SC-100 Exam Questions

SC-100 Exam - Question 74


HOTSPOT


Your network contains an on-premises Active Directory Domain Services (AD DS) domain. The domain contains a server that runs Windows Server and hosts shared folders. The domain syncs with Azure AD by using Azure AD Connect. Azure AD Connect has group writeback enabled.

You have a Microsoft 365 subscription that uses Microsoft SharePoint Online.

You have multiple project teams. Each team has an AD DS group that syncs with Azure AD.

Each group has permissions to a unique SharePoint Online site and a Windows Server shared folder for its project. Users routinely move between project teams.

You need to recommend an Azure AD Identity Governance solution that meets the following requirements:

• Project managers must verify that their project group contains only the current members of their project team.

• The members of each project team must only have access to the resources of the project to which they are assigned.

• Users must be removed from a project group automatically if the project manager has NOT verified the group's membership for 30 days.

• Administrative effort must be minimized.

What should you include in the recommendation? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.
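The configuration the thread converges on (a recurring access review of each project group with the project manager as reviewer, and an automatic Deny for anyone not verified when the review closes) looks like this when created with the Microsoft Graph PowerShell SDK. This is an added worked example, not part of the exam question or of any answer below; it assumes the Microsoft.Graph and ActiveDirectory modules are installed, that the caller holds AccessReview.ReadWrite.All and User.Read.All, that the group owner is the project manager, and that $groupId and $onPremGroup are placeholders for a real project group. The second part covers the caveat raised in the thread for groups synchronized from AD DS: the Microsoft doc linked below (deploy-access-reviews, "Review access to on-premises groups") notes that review decisions have to be applied to an on-premises group by script, so the Deny decisions are read back and applied with Remove-ADGroupMember.

```powershell
# Added example, not from the exam question or any answer in the thread.
# Part 1: recurring access review of one project group; reviewer = group owners
#         (assumed to be the project manager); unreviewed members are denied.
# Part 2: for a group mastered in AD DS, read the Deny decisions back and apply
#         them on-premises, as the linked deploy-access-reviews doc describes.
# Assumptions: Microsoft.Graph and ActiveDirectory modules installed; caller
# holds AccessReview.ReadWrite.All and User.Read.All; IDs below are placeholders.

Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.Users
Import-Module ActiveDirectory

Connect-MgGraph -Scopes "AccessReview.ReadWrite.All", "User.Read.All"

$groupId     = "00000000-0000-0000-0000-000000000000"  # placeholder: project group object ID in Entra ID
$onPremGroup = "Project-Alpha"                          # placeholder: sAMAccountName of the synced AD DS group

# --- Part 1: monthly review, unreviewed users treated as Deny ---
# A review instance must close before the next occurrence starts, so a 25-day
# window inside a monthly recurrence is the closest fit to "not verified for 30 days".
$reviewDefinition = @{
    displayName             = "Project membership review - $onPremGroup"
    descriptionForAdmins    = "Project manager verifies project group membership every month."
    descriptionForReviewers = "Approve only current members of your project team. Unreviewed users are removed."
    scope = @{
        query     = "/groups/$groupId/transitiveMembers"   # who is being reviewed
        queryType = "MicrosoftGraph"
    }
    reviewers = @(
        @{ query = "/groups/$groupId/owners"; queryType = "MicrosoftGraph" }  # who reviews
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $false
        recommendationsEnabled          = $true
        instanceDurationInDays          = 25
        autoApplyDecisionsEnabled       = $true    # apply results when the instance closes (cloud groups)
        defaultDecisionEnabled          = $true    # members the reviewer did not act on get...
        defaultDecision                 = "Deny"   # ...Deny, i.e. removal from the group
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 1 }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}

$definition = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $reviewDefinition
"Created review '{0}' ({1})" -f $definition.DisplayName, $definition.Id

# --- Part 2: apply decisions of the latest finished instance to the AD DS group ---
$instance = Get-MgIdentityGovernanceAccessReviewDefinitionInstance `
    -AccessReviewScheduleDefinitionId $definition.Id -All |
    Where-Object { $_.Status -in "Completed", "Applied" } |
    Sort-Object EndDateTime -Descending |
    Select-Object -First 1

if ($instance) {
    $decisions = Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision `
        -AccessReviewScheduleDefinitionId $definition.Id `
        -AccessReviewInstanceId $instance.Id -All

    # NotReviewed is handled like Deny here, matching defaultDecision above.
    foreach ($d in $decisions | Where-Object { $_.Decision -in "Deny", "NotReviewed" }) {
        # Map the cloud user back to its AD DS account through the synchronized SID.
        $user = Get-MgUser -UserId $d.Principal.Id -Property OnPremisesSecurityIdentifier
        if (-not $user.OnPremisesSecurityIdentifier) { continue }   # cloud-only user: nothing to do on-prem
        $adUser = Get-ADUser -Identity $user.OnPremisesSecurityIdentifier
        Remove-ADGroupMember -Identity $onPremGroup -Members $adUser -Confirm:$false
        "Removed {0} from {1} (decision: {2})" -f $adUser.SamAccountName, $onPremGroup, $d.Decision
    }
}
```

Part 2 is what gives the "automatically removed" requirement teeth for a group whose membership is mastered in AD DS: the review records the project manager's (non-)response, and the script, run on a schedule after each instance closes, enforces it where the SharePoint and file-share permissions actually live.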

Correct Answer:

Discussion

12 comments
Victory007
Aug 5, 2023

1. Access Reviews. 2. Enable group write back for the existing synced group. https://learn.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview.

ServerBrain
Aug 17, 2023

You are correct. Azure AD Connect has group writeback enabled, no need to create new groups.

casualbork
Sep 15, 2023

"Project managers must verify that their project group contains only the current members of their project team." This means access reviews; a Lifecycle Workflow would do all of this automatically based on user attributes (such as department or team).

"You have multiple project teams. Each team has an **AD DS group** that **syncs with Azure AD**." (These are the key to finding the correct answer.)

"Each group has permissions to a unique SharePoint Online site and a Windows Server shared folder for its project. Users routinely move between project teams."

The correct answer is "Enable group write back for the existing synced group." Therefore, the answer Victory007 has provided is the correct answer.

NICKTON81
Dec 21, 2023

1. Entitlement management is an identity governance feature that enables organizations to manage identity and access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration. https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-overview
2. Enable group write back for the existing synced group.

smanzana
Oct 22, 2023

Box 1: Access Reviews. Box 2: Enable group write back for the existing synced group.

saurabh123sml
Aug 14, 2023

The given answer is correct, it seems: Lifecycle Workflows, writeback enabled.

sbnpj
Aug 15, 2023

I agree with Victory007, it's 1. Access reviews and 2. Enable group write back for the existing synced group.

Murtuza
Jan 6, 2024

Project managers must verify = IMPLIES ACCESS REVIEW

Ramye
Jan 19, 2024

But how does this satisfy this requirement: "Users must be removed from a project group automatically if the project manager has NOT verified the group's membership for 30 days"? See, it says automatically.

ConanBarb
Sep 22, 2023

To add some detail to the discussion: Lifecycle Workflows could have been an option, and actually a better one than Access Reviews, but aren't, due to 1) the requirements say "Users must be removed from a project group automatically if the project manager has NOT verified the group's membership for 30 days." and 2) Lifecycle Workflows require Microsoft Entra ID Governance licenses (which we can't assume). Lifecycle Workflows, if valid, would have been better as they are automatic and event driven (happen instantly), and not every 30 days or so.

ayadmawla
Feb 24, 2024

This is a logic apps functionality that can be included within Lifecycle Workflows

harimurti20
Dec 7, 2023

Given answer is correct: Lifecycle Workflow is correct, as per the requirement "Users must be removed from a project group automatically if the project manager has NOT verified the group's membership for 30 days."

ayadmawla
Feb 24, 2024

I am sorry to contradict, but Lifecycle Workflow is exactly what is needed. See: https://learn.microsoft.com/en-us/entra/id-governance/what-are-lifecycle-workflows#when-to-use-lifecycle-workflows

"Automating group membership: When groups in your organization are well defined, you can automate user membership in those groups. Lifecycle workflows manage static groups, where you don't need a dynamic group rule. There's no need to have one rule per group. Lifecycle workflow rules determine the scope of users to execute workflows against, not which group."

Mnguyen0503
Apr 20, 2024

You're missing the point here. The key info is that managers must approve group membership. This is what access reviews are designed to do. In the access review configuration, you can determine what to do when the access review is not completed, which meets the other requirement as well.

jayek
Jun 21, 2024

https://learn.microsoft.com/en-us/entra/id-governance/deploy-access-reviews#review-access-to-on-premises-groups

emartiy
Jun 26, 2024

Box 1: Access review (under the Entitlement management of Identity Governance). Box 2: From Azure AD, create a new cloud-only security group for each project.

Group Writeback v2: With the release of provisioning agent 1.1.1370.0, Cloud Sync now supports group writeback. Cloud Sync provisions groups directly to your on-premises AD environment. You can use identity governance features to manage access to AD-based applications by including a group in an entitlement management access package.

emartiy
Jun 26, 2024

You can't update on-prem AD groups via Azure AD. Therefore, you need a cloud-only group, and it will also be synced to on-prem thanks to the Azure AD Connect tool's group writeback feature.

pokus00132
Jul 18, 2024

1. Access Reviews. 2. Azure AD, create a security group for each project and enable group writeback for each group.

You need to create a cloud Entra ID (Azure AD) group and then select the group and enable it for writeback. You can't enable writeback for a group which is synchronized from Windows AD to Entra ID. If you create a new cloud-only security group for each project, group writeback is not automatically enabled.