SC-300 Exam - Question 226

MS documentation is not up to date! Just tested in my tenant, all the below groups are supported 1- Security 2- Microsoft 365 3- Mail-Enabled security Group

As of today, 9/6/2023: "Group-based assignment requires Azure Active Directory Premium P1 or P2 edition. Group-based assignment is supported for Security groups and Microsoft 365 groups whose SecurityEnabled setting is set to True only." Answer is correct.

E according tohttps://learn.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal?pivots=portal

Answer: E Group-based assignment requires Microsoft Entra ID P1 or P2 edition. Group-based assignment is supported for Security groups and Microsoft 365 groups whose SecurityEnabled setting is set to True only. Nested group memberships aren't currently supported. https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal?pivots=portal

Group-based assignment is supported for Security groups and Microsoft 365 groups whose SecurityEnabled setting is set to True only

I tested adding M365 Group, was able to add group to enterprise app. Also the doco states it as well. https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal?pivots=portal Group-based assignment requires Azure Active Directory Premium P1 or P2 edition. Group-based assignment is supported for Security groups and Microsoft 365 groups whose SecurityEnabled setting is set to True only.

tested on my tenant . M365 group is listed and can be selected. Members of that group have access to App

Only security groups and mail-enabled security groups.

Just tested this and you can indeed assign it to Security and MS365 groups. I also checked the access and users in the 365 groups do have access to the app. https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-saasapps This article states "For example, if you want to assign access for the marketing department to use five different SaaS applications, you can create an Office 365 or security group that contains the users in the marketing department, and then assign that group to these five SaaS applications that are needed by the marketing department. "

according tohttps://learn.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal?pivots=portal

I have tested also and these 3 groups i can add, Gropup 1 (Security), Group 3(Microsoft 365) and Group 4 (Mail-enabled Security), but it could never be Distribution list, some answers shows that distribution list can also be added but it is 100% wrong

checked - you can't add M365 groups

only Security group and mail enabled Security group can be assigned.

Group 1 and Group 4 only

Only security groups and mail-enabled security groups. M365 groups are not allowed

tested in lab, can add m365 group to an enterprise app

Sure. - Group-based assignment is supported for Security groups only. - Nested group memberships and Microsoft 365 groups aren't currently supported. https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal?pivots=portal

Just testet, and able to add Security, Microsoft 365 both assigned and dynamic and Security Mail-enabled. Not able to answer correctly.

Tested it in my lab: Seems like the question is outdated... I was able to add all four kinds of groups (mail-enabled security, security, M365, distribution)

Group1, Group 3 and Group 4

From azure portal, only security and m365 group type can be seen when adding to ent apps.

D. Groups1 and Groups4 is correct in this scenario. Yes, all except for the distribution group option here CAN be assigned, but we are to assume default settings for these questions unless otherwise specified. Once you've looked into this question a little ask yourself this question and you'll realize the solution: What is the default setting for Microsoft 365 "SecurityEnabled" flag? To use a Microsoft 365 Group for security-related tasks, such as application assignments or Conditional Access policies, the SecurityEnabled property must be explicitly set to True.

Following default settings, it should be D.

It looks like only Security group can be assigned. https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal Only Security groups are listed when I tested. I still have to test with mail-enabled Security groups.

"Group-based assignment requires Azure Active Directory Premium P1 or P2 edition. Group-based assignment is supported for Security groups only." Source: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal

Security groups!

You can assing Security and 365 groups both, not sure why people here saying only security group and where are they testing.

Group-based assignment requires Azure Active Directory Premium P1 or P2 edition. Group-based assignment is supported for Security groups only. Nested group memberships and Microsoft 365 groups are NOT CURRENTLY SUPPORTED. Source: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal#:~:text=group%20memberships%20and-,Microsoft%20365%20groups,-are%20not%20currently

The correct answer is D: Group-based assignment requires Azure Active Directory Premium P1 or P2 edition. Group-based assignment is supported for Security groups only. Nested group memberships and Microsoft 365 groups aren't currently supported. https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal?pivots=portal

Group 1 only, as you cannot add APP to Mail-enabled security group , as Mail-Enabled security group assignment is handled from Exchange not from Azure AD.

Docs says that "you can use this feature only after you start an Azure AD Premium trial or purchase Azure AD Premium license plan. Group-based assignment is supported only for security groups. Nested group memberships are not supported for group-based assignment to applications at this time."

Group 1 only. https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal?pivots=portal When you assign a group to an application, only users in the group will have access. The assignment doesn't cascade to nested groups. Group-based assignment requires Azure Active Directory Premium P1 or P2 edition. Group-based assignment is supported for Security groups only. Nested group memberships and Microsoft 365 groups aren't currently supported.

"Group-based assignment requires Azure Active Directory Premium P1 or P2 edition. Group-based assignment is supported for Security groups and Microsoft 365 groups whose SecurityEnabled setting is set to True only. Nested group memberships aren't currently supported." https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal?pivots=portal

You can use this feature only after you start an Azure AD Premium trial or purchase Azure AD Premium license plan. Group-based assignment is supported only for security groups. Nested group memberships are not supported for group-based assignment to applications at this time.

Answer is D (Group1 and Group4) In Azure AD, you can only assign Security groups and Mail-enabled Security groups to an enterprise application. These types of groups have the necessary permissions for assigning to applications. Distribution groups and Microsoft 365 groups are used for different purposes like email communication and collaboration, and lack the necessary permissions that are required for application assignment. https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal In the "Assign a group" section, it mentions that "Any type of security group can be assigned to an application for the purposes of assigning users or groups to the app." This clarifies that Security Groups, and by extension Mail-enabled Security groups, can be assigned to an application. It doesn't mention Distribution groups or Microsoft 365 groups, which are not generally used for managing security or application assignments.

Answer D I tested and if you create M365 Group from Admin Centre, then I wasn't able to add it to the Enterprise application. If you create it from Azure portal you would be able to add it. You don't know where the M365 group was created, so it is better to play a safe bet going with Security group and mail-enabled security group.

La asignación basada en grupos requiere la edición Microsoft Entra ID P1 o P2. La asignación basada en grupos se admite para grupos de seguridad y grupos de Microsoft 365 cuya SecurityEnabledconfiguración está establecida en Truesolo. Actualmente no se admiten membresías de grupos anidados

E. Group1 and Group3 Group-based assignment requires Microsoft Entra ID P1 or P2 edition. Group-based assignment is supported for Security groups and Microsoft 365 groups whose SecurityEnabled setting is set to True only. Nested group memberships aren't currently supported. https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/assign-user-or-group-access-portal?pivots=portal

Group-based assignment requires Microsoft Entra ID P1 or P2 edition. Group-based assignment is supported for Security groups, Microsoft 365 groups, and Distribution groups whose SecurityEnabled setting is set to True only. https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/assign-user-or-group-access-portal?pivots=portal

Answer is E. Security groups: Azure Resources: Security groups can be used to manage access to Azure resources such as virtual machines, databases, and other services. SharePoint Sites: They can control access to SharePoint sites and libraries. Applications: Security groups can be assigned to enterprise applications in Azure AD to manage user access. Licenses: They can be used to assign licenses to users. Mail-enabled security groups: Email Distribution: These groups are primarily used for email distribution and can also grant access permissions to resources in Active Directory. Exchange Online: They are managed through the Exchange admin center and are used for both email distribution and security