Your on-premises network contains an Active Directory Domain Services (AD DS) domain. The domain contains a server named Server1 that hosts an app named App1. App1 uses Active Directory authentication. You have a Microsoft Entra tenant that contains a user named User1. You deploy Microsoft Entra Connect sync and configure password synchronization. User1 fails to authenticate to App1. You need to ensure that User1 can authenticate to App1. What should you do?
Answer(s): B
We assume the app works fine with other users, just that User1 has a problem. The password of User1 might have changed in Microsoft Entra after the initial synchronization.

Note: Microsoft Entra Connect sync password writeback is a feature that synchronizes password changes made in Microsoft Entra ID (the cloud) back to your on-premises Active Directory Domain Services (AD DS). When a user resets or changes their password using a cloud-based self-service password reset (SSPR) tool, the new password is written back to the on-premises directory, ensuring it's applied to their local account and respecting on-premises password policies.

Incorrect:

[Not A] The BlockCloudObjectTakeoverThroughHardMatch feature in Microsoft Entra Connect sync is a security mechanism that prevents accidental or unintended takeover of cloud-based objects by an on-premises Active Directory object during a "hard-match" process. A hard match occurs when Entra Connect creates or updates an object based on a matching ImmutableId (sourceAnchor) from the cloud to the on-premises directory, and this feature blocks this takeover to avoid corrupting cloud-managed objects. It is encouraged to enable this feature to prevent unintended matches and only disable it temporarily for specific matching procedures.

[Not D] When to use soft match: existing cloud users. This feature is useful when you need to sync on-premises AD accounts with users that were initially created in Microsoft Entra ID and don't have the on-premises sourceAnchor attribute.
https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-password-hash-synchronization
You have an Active Directory Domain Services (AD DS) domain. The domain contains a server named Server1 that runs Windows Server. You need to prevent the registration of specific COM objects on Server1. What should you use?
Answer(s): A
Windows Defender Application Control (WDAC) is a Microsoft security feature that creates a software-based security layer to prevent unauthorized and malicious code from running on Windows devices. It functions as an application whitelisting solution, allowing administrators to define which applications and drivers are explicitly approved to execute, rather than relying on a default "trust all" model. By enforcing these code integrity policies, WDAC significantly reduces the attack surface and mitigates risks from malware and untrusted software.

How to Implement WDAC for Preventing COM Objects:
1. Define a Policy: Create a WDAC policy using tools such as the WDAC Wizard or by manually defining a policy XML file that specifies the allowed applications and object registrations.
2. Deploy the Policy: Implement the policy on Server1 using the tools provided by Windows Server, like Group Policy or Microsoft Endpoint Manager.
3. Monitor and Audit: After deployment, regularly monitor the system to ensure that only allowed COM objects are being used, and review audit logs preventively to enforce security policies.

Using WDAC in this scenario will provide a controlled environment where unauthorized COM objects can't be registered, thus enhancing the security posture of the server.
https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/use/manage-application-control-infrastructure
Your network contains an Active Directory Domain Services (AD DS) forest. The forest contains a user named User1. You deploy a read-only domain controller (RODC) named RODC1. You need to ensure that User1 is a local administrator on RODC1. The solution must use the principle of least privilege. What should you use?
Answer(s): C
Correct:
* Computer Management
* Local Users and Groups

Note: See Step 6 below.
1. Click Start > Computer Management
2. In the console tree navigate to Computer Management > System Tools > Local Users and Groups > Users
3. In Actions menu click More Actions > New user
4. Fill in the user information and adjust password settings.
5. Click Create and then click Close
-> 6. In the console tree navigate to Computer Management > System Tools > Local Users and Groups > Groups
7. Right-click Administrators. Select Properties
8. Click Add
9. Enter the name of the User created in Step 5
10. Click Check Names. Then click OK > OK

Incorrect:
* Active Directory Sites and Services
Active Directory Sites and Services is used for managing replication topology and site configuration, not for granting local administrator access to a read-only domain controller (RODC).
Active Directory Users and Computers could be used.
* dsamain.exe
dsamain.exe is the Active Directory Database Mounting Tool on Windows Servers, used to mount a snapshot or backup of the Active Directory (AD) or AD LDS database. It exposes the database as an LDAP server, allowing administrators to access and analyze the data offline without affecting the live environment, which is useful for data recovery, auditing, and forest recovery purposes.
* dsmgmt.exe
dsmgmt.exe is an interactive, command-line tool included in Windows Server that facilitates the management of Active Directory Lightweight Directory Services (AD LDS) and related features, such as FSMO roles, partitioning, and metadata cleanup. It requires an elevated command prompt and provides a text-based interface for various tasks related to AD LDS and abandoned domain controller cleanup.
* net user
The net user command allows you to add, modify, or delete user accounts, and display detailed information about user accounts on a local computer or domain.
This solution does not use the principle of least privilege.
* Ntdsutil.exe
Ntdsutil.exe is a command-line utility for experienced Windows Server administrators to manage and maintain Active Directory (AD) and Active Directory Lightweight Directory Services (AD LDS), providing tools for database maintenance, role management, and metadata cleanup. It allows for tasks such as repairing and defragmenting the AD database, seizing and transferring FSMO roles (Flexible Single Master Operations) from domain controllers, removing metadata of improperly decommissioned servers, and performing database analysis.
* Local Users and Groups
* System Configuration

https://support.intermedia.com/app/articles/detail/a_id/10375/~/how-do-i-create-a-local-administrator%3F
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/net-user
You have a server named Server1 that runs Windows Server. You install a custom app named App1 that is accessed by using TCP port 52310. Users report that they cannot access App1. You confirm that App1 is running on Server1. You need to ensure that the users can access App1. The solution must only provide access to App1 on Server1. What should you do in Windows Defender Firewall with Advanced Security?
To provide secure access to an app using Windows Defender Firewall with Advanced Security, open the tool, select Inbound Rules, create a New Rule, choose Port as the rule type, select TCP, enter the app's specific port number in Specific local ports, choose to Allow the connection, and then select the appropriate network profiles. Finally, give the rule a descriptive name and click Finish to apply it.
https://learn.microsoft.com/en-us/sql/sql-server/install/configure-the-windows-firewall-to-allow-sql-server-access
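The inbound port rule described above, scripted with the built-in NetSecurity cmdlets so the resulting scope can be checked after creation. This is an added example, not part of the original answer; the rule name and the choice of the Domain profile are assumptions.

```powershell
# Added example: scripted equivalent of the GUI steps for App1 on TCP 52310.
# Assumptions: the rule name and the Domain profile are illustrative choices.
$port     = 52310
$ruleName = 'App1 (TCP 52310)'

# 1. Confirm something is listening on the port before changing the firewall.
$listener = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
if (-not $listener) {
    throw "Nothing is listening on TCP $port; a firewall rule will not help."
}

# 2. Create the rule only if it does not already exist, so reruns are harmless.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort $port `
        -Action Allow -Profile Domain | Out-Null
}

# 3. Read the rule back and show its scope: one protocol, one local port.
Get-NetFirewallRule -DisplayName $ruleName | ForEach-Object {
    $filter = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Enabled   = $_.Enabled
        Direction = $_.Direction
        Action    = $_.Action
        Profile   = $_.Profile
        Protocol  = $filter.Protocol
        LocalPort = $filter.LocalPort
    }
}
```

From a client, `Test-NetConnection -ComputerName Server1 -Port 52310` confirms that the port is reachable once the rule is in place.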
HOTSPOT (Drag and Drop is not supported)
You have an Azure subscription that contains an Azure key vault named Vault1. You deploy Azure Disk Encryption. You configure Vault1 to support Azure Disk Encryption. You need to ensure that you can encrypt Azure Disk Encryption artifacts before they are written to Vault1. The solution must provide the highest level of encryption. How should you complete the command? To answer, select the appropriate options in the answer area.
Note: Each correct selection is worth one point.
Hot Area:
Box 1: key
Create and configure a key vault for Azure Disk Encryption on a Windows VM
Set up a key encryption key (KEK)
If you want to use a key encryption key (KEK) for an additional layer of security for encryption keys, add a KEK to your key vault. When a key encryption key is specified, Azure Disk Encryption uses that key to wrap the encryption secrets before writing to Key Vault.
Use the Azure CLI az keyvault key create command to generate a new KEK and store it in your key vault.
az keyvault key create --name "myKEK" --vault-name "<your-unique-keyvault-name>" --kty RSA --size 4096
Box 2: RSA-HSM
For 4096-bit encryption choose RSA-HSM.
Note: Which to choose
For maximum key security: Always use an HSM (like EC-HSM or RSA-HSM) to protect your keys, regardless of the algorithm you choose.
Key types and protection methods
Key Vault Premium and Standard support RSA and EC keys. Managed HSM supports RSA, EC, and symmetric keys.
HSM-protected keys
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault
https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys
Post your Comments and Discuss Microsoft AZ-801 exam dumps with other Community members:
Ernest Commented on October 27, 2025 Some answers seem to be wrong. Students are advised to review any questions that they are unsure of using MS Learn. Anonymous
Mav Commented on June 10, 2025 Question 29 is missing the answers in the reveal answers section. Anonymous
BitShifter Commented on May 05, 2025 AZ-801 practice questions got updated, makin' studyin' way easier. Finland
Philippe Commented on January 22, 2023 I am impressed with the quality of these dumps. The questions and answers were easy to understand and the Xengine App was very helpful to use. CANADA