Your network contains an on-premises Active Directory domain named contoso.com that syncs to Azure Active Directory (Azure AD)

HOTSPOT

Your network contains an on-premises Active Directory domain named contoso.com that syncs to Azure Active Directory (Azure AD).

You have users in contoso.com as shown in the following table.

The users have the passwords shown in the following table.

You implement password protection as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

View Answer

Answer:

Explanation:

Box 1: No

User1’s password contains the banned password ‘Contoso’. However, User1 will not berequired to change his password at next sign in. When the password expires or whenUser1 (or an administrator) changes the password, the password will be evaluated and willhave to meet the password requirements.

Box 2: Yes

Password evaluation goes through several steps including normalization and Substringmatching which is used on the normalized password to check for the user’s first and lastname as well as the tenant name. Normalization is the process of converting common lettersubstitutes into letters. For example, 0 converts to o. $ converts to s. etc.

The next step is to identify all instances of banned passwords in the user’s normalized new password. Then:

✑ Each banned password that is found in a user’s password is given one point.

✑ Each remaining unique character is given one point.

✑ A password must be at least five (5) points for it to be accepted.

‘C0nt0s0’ becomes ‘contoso’ after normalization. Therefore, C0nt0s0_C0mplex123 contains one instance of the banned password (contoso) so that equals 1 point. After ‘contoso’, there are 11 unique characters. Therefore, the score for ‘C0nt0s0_C0mplex123’ is 12. This is more than the required 5 points so the password is acceptable.

Box 3:

The ‘Password protection for Windows Server Active Directory’ is in ‘Audit’ mode. This means that the password protection rules are not applied. Audit mode is for logging policy violations before putting the password protection ‘live’ by changing the mode to ‘enforced’.