AZ-301 Exam Questions

AZ-301 Exam - Question 26


A company named Contoso, Ltd. has an Azure Active Directory (Azure AD) tenant that is integrated with Microsoft Office 365 and an Azure subscription.

Contoso has an on-premises identity infrastructure. The infrastructure includes servers that run Active Directory Domain Services (AD DS), Active Directory Federation Services (AD FS), Azure AD Connect, and Microsoft Identity Manager (MIM).

Contoso has a partnership with a company named Fabrikam, Inc. Fabrikam has an Active Directory forest and an Office 365 tenant. Fabrikam has the same on-premises identity infrastructure as Contoso.

A team of 10 developers from Fabrikam will work on an Azure solution that will be hosted in the Azure subscription of Contoso. The developers must be added to the Contributor role for a resource in the Contoso subscription.

You need to recommend a solution to ensure that Contoso can assign the role to the 10 Fabrikam developers. The solution must ensure that the Fabrikam developers use their existing credentials to access resources.

What should you recommend?

Correct Answer: D

To ensure that Contoso can assign the Contributor role to the 10 Fabrikam developers while allowing them to use their existing credentials, the most efficient solution is to create guest accounts for the developers in the Azure AD tenant of Contoso. This approach leverages Azure AD B2B (Business to Business) collaboration, which allows external users to access resources using their existing credentials without the need for complicated trust configurations or additional overhead. This method is straightforward and aligns with best practices for managing external user access in a secure and manageable way.
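As an added illustration of the recommended approach (this is example code, not part of the exam page or Microsoft's own documentation): the Fabrikam developers are invited as Azure AD B2B guests into the Contoso tenant and the Contributor role is assigned at the scope of the single resource rather than the whole subscription. It uses the Microsoft.Graph and Az PowerShell modules; the developer addresses, subscription id and resource path are constructed placeholders.

```powershell
# Added example (not from the page): invite Fabrikam developers as Azure AD B2B guests into
# Contoso's tenant and grant Contributor on ONE resource, not the subscription.
# Every identifier below is a constructed placeholder.
Connect-MgGraph -Scopes "User.Invite.All", "User.Read.All"   # Contoso tenant (Microsoft.Graph module)
Connect-AzAccount                                             # Az module, same tenant

# Constructed list standing in for the 10 Fabrikam developers (their existing Fabrikam identities)
$developers = @("dev01@fabrikam.example", "dev02@fabrikam.example", "dev03@fabrikam.example")

# Placeholder scope: a single resource, the narrowest scope that satisfies the requirement
$resourceScope = "/subscriptions/<contoso-subscription-id>/resourceGroups/<rg-name>" +
                 "/providers/Microsoft.Web/sites/<app-name>"

foreach ($upn in $developers) {
    # B2B invitation: the developer redeems it with Fabrikam credentials; Contoso stores no password
    $invite = New-MgInvitation -InvitedUserEmailAddress $upn `
                               -InviteRedirectUrl "https://portal.azure.com" `
                               -SendInvitationMessage
    $guestId = $invite.InvitedUser.Id

    # Sanity check: the object created in Contoso's directory must be a Guest, not a Member
    $guest = Get-MgUser -UserId $guestId -Property UserType
    if ($guest.UserType -ne "Guest") { throw "$upn was not created as a guest user" }

    # RBAC assignment at resource scope only. A freshly created principal can take a moment
    # to replicate; if this fails with PrincipalNotFound, retry after a short delay.
    New-AzRoleAssignment -ObjectId $guestId -RoleDefinitionName "Contributor" `
                         -Scope $resourceScope | Out-Null
}

# Review: list Contributor assignments visible at the resource and flag any that are
# inherited from a broader scope (resource group or subscription), which would over-grant.
Get-AzRoleAssignment -Scope $resourceScope |
    Where-Object { $_.RoleDefinitionName -eq "Contributor" } |
    Select-Object DisplayName, SignInName, Scope,
                  @{ Name = "Inherited"; Expression = { $_.Scope -ne $resourceScope } } |
    Format-Table -AutoSize
```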

Discussion

36 comments
kondapaturi
Nov 8, 2019

D is the preferred solution as an organisation

Ekramy_Elnaggar
Jan 9, 2020

D is correct, this is called Azure B2B

GB_SYD
Sep 29, 2019

Hi Jimmy, C will enable it for all Fabrikam users instead of the 10

Famous_Guy
Apr 28, 2020

They are not complaining if all get access, so the answer is C

BoyGoober
May 5, 2020

Always think of "least privilege". Why give access to 1000 people when only 10 need access?

RStover
May 7, 2020

That is not what least privilege means.

STFN2019
May 23, 2020

That would be a great security breach; always apply permissions only to those that need them, with least privilege in mind. It's a golden rule of security in any organization, hence D is the most appropriate answer here.

cool0609
Sep 27, 2020

"selective authentication" <-- It won't.

gboyega
Jul 18, 2020

Given Answer is correct. C is not correct because it would give everybody at fabri... access and not just the 10 developers

praveen97
Aug 5, 2020

Yes D is correct.

zomb
Dec 13, 2019

how does D ensure they use "existing credentials" though?

MarcoZ
Dec 15, 2019

A simple invitation and redemption process lets partners use their own credentials to access your company's resources. (https://docs.microsoft.com/en-us/azure/active-directory/b2b/what-is-b2b)

ablab
Jul 28, 2020

With Azure AD B2B, the partner uses their own identity management solution, so there is no external administrative overhead for your organization. The partner uses their own identities and credentials; Azure AD is not required. You don't need to manage external accounts or passwords. You don't need to sync accounts or manage account lifecycles.

glam
Jan 29, 2021

D. In the Azure AD tenant of Contoso, create guest accounts for the Fabrikam developers.

JimmyO
Sep 11, 2019

Think it is C. Both organisations have ADFS so a one trust may be the best option https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adfs

Famous_Guy
May 4, 2020

Now it changed. Correct answer not given in option. ref: https://docs.microsoft.com/en-us/azure/active-directory/b2b/direct-federation

tartar
Sep 18, 2020

D is ok

mykolaantoniv
Feb 16, 2020

Answer is D

Coolking
May 9, 2020

Answer is D "You can use the capabilities in Azure Active Directory B2B to collaborate with external guest users and you can use Azure RBAC to grant just the permissions that guest users need in your environment." Reference: https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-external-users

[Removed]
Jul 22, 2020

I think the proposed answer D is correct, because we can create guest accounts for the 10 developers, while they can still use their credentials (Azure AD B2B). From what I understand it would require setting up a new Identity Provider in Contoso's AAD (External Identities => All identity providers => New SAML/WS-Fed IdP) and pointing it to Fabrikam's ADFS infrastructure. Can someone please confirm this? https://docs.microsoft.com/en-us/azure/active-directory/b2b/what-is-b2b#integrate-with-identity-providers

Corona_Virus
Apr 28, 2020

Answer: C. Explanation: Trust configurations - Configure trust from managed forest(s) or domain(s) to the administrative forest. * A one-way trust is required from the production environment to the admin forest. * Selective authentication should be used to restrict accounts in the admin forest to only logging on to the appropriate production hosts. Reference: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material

SIDNEY1
Jun 20, 2020

No. It will give access to everyone in Fabrikam, not just the 10 devs.

hubekpeter
Feb 5, 2021

By default they'll get only restricted permissions. So the correct answer is C. To create a trust between two DCs, you need network connectivity in place, which is an overcomplicated solution. Guest users have restricted directory permissions. They can manage their own profile, change their own password and retrieve some information about other users, groups and apps; however, they cannot read all directory information. For example, guest users cannot enumerate the list of all users, groups and other directory objects. Guests can be added to administrator roles, which grant them the full read and write permissions contained in the role. Guests can also invite other guests.

yemma
May 16, 2020

Answer's correct, guest users will use their actual credentials.

Harkonnen
Aug 6, 2020

I don't think that forest trusts were designed with the intention of trusting external organisation users. It is more like a tool for internal organisation departments or branches. For this reason, I would create guest accounts.

exams0123456
Sep 5, 2020

The correct answer is D. We did this in our environment last month. Gave RBAC access to 2 support people from a partner for a particular resource. In fact this is what you do whenever there is an Enterprise Premier Support engagement from Microsoft. You give their support engineer Guest access and assign the requisite RBAC roles.

Anonymous
Sep 10, 2020

Answer is D, check the statement in the Microsoft article: "A simple invitation and redemption process lets partners use their own credentials to access your company's resources" https://docs.microsoft.com/en-us/azure/active-directory/external-identities/what-is-b2b

temporal111
Nov 5, 2020

"Selective Authentication: To combat the above mentioned security loophole and have some control on the authentication, we can opt for the Selective Authentication level. In this level, not all users are authenticated by Domain Controllers by default. Instead, when a Domain Controller of the Trusting Forest detects that an authentication request is coming from a trusted forest, it first validates whether the user account has been granted exclusive permission on the resource that is holding the object. For example, a file share has been configured on a file server. If a user from a trusted forest wants to access that file share, that user account has to be explicitly granted the "Allowed to Authenticate" right on the file server. Only then will the Domain Controller authenticate the user; otherwise the Domain Controller will reject the authentication request, and the user will not be part of the "Authenticated Users" group." From: https://social.technet.microsoft.com/wiki/contents/articles/50969.active-directory-forest-trust-attention-points.aspx

temporal111
Nov 5, 2020

I am not saying that the D answer is wrong; in fact, it is correct and its effort is less than the C answer. However, from my point of view, the C answer is correct too.

sanketshah
Jan 1, 2021

D is correct answer

nickname82
Sep 2, 2021

Correct answer is A; reference AZ-304 page 14, question 53

MeasService
Apr 17, 2020

By looking at this, I would go for C. "The solution must ensure that the Fabrikam developers use their existing credentials to access resources."

Manchana
Apr 22, 2020

Answer is C...They can not use existing credentials with guest accounts.

SIDNEY1
Jun 20, 2020

Lol no. It will give access to everyone in Fabrikam, not just the 10 devs.

unknown4noone
Jul 28, 2020

Azure Active Directory (Azure AD) business-to-business (B2B) collaboration lets you securely share your company's applications and services with guest users from any other organization, while maintaining control over your own corporate data. Work safely and securely with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources. Developers can use Azure AD business-to-business APIs to customize the invitation process or write applications like self-service sign-up portals.

aMaineCloud
Jul 30, 2020

Well technically they can. They'd just use the same credentials as with their existing credentials.

Pierrick
May 15, 2020

Azure B2B is guest invitation and enables the partner to use their own identities and credentials. answer is correct. https://docs.microsoft.com/en-us/azure/active-directory/b2b/what-is-b2b

DLyte
May 15, 2020

I think the answer is C. "Manage access to Azure resources for external guest users using RBAC. Role-based access control (RBAC) allows better security management for large organizations and for small and medium-sized businesses working with external collaborators, vendors, or freelancers that need access to specific resources in your environment, but not necessarily to the entire infrastructure or any billing-related scopes. You can use the capabilities in Azure Active Directory B2B to collaborate with external guest users and you can use RBAC to grant just the permissions that guest users need in your environment"

SkyDream
May 27, 2020

Answer is D https://docs.microsoft.com/en-us/azure/active-directory/b2b/what-is-b2b

milind8451
May 29, 2020

Azure AD B2B permission is needed in this scenario, so "D" is the right answer.

corona2020
Jun 1, 2020

I will go with D because why give access to everyone at fabrikam instead of those 10 developers.

Baranli
Jun 21, 2020

Option C is correct. As per the question, both organizations have the same "premises identity infrastructure", so a one-way domain trust is the best choice.

Prash85
Jun 27, 2020

Create a one-way forest trust. Option C is the correct answer.

zarl
Aug 3, 2020

I think it is C. The key is "developers use their existing credentials"

exams0123456
Sep 5, 2020

Just to clear your... When people say .. ADD GUEST.. that means.. its basically ... INVITE GUESTS... you send the INVITATION to the guest own account. Which means... even if we send Guest Invite requests to Fabrikam developers, the invites are sent to the existing accounts of the developers and hence they can use their existing credential.

Afz
Sep 7, 2020

D should be the right answer using B2B, but it also depends on ensuring that the ADFS of Fabrikam is configured in B2B so that they can use their existing credentials. B2B can integrate with ADFS, other AAD tenants, Google Federation, MS accounts etc.

Rooh
Sep 8, 2020

Given answer looks correct

Afz
Sep 26, 2020

B2B can integrate with other federation services (ADFS, Google federation etc) and other AAD tenants. Fabrikam should have ADFS since it has similar infrastructure. So it is guest users, that is option D.

alokpsingh
Sep 30, 2020

Correct answer is A

alokpsingh
Sep 30, 2020

Correct answer is C

hchafloque
Nov 4, 2020

After comparing answers with other pages, C wins. That's because both are already using FS, and that requires trust policies. Usually D should be enough, but it looks like a MS answer is required. Thanks for the answers, I learn a lot.

Junooni
Jan 16, 2021

Correct answer is C, pay close attention to the last sentence: the solution must ensure that the Fabrikam developers use their existing credentials to access resources. Only possible with Option C.

Ario
Sep 20, 2021

Don't make it complicated: With Azure AD B2B, the partner uses their own identity management solution, so there is no external administrative overhead for your organization. Guest users sign in to your apps and services with their own work, school, or social identities. The partner uses their own identities and credentials; Azure AD is not required. You don't need to manage external accounts or passwords. You don't need to sync accounts or manage account lifecycles.