MS-900 · Question #159
MS-900 Question #159: Real Exam Question with Answer & Explanation
Question
Drag and Drop Question
A company plans to migrate to a hybrid cloud infrastructure. You need to determine where to manage the different features after the hybrid deployment is complete. Match each item to the location where it will be managed.
To answer, drag the appropriate item from the column on the left to its location on the right. Each item may be used once, more than once, or not at all.
NOTE: Each correct selection is worth one point.
Answer:
Options
- A. Users have the same passwords in the cloud and on-premises. - Yes
- B. Users have the same passwords in the cloud and on-premises. - No
- C. Users sign in again to access Microsoft 365. - Yes
- D. Users sign in again to access Microsoft 365. - No
- E. You can configure federated authentication to require a smart card. - Yes
- F. You can configure federated authentication to require a smart card. - No
Explanation
Hybrid Cloud Identity — Exam Question Breakdown
This question tests knowledge of Azure AD hybrid identity methods: Password Hash Sync (PHS), Pass-Through Authentication (PTA), and Federated Authentication (ADFS).
Statement 1: "Users have the same passwords in the cloud and on-premises."
Answer: Yes (A)
Why: With Password Hash Synchronization (PHS), Azure AD Connect syncs a hash of the on-premises AD password hash up to Azure AD. The user authenticates with the same credential in both environments.
Memory tip: PHS = "copy the password fingerprint to the cloud." Same password, both places.
Statement 2: "Users sign in again to access Microsoft 365."
Answer: No (D)
Why: Hybrid identity methods (PHS with Seamless SSO, PTA, or ADFS) all support Single Sign-On (SSO). Once authenticated on a domain-joined machine, users are not prompted again for Microsoft 365 credentials.
Memory tip: The whole point of hybrid identity is SSO — no double sign-in.
Statement 3: "You can configure federated authentication to require a smart card."
Answer: Yes (E)
Why: Active Directory Federation Services (ADFS) supports advanced authentication policies, including certificate-based/smart card authentication. This is a key differentiator of federated auth — it gives you fine-grained MFA and conditional access control that PHS alone cannot provide.
Memory tip: ADFS = full control. If you need smart cards, hardware tokens, or complex claims rules, only federation gives you that flexibility.
Quick Comparison Table
| Feature | PHS | PTA | ADFS/Federation |
|---|---|---|---|
| Same password cloud + on-prem | Yes | Yes | No |
| Re-sign-in required | No (SSO) | No (SSO) | No (SSO) |
| Smart card support | No | No | Yes |
The core exam trap: PHS syncs passwords (same credential), but ADFS federates identity (no password in cloud, but maximum auth flexibility).