
AZ-500 Exam - Question 3


Note: This question is one of a number of questions that depict the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.

Your company has an Active Directory forest with a single domain, named weylandindustries.com. They also have an Azure Active Directory (Azure AD) tenant with the same name.

You have been tasked with integrating Active Directory and the Azure AD tenant. You intend to deploy Azure AD Connect.

Your strategy for the integration must make sure that password policies and user logon limitations affect user accounts that are synced to the Azure AD tenant, and that the number of necessary servers is reduced.

Solution: You recommend the use of federation with Active Directory Federation Services (AD FS).

Does the solution meet the goal?

Correct Answer: B

Federation with Active Directory Federation Services (AD FS) requires multiple servers for setup and maintenance, including AD FS servers and Web Application Proxy (WAP) servers. This solution does not satisfy the requirement of reducing the number of necessary servers. Additionally, AD FS handles authentication externally, which may complicate enforcement of password policies and user logon limitations directly in Azure AD. Therefore, this solution does not meet the goal of integrating Active Directory and the Azure AD tenant while maintaining password policies, user logon limitations, and minimizing the number of servers required.

Discussion

23 comments
trevax
Aug 18, 2021

- "password policies and user logon limitations affect user accounts that are synced to the Azure AD tenant" → Federation or PTA
- "the amount of necessary servers are reduced" → Federation > PTA > PHS (number of servers)

So the answer is PTA.

Shahrezza
Oct 2, 2021

Agreed, answer is: PTA

cometoit
Oct 24, 2021

Agreed, while federation would force user logon limitations it would require minimum 4 servers (2 ADFS/2 WAP).

LeDefatman
Oct 1, 2021

The phrase "...amount of necessary servers is reduced" eliminates Federation as an answer choice.

Rume
Jul 1, 2021

"must make sure that password policies and user logon limitations affect user accounts that are synced to the Azure AD tenant" .... This points to PTA.
"amount of necessary servers are reduced" ... Suggest to use PHS.
My vote would be B: NO.
Ref: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta
"However, certain organizations wanting to enforce their on-premises Active Directory security and password policies, can choose to use Pass-through Authentication instead"

TheLegendPasha (Option: B)
Apr 7, 2022

Less server means instantly not federation.

Ruffyit
Apr 4, 2024

A federated authentication system relies on an external trusted system to authenticate users. Some companies want to reuse their existing federated system investment with their Azure AD hybrid identity solution. The maintenance and management of the federated system falls outside the control of Azure AD. It's up to the organization by using the federated system to make sure it's deployed securely and can handle the authentication load.

rysano
Aug 11, 2024

The phrase "...amount of necessary servers is reduced" eliminates Federation as an answer choice. Guide: https://sites.google.com/view/learnmicrosoftcomenustrainingm/home

mjsm (Option: B)
Nov 22, 2021

no additional server

rohitmedi
Nov 28, 2021

correct answer

AS179
Dec 13, 2021

correct answer is NO

Eltooth (Option: B)
Mar 14, 2022

B is correct

Arpilinde92 (Option: B)
Mar 21, 2022

No is correct answer

MarcusPlexus
Sep 29, 2022

The 'correct answer' misses the point. You have recommended (in a badly stated fashion) 2 options: (1) PTA and (2) PHS with SSO. Option 2 does not care about your on prem settings, but option 1 does. Since you recommend both options and only one does the job, mission failed. This answer is incorrect (but not for the reason mentioned in 'correct answer').

God2029
Dec 2, 2022

Can go with PTA and Standby PHS. Need to think of ADFS only when third party application authentication is required. Question doesn't speak about third-party apps. So you don't need ADFS.

salmantarik
Dec 5, 2022

The correct answer is B. However, correct answer is SSO + PHS as it enforces two password policies (Password complexity policy and Password expiration policy also User Logon Restrictions) and it doesn't require any agents.

AZ5cert
Dec 10, 2022

B. No AD FS will trust third party trusted domains across the enterprise for seamless authentication

Fal991l
Feb 16, 2023

The solution of using federation with Active Directory Federation Services (AD FS) meets the goal of integrating Active Directory and the Azure AD tenant while making sure that password policies and user logon limitations affect user accounts that are synced to the Azure AD tenant, and reducing the number of necessary servers. Federation with AD FS allows for a single sign-on (SSO) experience for users, where they can authenticate with their on-premises Active Directory credentials and gain access to resources in both the on-premises environment and in the cloud. This ensures that password policies and user logon limitations applied to on-premises Active Directory also apply to Azure AD. (ChatGPT)

majstor86 (Option: B)
Mar 2, 2023

B. Answer is No

zellck (Option: B)
May 7, 2023

B is the answer.
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/choose-ad-authn#cloud-authentication
What are the on-premises server requirements beyond the provisioning system: Azure AD Connect?
Federation with AD FS
- Two or more AD FS servers
- Two or more WAP servers in the perimeter/DMZ network

ESAJRR (Option: B)
Jul 4, 2023

B. Answer is No

pentium75 (Option: B)
Jul 29, 2024

No because ADFS does anything but 'reduce the amount of necessary servers'.

Vaibhav39 (Option: B)
Jan 6, 2025

No password write back is needed

stonwall12 (Option: B)
Feb 13, 2025

Answer: B, No
Reason: Federation with AD FS doesn't meet the requirement to reduce server count as it requires additional infrastructure including multiple AD FS servers and web application proxies for high availability.
Reference: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/choose-ad-authn#federation-authentication-with-ad-fs

Tessy25 (Option: B)
Apr 17, 2025

While federation with AD FS enforces real-time password policies, it increases server count, violating the "reduce number of servers" requirement