AZ-801 Question #187: Real Exam Question with Answer & Explanation

Question

Your on-premises network contains an Active Directory Domain Services (AD DS) domain. The domain contains a server named Server1 that hosts an app named App1. App1 uses Active Directory authentication. You have a Microsoft Entra tenant that contains a user named User1. You deploy Microsoft Entra Connect sync and configure password synchronization. User1 fails to authenticate to App1. You need to ensure that User1can authenticate to App1. What should you do?

Options

• AFor Microsoft Entra Connect sync, enable the BlockCloudAccountTakeoverThroughHardMatch feature.
• BFor Microsoft Entra Connect sync, enable password writeback.
• CFrom the AD DS domain, create a new user account named User1.
• DFor Microsoft Entra Connect sync, disable soft match.

Explanation

To enable a Microsoft Entra-only user to authenticate to an on-premises Active Directory application after password synchronization is configured, you must enable password writeback.

Common mistakes.

• A. The BlockCloudAccountTakeoverThroughHardMatch feature is designed to prevent specific account takeover scenarios during hard matching, not to enable authentication for cloud-originated users to on-premises AD DS apps.
• C. While User1 needs an account in AD DS, simply creating it manually doesn't ensure its password will synchronize from Microsoft Entra ID or resolve password consistency issues if the user's password is managed in the cloud.
• D. Disabling soft match would affect how Microsoft Entra Connect matches objects, but it does not enable a cloud-only user's password to be available for on-premises AD DS authentication.

Concept tested. Microsoft Entra Connect password writeback

Reference. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-password-writeback

No community discussion yet for this question.