MS-102 Question #142: Real Exam Question with Answer & Explanation

The correct answer is A: From a domain controller, install the Azure AD Password Protection Proxy. To enforce Azure AD Password Protection's banned password list for on-premises Active Directory users with pass-through authentication, you must deploy the necessary agents and proxy, then configure the enforcement mode.

Submitted by daniela_cl · Apr 18, 2026 · Implement and manage Microsoft Entra identity and access

Question

Your network contains an on-premises Active Directory domain. You have a Microsoft 365 subscription. You implement a directory synchronization solution that uses pass-through authentication. You configure Azure AD smart lockout as shown in the following exhibit. You discover that Active Directory users can use the passwords in the custom banned passwords list. You need to ensure that banned passwords are banned for all users. Which three actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

Options

  • A. From a domain controller, install the Azure AD Password Protection Proxy.
  • B. From Active Directory, modify the Default Domain Policy.
  • C. From a domain controller, install the Azure AD Application Proxy connector.
  • D. From all the domain controllers, install the Azure AD Password Protection DC Agent.
  • E. From Password protection for Windows Server Active Directory, modify the Mode setting.
  • F. From Custom banned passwords, modify the Enforce custom list setting.

Explanation

To enforce Azure AD Password Protection's banned password list for on-premises Active Directory users with pass-through authentication, you must deploy the necessary agents and proxy, then configure the enforcement mode.

Common mistakes.

  • B. Modifying the Default Domain Policy controls traditional Active Directory password settings and does not integrate with or extend Azure AD Password Protection's banned password list enforcement.
  • C. The Azure AD Application Proxy connector provides secure remote access to on-premises web applications and is unrelated to enforcing password policies for Active Directory users.
  • F. The 'Enforce custom list' setting within Azure AD applies to cloud password policies; it does not enable enforcement for on-premises Active Directory without the deployment of the Azure AD Password Protection DC Agent and Proxy, and setting the on-premises mode to 'Enforced'.

Concept tested. Azure AD Password Protection for on-premises AD

Reference. https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-password-protection-on-premises

Topics

#Azure AD Password Protection · #Hybrid Identity · #Pass-through Authentication · #Active Directory
