SC-300 Question #213: Real Exam Question with Answer & Explanation

To ensure user authentication always validates passwords against the on-premises AD DS domain, configure Pass-through authentication using Azure AD Connect.

Submitted by jakub_pl · Mar 6, 2026

Question

Hotspot Question

Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure AD tenant.

You need to ensure that user authentication always occurs by validating passwords against the AD DS domain.

What should you configure, and what should you use? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer:

Explanation

Approach. The core requirement is that 'user authentication always occurs by validating passwords against the AD DS domain'. This means Azure AD should not store or perform the authentication itself, but rather delegate it to the on-premises Active Directory.

  1. For 'Configure':

    • Pass-through authentication is the correct choice. It allows users to sign in to both on-premises and cloud-based applications using the same passwords. When users attempt to sign in to Azure AD, Pass-through authentication agents (installed on-premises) validate the user's password directly against the on-premises Active Directory. This perfectly matches the requirement for passwords to always be validated by the AD DS domain.
  2. For 'Use':

    • Azure AD Connect is the primary tool used to synchronize identities from on-premises Active Directory to Azure AD, and it also allows you to configure and enable various authentication methods, including Password Hash Synchronization and Pass-through Authentication. Therefore, to configure Pass-through authentication, Azure AD Connect is the essential tool.

Common mistakes.

  • A common mistake is confusing Pass-through authentication with Password hash synchronization (PHS). While PHS is a very common and robust authentication method for hybrid identities, it involves syncing a hash of the user's on-premises password to Azure AD. With PHS, Azure AD itself validates the password using the synced hash, meaning the validation does not always occur against the on-premises AD DS domain. The question specifically states 'always occurs by validating passwords against the AD DS domain', which rules out PHS.

Other incorrect choices and their reasons:

  • Azure AD Password protection: This feature helps prevent users from creating weak or compromised passwords but does not dictate where the password validation occurs.
  • Cross-tenant synchronization: Used for syncing users between different Azure AD tenants, not for connecting on-premises AD DS.
  • Microsoft Identity Manager (MIM): While a powerful identity management solution, Azure AD Connect is the standard and simpler tool for synchronizing AD DS with Azure AD and configuring these authentication methods.
  • The Microsoft Entra admin center: This portal is used to manage and monitor Azure AD settings and identities, but the initial configuration and enabling of Pass-through Authentication agents are done via Azure AD Connect.
  • The Microsoft Purview compliance portal: This portal is for compliance, data governance, and risk management, completely unrelated to user authentication methods.

Concept tested. Azure AD Connect synchronization options, specifically the difference between Pass-through Authentication (PTA) and Password Hash Synchronization (PHS) for hybrid identity authentication, and understanding which tool is used for their configuration.
