Exam MS-101 topic 3 question 89 discussion

Wouldn't this be B since Group1 is a dynamic group? Therefore user attribute should have been changed, otherwise user1 would be added back in the group automatically..

Finally got time to test this scenario out. I agree with Smoo. I can see two entries. One from the "Removed member from group". Which shows the user was removed but not who did it. On the Updated user entry, I can see the ID was updated/removed and the user that did it. You need to expand the entry to see more details under "ModifiedProperties". The answer is B.

A. Can't be true since its a dynamic group and direct removal not possible B. Most likely scenario as change of attribute on basis of which dynamic group membership was evaluated if changed by an admin then user would be out C. Its still possible as one can change the group definition itself and new definition can be anything else to keep the user out but I would not chose this option in exam as if that's the case, many users would be impacted. If multiple choice, then I would chose B & C and if single choice then B

mumbling about it I would say, if the query was changed, maybe more than one user would be removed so the "more" probable option is an user modification? but it's a speculation

it miss too much info, if the query was changed it's C (maybe it's a multiple and statement query and user miss one) or the user itself was changed and it doesn't match the query anymore.. who knows

B since Group1 is a dynamic group

Just to really throw a wrench in all this...there is no "Security and Compliance" dashboard, there are two -- MS 365 Defender (Security) and Compliance. So old quesiton that isn't good anymore?

Activity - Updated user, user=admin who changed, item=affected user, click for details, scroll to ModifiedProperties to see what was changed. The next logged event for item (affected user) will be by "service principal_" activity = Removed member from group. Answer is B 100% - I am auditing this for our compliance on a daily basis.

agree with some others - can be B or C that could cause this, but as F_M says I would think most likely they are looking for B as it only mentions 1 user being effected. Perfectly feasible of course that the rule could have been changed to effect just one user, but without full info we have to take a best guess here

C is the answer. just test in my environment. no recrd in update user audit log but record to show i changed the query in the dynamic group in update group so that the user was excluded from the group membership.

I think both B and C can be valid answers. By the way the question states that only one user can't access the group anymore so I would say that is more likely a change on the user properties. If the dynamic membership rule was change I expect that more than one user lost the access. With this specific question wording and answer set, I would go with B.

Tested in my lab. The correct answer is B. An administrator performed a change on User 1 attributes and broke the match with dynamic group membership. This action is audit under "User administration activities - Updated user"

For me is not clear. I can update the query for the dynamic group. Bu I can also edit a user property, location as a sample and user i also out of group. But I think she mean answer B.

C A: This is a dynamic group, after you create the group, you cannot change it from a dynamic group to a static group, you must re-create the group. Hence, the only way to remove the member is to either change the query or the user attributes (whatever that is) that will add the user to the group. It all depends on the query. B: While this can be an answer it cannot guarantee that the user is removed from the group. It all depends on how the group membership query is constructed which may or may not be based on the user attributes. C: This is the only way that the user can be removed from the group which is by modifying the query itself.

I think answer C. This can help https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide#user-administration-activities

Part of the question states "You suspect that an administrator made a change that caused User1 to be removed from Group1" That is the key to which answer is correct. Therefore, I go with C.

B... When an attribute changes for a user or device, all dynamic group rules in the organization are processed for membership changes. Tested with an existing customer