Updated 70-346 Guidance 2021

NEW QUESTION 1

You are an administrator for a company. You are planning an Office 365 pilot. The current environment has servers that run Windows Server 2012. There is no budget to upgrade the servers.
You add an external DNS record for Active Directory Federation Services (AD FS). You must implement a single sign-on (SSO) solution for users to access the Office 365 resources. You must deploy the AD FS components with the following requirements:
Loss of a single server must not prevent any authentication request or management function.
Users must be able to access the Office 365 environment from their home computers by using their corporate credentials.
Any modifications to service configurations must be made after servers are deployed. You need to deploy AD FS.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
References:
https://blogs.technet.microsoft.com/canitpro/2015/09/11/step-by-step-setting-up-ad-fs-and-enabling-single-sign-

NEW QUESTION 2

A company plans to synchronize users in an existing Active Directory organizational unit with Office 365. You must configure the Azure Active Directory Connect with password sync
You need to ensure that the service account has the minimum level of permissions required.
Which two permission levels should you assign to the account for each task? To answer, select the appropriate permission level from each list in the answer area.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Password Write-Back
For each forest you have configured in Azure AD Sync, the account you have specified for a forest in the wizard must be given the “Reset-Password” and “Change Password” extended rights on the root object of each domain in the forest.
Permissions for password synchronization
If you want to enable password synchronization between your on-premises AD DS and your Azure Active Directory for your users, you need to grant the following permissions to the account that is used by Azure AD Sync to connect to your AD DS:

NEW QUESTION 3

You manage the Office 365 tenant for Contoso, Ltd.
You need to implement the following requirements for a user named john@contoso.com:
Must use app passwords for mobile Office applications.
Existing apps must continue to work until apps are configured to use app passwords.
Must not experience an interruption in service when using apps that are not browser-based.
How should you complete the Microsoft Azure PowerShell commands? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

NEW QUESTION 4

An organization has over 10,000 users and uses a SQL-based Active Directory Federation Services (AD FS) 2.1 server farm.
You need to change the AD FS 2.0 service account password.
What should you do? Select the correct answer from each list in the answer area.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
We must update the domain password for the AD FS 2.0 service account in Active Directory Domain Services (AD DS) and then update the AD FS AppPool and the AD FS service account on all federation servers in the federation server farm to mirror the new domain password.
The AD FS AppPool is configured through Internet Information Services (IIS) Manager.
The AD FS 2.0 Windows Service Properties is configured through the Windows Services snap-in. References:
https://technet.microsoft.com/en-us/library/hh344806%28v=ws.10%29.aspx

NEW QUESTION 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series holds a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are the Office 365 administrator for a company. You plan to deploy Microsoft Skype for Business Online for all employees.
You need to verify domain ownership. Solution: Add a TXT record.
Does the solution meet the goal?

• A. Yes
• B. No

Answer: A

NEW QUESTION 6

Contoso, Ltd. has an Office 365 Tenant. The company plans to implement single sign-on (SSO). You install Active Directory Federation Services.
You need to enable the use of SSO.
How should you complete the relevant Windows PowerShell commands? To answer, select the appropriate Windows PowerShell segment from each list in the answer area.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
See step 2) and step 5) below.
To convert an existing domain to a single sign-on domain, follow these steps. References: https://msdn.microsoft.com/en-us/library/azure/jj205461.aspx

NEW QUESTION 7

A company deploys an Office 365 tenant.
All employees in the human resources (HR) department must use multi-factor authentication. They must use only the Microsoft Outlook client to access their email messages. User1 joins the HR department.
You need to help User1 configure his account.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Box 1: Enable multi-factor authentication for User1.
Box 2: Instruct User1 to use a mobile phone to complete the registration process. Box 3: Instruct User1 to create an app password.
(Step 1) First we need to enable multi-factor authentication for this Office 365 users.
(Step 2) After being enrolled for multi-factor authentication, the next time a user signs in, they see a message asking them to set up their second authentication factor.
Any of the following may be used for the second factor of authentication: Mobile Phone Call, Mobile Phone Text Message, Office Phone Call, or Mobile App.
(Step 3) Configure app passwords for non-browser apps (such as …Outlook etc.).
User1 should create an app password. The app password should then be used to set up Microsoft Outlook.
After the registration process (step 2) has been completed, users can setup application passwords for
non-browser apps (such as …Outlook etc.). This is required because the non-browser apps (such as …Outlook etc.) do not support multi-factor authentication and you will be unable to use them unless an app password is configured.
References:
http://msdn.microsoft.com/en-us/library/azure/dn383636.aspx#enablemfaoffice365

NEW QUESTION 8

The sales manager wants a resource configured in Office 365. You need to configure scheduling services.
What should you configure?

• A. SharePoint Online site with a notification web part
• B. Microsoft Flow using the StaffHub to Office 365 Outlook template
• C. StaffHub with a connection to Kronos
• D. Microsoft Teams with a Kronos channel

Answer: C

NEW QUESTION 9

A company has an Office 365 tenant. You need to verify domain ownership.
What two options can you use? Each correct answer presents a complete solution.

• A. Create an MX record.
• B. Create a CNAME record.
• C. Create an A record.
• D. Create an SRV record.
• E. Create an TXT record.

Answer: AE

Explanation:
Add a TXT or MX record for DNS verification. References:

NEW QUESTION 10

You plan to import several user accounts to an Office 365 subscription by using a CSV file. You download a sample CSV file from the Office 365 admin center.
You need to prepare the file for the planned import.
What should you do?

• A. Add a column named Managed By.
• B. Add values to the UserName and Country columns.
• C. Add values to the UserName and DisplayName columns.
• D. Add a column named Password.

Answer: C

Explanation:
Example of CSV file content:

References:http://community.bamboosolutions.com/blogs/office-365/archive/2014/12/29/how-to-import-bulk-us

NEW QUESTION 11

An organization plans to deploy an Office 365 tenant. The company has two servers named SERVER1 and SERVER2. SERVER1 is a member server of the Active Directory forest that you are synchronizing. SERVER2 is a standalone server. Both servers run Windows Server 2012.
You need to use the Azure Active Directory Connect to provision users
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:

You must activate directory synchronization before you install the Directory Sync tool.
The Directory Sync tool must be installed on a computer that is joined to the Active Directory forest that you plan to synchronize. As SERVER2 is a standalone server, it is not joined to the Active Directory forest and
cannot be used for synchronization.
Finally, assign license to activate services for the synchronized users.

NEW QUESTION 12

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You deploy Office 365 for all company users. You use Microsoft Exchange Online for company email. You must develop a process to assign licenses to new users in your company.
You need to implement the licensing process.
Solution: Run the Set-MsolUserLicense Windows PowerShell cmdlet.
Does the solution meet the goal?

• A. Yes
• B. No

Answer: A

NEW QUESTION 13

You need to troubleshoot the issues for user Alex.Simmons. What should you run?

• A. hybrid environment free/busy troubleshooter
• B. Microsoft Office Outlook Connectivity Tests
• C. Microsoft Office Configuration Analyzer Tool
• D. Microsoft Office 365 Client Performance Analyzer

Answer: C

NEW QUESTION 14

You are the Office 365 administrator Contoso, Ltd. You synchronize Active Directory Domain Services (AD DS) user accounts with an Office 365 environment by using Microsoft Azure Active Directory (Azure AD) Connect. You use a test account named Test1@contoso.com to perform configuration testing. The account currently accesses on-premises resources.
The Test1@contoso.com account experiences issues with Microsoft Exchange Online and SharePoint Online. You need to quickly recreate the account and prevent interruption in access to the on-premises resources. What should you do?

• A. Run the Remove -SPOUser cmdlet.
• B. Run the Remove -MsolUser cmdlet.
• C. In the Office 365 admin center, find and delete the account.
• D. Run the Remove ADUser cmdlet.
• E. In the Azure AD admin center, find and delete the account.

Answer: D

NEW QUESTION 15

You need to implement an authentication solution for contoso.com users. What should you do?

• A. Install two Active Directory Federation Services (AD FS) servers and two AD FS Proxy servers.
• B. Install a second Azure AD Connect serve
• C. Add a second SQL Server instance in an Always On Failover Cluster and implement password sync.
• D. Install two Active Directory Federation Services (AD FS) servers and two Web Application Proxy (WAP) servers.
• E. Install a single Active Directory Federation Services (AD FS) server and a single Web ApplicationProxy (WAP) server.

Answer: A

NEW QUESTION 16

Your company purchases an Office 365 plan. The company has an Active Directory Domain Services domain. User1 must be able to manage Office 365 delegation for the company.
You need to ensure that User1 can assign administrative roles to other users. What should you do?

• A. Create an Office 365 tenant and assign User1 the password administrator role.
• B. Use an existing user management administrator account to assign a role with the correct permissions to User1.
• C. Create an Office 365 tenant and assign User1 the service administrator role.
• D. Create an Office 365 tenant by using the User1 account.

Answer: D

Explanation:
https://support.office.com/en-ie/article/assign-admin-roles-in-office-365-for-business-eac4d046-1afd-4f1a-85fc-

NEW QUESTION 17

You manage an on-premises Active Directory environment. You implement an Office 365 tenant. Password requirements for the environments are listed in the table below.

You deploy Microsoft Azure Active Directory (Azure AD) Connect and configure synchronization between Office 365 and the on-premises Active Directory.
You need to determine the resulting policies for Office 365 users.
Which password policies will take effect? To answer, drag the appropriate values to the correct policies. Each value may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
If your organization uses the accountExpires attribute as part of user account management, be aware that this attribute is not synchronized to Azure AD. As a result, an expired Active Directory account in an environment configured for password synchronization will still be active in Azure AD.
When password synchronization is enabled, the password complexity policies in your on-premises Active Directory instance override complexity policies in the cloud for synchronized users. You can use all of the valid passwords from your on-premises Active Directory instance to access Azure AD services.
References:
https://scottcroucher.com/2021/08/11/implement-password-synchronization-with-azure-ad-connect-sync/

NEW QUESTION 18

Contoso, Ltd. has an on-premises SharePoint environment. The company plans to deploy SharePoint Online. You must use Active Directory Federation Services (AD FS). The global administrator account must be able to access the Office 365 tenant even if AD FS is unavailable.
You need to set up the global administrator account. What should you do?

• A. In the Office 365 admin center, create a user named sp_admin@contoso.onmicrosoft.com
• B. In the Office 365 admin center, create a user named sp_admin@contoso.com
• C. In Active Directory Domain Services Users and Computers, create a user named sp_admin@contoso.onmicrosoft.com
• D. In Active Directory Domain Services Users and Computers, create a user named sp_admin@contoso.com

Answer: A

Explanation:
One of the first steps is to create SPO administrative account. You should always plan to create this account as Cloud ID, E.g. sp_admin@yourdomain.onmicrosoft.com. Having this as Cloud ID, it allows you to access your tenant even if On-Premises ADFS environment is unavailable. You can provision new Cloud Account from the Office 365 Administration site.
References:
https://nikpatel.net/2014/06/03/best-practices-for-configuring-sharepoint-online-tenant-part-ii-configuring-share

NEW QUESTION 19

Your company has a hybrid deployment Office 365.
You create a user in Office 365. The next day, you discover that the new user account fails to appear in the Microsoft Exchange Server on-premises global address list (GAL).
You need to ensure that the user has a mailbox and appears in the Exchange on-premises GAL and the Office 365 GAL.
What should you do?

• A. Assign a Microsoft Exchange Online license to the user account.
• B. From the Microsoft Online Services Directory Synchronization tool, enable rich coexistence.
• C. From the Office 365 portal, modify the sign-in status of the user account.
• D. Delete the user account hosted on Office 365.From the Exchange Management Console, create a new remote mailbox.

Answer: D

NEW QUESTION 20

A company uses Office 365 services. You implement Azure AD Connect in the local environment. An employee moves to a new department. All Office 365 services must display the new department
information for the employee.
You need to update the employee's user account.
Where should you change the value of the department attribute for the employee?

• A. the Active Directory management page in the Azure Management Portal
• B. the on-premises Active Directory
• C. the Users and groups page in the office 365 admin center
• D. the Metaverse Designer

Answer: B

NEW QUESTION 21

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You need to ensure that a user named User1 can create mailboxes in Exchange Online and sites in SharePoint Online.
Solution: You add User1 to the Service administrator admin role. Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation:
The Service administrator admin role does not have the necessary privileges to create mailboxes in Exchange Online and sites in SharePoint Online.
References:
https://support.office.com/en-us/article/About-Office-365-admin-roles-da585eea-f576-4f55-a1e0-87090b6aaa9d

NEW QUESTION 22

You are the office 365 administrator for a company. You deploy Microsoft SharePoint Online. Many users report that they cannot discover useful content via searches.
You need to run the appropriate SharePoint Online report to help identify the issue. Which report should you run?

• A. SharePoint Site Usage
• B. SharePoint Activity
• C. Query Rule Usage by Day
• D. Abandoned Queues by Day

Answer: D

Explanation:
References:
https://support.office.com/en-us/article/view-search-usage-reports-2cd8f257-c29b-423d-8265-d44e6214d095

NEW QUESTION 23

You are the administrator for a company. You plan to use Office 365 for email and file sharing. You plan to implement a hybrid deployment with your current on-premises Active Directory Domain Services (AD DS) environment and Microsoft Azure Active Directory (Azure AD) Connect.
You must deploy Microsoft Exchange Online and OneDrive for Business for all employees. You have the following security requirements:
All employees must use complex passwords. Passwords must be changed every six months.
Employees must use multi-factor authentication (MFA) when possible.
You need to implement MFA verification options to use with the employee's password. Solution: Have the employee use a physical smart card.
Does the solution meet the goal?

• A. Yes
• B. No

Answer: B

NEW QUESTION 24

Your company uses Office 365 and has an Enterprise E3 license plan. Employees are issued laptop computers that are configured with a standard image.
The image includes an installation of Office 365 ProPlus that must be activated by the employees. An employee recently received a new laptop computer to replace an older laptop.
The older laptop will be reimaged.
When the employee attempts to start Word for the first time, she receives a message saying that she cannot activate it because she has already activated five devices.
You need to help the employee activate Office on her new laptop computer. What should you do?

• A. Assign a second E3 license to the employee.
• B. Remove the employee's E3 license and then assign a new E3 license.
• C. Sign in to the Office 365 portal as the employee and deactivate the old laptop.
• D. Sign in to the Office 365 portal by using your Global Admin account and then deactivate the old laptop.

Answer: D

Explanation:
Deactivating Office on a particular device for a specific user can be done with either logging in as the employee and deactivating it, or by using your Global Admin account.
Sign into the Office 365 Portal -> Users -> Active Users -> Select User Name -> Edit Office Installations and pick the device you want to remove.
References:
https://support.office.com/en-us/article/Remove-a-former-employee-from-Office-365-44d96212-4d90-4027-9aa

NEW QUESTION 25

Contoso Ltd. uses Office 365 for collaboration. You are implementing Active Directory Federation Services (AD FS) for single sign-on (SSO) with Office 365 services. The environment contains an Active Directory domain and an AD FS federation server.
You need to ensure that the environment is prepared for the AD FS setup.
Which two actions should you perform? Each correct answer presents part of the solution.

• A. Configure Active Directory to use the domain contoso.com.
• B. Configure Active Directory to use the domain contoso.local.
• C. Create a server authentication certificate for the federation server by using fs.contoso.com as the subject name and subject alternative name.
• D. Create a server authentication certificate for the federation server by using fs.contoso.local as the subject name and subject alternative name.

Answer: AC

Explanation:
A: The domain we want to federate must be registered as a public internet domain with a domain registrar or within our own public DNS servers. We cannot use contoso.local as it is not routable outside of the intranet.
C: The Subject Name of the SSL certificate must match the names used in the AD FS configuration. The default sub-domain for AD FS is fs. As we use contoso.com as the domain, we are probably using fs,contoso.com as the AD FS name and we must also use it in the subject name for the certificate.

NEW QUESTION 26

You need to use the Office 365 admin center portal to create the report for the Dallas office. Which values should you use? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:

NEW QUESTION 27

You have an Office 365 tenant that uses an Enterprise E3 subscription. You activate Azure Rights Management for the tenant.
You need to deploy Azure Rights Management for all users. Which Windows PowerShell cmdlet should you run?

• A. Enable-Aadrm
• B. New-AadrmRightsDefinition
• C. Enable-AadrmSuperUserFeature
• D. Add-AadrmSuperUser
• E. Set-AadrmOnboardingControlPolicy

Answer: A

Explanation:
The Enable-Aadrm cmdlet enables your organization to use Azure Rights Management when you have a
subscription that includes this service.

NEW QUESTION 28

A company has an Office 365 tenant. You plan to use Office 365 to manage the DNS settings for a custom domain. You purchase the domain through a third-party provider.
You create a custom website. You must host the website through a third-party provider at the IPv6 address 2001:4860:4801:1:5:4d. You need to configure the correct DNS settings.
What should you do? To answer, drag the appropriate DNS record to the correct DNS target. Each record may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Change your domain’s name server (NS) records
When you get to the last step of the domains setup wizard in Office 365, you have one task remaining. To set up your domain with Office 365 services, like email, you change your domain’s name server (or NS) records at your domain registrar to point to the Office 365 primary and secondary name servers. Use (A) DNS record for the web site.

NEW QUESTION 29
......