A financial services company, Woodgrove Bank, is implementing Microsoft Entra Privileged Identity Management (PIM) to manage access to sensitive Azure resources. They have a requirement that any activation of the 'Subscription Owner' role must be approved by at least two members of the 'IT Security Leads' group. Additionally, the activation request must include a mandatory ticket number from their ServiceNow instance. How should you configure the PIM role settings to meet these requirements?
Q2
A manufacturing company uses Microsoft Entra Connect cloud sync to provision users from a disconnected on-premises Active Directory forest. After a successful initial deployment, a new organizational unit (OU) named 'Robotics Division' was created in the on-premises AD, and new user accounts were added to it. However, these new users are not appearing in Microsoft Entra ID. Existing users are syncing correctly. What is the most likely cause of this issue?
Q3 (Multiple answers)
A global logistics company has registered a custom line-of-business application in their Microsoft Entra tenant. The application requires access to read user profiles and send emails on behalf of the signed-in user. To adhere to the principle of least privilege, which TWO API permissions should be granted to this application? (Select TWO)
Q4
True or False: When configuring a Microsoft Entra access review for a dynamic group, if a user's attributes change during the review period causing them to be removed from the group by the dynamic membership rule, their access is immediately revoked regardless of the reviewer's decision.
Q5
To deploy Microsoft Entra pass-through authentication (PTA), you must install an Authentication Agent on a domain-joined server. To ensure high availability, you plan to install agents on three different servers. The PowerShell command to register the first agent is `Register-AzureADConnectAuthenticationAgent`. What is the value for the `____` parameter when registering the second and third agents to ensure they are part of the same agent group for load balancing and failover?
Q6
**Case Study: Litware, Inc. Identity Modernization**

**Company Background:** Litware, Inc. is a software development company with 2,000 employees. It has a hybrid identity environment that uses Microsoft Entra Connect to synchronize its on-premises Active Directory (ad.litware.com) with Microsoft Entra ID. It currently uses Password Hash Synchronization and holds a Microsoft Entra ID P2 (formerly Azure AD Premium P2) license for all users.

**Current Situation:** Litware has a critical on-premises legacy application called 'CodeVault' that uses Kerberos authentication. Remote developers need to access CodeVault, but the company wants to avoid a traditional VPN. Litware has recently acquired a smaller company that uses Google Workspace as its identity provider. Litware needs to grant these newly acquired employees access to a specific set of SaaS applications managed in the Litware Microsoft Entra tenant.

**Requirements:**
1. Provide remote access to the on-premises 'CodeVault' application without a VPN.
2. The solution for 'CodeVault' must support Kerberos authentication and enforce Microsoft Entra Conditional Access policies.
3. Allow the acquired company's employees to use their existing Google Workspace credentials to access designated SaaS apps in the Litware tenant.
4. Minimize administrative overhead for managing the acquired users' identities.

**Problem:** You are an Identity Architect tasked with designing a solution that meets all of Litware's requirements. Which of the following solutions is the most effective?

```mermaid
graph TD
    subgraph Internet
        RemoteDev[Remote Developer]
        AcquiredUser[Acquired Co. User]
    end
    subgraph LitwareAzure["Litware Azure"]
        EntraID[Microsoft Entra ID]
        AppProxy[Application Proxy]
        SaaSApps[SaaS Apps]
        CAPolicy[CA Policies]
    end
    subgraph LitwareOnPrem["Litware On-Premises"]
        AD[ad.litware.com]
        CodeVault[CodeVault App]
        Connector[App Proxy Connector]
    end
    subgraph AcquiredCo["Acquired Co."]
        Google[Google Workspace]
    end

    RemoteDev -->|1. Access Request| EntraID
    EntraID -->|2. Enforce CA| CAPolicy
    CAPolicy -->|3. Authenticate| EntraID
    EntraID -->|4. Forward to Proxy| AppProxy
    AppProxy -->|5. To Connector| Connector
    Connector -->|6. KCD| AD
    AD -->|7. Kerberos Ticket| Connector
    Connector -->|8. Access App| CodeVault

    AcquiredUser -->|1. Access Request| SaaSApps
    SaaSApps -->|2. Redirect to Entra| EntraID
    EntraID -->|3. Redirect to Google| Google
    Google -->|4. Authenticate User| AcquiredUser
    Google -->|5. SAML Token| EntraID
    EntraID -->|6. Grant Access| SaaSApps
```
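The on-premises half of the CodeVault flow above (step 6, "KCD") is the part that is easy to get wrong and the part that carries the security risk, so here is an added example, not part of the case study, of configuring Kerberos constrained delegation for the Application Proxy connector with the ActiveDirectory module. Assumptions beyond what the case study states: the connector runs on a server named CONNECTOR01, CodeVault's application pool runs as the service account svc_codevault, and the app's SPN is http/codevault.ad.litware.com. The Entra-side publishing (the Application Proxy app with Integrated Windows Authentication SSO, the SPN and UPN mapping, and the Conditional Access assignment) is done in the portal and is not shown.

```powershell
# Added example (not part of the case study): Kerberos constrained delegation (KCD) for the
# Application Proxy connector host. Names below are placeholders / assumptions.
Import-Module ActiveDirectory

$connectorHost = "CONNECTOR01"                  # assumed connector server
$appSpn        = "http/codevault.ad.litware.com" # assumed SPN for CodeVault
$appSvcAccount = "svc_codevault"                 # assumed app-pool service account

# 1. CodeVault's SPN must be registered on the account the application runs as; otherwise
#    the service ticket the connector obtains cannot be decrypted by the application.
$svc = Get-ADUser -Identity $appSvcAccount -Properties servicePrincipalName
if ($svc.servicePrincipalName -notcontains $appSpn) {
    Set-ADUser -Identity $appSvcAccount -ServicePrincipalNames @{ Add = $appSpn }
}

# 2. Constrained delegation: the connector's computer account may request tickets ONLY for
#    CodeVault's SPN. Protocol transition ("use any authentication protocol") is required because
#    the user authenticated to Entra ID, not to AD, so there is no Kerberos ticket to forward;
#    the connector impersonates the user by UPN instead.
$connector = Get-ADComputer -Identity $connectorHost
Set-ADComputer -Identity $connector -Add @{ 'msDS-AllowedToDelegateTo' = $appSpn }
Set-ADAccountControl -Identity $connector -TrustedToAuthForDelegation $true

# 3. Verify. The delegation list must contain exactly the one SPN: unconstrained delegation
#    ("trust this computer for delegation to any service") or extra SPNs would let a compromised
#    connector host impersonate any synced user to those services.
Get-ADComputer -Identity $connectorHost -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

Two practical checks once this is in place: the user's Entra UPN must resolve to an on-premises account (which Password Hash Synchronization from ad.litware.com already guarantees for Litware's own users), and the connector host must be able to reach a domain controller in ad.litware.com, since step 7 in the diagram is a real ticket request, not a pass-through.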
Q7 (Multiple answers)
A security administrator is reviewing sign-in logs and notices several 'unfamiliar sign-in properties' risk detections. To automate the response, the administrator wants to configure a policy that forces users with a medium or high user risk level to perform a secure password change. Which two services should be configured to achieve this? (Select TWO)
Q8
An organization is using group-based licensing to assign Microsoft 365 E5 licenses to all users in the 'Marketing' department. A new user, User1, is added to the 'Marketing' group. However, after 24 hours, User1 still does not have an E5 license. An administrator checks the group's licensing status and sees a processing error stating, 'License assignment failed for one or more users.' What is the most common reason for this specific error?
Q9
A company is configuring a Conditional Access policy to protect a critical application. The policy must block access from all countries except for Canada and the United States. Which configuration for the 'Locations' condition is the correct way to implement this?
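As an added example that is not part of the quiz, the following Microsoft Graph PowerShell builds the geo-restriction the question describes end to end: a countries named location that holds only the allowed countries, and a block policy whose Locations condition includes all locations and excludes that named location. The application ID and break-glass account ID are placeholders; the policy is created in report-only mode so the sign-in log can be checked before enforcement.

```powershell
# Added example (not part of the quiz). Requires the Microsoft.Graph.Identity.SignIns module and a
# connection with the Policy.ReadWrite.ConditionalAccess scope. IDs below are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$criticalAppId   = "00000000-0000-0000-0000-000000000001"   # placeholder: protected application's app ID
$breakGlassUser  = "00000000-0000-0000-0000-000000000002"   # placeholder: emergency-access account object ID

# 1. Named location listing ONLY the allowed countries. Unknown countries (IP addresses that cannot
#    be geolocated) are deliberately left out, so they fall under "All" below and are blocked.
$allowedCountries = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed countries - Canada and United States"
    countriesAndRegions               = @("CA", "US")
    includeUnknownCountriesAndRegions = $false
}

# 2. Block policy: Locations = include All, exclude the allowed named location.
#    Blocking is the grant control; the exclusion is what leaves CA and US reachable.
$policy = @{
    displayName   = "Block CriticalApp outside Canada and United States"
    state         = "enabledForReportingButNotEnforced"   # report-only first, then "enabled"
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassUser)            # never lock out the break-glass account
        }
        applications = @{ includeApplications = @($criticalAppId) }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($allowedCountries.Id)
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

The common mistake is the inverse shape (include the two-country named location and block), which blocks exactly the users who should get in. Country resolution is IP-geolocation based unless GPS-determined location is enabled, so VPN egress points and IPv6 ranges are worth checking in the report-only sign-in results before switching `state` to `enabled`.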
Q10
A developer at your company has created an Azure Function App that needs to read secrets from an Azure Key Vault. To follow security best practices, you want to avoid storing any credentials or secrets in the Function App's configuration. What is the most secure and recommended method for the Function App to authenticate to the Key Vault?
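As an added example that is not part of the quiz, the Az PowerShell below implements the credential-free pattern the question is after: a system-assigned managed identity on the Function App, a least-privilege Azure RBAC assignment on the one vault it needs, and a Key Vault reference in an app setting so the secret value itself never lands in configuration. Resource group, app, vault and secret names are placeholders; the vault is assumed to use the Azure RBAC permission model rather than access policies.

```powershell
# Added example (not part of the quiz). Requires Az.Functions, Az.KeyVault and Az.Resources.
# Names are placeholders; the vault is assumed to have -EnableRbacAuthorization set.
$rg         = "rg-orders-prod"        # placeholder
$appName    = "func-orders-prod"      # placeholder
$vaultName  = "kv-orders-prod"        # placeholder
$secretName = "SqlConnectionString"   # placeholder

# 1. System-assigned identity: its lifetime is tied to the Function App, so there is no
#    client secret or certificate to store, rotate or leak.
Update-AzFunctionApp -ResourceGroupName $rg -Name $appName -IdentityType SystemAssigned -Force | Out-Null
$funcApp     = Get-AzFunctionApp -ResourceGroupName $rg -Name $appName
$principalId = $funcApp.IdentityPrincipalId

# 2. Least privilege: "Key Vault Secrets User" allows get/list of secret values only (no writes,
#    no keys or certificates), and the scope is this single vault, not the resource group.
$kv = Get-AzKeyVault -ResourceGroupName $rg -VaultName $vaultName
New-AzRoleAssignment -ObjectId $principalId `
                     -RoleDefinitionName "Key Vault Secrets User" `
                     -Scope $kv.ResourceId | Out-Null
# If the vault still used access policies instead of RBAC, the equivalent would be:
# Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $principalId -PermissionsToSecrets get,list

# 3. Key Vault reference: App Service resolves it with the managed identity at startup.
#    The unversioned URI lets a rotated secret be picked up without redeploying.
$secretUri = "$($kv.VaultUri)secrets/$secretName"
Update-AzFunctionAppSetting -ResourceGroupName $rg -Name $appName -Force -AppSetting @{
    "SQL_CONNECTION_STRING" = "@Microsoft.KeyVault(SecretUri=$secretUri)"
}
```

Role assignments take a few minutes to propagate, so a reference that shows as unresolved immediately after this runs is not necessarily a misconfiguration; restart the app after the assignment is visible in `Get-AzRoleAssignment -ObjectId $principalId`. If the vault has a firewall enabled, the Function App also needs a network path to it (VNet integration with a private endpoint or a service endpoint), because App Service is not a Key Vault trusted service.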