Microsoft AZ-801 Exam Questions
Configuring Windows Server Hybrid Advanced Services (Page 17)

Updated On: 19-Feb-2026

Your on-premises network contains an Active Directory Domain Services (AD DS) domain. The domain contains a server named Server1 that hosts an app named App1. App1 uses Active Directory authentication.

You have a Microsoft Entra tenant that contains a user named User1.

You deploy Microsoft Entra Connect sync and configure password synchronization.

User1 fails to authenticate to App1.

You need to ensure that User1 can authenticate to App1.

What should you do?

  A. For Microsoft Entra Connect sync, enable the BlockCloudObjectTakeoverThroughHardMatch feature.
  B. For Microsoft Entra Connect sync, enable password writeback.
  C. From the AD DS domain, create a new user account named User1.
  D. For Microsoft Entra Connect sync, disable soft match.

Answer(s): B

Explanation:

We assume that App1 works for other users and that only User1 has a problem.
The password of User1 might have changed in Microsoft Entra ID after the initial synchronization.
Note: Microsoft Entra Connect sync password writeback is a feature that synchronizes password changes made in Microsoft Entra ID (the cloud) back to your on-premises Active Directory Domain Services (AD DS).
When a user resets or changes their password using a cloud-based self-service password reset (SSPR) tool, the new password is written back to the on-premises directory, so it is applied to their local account while still respecting on-premises password policies.
Incorrect:
[Not A]
The BlockCloudObjectTakeoverThroughHardMatch feature in Microsoft Entra Connect sync is a security mechanism that prevents accidental or unintended takeover of cloud-based objects by an on-premises Active Directory object during a "hard-match" process. A hard match occurs when Entra Connect creates or updates an object based on a matching ImmutableId (sourceAnchor) between the cloud and the on-premises directory, and this feature blocks the takeover to avoid corrupting cloud-managed objects. Microsoft encourages enabling this feature to prevent unintended matches and disabling it only temporarily for specific matching procedures.
[Not D]
When to use soft match (existing cloud users): soft match is useful when you need to sync on-premises AD accounts with users that were initially created in Microsoft Entra ID and do not have the on-premises sourceAnchor attribute.


Reference:

https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-password-hash-synchronization



You have an Active Directory Domain Services (AD DS) domain. The domain contains a server named Server1 that runs Windows Server.

You need to prevent the registration of specific COM objects on Server1.

What should you use?

  A. Windows Defender Application Control (WDAC)
  B. exploit protection
  C. Smart App Control

Answer(s): A

Explanation:

Windows Defender Application Control (WDAC) is a Microsoft security feature that creates a software-based security layer to prevent unauthorized and malicious code from running on Windows devices. It functions as an application whitelisting solution, allowing administrators to define which applications and drivers are explicitly approved to execute, rather than relying on a default "trust all" model. By enforcing these code integrity policies, WDAC significantly reduces the attack surface and mitigates risks from malware and untrusted software.
How to Implement WDAC for Preventing COM Objects:
1. Define a Policy: Create a WDAC policy using tools such as the WDAC Wizard or by manually defining a policy XML file that specifies the allowed applications and object registrations.
2. Deploy the Policy: Implement the policy on Server1 using the tools provided by Windows Server, like Group Policy or Microsoft Endpoint Manager.
3. Monitor and Audit: After deployment, regularly monitor the system to ensure that only allowed COM objects are being used, and review the audit logs to refine and enforce the policy before moving it out of audit mode.
Using WDAC in this scenario will provide a controlled environment where unauthorized COM objects can't be registered, thus enhancing the security posture of the server.


Reference:

https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/use/manage-application-control-infrastructure



Your network contains an Active Directory Domain Services (AD DS) forest. The forest contains a user named User1.

You deploy a read-only domain controller (RODC) named RODC1.

You need to ensure that User1 is a local administrator on RODC1. The solution must use the principle of least privilege.

What should you use?

  A. System Configuration
  B. dsmgmt.exe
  C. Computer Management
  D. Active Directory Sites and Services

Answer(s): C

Explanation:

Correct:
* Computer Management
* Local Users and Groups
Note: See Step 6 below.
1. Click Start > Computer Management
2. In the console tree navigate to Computer Management > System Tools > Local Users and Groups > Users
3. In the Actions menu click More Actions > New user
4. Fill in the user information and adjust the password settings.
5. Click Create and then click Close
6. In the console tree navigate to Computer Management > System Tools > Local Users and Groups > Groups (this is the step the answer depends on)
7. Right-click Administrators and select Properties
8. Click Add
9. Enter the name of the user created in Step 5
10. Click Check Names, then click OK > OK

Incorrect:
* Active Directory Sites and Services
Active Directory Sites and Services is used for managing replication topology and site configuration, not for granting local administrator access to a read-only domain controller (RODC).
Active Directory Users and Computers could be used.
* dsamain.exe
dsamain.exe is the Active Directory Database Mounting Tool on Windows Server, used to mount a snapshot or backup of the Active Directory (AD) or AD LDS database. It exposes the database as an LDAP server, allowing administrators to access and analyze the data offline without affecting the live environment, which is useful for data recovery, auditing, and forest recovery purposes.
* dsmgmt.exe
dsmgmt.exe is an interactive command-line tool included in Windows Server that facilitates the management of Active Directory Lightweight Directory Services (AD LDS) and related features, such as FSMO roles, partitioning, and metadata cleanup. It requires an elevated command prompt and provides a text-based interface for various tasks related to AD LDS and the cleanup of abandoned domain controllers.
* net user
The net user command allows you to add, modify, or delete user accounts, and display detailed information about user accounts on a local computer or domain.
This solution does not use the principle of least privilege.
* Ntdsutil.exe
Ntdsutil.exe is a command-line utility for experienced Windows Server administrators to manage and maintain Active Directory (AD) and Active Directory Lightweight Directory Services (AD LDS), providing tools for database maintenance, role management, and metadata cleanup. It allows for tasks such as repairing and defragmenting the AD database, seizing and transferring FSMO roles (Flexible Single Master Operations) between domain controllers, removing metadata of improperly decommissioned servers, and performing database analysis.
* Local Users and Groups
* System Configuration


Reference:

https://support.intermedia.com/app/articles/detail/a_id/10375/~/how-do-i-create-a-local-administrator%3F
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/net-user



You have a server named Server1 that runs Windows Server.

You install a custom app named App1 that is accessed by using TCP port 52310.

Users report that they cannot access App1.

You confirm that App1 is running on Server1.

You need to ensure that the users can access App1. The solution must only provide access to App1 on Server1.

What should you do in Windows Defender Firewall with Advanced Security?

  A. Create an isolation connection security rule.
  B. Create an outbound rule.
  C. Create an inbound rule.
  D. For the current profile, allow all inbound connections.

Answer(s): C

Explanation:

To provide secure access to an app using Windows Defender Firewall with Advanced Security, open the tool, select Inbound Rules, create a New Rule, choose Port as the rule type, select TCP, enter the app's specific port number in Specific local ports, choose to Allow the connection, and then select the appropriate network profiles.
Finally, give the rule a descriptive name and click Finish to apply it.
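The same inbound rule expressed in PowerShell, as an added example rather than text from the original page; the rule name, the App1 executable path and the profile selection are assumptions:

```powershell
# Added example (not from the original page): allow inbound TCP 52310 to App1 on Server1.
# The display name and the executable path are placeholders; replace them with real values.
# Binding the rule to the App1 process and to its single local port keeps the opening
# limited to App1 instead of exposing the port to any listener on Server1.
New-NetFirewallRule -DisplayName "Allow App1 (TCP 52310)" `
    -Direction Inbound `
    -Action Allow `
    -Protocol TCP `
    -LocalPort 52310 `
    -Program "C:\App1\App1.exe" `
    -Profile Domain, Private

# Verify that the rule exists and is scoped to the expected protocol and port.
Get-NetFirewallRule -DisplayName "Allow App1 (TCP 52310)" |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```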


Reference:

https://learn.microsoft.com/en-us/sql/sql-server/install/configure-the-windows-firewall-to-allow-sql-server-access



HOTSPOT (Drag and Drop is not supported)

You have an Azure subscription that contains an Azure key vault named Vault1.

You deploy Azure Disk Encryption.

You configure Vault1 to support Azure Disk Encryption.

You need to ensure that you can encrypt Azure Disk Encryption artifacts before they are written to Vault1. The solution must provide the highest level of encryption.

How should you complete the command? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  A. See Explanation section for answer.

Answer(s): A

Explanation:

Box 1: key
Create and configure a key vault for Azure Disk Encryption on a Windows VM

Set up a key encryption key (KEK)
If you want to use a key encryption key (KEK) for an additional layer of security for encryption keys, add a KEK to your key vault.
When a key encryption key is specified, Azure Disk Encryption uses that key to wrap the encryption secrets before writing to Key Vault.

Use the Azure CLI az keyvault key create command to generate a new KEK and store it in your key vault.

az keyvault key create --name "myKEK" --vault-name "<your-unique-keyvault-name>" --kty RSA --size 4096

Box 2: RSA-HSM
For 4096-bit encryption choose RSA-HSM.

Note: Which to choose

For maximum key security: Always use an HSM (like EC-HSM or RSA-HSM) to protect your keys, regardless of the algorithm you choose.

Key types and protection methods
Key Vault Premium and Standard support RSA and EC keys. Managed HSM supports RSA, EC, and symmetric keys.

HSM-protected keys


Reference:

https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault
https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys





