Exam-Answer


Question 106

You are asked to connect your new Office 365 subscription with your on-premises Active Directory Domain Services (AD DS) domain. You configure Azure AD Connect and enable Seamless Single Sign-On (SSO).

You need to configure Group Policy Object (GPO) support for SSO.

Which two policies or settings should you configure? Each correct answer presents part of the solution.

Answers



Explanation

You should configure the Site to Zone Assignment List setting. This setting establishes the URL to which Kerberos tickets are forwarded when the user tries to sign on to Office 365 applications. You need to add https://autologon.microsoftazuread-sso.com to the Intranet zone, because Kerberos tickets are not sent to cloud endpoints.

You should also configure the Allow updates to status bar via script policy for the Intranet Zone. When the user tries to access an Office 365 application, Seamless SSO uses JavaScript scripts to run all requests in the background. These JavaScript scripts also need to update the status bar of the user's browser. You need to configure this setting for the Intranet Zone because you need your clients to send Kerberos tickets.

You should not configure the Internet Zone Template or Intranet Zone Template policies. These policies are used to configure the security level of each zone for domain users.

You should not configure the Allow updates to status bar via script policy for the Internet Zone. This policy would allow JavaScript scripts downloaded from the Internet Zone to update the status bar. In this scenario, the Seamless SSO URL is treated as an Intranet Zone URL.

You should not turn on the Notification bar policy for intranet content. This policy has no effect on the Seamless SSO feature.
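To confirm on a domain-joined client that the two settings above actually applied, the following added example (not part of the original question or of Microsoft's tooling) reads the applied policy values and reports deviations, including the Internet Zone setting the explanation says to leave alone. The registry locations, the zone numbers and the 2103 URL action are assumptions not stated on this page: they are the standard locations for User Configuration Internet Explorer zone policies.

```powershell
# Added example. Registry locations are assumptions: the standard HKCU policy keys
# that User Configuration Internet Explorer zone policies write to.
$SsoUrl = 'https://autologon.microsoftazuread-sso.com'
$Base   = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-PolicyValues {
    param([string]$Path)
    # Return every value under a registry key as name -> data (empty if the key is absent).
    $values = @{}
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { foreach ($n in $key.GetValueNames()) { $values[$n] = $key.GetValue($n) } }
    return $values
}

function Test-SeamlessSsoPolicy {
    param([hashtable]$ZoneMap, [hashtable]$IntranetZone, [hashtable]$InternetZone)
    $findings = @()
    # Site to Zone Assignment List: the SSO URL must map to zone 1 (Intranet).
    if (-not $ZoneMap.ContainsKey($SsoUrl)) {
        $findings += "Site to Zone Assignment List has no entry for $SsoUrl"
    } elseif ("$($ZoneMap[$SsoUrl])" -ne '1') {
        $findings += "$SsoUrl is assigned to zone $($ZoneMap[$SsoUrl]), expected 1 (Intranet)"
    }
    # URL action 2103 = allow status bar updates via script; 0 means enabled.
    if (-not $IntranetZone.ContainsKey('2103') -or [int]$IntranetZone['2103'] -ne 0) {
        $findings += 'Allow updates to status bar via script is not enabled for the Intranet Zone'
    }
    # The explanation says not to enable it for the Internet Zone (zone 3); flag it if it is.
    if ($InternetZone.ContainsKey('2103') -and [int]$InternetZone['2103'] -eq 0) {
        $findings += 'Status bar updates via script is enabled for the Internet Zone (not needed for Seamless SSO)'
    }
    return $findings
}

# Live check against the current user's applied policy.
$live = Test-SeamlessSsoPolicy -ZoneMap (Get-PolicyValues "$Base\ZoneMapKey") `
    -IntranetZone (Get-PolicyValues "$Base\Zones\1") `
    -InternetZone (Get-PolicyValues "$Base\Zones\3")
if ($live) { $live | ForEach-Object { Write-Warning $_ } } else { 'Seamless SSO zone policy OK' }

# Constructed sample (not from a real client): URL placed in zone 2 instead of zone 1.
Test-SeamlessSsoPolicy -ZoneMap @{ $SsoUrl = '2' } -IntranetZone @{ '2103' = 0 } -InternetZone @{}
```

Run it in the signed-in user's session after `gpupdate /force`; if the policies are deployed under Computer Configuration instead, point `$Base` at the equivalent `HKLM:` path.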
