You manage an Active Directory Domain Services (AD DS) domain. Your company plans to move all of its resources to Office 365.
You must implement Active Directory Federation Services (AD FS). You place all internet-facing servers on a perimeter network.
You need to ensure that intranet and extranet users are authenticated before they access network resources.
Which three authentication methods should you provide for extranet users? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Windows Integrated Authentication using Negotiate for NTLM
B. Windows Integrated Authentication using Negotiate for Kerberos
C. Authentication with RADIUS
D. Forms Authentication using username and passwords
E. Certificate Authentication using certificates mapped to user accounts in AD DS
Windows Integrated Authentication using Negotiate for NTLM is not a valid option.
References:
https://authenticationfactor.wordpress.com/2014/06/18/adfs-3-0-playing-with-authentication/
https://blogs.msdn.microsoft.com/benjaminperkins/2011/09/14/integrated-windows-authentication-with-negotiate/
https://jorgequestforknowledge.wordpress.com/2017/03/29/why-you-should-turn-on-forms-based-authentication-fba-for-the-intranet-in-adfs/
https://msdn.microsoft.com/en-us/library/bb742438.aspx
QUESTION 200
Case Study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like
to complete each case. However, there may be additional case studies and sections on this exam. You must
manage your time to ensure that you are able to complete all questions included on this exam in the time
provided.
To answer the questions included in a case study, you will need to reference information that is provided in the
case study. Case studies might contain exhibits and other resources that provide more information about the
scenario that is described in the case study. Each question is independent of the other questions in this case
study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to
make changes before you move to the next sections of the exam. After you begin a new section, you cannot
return to this section.
To start the case study
To display the first question on this case study, click the Next button. Use the buttons in the left pane to explore
the content of the case study before you answer the questions. Clicking these buttons displays information such
as business requirements, existing environment, and problem statements. If the case study has an All
Information tab, note that the information displayed is identical to the information displayed on the subsequent
tabs. When you are ready to answer a question, click the Question button to return to the question.
Overview
General Overview
Fabrikam, Inc. is a financial services organization.
Fabrikam recently purchased another financial services organization named Contoso, Ltd.
Fabrikam has 2,000 users. Contoso has 500 users.
Windows 10 and Office 2016 are deployed to all computers.
Physical Locations
Fabrikam has an office in the United States. Contoso has an office in the United Kingdom.
The offices connect to each other by using a WAN link. Each office also connects directly to the Internet.
Existing Environment
Active Directory
The network of Fabrikam contains an Active Directory forest.
The Active Directory environment of Contoso was migrated to the Active Directory forest of Fabrikam. The
forest contains three domains named fabrikam.com, contractor.fabrikam.com, and contoso.com.
All domain controllers run Windows Server 2008 R2.
All contractors outsourced by Fabrikam use the user principal name (UPN) suffix of contractor.fabrikam.com. If
Fabrikam hires the contractor as a permanent employee, the UPN suffix changes to fabrikam.com.
Network
The network has the following configurations:
External IP address for the United States office: 192.168.1.100
External IP address for the United Kingdom office: 192.168.2.100
Internal IP address range for the United States office: 10.0.1.0/24
Internal IP address range for the United Kingdom office: 10.0.2.0/24
Active Directory Federation Services (AD FS)
AD FS and Web Application Proxies are deployed to support an app for the sales department. The app is
accessed from the Microsoft Azure portal.
Office 365 Tenant
You have an Office 365 subscription that has the following configurations:
Organization name: Fabrikam Financial Services
Vanity domain: Fabrikamfinancialservices.onmicrosoft.com
Microsoft SharePoint domain: Fabrikamfinancialservices.sharepoint.com
Additional domains added to the subscription: Contoso.com and fabrikam.com
Requirements
Planned Changes
Fabrikam plans to implement the following changes:
Deploy Azure AD Connect.
Move mailboxes from Microsoft Exchange 2016 to Exchange Online.
Deploy Azure multi-factor authentication for devices that connect from untrusted networks only.
Deploy the Azure Authenticator app and the Company Portal app to all mobile devices.
Customize the AD FS sign-in webpage to include the Fabrikam logo, a helpdesk phone number, and a
sign-in description.
Once all of the Fabrikam users are replicated to Azure Active Directory (Azure AD), assign an E3 license to
all of the users in the United States office.
Technical Requirements
Contoso identifies the following technical requirements:
When a device connects from an untrusted network to https://outlook.office.com, ensure that users must
type a verification code generated from a mobile app.
Ensure that all users can access Office 365 services from a web browser by using either a UPN or their
primary SMTP email address.
After Azure AD Connect is deployed, change the UPN suffix of all the users in the Contoso sales
department to fabrikam.com.
Ensure that administrators are notified when the health information of Exchange Online changes.
Use Office 365 reports to review previous tasks performed in Office 365.
You need to configure the Office 365 subscription to ensure that Active Directory users can connect to Office
365 resources by using single sign-on (SSO).
Solution: You run Convert-MsolDomainToStandard for the fabrikam.com domain and the contoso.com domain.
Does this meet the goal?
Yes
No
Explanation:
Windows Integrated Authentication makes use of Negotiate/Kerberos or NTLM to authenticate users based on
an encrypted ticket/message passed between a browser and a server.
With Azure AD you need Forms-based authentication in ADFS for Azure AD/MSOnline PowerShell Module and
Azure AD Self-Service Password Reset.
In Active Directory mapping, when the IIS server receives a certificate from the user, it passes it on to Active
Directory, which maps it to a Windows user account. The IIS server then logs this account on.
Active Directory mapping is most useful when the account mappings are the same on all IIS servers.
Administration is simplified because the mapping is done in only one place.
Incorrect Answers: