You have an Azure AD tenant that contains two users named User1 and User2.
You plan to perform the following actions:
• Create a group named Group1.
• Add User1 and User2 to Group1.
• Assign Azure AD roles to Group1.
You need to create Group1.
Which two settings can you use? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
To create a group in Azure AD that can have Azure AD roles assigned to it, you need to ensure that the group type and membership type are compatible with this feature. You can use either a Microsoft 365 group with an assigned membership type or a Security group with an assigned membership type. Dynamic membership types are not suitable for assigning Azure AD roles as it could lead to unintended elevation of permissions based on dynamic attributes.
Correct, when you create a group you MUST enable "azure ad roles can be assigned to the group" (cannot be done afterwards). If you enable this feature when creating a group, dynamic groups are getting greyed out / disabled. So yes, only assigned security and assigned m365 groups
Just confirmed on my tenant
A. Group type: Microsoft 365 - Membership type: Assigned B. Group type: Security - Membership type: Assigned
correct and logical. Any dynamic group would be able to give you elevated permissions just because you changed a certain attribute? that would defeat the whole purpose of using PIM.
A. Group type: Microsoft 365 - Membership type: Assigned B. Group type: Security - Membership type: Assigned
A. Group type: Microsoft 365 - Membership type: Assigned B. Group type: Security - Membership type: Assigned
Correct - Tested and when you select either M365 Group as Group type or Security, the default Assignment Type is "Assigned" This can't be changed