
Exam AZ-303 topic 2 question 27 discussion

Actual exam question from Microsoft's AZ-303
Question #: 27
Topic #: 2

You have the following Azure Active Directory (Azure AD) tenants:
✑ Contoso.onmicrosoft.com: Linked to a Microsoft 365 tenant and syncs to an Active Directory forest named contoso.com by using password hash synchronization
✑ Contosoazure.onmicrosoft.com: Linked to an Azure subscription named Subscription1
You need to ensure that you can assign the users in contoso.com access to the resources in Subscription1.
What should you do?

  • A. Create an Azure management group that contains Subscription1.
  • B. Configure the existing Azure AD Connect server to sync contoso.com to contosoazure.onmicrosoft.com.
  • C. Deploy a second Azure AD Connect server and sync contoso.com to contosoazure.onmicrosoft.com.
  • D. Create guest accounts for all the contoso.com users in contosoazure.onmicrosoft.com.
Suggested Answer: C
Azure AD Connect allows you to quickly onboard to Azure AD and Office 365.
In this topology, one Azure AD Connect sync server is connected to each Azure AD tenant. The Azure AD Connect sync servers must be configured for filtering so that each has a mutually exclusive set of objects to operate on. You can, for example, scope each server to a particular domain or organizational unit.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies
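The filtering requirement quoted above (each sync server must operate on a mutually exclusive set of objects) can be checked before two servers are deployed. The following is an added example, not code from the exam page or from Microsoft; the user DNs, OU scopes, server names and tenant names are constructed sample data, and the OU-prefix matching is a simplified stand-in for the real Azure AD Connect OU filter.

```python
# Added example, not from the exam page or Microsoft's docs: checks that two
# Azure AD Connect servers feeding two tenants from one forest are filtered to
# mutually exclusive object sets, as the topology guidance requires.
# All DNs, server names and tenant names below are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class SyncServer:
    name: str
    tenant: str
    ou_scope: tuple  # OU or domain DNs this server's filtering is scoped to

def in_scope(user_dn, container_dn):
    """True if the object sits in container_dn or in any OU beneath it."""
    return user_dn.lower().endswith("," + container_dn.lower())

def plan_sync(users, servers):
    """Return (placement, conflicts, unsynced): placement maps each user DN to
    the tenants it would be exported to; conflicts are users more than one
    server would export (unsupported); unsynced are users no server covers."""
    placement = {dn: [s.tenant for s in servers
                      if any(in_scope(dn, ou) for ou in s.ou_scope)]
                 for dn in users}
    conflicts = sorted(dn for dn, t in placement.items() if len(t) > 1)
    unsynced = sorted(dn for dn, t in placement.items() if not t)
    return placement, conflicts, unsynced

# Constructed sample forest contoso.com with three OUs.
USERS = (
    "CN=Alice,OU=Sales,DC=contoso,DC=com",
    "CN=Bob,OU=Sales,DC=contoso,DC=com",
    "CN=Carol,OU=IT,DC=contoso,DC=com",
    "CN=Dave,OU=Contractors,DC=contoso,DC=com",
)
# Supported: each server scoped to a different OU, so the sets are disjoint.
SPLIT = (
    SyncServer("AADC1", "contoso.onmicrosoft.com", ("OU=Sales,DC=contoso,DC=com",)),
    SyncServer("AADC2", "contosoazure.onmicrosoft.com", ("OU=IT,DC=contoso,DC=com",)),
)
# Unsupported: both servers scoped to the whole domain, every user in both.
OVERLAP = (
    SyncServer("AADC1", "contoso.onmicrosoft.com", ("DC=contoso,DC=com",)),
    SyncServer("AADC2", "contosoazure.onmicrosoft.com", ("DC=contoso,DC=com",)),
)

if __name__ == "__main__":
    for label, servers in (("split", SPLIT), ("overlap", OVERLAP)):
        _, conflicts, unsynced = plan_sync(USERS, servers)
        print(f"{label}: {len(conflicts)} conflicting, {len(unsynced)} unsynced")
```

The split layout is the one the reference describes, and it shows the catch the discussion below turns on: a user scoped to one server reaches one tenant only, so the same contoso.com users cannot be synced to both tenants.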

Comments

datts
Highly Voted 3 years, 11 months ago
Although option C seems to be correct, what if a contoso user needs to access resources in both contoso.onmicrosoft.com and contosoazure.onmicrosoft.com? It would not be possible. Option C limits the user to accessing contoso.onmicrosoft.com or contosoazure.onmicrosoft.com. The easiest way to grant contoso.com users access to contosoazure.onmicrosoft.com, I think, is to create guest accounts and grant the guest account access. As such, the correct answer may likely be D.
upvoted 16 times
Spooky7
3 years, 7 months ago
I don't think so; you can't assign RBAC roles to guest users and give them permission to other Azure resources this way. Guest users are allowed to authenticate through registered Azure AD apps, receive an auth token and access some apps which are running in Azure.
upvoted 1 times
BoxGhost
3 years, 10 months ago
Agreed, it seems clear to me. The only way for the contoso.com users to have access to another tenant is using guest accounts. You cannot associate a vanity domain to two separate tenants, and even if you managed to sync the accounts using a second AD Connect server, they won't be the same accounts since they will be in another directory. The answer doesn't even make sense as it says sync contoso.com; you don't sync domains, you sync users.
upvoted 4 times
gizda2
3 years, 8 months ago
Although BoxGhost's explanation is right, D should not be the answer. Think about having 10k users in contoso.com; would you create that many guests in contosoazure?
upvoted 3 times
mingled
3 years, 10 months ago
Has to be guest users - I agree. UserA.contoso.local would not be able to be in both tenants if you set up multiple AD Connect servers. The only way I see multiple AD Connect servers working is if you filter the OUs or forests: so UserA.contoso.local could have access to contosoazure.onmicrosoft.com but not to contoso.onmicrosoft.com, and UserB.contoso.local could have access to contoso.onmicrosoft.com but not to contosoazure.onmicrosoft.com. I cannot see any way other than "D" being the answer here. (Guest users)
upvoted 1 times
Jcbrow27
Highly Voted 3 years, 11 months ago
C is correct; we can't use B because we have 2 tenants. 1 forest, 2 tenants. We need 2 AD Connect servers: 1 for contoso.com to tenant 1, 1 for contoso.com to tenant 2.
upvoted 12 times
jgforum
3 years, 10 months ago
This topology is impossible, the right answer is D.
upvoted 10 times
J4U
3 years, 9 months ago
Correct: D. We can't sync the same user to multiple tenants. We need to create guest users to provide access to another tenant.
upvoted 8 times
J4U
3 years, 9 months ago
Technically we can sync using 2 AD Connect servers to 2 tenants if we filter and sync part of the users to Tenant A and part to Tenant B; if we do it this way the solution isn't met for this question. Otherwise, if you sync all users to both tenants, you can have only one tenant enabled with Exchange Hybrid, device join, password hash sync etc. Instead, just move the subscription to Tenant A itself to have a recommended setup.
upvoted 1 times
Ario
3 years, 9 months ago
@jgforum you are wrong! So long as the two Azure AD Connect instances are each on different servers, you will be fine. So answer C is OK.
upvoted 2 times
tita_tovenaar
3 years, 10 months ago
C is impossible, see following ref: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies#single-forest-multiple-sync-servers-to-one-azure-ad-tenant The text is clear: "Having multiple Azure AD Connect sync servers connected to the same Azure AD tenant is not supported, except for a staging server. It's unsupported even if these servers are configured to synchronize with a mutually exclusive set of objects." Must be B.
upvoted 3 times
whoisthatguy
3 years, 10 months ago
We have 2 tenants here
upvoted 1 times
jmay
3 years, 5 months ago
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies#single-forest-multiple-sync-servers-to-one-azure-ad-tenant Option C pattern is in preview state as of now.
upvoted 2 times
jmay
3 years, 5 months ago
Sorry, wrong link. This one: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies#multiple-azure-ad-tenants
upvoted 1 times
pentium75
3 years, 11 months ago
But, as the explanation says: "The Azure AD Connect sync servers must be configured for filtering so that each has a mutually exclusive set of objects to operate on. You can, for example, scope each server to a particular domain or organizational unit." So we can't sync the SAME users to both tenants, even with multiple servers. But the question says that "THE users in contoso.com" should get "access to the resources in Subscription1".
upvoted 4 times
justfordevelopment
Most Recent 3 years, 3 months ago
In the exam on 12-03-2022. Total 50 questions including case study. "Litware Acquired Fabricam" case study.
upvoted 1 times
azahran
3 years, 3 months ago
It is C. Check "Sync AD objects to multiple Azure AD tenants" in https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies#sync-ad-objects-to-multiple-azure-ad-tenants
upvoted 2 times
JillYoung
3 years, 3 months ago
Selected Answer: C
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies#multiple-azure-ad-tenants
upvoted 1 times
JillYoung
3 years, 3 months ago
C is correct in my opinion based on the following: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies#multiple-azure-ad-tenants
upvoted 1 times
pradhyumna
3 years, 3 months ago
Selected Answer: D
Guest users are the only sensible answer.
upvoted 1 times
BhupalS
3 years, 4 months ago
You have the following Azure Active Directory (Azure AD) tenants:
✑ Contoso.onmicrosoft.com: Linked to a Microsoft 365 tenant and syncs to an Active Directory forest named contoso.com by using password hash synchronization
✑ Contosoazure.onmicrosoft.com: Linked to an Azure subscription named Subscription1
You need to ensure that you can assign the users in contoso.com access to the resources in Subscription1.
What should you do?
A. Associate Subscription1 to contoso.onmicrosoft.com. Reassign all the roles in Subscription1.
B. Configure the existing Azure AD Connect server to sync contoso.com to contosoazure.onmicrosoft.com.
C. Configure contoso.onmicrosoft.com to use pass-through authentication.
D. Configure contosoazure.onmicrosoft.com to use pass-through authentication.
upvoted 1 times
pcman
3 years, 5 months ago
The given answer is correct. "AADConnect can synchronize the same users, groups, and contacts from a single Active Directory to multiple Azure AD tenants. These tenants can be in different Azure environments, such as the Azure China environment or the Azure Government environment, but they could also be in the same Azure environment, such as two tenants that are both in Azure Commercial." https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies
upvoted 2 times
Miey
3 years, 5 months ago
Isn't the correct answer A based on this? https://docs.microsoft.com/en-us/azure/defender-for-cloud/management-groups-roles
upvoted 1 times
AberdeenAngus
3 years, 5 months ago
Is anything wrong with A as the answer? Create a management group trusting contoso.com, and add both subscriptions to it as per https://docs.microsoft.com/en-us/azure/governance/management-groups/manage#move-subscriptions. C sounds terrible, if it's technically possible, because the objects in on-prem contoso.com are synced with 2 separate Azure AD tenants - hard to manage. D sounds terrible too; you have to duplicate ALL your contoso.com user accounts in contosoazure.onmicrosoft.com, also very hard to manage. I think I'll go A!
upvoted 1 times
jadepe
3 years, 7 months ago
This is the same question as #20, but with different options. Only option B appears on both 20 and 27. Could it be the right one?
upvoted 3 times
poplovic
3 years, 7 months ago
Check the topology support in https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies. D is correct. C is not correct because contoso.com already syncs to AAD contoso.onmicrosoft.com, see https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies#each-object-multiple-times-in-an-azure-ad-tenant
upvoted 2 times
krakenbite
3 years, 9 months ago
The answer C is correct if there's filtering: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies#each-object-multiple-times-in-an-azure-ad-tenant But the question didn't mention anything about filtering, so I think C is incorrect: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies#each-object-multiple-times-in-an-azure-ad-tenant The correct answer should be D.
upvoted 2 times
tteesstt
3 years, 9 months ago
Having a topology where we have 1 forest, 2+ sync servers and 2+ tenants is not supported. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies#each-object-multiple-times-in-an-azure-ad-tenant
upvoted 2 times
syu31svc
3 years, 9 months ago
MS recommends having a single tenant in Azure AD for an organization. There's a 1:1 relationship between an Azure AD Connect sync server and an Azure AD tenant. For each Azure AD tenant, you need one Azure AD Connect sync server installation. The Azure AD tenant instances are isolated by design. That is, users in one tenant can't see users in the other tenant. If you want this separation, this is a supported configuration. Otherwise, you should use the single Azure AD tenant model. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies Answer is C.
upvoted 1 times
MinhajR
3 years, 9 months ago
On Exam 27/08/2021
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other