Exam SC-300 topic 4 question 28 discussion

Actual exam question from Microsoft's SC-300
Question #: 28
Topic #: 4

HOTSPOT -
Your network contains an on-premises Active Directory domain that syncs to an Azure Active Directory (Azure AD) tenant.
The tenant contains the groups shown in the following table.

The tenant contains the users shown in the following table.

You create an access review as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: No -
User1 is a member of Group1. Group1 is in the cloud. Group1 is a member of Group3. Group3 is in the cloud.
The access review applies to Group3, but not to Group1. The access review is set up to remove access if reviewers don't respond.

Box 2: Yes -
User2 is a member of Group2. Group1 is in an Active Directory domain.
The access review applies to Group2.

Box 3: No -
User3 is a member of Group3, not of Group2.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview

Comments

f3dj4
Highly Voted 2 years, 4 months ago
This should be N N N. User1's membership cannot be managed since he is a member of a nested group. User2's membership cannot be managed since he is a part of Group2 which is an AD group (not AAD). User3 is not the member of Group2.
upvoted 28 times
jack987
2 years, 1 month ago
I agree with f3dj4. The answer is N N N.
upvoted 1 times
...
mcas
2 years, 2 months ago
User1's membership cannot be managed because he is not synced, he is only on-prem, not because he is a member of a nested group
upvoted 2 times
Tanidanindo
1 year, 6 months ago
The fact that he is not directory synced means it's a cloud account.
upvoted 4 times
...
...
...
haovo
Highly Voted 2 years, 1 month ago
This question is on the exam today Dec 28th 2022. But the user group table is different. User2 is a member of Group3 and User3 is a member of Group2.
upvoted 8 times
Santeria
2 years, 1 month ago
So it's NNY?
upvoted 3 times
BB6919
2 years ago
So, it should be NYN as given in the answer. Because user2 which is a cloud account will be part of a cloud group and will get affected by access review.
upvoted 6 times
...
...
...
hml_2024
Most Recent 4 months, 3 weeks ago
User1 will be removed automatically from Group1 if the user does not respond to the review request. No: The review only targets Group2 and Group3, not Group1. Therefore, User1’s membership in Group1 is not part of the review. User2 will be removed automatically from Group3 if the user does not respond to the review request. No: User2 is not a member of Group3. The review targets Group2 and Group3, but User2 is only a member of Group2. User3 will be removed automatically from Group2 if the user does not respond to the review. No: User3 is not a member of Group2, they are a member of Group3. Therefore, User3’s membership in Group2 is irrelevant in this case.
upvoted 2 times
...
OK2020
1 year, 6 months ago
Given the question correction: User2-Group3 & User3-Group2. The answer is: NYN
upvoted 6 times
lahl
1 year, 3 months ago
I confirm that it comes in the exam as: User2-Group3 & User3-Group2. So the answer is: NYN
upvoted 1 times
Nail
3 months, 1 week ago
So confused by your answer. How can User2 be removed from a group that it doesn't belong to?
upvoted 2 times
...
...
Hull
1 year, 5 months ago
I do believe this is the case, User2, which is a cloud user, cannot be a member of AD synced group in the first place.
upvoted 2 times
...
...
dule27
1 year, 7 months ago
No No No
upvoted 2 times
...
haskelatchi
1 year, 8 months ago
Answer is N, N, N on folks nem
upvoted 1 times
...
splearner
1 year, 10 months ago
On exam 2023-03-28, but they corrected it: the second table now says User2 belongs to Group3 and User3 belongs to Group2. Makes more sense now.
upvoted 4 times
...
Ikeinater
2 years, 1 month ago
NNN. User 1 is in group 1, outside the scope of the review. User 2 is not in group 3, so can't be removed from a group not a member of. User 3 not in group 2, so can't be removed from a group not a member of.
upvoted 6 times
...
Cloud_apps
2 years, 2 months ago
Does anyone know the proper answer for this? It's messing with my progress.
upvoted 1 times
...
Jhill777
2 years, 2 months ago
Access reviews can't change the group membership of groups that you synchronize from on-premises with Azure AD Connect. This restriction is because the source of authority is on-premises. https://learn.microsoft.com/en-us/azure/active-directory/governance/deploy-access-reviews
upvoted 3 times
...
Elpresidento27
2 years, 3 months ago
https://learn.microsoft.com/en-us/azure/active-directory/governance/complete-access-review#apply-the-changes - "Manually or automatically applying results doesn't have an effect on a group that originates in an on-premises directory." - "For users who have membership through a nested group, we will not remove their membership to the nested group and therefore they will retain access to the resource being reviewed."
upvoted 6 times
chikorita
1 year, 10 months ago
very informative
upvoted 2 times
...
...
Hot_156
2 years, 4 months ago
***Group 3 is a cloud group*** user2 is a cloud user**** They can be managed by Azure AD access review
upvoted 1 times
Hot_156
2 years, 4 months ago
User2 is not a member of the group3 so that doesn't apply. Also, a cloud account cannot be a member of a synced group, so how is that user2 a member of Group2????
upvoted 2 times
[Removed]
2 years, 4 months ago
possible if there is a group writeback for group2
upvoted 2 times
...
...
...
geobarou
2 years, 4 months ago
Please some help with question2. Why is Yes? User2 is not a member of Group3.
upvoted 8 times
purek77
2 years, 1 month ago
It should be No due to below. Especially 2nd paragraph: Access Reviews can't change the group membership of groups that you synchronize from on-premises with Azure AD Connect. This is because the source of authority is on-premises. You can still use Access Reviews to schedule and maintain regular reviews of on-premises groups. Reviewers will then take action in the on-premises group.
upvoted 4 times
...
...