100% Real Microsoft MCSA 70-346 Exam Questions & Answers, Accurate & Verified By IT Experts
Microsoft MCSA 70-346 Practice Test Questions in VCE Format
Archived VCE files
| File | Votes | Size | Date |
|---|---|---|---|
| Microsoft.Actualtests.70-346.v2014-08-20.by.BRENDA.90q.vce | 10 | 1.94 MB | Aug 20, 2014 |
| Microsoft.Actualtests.70-346.v2014-04-26.by.MAUREEN.90q.vce | 6 | 2.69 MB | Apr 26, 2014 |
Microsoft MCSA 70-346 Practice Test Questions, Exam Dumps
Practice test questions, a study guide and a video training course for the Microsoft 70-346 (Managing Office 365 Identities and Requirements) exam are provided in VCE format. To open the Microsoft MCSA 70-346 practice test files in VCE format you need the Avanset VCE Exam Simulator.
The 70-346 Exam, Managing Office 365 Identities and Requirements, was once a cornerstone certification for IT professionals. It served as one of two exams required to earn the Microsoft Certified Solutions Associate (MCSA): Office 365 credential. Its focus was on the critical tasks of provisioning, managing, and securing identities within the Office 365 ecosystem. Although this specific exam was officially retired as part of Microsoft's shift to role-based certifications, the skills it validated have not diminished in importance. In fact, they have become even more crucial in today's cloud-centric world.
This five-part series will provide a deep dive into the knowledge domains that were central to the 70-346 Exam. We will treat the exam's objectives as a blueprint for mastering the fundamentals of Microsoft 365 identity management. Understanding these concepts is essential for anyone aspiring to roles like Microsoft 365 Administrator, Identity and Access Administrator, or Security Administrator. The content covered here provides the foundational knowledge that underpins many of the current Microsoft role-based certifications, such as those associated with the Microsoft 365 Certified: Enterprise Administrator Expert.
Our approach will be to dissect the core competencies measured by the 70-346 Exam, from initial tenant provisioning and DNS configuration to the complex world of hybrid and federated identity. We will explore not just the "how" but also the "why" behind each task, providing the context needed to make sound administrative and architectural decisions. While you can no longer sit for the 70-346 Exam, mastering the skills it covered is a necessary step on your journey to becoming a proficient Microsoft 365 professional.
Think of this series as a historical and educational guide. It uses the well-defined structure of the retired 70-346 Exam to build a comprehensive understanding of identity management principles that are timeless. By the end, you will have a solid grasp of the technologies and practices that are essential for managing any modern Microsoft cloud environment, preparing you for the challenges of today's IT landscape and the requirements of current certification paths.
The very first step in any Office 365 deployment, and a foundational topic of the 70-346 Exam, is the provisioning of a new tenant. A tenant is your organization's dedicated instance of Office 365 services. It is a secure, isolated container that holds all your company's data, users, and configurations. The creation process begins with selecting an Office 365 plan that meets your organization's needs and choosing an initial tenant name, which forms the basis of your onmicrosoft domain.
During the provisioning process, you are required to provide details about your organization and create the first user account. This initial account is automatically granted the Global Administrator role, which has unrestricted access to all management features within the tenant. It is a best practice to create a dedicated, secondary global administrator account for emergency access and to use a non-privileged account for daily tasks, following the principle of least privilege. This was a key security concept for the 70-346 Exam.
After the tenant is created, the next step is to add and verify your custom domain names. This allows your users to have email addresses and user principal names (UPNs) that match your company's branding, such as user@yourcompany. Verification is a critical process that proves you own the domain you are adding. This is typically done by creating a specific TXT or MX record in your public DNS zone.
The 70-346 Exam required a thorough understanding of this entire setup phase. This includes navigating the admin center, understanding the implications of the chosen tenant name, and successfully adding and verifying custom domains. This process is the bedrock upon which the entire Office 365 service is built for an organization, and getting it right from the start is crucial for a smooth deployment.
Once a tenant is provisioned, a key administrative responsibility is managing the subscriptions and licenses. This was a core competency for the 70-346 Exam and remains a vital task for cost management and compliance. Each user who needs to access Office 365 services must be assigned a license from a purchased subscription, such as Microsoft 365 Business Standard or Office 365 E3.
The Microsoft 365 admin center provides a centralized interface for managing these tasks. Administrators must know how to assign licenses to individual users and how to perform bulk assignments, often using PowerShell for larger organizations. It is also important to be able to remove licenses from users who no longer require them, freeing up those licenses for others. This ensures that the organization is only paying for the services that are being actively used.
Beyond individual license assignment, the 70-346 Exam curriculum covered the management of the subscriptions themselves. This includes monitoring the number of available versus assigned licenses, purchasing additional licenses or new subscriptions, and managing the billing and payment information for the tenant. A clear understanding of the different subscription plans and the services included in each is essential for making informed purchasing decisions.
A more advanced skill is the ability to manage the individual services within a license. For example, you might have a user who only needs access to Exchange Online and not the other services included in their E3 license. Administrators can disable the unneeded services on a per-user basis. This level of granular control can be important for security and for managing the user experience, and it demonstrates a deep understanding of license management principles.
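The license tasks described above (checking available versus assigned licenses, assigning a license, and disabling individual service plans for one user) can all be scripted. The following is an added example, not code from the original page, written against the Azure Active Directory PowerShell for Graph (AzureAD) module; it assumes Connect-AzureAD has already been run, and the user principal name, SKU part number and service plan names are assumptions chosen for illustration.

```powershell
# Added example (not from the original page): license inventory plus a per-user
# assignment that leaves selected service plans disabled, using the AzureAD module.
# Assumes an existing Connect-AzureAD session. The UPN, SKU name and plan names
# below are assumptions for illustration.
Import-Module AzureAD

# 1. Inventory: purchased vs. consumed licenses for every subscription in the tenant.
Get-AzureADSubscribedSku |
    Select-Object SkuPartNumber,
        @{Name = 'Purchased'; Expression = { $_.PrepaidUnits.Enabled }},
        @{Name = 'Assigned';  Expression = { $_.ConsumedUnits }},
        @{Name = 'Available'; Expression = { $_.PrepaidUnits.Enabled - $_.ConsumedUnits }} |
    Format-Table -AutoSize

# 2. Assign an E3 license to one user but keep Yammer and Sway switched off.
$userUpn = 'alice@contoso.example'              # assumption
$skuName = 'ENTERPRISEPACK'                     # Office 365 E3 part number
$disable = @('YAMMER_ENTERPRISE', 'SWAY')       # service plan names to leave disabled

$sku = Get-AzureADSubscribedSku | Where-Object SkuPartNumber -eq $skuName
if (-not $sku) { throw "SKU $skuName is not present in this tenant" }
if ($sku.PrepaidUnits.Enabled -le $sku.ConsumedUnits) { throw "No free $skuName licenses" }

# Disabled plans are referenced by ServicePlanId, so translate the names first.
$disabledPlanIds = $sku.ServicePlans |
    Where-Object { $_.ServicePlanName -in $disable } |
    Select-Object -ExpandProperty ServicePlanId

$license = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$license.SkuId         = $sku.SkuId
$license.DisabledPlans = $disabledPlanIds

$licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$licenses.AddLicenses = $license

# A UsageLocation must be set before any license can be assigned.
$user = Get-AzureADUser -ObjectId $userUpn
if (-not $user.UsageLocation) { Set-AzureADUser -ObjectId $user.ObjectId -UsageLocation 'US' }

Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $licenses

# 3. Verify: list the service plans that are now active for the user.
(Get-AzureADUserLicenseDetail -ObjectId $user.ObjectId).ServicePlans |
    Where-Object ProvisioningStatus -ne 'Disabled' |
    Select-Object ServicePlanName, ProvisioningStatus
```

The inventory step comes first on purpose: attempting an assignment when no licenses are free fails with a generic error, so checking PrepaidUnits against ConsumedUnits before the call gives a clearer failure and is the same comparison the admin center shows as "available".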
Effective and secure administration of an Office 365 tenant relies on the proper use of administrative roles. The 70-346 Exam required candidates to understand the different built-in roles and how to assign them to delegate administrative tasks without granting excessive permissions. This aligns with the security principle of least privilege, which states that users should only have the access required to perform their specific job functions.
The highest-level role is the Global Administrator, which has full access to every setting and service. This role should be assigned to a very small number of trusted individuals. For more specialized tasks, there are a variety of other roles. For example, the Exchange Administrator role can manage all aspects of mailboxes and mail flow, but cannot manage users in Azure AD. The User Management Administrator can manage users and groups but cannot configure service settings.
Assigning a role is a straightforward process done through the admin center. You select a user and then choose which administrative role to assign to them. For the 70-346 Exam, it was crucial to be able to analyze a set of administrative requirements and determine the most appropriate role to assign to a user. This prevents the over-provisioning of permissions and reduces the organization's security risk.
In addition to the built-in roles, Microsoft 365 also allows for the creation of custom roles in some services, providing even more granular control. A solid understanding of role-based access control (RBAC) is fundamental for maintaining a secure and well-managed environment. This skill, which was central to the 70-346 Exam, is even more critical today as the number of services and settings in Microsoft 365 continues to grow.
Proper DNS configuration is absolutely critical for the functioning of Office 365 services, particularly Exchange Online and Skype for Business (now Microsoft Teams). The 70-346 Exam placed a strong emphasis on an administrator's ability to plan for, create, and verify the necessary public DNS records. Without the correct DNS records, mail will not flow, and clients will not be able to discover and connect to the services.
The most important record for email is the MX (Mail Exchanger) record. This record tells other mail servers on the internet where to deliver email for your domain. For Office 365, the MX record must point to the value provided by Microsoft. Another key record for mail flow is the SPF (Sender Policy Framework) record. This is a TXT record that helps to prevent email spoofing by specifying which mail servers are authorized to send email on behalf of your domain.
For client connectivity, the Autodiscover record is essential. This is typically a CNAME record that allows email clients like Outlook to automatically discover and configure the user's mailbox settings. Similar CNAME records are required for services like Skype for Business/Teams to enable client sign-in and service discovery. The 70-346 Exam required candidates to know the specific names and target values for these critical records.
The process involves working with your public DNS provider to create these records. The Microsoft 365 admin center provides a guided process that shows you the exact records you need to create for each of your verified domains. After creating the records, you use the admin center to run a check, which verifies that they are correctly configured and propagated across the internet. Troubleshooting DNS issues was a key skill for the 70-346 Exam.
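The admin center check described above can be reproduced from a workstation, which is useful while waiting for DNS propagation. The script below is an added example, not code from the original page; it uses Resolve-DnsName from the Windows DnsClient module, the domain name is an assumption, and the expected targets are the standard Office 365 values for the MX, SPF and Autodiscover records.

```powershell
# Added example (not from the original page): verify the public DNS records that
# Office 365 mail flow and client discovery depend on, using Resolve-DnsName
# (Windows DnsClient module). The domain is an assumption; the expected targets
# are the standard Office 365 values.
$domain = 'contoso.example'                                   # assumption

$checks = @(
    @{ Name = $domain;                Type = 'MX';    Expect = 'mail.protection.outlook.com' }
    @{ Name = $domain;                Type = 'TXT';   Expect = 'include:spf.protection.outlook.com' }
    @{ Name = "autodiscover.$domain"; Type = 'CNAME'; Expect = 'autodiscover.outlook.com' }
)

foreach ($c in $checks) {
    try {
        # -DnsOnly bypasses the local cache and hosts file so we see what the
        # internet sees, not a stale answer.
        $records = Resolve-DnsName -Name $c.Name -Type $c.Type -DnsOnly -ErrorAction Stop
    } catch {
        Write-Output "[FAIL] $($c.Type) $($c.Name): no record found ($($_.Exception.Message))"
        continue
    }

    # The field that carries the target differs per record type.
    $values = switch ($c.Type) {
        'MX'    { $records | Where-Object Type -eq 'MX'    | ForEach-Object { $_.NameExchange } }
        'TXT'   { $records | Where-Object Type -eq 'TXT'   | ForEach-Object { $_.Strings -join '' } }
        'CNAME' { $records | Where-Object Type -eq 'CNAME' | ForEach-Object { $_.NameHost } }
    }

    $ok = $values | Where-Object { $_ -like "*$($c.Expect)*" }
    if ($ok) {
        Write-Output "[ OK ] $($c.Type) $($c.Name) -> $($ok -join ', ')"
    } else {
        Write-Output "[FAIL] $($c.Type) $($c.Name): got '$($values -join '; ')', expected to contain '$($c.Expect)'"
    }
}

# SPF sanity checks: receivers treat more than one v=spf1 record as a permanent
# error, and a record that does not end in -all or ~all authorises nothing useful.
$spf = @(Resolve-DnsName -Name $domain -Type TXT -DnsOnly -ErrorAction SilentlyContinue |
         Where-Object { ($_.Strings -join '') -like 'v=spf1*' })
if ($spf.Count -ne 1) {
    Write-Output "[WARN] found $($spf.Count) v=spf1 records for $domain; exactly one is required"
} elseif (($spf[0].Strings -join '') -notmatch '(-|~)all$') {
    Write-Output "[WARN] SPF record for $domain does not end with -all or ~all"
}
```

Running this against the domain immediately after creating the records will usually show failures until the registrar's TTL expires; re-running it a few minutes later, from a different resolver if possible, separates a propagation delay from a genuinely mistyped record.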
A proactive administrator must constantly be aware of the health and status of the services within their Office 365 tenant. A significant part of the 70-346 Exam curriculum was focused on the tools and processes for monitoring service health, managing service interruptions, and creating service requests. This ensures that administrators can respond quickly to issues and keep their users informed.
The primary tool for this is the Service Health Dashboard in the Microsoft 365 admin center. This dashboard provides a real-time view of the status of all services. If Microsoft is experiencing a widespread issue or performing planned maintenance, the details will be published here. It provides information about the user impact, the current status of the investigation, and any available workarounds. The ability to interpret this information and communicate it to users is a key administrative skill.
When an issue is not a known global problem, administrators may need to create a service request to get support from Microsoft. The 70-346 Exam required knowledge of this process. This involves using the admin center to create a new service request, providing a detailed description of the problem, the user impact, and any troubleshooting steps that have already been taken.
Beyond the dashboard, administrators can also subscribe to notifications and view reports on service usage and performance. This helps in identifying trends and potential problems before they become critical. This proactive monitoring approach, a key competency for the 70-346 Exam, is fundamental to maintaining a reliable and high-performing cloud environment for your organization.
At the very core of Office 365 and the broader Microsoft cloud ecosystem is Azure Active Directory (Azure AD), now known as Microsoft Entra ID. For the 70-346 Exam, a deep understanding of Azure AD was non-negotiable, as it is the identity and access management service that underpins the entire platform. Every user, group, and device that accesses Office 365 services has an identity object in Azure AD. It is the central repository for authentication and authorization.
It is important to distinguish Azure AD from traditional on-premises Active Directory Domain Services (AD DS). While they share a similar name, they are architecturally very different. AD DS is designed for managing on-premises resources and uses protocols like Kerberos and LDAP. Azure AD is a modern, cloud-native identity service built for web-based applications and uses protocols like SAML, OAuth 2.0, and OpenID Connect. The 70-346 Exam required candidates to understand Azure AD's role as a cloud-based directory service.
Azure AD is responsible for authenticating users when they sign in to Office 365. It checks their credentials (username and password) and, if configured, enforces additional security checks like multi-factor authentication. Once a user is authenticated, Azure AD issues a security token that the user's client can present to the various Office 365 services (like Exchange Online or SharePoint Online) to prove their identity and gain access to resources.
All the user and group management tasks that an administrator performs for Office 365 are, in fact, operations on objects within Azure AD. Whether you are using the Microsoft 365 admin center, the Azure AD portal, or PowerShell, you are interacting with the Azure AD service. This foundational understanding was a prerequisite for tackling the identity management objectives of the 70-346 Exam.
A primary responsibility for any Office 365 administrator is the management of user accounts. The 70-346 Exam covered the skills required to perform the full lifecycle of user management for cloud-only identities, which are user accounts that are created and exist solely within Azure AD and are not synchronized from an on-premises directory.
Creating a new user can be done through the Microsoft 365 admin center or the Azure AD portal. The process involves specifying the user's display name, their User Principal Name (UPN), and their initial password. You also assign the necessary Office 365 licenses at this stage. For creating users in bulk, using a CSV file upload or a PowerShell script is a much more efficient method, and proficiency in these techniques was an important skill for the 70-346 Exam.
Once a user is created, their properties may need to be modified over time. This includes updating contact information, changing their job title or department, or assigning a manager. These attributes are not just for informational purposes; they are used by various Office 365 services. For example, the organizational information is used to build the organization chart that is visible in applications like Microsoft Teams and Delve.
When a user leaves the organization, their account must be properly managed. The standard practice is to first block the user's sign-in and then, after a certain period, delete the account. Deleted users are moved to a recycle bin (the "Deleted users" view in Azure AD) for a period of 30 days, during which they can be restored. The 70-346 Exam required knowledge of this soft-delete and restore functionality, which is a crucial safety net against accidental deletions.
Password management is a critical aspect of identity security, and it was a significant topic in the 70-346 Exam. Azure AD has a default password policy that enforces basic complexity requirements and prevents the use of common weak passwords. For cloud-only users, administrators can configure settings like the password expiration policy, which defines how often users are required to change their passwords.
A key feature for improving user experience and reducing help desk calls is Self-Service Password Reset (SSPR). SSPR allows users who have forgotten their password to reset it themselves, without needing to contact an administrator. To use SSPR, users must first register one or more authentication methods, such as a mobile phone number for a text message code, an authenticator app, or a set of security questions.
The 70-346 Exam required administrators to know how to enable and configure SSPR. This involves using the Azure AD portal to turn on the feature for a specific group of users (or all users) and to select which authentication methods are available for them to use. A well-implemented SSPR strategy is a hallmark of a mature identity management practice.
For administrators, there is also the need to perform password resets on behalf of users. This can be done through the admin center or with PowerShell. When an administrator resets a user's password, they can either generate a temporary password or force the user to change their password at the next sign-in. Understanding these different password management options, for both end-users and administrators, was essential for the 70-346 Exam.
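The account lifecycle steps from the "When a user leaves the organization" paragraph (block sign-in, delete, restore from the 30-day recycle bin) and the administrator password reset described just above are combined in the following added example, which is not code from the original page. It uses the AzureAD module, assumes an existing Connect-AzureAD session, and the function names and user principal name are assumptions for illustration.

```powershell
# Added example (not from the original page): cloud-only account lifecycle tasks as
# reusable functions, using the AzureAD module. Assumes Connect-AzureAD has run;
# function names and the UPN are assumptions for illustration.
Import-Module AzureAD

function Reset-CloudUserPassword {
    param([string] $Upn, [securestring] $TemporaryPassword)
    # Admin-initiated reset: force a change at next sign-in so the administrator
    # never holds the user's lasting password.
    Set-AzureADUserPassword -ObjectId $Upn -Password $TemporaryPassword -ForceChangePasswordNextLogin $true
}

function Disable-CloudUserSignIn {
    param([string] $Upn)
    # Offboarding step one: block sign-in, then revoke refresh tokens so sessions
    # that are already signed in cannot silently renew their access tokens.
    Set-AzureADUser -ObjectId $Upn -AccountEnabled $false
    Revoke-AzureADUserAllRefreshToken -ObjectId $Upn
}

function Remove-CloudUserSoft {
    param([string] $Upn)
    # Offboarding step two, after your retention period: delete. The object moves to
    # the Deleted users recycle bin for 30 days. The ObjectId is returned so it can
    # be recorded; the UPN alone is not enough to find a deleted object later.
    $user = Get-AzureADUser -ObjectId $Upn
    Remove-AzureADUser -ObjectId $user.ObjectId
    return $user.ObjectId
}

function Restore-CloudUser {
    param([string] $ObjectId)
    # Safety net: bring a soft-deleted user back (within 30 days) and re-enable it.
    $deleted = Get-AzureADMSDeletedDirectoryObject -Id $ObjectId -ErrorAction SilentlyContinue
    if (-not $deleted) { throw "No soft-deleted object with id $ObjectId (older than 30 days or never deleted)" }
    Restore-AzureADMSDeletedDirectoryObject -Id $ObjectId | Out-Null
    Set-AzureADUser -ObjectId $ObjectId -AccountEnabled $true
}

# Usage (the UPN is an assumption). Each step is normally run on its own.
$upn = 'bob@contoso.example'
Reset-CloudUserPassword -Upn $upn -TemporaryPassword (Read-Host -AsSecureString 'Temporary password')
Disable-CloudUserSignIn -Upn $upn
$id = Remove-CloudUserSoft -Upn $upn
Restore-CloudUser -ObjectId $id        # only if the deletion turns out to be a mistake
```

Disabling the account and revoking refresh tokens are kept together because blocking sign-in on its own does not end sessions that already hold tokens; the revoke forces every client to re-authenticate, at which point the disabled account is rejected.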
In today's threat landscape, a password alone is no longer considered sufficient protection for a user's account. Multi-Factor Authentication (MFA) adds a crucial second layer of security, and its implementation was a key skill for the 70-346 Exam. MFA requires users to provide at least two different forms of verification when they sign in, proving they are who they say they are. This dramatically reduces the risk of an account compromise from a stolen password.
The "factors" of authentication are typically categorized as something you know (like a password), something you have (like a mobile phone with an authenticator app), and something you are (like a fingerprint or facial scan). Azure AD MFA supports a variety of second factors, including a phone call, a text message with a code, or a notification in the Microsoft Authenticator app.
The 70-346 Exam covered the different ways to enable MFA for users. The original method was to enable it on a per-user basis, which was a simple on/off switch. However, the modern and much more powerful approach is to use Conditional Access policies. Conditional Access allows you to create rules that require MFA based on various conditions, such as the user's location, the device they are using, or the application they are trying to access.
For example, you could create a policy that requires MFA for all users when they are accessing Office 365 from a location outside of the corporate network. This provides a balance between security and user convenience. While Conditional Access is a more advanced topic, understanding the fundamental importance of MFA and how to enable it was a core security competency for the 70-346 Exam.
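The policy in the example above (MFA for everyone, except from the corporate network) can be created with the Conditional Access cmdlets in the AzureAD module. The following is an added example, not code from the original page: it first defines the corporate egress range as a trusted named location, then creates the policy in report-only mode. It assumes an existing Connect-AzureAD session and an Azure AD Premium license; the IP range, display names and the break-glass account's object id are assumptions.

```powershell
# Added example (not from the original page): require MFA for all users unless the
# sign-in comes from a trusted named location, using the AzureAD module's
# Conditional Access cmdlets. Assumes Connect-AzureAD has run. IP range, names and
# the break-glass object id are assumptions.
Import-Module AzureAD

# 1. Mark the corporate egress range as a trusted named location (assumed range).
$ipRange = New-Object -TypeName Microsoft.Open.MSGraph.Model.IpRange
$ipRange.CidrAddress = '203.0.113.0/24'
New-AzureADMSNamedLocationPolicy -OdataType '#microsoft.graph.ipNamedLocation' `
    -DisplayName 'Corporate network' -IsTrusted $true -IpRanges $ipRange | Out-Null

# 2. Conditions: every application, every user, every location except trusted ones.
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet

$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = 'All'

$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = 'All'
# Always exclude the dedicated emergency-access (break-glass) account so an MFA
# outage cannot lock every administrator out of the tenant.
$conditions.Users.ExcludeUsers = '<break-glass-account-object-id>'   # placeholder

$conditions.Locations = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessLocationCondition
$conditions.Locations.IncludeLocations = 'All'
$conditions.Locations.ExcludeLocations = 'AllTrusted'

# 3. Grant control: access is allowed only after MFA.
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = 'OR'
$controls.BuiltInControls = 'mfa'

# 4. Create in report-only mode first; switch State to 'enabled' after reviewing
#    the sign-in log to confirm the policy matches the expected sign-ins.
New-AzureADMSConditionalAccessPolicy -DisplayName 'Require MFA outside corporate network' `
    -State 'enabledForReportingButNotEnforced' -Conditions $conditions -GrantControls $controls
```

Report-only mode records in the sign-in logs what the policy would have done without blocking anyone, which is the safest way to find users who have not yet registered an MFA method before enforcement begins.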
Groups are a fundamental tool for managing access to resources and for communication in Office 365. The 70-346 Exam required a solid understanding of the different types of groups and how to manage their membership. Using groups simplifies administration by allowing you to assign permissions or send communications to a collection of users at once, rather than to each user individually.
There are several types of groups. Security groups are used to grant access to resources, such as SharePoint sites or shared mailboxes. Distribution groups are used for sending email to a list of recipients. Microsoft 365 groups (formerly Office 365 groups) are a more modern type of group that provides a collaborative workspace, including a shared mailbox, a calendar, a SharePoint site, and a Planner plan.
Group membership can be either assigned or dynamic. With assigned membership, an administrator manually adds or removes users from the group. With dynamic membership (which requires an Azure AD Premium license), the membership is updated automatically based on rules that you define. For example, you could create a dynamic group that automatically includes all users whose "Department" attribute is set to "Sales." This powerful automation capability was an important concept for the 70-346 Exam.
Managing groups and their members can be done through the admin center or with PowerShell. PowerShell is particularly useful for tasks like exporting the membership of a large group or for performing bulk additions or removals of members. A deep understanding of how to leverage groups to streamline administration and access control is a critical skill for any Office 365 professional.
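The group operations described above (an assigned security group, a dynamic group driven by the Department attribute, a membership export, and a bulk removal) are shown together in this added example, which is not code from the original page. It uses the AzureAD module, assumes an existing Connect-AzureAD session and an Azure AD Premium license for the dynamic group, and the group names, user principal name and file path are assumptions.

```powershell
# Added example (not from the original page): assigned and dynamic groups plus a
# membership export and bulk removal, using the AzureAD module. Assumes
# Connect-AzureAD has run; names, UPN and path are assumptions.
Import-Module AzureAD

# 1. Assigned security group: membership is managed by hand.
$grp = New-AzureADGroup -DisplayName 'SharePoint-Finance-Readers' -MailEnabled $false `
           -SecurityEnabled $true -MailNickName 'spfinreaders' `
           -Description 'Read access to the Finance SharePoint site'
$member = Get-AzureADUser -ObjectId 'carol@contoso.example'      # assumption
Add-AzureADGroupMember -ObjectId $grp.ObjectId -RefObjectId $member.ObjectId

# 2. Dynamic security group: Azure AD evaluates the rule and maintains membership.
#    Disabled accounts are excluded so leavers drop out automatically.
$dyn = New-AzureADMSGroup -DisplayName 'All-Sales' -MailEnabled $false -SecurityEnabled $true `
           -MailNickname 'allsales' -GroupTypes 'DynamicMembership' `
           -MembershipRule '(user.department -eq "Sales") and (user.accountEnabled -eq true)' `
           -MembershipRuleProcessingState 'On'

# 3. Export the membership of a large group for review; -All $true pages through
#    results instead of stopping at the first 100.
Get-AzureADGroupMember -ObjectId $grp.ObjectId -All $true |
    Select-Object DisplayName, UserPrincipalName, ObjectType |
    Export-Csv -Path '.\finance-readers.csv' -NoTypeInformation

# 4. Bulk removal from the assigned group: drop every member whose account is disabled.
Get-AzureADGroupMember -ObjectId $grp.ObjectId -All $true |
    Where-Object { $_.ObjectType -eq 'User' -and -not $_.AccountEnabled } |
    ForEach-Object {
        Write-Output "removing $($_.UserPrincipalName)"
        Remove-AzureADGroupMember -ObjectId $grp.ObjectId -MemberId $_.ObjectId
    }

# Membership of the dynamic group is read the same way once the rule has been processed.
Get-AzureADGroupMember -ObjectId $dyn.Id -All $true | Select-Object DisplayName, UserPrincipalName
```

Note the two cmdlet families: the older New-AzureADGroup cannot create dynamic groups, so the example switches to New-AzureADMSGroup (whose result exposes Id rather than ObjectId) for the rule-based group.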
While the graphical user interface of the admin center is convenient for managing individual users and groups, it is not efficient for performing tasks at scale. The 70-346 Exam emphasized the importance of using PowerShell for automation and bulk management of Office 365 identities. PowerShell is a powerful command-line shell and scripting language that allows administrators to connect to their tenant and perform almost any management task programmatically.
To get started, administrators must install the necessary PowerShell modules, such as the Azure Active Directory PowerShell for Graph module. Once installed, they can use the Connect-AzureAD cmdlet to establish an authenticated session with their tenant. From there, they have access to a rich set of cmdlets for managing users, groups, and licenses.
For example, to retrieve a list of all users, you would use Get-AzureADUser. To create a new user, you would use New-AzureADUser. These cmdlets can be combined with other PowerShell features, like loops and conditional logic, to create powerful scripts. For instance, you could write a script that reads a list of new employees from a CSV file and automatically creates an Office 365 account and assigns the correct license for each one.
The 70-346 Exam would often present scenarios and ask the candidate to identify the correct PowerShell cmdlet or script snippet to accomplish a specific task. This required not just memorization of command names, but an understanding of their parameters and how to pipe them together to perform complex operations. Proficiency in PowerShell remains one of the most valuable skills for a Microsoft 365 administrator today.
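The CSV-driven onboarding script mentioned above (read new employees from a file, create each account, assign the correct license) is written out in full here as an added example; it is not code from the original page. It uses the AzureAD module and assumes an existing Connect-AzureAD session. The CSV rows are constructed sample input, and the domain, SKU name and helper function name are assumptions.

```powershell
# Added example (not from the original page): bulk-create cloud-only users from a
# CSV and license them, using the AzureAD module. Assumes Connect-AzureAD has run.
# The CSV rows, domain, SKU name and helper name are constructed assumptions.
Import-Module AzureAD

# Constructed sample input; in practice replace with Import-Csv -Path .\newhires.csv
$newHires = @'
FirstName,LastName,Department,UsageLocation,Sku
Dana,Reyes,Sales,US,ENTERPRISEPACK
Emil,Novak,Engineering,DE,ENTERPRISEPACK
'@ | ConvertFrom-Csv

$domain = 'contoso.example'                                   # assumption

function New-TemporaryPassword {
    # One character from each class plus random filler, then shuffled, so the
    # result satisfies Azure AD's complexity rules regardless of chance.
    $upper = [char[]](65..90); $lower = [char[]](97..122); $digit = [char[]](48..57); $sym = [char[]]'!@#%?'
    $p = @((Get-Random -InputObject $upper), (Get-Random -InputObject $lower),
           (Get-Random -InputObject $digit), (Get-Random -InputObject $sym))
    $p += Get-Random -InputObject ($upper + $lower + $digit) -Count 12
    -join (Get-Random -InputObject $p -Count $p.Count)
}

# Resolve SKU part numbers to SkuIds once rather than per user.
$skus = @{}
Get-AzureADSubscribedSku | ForEach-Object { $skus[$_.SkuPartNumber] = $_.SkuId }

foreach ($row in $newHires) {
    $nick = ("$($row.FirstName).$($row.LastName)").ToLower()
    $upn  = "$nick@$domain"

    # Idempotency: skip accounts that already exist instead of failing midway.
    if (Get-AzureADUser -Filter "userPrincipalName eq '$upn'") {
        Write-Output "skip    $upn (already exists)"; continue
    }
    if (-not $skus.ContainsKey($row.Sku)) {
        Write-Output "skip    $upn (unknown SKU $($row.Sku))"; continue
    }

    $profile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    $profile.Password = New-TemporaryPassword
    $profile.ForceChangePasswordNextLogin = $true

    # UsageLocation is set at creation because license assignment requires it.
    $user = New-AzureADUser -DisplayName "$($row.FirstName) $($row.LastName)" `
                -UserPrincipalName $upn -MailNickName $nick -AccountEnabled $true `
                -PasswordProfile $profile -Department $row.Department `
                -UsageLocation $row.UsageLocation

    $lic = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
    $lic.SkuId = $skus[$row.Sku]
    $lics = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
    $lics.AddLicenses = $lic
    Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $lics

    # Hand the temporary password to onboarding out of band; it is never written to the log.
    Write-Output "created $upn ($($row.Sku))"
}
```

The script deliberately never prints or stores the generated password; whatever channel the organisation uses to hand first-day credentials to a new employee should receive it directly from $profile.Password inside the loop, not from a log file.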
For most established organizations, moving to Office 365 does not mean abandoning their existing on-premises Active Directory Domain Services (AD DS). This on-premises directory is often deeply integrated with many internal applications and systems. The concept of hybrid identity provides a bridge between this on-premises world and the cloud. This was a major and complex topic area of the 70-346 Exam, and the skills remain highly relevant.
Hybrid identity is the practice of creating a common user identity for authentication and authorization to resources, regardless of whether those resources are located on-premises or in the cloud. The goal is to provide a seamless sign-on experience for users and to simplify administration. Instead of managing two separate sets of credentials for each user, you manage a single identity that is synchronized from your on-premises AD DS to your cloud-based Azure AD.
This synchronization allows users to use their familiar on-premises username and password to log in to Office 365 services. This greatly improves the user experience and reduces confusion. For administrators, it means that user account lifecycle management (creating, disabling, and deleting users) can continue to be done in the on-premises Active Directory, and the changes will automatically be reflected in the cloud.
The primary tool that enables this hybrid identity model is Azure AD Connect. A deep understanding of how to plan for, install, and manage Azure AD Connect was a central requirement for the 70-346 Exam. This tool is the engine that drives the synchronization process, and its correct configuration is critical to the health and security of a hybrid environment.
Azure AD Connect is not a single program but a collection of components that work together to provide directory synchronization. A key part of the 70-346 Exam was understanding this architecture. The core component is the synchronization engine, which is responsible for reading objects from the on-premises Active Directory and writing them to Azure AD.
The sync engine uses a staging area called the metaverse. It maintains a connector space for the on-premises AD and another for Azure AD. Data is first imported from the source directories into their respective connector spaces. Then, projection and join rules are used to create a unified representation of the identity objects in the metaverse. Finally, export rules are used to provision and update the objects in the target directory, Azure AD.
Another key component is Azure AD Connect Health. This is a cloud-based service that provides monitoring for your on-premises identity infrastructure. It can monitor the health of your Azure AD Connect sync servers and provide alerts, reports, and detailed analytics about synchronization performance and errors. The ability to use the Health agent to troubleshoot sync problems was a key skill for the 70-346 Exam.
Azure AD Connect is typically installed on a dedicated member server in your on-premises environment. For high availability, it is possible to have a second server in "staging mode." This server receives the same configuration as the primary server but does not actively export any changes. If the primary server fails, an administrator can manually fail over to the staging server. Understanding these architectural options was crucial for design-related questions.
When you implement directory synchronization with Azure AD Connect, you must also choose how your users will authenticate. Azure AD Connect offers several options, and selecting the right one is a critical architectural decision that was heavily tested on the 70-346 Exam. The three main methods are Password Hash Synchronization (PHS), Pass-through Authentication (PTA), and Federation.
Password Hash Synchronization is the simplest and most common method. With PHS, Azure AD Connect synchronizes a hash of the user's on-premises Active Directory password hash to Azure AD; the clear-text password itself never leaves the on-premises directory. When a user signs in to Office 365, Azure AD authenticates them directly by hashing the password they entered and comparing the result with the stored value. This method is highly resilient because authentication does not depend on the on-premises infrastructure being available.
Pass-through Authentication (PTA) is an alternative that provides a higher level of security for organizations that have a policy against synchronizing password hashes to the cloud. With PTA, a lightweight agent is installed on-premises. When a user tries to sign in, Azure AD passes the username and password to this agent, which then validates them against the on-premises Active Directory. The authentication happens on-premises, and no password hashes are stored in the cloud.
Federation is the most complex option and is typically implemented using Active Directory Federation Services (AD FS). In this model, Azure AD is configured to trust an on-premises identity provider (AD FS). When a user signs in, they are redirected to the AD FS servers for authentication. This model provides the most control but requires a highly available on-premises federation infrastructure. The 70-346 Exam required candidates to understand the pros and cons of each of these methods.
The practical skill of installing and configuring Azure AD Connect was a core competency for the 70-346 Exam. The installation wizard provides two main paths: Express Settings and Custom Settings. Express Settings is a streamlined process that makes a number of default choices and is suitable for single-forest Active Directory environments with fewer than 100,000 objects. It automatically installs and configures Password Hash Synchronization.
For more complex environments, you must use the Custom Settings path. This allows you to configure a wide range of options. You can specify a custom installation location, use an existing SQL Server for the database, and connect to multiple Active Directory forests. Most importantly, the custom path is where you select the user sign-in method (PHS, PTA, or Federation) that you have chosen for your design.
During the custom installation, you will be prompted for credentials for both your on-premises Active Directory (an Enterprise Admin account is needed for the initial setup) and your Azure AD (a Global Administrator account). The wizard will then create the necessary service accounts and configure the synchronization rules based on your selections.
After the initial installation, you can re-run the Azure AD Connect wizard at any time to modify the configuration. This is how you would change the sign-in method, configure optional features like password writeback, or customize the synchronization options, such as filtering which objects are synchronized to the cloud. A deep familiarity with this wizard and its various options was essential for the 70-346 Exam.
By default, Azure AD Connect will synchronize all user, group, and contact objects from your on-premises Active Directory to Azure AD. However, in many cases, you may want to limit which objects are synchronized. The 70-346 Exam required administrators to know how to configure filtering to control the scope of synchronization. This can be important for security, performance, and licensing reasons.
There are several ways to configure filtering. The simplest and recommended method is to use domain or organizational unit (OU) based filtering. During the custom installation of Azure AD Connect, you can select the specific domains and OUs that you want to synchronize. Any objects that reside outside of the selected OUs will not be synchronized to the cloud. This is a common way to stage a migration by only synchronizing a pilot group of users initially.
For more granular control, you can use attribute-based filtering. This allows you to create rules that synchronize objects based on the value of a specific attribute. For example, you could configure a rule to only synchronize user accounts that have the extensionAttribute1 set to a specific value. This requires a more advanced configuration of the synchronization rules.
It is crucial to plan your filtering strategy carefully. If you filter out an object that was previously being synchronized, it will be deleted from Azure AD. Understanding the impact of changing your filtering configuration was a key concept for the 70-346 Exam. The goal is to ensure that only the necessary identity objects are present in the cloud, following the principle of least privilege.
Once Azure AD Connect is up and running, it is critical to monitor its health and to be able to troubleshoot any issues that arise. The 70-346 Exam tested the skills required to keep the synchronization process running smoothly. The primary on-premises tool for this is the Synchronization Service Manager.
The Synchronization Service Manager provides a detailed view of the synchronization process. You can see the results of the import, synchronization, and export runs for each connector. If there are any errors, such as a corrupted attribute on an object that prevents it from being synchronized, the details of the error will be visible here. This tool is indispensable for deep-dive troubleshooting of individual object sync issues.
For a higher-level, cloud-based view, you use Azure AD Connect Health. The Health agent, which is installed with Azure AD Connect, sends data about the health of the sync service up to the Azure portal. The portal provides a dashboard that can alert you to major problems, such as a prolonged period without a successful synchronization. It also provides reports on password hash synchronization latency and other key performance indicators.
Common troubleshooting tasks that were relevant for the 70-346 Exam include investigating why a user's password change has not synced to the cloud, why a newly created user has not appeared in Office 365, or why an attribute change made on-premises is not being reflected. This requires a methodical approach, starting with the Health dashboard and then moving to the Synchronization Service Manager for more detailed analysis if necessary.
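The methodical approach described above (check the scheduler and run state on the sync server, then confirm what the cloud side holds for the affected object) is captured in the following added example, which is not code from the original page. The first half uses the ADSync module and must run on the Azure AD Connect server itself; the second half uses the AzureAD module from any admin workstation with an existing Connect-AzureAD session. The user principal name is an assumption.

```powershell
# Added example (not from the original page): first-pass checks for "my change has
# not reached the cloud". Part 1 runs on the Azure AD Connect server (ADSync module);
# part 2 runs anywhere with a Connect-AzureAD session. The UPN is an assumption.

# ---- Part 1: on the Azure AD Connect server ----
Import-Module ADSync

# Is the scheduler enabled, is this server in staging mode, and is a cycle running?
# A server in staging mode imports and syncs but never exports, which looks like
# "nothing reaches the cloud" if you forgot which server is active.
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, StagingModeEnabled, SyncCycleInProgress,
                  NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC

# Connectors that are currently running (empty output means the engine is idle).
Get-ADSyncConnectorRunStatus

# Trigger a delta cycle if none is in progress; Initial re-reads every object and
# is only needed after configuration changes such as new filtering rules.
if (-not (Get-ADSyncScheduler).SyncCycleInProgress) {
    Start-ADSyncSyncCycle -PolicyType Delta
}

# For password changes specifically, the built-in diagnostics report whether
# password hash sync is enabled on the connector and when it last succeeded.
Invoke-ADSyncDiagnostics -PasswordSync

# ---- Part 2: cloud side, from any admin workstation ----
Import-Module AzureAD

# Tenant-level view: is directory sync on, and when did the last export land?
Get-AzureADTenantDetail | Select-Object DirSyncEnabled, CompanyLastDirSyncTime

# Object-level view for the user who reported the problem (UPN is an assumption).
$upn = 'dana.reyes@contoso.example'
$u = Get-AzureADUser -ObjectId $upn
$u | Select-Object UserPrincipalName, AccountEnabled, DirSyncEnabled, LastDirSyncTime, ImmutableId

# How to read it:
#  - DirSyncEnabled $true with a recent LastDirSyncTime: the object was exported,
#    so an "old" attribute value points at the on-premises change itself or at a
#    sync rule that does not flow that attribute.
#  - DirSyncEnabled empty/$false on a user expected to be synced: the cloud object
#    was created directly in Azure AD and has never been joined to an AD object.
#  - ImmutableId empty: the on-premises object was never projected, most often
#    because it sits outside the selected OUs or fails an attribute filter.
```

If these checks show a healthy scheduler and a recent export but the object still lacks the change, the next stop is the Synchronization Service Manager, where the connector space entry for that object shows the exact rule or attribute error that stopped it.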
While Password Hash Sync and Pass-through Authentication are common in hybrid environments, the most complex and powerful authentication method covered by the 70-346 Exam was federation. Federation provides true Single Sign-On (SSO) by creating a trust relationship between your on-premises identity provider and Office 365. To understand federation, you must first grasp the concept of claims-based authentication.
In a claims-based model, a user is not authenticated by presenting a password directly to an application. Instead, they authenticate to a trusted Identity Provider (IdP). The IdP, upon successful authentication, issues a security token containing a set of "claims" about the user. These claims are statements about the user, such as their name, email address, or group memberships. The user then presents this token to the application.
The application, known as the Relying Party (RP), is configured to trust the IdP. It validates the signature on the security token to ensure it came from the trusted IdP, and then reads the claims to identify the user and make authorization decisions. This model decouples the application from the authentication process. The application doesn't need to know how the user was authenticated; it only needs to trust the IdP.
For the 70-346 Exam, Office 365 is the Relying Party, and the on-premises Active Directory Federation Services (AD FS) is the Identity Provider. When a user tries to access an Office 365 resource, they are redirected to their company's AD FS servers to sign in. AD FS authenticates them against the on-premises Active Directory and issues a token, which is then sent back to Office 365.
Active Directory Federation Services (AD FS) is a Windows Server role that allows you to provide single sign-on access to systems and applications located outside your corporate network. For the 70-346 Exam, its primary role was to act as the on-premises Identity Provider for an Office 365 federation trust. A deep understanding of the AD FS architecture was essential.
The core component of an AD FS deployment is the Federation Server. This is the server that runs the AD FS service, authenticates users against Active Directory, and generates the security tokens. For high availability and scalability, you typically deploy multiple federation servers in a load-balanced configuration known as a farm. All servers in the farm share the same configuration database.
For users who are accessing Office 365 from outside the corporate network, you need a way to securely publish the AD FS service to the internet. This is the role of the Web Application Proxy (WAP). The WAP is another Windows Server role that is deployed in a perimeter network (DMZ). It acts as a reverse proxy, receiving authentication requests from the internet and forwarding them to the internal federation servers.
This architecture ensures that the federation servers, which are domain-joined and have direct access to Active Directory, are not directly exposed to the internet. The WAP provides a layer of security and pre-authentication. A typical AD FS deployment for Office 365 would consist of at least two internal federation servers and at least two WAP servers for full redundancy. This resilient design was a key concept for the 70-346 Exam.
Because federation places the authentication responsibility entirely on the on-premises infrastructure, the availability of the AD FS farm is critical. If the AD FS and WAP servers are down, no one can log in to Office 365. The 70-346 Exam required a strong understanding of the design principles for creating a highly available AD FS deployment.
High availability for the internal federation servers is achieved by creating an AD FS farm with two or more servers. These servers need to be load-balanced using a technology like a hardware load balancer or Windows Network Load Balancing (NLB). The load balancer provides a single virtual IP address for the farm and distributes the traffic across the active servers.
Similarly, the Web Application Proxy servers in the DMZ should also be deployed in a load-balanced cluster of at least two nodes. This ensures that the failure of a single WAP server will not prevent external users from authenticating. The design must also consider network connectivity, ensuring that the necessary firewall ports are open between the WAP servers and the internal federation servers, and between the federation servers and the domain controllers.
The AD FS configuration database also requires consideration for high availability. In older versions of AD FS, you could use a dedicated SQL Server cluster. However, the more common and recommended approach for most deployments is to use the built-in Windows Internal Database (WID). In a WID-based farm, the primary AD FS server holds the read-write copy of the database, and the other servers in the farm pull read-only copies. This provides sufficient redundancy for the configuration data.
Once the AD FS infrastructure is built, the next step is to configure the trust relationship between AD FS (the IdP) and Azure AD (the RP for Office 365). The 70-346 Exam tested the skills required to create and manage this federation trust. This process can be done manually using PowerShell commands, but the much simpler and recommended method is to use Azure AD Connect.
When you run the Azure AD Connect wizard and select "Federation with AD FS" as the sign-in option, the wizard will automate the entire trust setup process. It communicates with your AD FS farm and with Azure AD to configure both sides of the trust. It creates the necessary relying party trust in AD FS for Office 365 and configures your custom domain in Azure AD for federation.
During this process, Azure AD Connect will read the public key of the token-signing certificate from your AD FS farm and upload it to Azure AD. This is how Azure AD can later verify the signatures on the security tokens that it receives from your AD FS servers. The wizard also configures the necessary claim rules in AD FS, which define which attributes from Active Directory will be sent as claims in the security token.
After the trust is established, you can verify it using PowerShell cmdlets like Get-MsolDomainFederationSettings. It is also crucial to test the sign-on experience for a synchronized user. When they navigate to an Office 365 portal, they should be seamlessly redirected to your organization's AD FS sign-in page to enter their credentials. This successful redirection and authentication cycle confirms that the federation trust is working correctly.
A critical ongoing maintenance task for an AD FS deployment, and a common source of outages if mismanaged, is the management of its certificates. The 70-346 Exam required a thorough understanding of the different certificates used by AD FS and their lifecycle. There are three main types of certificates: the SSL certificate, the token-signing certificate, and the token-decrypting certificate.
The SSL certificate is used to secure the web traffic to the federation servers and the WAP servers. This is a standard web server SSL certificate that must be issued by a trusted public Certificate Authority (CA), as it will be trusted by clients on the internet. This certificate must be renewed before it expires to prevent browser errors and service interruptions.
The token-signing and token-decrypting certificates are used for the core cryptographic operations of federation. The token-signing certificate is used by the AD FS server to digitally sign the security tokens it issues, which allows the relying party (Office 365) to verify that the token is authentic and has not been tampered with. The token-decrypting certificate works in the other direction: its public key is published in the AD FS federation metadata so that a trusted claims provider can encrypt the tokens it sends to AD FS, and AD FS uses the matching private key to decrypt them. By default, AD FS generates self-signed certificates for both purposes, and they have a one-year validity period.
AD FS has an automatic certificate rollover feature. Shortly before the primary token-signing certificate expires, AD FS will generate a new one and make it the secondary. Office 365 will periodically check for this new certificate. Once the rollover period is complete, the new certificate becomes the primary. Administrators must monitor this process to ensure it completes successfully, as a failure can result in all users being unable to log in. This was a key operational skill for the 70-346 Exam.
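The check an administrator would run for the two passages above (the token-signing public key that Azure AD Connect uploads, and the automatic rollover that must be monitored), as an added example that is not from the page or from Microsoft. It assumes a federation server with the MSOnline module loaded and Connect-MsolService already done; the domain name is a placeholder, and the script only reports, it changes nothing.

```powershell
# Added example (not from the page or from Microsoft): report whether the token-signing
# certificate(s) AD FS is using match the certificate(s) Azure AD has on file for a
# federated domain. Run on a federation server with the MSOnline module loaded and
# Connect-MsolService already done. Report only; it changes nothing.
$DomainName = 'contoso.example'   # placeholder: the federated domain to check

function Get-ThumbprintFromBase64Cert {
    # Azure AD returns certificates as base64 DER; turn one into a thumbprint.
    param([string]$Base64)
    if ([string]::IsNullOrWhiteSpace($Base64)) { return $null }
    $bytes = [Convert]::FromBase64String($Base64)
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    return $cert.Thumbprint
}

# AD FS side: the primary certificate signs tokens now; a secondary exists only while
# automatic rollover has generated the successor but not yet promoted it.
$signing   = Get-AdfsCertificate -CertificateType Token-Signing
$primary   = $signing | Where-Object { $_.IsPrimary }
$secondary = $signing | Where-Object { -not $_.IsPrimary }
$secondaryThumb = if ($secondary) { $secondary.Certificate.Thumbprint } else { '(none)' }

# Azure AD side: the certificate(s) whose signatures it will accept for this domain.
$fed         = Get-MsolDomainFederationSettings -DomainName $DomainName
$cloudActive = Get-ThumbprintFromBase64Cert $fed.SigningCertificate
$cloudNext   = Get-ThumbprintFromBase64Cert $fed.NextSigningCertificate
$cloudKnown  = @(@($cloudActive, $cloudNext) | Where-Object { $_ })

$props    = Get-AdfsProperties
$daysLeft = ($primary.Certificate.NotAfter - (Get-Date)).Days

[pscustomobject]@{
    Domain                   = $DomainName
    AdfsPrimaryThumbprint    = $primary.Certificate.Thumbprint
    AdfsPrimaryExpires       = $primary.Certificate.NotAfter
    DaysUntilPrimaryExpiry   = $daysLeft
    AdfsSecondaryThumbprint  = $secondaryThumb
    AzureAdSigningThumbprint = $cloudActive
    AzureAdNextThumbprint    = $cloudNext
    AutoCertificateRollover  = $props.AutoCertificateRollover
} | Format-List

# Failure mode 1: Azure AD does not know the certificate AD FS signs with, so every
# token AD FS issues for this domain fails signature validation in the cloud.
if ($cloudKnown -notcontains $primary.Certificate.Thumbprint) {
    Write-Warning ("Azure AD has no record of the AD FS primary token-signing certificate. " +
        "Federated sign-in for $DomainName fails until the federation settings are refreshed " +
        "(Update-MsolFederatedDomain -DomainName $DomainName, after Set-MsolADFSContext on this server).")
}
# Failure mode 2: rollover produced a successor Azure AD has not seen yet. Sign-in works
# today but breaks at promotion unless the cloud side catches up first.
elseif ($secondary -and ($cloudKnown -notcontains $secondary.Certificate.Thumbprint)) {
    Write-Warning ("AD FS has a secondary token-signing certificate ($secondaryThumb) that Azure AD " +
        "does not know yet. Confirm the federation metadata is reachable from the internet, " +
        "or refresh the federation settings before the promotion date.")
}
# Failure mode 3: expiry is close and rollover has not generated a successor at all.
elseif ($daysLeft -le 30 -and -not $secondary) {
    Write-Warning ("Primary token-signing certificate expires in $daysLeft days and no secondary " +
        "exists. Check AutoCertificateRollover and CertificateGenerationThreshold in Get-AdfsProperties.")
}
else {
    Write-Output "Token-signing certificates are consistent between AD FS and Azure AD for $DomainName."
}
```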
When a user is unable to sign in to Office 365 in a federated environment, troubleshooting can be complex due to the number of components involved. The 70-346 Exam tested the ability to methodically diagnose and resolve these authentication failures. The process involves tracing the entire authentication flow to identify the point of failure.
The first step is to determine the scope of the issue. Is it affecting a single user or all users? Is it affecting users on the internal network, external users, or both? This helps to narrow down the potential cause. For example, if only external users are affected, the problem is likely with the Web Application Proxy servers or the firewall rules.
A key tool for troubleshooting is the Microsoft Remote Connectivity Analyzer. This web-based tool can perform an Office 365 single sign-on test, which simulates the entire authentication process and provides a detailed report of each step, highlighting any failures. This can often pinpoint the exact problem, whether it is a DNS issue, a certificate problem, or an issue with the AD FS service itself.
On the AD FS servers, the Event Viewer is the primary source of diagnostic information. The AD FS logs will contain detailed error messages if there are problems with authenticating a user or issuing a token. By analyzing these logs and using tools like the Remote Connectivity Analyzer, an administrator can effectively troubleshoot SSO failures, a critical skill that was required for the 70-346 Exam.
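A first-pass triage script in the order the text describes (scope the problem, check DNS and the path to the service, check the SSL certificate, then read the AD FS logs), as an added example that is not from the page or from Microsoft. It assumes it is run as an administrator on a federation server; the federation service name is a placeholder, and no event IDs are assumed, the script reports whatever the log contains.

```powershell
# Added example (not from the page or from Microsoft): first-pass triage of a federated
# sign-in failure. Run on a federation server as an administrator.
$FederationService = 'sts.contoso.example'   # placeholder: your AD FS federation service FQDN
$Since = (Get-Date).AddHours(-2)             # look-back window for the log review

# 1. DNS scope check: external clients should resolve this name to the public WAP address,
#    internal clients to the internal load balancer VIP. A wrong answer on one side explains
#    an "only external users" or "only internal users" symptom.
$dns = Resolve-DnsName -Name $FederationService -Type A -ErrorAction SilentlyContinue
$addresses = ($dns | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) -join ', '
"DNS A records for ${FederationService}: $addresses"

# 2. Reachability on 443 from this host (through the load balancer, not to localhost).
$tcp = Test-NetConnection -ComputerName $FederationService -Port 443 -WarningAction SilentlyContinue
"TCP 443 reachable: $($tcp.TcpTestSucceeded)"

# 3. SSL certificate bound to the federation service on this node: expired or about to.
foreach ($binding in Get-AdfsSslCertificate) {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $binding.CertificateHash }
    if ($cert) {
        $days = ($cert.NotAfter - (Get-Date)).Days
        "SSL certificate for $($binding.HostName):$($binding.PortNumber) expires $($cert.NotAfter) ($days days left)"
        if ($days -lt 14) { Write-Warning "SSL certificate on $($binding.HostName) is within 14 days of expiry." }
    } else {
        Write-Warning "Bound certificate $($binding.CertificateHash) for $($binding.HostName) is not in LocalMachine\My on this node."
    }
}

# 4. AD FS Admin log: errors (level 2) and warnings (level 3) in the window, grouped by
#    event ID so the most frequent failure surfaces first.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Level = @(2, 3); StartTime = $Since } `
    -ErrorAction SilentlyContinue
if (-not $events) {
    "No AD FS/Admin errors or warnings since $Since on this node; check the other farm members and the WAP servers."
} else {
    $events | Group-Object Id | Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'EventId';   e = { $_.Name } },
            @{ n = 'FirstLine'; e = { ($_.Group[0].Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
}
```

If this node shows nothing but users still fail, repeat the log step on the other farm members and on the WAP servers, since the load balancer may be sending the failing users elsewhere.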
As we conclude our exploration of the skills covered by the retired 70-346 Exam, it is essential to review and solidify your understanding of the three core identity models for Office 365. Each model has its own use cases, benefits, and complexities, and an administrator must be able to choose and manage the right model for their organization. A deep understanding of these models is the ultimate takeaway from the 70-346 Exam curriculum.
The first model is cloud-only identity. In this model, user accounts are created and managed directly in Azure Active Directory. There is no connection to an on-premises directory. This is the simplest model to deploy and manage and is often suitable for new, cloud-first businesses or small organizations without a pre-existing Active Directory. Its key characteristic is its complete independence from on-premises infrastructure.
The second model is synchronized identity. This is a hybrid model where user accounts from an on-premises Active Directory are synchronized to Azure AD using Azure AD Connect. This model provides a common identity for users across on-premises and cloud resources. Authentication can be handled in the cloud via Password Hash Sync or on-premises via Pass-through Authentication. This is the most common model for established organizations moving to the cloud.
The third and most complex model is federated identity. This is also a hybrid model, but it delegates the entire authentication process to an on-premises identity provider like AD FS. This provides true single sign-on but introduces significant on-premises infrastructure dependencies. The knowledge required to manage each of these three models was at the heart of the 70-346 Exam.
While the 70-346 Exam dedicated a large portion of its objectives to federation with AD FS, the industry trend since the exam's creation has been a significant shift away from this model. Organizations are increasingly moving towards the simpler and more resilient cloud authentication methods offered by Azure AD Connect: Password Hash Sync (PHS) and Pass-through Authentication (PTA).
The primary driver for this shift is the reduction in complexity and cost. A federated model requires a highly available on-premises infrastructure of AD FS and WAP servers, which must be patched, monitored, and maintained. This adds significant administrative overhead and creates a critical point of failure. If the on-premises AD FS farm goes down, no one can authenticate to Microsoft 365 services.
PHS and PTA, on the other hand, do not require this extensive on-premises footprint. With PHS, authentication is handled entirely in the cloud and is not dependent on the on-premises environment being online. With PTA, while authentication does happen on-premises, it uses lightweight agents that are simpler to deploy and manage than a full AD FS farm.
Furthermore, Microsoft has introduced a feature called Seamless Single Sign-On, which can be used with both PHS and PTA. This feature provides a true SSO experience for users on domain-joined machines on the corporate network, mimicking the user experience of AD FS without the backend complexity. Understanding this modern architectural trend is crucial for any identity professional today.
The world of cloud identity security has evolved significantly since the 70-346 Exam was designed. While MFA was a key topic, it is now just one component of a much richer set of security tools available in Azure AD. Any professional working with Microsoft 365 identities today must be familiar with these modern security features, many of which require Azure AD Premium licenses.
Conditional Access is the most powerful of these tools. It acts as the policy engine for Azure AD, allowing you to create granular access control rules. A Conditional Access policy is an "if-then" statement. For example, IF a user is a member of the "Domain Admins" group, THEN require MFA and require them to be on a compliant device to access any cloud app. This allows you to enforce security policies based on user, location, device, and application context.
Azure AD Identity Protection is another critical feature. It uses Microsoft's vast threat intelligence signals to detect and respond to identity-based risks. It can identify risky sign-ins (e.g., from an anonymous IP address) or users with leaked credentials that have appeared on the dark web. You can create policies to automatically block access or force a password reset when these risks are detected.
Privileged Identity Management (PIM) provides just-in-time access to administrative roles. Instead of having permanent Global Administrators, you can use PIM to make users eligible for a role. When they need to perform an administrative task, they must go through an activation process that can require approval and a justification. This dramatically reduces the risk associated with privileged accounts. These modern tools are central to current security practices.
While you can no longer take the 70-346 Exam, the skills it covered are distributed across several of the current Microsoft role-based certifications. Understanding this mapping can help you plan your modern certification journey. The knowledge you have gained by studying these topics provides a strong foundation for these new exams.
The skills related to overall tenant and identity management, including synchronization, are now a major part of the Microsoft 365 Certified: Enterprise Administrator Expert certification path. Specifically, the exam MS-102: Microsoft 365 Administrator covers provisioning, identity synchronization, and managing roles and security. This is the most direct successor to the MCSA: Office 365 credential.
The more advanced identity topics, especially those related to Azure AD security, federation, and application access, are now the focus of the Microsoft Certified: Identity and Access Administrator Associate certification. The corresponding exam, SC-300, dives deep into Conditional Access, MFA, PIM, and managing hybrid identity. This is an excellent path for those who want to specialize in identity security.
Even the Microsoft Certified: Azure Administrator Associate certification (Exam AZ-104) has a significant identity component. Azure administrators must be proficient in managing users, groups, and role-based access control within an Azure subscription, all of which are powered by Azure AD. The foundational identity skills from the 70-346 Exam are therefore relevant across multiple modern IT roles.
The retirement of the 70-346 Exam marked the end of an era for Microsoft certifications, but it did not diminish the value of the skills it represented. In a world that is increasingly reliant on cloud services, the ability to securely manage digital identities is more important than ever. Identity has become the new security perimeter, and professionals with deep expertise in this area are in high demand.
The topics covered by the 70-346 Exam—provisioning, DNS, cloud user management, directory synchronization, and federation—are the fundamental building blocks of any Microsoft 365 deployment. While the specific tools and best practices have evolved, the underlying principles remain the same. The journey from a simple cloud-only directory to a complex, federated single sign-on solution is a path that many organizations still travel.
By studying these topics, you have built a powerful foundation of knowledge. Your next step is to build upon this foundation by exploring the modern security and identity features of Azure AD and aligning your skills with the current role-based certifications. The path of an IT professional is one of continuous learning, and the knowledge once validated by the 70-346 Exam is an invaluable asset as you continue to advance in your career in the dynamic world of cloud technology.
Hello guys, please I need your advice on which one of these exams I can go for first between Enabling Office 365 Services or Managing Office 365 Identities and Requirements. Is either of them a prerequisite for the other, or how? Need to know which is best to take first. Need urgent response guys please.
The premium (and the latest free dumps) are about 70-80% valid. There were some new questions that I had to guess on. Passed today.
People, are only the premium dumps valid? Or can I use the free dumps from this site too? Can those help me to pass the exam?
Hi guys, which exam is valid for the Netherlands to study? Thanks a lot
Made today, the premium is valid, only 5 new issues. Luck
Took today and passed. Still valid. 5 new questions from 53.
Is the free dump of the latest date (11/11/2018) still valid? Will that be helpful for taking the exam in Jan 2019?
Still valid! Took today and passed. 5 new questions from 56
Premium dump 100% valid. Passed on 11 Dec with a score of 815.
Passed today - 920/1000.
I recommended premium dump.
Passed today 17/11/2018 with score 850, 100% Premium dumps valid
Is the premium file still valid? How many questions come in the exam?
Premium 100% valid
Passed yesterday, score 841, premium is mostly valid, two case studies, one from the dump and one new. Total 55Q. Good luck all
Passed today in Australia with score 779, pass mark is 700. Premium dump valid, exam has a case study and drag and drop. 55 questions in all
Which dump is suggested to use for 70-346 now? Alex, or is Adel still valid? Thanks
@benjamin, I am here to help you pass like I passed. The trick to excelling in the test is to utilize the reliable study resources which can only be found on the website of examcollection. Read them thoroughly and have a guaranteed chance of excellence.
@ezekiel, I can ascertain their validity. I completed the exam last week and all the questions I came across were just a duplicate of those found in exam dumps for 70-345. Recommend!
Wow! I have passed the test. Thanks for the Office 365 exam 70-346 dumps. They contain all the essential information to help a candidate excel in the exam.
70-346 exam questions are really nice. I used them to revise for the exam and I was surprised to find them being repeated in the exam I took. I answered the exam questions with lots of ease and passed.
Hello comrades, use the 70-346 vce file in your preparation for the exam. I found the contents it comprises are reliable. It helped me to pass the exam with 84 percent.
Those who have passed the 70-346 exam before, what's the trick behind success? I'll be taking the test soon and I don't want to fail.
Passed today in Spain with 9XX. Only Premium dump
Passed with premium in Germany with 858pt. Few new, but very similar questions, rest identical.
After having sleepless nights studying for exam 70-346, finally I have passed. I am very happy that my efforts have been rewarded. I used study materials from the examcollection website and they were very informative as far as the exam is concerned.
Dump is valid. 13 new questions. Some questions are the same but the answers are new.
Are the 70-346 dumps valid? I would like to utilize them in my preparation for the test.
What an incredible performance in the test! The 70-346 practice test is really helpful. All the questions I encountered in the exam were contained in it. Luckily, I had checked for the possible answers to those questions, thus I had no difficulties in tackling the exam.
Who has used 70-346 exam dumps? Are they helpful?
I will be sitting for the certification exam of Microsoft 70-346 next week. I just hope I will perform well the way I have been performing in other Microsoft certification exams.
I have passed the 70-346 cert exam. More than three quarters of the questions tested in the exam were in the vce files. Thank you guys for offering reliable files.
Hey people, as I was going through the practice test I found this question: "You are an administrator for sharepointaaron.com and have to prove the domain ownership of your domain for Office 365. What DNS type do you have to create and how do you create it?" I understand how to go about the what, but the how? I don't. Do we write a script for this question?
who has free 70-346 dumps?????? HEEEEEEEEEEEEEEEEEEEEEELP