Implement an Azure Active Directory
- 3/9/2015
Answers
This section contains the solutions to the thought experiments and answers to the objective review questions in this chapter.
Objective 5.1: Thought experiment
- You should recommend the Directory Sync with single sign-on solution for Contoso. Because they already have Active Directory Federation Services (AD FS) installed and configured in their on-premises environment, much of the heavy work to implement this solution is already done. This solution also delivers a true single sign-on solution because users will not be challenged for credentials when accessing cloud applications if they are already authenticated in their on-premises environment. Finally, Contoso may find comfort in knowing that this solution does not sync hashes of user passwords to Azure AD because users will always authenticate using the AD FS endpoints running on-premises.
- The AAD Connect tool should be used to implement the solution. It provides an intuitive wizard that will download and install the prerequisites such as .NET Framework 3.5, Microsoft Online Services Sign-in Assistant, and the Azure Active Directory PowerShell module. This tool will also enable directory integration in your Azure Active Directory, install and configure the AAD Sync tool, and then verify that single sign-on is configured and working correctly between the on-premises directory and Azure Active Directory.
- For users to change their password or reset their password and have the new password persisted back to their on-premises directory, Azure Active Directory Premium edition is required.
Objective 5.1: Review
Correct answer: A
- Correct: A global administrator has full administrative access to the directory.
- Incorrect: A user administrator can manage users and groups and reset passwords for other users in the directory.
- Incorrect: A password administrator can reset passwords for other users and other password administrators.
- Incorrect: A billing administrator can purchase services, manage service requests, and monitor service health.
Correct answer: C
- Incorrect: Assigning the global administrator role to the user would give the user full access to the directory, but would not allow the user to provision services in the Azure subscription.
- Incorrect: Assigning the user administrator role to the user would enable the user to manage users and groups in the directory, but would not allow the user to provision services in the Azure subscription.
- Correct: Adding the user as a co-administrator on the Azure subscription would allow the user to create a virtual machine in the Azure subscription and provision other resources as needed.
- Incorrect: Adding the user as a service administrator on the Azure subscription would allow the user to create a virtual machine and other resources in the Azure subscription. However, this would also give the user access to billing and other features beyond what is required.
Correct answers: B and C
- Incorrect: A CNAME record is used to map a domain name to another domain name.
- Correct: Azure supports custom domain verification for an Azure Active Directory using a TXT record entry in your domain name registrar.
- Correct: Azure supports custom domain verification for an Azure Active Directory using an MX record entry in your domain name registrar.
- Incorrect: An A (host) record is used to specify an IP address a domain name should resolve to.
Correct answer: D
- Incorrect: Enable-MSOnlinePasswordSync is the cmdlet used to enable the password synchronization feature for DirSync. It has the same effect as checking the option to enable password synchronization during installation of the DirSync tool.
- Incorrect: Enable-PasswordSyncLog is the cmdlet used to enable logging for the password synchronization extension of DirSync.
- Incorrect: Enable-DirSyncLog is the cmdlet used to enable logging for DirSync.
- Correct: Enable-OnlinePasswordWriteBack is the cmdlet used to enable the password write-back feature.
Correct answer: A
- Correct: Start-OnlineCoexistenceSync is the cmdlet used to perform an on-demand synchronization.
- Incorrect: Set-DirSyncConfiguration is used to apply configuration settings for directory synchronization.
- Incorrect: Enable-DirSyncLog is the cmdlet used to enable logging for DirSync.
- Incorrect: Set-FullPasswordSync is used to force a full sync the next time the synchronization service is started.
Correct answer: B
- Incorrect: DirSync is used for single-forest directory synchronization.
- Correct: AAD Sync is the tool that supports configuring directory synchronization in a multi-forest environment.
- Incorrect: The AAD Connect tool currently does not support multi-forest environments. This feature is on the roadmap for the tool though.
- Incorrect: The Synchronization Service Manager is a FIM client that can be used to monitor synchronization events.
Objective 5.2: Thought experiment
- You should add the SaaS application to the Contoso Azure Active Directory using the management portal. In the applications page for the Contoso directory, you can add an application from the application gallery simply by selecting it in the application gallery. The management portal then guides you through the steps necessary to configure the application.
- You should configure single sign-on using the Windows Azure AD Single Sign-On option in the wizard used to configure SSO. This establishes federation between Contoso’s Azure Active Directory and the SaaS application. Another alternative would be to use the Existing Single Sign-On option. However, this would only be advisable if Contoso already had Active Directory Federation Services installed and configured in their on-premises environment.
Objective 5.2: Review
Correct answers: C and D
- Incorrect: The management portal is where co-administrators of an Azure subscription can provision resources.
- Incorrect: The Active Directory Portal is where global administrators can manage users and is often used by administrators of Office 365 subscriptions.
- Correct: The Access Panel is where users can see and launch applications they have been assigned access to.
- Correct: The My Apps application from the Apple App Store can be used for users of iOS 7 devices.
Correct answers: A, B, and D
- Correct: Mobile phone is a valid contact method and can be configured to receive a text message or a phone call.
- Correct: Office phone is a valid contact method.
- Incorrect: Email is not a valid contact method when configuring Multi-Factor Authentication. It is used in the first leg of authentication though when authenticating using a username and password.
- Correct: Mobile application is a valid contact method. When choosing this option, you are prompted to download the application to a device and activate it using a passcode provided. The supported device types are Windows Phone, Android, and iOS devices.
Correct answers: B and D
- Incorrect: Automatic user provisioning is used to provision user accounts in the SaaS application as users are provisioned in Azure Active Directory.
- Correct: Password-based single sign-on uses the user’s credentials with the SaaS application to authenticate.
- Incorrect: Active Directory Federation Services can be a token provider in a single sign-on configuration, but it is not one of the single sign-on modes.
- Correct: Federation-based single sign-on uses the user’s credentials in Active Directory to authenticate when accessing the SaaS application.
Correct answer: A
- Correct: The URL https://myapps.microsoft.com is the URL for the Access Panel.
- Incorrect: The URL https://portal.azure.com is the URL for the management portal.
- Incorrect: The URL http://azure.microsoft.com/en-us/marketplace/active-directory is the URL for the Azure Active Directory applications gallery.
- Incorrect: The URL https://account.windowsazure.com/organization is the URL to sign up for an Azure Subscription as an organization rather than as an individual.
Objective 5.3: Thought experiment
- Use the management portal to add the application to Azure Active Directory. In the applications page of the management portal, click the Add button to start the Add Application Wizard. Add the web application using the type web application and/or web API. Repeat this for the web service so that you have two applications registered in Azure Active Directory. Provide the development team with the application endpoints for your Azure Active Directory and the application ID URI and reply URL for both applications.
- The web service will need to be exposed such that the web application can be configured to access it on behalf of the signed-in user, which can be done by adding the oauth2Permissions configuration to the application manifest for the web service.
- Using the management portal, configure the web application to access the graph API by assigning a delegated permission to read directory data for the existing Windows Azure Active Directory application. Add a second application permission setting for the web service and select the permission level that was added in the web service’s application manifest file.
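The oauth2Permissions entry the web service's manifest needs, and the checks worth running before uploading the edited manifest, as an added example in Python (not from the book or from Microsoft). The manifest below is a constructed sample: the appId, the GUID and the identifier URI are placeholders, the field names follow the 2015-era manifest format, and the helper function names are the example's own.

```python
import json
import uuid

# Constructed sample: a minimal Azure AD application manifest for the web
# service. The oauth2Permissions field names (adminConsentDescription,
# adminConsentDisplayName, id, isEnabled, type, userConsentDescription,
# userConsentDisplayName, value) follow the 2015-era manifest format; the
# appId, the GUID and the identifier URI are placeholders.
SAMPLE_MANIFEST = {
    "appId": "00000000-0000-0000-0000-000000000000",
    "displayName": "Contoso Web Service",
    "identifierUris": ["https://contoso.example/webservice"],
    "oauth2Permissions": [
        {
            "adminConsentDescription": "Allow the application to access Contoso Web Service on behalf of the signed-in user.",
            "adminConsentDisplayName": "Access Contoso Web Service",
            "id": "11111111-1111-1111-1111-111111111111",
            "isEnabled": True,
            "type": "User",
            "userConsentDescription": "Allow the application to access Contoso Web Service on your behalf.",
            "userConsentDisplayName": "Access Contoso Web Service",
            "value": "user_impersonation",
        }
    ],
}


def add_oauth2_permission(manifest, value, display_name, description, consent_type="User"):
    """Return a copy of the manifest with one more delegated permission (scope).

    Before the manifest is uploaded this enforces what a practitioner wants
    checked: the scope value is unique, the consent type is "User" (any user
    may consent) or "Admin" (only an administrator may consent), and the id is
    a fresh GUID that does not collide with an existing entry.
    """
    if consent_type not in ("User", "Admin"):
        raise ValueError("consent_type must be 'User' or 'Admin'")
    existing = manifest.get("oauth2Permissions", [])
    if any(p["value"] == value for p in existing):
        raise ValueError("scope %r is already defined in the manifest" % value)
    used_ids = {p["id"] for p in existing}
    new_id = str(uuid.uuid4())
    while new_id in used_ids:  # collision is practically impossible, but cheap to guard
        new_id = str(uuid.uuid4())
    entry = {
        "adminConsentDescription": description,
        "adminConsentDisplayName": display_name,
        "id": new_id,
        "isEnabled": True,
        "type": consent_type,
        "userConsentDescription": description,
        "userConsentDisplayName": display_name,
        "value": value,
    }
    updated = dict(manifest)  # leave the caller's manifest untouched
    updated["oauth2Permissions"] = existing + [entry]
    return updated


def enabled_scopes(manifest):
    """Scope values a client application can be granted against this manifest."""
    return [p["value"] for p in manifest.get("oauth2Permissions", []) if p["isEnabled"]]


if __name__ == "__main__":
    updated = add_oauth2_permission(
        SAMPLE_MANIFEST, "orders.read", "Read orders", "Allow the application to read orders."
    )
    print(json.dumps(updated["oauth2Permissions"], indent=2))
```

The scope values listed by enabled_scopes are what appear in the management portal when you add the second permission setting for the web service on the web application; an entry with type "Admin" forces an administrator to consent, which is the setting to use for anything that reads data beyond the signed-in user's own.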
Objective 5.3: Review
Correct answers: A, C, and D
- Correct: The WS-Federation endpoint is often used for browser-based web applications and provides user sign-in and sign-out support.
- Incorrect: The federation metadata document endpoint contains metadata for the Azure Active Directory tenant, such as the certificate used to sign the security tokens it issues.
- Correct: SAML-P provides support for the SAML 2.0 web browser single sign-on and sign-out profiles.
- Correct: Azure Active Directory supports the OAuth 2.0 protocol via the OAuth 2.0 token endpoint and the OAuth 2.0 authorization endpoint.
Correct answer: C
- Incorrect: The sign-on URL is the URL where clients can access the application using a browser or other web tool.
- Incorrect: The reply URL is where Azure Active Directory redirects the user after a client has been authenticated and authorized to access the application.
- Correct: The application ID URI is used to uniquely identify an application added to Azure Active Directory.
- Incorrect: The name setting is only a friendly name chosen for the application and can be any value. The name is displayed in the applications page of Azure Active Directory for each application.
Correct answer: A
- Correct: The URL https://sts.windows.net/<tenant> is a tenant-specific endpoint where SAML tokens are issued.
- Incorrect: The URL https://login.windows.net/<tenant>/saml2 is the application endpoint used to sign in and sign out users using the SAML-P protocol.
- Incorrect: The URL https://login.windows.net/<tenant>/wsfed is the application endpoint used to sign in and sign out users using the WS-Federation protocol.
- Incorrect: The URL https://graph.windows.net/<tenant> is the graph API application endpoint used by applications to perform CRUD operations on directory objects in Azure Active Directory.
Correct answer: D
- Incorrect: The WS-Federation sign-on endpoint is where unauthenticated users of an application configured for WS-Federation are redirected to sign in.
- Incorrect: The SAML-P sign-on endpoint is where unauthenticated users of an application configured for SAML-P are redirected to sign in.
- Incorrect: The Graph API endpoint is used by applications to read and/or write data in the Azure Active Directory.
- Correct: The federation metadata document endpoint points to the metadata document for the Azure Active Directory, which contains the certificate used to sign SAML tokens.
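How a relying party uses the federation metadata document described in this question and in the first question of this review: it reads the tenant's entityID and the signing certificate out of the document, and then accepts a SAML token only if the issuer matches the expected tenant and the token was signed by one of the published certificates. This is an added Python example, not code from the book or from Microsoft. The metadata document below is a constructed sample: the tenant id is a placeholder, and the X509Certificate element holds the base64 of the bytes b"abc" rather than a real DER certificate, so the "thumbprint" it yields is simply SHA-1("abc"). The function names are the example's own.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used in a SAML 2.0 federation metadata document.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata. The tenant id is a placeholder and the
# certificate is base64("abc"), not a real DER-encoded X.509 certificate.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>YWJj</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.windows.net/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def thumbprint(der_bytes):
    """SHA-1 thumbprint of a DER certificate, in the uppercase hex form Azure displays."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def issuer(metadata_xml):
    """The entityID of the tenant, which is also the issuer value in its tokens."""
    return ET.fromstring(metadata_xml).get("entityID")


def signing_thumbprints(metadata_xml):
    """Thumbprints of every certificate the metadata publishes for signing.

    KeyDescriptor elements without a 'use' attribute may be used for both
    signing and encryption, so they are included; use="encryption" is skipped.
    """
    root = ET.fromstring(metadata_xml)
    thumbs = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # strip line wrapping
            thumbs.append(thumbprint(der))
    return thumbs


def check_token_signer(metadata_xml, expected_issuer, token_signing_thumbprint):
    """Accept a token only if its issuer is the expected tenant and the
    certificate that signed it is one the tenant's metadata publishes."""
    if issuer(metadata_xml) != expected_issuer:
        return False
    return token_signing_thumbprint in signing_thumbprints(metadata_xml)


if __name__ == "__main__":
    print("issuer:", issuer(SAMPLE_METADATA))
    print("signing certificates:", signing_thumbprints(SAMPLE_METADATA))
```

The issuer comparison is the part most often skipped: the metadata endpoint is tenant-specific, so a relying party that validates only the signature would also accept tokens issued by any other tenant whose certificate it had cached. Azure AD rolls its signing certificate over, so the published list should be refreshed from the metadata endpoint periodically rather than pinned once.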