Exam AZ-500
Question 104

HOTSPOT -

Your network contains an on-premises Active Directory domain named adatum.com that syncs to Azure Active Directory (Azure AD).

The Azure AD tenant contains the users shown in the following table.

You configure the Authentication methods - Password Protection settings for adatum.com as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad

Discussion
maylevi

NO, YES, YES.

3) Audit mode: Audit mode is intended as a way to run the software in a "what if" mode. Each Azure AD Password Protection DC agent service evaluates an incoming password according to the currently active policy. If the current policy is configured to be in audit mode, "bad" passwords result in event log messages but are processed and updated. This behavior is the only difference between audit and enforce mode. All other operations run the same.

xavi1

audit only applies to the local AD, not azure ad

OpsecDude

But Password protection is an AAD feature.

Jacky_YO

my Answer : No , Yes , Yes

IvanIco

and it's wrong

ConanBarb

1 - No: Of course, nothing can evaluate existing passwords since they are stored hashed and not clear-text. And it says here: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy "It is important to note that Azure AD Password Protection can only validate passwords during password change or set operations. Passwords that were accepted and stored in Active Directory prior to the deployment of Azure AD Password Protection will never be validated and will continue working as-is. Over time, all users and accounts will eventually start using Azure AD Password Protection-validated passwords as their existing passwords expire normally. Accounts configured with "password never expires" are exempt from this."

2 - No: "Enforce custom list" in effect. (The Audit mode is under the sub-title "Password protection for Windows Server Active Directory" and applies only to that.)

3 - Yes: Even though "Enforce custom list" is in effect, the subordinate setting for "Password protection for Windows Server Active Directory" is in Mode = Audit.

ConanBarb

And in fact, I tested case 2 in portal, and was denied password change due to banned words (had Mode = Audit)

Floweezy

YES - User 1 is Azure AD, hence his Adatum123 is now considered a bad password and he must change it.
NO - User 2 cannot change his password as suggested because it contains a reference to Adatum (replacing A with @ will not bypass it).
YES - In audit mode, so the policy does not enforce.

dzampar

yes, right explanation YES,NO,YES

adamsca

Why did you just Apply Audit mode to User3 and not User1 and User3? Because it's in audit mode policies will not be enforced so answers are NO, YES, YES.

adamsca

Correction: I meant to say...Why did you just Apply Audit mode to User3 and not User1 and User2?

Naqsh27

I think it's because the audit only applies to on-prem accounts, which User3 is. It does not apply to the other cloud accounts. But I am not 100% sure.

Patchfox

I think it is NO NO YES, because the documentation says nothing about current password evaluations. The evaluation will only happen when the user changes or resets the password.

Patchfox

Update: I tested it in lab. The behaviour is like I said.

rooban

1. NO. Password protection does not prompt a user to change the password during logon; it only works during a password change/reset.
2. YES. Policy is in Audit mode, so no enforcement.
3. YES. Policy is in Audit mode, so no enforcement.

Nickname01

You are not correct: the audit mode is only for on-prem accounts and not for Azure AD accounts. The answer should be No No Yes.
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-operations

MathiasC

agree, N N Y when "Enable password protection on Windows Server Active Directory" is set to "No", Mode options "Enforced" and "Audit" are greyed out.

xRiot007

Box 1 is No - In Audit mode when a bad password is used for login or changed into, an event is logged, but the change still happens.

Self_Study

On exam 7/8/23. Answers are correct.

ITTesters

N-Y-Y when in audit mode. N-Y-Y when in enforced mode:

1. Passwords are only checked when changed; no forced change when PP is enabled.
2. @d@tum_C0mpleX123. will be normalized to adatum_complex123. (so one point for adatum, one point for _, if complex is on the default list then one point, one point for 1, one point for 2, one point for 3, one point for dot = 7 points, so valid pass).
3. Adatum123!. will be normalized to adatum123!. (so one point for adatum, one point for 1, one point for 2, one point for 3, one point for exclamation, one point for dot = 6 points, so valid pass).

Could someone confirm in lab?
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad#score-calculation
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad#how-are-passwords-evaluated

JaridB

Given that the policy is set to Audit mode, the enforcement of the custom banned password list is not active; instead, it will log any occurrences where a banned password would have been used if the policy were in Enforced mode.

1. User1 will be prompted to change the password on the next sign-in. No. There is no indication that User1 is required to change their password on the next sign-in due to a password policy. Audit mode does not enforce password changes; it only logs events.
2. User2 can change the password to @d@tum_C0mpleX123. Yes. In Audit mode, User2 would be able to change their password to this since the policy is not actively blocking the use of banned passwords but will log an event stating that this password would have been banned if the policy was in Enforced mode.
3. User3 can change the password to Adatum123. Yes. Similar to User2, User3 would be able to change their password to Adatum123, and an event would be logged due to the policy being in Audit mode, not Enforced mode.

Pupu86

The mode of password protection is only audit which means it will only flag out in logs that there is a violation but doesn’t mandate an enforcement. So the answer is No Yes Yes

zellck

NYY is the answer.
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy#deployment-strategy
"We recommend that you start deployments in audit mode. Audit mode is the default initial setting, where passwords can continue to be set. Passwords that would be blocked are recorded in the event log. After you deploy the proxy servers and DC agents in audit mode, monitor the impact that the password policy will have on users when the policy is enforced."

joegie00698

No: user is not changing password AND auditing is on.
YES: password has more than 5 points after rules check.
YES: same as above.
On-prem password protection is also enabled and uses the global and custom lists as well. I assume that the necessary components are installed on-prem as the option is activated.

brooklyn510

On exam 1/2/24

hfk2020

"If set to Enforce, users will be prevented from setting banned passwords and the attempt will be logged. If set to Audit, the attempt will only be logged." This is the explanation of Mode.

"We recommend that you start deployments in audit mode. Audit mode is the default initial setting, where passwords can continue to be set. Passwords that would be blocked are recorded in the event log. After you deploy the proxy servers and DC agents in audit mode, monitor the impact that the password policy will have on users when the policy is enforced. During the audit stage, many organizations find that the following situations apply: They need to improve existing operational processes to use more secure passwords. Users often use unsecure passwords. They need to inform users about the upcoming change in security enforcement, possible impact on them, and how to choose more secure passwords."

flafernan

N, Y, Y

PierreTang

Test on lab. N, N, N

TheProfessor

Correct answer. Policy is in Audit mode. It says " If set to Enforce, users will be prevented from setting banned passwords and the attempt will be logged. If set to Audit, the attempt will only be logged."

alopezme

YES NO YES
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-faq
"Why is Azure AD still rejecting weak passwords even though I've configured the policy to be in Audit mode? Audit mode is only supported in the on-premises Active Directory environment. Microsoft Entra ID is implicitly always in "enforce" mode when it evaluates passwords."
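
The point-scoring that ITTesters walks through above and the Audit-versus-Enforce distinction in the FAQ alopezme quotes can be modelled together. The following Python is an added example for this thread, not code from the exam page or from Microsoft: it implements the documented normalization (lower-case, then 0->o, 1->l, $->s, @->a), the documented scoring (one point per banned entry found, one point per remaining character, five points needed), and a mode switch in which Audit only relaxes the decision when the change is processed on-premises. The custom banned list, the assumption that "complex" is on the global list, and the log strings are constructed; plain substring matching stands in for the documented edit-distance-1 fuzzy match and the user/tenant-name checks are not modelled.

```python
"""Toy model of the Microsoft Entra ID / Azure AD Password Protection checks
discussed in the thread (added example; not the exam page's or Microsoft's code).

Documented rules modelled:
  * normalization: lower-case, then substitute 0->o, 1->l, $->s, @->a
  * every banned-list entry found in the normalized password scores 1 point
  * every remaining character not covered by a banned entry scores 1 point
  * fewer than 5 points -> the password is rejected
Simplifications (assumptions, not documented behaviour):
  * banned entries are matched as exact substrings; the real service also
    applies edit-distance-1 fuzzy matching and checks user/tenant names
  * the custom banned list and the event-log text below are constructed
"""
from dataclasses import dataclass

SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
MIN_POINTS = 5

# Constructed custom list: the tenant name from the exam scenario.
CUSTOM_BANNED = ["Adatum"]


def normalize(password: str) -> str:
    """Lower-case the password and apply the documented character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def find_banned(normalized: str, banned: list[str]) -> tuple[list[str], str]:
    """Return the banned entries found in `normalized` and the characters they leave uncovered.

    Longer entries are matched first and each character is credited to at most one
    entry, so the letters of a matched word are never scored a second time.
    """
    covered = [False] * len(normalized)
    found: list[str] = []
    entries = sorted({normalize(w) for w in banned if w}, key=len, reverse=True)
    for word in entries:
        start = 0
        while (idx := normalized.find(word, start)) != -1:
            if not any(covered[idx:idx + len(word)]):
                found.append(word)
                for i in range(idx, idx + len(word)):
                    covered[i] = True
            start = idx + 1
    residual = "".join(ch for ch, used in zip(normalized, covered) if not used)
    return found, residual


def score(password: str, banned: list[str]) -> tuple[int, list[str], str]:
    """Documented scoring: 1 point per banned entry found + 1 point per remaining character."""
    normalized = normalize(password)
    found, residual = find_banned(normalized, banned)
    return len(found) + len(residual), found, normalized


@dataclass
class Decision:
    password: str
    normalized: str
    points: int
    banned_found: list[str]
    would_block: bool   # the policy considers the password bad
    allowed: bool       # whether the change actually goes through
    log: str            # constructed stand-in for the DC agent's event-log entry


def evaluate_change(password: str, banned: list[str], mode: str = "Enforce",
                    target: str = "onprem") -> Decision:
    """Decide whether a password change is accepted.

    mode   : 'Enforce' or 'Audit', the setting under 'Password protection for
             Windows Server Active Directory'.
    target : 'onprem' when the DC agent processes the change (Audit applies);
             'entra' for a cloud-only account, which the product FAQ quoted in
             the thread says is implicitly always in enforce mode.
    """
    points, found, normalized = score(password, banned)
    would_block = points < MIN_POINTS
    audit_only = mode.lower() == "audit" and target == "onprem"
    allowed = (not would_block) or audit_only
    if not would_block:
        log = f"ACCEPTED: score {points} >= {MIN_POINTS}"
    elif audit_only:
        log = f"AUDIT: would reject (score {points} < {MIN_POINTS}, banned={found}); change allowed"
    else:
        log = f"ENFORCE: rejected (score {points} < {MIN_POINTS}, banned={found})"
    return Decision(password, normalized, points, found, would_block, allowed, log)


if __name__ == "__main__":
    # "complex" on the global list is an assumption, as ITTesters speculated above.
    for pw, mode, target in [("Adatum123", "Audit", "onprem"),
                             ("Adatum123", "Audit", "entra"),
                             ("@d@tum_C0mpleX123.", "Enforce", "onprem")]:
        d = evaluate_change(pw, CUSTOM_BANNED + ["complex"], mode, target)
        print(f"{pw!r:22} {mode:8} {target:7} -> {d.normalized!r} {d.log}")
```

Running the script prints one line per case. The score alone decides only whether a password is "bad"; whether a bad password is still written depends on the mode and on where the change is evaluated, which is exactly the split the thread is arguing about. The two documented worked examples from the score-calculation page (a 4-point rejection and a 5-point acceptance against a list containing "contoso" and "blank") reproduce under this model.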

IvanIco

Since Adatum is a banned word for passwords, any possible version of it is banned as well, so the answer is yes, no, no because @d@tum is counted in the banned list.

TheProfessor

NO, NO, YES

MichaelD_NZ

Should be NO, NO, YES. As per Authentication methods (Password Protection) Blade: [QUOTE] If set to Enforce, users will be prevented from setting banned passwords and the attempt will be logged. If set to Audit, the attempt will only be logged. [END QUOTE]