Exam AZ-800 topic 5 question 19 discussion

Actual exam question from Microsoft's AZ-800
Question #: 19
Topic #: 5

You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant. Group writeback is enabled in Azure AD Connect.
The AD DS domain contains a server named Server1. Server1 contains a shared folder named share1.
You have an Azure Storage account named storage2 that uses Azure AD-based access control. The storage2 account contains a share named share2.
You need to create a security group that meets the following requirements:
✑ Can contain users from the AD DS domain
✑ Can be used to authorize user access to share1 and share2
What should you do?

  • A. In the Azure AD tenant, create a security group that has assigned membership.
  • B. In the AD DS domain, create a universal security group.
  • C. In the Azure AD tenant, create a security group that has dynamic membership.
  • D. In the Azure AD tenant, create a Microsoft 365 group.
Suggested Answer: B

Comments

ant_12
Highly Voted 2 years, 3 months ago
Answer is A. Group Writeback is enabled so it can access Azure File Share and on-prem share with Azure AD group.
upvoted 11 times
...
syu31svc
Highly Voted 2 years, 1 month ago
Selected Answer: B
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-group-writeback-v2 Since Azure AD security groups are written back with scope ‘Universal’, B it is then.
upvoted 5 times
...
Ksk08
Most Recent 5 months, 2 weeks ago
Why Option B Works Best: A universal security group created in AD DS will automatically sync to Azure AD through Azure AD Connect. It can manage permissions for both on-premises resources (share1) and cloud resources (share2) after synchronization. It's the most straightforward option for hybrid environments where you need to manage both local and cloud access.
upvoted 1 times
...
Krayzr
9 months, 1 week ago
Selected Answer: B
B. In the AD DS domain, create a universal security group. Here’s why: A universal security group in AD DS can contain users from the AD DS domain. This group can be synchronized to Azure AD using Azure AD Connect. Once synchronized, the group can be used to authorize access to resources in both the on-premises AD DS domain (share1) and Azure AD-based resources (share2).
upvoted 3 times
...
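The steps described in the comment above, as an added PowerShell example that is not part of the original thread. The group name, OU path, member names, NetBIOS domain name `CONTOSO`, and the `<subscription-id>` and `<resource-group>` placeholders are assumptions; it also assumes the group's OU is in Azure AD Connect sync scope and that the ActiveDirectory, ADSync and Az modules are available on the machines where each step runs.

```powershell
# Added example; every name below is an assumed placeholder, not a value from the page.
Import-Module ActiveDirectory

$groupName = 'ShareUsers'                    # hypothetical group name
$ouPath    = 'OU=Groups,DC=contoso,DC=com'   # hypothetical OU, must be in sync scope
$members   = 'user1', 'user2'                # hypothetical AD DS users

# 1. Create the universal security group in AD DS and add domain users.
New-ADGroup -Name $groupName -SamAccountName $groupName `
    -GroupCategory Security -GroupScope Universal -Path $ouPath
Add-ADGroupMember -Identity $groupName -Members $members

# Check: confirm scope and category before granting access to anything.
$g = Get-ADGroup -Identity $groupName
if ($g.GroupScope -ne 'Universal' -or $g.GroupCategory -ne 'Security') {
    throw "Group $groupName is not a universal security group."
}

# 2. On Server1: authorize the group on share1 (share-level; NTFS ACLs are set separately).
Grant-SmbShareAccess -Name 'share1' -AccountName "CONTOSO\$groupName" `
    -AccessRight Change -Force

# 3. On the Azure AD Connect server: run a delta sync so the group reaches Azure AD.
Start-ADSyncSyncCycle -PolicyType Delta

# 4. In a session signed in with Connect-AzAccount: grant share-level access on share2.
$aadGroup = Get-AzADGroup -DisplayName $groupName
if (-not $aadGroup) { throw "Group $groupName has not synced to Azure AD yet." }

$scope = '/subscriptions/<subscription-id>/resourceGroups/<resource-group>' +
         '/providers/Microsoft.Storage/storageAccounts/storage2' +
         '/fileServices/default/fileshares/share2'
New-AzRoleAssignment -ObjectId $aadGroup.Id `
    -RoleDefinitionName 'Storage File Data SMB Share Contributor' -Scope $scope
```

Scoping the role assignment to the single file share rather than the whole storage account keeps the group's access limited to share2.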
SIAMIANJI
12 months ago
Selected Answer: A
To create a security group that meets the specified requirements, follow these steps:
Create a Security Group in Azure Active Directory (Azure AD):
  • Log in to the Azure portal.
  • Navigate to Azure Active Directory.
  • Click on Groups and then select New group.
  • Choose Security as the group type.
  • Enter a name for the group (e.g., “ShareAccessGroup”).
  • Set the Membership type to Assigned.
  • Add the necessary users from the AD DS domain to this group.
  • Click Create.
Authorize User Access to share1 and share2:
Assign the newly created security group permissions to the shared folders:
  • On Server1 (on-premises), configure the permissions for the share1 folder to allow access to the security group.
  • In Azure Storage (storage2), configure the permissions for the share2 folder to allow access to the same security group.
upvoted 2 times
...
Kuikz
1 year ago
Selected Answer: B
https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/how-to-configure-entra-to-active-directory
Supported groups:
- only cloud created Security groups are supported
- these groups can have assigned or dynamic membership.
- these groups can only contain on-premises synchronized users and / or additional cloud created security groups.
- the on-premises user accounts that are synchronized and are members of this cloud created security group, can be from the same domain or cross-domain, but they all must be from the same forest.
- these groups are written back with the AD groups scope of universal. Your on-premises environment must support the universal group scope.
- groups that are larger than 50,000 members aren't supported.
- each direct child nested group counts as one member in the referencing group
upvoted 2 times
...
dolphan904
1 year, 4 months ago
B is WRONG: IF YOU CREATE THE UNIVERSAL GROUP IN ADDS THEN THE WRITEBACK OPTION IS IRRELEVANT. THE GROUP GETS SYNCED VIA AD CONNECT BUT WRITEBACK IS IRRELEVANT. IF YOU CREATE THE SECURITY GROUP IN AZURE IT WILL BE WRITTEN BACK TO ADDS AS A UNIVERSAL GROUP AT WHICH POINT THE USER ACCTS IN ADDS WILL BE ADDED TO THAT GROUP BASED ON THE MAPPING TO THEIR COUNTERPARTS IN AZURE AD. KEEP IN MIND THAT WHEN A USER ACCT SYNCS FROM ON-PREM TO AZURE AD ONLY THE ACCT'S ATTRIBUTES SYNC TO A NEW SID COMPLETELY DIFFERENT THAN THAT OF ADDS, THEREFORE, THE MAPPING I AM ALLUDING TO.
upvoted 1 times
...
windowsmodulesinstallerworker
1 year, 7 months ago
Selected Answer: A
It does not state that groups are actually being synced from adds to azure ad, while it does say that group writeback is enabled. Since this is a public preview feature this question is probably not scored.
upvoted 3 times
...
Doman01
1 year, 9 months ago
In my opinion it's A. Why not most voted B? We do have AAD Connect but not mentioned that groups are being synced from ADDS to AAD, but we do have mentioned that group writeback is enabled. By choosing B we do not know if this group will be synced to AAD, so we may not be able to use it to give access to share 2. Choosing either A or C we are sure we will have group in both AAD and ADDS and that we will be able to add users from both. In this situation ASSIGNED seems better than DYNAMIC as we do not have any hints that only specific users should have access (it is only CAN CONTAIN users from ADDS).
upvoted 3 times
...
jecawi9630
2 years, 4 months ago
Selected Answer: B
B seems to be the best bet, though A might work as well.
upvoted 2 times
...
johosofat
2 years, 5 months ago
This feature is out in preview- all of these answers could be correct- depending on the question- as written- you can go with B- however, the Universal group will go only back to one OU if you enable it this way--- seems problematic. furthermore you cannot put any domain local groups inside the universal security group --- also if you go the old way and just have office 365 group- then you can likely do the same thing- but seems like less restrictions- IDK- but here is the guidance - https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-group-writeback-v2
upvoted 4 times
...
edykss
2 years, 7 months ago
Correct
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted