Microsoft AZ-801 Exam Questions
Configuring Windows Server Hybrid Advanced Services (Page 22)

Updated On: 25-Apr-2026

Your on-premises network contains an Active Directory Domain Services (AD DS) domain. The domain contains a server named Server1 that hosts an app named App1. App1 uses Active Directory authentication.

You have a Microsoft Entra tenant that contains a user named User1.

You deploy Microsoft Entra Connect sync and configure password synchronization.

User1 fails to authenticate to App1.

You need to ensure that User1 can authenticate to App1.

What should you do?

  A. For Microsoft Entra Connect sync, enable the BlockCloudObjectTakeoverThroughHardMatch feature.
  B. For Microsoft Entra Connect sync, enable password writeback.
  C. From the AD DS domain, create a new user account named User1.
  D. For Microsoft Entra Connect sync, disable soft match.

Answer(s): B

Explanation:

We assume that App1 works for other users and that only User1 has a problem.
The password of User1 might have changed in Microsoft Entra after the initial synchronization.
Note: Microsoft Entra Connect sync password writeback is a feature that synchronizes password changes made in Microsoft Entra ID (the cloud) back to your on-premises Active Directory Domain Services (AD DS).
When a user resets or changes their password using a cloud-based self-service password reset (SSPR) tool, the new password is written back to the on-premises directory, ensuring it's applied to their local account and respecting on-premises password policies.
Incorrect:
[Not A]
The BlockCloudObjectTakeoverThroughHardMatch feature in Microsoft Entra Connect sync is a security mechanism that prevents accidental or unintended takeover of cloud-based objects by an on-premises Active Directory object during a "hard-match" process. A hard match occurs when Entra Connect creates or updates an object based on a matching ImmutableId (sourceAnchor) from the cloud to the on-premises directory, and this feature blocks this takeover to avoid corrupting cloud-managed objects. It is encouraged to enable this feature to prevent unintended matches and only disable it temporarily for specific matching procedures.
[Not D]
When to use soft match (existing cloud users): This feature is useful when you need to sync on-premises AD accounts with users that were initially created in Microsoft Entra ID and don't have the on-premises sourceAnchor attribute.


Reference:

https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-password-hash-synchronization



You have an Active Directory Domain Services (AD DS) domain. The domain contains a server named Server1 that runs Windows Server.

You need to prevent the registration of specific COM objects on Server1.

What should you use?

  A. Windows Defender Application Control (WDAC)
  B. exploit protection
  C. Smart App Control

Answer(s): A

Explanation:

Windows Defender Application Control (WDAC) is a Microsoft security feature that creates a software-based security layer to prevent unauthorized and malicious code from running on Windows devices. It functions as an application whitelisting solution, allowing administrators to define which applications and drivers are explicitly approved to execute, rather than relying on a default "trust all" model. By enforcing these code integrity policies, WDAC significantly reduces the attack surface and mitigates risks from malware and untrusted software.
How to Implement WDAC for Preventing COM Objects:
1. Define a Policy: Create a WDAC policy using tools such as the WDAC Wizard or by manually defining a policy XML file that specifies the allowed applications and object registrations.
2. Deploy the Policy: Implement the policy on Server1 using the tools provided by Windows Server, like Group Policy or Microsoft Endpoint Manager.
3. Monitor and Audit: After deployment, regularly monitor the system to ensure that only allowed COM objects are being used, and review the audit logs proactively to enforce security policies.
Using WDAC in this scenario will provide a controlled environment where unauthorized COM objects can't be registered, thus enhancing the security posture of the server.


Reference:

https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/use/manage-application-control-infrastructure



Your network contains an Active Directory Domain Services (AD DS) forest. The forest contains a user named User1.

You deploy a read-only domain controller (RODC) named RODC1.

You need to ensure that User1 is a local administrator on RODC1. The solution must use the principle of least privilege.

What should you use?

  A. System Configuration
  B. dsmgmt.exe
  C. Computer Management
  D. Active Directory Sites and Services

Answer(s): C

Explanation:

Correct:
* Computer Management
* Local Users and Groups
Note: See Step 6 below.
1. Click Start > Computer Management.
2. In the console tree, navigate to Computer Management > System Tools > Local Users and Groups > Users.
3. In the Actions menu, click More Actions > New user.
4. Fill in the user information and adjust password settings.
5. Click Create, and then click Close.
*-> 6. In the console tree, navigate to Computer Management > System Tools > Local Users and Groups > Groups.
7. Right-click Administrators and select Properties.
8. Click Add.
9. Enter the name of the user created in Step 5.
10. Click Check Names, and then click OK > OK.



Incorrect:
* Active Directory Sites and Services
Active Directory Sites and Services is used for managing replication topology and site configuration, not for granting local administrator access to a read-only domain controller (RODC).
Active Directory Users and Computers could be used.
* dsamain.exe
dsamain.exe is the Active Directory Database Mounting Tool on Windows Servers, used to mount a snapshot or backup of the Active Directory (AD) or AD LDS database. It exposes the database as an LDAP server, allowing administrators to access and analyze the data offline without affecting the live environment, which is useful for data recovery, auditing, and forest recovery purposes.
* dsmgmt.exe
dsmgmt.exe is an interactive, command-line tool included in Windows Server that facilitates the management of Active Directory Lightweight Directory Services (AD LDS) and related features, such as FSMO roles, partitioning, and metadata cleanup. It requires an elevated command prompt and provides a text-based interface for various tasks related to AD LDS and abandoned domain controller cleanup.
* net user
The net user command allows you to add, modify, or delete user accounts, and display detailed information about user accounts on a local computer or domain.
This solution does not use the principle of least privilege.
* Ntdsutil.exe
Ntdsutil.exe is a command-line utility for experienced Windows Server administrators to manage and maintain Active Directory (AD) and Active Directory Lightweight Directory Services (AD LDS), providing tools for database maintenance, role management, and metadata cleanup. It allows for tasks such as repairing and defragmenting the AD database, seizing and transferring FSMO roles (Flexible Single Master Operations) from domain controllers, removing metadata of improperly decommissioned servers, and performing database analysis.
* Local Users and Groups
* System Configuration


Reference:

https://support.intermedia.com/app/articles/detail/a_id/10375/~/how-do-i-create-a-local-administrator%3F
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/net-user



You have a server named Server1 that runs Windows Server.

You install a custom app named App1 that is accessed by using TCP port 52310.

Users report that they cannot access App1.

You confirm that App1 is running on Server1.

You need to ensure that the users can access App1. The solution must only provide access to App1 on Server1.

What should you do in Windows Defender Firewall with Advanced Security?

  A. Create an isolation connection security rule.
  B. Create an outbound rule.
  C. Create an inbound rule.
  D. For the current profile, allow all inbound connections.

Answer(s): C

Explanation:

To provide secure access to an app using Windows Defender Firewall with Advanced Security, open the tool, select Inbound Rules, create a New Rule, choose Port as the rule type, select TCP, enter the app's specific port number in Specific local ports, choose to Allow the connection, and then select the appropriate network profiles.
Finally, give the rule a descriptive name and click Finish to apply it.


Reference:

https://learn.microsoft.com/en-us/sql/sql-server/install/configure-the-windows-firewall-to-allow-sql-server-access



HOTSPOT (Drag and Drop is not supported)

You have an Azure subscription that contains an Azure key vault named Vault1.

You deploy Azure Disk Encryption.

You configure Vault1 to support Azure Disk Encryption.

You need to ensure that you can encrypt Azure Disk Encryption artifacts before they are written to Vault1. The solution must provide the highest level of encryption.

How should you complete the command? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  A. See Explanation section for answer.

Answer(s): A

Explanation:





Box 1: key
Create and configure a key vault for Azure Disk Encryption on a Windows VM

Set up a key encryption key (KEK)
If you want to use a key encryption key (KEK) for an additional layer of security for encryption keys, add a KEK to your key vault.
When a key encryption key is specified, Azure Disk Encryption uses that key to wrap the encryption secrets before writing to Key Vault.

Use the Azure CLI az keyvault key create command to generate a new KEK and store it in your key vault.

az keyvault key create --name "myKEK" --vault-name "<your-unique-keyvault-name>" --kty RSA --size 4096

Box 2: RSA-HSM
For 4096-bit encryption choose RSA-HSM.

Note: Which to choose

For maximum key security: Always use an HSM (like EC-HSM or RSA-HSM) to protect your keys, regardless of the algorithm you choose.

Key types and protection methods
Key Vault Premium and Standard support RSA and EC keys. Managed HSM supports RSA, EC, and symmetric keys.

HSM-protected keys


Reference:

https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault
https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys




What the AZ-801 Exam Tests and How to Pass It

The AZ-801: Configuring Windows Server Hybrid Advanced Services exam is designed for IT professionals who are responsible for managing and maintaining Windows Server workloads in hybrid environments. This certification validates the technical skills required to secure, monitor, and troubleshoot Windows Server infrastructures, as well as the ability to implement high availability and disaster recovery solutions. Organizations hiring for roles such as Windows Server Administrator, Hybrid Cloud Administrator, or Infrastructure Engineer prioritize this certification because it demonstrates a candidate's proficiency in bridging on-premises server environments with Microsoft Azure services. By passing this exam, professionals prove they can handle complex migration scenarios and maintain operational continuity across diverse, modern IT landscapes.

What the AZ-801 Exam Covers

The exam evaluates your ability to manage critical infrastructure components, starting with the foundational requirement to secure Windows Server on-premises and hybrid infrastructures against modern threats. Candidates must demonstrate proficiency in implementing and managing Windows Server high availability, which involves configuring failover clustering and storage replication to ensure service uptime. Furthermore, the exam tests your knowledge of disaster recovery strategies, requiring you to plan for and execute recovery operations effectively. You will also be assessed on your capability to migrate servers and workloads, a task that demands a deep understanding of both legacy on-premises configurations and cloud-native migration tools. Finally, the ability to monitor and troubleshoot Windows Server environments is essential, as you must be able to identify performance bottlenecks and resolve connectivity issues using native Microsoft tools, all of which are covered extensively in our practice questions.

Among these domains, implementing and managing Windows Server high availability often proves to be the most technically demanding area for many candidates. This section requires more than just theoretical knowledge; it necessitates a practical understanding of how quorum configurations, cluster networking, and Storage Spaces Direct interact within a production environment. You must be able to troubleshoot complex cluster failures and understand the nuances of implementing disaster recovery solutions that span hybrid boundaries. Success in this area relies on your ability to synthesize information about network latency, storage throughput, and service dependencies, making it a critical focus for your exam preparation.

Are These Real AZ-801 Exam Questions?

Our platform provides practice questions that are sourced and verified by the community, ensuring they reflect the types of challenges you will encounter on the actual Microsoft certification exam. Because our content is community-verified, it is shaped by IT professionals and recent test-takers who have sat for the exam and understand the specific technical hurdles involved. If you've been searching for AZ-801 exam dumps or braindump files, our community-verified practice questions offer something more valuable: each question is verified and explained by IT professionals who recently passed the exam. We do not provide leaked or confidential content; instead, our questions reflect what appears on the real exam because they are sourced from the community's collective experience and understanding of the official exam objectives.

The community verification process is a collaborative effort where users actively participate in refining the accuracy of the study material. When a user encounters a question, they can discuss the answer choices, flag potentially incorrect information, and provide context based on their own recent exam experience. This peer-review mechanism ensures that the explanations remain current and technically accurate, which is vital for a certification exam that covers evolving hybrid technologies. By engaging with these discussions, you gain insights into the logic behind the correct answers, which is far more effective than simply memorizing patterns.

How to Prepare for the AZ-801 Exam

Effective exam preparation for the AZ-801 requires a balanced approach that combines hands-on experience with rigorous study of official Microsoft documentation. You should prioritize setting up a sandbox environment where you can practice configuring failover clusters, testing disaster recovery scenarios, and performing workload migrations to Azure. Understanding the underlying concepts is far more important than rote memorization, as the exam is designed to test your ability to apply knowledge to specific, scenario-based problems. Every practice question includes a free AI Tutor explanation that breaks down the reasoning behind the correct answer, so you understand the concept, not just the answer. Building a consistent study schedule that allocates time for both reading technical documentation and working through practice questions will help you retain complex information more effectively.

A common mistake candidates make is relying solely on theoretical study without ever touching the actual Windows Server or Azure interfaces. This approach often leads to failure because the AZ-801 exam frequently presents scenario-based questions that require you to identify the most efficient solution among several technically viable options. Another pitfall is poor time management during the exam, which can be mitigated by using our practice questions to simulate the pressure of a timed environment. By focusing on understanding the "why" behind each configuration step, you will be better equipped to handle the nuanced questions that appear on the actual Microsoft certification exam.

What to Expect on Exam Day

On the day of your exam, you should be prepared for a variety of question formats designed to test your practical application of Windows Server hybrid services. Microsoft certification exams typically include multiple-choice questions, scenario-based questions that require you to select the best solution for a given infrastructure problem, and potentially drag-and-drop or interactive elements. The exam is administered through a secure testing environment, often via Pearson VUE, where you will be monitored to ensure the integrity of the testing process. You will have a set amount of time to complete the exam, so it is important to pace yourself carefully, especially when encountering complex scenarios that require detailed analysis. Familiarizing yourself with the interface and the types of questions beforehand will help reduce anxiety and allow you to focus entirely on demonstrating your technical expertise.

Who Should Use These AZ-801 Practice Questions

These practice questions are intended for IT professionals who have experience managing Windows Server environments and are looking to validate their skills in hybrid cloud management. Typically, candidates for this certification exam have at least a few years of experience in server administration, networking, and virtualization, and are now seeking to formalize their expertise in Microsoft's hybrid ecosystem. Whether you are an administrator looking to advance your career or an engineer tasked with modernizing your organization's infrastructure, this exam preparation will help you identify knowledge gaps. Passing the AZ-801 is a significant milestone that demonstrates your ability to handle the advanced, real-world challenges of modern hybrid IT operations.

To get the most out of these practice questions, treat each one as a learning opportunity rather than a simple test of your current knowledge. Do not just read the answer; engage with the AI Tutor explanation to understand the underlying logic, and read the community discussions to see how other professionals approach the same problem. If you get a question wrong, flag it and revisit it later to ensure you have mastered the concept. Browse the questions above and use the community discussions and AI Tutor to build real exam confidence.

Updated on: 27 April, 2026
