AZ-100: Microsoft Azure Infrastructure and Deployment - Authentication Requirements

Prepare Environment for Authentication Requirements

Question

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study -

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an

All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Overview -

Humongous Insurance is an insurance company that has three offices in Miami, Tokyo and Bangkok. Each office has 5.000 users.

Existing Environment -

Active Directory Environment -

Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com. The functional level of the forest is Windows Server 2012.

You recently provisioned an Azure Active Directory (Azure AD) tenant.

Network Infrastructure -

Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet.

Each office has several link load balancers that provide access to the servers.

Active Directory Issue -

Several users in humongousinsurance.com have UPNs that contain special characters.

You suspect that some of the characters are unsupported in Azure AD.

Licensing Issue -

You attempt to assign a license in Azure to several users and receive the following error message: "Licenses not assigned. License agreement failed for one user."

You verify that the Azure subscription has the available licenses.

Requirements -

Planned Changes -

Humongous Insurance plans to open a new office in Paris. The Paris office will contain 1,000 users who will be hired during the next 12 months. All the resources used by the Paris office users will be hosted in Azure.

Planned Azure AD Infrastructure -

The on-premises Active Directory domain will be synchronized to Azure AD.

All client computers in the Paris office will be joined to an Azure AD domain.

Planned Azure Networking Infrastructure

You plan to create the following networking resources in a resource group named All_Resources:

Default Azure system routes that will be the only routes used to route traffic

A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2

A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet

A virtual network named AllOffices-VNet that will contain two subnets named Subnet3 and Subnet4

You plan to enable peering between Paris-VNet and AllOffices-VNet. You will enable the Use remote gateways setting for the Paris-VNet peerings.

You plan to create a private DNS zone named humongousinsurance.local and set the registration network to the ClientResources-VNet virtual network.

Planned Azure Computer Infrastructure

Each subnet will contain several virtual machines that will run either Windows Server 2012 R2, Windows Server 2016, or Red Hat Linux.

Department Requirements -

Humongous Insurance identifies the following requirements for the company's departments:

Web administrators will deploy Azure web apps for the marketing department. Each web app will be added to a separate resource group. The initial configuration of the web apps will be identical. The web administrators have permission to deploy web apps to resource groups.

During the testing phase, auditors in the finance department must be able to review all Azure costs from the past week.

Authentication Requirements -

Users in the Miami office must use Azure Active Directory Seamless Single Sign-on (Azure AD Seamless SSO) when accessing resources in Azure.

You need to prepare the environment to meet the authentication requirements.

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE Each correct selection is worth one point.

Introductory Info

Question

Answers

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D. E.

BD

D: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or Pass-through Authentication, and can be enabled via Azure

AD Connect.

B: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using

Group Policy in Active Directory: https://autologon.microsoftazuread-sso.com

Incorrect Answers:

A: Seamless SSO needs the user's device to be domain-joined, but doesn't need for the device to be Azure AD Joined.

C: Azure AD connect does not port 8080. It uses port 443.

E: Seamless SSO is not applicable to Active Directory Federation Services (ADFS).

Scenario: Users in the Miami office must use Azure Active Directory Seamless Single Sign-on (Azure AD Seamless SSO) when accessing resources in Azure.

Planned Azure AD Infrastructure include: The on-premises Active Directory domain will be synchronized to Azure AD.

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso-quick-start

To enable Azure Active Directory Seamless Single Sign-on (Azure AD Seamless SSO) for users in the Miami office, you need to perform the following two actions:

A. Join the client computers in the Miami office to Azure AD.

This action involves joining the client computers in the Miami office to Azure AD using Azure AD Connect. This will enable the client computers to authenticate against Azure AD instead of the on-premises Active Directory. This is important because Azure AD Seamless SSO requires the client computer to be joined to Azure AD.

B. Add http://autologon.microsoftazuread-sso.com to the intranet zone of each client computer in the Miami office.

This action involves adding http://autologon.microsoftazuread-sso.com to the intranet zone of each client computer in the Miami office using Group Policy or manually. This is important because Azure AD Seamless SSO uses this URL to authenticate users to Azure AD without prompting for credentials. By adding this URL to the intranet zone, you are telling the client computers to trust this URL and to send the user's credentials automatically.

C. Allow inbound TCP port 8080 to the domain controllers in the Miami office.

This action is not required for enabling Azure AD Seamless SSO. Inbound TCP port 8080 is used by some applications and services, but it is not related to Azure AD Seamless SSO.

D. Install Azure AD Connect on a server in the Miami office and enable Pass-through Authentication.

This action is related to Azure AD authentication but it is not required for enabling Azure AD Seamless SSO. Azure AD Connect is used to synchronize on-premises Active Directory users and groups to Azure AD. Pass-through Authentication is a feature of Azure AD Connect that enables users to authenticate against on-premises Active Directory instead of Azure AD. However, this is not required for enabling Azure AD Seamless SSO.

E. Install the Active Directory Federation Services (AD FS) role on a domain controller in the Miami office.

This action is also related to Azure AD authentication but it is not required for enabling Azure AD Seamless SSO. AD FS is a feature of Windows Server that provides single sign-on across multiple applications or systems. However, this is not required for enabling Azure AD Seamless SSO.