Exam SC-100
Question 74

HOTSPOT

Your network contains an on-premises Active Directory Domain Services (AD DS) domain. The domain contains a server that runs Windows Server and hosts shared folders. The domain syncs with Azure AD by using Azure AD Connect. Azure AD Connect has group writeback enabled.

You have a Microsoft 365 subscription that uses Microsoft SharePoint Online.

You have multiple project teams. Each team has an AD DS group that syncs with Azure AD.

Each group has permissions to a unique SharePoint Online site and a Windows Server shared folder for its project. Users routinely move between project teams.

You need to recommend an Azure AD Identity Governance solution that meets the following requirements:

• Project managers must verify that their project group contains only the current members of their project team.

• The members of each project team must only have access to the resources of the project to which they are assigned.

• Users must be removed from a project group automatically if the project manager has NOT verified the group's membership for 30 days.

• Administrative effort must be minimized.

What should you include in the recommendation? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Discussion
Victory007

1. Access Reviews. 2. Enable group write back for the existing synced group. https://learn.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview.

ServerBrain

You are correct. Azure AD Connect has group writeback enabled, no need to create new groups.

casualbork

• Project managers must verify that their project group contains only the current members of their project team. This means access reviews; Lifecycle Workflow would do all of this automatically based on the user attributes (such as department or team). You have multiple project teams. Each team has an **AD DS group** that **syncs with Azure AD** (these being the key to finding the correct answer). Each group has permissions to a unique SharePoint Online site and a Windows Server shared folder for its project. Users routinely move between project teams. The correct answer is "Enable group write back for the existing synced group." Therefore, the answer Victory007 has provided is the correct answer.

NICKTON81

1 - Entitlement management is an identity governance feature that enables organizations to manage identity and access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration. https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-overview 2. Enable group write back for the existing synced group.

smanzana

Box1:Access Reviews Box2: Enable group write back for the existing synced group.

Murtuza

Project managers must verify = IMPLIES ACCESS REVIEW

Ramye

But how does this satisfy this requirement ---> "Users must be removed from a project group automatically if the project manager has NOT verified the group's membership for 30 days"? See, it says automatically.

sbnpj

I agree with Victory007, it's 1. Access reviews and 2. Enable group write back for the existing synced group.

saurabh123sml

Given answer is correct, it seems: Lifecycle Workflows, writeback enabled.

pokus00132

1. Access Reviews 2. Azure AD, create a security group for each project and enable group writeback for each group. You need to create a cloud Entra ID (Azure AD) group and then select the group and enable it for writeback. You can't enable writeback for a group that is synchronized from Windows AD to Entra ID. If you create a new cloud-only security group for each project, group writeback is not automatically enabled.

emartiy

Box1: Access review (under the Entitlement management of Identity Governance). Box2: From Azure AD, create a new cloud-only security group for each project. --- Group Writeback v2: With the release of provisioning agent 1.1.1370.0, Cloud Sync now supports group writeback. Cloud Sync provisions groups directly to your on-premises AD environment. You can use identity governance features to manage access to AD-based applications by including a group in an entitlement management access package.

emartiy

You can't update on-prem AD groups via Azure AD. Therefore, you need a cloud-only group, and it will also be synced to on-prem thanks to the Azure AD Connect tool's group writeback feature.

jayek

https://learn.microsoft.com/en-us/entra/id-governance/deploy-access-reviews#review-access-to-on-premises-groups

ayadmawla

I am sorry to contradict, but Lifecycle Workflow is exactly what is needed. See: https://learn.microsoft.com/en-us/entra/id-governance/what-are-lifecycle-workflows#when-to-use-lifecycle-workflows "Automating group membership: When groups in your organization are well defined, you can automate user membership in those groups. Lifecycle workflows manage static groups, where you don't need a dynamic group rule. There's no need to have one rule per group. Lifecycle workflow rules determine the scope of users to execute workflows against, not which group."

Mnguyen0503

You're missing the point here. The key info is that managers must approve group membership. This is what access reviews are designed to do. In the access review configuration, you can determine what to do when the access review is not completed, which meets the other requirement as well.
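
The configuration Mnguyen0503 refers to (project managers as reviewers, a default decision applied when the review is not completed within the review window) can be expressed as one recurring access review per project group. The following is an added example using the Microsoft Graph PowerShell SDK; it is not from the exam page or from any commenter. It assumes the Microsoft.Graph.Groups and Microsoft.Graph.Identity.Governance modules are installed, that the caller holds the listed Graph scopes, that the project group's owners are its project managers, and that the group name "Project-Alpha" and the review name are constructed placeholders. The request body follows the shape of the Graph accessReviewScheduleDefinition resource.

```powershell
# Added example, not the exam page's or any commenter's code.
# Creates a recurring access review of one project group's members, reviewed
# by the group's owners (assumed here to be the project managers).

Connect-MgGraph -Scopes "AccessReview.ReadWrite.All", "Group.Read.All"

# Look up the project group by display name ("Project-Alpha" is a constructed placeholder).
$group = Get-MgGroup -Filter "displayName eq 'Project-Alpha'"
if (-not $group) { throw "Project group not found" }

$params = @{
    displayName             = "Project-Alpha membership review"   # constructed name
    descriptionForAdmins    = "Project manager confirms the group holds only current team members."
    descriptionForReviewers = "Approve only users who are currently on your project team."

    # Scope: the group's current members (transitive, so nested groups are covered too).
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$($group.Id)/transitiveMembers"
        queryType     = "MicrosoftGraph"
    }

    # Reviewers: the owners of the reviewed group, i.e. the project managers.
    reviewers = @(
        @{
            query     = "./owners"
            queryType = "MicrosoftGraph"
        }
    )

    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $false
        recommendationsEnabled          = $true

        # Each review instance stays open for 30 days ...
        instanceDurationInDays          = 30

        # ... and if the reviewer has not responded by then, the default decision
        # "Deny" is applied automatically, which removes the unreviewed user
        # from the group without an administrator touching it.
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"
        autoApplyDecisionsEnabled       = $true

        # Start a new instance every month so that membership is re-verified continuously.
        recurrence = @{
            pattern = @{
                type     = "absoluteMonthly"
                interval = 1
            }
            range = @{
                type      = "noEnd"
                startDate = (Get-Date).ToString("yyyy-MM-dd")
            }
        }
    }
}

$review = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $params
$review | Select-Object Id, DisplayName, Status
```

The settings block is where the thread's requirements land: the 30-day window comes from instanceDurationInDays, the automatic removal of unverified members from defaultDecision set to Deny together with autoApplyDecisionsEnabled, and the minimal administrative effort from the recurrence, which re-creates the review without anyone scheduling it. Applied decisions change the group's membership in Azure AD; whether that change also reaches the on-premises AD DS group depends on the group writeback configuration that the rest of the thread debates.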

harimurti20

Given answer is correct: Lifecycle Workflow is correct, as per the requirement: "Users must be removed from a project group automatically if the project manager has NOT verified the group's membership for 30 days."

ConanBarb

To add some detail to the discussion: Lifecycle Workflows could have been an option, and actually a better one than Access Reviews, but isn't, due to 1) the requirements say "Users must be removed from a project group automatically if the project manager has NOT verified the group's membership for 30 days." 2) LC Workflows require Microsoft Entra ID Governance licenses (which we can't assume). Lifecycle Workflows, if valid, would have been better as they are automatic and event driven (happen instantly) and not every 30 days or so.

ayadmawla

This is a logic apps functionality that can be included within Lifecycle Workflows