You need to modify the Office 365 subscription to support the planned changes for the devices that connect from untrusted networks

###BeginCaseStudy###
Topic 1, Fabrikam, Inc
Overview
Fabrikam, Inc. is a financial services organization.
Fabrikam recently purchased another financial services organization named Contoso, Ltd.
Fabrikam has 2000 users. Contoso has 500 users.
Windows 10 and Office 2016 are deployed to all computers.
Physical Location:
Fabrikam has an office in the United States. Contoso has an office in the United Kingdom.
The offices connect to each other by using a WAN link. Each office also connects directly to the internet.
Existing Environment:
Active Directory:
The Fabrikam network contains an Active Directory forest.
The Active Directory environment of Contoso was migrated to the Active Directory forest of Fabrikam.
The forest contains three domains named fabrikam.com, contractor.fabrikam.com, and contoso.com.
All domain controllers run Windows Server 2008 R2.
All contractors outsourced by Fabrikam use the user principal name (UPN) suffix of
contractor.fabrikam.com. If Fabrikam hires the contractor as a permanent employee, the UPN suffix
changes to fabrikam.com.
Network
The network has the following configurations:
* External IP address for the United States office: 192.168.1.100
* External IP address for the United Kingdom office: 192.168.2.100
* Internal IP address range for the United States office: 10.0.1.0/24
* Internal IP address range for the United Kingdom office: 10.0.2.0/24
Active Directory Federation Services (AD FS)
AD FS and Web Application Proxies are deployed to support an app for the sales department. The app is
accessed from the Microsoft Azure Portal.
Office 365 Tenant
You have an Office 365 subscription that has the following configurations:
* Organization name: Fabrikam Financial Services
* Vanity domain: Fabrikamfinancialservices.onmicrosoft.com
* Microsoft SharePoint domain: Fabrikamfinancialservices.sharepoint.com
* Additional domains added to the subscription: Contoso.com and fabrikam.com
Requirements:
Planned Changes:
* Deploy Azure AD Connect.
* Move mailboxes from Microsoft Exchange 2016 to Exchange Online.
* Deploy Azure Multi-Factor Authentication for devices that connect from untrusted networks only.
* Customize the AD FS sign-in webpage to include the Fabrikam logo, a helpdesk phone number, and a
sign-in description.
* Once all of the Fabrikam users are replicated to Azure Active Directory (Azure AD), assign an E3 license
to all of the users in the United States office.
Technical Requirements:
Contoso identifies the following technical requirements:
* When a device connects from an untrusted network to https://outlook.office.com, ensure that users
must type a verification code generated from a mobile app.
* Ensure that all users can access Office 365 services from a web browser by using either a UPN or their
primary SMTP email address.
* After Azure AD Connect is deployed, change the UPN suffix of all the users in the Contoso sales
department to fabrikam.com.
* Ensure that administrators are notified when the health information of Exchange Online changes.
* Use Office 365 reports to review previous tasks performed in Office 365.

###EndCaseStudy###

You need to modify the Office 365 subscription to support the planned changes for the devices that
connect from untrusted networks.
You enable Azure multi-factor authentication for all of the users in the subscription. What should you
do next from the Office 365 portal?

A. Add a trusted domain.

B. Set the Trusted IPs to 10.0.1.0/24 and 10.0.2.0/24.

C. Set the Trusted IPs to 192.168.1.100/32 and 192.168.2.100/32.

D. Convert the fabrikam.com domain to a federated domain.





Niraj

Answer is C

George

Hello,

Why not B?

MFA must be applied to the external range, not to the internal range, isn’t it?

Could you explain that? Thank you.

Marty

Answer C. For explanation see https://docs.microsoft.com/nl-nl/azure/multi-factor-authentication/multi-factor-authentication-whats-next#trusted-ips

Adding trusted IPs excludes a set of addresses from MFA. MFA is hosted outside your LAN, so you communicate with the service using your public IPs. The case tells us that the external IPs are 192.168.1.100 and 192.168.2.100, so these should be added as trusted IPs in MFA.

Obalolu Gbadamosi

This is exactly why the Answer is B.
You add the internal IPs as trusted; that link does specify that only IPs on the intranet can be added as a Trusted IP. That means the trusted IPs bypass 2-step verification but the external ones do not. You are supposed to deploy MFA for external connections only.

Eric Mengel

Passed 70-346 exam last week! 930/1000 points!

Lots of questions regarding ADFS 3.0 and related PowerShell commands.

And, there were a lot of Yes/No questions and case studies in my actual 70-346 test.

Many new questions about monitoring, managing, provisioning.

…etc.

I do recommend you to read entire books and learn valid 70-346 dumps here: http://www.passleader.com/70-346.html (203Q), all new questions are available in it now!

doog

Guys, aren’t 10.0.0.0 and 192.168.0.0 private IP address ranges? They can’t be routable on the internet, so the only option is A, I believe.

Xavier

I have seen from other study guides the answer to this question being ‘A’ “Add a trusted domain.” I have been confused by this for a while, but I believe I understand the answer now. The last sentence of the question states “What should you do next from the Office 365 portal?”, meaning you need to log into the O365 portal and add a trusted domain. The answer ‘C’ would be correct if the question was asking what should be done on the AD FS server. This question appears to be a trick question. Please let me know if you agree or not.

PeterDo

“Add a trusted domain” is applicable to Exchange email only. (That is, emails from a trusted domain will bypass all virus/spam filters.) It has nothing to do with MFA.
Answer C (Set the Trusted IPs to 192.168.1.100/32 and 192.168.2.100/32) is correct, and you can add trusted IPs in Office 365 as follows:

To enable Trusted IPs
1. Sign in to the Azure classic portal.
2. Navigate to the MFA Service Settings page per the instructions at the beginning of this article.
3. On the Service Settings page, under Trusted IPs, you have two options:
   • For requests from federated users originating from my intranet – Check the box. All federated users who are signing in from the corporate network will bypass two-step verification using a claim issued by AD FS.
   • For requests from a specific range of public IPs – Enter the IP addresses in the text box provided using CIDR notation. For example: xxx.xxx.xxx.0/24 for IP addresses in the range xxx.xxx.xxx.1 – xxx.xxx.xxx.254, or xxx.xxx.xxx.xxx/32 for a single IP address. You can enter up to 50 IP address ranges. Users who sign in from these IP addresses bypass two-step verification.
4. Click Save.
5. Once the updates have been applied, click Close.

https://docs.microsoft.com/nl-nl/azure/multi-factor-authentication/multi-factor-authentication-whats-next#trusted-ips

Kilo

Answer is A: I went through https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next#trusted-ips
and I believe this is in fact a typo. Instead, it means add a trusted “location”, not “domain”.

Enable named locations by using conditional access
Sign in to the Azure portal.
On the left, select Azure Active Directory > Conditional access > Named locations.
Select New location.
Enter a name for the location.
Select Mark as trusted location.
Enter the IP Range in CIDR notation like 192.168.1.1/24.
Select Create.
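The Trusted IPs steps quoted by PeterDo and the named-location steps quoted by Kilo both configure the same kind of rule: a sign-in skips MFA when the source address the cloud service observes falls inside a configured CIDR range. The following is an added example, not code from the page, from Microsoft, or from any commenter; it models that evaluation so the options B and C can be checked against constructed sample sign-ins. It assumes a simplified policy in which the service only ever sees the address that reaches it over the internet (an office's NAT address, never its 10.x LAN address), and it uses documentation addresses and made-up users as sample input.

```python
# Added example: a small model of how a "Trusted IPs" / trusted named-location
# MFA exclusion is evaluated. Not Microsoft's code; assumes the service sees
# only the internet-facing source address of each sign-in.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass
class Decision:
    user: str
    source_ip: str
    mfa_required: bool
    matched_range: Optional[str]  # trusted CIDR that exempted the sign-in, if any


def parse_trusted_ranges(cidrs: Sequence[str]) -> list:
    """Parse CIDR strings as entered in the portal.

    strict=False tolerates host bits being set, so the "192.168.1.1/24"
    shown in the thread is read as the network 192.168.1.0/24.
    """
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def evaluate_signin(user: str, source_ip: str, trusted_cidrs: Sequence[str]) -> Decision:
    """Require MFA unless the observed source address is inside a trusted range."""
    src = ipaddress.ip_address(source_ip)
    for net in parse_trusted_ranges(trusted_cidrs):
        if src in net:
            return Decision(user, source_ip, mfa_required=False, matched_range=str(net))
    return Decision(user, source_ip, mfa_required=True, matched_range=None)


def evaluate_signins(records: Sequence[Tuple[str, str]], trusted_cidrs: Sequence[str]) -> List[Decision]:
    """Evaluate a batch of (user, observed source address) records."""
    return [evaluate_signin(user, ip, trusted_cidrs) for user, ip in records]


def audit_trusted_ranges(trusted_cidrs: Sequence[str]) -> List[str]:
    """Return trusted entries that lie in private (non-internet-routable) space.

    Such entries can never match an internet-facing source address, so they
    exempt nobody: they are dead configuration rather than a real exclusion.
    """
    return [c for c in trusted_cidrs
            if ipaddress.ip_network(c, strict=False).is_private]


# Constructed sample sign-ins: (user, source address as seen by the service).
# 198.51.100.20 is a documentation address standing in for a home network.
SAMPLE_SIGNINS = [
    ("alice@fabrikam.com", "192.168.1.100"),   # US office external address (case study)
    ("bob@contoso.com", "192.168.2.100"),      # UK office external address (case study)
    ("carol@fabrikam.com", "198.51.100.20"),   # untrusted network
]

TRUSTED_PUBLIC = ["192.168.1.100/32", "192.168.2.100/32"]  # option C
TRUSTED_INTERNAL = ["10.0.1.0/24", "10.0.2.0/24"]          # option B

if __name__ == "__main__":
    for d in evaluate_signins(SAMPLE_SIGNINS, TRUSTED_PUBLIC):
        print(f"{d.user:22} from {d.source_ip:15} -> MFA required: {d.mfa_required} "
              f"(matched {d.matched_range})")
    print("Internal-only list exempts none of the sample sign-ins:",
          all(d.mfa_required for d in evaluate_signins(SAMPLE_SIGNINS, TRUSTED_INTERNAL)))
    print("Private entries in the internal list:", audit_trusted_ranges(TRUSTED_INTERNAL))
```

With the option C list, the two office sign-ins are exempted and the home-network sign-in still requires MFA; with the option B list, no sample sign-in is ever exempted, because a 10.x address never reaches the service as a source address. Note that `audit_trusted_ranges` also flags the case study's "external" 192.168.x addresses, since they are RFC 1918 space as well (the point doog raises above); in a real tenant the trusted entries would be the offices' genuine public addresses.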