1. What are the two primary authentication models in Microsoft 365 for managing user accounts?
The two main models are Cloud Authentication and Federated Authentication. Cloud authentication includes cloud-only identities, where the identity exists only in Azure AD, and Directory Synchronization with Pass-through Authentication (PTA), where password validation happens against the on-premises directory.
Federated Authentication uses services like Active Directory Federation Services (AD FS) to hand over authentication control to an on-premises directory service.
2. What happens when a user account is deleted in Microsoft 365, and for how long can it be restored?
When a user account is deleted, it becomes inactive, and its license becomes available for another user. Microsoft 365 retains the account in a “soft deleted” state for 30 days, during which time an administrator can restore the account. This can be done through the “Deleted users” page in the Microsoft 365 admin center or by using the Restore-MsolUser cmdlet in PowerShell.
3. What is the principle of “Just-in-Time” (JIT) administrator access, and which Azure AD feature enables it?
JIT access is a security practice where users are granted privileged administrative access only for a predetermined amount of time when needed. This is enabled by Azure AD Privileged Identity Management (PIM). PIM introduces the concept of an “eligible admin,” whose role is inactive until they complete an activation process, reducing the risks associated with permanent admin access.
4. What are the key differences between a Microsoft 365 group and a Distribution list?
Several different types of groups are available in Microsoft 365:
Microsoft 365 Group: This is the best option for teamwork and collaboration. It provides members with a shared workspace that includes a shared mailbox, calendar, files, and conversations. It functions similarly to a distribution group for email but adds extensive collaboration features.
Distribution List: This group type is used solely for distributing emails to a list of members. An email sent to a distribution list is delivered to all members of that group. In the Exchange admin center, this is referred to as a “distribution group”.
Mail-enabled Security Group: This is a hybrid group that can be used for both sending emails to its members and assigning permissions to resources like Exchange Public Folders or OneDrive. This is ideal when you need a single group for both communication and access control.
Security Group: The primary purpose of a security group is to grant access permissions to resources such as SharePoint sites and OneDrive. For example, you can create a security group for the Marketing department to give them “Full Control” access to a marketing SharePoint site.
Dynamic Distribution Group: This group type uses recipient filters and conditions to dynamically determine its membership, meaning it doesn’t have a predefined list of members. Membership changes automatically based on the rules you define. These groups are created in the Exchange admin center.
In addition to these, SharePoint Online has its own built-in groups (e.g., Team Site Visitors, Members, Owners), which are collections of users with the same permission level for a SharePoint site. It is recommended to add security groups to these SharePoint groups rather than adding individual users.
The key difference is that a Distribution list is used solely for sending emails to all its members, whereas a Microsoft 365 group not only provides email distribution but also offers a shared collaborative workspace, including a shared mailbox, files, calendar, and conversations. It is considered the best option for teamwork.
5. How do you assign an administrator role, such as the Exchange administrator, to a user with Windows PowerShell?
You first use the Get-MsolRole cmdlet to find the exact name of the role. Then, you use the Add-MsolRoleMember cmdlet to assign it. For example: Add-MsolRoleMember -RoleName "Exchange Service Administrator" -RoleMemberEmailAddress "user@adatum.com".
6. Can a deleted security group be restored in Microsoft 365?
No. Unlike user accounts, when a security group is deleted, it is permanently deleted and cannot be restored. The user accounts that were members of the group remain intact.
7. What is Multi-Factor Authentication (MFA) in Microsoft 365, and what are some of the available second-factor methods?
MFA adds a layer of security by requiring a second authentication method in addition to a password. The available second-factor methods include a phone call, a text message with a code, a notification through a mobile app, or a verification code from a mobile app.
8. What is Self-Service Password Reset (SSPR), and what is required to allow password changes in the cloud to be written back to an on-premises Active Directory?
SSPR allows users to reset their own passwords without administrator intervention. For users with synchronized or federated identities, the password writeback feature is required to synchronize password changes from the cloud back to the on-premises directory. This capability requires an Azure AD Premium license.
9. What is Windows Hello for Business?
Windows Hello for Business is a feature in Windows 10 that replaces passwords with strong two-factor authentication on PCs and mobile devices. It uses a credential that is tied to a specific device and requires a biometric factor (face, iris, fingerprint) or a PIN to authenticate to an Active Directory or Azure AD account.
10. What is Azure AD Identity Protection and what are some risk events it can detect?
Azure AD Identity Protection is a feature that uses machine learning and heuristics to detect potential vulnerabilities and suspicious actions related to user identities. It can detect six types of risk events: users with leaked credentials, sign-ins from anonymous IP addresses, impossible travel to atypical locations, sign-ins from infected devices, sign-ins from IP addresses with suspicious activity, and sign-ins from unfamiliar locations.
11. How can an administrator use Azure AD Identity Protection to automatically respond to a high-risk sign-in?
Administrators can configure risk-based Conditional Access policies. For example, a policy can be set to trigger when a sign-in risk is detected. The policy can then automatically enforce an action, such as blocking the sign-in, issuing an MFA challenge, or requiring the user to change their password.
12. What is Azure AD Connect and what are its three main components?
Azure AD Connect is the recommended tool for connecting an on-premises Active Directory with Azure AD. Its three main components are the synchronization services, an optional Active Directory Federation Services (AD FS) component for federation, and Azure AD Connect Health for monitoring.
13. What are some key cleanup tasks that should be performed in an on-premises Active Directory before implementing directory synchronization?
Key cleanup tasks include removing duplicate proxyAddresses and userPrincipalName attributes, updating blank or invalid userPrincipalName attributes, and removing invalid characters from attributes like displayName and mail. The Microsoft 365 IdFix tool is recommended for identifying and remediating these object synchronization errors.
14. In a multi-forest Azure AD Connect scenario, why is planning the sourceAnchor attribute critical?
The sourceAnchor attribute uniquely identifies an object as being the same in both the local Active Directory and in Azure AD. In a multi-forest environment, especially if users might be moved between forests, it is critical to use an attribute that does not change, such as msDs-ConsistencyGuid or a custom synthetic attribute, to prevent duplicate accounts or sync issues.
15. What is the purpose of running an Azure AD Connect server in “staging mode”?
A server in staging mode provides a failover or backup scenario. It reads data from all connected directories and has an updated copy of the identity data, but it does not write anything to those directories. If the primary server fails, an administrator can fail over to the staging server.
16. What is the fundamental difference in the authentication process between AD FS and Password Hash Synchronization (PHS)?
With AD FS (Federated Identity), user password verification is delegated to the on-premises AD FS servers; the password is never stored or checked in the cloud. With Password Hash Synchronization (PHS), a hash of the user’s on-premises password hash is synchronized to Azure AD, and authentication for cloud services happens directly against Azure AD.
17. In an AD FS deployment for Microsoft 365, what is the role of the Web Application Proxy (WAP) server?
The WAP server acts as an intermediary proxy service between internet clients and the internal federation service. It is typically placed in a perimeter network (DMZ) to securely publish the internal AD FS service to external users without exposing the federation servers directly to the internet.
18. An organization using AD FS has an outage and users cannot sign in. How can you switch authentication to a backup method?
If Password Hash Synchronization was also enabled in Azure AD Connect, you can switch the domain’s authentication method from “Federated” to “Managed”. This is done using the PowerShell cmdlet: Set-MsolDomainAuthentication -DomainName yourdomain.com -Authentication Managed. This will cause Azure AD to start authenticating users via their synchronized password hashes.
19. What is the IdP Initiated Sign-on page in AD FS, and how is it useful for troubleshooting?
The Identity Provider (IdP) Initiated Sign-on page is a built-in webpage that allows a user to sign in directly through AD FS and then select a relying party application. It provides a simple way to validate that login through AD FS is working correctly, independent of redirection from a specific application like Microsoft 365. In Windows Server 2016, it is disabled by default and can be enabled with the Set-AdfsProperties -EnableIdPInitiatedSignonPage $True cmdlet.
20. What are the core components of an Azure AD Conditional Access policy?
A Conditional Access policy is an "if-then" statement with two core components. Assignments (the "if" part) define the conditions, such as users, groups, cloud apps, location, and device platform. Access Controls (the "then" part) define the response, such as granting access but requiring MFA, requiring a compliant device, or blocking access entirely.
21. How can you ensure that users can only access Microsoft 365 services from devices that meet corporate security standards?
This can be achieved by using a combination of Intune and device-based Conditional Access. First, you create an Intune device compliance policy that defines the security requirements (e.g., encryption, minimum OS version). Then, you create a Conditional Access policy in Azure AD that grants access to the services only if the “device is marked as compliant”.
22. What is Role-Based Access Control (RBAC) in Azure, and what three elements make up a role assignment?
RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management to Azure resources. A role assignment consists of three elements: a security principal (user, group, or service principal), a role definition (a collection of permissions like Owner or Contributor), and a scope (the boundary the access applies to, such as a subscription or resource group).
23. What is the difference between an Azure RBAC role and an Azure AD administrator role?
Azure RBAC roles are used to manage access to Azure resources like virtual machines, storage, and networks through Azure Resource Manager. Azure AD administrator roles are used to manage resources within Azure AD itself, such as creating users, managing groups, and assigning licenses.
24. What is Azure AD B2B collaboration, and how are guest users licensed for paid Azure AD features?
Azure AD B2B collaboration allows organizations to securely provide access to applications and resources to users from other organizations, with or without Azure AD. For licensing, an inviting tenant with a paid Azure AD license has rights for up to five B2B guest users for each paid license it owns. For example, to provide 60 B2B users with Premium P1 features, the tenant would need to have at least 12 Premium P1 licenses.
25. How does Azure AD Pass-through Authentication (PTA) work to validate a user’s credentials without storing password hashes in the cloud?
Azure AD Pass-through Authentication works by using an on-premises software agent that listens for password validation requests. The process is as follows:
- A user attempts to sign in to a cloud service like Microsoft 365.
- Azure AD receives the username and password and checks if the domain is configured for PTA. If it is, Azure AD places the credentials (in an encrypted queue) for the on-premises connector agent to retrieve.
- The agent, running on a server inside the corporate network, retrieves the credentials and validates them directly against the on-premises Active Directory.
- The on-premises Active Directory returns a response (success or failure) to the agent, which then passes this response back to Azure AD.
- Azure AD completes the authentication process based on this response. This entire process ensures that password validation occurs on-premises, and no password hashes are sent to or stored in the cloud.
26. How does a federated trust with AD FS work to allow a user from one organization to access resources in another without a separate login?
A federated trust works by using claims-based authentication, where one organization’s identity provider (the “account partner”) vouches for a user’s identity by issuing a security token to another organization (the “resource partner”). The process works like this:
- A user from the account organization tries to access a claims-aware application in the resource organization.
- The application redirects the user back to their own organization’s AD FS server (the account federation server) for authentication.
- The account federation server authenticates the user against its local Active Directory and issues a security token containing “claims” about the user (e.g., username, group memberships).
- The user’s browser sends this token to the resource organization’s federation server.
- The resource federation server, which has a pre-established trust with the account federation server, validates the token. If valid, it issues a new token that its local applications can understand and accept.
- This new token is used to grant the user access to the application. This allows the user to be authenticated by their home organization while being authorized to access resources in the partner organization.
27. How does Azure AD Seamless Single Sign-On (SSO) work to automatically sign in users on corporate devices?
Azure AD Seamless SSO uses Kerberos authentication to provide a true single sign-on experience for users on domain-joined devices connected to the corporate network. Here is how it works:
- When Seamless SSO is enabled via Azure AD Connect, a computer account named AZUREADSSOACC is created in the on-premises Active Directory. Its Kerberos decryption key is securely shared with Azure AD.
- A user tries to access a Microsoft 365 resource. Azure AD challenges the client browser to provide a Kerberos ticket.
- The client requests a Kerberos ticket for the Azure AD service from the on-premises Active Directory, using the AZUREADSSOACC computer account as the target.
- Active Directory returns an encrypted Kerberos ticket to the client.
- The client sends this ticket to Azure AD.
- Azure AD decrypts the ticket using the pre-shared key. If successful, it recognizes the user’s identity and grants access, often without the user needing to enter their password.
28. How does Azure AD Identity Protection work to detect a risk event like “Impossible Travel”?
Azure AD Identity Protection uses adaptive machine learning algorithms and heuristics to detect suspicious activities. The “Impossible travel to atypical locations” risk event works by analyzing two sign-ins from the same user that occur in geographically distant locations.
- The machine learning algorithm takes multiple factors into account, primarily the time between the two sign-ins and the time it would physically take to travel between the two locations.
- If the second sign-in occurs in a timeframe that would make travel between the locations impossible, it indicates that a different user is likely using the same credentials, and a risk event is triggered.
- To reduce incorrect alerts, the algorithm is designed to ignore obvious "false positives," such as sign-ins from known VPNs or from locations regularly used by other users in the organization. It also has an initial 14-day learning period to understand a new user's typical sign-in behavior.
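To make the "Impossible travel" logic concrete, here is an added example (not code from the original study guide or from Microsoft) that scores consecutive sign-ins of one user the way the bullets above describe: it skips a trusted VPN egress list and the 14-day learning window, then compares the speed required between two locations against a plausible ceiling. The sign-in records, coordinates, the 900 km/h ceiling and the VPN egress address are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # about airliner speed; faster than this is "impossible"
LEARNING_PERIOD = timedelta(days=14)  # the per-user learning window from the text
TRUSTED_EGRESS_IPS = {"203.0.113.10"}  # constructed: corporate VPN egress, ignored

@dataclass
class SignIn:
    user: str
    when: datetime
    ip: str
    lat: float
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(prev, cur, first_seen):
    """Return (flagged, required_kmh) for two consecutive sign-ins of one user."""
    # Known VPN egress and the learning period are treated as expected noise.
    if cur.ip in TRUSTED_EGRESS_IPS or prev.ip in TRUSTED_EGRESS_IPS:
        return False, 0.0
    if cur.when - first_seen < LEARNING_PERIOD:
        return False, 0.0
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.when - prev.when).total_seconds() / 3600
    if hours <= 0:  # same instant, different place: nobody can be in both
        return dist > 0, float("inf")
    kmh = dist / hours
    return kmh > MAX_PLAUSIBLE_KMH, kmh

def evaluate(events):
    """Sort one user's sign-ins by time and score each consecutive pair."""
    events = sorted(events, key=lambda e: e.when)
    first_seen = events[0].when
    return [(cur.when.isoformat(), *impossible_travel(prev, cur, first_seen))
            for prev, cur in zip(events, events[1:])]

# Constructed sample: the early Sydney sign-in falls inside the learning window,
# London -> Sydney within an hour is the impossible hop, and the New York sign-in
# arrives through the trusted VPN egress so it is ignored.
SAMPLE = [
    SignIn("alice", datetime(2024, 1, 1, 9), "198.51.100.5", 51.5074, -0.1278),    # London
    SignIn("alice", datetime(2024, 1, 2, 9), "192.0.2.7", -33.8688, 151.2093),     # Sydney
    SignIn("alice", datetime(2024, 1, 20, 9), "198.51.100.5", 51.5074, -0.1278),   # London
    SignIn("alice", datetime(2024, 1, 20, 10), "192.0.2.7", -33.8688, 151.2093),   # Sydney
    SignIn("alice", datetime(2024, 1, 20, 11), "203.0.113.10", 40.7128, -74.0060), # New York (VPN)
]

if __name__ == "__main__":
    for when, flagged, kmh in evaluate(SAMPLE):
        print(when, "RISK" if flagged else "ok", f"{kmh:.0f} km/h")
```

Only the London-to-Sydney pair is flagged; the same pair of cities eighteen days apart scores well under the ceiling.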
29. How does an Azure AD Conditional Access policy work to control user access?
A Conditional Access policy works as an “if-then” statement that evaluates access requests in real-time and enforces organizational policies. The process has two main parts:
- Assignments (The “If” condition): When a user tries to sign in, the policy first checks the conditions of the access attempt. These are the “assignments” and include mandatory conditions like who the user is (users and groups) and what they are trying to access (cloud apps). It also evaluates other conditions like the user’s network location, the device platform (e.g., iOS, Windows), sign-in risk level, and the client application being used.
- Access Controls (The “Then” action): If the conditions are met, the policy then applies the specified “access controls”. This is the action that is enforced. This could be to grant access but require an additional step like Multi-Factor Authentication (MFA) or require the device to be marked as compliant by Intune. In its most restrictive form, the policy can block access completely. Essentially, a conditional access policy allows organizations to implement automated, context-aware access control decisions for their cloud applications.
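The following added example (not from the original study guide, and not Microsoft's policy engine) evaluates the "if-then" structure described in questions 20, 21 and 29: assignments on user, group, cloud app, network location and sign-in risk decide whether a policy is in scope, and the access controls of every in-scope policy are combined, with block winning and an unmet compliant-device requirement ending in a block. The field names, the three policies and the sign-in contexts are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Set

RISK_ORDER = ["none", "low", "medium", "high"]

@dataclass
class SignInContext:
    user: str
    groups: Set[str]
    cloud_app: str
    trusted_location: bool
    device_compliant: bool  # as reported by the Intune compliance policy
    sign_in_risk: str  # one of RISK_ORDER

@dataclass
class Policy:
    name: str
    # Assignments (the "if" part); None means the condition is not restricted
    users: Optional[Set[str]] = None
    groups: Optional[Set[str]] = None
    cloud_apps: Optional[Set[str]] = None
    untrusted_locations_only: bool = False
    min_risk: str = "none"
    # Access controls (the "then" part)
    block: bool = False
    require_mfa: bool = False
    require_compliant_device: bool = False

def applies(p, ctx):
    """Every configured assignment must match for the policy to be in scope."""
    if p.users is not None and ctx.user not in p.users:
        return False
    if p.groups is not None and not (ctx.groups & p.groups):
        return False
    if p.cloud_apps is not None and ctx.cloud_app not in p.cloud_apps:
        return False
    if p.untrusted_locations_only and ctx.trusted_location:
        return False
    return RISK_ORDER.index(ctx.sign_in_risk) >= RISK_ORDER.index(p.min_risk)

def evaluate(policies, ctx):
    """Block wins; otherwise union the grant controls of all in-scope policies."""
    matched = [p for p in policies if applies(p, ctx)]
    if any(p.block for p in matched):
        return "block", []
    controls = {"mfa" for p in matched if p.require_mfa}
    controls |= {"compliant_device" for p in matched if p.require_compliant_device}
    if "compliant_device" in controls and not ctx.device_compliant:
        return "block", sorted(controls)  # the required control cannot be met
    return "grant", sorted(controls)

# Constructed policy set modelled on the scenarios discussed above
POLICIES = [
    Policy("MFA off the corporate network", untrusted_locations_only=True, require_mfa=True),
    Policy("Exchange Online needs a compliant device", cloud_apps={"Exchange Online"}, require_compliant_device=True),
    Policy("Block high-risk sign-ins", min_risk="high", block=True),
]
```

A returned "grant" with ["compliant_device", "mfa"] means access proceeds only once the MFA challenge is satisfied, since the device check has already passed.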
30. What are the authentication methods enabled by Entra Connect?
Entra Connect allows you to choose how users authenticate to Microsoft 365. The main options include:
Password Hash Synchronization (PHS): This is the simplest method. Azure AD Connect synchronizes a cryptographic hash of the user’s password hash from on-premises AD to Azure AD. When a user signs in, Azure AD validates their password against this stored hash. This enables “same sign-on,” where users must re-enter their credentials but can use the same password for both local and cloud resources.
Pass-through Authentication (PTA): With PTA, password validation happens directly against your on-premises Active Directory in real-time. An agent installed on-premises listens for validation requests from Azure AD, verifies the credentials locally, and sends the result back to the cloud. This method ensures that password hashes are never sent to or stored in the cloud.
Federation with AD FS: This is the most complex option, used by large organizations with advanced authentication needs. AD FS handles the entire authentication process. When a user tries to sign in to a Microsoft 365 service, they are redirected to an on-premises AD FS server to enter their credentials. The AD FS server validates the credentials against the local AD and issues a security token to Azure AD, granting the user access. This provides a true "single sign-on" experience for users on the corporate network.