AZ-304 Exam - Question 67


A company named Contoso, Ltd. has an Azure Active Directory (Azure AD) tenant that is integrated with Microsoft 365 and an Azure subscription.

Contoso has an on-premises identity infrastructure. The infrastructure includes servers that run Active Directory Domain Services (AD DS), Active Directory Federation Services (AD FS), Azure AD Connect, and Microsoft Identity Manager (MIM).

Contoso has a partnership with a company named Fabrikam, Inc. Fabrikam has an Active Directory forest and a Microsoft 365 tenant. Fabrikam has the same on-premises identity infrastructure components as Contoso.

A team of 10 developers from Fabrikam will work on an Azure solution that will be hosted in the Azure subscription of Contoso. The developers must be added to the Contributor role for a resource group in the Contoso subscription.

You need to recommend a solution to ensure that Contoso can assign the role to the 10 Fabrikam developers. The solution must ensure that the Fabrikam developers use their existing credentials to access resources.

What should you recommend?

Correct Answer: A

To ensure the Fabrikam developers can use their existing credentials to access the resources in Contoso's Azure subscription, configuring an AD FS relying party trust between the Fabrikam and Contoso AD FS infrastructure is the appropriate solution. This setup allows the Fabrikam developers to authenticate using their existing credentials through their AD FS, providing access to Contoso's resources without needing to create new accounts or guest accounts.

Discussion

syu31svc
Oct 3, 2021

"Contoso has a partnership with a company named Fabrikam" so this would mean Azure AD B2B https://docs.microsoft.com/en-us/azure/active-directory/external-identities/what-is-b2b Answer is D

VincentZhang
Sep 28, 2021

Answer is correct

Uglydotcom (Option: D)
Feb 5, 2022

Only D is providing Guest access to Contoso. Guest access will allow them to use their creds.

ksml
Oct 13, 2021

Why not B? I don't see any MIM reference on linked page: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/what-is-b2b

examineezer
Dec 28, 2021

Reference to MIM here https://docs.microsoft.com/en-us/azure/active-directory/external-identities/hybrid-cloud-to-on-premises

examineezer
Dec 28, 2021

Apologies - the link above seems to be specifically for accessing on-premise applications. You may be right, maybe it is B.

examineezer
Dec 28, 2021

Nope - B is wrong because: "A cloud-only user account is an account that was created in your Azure AD directory using either the Azure portal or Azure AD PowerShell cmdlets. These user accounts aren't synchronized from an on-premises directory." ...and... "The solution must ensure that the Fabrikam developers use their existing credentials to access resources."

examineezer
Dec 28, 2021

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance#enable-user-accounts-for-azure-ad-ds

agente232
Jan 6, 2022

answer D does not fulfill the requirements as it is creating guest accounts D. In the Azure AD tenant of Contoso, use MIM to create guest accounts for the Fabrikam developers.

yyuryyucicuryyforme
Jan 17, 2022

Actually answer D does certainly work for granting Fabrikam Azure AD tenant existing identities access to Contoso Azure subscription resources

yyuryyucicuryyforme
Jan 17, 2022

https://docs.microsoft.com/en-us/microsoft-identity-manager/microsoft-identity-manager-2016-connector-graph

jr_luciano
Feb 10, 2022

But if you create guest accounts, you are not meeting this requirement: "The solution must ensure that the Fabrikam developers use their existing credentials to access resources."

jr_luciano
Feb 10, 2022

Sorry, the given answer is correct!