MS-900 Question #119: Real Exam Question with Answer & Explanation

Question

Hotspot Question You are the Microsoft Office 365 administrator for a company. The company has the following requirements: - Users must be able to use incompatible applications on a Windows 10 device. - Cloud-based applications must use the same credentials as on-premises applications. - Users must be prevented from copying company data from managed applications installed on unmanaged devices. You need to determine which technologies should be used for each requirement. Which technologies should be used? To answer, select the appropriate options in the answer area. Answer:

Options

• __typehotspot
• variantdropdown

Explanation

The question requires matching specific IT requirements related to application compatibility, identity synchronization, and data loss prevention to the appropriate Microsoft 365/Azure services: Azure Virtual Desktop for incompatible applications, Azure AD Connect for unified cloud/on-premises credentials, and Microsoft Intune for preventing data copying from managed applications on unmanaged devices.

Approach. The correct interaction involves selecting the appropriate service from each dropdown menu to fulfill the stated requirement:

1. Requirement: 'Users must be able to use incompatible applications on a Windows 10 device.'

   • Correct Selection: Windows Virtual Desktop (now Azure Virtual Desktop - AVD).
   • Reasoning: AVD is a desktop and app virtualization service that allows users to access full Windows desktops or specific applications remotely from virtually any device. This is ideal for running legacy or incompatible applications in a virtualized environment, separate from the local Windows 10 OS, thereby resolving compatibility issues. The applications run in the cloud, and only the display is streamed to the local device.

2. Requirement: 'Cloud-based applications must use the same credentials as on-premises applications.'

   • Correct Selection: Azure AD Connect.
   • Reasoning: Azure AD Connect is the tool designed to synchronize user identities, passwords (or enable pass-through authentication/federation), and groups from an on-premises Active Directory to Azure Active Directory. This creates a hybrid identity environment, allowing users to use their existing on-premises credentials for authentication to cloud-based applications that are integrated with Azure AD, thus achieving single sign-on (SSO).

3. Requirement: 'Users must be prevented from copying company data from managed applications installed on unmanaged devices.'

   • Correct Selection: Microsoft Intune.
   • Reasoning: Microsoft Intune provides Mobile Application Management (MAM) policies. MAM allows administrators to manage and protect organizational data within specific applications (e.g., Office 365 apps) on both managed and unmanaged devices (BYOD scenarios). With MAM policies, you can enforce restrictions like preventing 'save as' to personal storage, 'copy/paste' of company data to personal applications, or printing from managed apps, even if the device itself is not enrolled and fully managed by Intune.

Common mistakes.

• common_mistake. Selecting services based on a superficial understanding of their capabilities rather than their primary function for the specific requirement:

• Azure AD Application Proxy: This service is primarily used to provide secure remote access to on-premises web applications for external users. While it uses Azure AD for authentication, it does not address application compatibility, identity synchronization (it consumes identities synchronized by Azure AD Connect), or general data loss prevention on client devices.

  • Mistake for Requirement 1: It doesn't virtualize applications.
  • Mistake for Requirement 2: It doesn't synchronize identities; it uses existing Azure AD identities for on-premises app access.
  • Mistake for Requirement 3: It doesn't manage data leakage on client devices.

• Windows Virtual Desktop (AVD): While a powerful virtualization tool, its purpose is specifically for providing virtual desktops and applications.

  • Mistake for Requirement 2: It doesn't synchronize identities.
  • Mistake for Requirement 3: It's not a tool for managing application data policies on local devices.

• Azure AD Connect: Its core function is identity synchronization.

  • Mistake for Requirement 1: It doesn't resolve application compatibility issues.
  • Mistake for Requirement 3: It doesn't manage application data protection policies.

• Microsoft Intune: While it offers Mobile Device Management (MDM) and Mobile Application Management (MAM), it's not designed for application virtualization or core identity synchronization.

  • Mistake for Requirement 1: It doesn't virtualize applications for compatibility.
  • Mistake for Requirement 2: It doesn't synchronize on-premises identities to Azure AD; it leverages identities already in Azure AD (often synchronized by Azure AD Connect) for device/app management.

Concept tested. This question tests the understanding of key Microsoft 365 and Azure identity, desktop virtualization, and device/application management services, specifically:

• Application Virtualization (Azure Virtual Desktop/WVD): For running legacy or incompatible applications.
• Hybrid Identity (Azure AD Connect): For synchronizing on-premises Active Directory identities with Azure Active Directory to enable single sign-on for cloud resources.
• Mobile Application Management (MAM) via Microsoft Intune: For data protection and policy enforcement within applications, particularly on unmanaged devices (BYOD scenarios), to prevent data leakage.

No community discussion yet for this question.