
Exam SC-300 topic 4 question 28 discussion

Actual exam question from Microsoft's SC-300
Question #: 28
Topic #: 4

HOTSPOT -
Your network contains an on-premises Active Directory domain that syncs to an Azure Active Directory (Azure AD) tenant.
The tenant contains the groups shown in the following table.

The tenant contains the users shown in the following table.

You create an access review as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:

Comments

f3dj4
Highly Voted 2 years, 7 months ago
This should be N N N. User1's membership cannot be managed since he is a member of a nested group. User2's membership cannot be managed since he is a part of Group2 which is an AD group (not AAD). User3 is not the member of Group2.
upvoted 28 times
jack987
2 years, 4 months ago
I agree with f3dj4. The answer is N N N.
upvoted 1 times
...
mcas
2 years, 5 months ago
User1's membership cannot be managed because he is not synced, he is only on-prem, not because he is a member of a nested group
upvoted 2 times
Tanidanindo
1 year, 9 months ago
The fact that he is not directory synced means it's a cloud account.
upvoted 4 times
...
...
...
haovo
Highly Voted 2 years, 4 months ago
This question is on the exam today Dec 28th 2022. But the user group table is different. User2 is a member of Group3 and User3 is a member of Group2.
upvoted 8 times
Santeria
2 years, 4 months ago
So it's NNY?
upvoted 3 times
BB6919
2 years, 3 months ago
So, it should be NYN as given in the answer. Because user2 which is a cloud account will be part of a cloud group and will get affected by access review.
upvoted 6 times
...
...
...
Obi_Wan_Jacoby
Most Recent 5 days, 15 hours ago
Given answers are correct. NNN
upvoted 1 times
Obi_Wan_Jacoby
5 days, 14 hours ago
Scenario Recap: Access Review targets group1. group2 is a member of group1 (nested group). user1 is a member of group2. If user1 does not respond to the access review, will access be removed?
✅ Key Azure AD Behavior: Access Reviews in Azure AD evaluate direct and indirect (nested) members of the target group. If user1 is a member of group1 via group2, they will be included in the access review. If user1 does not respond (and reviewers don't act), and the review is configured to remove access for non-responders, then: user1 will be removed from group1. But since user1 is not directly in group1, Azure AD cannot remove them from group2. Therefore, user1 will retain access to group1 via group2, unless group nesting is flattened or group2 is also reviewed.
🔍 So, what happens?
Access to group1: Not removed, because user1 is still in group2, which is still in group1.
Access to group2: Unaffected, because group2 wasn't part of the review.
upvoted 1 times
Obi_Wan_Jacoby
5 days, 14 hours ago
I know the groups don't match up in this scenario I submitted, but it is laid out in a way to let you better understand. Hope this helps for anyone that had questions.
upvoted 1 times
...
...
...
YesPlease
1 month, 3 weeks ago
1) NO, The Access Review rule is only applying to Group 2 and 3...User 1 is in Group 1, but it is a member of Group 3. Even though Group Access Reviews can see users in nested groups and adds them like they were direct members of the parent group, it cannot remove a user from their original group (Group 1)...if they answer NO to remove themselves, they will only be removed from Group 3. So NO, User1 will not be removed from Group 1. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-perform-roles-and-resource-roles-review#:~:text=Reviewing%20a%20role%20with%20nested%20groups%20assigned
2) NO, User2 is not a member of Group 3 to begin with.
3) NO, User 3 is not a member of Group 2 to begin with.
upvoted 1 times
...
hml_2024
7 months, 3 weeks ago
User1 will be removed automatically from Group1 if the user does not respond to the review request.
No: The review only targets Group2 and Group3, not Group1. Therefore, User1's membership in Group1 is not part of the review.
User2 will be removed automatically from Group3 if the user does not respond to the review request.
No: User2 is not a member of Group3. The review targets Group2 and Group3, but User2 is only a member of Group2.
User3 will be removed automatically from Group2 if the user does not respond to the review.
No: User3 is not a member of Group2, they are a member of Group3. Therefore, User3's membership in Group2 is irrelevant in this case.
upvoted 2 times
...
OK2020
1 year, 10 months ago
Given the question correction : User2- Group3 & User3-Group2 The answer is: NYN
upvoted 6 times
lahl
1 year, 6 months ago
I confirm that comes in the exam as : User2- Group3 & User3-Group2 So the answer is : NYN
upvoted 1 times
Nail
6 months, 1 week ago
So confused by your answer. How can User2 be removed from a group that it doesn't belong to?
upvoted 2 times
...
...
Hull
1 year, 8 months ago
I do believe this is the case, User2, which is a cloud user, cannot be a member of AD synced group in the first place.
upvoted 2 times
...
...
dule27
1 year, 10 months ago
No No No
upvoted 2 times
...
haskelatchi
1 year, 11 months ago
Answer is N, N, N on folks nem
upvoted 1 times
...
splearner
2 years, 1 month ago
On exam 2023-03-28, but they corrected it: the second table now says User2 belongs to Group3 and User3 belongs to Group2. Makes more sense now.
upvoted 4 times
...
Ikeinater
2 years, 5 months ago
NNN
User 1 is in group 1 outside the scope of the review
User 2 is not in group 3 so can't be removed from a group not a member of
User 3 not in group 2 so can't be removed from a group not a member of
upvoted 6 times
...
Cloud_apps
2 years, 5 months ago
Does anyone know the proper answer for this? It's messing with my progress.
upvoted 1 times
...
Jhill777
2 years, 5 months ago
Access reviews can't change the group membership of groups that you synchronize from on-premises with Azure AD Connect. This restriction is because the source of authority is on-premises. https://learn.microsoft.com/en-us/azure/active-directory/governance/deploy-access-reviews
upvoted 3 times
...
Elpresidento27
2 years, 6 months ago
https://learn.microsoft.com/en-us/azure/active-directory/governance/complete-access-review#apply-the-changes - "Manually or automatically applying results doesn't have an effect on a group that originates in an on-premises directory." - "For users who have membership through a nested group, we will not remove their membership to the nested group and therefore they will retain access to the resource being reviewed."
upvoted 6 times
chikorita
2 years, 1 month ago
very informative
upvoted 2 times
...
...
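The two Microsoft Learn statements quoted in the comment above, modeled as an added example (it is not part of any comment in this thread and is not Microsoft's code). The group and user names are constructed and are not the tables from the exam question.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    on_prem_synced: bool                        # source of authority is on-premises AD
    users: set = field(default_factory=set)     # direct user members
    groups: set = field(default_factory=set)    # names of directly nested groups

def membership_paths(directory, group, user, seen=frozenset()):
    """Every chain of groups through which `user` belongs to `group`."""
    if group in seen:                           # guard against circular nesting
        return []
    g = directory[group]
    paths = [[group]] if user in g.users else []
    for child in sorted(g.groups):
        for tail in membership_paths(directory, child, user, seen | {group}):
            paths.append([group] + tail)
    return paths

def apply_denial(directory, reviewed_group, user):
    """Apply a deny/no-response removal for `user` on `reviewed_group`."""
    g = directory[reviewed_group]
    if not membership_paths(directory, reviewed_group, user):
        return "not-a-member"
    if g.on_prem_synced:                        # quoted rule 1: no effect on on-prem groups
        return "not-applied:on-prem-group"
    g.users.discard(user)                       # only the direct membership is removed
    if membership_paths(directory, reviewed_group, user):
        return "retained:via-nested-group"      # quoted rule 2: nested membership untouched
    return "removed"

def sample_directory():
    """Constructed directory; these are not the tables from the exam question."""
    return {
        "GroupA": Group(False, {"alice"}, {"GroupB"}),   # cloud group, nests GroupB
        "GroupB": Group(False, {"bob"}),                 # cloud group
        "GroupC": Group(True, {"carol"}),                # synced from on-premises
    }

if __name__ == "__main__":
    d = sample_directory()
    for grp, usr in [("GroupA", "alice"), ("GroupA", "bob"),
                     ("GroupC", "carol"), ("GroupB", "alice")]:
        print(grp, usr, apply_denial(d, grp, usr))
```
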
Hot_156
2 years, 7 months ago
***Group 3 is a cloud group*** user2 is a cloud user**** They can be managed by Azure AD access review
upvoted 1 times
Hot_156
2 years, 7 months ago
User2 is not a member of the group3 so that doesn't apply. Also, a cloud account cannot be a member of a synced group, so how is that user2 a member of Group2????
upvoted 2 times
[Removed]
2 years, 7 months ago
possible if there is a group writeback for group2
upvoted 2 times
...
...
...
geobarou
2 years, 7 months ago
Please some help with question2. Why is Yes? User2 is not a member of Group3.
upvoted 8 times
purek77
2 years, 4 months ago
It should be No due to below. Especially 2nd paragraph: Access Reviews can't change the group membership of groups that you synchronize from on-premises with Azure AD Connect. This is because the source of authority is on-premises. You can still use Access Reviews to schedule and maintain regular reviews of on-premises groups. Reviewers will then take action in the on-premises group.
upvoted 4 times
...
...