Exam MS-101 topic 2 question 35 discussion

Actual exam question from Microsoft's MS-101
Question #: 35
Topic #: 2

HOTSPOT -
You have a Microsoft Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.

Group3 is a member of Group1.
Your company uses Microsoft Defender Advanced Threat Protection (ATP). Microsoft Defender ATP contains the roles shown in the following table.

Microsoft Defender ATP contains the device groups shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:

Comments

TFou0076
Highly Voted 4 years, 2 months ago
Nested groups are not supported in AAD, so User3 cannot sign in to the Security Center. Answer YYN.
upvoted 38 times
MSGrady
4 years, 2 months ago
Is there a place to go to to support this? If the user 3 in Group 3 is a member of Group1, shouldn't user 3 be able to sign in?
upvoted 2 times
SimoneV
4 years, 2 months ago
No nesting. A group can't be added as a member of a role-assignable group. https://docs.microsoft.com/en-us/azure/active-directory/roles/groups-concept#why-we-enforce-creation-of-a-special-group-for-assigning-it-to-a-role
upvoted 7 times
ALPHA_DELTA
Highly Voted 4 years, 2 months ago
Believe this one is Y Y Y. User 2 is part of Group 2, which has view permissions for the Security Center, which would allow them to sign in.
upvoted 14 times
lucidgreen
4 years, 1 month ago
Nested groups are supported in AAD, but are they supported in ATP? If so, Y, Y, Y. If not, Y, Y, N.
upvoted 3 times
lucidgreen
4 years ago
I think nested groups for role assignment, if it works, would be a new thing.
upvoted 1 times
Mrawrrr
4 years, 1 month ago
Group nesting in MSDfE works well. I was able to get the same permissions from the nested group as from the parent group.
upvoted 2 times
lucidgreen
3 years, 11 months ago
I think nesting works for certain things, but not for role assignment.
upvoted 1 times
bac0n
Most Recent 2 years, 6 months ago
YYY; Nested groups are not supported in Azure AD, but they ARE supported for Microsoft Defender for Endpoint. Just make security groups and do not enable the "enable role assignment" option. You can assign the role in the Defender for Endpoint, nest the second security group in the first, add the user to the second security group and boom, they'll have that role. I tested in my demo tenant with a test user, two test security groups with the defender for endpoint Admin role and boom it works.
upvoted 5 times
fpin01
2 years, 7 months ago
https://github.com/MicrosoftDocs/azure-docs/issues/97022
upvoted 1 times
fpin01
2 years, 7 months ago
Last bullet point in this document: https://docs.microsoft.com/en-us/azure/active-directory/roles/groups-concept#how-are-role-assignable-groups-protected states "Group nesting is not supported. A group can't be added as a member of a role-assignable group." This is not exactly accurate, as it is possible to assign a group as a member of a role-assignable group.
upvoted 1 times
KrisCyclo
2 years, 8 months ago
Box 3: Yes. User3 is in Group3 which is assigned the Windows ATP Administrator role. Someone with a Microsoft Defender ATP Global administrator role has unrestricted access to all machines, regardless of their machine group association and the Azure AD user groups assignments.
upvoted 1 times
alonso_mosley
2 years ago
"User3 is in Group3 which is assigned the Windows ATP Administrator role." Really? Where did you see this written?
upvoted 2 times
Durden871
3 years, 3 months ago
Nesting is not supported for roles. Period. The following scenarios are not supported with nested groups: App role assignment, for both access and provisioning. Assigning groups to an app is supported, but any groups nested within the directly assigned group won't have access. Group-based licensing (assigning a license automatically to all members of a group). Microsoft 365 Groups. https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/directory-service-limits-restrictions
upvoted 2 times
Durden871
3 years, 3 months ago
At this time, the following scenarios are supported with nested groups: One group can be added as a member of another group, and you can achieve group nesting. Group membership claims. When an app is configured to receive group membership claims in the token, nested groups in which the signed-in user is a member are included. Conditional access (when a conditional access policy has a group scope). Restricting access to self-serve password reset. Restricting which users can do Azure AD Join and device registration. https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/directory-service-limits-restrictions Group nesting is not supported. A group can't be added as a member of a role-assignable group. https://docs.microsoft.com/en-us/azure/active-directory/roles/groups-concept This isn't a CA, this is role-based assignment.
upvoted 2 times
puuyii96
3 years, 10 months ago
YYN. Nesting is not supported for Azure AD role assignment: "Group nesting is not supported. A group can't be added as a member of a role-assignable group." https://docs.microsoft.com/en-us/azure/active-directory/roles/groups-concept
upvoted 8 times
jkklim
3 years, 7 months ago
Group nesting is not supported. A group can't be added as a member of a role-assignable group. ==> therefore it is YYN
upvoted 2 times
F_M
3 years, 10 months ago
Did some trials. Turns out that ATP (Microsoft Defender for Endpoint, now) supports nested groups role assignment. If you assign a role in ATP to a group, users belonging to nested groups will be assigned that role. Y | Y | Y
upvoted 7 times
encxorblood
3 years, 10 months ago
Group nesting is not supported. A group can't be added as a member of a role-assignable group. Y-Y-N
upvoted 1 times
NikPat3125
3 years, 11 months ago
came in exam 27.07.2021
upvoted 9 times
ferrit
3 years, 11 months ago
I swear during revising today every question that I'm thinking the given answer is wrong and come to review you're here telling me it's in the exam :D
upvoted 12 times
LoremanReturns
3 years, 11 months ago
YYN, group nesting is not supported. https://docs.microsoft.com/en-us/azure/active-directory/roles/groups-concept#how-are-role-assignable-groups-protected "Group nesting is not supported. A group can't be added as a member of a role-assignable group."
upvoted 8 times
MiZi
4 years, 1 month ago
Just tested. Nested groups work (just tested it). So in this scenario, I would select: Y Y Y
upvoted 7 times
Ceuse
4 years, 1 month ago
Is it officially supported though? Can't find information about that anywhere, sadly.
upvoted 2 times
Durden871
3 years, 3 months ago
I don't think it's officially supported according to the two following links that explicitly say roles don't support nested groups. https://docs.microsoft.com/en-us/azure/active-directory/roles/groups-concept https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/directory-service-limits-restrictions
upvoted 1 times
init2winit
4 years, 1 month ago
YYY - Nested Sec groups is OK. You can add an existing Security group to another existing Security group (also known as nested groups), creating a member group (subgroup) and a parent group. The member group inherits the attributes and properties of the parent group, saving you configuration time. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-membership-azure-portal
upvoted 4 times
Durden871
3 years, 3 months ago
Roles aren't supported for group nesting.
upvoted 1 times
Requi3m
3 years, 11 months ago
Regular security groups can be nested. But when you create a security group with the isAssignableToRole set to true, it can no longer be done. The question is misleading though, because it says "Group 3 is a member of group 1". This should not be possible if group 1 was created as a role assignable group. So unless ATP roles can be assigned to regular security groups somehow, the answer should be YYN. https://docs.microsoft.com/en-us/azure/active-directory/roles/groups-concept#why-we-enforce-creation-of-a-special-group-for-assigning-it-to-a-role
upvoted 1 times
MSGrady
4 years, 2 months ago
It is in fact YYN. TFou0076, you are correct, nested groups are not supported in Azure AD.
upvoted 3 times
Goseu
4 years, 1 month ago
At this time the following are the supported scenarios with nested groups. One group can be added as a member of another group and you can achieve group nesting. Group membership claims (when an app is configured to receive group membership claims in the token, nested groups in which the signed-in user is a member are included). Conditional access (when a conditional access policy has a group scope). Restricting access to self-serve password reset. Restricting which users can do Azure AD Join and device registration. The following scenarios DO NOT support nested groups: App role assignment (assigning groups to an app is supported, but groups nested within the directly assigned group will not have access), both for access and for provisioning. Group-based licensing (assigning a license automatically to all members of a group). Microsoft 365 Groups.
upvoted 1 times
slaoui
4 years, 2 months ago
Yes Yes No. User 1 is part of group 1 and group 1 has the role1 permissions for the machine device1. User 2 is part of group 2 and group 2 has view permissions from role2 so they can sign in (it doesn't matter what they can view). User 3 is not part of any group. Y, Y, N
upvoted 5 times
HvD
4 years, 1 month ago
Read again: User3 is part of Group3.
upvoted 2 times
eroc1990
3 years, 7 months ago
And for this case, nested groups are not supported and won’t pass permissions down from the parent group.
upvoted 1 times
Rens19991
4 years, 2 months ago
I think Yes Yes No here.
upvoted 3 times
MSGrady
4 years, 2 months ago
How can User 3 in group 3 view device 1?
upvoted 1 times
malamos
4 years, 2 months ago
group3 is part of group1
upvoted 2 times
bdedecker
4 years ago
Can't see where you found that?
upvoted 1 times
bdedecker
4 years ago
nevermind, I looked over it ;)
upvoted 2 times
Durden871
3 years, 3 months ago
It shouldn't matter. Nesting isn't supported for roles according to Microsoft. https://docs.microsoft.com/en-us/azure/active-directory/roles/groups-concept https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/directory-service-limits-restrictions
upvoted 1 times
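
The disagreement in the comments above comes down to whether a role assigned to Group1 is evaluated against direct or transitive (nested) membership. The following is an added example, not part of the original discussion and not Microsoft tooling: it models both evaluations on a constructed directory built from the memberships and role assignments the commenters describe (the question's tables are not reproduced on this page) and reports which grants exist only because of nesting.

```python
# Added illustration; the directory below is constructed from the comments,
# not taken from the exam's tables or from any real tenant.
from collections import deque

# principal -> groups it belongs to directly (users and groups alike)
MEMBER_OF = {
    "User1": {"Group1"},
    "User2": {"Group2"},
    "User3": {"Group3"},
    "Group3": {"Group1"},  # the nesting stated in the question
}

# role -> groups the role is assigned to (as the commenters describe it)
ROLE_GROUPS = {
    "Role1": {"Group1"},
    "Role2": {"Group2"},
}

def direct_groups(principal):
    """Groups the principal is an immediate member of."""
    return set(MEMBER_OF.get(principal, ()))

def transitive_groups(principal):
    """All groups reachable through nesting (breadth-first, cycle-safe)."""
    seen, queue = set(), deque(direct_groups(principal))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue  # already expanded; also stops membership loops
        seen.add(group)
        queue.extend(MEMBER_OF.get(group, ()))
    return seen

def roles_for(principal, transitive):
    """Roles held under direct-only or transitive membership evaluation."""
    groups = transitive_groups(principal) if transitive else direct_groups(principal)
    return {role for role, assigned in ROLE_GROUPS.items() if assigned & groups}

def nesting_dependent_grants():
    """Users whose role set differs between the two models: the ones to audit."""
    report = {}
    for user in sorted(p for p in MEMBER_OF if p.startswith("User")):
        extra = roles_for(user, True) - roles_for(user, False)
        if extra:
            report[user] = sorted(extra)
    return report

if __name__ == "__main__":
    for user in ("User1", "User2", "User3"):
        print(user, sorted(roles_for(user, False)), sorted(roles_for(user, True)))
    print("granted only via nesting:", nesting_dependent_grants())
```

Against a real tenant, the same comparison can be made with Microsoft Graph, where `/groups/{id}/members` returns direct members and `/groups/{id}/transitiveMembers` returns the flattened set.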