the option to failover authentication if your on-premises infrastructure is disrupted. This failover from Pass-through Authentication to Password Hash Synchronization is not automatic. You'll need to switch the sign-in method manually using Azure AD Connect. If the server running Azure AD Connect goes down, you'll require help from Microsoft Support to turn off Pass-through Authentication."

RahulX
Feb 11, 2024

A. User1 and User3 only correct ans.

RahulX
Feb 11, 2024

Sorry, The correct ans will be C. User1, User2, and User3.

NotanAdmin
May 20, 2024

I got the correct answer, but maybe my logic is off? All users work remotely, so wouldn't they log in to AAD, not on-prem? Assuming User 2 uses a VPN to log in through AD on-prem, I read it as User 2 is already synced. Therefore, A.

melatocaroca
Sep 23, 2024

Answer C. Both password hash sync and pass-through are enabled, no password change in the question, just login. Only the on-premises domain's connectivity to the internet is lost. User1 and User 3 are users that will log in with their hash in AAD; User3 is an AAD guest who will log in with his own credentials created as a guest on AAD, so IMHO the answer must be C. Pass-through Authentication does not automatically failover to password hash synchronization. To avoid user sign-in failures, you should configure Pass-through Authentication for high availability. The password hash synchronization process runs every 2 minutes. When a user attempts to sign into Azure AD and enters their password, the password is run through the same MD4+salt+PBKDF2+HMAC-SHA256 process. If the resulting hash matches the hash stored in Azure AD, the user has entered the correct password and is authenticated.

Jonasweimar
Sep 24, 2022

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-current-limitations "Enabling Password Hash Synchronization gives you the option to failover authentication if your on-premises infrastructure is disrupted. This failover from Pass-through Authentication to Password Hash Synchronization is not automatic. You'll need to switch the sign-in method manually using Azure AD Connect. If the server running Azure AD Connect goes down, you'll require help from Microsoft Support to turn off Pass-through Authentication."

SebArgy (Option: C)
Dec 19, 2024

Response C. 1 - The password is synced. 2 - PHS ensures that users can authenticate to cloud services even if the on-premises AD is down. 3 - The tenant is not federated, which means the tenant is managed. That way, you can authenticate directly with Entra.

krutesh (Option: C)
Feb 18, 2025

Pass-through Authentication (PTA) validates users' passwords directly against on-premises Active Directory. It ensures on-premises security policies are enforced and does not store passwords in the cloud. Password Hash Synchronization (PHS) synchronizes a hash of user's password from on-premises Active Directory to Azure AD. It allows users to sign in to Azure AD using the same password they use on-premises. If both methods are enabled, PTA will take precedence for authentication. PHS can act as a backup, allowing users to sign in even if the PTA agent is temporarily unavailable.

stefwanders (Option: A)
Mar 15, 2025

Microsoft FAQ states: "No. Pass-through Authentication doesn't automatically failover to password hash synchronization. To avoid user sign-in failures, you should configure Pass-through Authentication for high availability." https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-pta-faq#does-password-hash-synchronization-act-as-a-fallback-to-pass-through-authentication-

Yassine1988 (Option: A)
Apr 16, 2025

User1 (Cloud-only user): Authenticates directly against Azure AD (no dependency on on-premises infrastructure). Can sign in. User2 (Synced user): Normally authenticates via PTA, which fails due to lost connectivity. Cannot sign in (unless PHS is used as a fallback, but PTA takes precedence here). User3 (Guest user): Authenticates via their home tenant (no dependency on on-premises infrastructure). Can sign in.