Exam AZ-301 topic 2 question 15 discussion

Actual exam question from Microsoft's AZ-301
Question #: 15
Topic #: 2

A company named Contoso, Ltd. has an Azure Active Directory (Azure AD) tenant that is integrated with Microsoft Office 365 and an Azure subscription.
Contoso has an on-premises identity infrastructure. The infrastructure includes servers that run Active Directory Domain Services (AD DS), Active Directory Federation Services (AD FS), Azure AD Connect, and Microsoft Identity Manager (MIM).
Contoso has a partnership with a company named Fabrikam, Inc. Fabrikam has an Active Directory forest and an Office 365 tenant. Fabrikam has the same on-premises identity infrastructure as Contoso.
A team of 10 developers from Fabrikam will work on an Azure solution that will be hosted in the Azure subscription of Contoso. The developers must be added to the Contributor role for a resource in the Contoso subscription.
You need to recommend a solution to ensure that Contoso can assign the role to the 10 Fabrikam developers. The solution must ensure that the Fabrikam developers use their existing credentials to access resources.
What should you recommend?

  • A. Configure a forest trust between the on-premises Active Directory forests of Contoso and Fabrikam.
  • B. Configure an organization relationship between the Office 365 tenants of Fabrikam and Contoso.
  • C. In the Azure AD tenant of Contoso, enable Azure Active Directory Domain Services (Azure AD DS). Create a one-way forest trust that uses selective authentication between the Active Directory forests of Contoso and Fabrikam.
  • D. In the Azure AD tenant of Contoso, create guest accounts for the Fabrikam developers.
Suggested Answer: D
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-external-users
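
The suggested answer in practice, as an added example that is not part of the exam page: inviting the Fabrikam developers as B2B guests into the Contoso tenant and granting Contributor on a single resource. It assumes the Microsoft Graph and Az PowerShell modules are installed; the tenant ID, resource ID and e-mail addresses are constructed placeholders.

```powershell
# Added example: B2B guest invitation plus a resource-scoped Contributor assignment.
# Assumes the Microsoft.Graph and Az modules. All values below are placeholders.

$ContosoTenantId = '<contoso-tenant-id>'
$ResourceId      = '/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/<provider>/<type>/<name>'
$Developers      = @('dev01@fabrikam.example', 'dev02@fabrikam.example')  # list all 10 here

Connect-MgGraph -TenantId $ContosoTenantId -Scopes 'User.Invite.All' | Out-Null
Connect-AzAccount -Tenant $ContosoTenantId | Out-Null

foreach ($mail in $Developers) {
    # Creates a guest object in Contoso's tenant. The developer keeps signing in
    # with the Fabrikam credentials; Contoso stores no password for the account.
    $invite = New-MgInvitation -InvitedUserEmailAddress $mail `
        -InviteRedirectUrl 'https://portal.azure.com' `
        -SendInvitationMessage:$true
    $guestId = $invite.InvitedUser.Id

    # Skip guests that already hold the role at exactly this scope,
    # so the script can be re-run without errors.
    $existing = Get-AzRoleAssignment -ObjectId $guestId -Scope $ResourceId `
        -RoleDefinitionName 'Contributor' -ErrorAction SilentlyContinue |
        Where-Object { $_.Scope -eq $ResourceId }

    if (-not $existing) {
        # Scope is the single resource, not the resource group or subscription.
        New-AzRoleAssignment -ObjectId $guestId `
            -RoleDefinitionName 'Contributor' `
            -Scope $ResourceId | Out-Null
    }
}

# Review step: list every guest principal that holds a role on this resource.
# Guest user principal names contain the "#EXT#" marker.
Get-AzRoleAssignment -Scope $ResourceId |
    Where-Object { $_.SignInName -like '*#EXT#*' } |
    Select-Object SignInName, RoleDefinitionName, Scope
```

A newly created guest object can take a short time to replicate, so a role assignment that fails immediately after the invitation may succeed on a retry.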

Comments

kondapaturi
Highly Voted 5 years, 8 months ago
D is the preferred solution as an organisation
upvoted 31 times
...
Ekramy_Elnaggar
Highly Voted 5 years, 6 months ago
D is correct, this is called Azure B2B
upvoted 27 times
...
Ario
Most Recent 3 years, 10 months ago
Don't make it complicated: With Azure AD B2B, the partner uses their own identity management solution, so there is no external administrative overhead for your organization. Guest users sign in to your apps and services with their own work, school, or social identities. The partner uses their own identities and credentials; Azure AD is not required. You don't need to manage external accounts or passwords. You don't need to sync accounts or manage account lifecycles.
upvoted 1 times
...
nickname82
3 years, 11 months ago
The correct answer is A, reference AZ-304 page 14 question 53
upvoted 2 times
...
glam
4 years, 6 months ago
D. In the Azure AD tenant of Contoso, create guest accounts for the Fabrikam developers.
upvoted 4 times
...
Junooni
4 years, 6 months ago
Correct answer is C, pay close attention to the last sentence: the solution must ensure that the Fabrikam developers use their existing credentials to access resources. Only possible with Option C.
upvoted 1 times
...
sanketshah
4 years, 7 months ago
D is the correct answer
upvoted 2 times
...
temporal111
4 years, 9 months ago
"Selective Authentication: To combat the above-mentioned security loophole and have some control on the authentication, we can opt for the Selective Authentication level. In this level, not all users are authenticated by Domain Controllers by default. Instead, when a Domain Controller of Trusting Forest detects that an authentication request is coming from a trusted forest, it first validates whether the user account has been granted exclusive permission on the resource that is holding the object. For example, a file share has been configured on a file server. If a user from a trusted forest wants to access that file share, that user account has to be explicitly granted "Allowed to Authenticate" right on the file server. Only then the Domain Controller will authenticate the user, otherwise Domain Controller will reject the authentication request, and the user will not be part of "Authenticated User" group." From: https://social.technet.microsoft.com/wiki/contents/articles/50969.active-directory-forest-trust-attention-points.aspx
upvoted 2 times
temporal111
4 years, 9 months ago
I am not saying that the D answer is wrong, in fact, it is correct and its effort is less than the C answer. However, from my point of view, C answer is correct too.
upvoted 3 times
...
...
hchafloque
4 years, 9 months ago
After comparing answers with other pages C wins. That's because both are already using FS, and that requires trust policies. Usually D should be enough, but it looks like an MS answer is required. Thanks for the answers, I learn a lot.
upvoted 1 times
...
alokpsingh
4 years, 10 months ago
Correct answer is C
upvoted 1 times
...
alokpsingh
4 years, 10 months ago
Correct answer is A
upvoted 1 times
...
Afz
4 years, 10 months ago
B2B can integrate with other Federation services (ADFS, Google federation etc) and other AAD tenants. Fabrikam should have ADFS since it has similar infrastructure. So it is guest users, that is, option D.
upvoted 1 times
...
vlu
4 years, 10 months ago
Answer is D, check the statement in the Microsoft article: "A simple invitation and redemption process lets partners use their own credentials to access your company's resources" https://docs.microsoft.com/en-us/azure/active-directory/external-identities/what-is-b2b
upvoted 2 times
...
Rooh
4 years, 10 months ago
Given answer looks correct
upvoted 1 times
...
Afz
4 years, 10 months ago
D should be the right answer using B2B, but it also depends on ensuring that the ADFS of Fabrikam is configured in B2B so that they can use their existing credentials. B2B can integrate with ADFS, other AAD, Google Federation, MS accounts etc.
upvoted 1 times
...
exams0123456
4 years, 11 months ago
The correct answer is D. We did this in our environment last month. Gave RBAC access to 2 support people from a partner for a particular resource. In fact this is what you do whenever there is an Enterprise Premier Support from Microsoft. You give their support engineer Guest access and assign requisite RBAC Roles.
upvoted 2 times
...
Harkonnen
4 years, 12 months ago
I don't think that forest trusts were designed with the intention of trusting external organisation users. It is more like a tool for internal organisation departments or branches. For this reason, I would create guest accounts.
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other