Exam SC-300 topic 1 question 18 discussion

This is a dumb question that only some dude at MSFT would write. Tested in lab because you'll never do something this dumb in real life. The answer is correct even though the wizard specifically states "Nested groups are not supported and will be ignored." They are not ignored. User1, Group1 and Group2 were created in Azure AD. User2 was not.

Correct: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-custom#:~:text=When%20you%20add%20a%20group%20as%20a%20member%2C%20only%20the%20group%20itself%20is%20added.%20Its%20members%20aren%27t%20added.

YES NO YES

YES NO YES

Correct: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-custom#:~:text=When%20you%20add%20a%20group%20as%20a%20member%2C%20only%20the%20group%20itself%20is%20added.%20Its%20members%20aren%27t%20added

YES NO YES

The given answer is correct. Group 2 is a member of Group 1, so only Group 2 will sync, its members won't sync. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-custom#sync-filtering-based-on-groups "All objects that you want to synchronize must be direct members of the group. Users, groups, contacts, and computers or devices must all be direct members. Nested group membership isn't resolved. **When you add a group as a member, only the group itself is added. Its members aren't added.**"

Correct, YNY

In the "Filter Users and Devices" exhibit it states "Nested groups are not supported and will be ignored." So does this mean only the the users and devices in a nested group won't sync, or the group won't sync either?

See articles pasted by other members and on answer sections for refereance as to why. 1:Y - User1 is a member of Group 1, and a direct member so as the group is synced, so will this. 2:N - User 2 is not a member of group1, and filtering is in place for G1. 3:Y - G2 will be synced becaused it's a direct member of G1, however any nested, for example, members of G2 will not be synced, so direct users or groups of G1 will. For reference see below excert from MS article "All objects that you want to synchronize must be direct members of the group. Users, groups, contacts, and computers or devices must all be direct members. Nested group membership isn't resolved. When you add a group as a member, only the group itself is added. Its members aren't added."

At first i thought this should be Y/N/N but having confirmed in the article, Group 2 will sync as a Direct Member of Group 1 delegated for the pilot. Therefore Y/N/Y is correct.

Q3 is NO: "When using OU-based filtering in conjunction with group-based filtering, the OU(s) where the group and its members are located must be included." Synchronization is selected only for OU2, and Group2 is in OU1. Therefore, Group2 WILL NOT sync to Azure AD. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering#group-based-filtering

Group 2 is Nested and it will be ignored. Y, N, N is the correct.

All objects that you want to synchronize must be direct members of the group. Users, groups, contacts, and computers or devices must all be direct members. Nested group membership isn't resolved. When you add a group as a member, only the group itself is added. Its members aren't added.

In my opinion, user2 also syncs to AAD. it is located in OU1, and OU1 syncs to AAD

If Filter users and devices (for a pilot deployment) further refines the Domain and OU filtering, then only Group1 (OU2) syncs. YES - User1 is a member of Group1, NO - User2 is not a member of Group1, NO - Group2 is a member of Group1, but nested groups are ignored in Filter users and devices.

Actually to be honest this would probably cause Azure Connect to fail for Group 1 and Group 2 because by what I can see there is circular Group nesting in place. But if you ignore that then the answer is correct.