https://cloud.google.com/architecture/identity/federating-gcp-with-active-directory-synchronizing-user-accounts?hl=en https://cloud.google.com/architecture/identity/federating-gcp-with-active-directory-synchronizing-user-accounts?hl=en#deciding_where_to_deploy_gcds

C. Install Google Cloud Directory Sync and connect it to Active Directory and Cloud Identity. E. Create Identity and Access Management (IAM) groups with permissions corresponding to each Active Directory group.

GCDS is already creating the groups automatically. We need to create the IAM roles to assign to those groups. So D, not E

CD Why not E?: IAM groups in Google Cloud are separate entities from IAM roles. While you could create IAM groups that mirror Active Directory groups, directly mapping permissions to IAM roles based on the corresponding Active Directory groups offers a more efficient and granular approach to access control.

Answer is C and D.

ANSWER C and E C. Install Google Cloud Directory Sync and connect it to Active Directory and Cloud Identity: Google Cloud Directory Sync (GCDS) is used to synchronize user and group information from on-premises Active Directory to Google Cloud Identity. This step ensures that user and group information is consistent across both environments. E. Create Identity and Access Management (IAM) groups with permissions corresponding to each Active Directory group: Once the synchronization is set up, you can create IAM groups in Google Cloud that mirror the Active Directory groups. Assign permissions to these IAM groups based on the roles and access levels required for each group. This approach simplifies access management by aligning Google Cloud permissions with existing Active Directory groups.

C and D I think, we don't need to create group, as it will be synced from AD, we only need to focus on creating the role for the group.

Answers: B & C... There is NO such thing as IAM groups in GCP

GCDS is already creating the groups automatically. We need to create the IAM roles to assign to those groups. So D, not E

Bard says CE. User and Groups are already imported with GCDS, so you need to focus on creating roles

Not Ek as the groups are already synced and retrieved, so roles will be attached to them

CE are seems to be coorect. B is required only for SSO. GCDS would also provision user and group.

CD is correct

There is a possibility to synchronize groups between AD and Google Cloud so why not to use it and focus on creating roles https://cloud.google.com/architecture/identity/federating-gcp-with-active-directory-introduction?hl=en#mapping_groups

CD is the right answer. C> sync with AD user and groups ; D> give users and groups the roles in IAM.

GCDS is required to sync users and groups. Once these get synced, you don't need E anymore because the groups will already be available in cloud identity. The next thing will be to map (create) roles to the groups already available in Active Directory.

Roles should be provided by Auth provider