Free Microsoft AZ-801 Exam Questions (page: 13)

You have an on-premises server named Server1 that runs Windows Server.

You have an Azure subscription.

You need to onboard Server1 to Microsoft Defender for Cloud.

What should you install on Server1?

  1. the Azure File Sync agent
  2. the Microsoft Entra provisioning agent
  3. the Device Health Attestation role
  4. the Azure Connected Machine agent

Answer(s): D

Explanation:

To onboard an on-premises server like Server1 to Microsoft Defender for Cloud, you need to install the Azure Connected Machine agent. This agent connects on-premises or other cloud servers to Azure services, enabling you to monitor and secure the server using Azure features like Microsoft Defender for Cloud.



You have a management group named MG1 that contains an Azure subscription named Sub1. Sub1 contains the resources shown in the following table.



You need to enable Microsoft Defender for Servers.

From the Azure portal, on which two resources can you enable Defender for Servers? Each correct answer presents a complete solution.

Note: Each correct selection is worth one point.

  1. RG1
  2. Workspace1
  3. Sub1
  4. MG1
  5. VNet1
  6. VM1

Answer(s): B,C



HOTSPOT (Drag and Drop is not supported)

Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains an organizational unit (OU) named OU1 and a user named User1.

You plan to deploy a Hyper-V failover cluster named Cluster1.

You need to prestage the account for Cluster1 and ensure that User1 can deploy Cluster1. The solution must follow the principle of least privilege.

Which action should you perform, and which permissions should you grant to User1 for Cluster1? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Action: Create a new computer account named Cluster1.
When deploying a failover cluster, a computer account is needed for the cluster itself. Creating a new computer account named Cluster1 is the appropriate step.

Permissions: Full control.
User1 needs Full control over the computer account for Cluster1 to ensure they can create and manage the cluster.



HOTSPOT (Drag and Drop is not supported)

You have an Active Directory Domain Services (AD DS) domain that contains 1,000 users.

The domain has the following password requirements:

The minimum password length must be 12 characters.
Passwords must expire in 90 days.
Passwords must be complex.

You need to ensure that the members of a security team have passwords that meet the following requirements:

The minimum password length must be 16 characters.
Passwords must expire in 60 days.
Passwords must be complex.

The solution must minimize the impact on users who are NOT members of the security team.

What should you do? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:





Box 1 (Implement): Fine Grained Password Policies

Configure fine grained password policies for Active Directory Domain Services

Fine Grained Password Policies provide you with a way to define different password and account lockout policies for different sets of users in a domain. You can use fine grained password policies to specify multiple password policies within a single domain. You can also apply different restrictions for password and account lockout policies to different sets of users in a domain. For example, you can apply stricter settings to privileged accounts and less strict settings to the accounts of other users.

Fine-grained password policies apply only to global security groups and user objects. By default, only members of the Domain Admins group can set fine grained password policies. However, you can also delegate the ability to set these policies to other users.

Box 2 (By using): Active Directory Administrative Center

Create a fine grained password policy

Here's how to create a fine grained password policy using ADAC:

1. Open Active Directory Administrative Center, either from the Tools menu of the Server Manager console or by running an elevated PowerShell session and typing dsac.exe.

2. If the appropriate target domain isn't selected, choose Manage, choose Add Navigation Nodes, and select the appropriate target domain in the Add Navigation Nodes dialog box and then choose OK.

3. In the ADAC navigation pane, open the System container, and then choose Password Settings Container.

4. In the Tasks pane, choose New, and then choose Password Settings.

5. Fill in or edit fields inside the property page to create a new Password Settings object. The Name and Precedence fields are required.

6. Under Directly Applies To, choose Add, type the name of the group to which the fine grained password policy applies, and then choose OK.

7. Choose OK to submit the creation.


Reference:

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/adac/fine-grained-password-policies



You have 500 on-premises servers that run Windows Server.

You have an Azure subscription that contains a Log Analytics workspace named Workspace1.

You plan to use VM insights in Azure Monitor to monitor the on-premises servers.

You need to onboard the servers to Azure Arc by using the template script. The solution must meet the following requirements:

Follow the principle of least privilege.
Minimize administrative effort.

What should you do first?

  1. Create a group managed service account (gMSA).
  2. Generate a Log Analytics key.
  3. Create a Microsoft Entra service principal.
  4. Download the Log Analytics workspace I

Answer(s): C

Explanation:

Connect hybrid machines to Azure at scale
You can enable Azure Arc-enabled servers for multiple Windows or Linux machines in your environment with several flexible options depending on your requirements. Using the template script we provide, you can automate every step of the installation, including establishing the connection to Azure Arc.
One method to connect the machines to Azure Arc-enabled servers is to use a Microsoft Entra service principal. This service principal method can be used instead of your privileged identity to interactively connect the machine. This service principal is a special limited management identity that has only the minimum permission necessary to connect machines to Azure using the azcmagent command. This method is safer than using a higher privileged account like a Tenant Administrator and follows our access control security best practices. The service principal is used only during onboarding; it is not used for any other purpose.


Reference:

https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-service-principal



Your on-premises network contains an Active Directory Domain Services (AD DS) domain. The domain contains a server named Server1 that hosts an app named App1. App1 uses Active Directory authentication.

You have a Microsoft Entra tenant that contains a user named User1.

You deploy Microsoft Entra Connect sync and configure password synchronization.

User1 fails to authenticate to App1.

You need to ensure that User1 can authenticate to App1.

What should you do?

  1. For Microsoft Entra Connect sync, enable the BlockCloudObjectTakeoverThroughHardMatch feature.
  2. For Microsoft Entra Connect sync, enable password writeback.
  3. From the AD DS domain, create a new user account named User1.
  4. For Microsoft Entra Connect sync, disable soft match.

Answer(s): B

Explanation:

We assume the App works fine with other users, just that User1 has a problem.
The password of User1 might have changed in Microsoft Entra after the initial synchronization.
Note: Microsoft Entra Connect sync password writeback is a feature that synchronizes password changes made in Microsoft Entra ID (the cloud) back to your on-premises Active Directory Domain Services (AD DS).
When a user resets or changes their password using a cloud-based self-service password reset (SSPR) tool, the new password is written back to the on-premises directory, ensuring it's applied to their local account and respecting on-premises password policies.
Incorrect:

[Not A] The BlockCloudObjectTakeoverThroughHardMatch feature in Microsoft Entra Connect sync is a security mechanism that prevents accidental or unintended takeover of cloud-based objects by an on-premises Active Directory object during a "hard-match" process. A hard match occurs when Entra Connect creates or updates an object based on a matching ImmutableId (sourceAnchor) from the cloud to the on-premises directory, and this feature blocks this takeover to avoid corrupting cloud-managed objects. It is encouraged to enable this feature to prevent unintended matches and only disable it temporarily for specific matching procedures.

[Not D] When to use soft match (existing cloud users): this feature is useful when you need to sync on-premises AD accounts with users that were initially created in Microsoft Entra ID and don't have the on-premises sourceAnchor attribute.


Reference:

https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-password-hash-synchronization



You have an Active Directory Domain Services (AD DS) domain. The domain contains a server named Server1 that runs Windows Server.

You need to prevent the registration of specific COM objects on Server1.

What should you use?

  1. Windows Defender Application Control (WDAC)
  2. exploit protection
  3. Smart App Control

Answer(s): A

Explanation:

Windows Defender Application Control (WDAC) is a Microsoft security feature that creates a software-based security layer to prevent unauthorized and malicious code from running on Windows devices. It functions as an application whitelisting solution, allowing administrators to define which applications and drivers are explicitly approved to execute, rather than relying on a default "trust all" model. By enforcing these code integrity policies, WDAC significantly reduces the attack surface and mitigates risks from malware and untrusted software.
How to Implement WDAC for Preventing COM Objects:
1. Define a Policy: Create a WDAC policy using tools such as the WDAC Wizard or by manually defining a policy XML file that specifies the allowed applications and object registrations.
2. Deploy the Policy: Implement the policy on Server1 using the tools provided by Windows Server, like Group Policy or Microsoft Endpoint Manager.
3. Monitor and Audit: After deployment, regularly monitor the system to ensure that only allowed COM objects are being used, and review the audit logs to confirm that the policy is being enforced.
Using WDAC in this scenario will provide a controlled environment where unauthorized COM objects can't be registered, thus enhancing the security posture of the server.


Reference:

https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/use/manage-application-control-infrastructure



Your network contains an Active Directory Domain Services (AD DS) forest. The forest contains a user named User1.

You deploy a read-only domain controller (RODC) named RODC1.

You need to ensure that User1 is a local administrator on RODC1. The solution must use the principle of least privilege.

What should you use?

  1. System Configuration
  2. dsmgmt.exe
  3. Computer Management
  4. Active Directory Sites and Services

Answer(s): C

Explanation:

Correct:
* Computer Management
* Local Users and Groups
Note: See Step 6 below.
1. Click Start > Computer Management.
2. In the console tree, navigate to Computer Management > System Tools > Local Users and Groups > Users.
3. In the Actions menu, click More Actions > New user.
4. Fill in the user information and adjust the password settings.
5. Click Create, and then click Close.
6. In the console tree, navigate to Computer Management > System Tools > Local Users and Groups > Groups.
7. Right-click Administrators and select Properties.
8. Click Add.
9. Enter the name of the user created in Step 5.
10. Click Check Names, and then click OK > OK.



Incorrect:
* Active Directory Sites and Services
Active Directory Sites and Services is used for managing replication topology and site configuration, not for granting local administrator access to a read-only domain controller (RODC). Active Directory Users and Computers could be used.
* dsamain.exe
dsamain.exe is the Active Directory Database Mounting Tool on Windows Servers, used to mount a snapshot or backup of the Active Directory (AD) or AD LDS database. It exposes the database as an LDAP server, allowing administrators to access and analyze the data offline without affecting the live environment, which is useful for data recovery, auditing, and forest recovery purposes.
* dsmgmt.exe
dsmgmt.exe is an interactive, command-line tool included in Windows Server that facilitates the management of Active Directory Lightweight Directory Services (AD LDS) and related features, such as FSMO roles, partitioning, and metadata cleanup. It requires an elevated command prompt and provides a text-based interface for various tasks related to AD LDS and abandoned domain controller cleanup.
* net user
The net user command allows you to add, modify, or delete user accounts, and display detailed information about user accounts on a local computer or domain. This solution does not use the principle of least privilege.
* Ntdsutil.exe
Ntdsutil.exe is a command-line utility for experienced Windows Server administrators to manage and maintain Active Directory (AD) and Active Directory Lightweight Directory Services (AD LDS), providing tools for database maintenance, role management, and metadata cleanup. It allows for tasks such as repairing and defragmenting the AD database, seizing and transferring FSMO roles (Flexible Single Master Operations) from domain controllers, removing metadata of improperly decommissioned servers, and performing database analysis.
* Local Users and Groups
* System Configuration


Reference:

https://support.intermedia.com/app/articles/detail/a_id/10375/~/how-do-i-create-a-local-administrator%3F
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/net-user


