
Exam SC-100 topic 2 question 42 discussion

Actual exam question from Microsoft's SC-100
Question #: 42
Topic #: 2

HOTSPOT -

Your network contains an on-premises Active Directory Domain Services (AD DS) domain. The domain contains a server that runs Windows Server and hosts shared folders. The domain syncs with Azure AD by using Azure AD Connect. Azure AD Connect has group writeback enabled.

You have a Microsoft 365 subscription that uses Microsoft SharePoint Online.

You have multiple project teams. Each team has an AD DS group that syncs with Azure AD.

Each group has permissions to a unique SharePoint Online site and a Windows Server shared folder for its project. Users routinely move between project teams.

You need to recommend an Azure AD Identity Governance solution that meets the following requirements:

• Project managers must verify that their project group contains only the current members of their project team.
• The members of each project team must only have access to the resources of the project to which they are assigned.
• Users must be removed from a project group automatically if the project manager has NOT verified the group's membership for 30 days.
• Administrative effort must be minimized.

What should you include in the recommendation? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.


Comments

Victory007
Highly Voted 1 year, 8 months ago
1. Access Reviews. 2. Enable group write back for the existing synced group. https://learn.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview.
upvoted 45 times
Er_01
2 months, 2 weeks ago
In looking at the interface, it asks which feature in ID gov can do this. You can configure an access review in an access package under EM or as a stand-alone option in an AR. However, part 2 of the question is ensuring only a group has access. So is it inferring access by the nature of the AR, or is it explicit as with an AP under EM? With the 2nd line being vague, it could be either one based on unstated assumptions. Admin effort leans toward EM as you do all in a package; still, it is based on the implicit or explicit view of access.
upvoted 1 times
casualbork
1 year, 7 months ago
• Project managers must verify that their project group contains only the current members of their project team. This means access reviews; Lifecycle Workflow would do all of this automatically based on the user attributes (such as department or team). You have multiple project teams. Each team has an **AD DS group** that **syncs with Azure AD** (these being the key to find the correct answer). Each group has permissions to a unique SharePoint Online site and a Windows Server shared folder for its project. Users routinely move between project teams. The correct answer is "Enable group write back for the existing synced group." Therefore, the answer Victory007 has provided is the correct answer.
upvoted 10 times
ServerBrain
1 year, 8 months ago
You are correct. Azure AD Connect has group writeback enabled, no need to create new groups.
upvoted 3 times
NICKTON81
Highly Voted 1 year, 4 months ago
1 - Entitlement management is an identity governance feature that enables organizations to manage identity and access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration. https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-overview 2. Enable group write back for the existing synced group.
upvoted 7 times
424ede1
Most Recent 1 month ago
Entitlement management. The link below contains all requirements! https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-overview#what-can-i-do-with-entitlement-management
upvoted 1 times
Er_01
2 months, 3 weeks ago
Access Reviews do not meet the 2nd requirement of ensuring access to resources. AR does 1 and 3. Identity Governance does all 3, as Reviews and Packages are part of it.
upvoted 1 times
Dan91
5 months, 4 weeks ago
To meet the requirements of the question, the answer has to be: 1. Entitlement Management - there is a requirement to restrict access only to resources that the user is required to access. Whilst this can be done through various methods, the only option provided that achieves this is Entitlement Management. Secondly, access reviews must be conducted where, if there is no response, the access is automatically removed. This also can be achieved through Entitlement Management (see below link). 2. Enable group write back for the existing synced group. https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-access-reviews-create?source=recommendations https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-overview https://learn.microsoft.com/en-us/entra/identity/hybrid/group-writeback-cloud-sync
upvoted 1 times
RenegadeOrange
7 months ago
1. Access Reviews. You can set it to remove if there is no response from the reviewer. 2. Entra ID, create a security group for each project and enable group writeback for each group: it has to be a cloud group; on-premises cannot be configured with writeback. That feature was deprecated back in June 24, but the new Microsoft Entra Cloud Sync feature called Group Provision to Active Directory can be used instead of Group Writeback. https://learn.microsoft.com/en-us/entra/identity/hybrid/group-writeback-cloud-sync
upvoted 1 times
jvallespin
9 months ago
1. Access Reviews: when the approver does not reply to the access review, you can configure an action like removing users. 2. Azure AD, create a security group for each project and enable group writeback for each group: already created synced groups from on-premises cannot be configured with writeback. Creating new cloud groups would only work if cloud sync had been configured for all groups, which is not mentioned in the question text.
upvoted 2 times
pokus00132
9 months, 1 week ago
1. Access Reviews. 2. Azure AD, create a security group for each project and enable group writeback for each group. You need to create a cloud Entra ID (Azure AD) group and then select the group and enable it for writeback. You can't enable writeback for a group that is synchronized from Windows AD to Entra ID. If you create a new cloud-only security group for each project, group writeback is not automatically enabled.
upvoted 1 times
emartiy
10 months ago
Box1: Access review (under the Entitlement management of Identity Governance). Box2: From Azure AD, create a new cloud-only security group for each project. --- Group Writeback v2: With the release of provisioning agent 1.1.1370.0, Cloud Sync now supports group writeback. Cloud Sync provisions groups directly to your on-premises AD environment. You can use identity governance features to manage access to AD-based applications by including a group in an entitlement management access package.
upvoted 1 times
emartiy
10 months ago
You can't update on-prem AD groups via Azure AD. Therefore, you need a cloud-only group, and it will also be synced to on-prem thanks to the Azure AD Connect tool's group writeback feature.
upvoted 2 times
jayek
10 months, 1 week ago
https://learn.microsoft.com/en-us/entra/id-governance/deploy-access-reviews#review-access-to-on-premises-groups
upvoted 1 times
ayadmawla
1 year, 2 months ago
I am sorry to contradict, but Lifecycle Workflow is exactly what is needed; see: https://learn.microsoft.com/en-us/entra/id-governance/what-are-lifecycle-workflows#when-to-use-lifecycle-workflows Automating group membership: When groups in your organization are well defined, you can automate user membership in those groups. Lifecycle workflows manage static groups, where you don't need a dynamic group rule. There's no need to have one rule per group. Lifecycle workflow rules determine the scope of users to execute workflows against, not which group.
upvoted 1 times
Mnguyen0503
1 year ago
You're missing the point here. The key info is that managers must approve group membership. This is what access reviews are designed to do. In the access review configuration, you can determine what to do when the access review is not completed, which meets the other requirement as well.
upvoted 1 times
Murtuza
1 year, 3 months ago
Project managers must verify = IMPLIES ACCESS REVIEW
upvoted 2 times
Ramye
1 year, 3 months ago
But how does this satisfy this requirement ---> "Users must be removed from a project group automatically if the project manager has NOT verified the group's membership for 30 days"? See, it says automatically.
upvoted 1 times
harimurti20
1 year, 4 months ago
Given answer is correct: Lifecycle Workflow is correct, as per the requirement: Users must be removed from a project group automatically if the project manager has NOT verified the group's membership for 30 days.
upvoted 1 times
jvallespin
9 months, 1 week ago
This is a setting: "Remove Access if reviewers don't respond" in the Access review configuration https://learn.microsoft.com/en-us/entra/id-governance/create-access-review#next-settings
upvoted 2 times
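The setting quoted in the comment above ("Remove access if reviewers don't respond") maps to the defaultDecision / defaultDecisionEnabled / autoApplyDecisionsEnabled properties of an access review definition in Microsoft Graph. The following script is an added example, not code from the ExamTopics page or from any commenter: it creates a recurring access review of one project group's membership, with the group's owners (assumed here to be the project managers) as reviewers, a 30-day review window, and a default decision of Deny applied automatically when nobody responds. It uses the Microsoft.Graph.Identity.Governance module; the group object ID is a placeholder you replace.

```powershell
# Added example (not from the page or its commenters). Assumes the Microsoft.Graph
# PowerShell SDK is installed and the signed-in account can be granted
# AccessReview.ReadWrite.All. The group ID is a placeholder.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$groupId = "<PROJECT-GROUP-OBJECT-ID>"     # placeholder: object ID of the project group
$today   = (Get-Date).ToString("yyyy-MM-dd")

$params = @{
    displayName          = "Project team membership review"
    descriptionForAdmins = "Monthly attestation of project group membership by the project manager"
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$groupId/transitiveMembers"   # review the group's members
        queryType     = "MicrosoftGraph"
    }
    reviewers = @(
        @{
            query     = "/groups/$groupId/owners"   # assumption: project manager is a group owner
            queryType = "MicrosoftGraph"
        }
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true
        instanceDurationInDays          = 30      # reviewer has 30 days to respond
        defaultDecisionEnabled          = $true   # apply a default if the reviewer does not respond
        defaultDecision                 = "Deny"  # default = remove the member
        autoApplyDecisionsEnabled       = $true   # apply results without a separate admin step
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 1 }
            range   = @{ type = "noEnd"; startDate = $today }
        }
    }
}

# Create the review definition and show what was created.
$definition = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $params
$definition | Select-Object Id, DisplayName, Status
```

Auto-applying a Deny decision only removes the member if Entra ID can write to that group's membership. For a group that was synced from AD DS, that is where the second box of the question comes in: the removal has to flow back to the on-premises group through group writeback, which the deploy-access-reviews link posted by jayek above covers under "review access to on-premises groups".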
smanzana
1 year, 6 months ago
Box1: Access Reviews. Box2: Enable group write back for the existing synced group.
upvoted 3 times
ConanBarb
1 year, 7 months ago
To add some detail to the discussion: Lifecycle Workflows could have been an option, and actually a better one than Access Reviews, but isn't, due to 1) the requirements say "Users must be removed from a project group automatically if the project manager has NOT verified the group's membership for 30 days." 2) LC Workflows require Microsoft Entra ID Governance licenses (which we can't assume). Lifecycle Workflows, if valid, would have been better as they are automatic and event driven (happen instantly) and not every 30 days or so.
upvoted 1 times
ayadmawla
1 year, 2 months ago
This is a Logic Apps functionality that can be included within Lifecycle Workflows.
upvoted 1 times
sbnpj
1 year, 8 months ago
I agree with Victory007, it's 1. Access Reviews and 2. Enable group write back for the existing synced group.
upvoted 2 times
saurabh123sml
1 year, 8 months ago
Given answer is correct, it seems: Lifecycle Workflows, writeback enabled.
upvoted 2 times