Exam SC-300 topic 4 question 37 discussion

It seems correct. Here my thinking: - Managed identity to Security group only. The security group can't be Dynamic or sync from OnPremise - AD User Cloud can be added to Security and M365 groups ○ Not the dynamic (Group3) as it's using a query to get members Not Group4 as it's synch from OnPrem

Given answers are correct. Microsoft 365 groups (even with security enabled) ONLY support users and devices. They do not support managed identities or service principals. You cannot sync Managed identies to groups synced from on-prem. You cannot add a managed identity, service principal or even a regular user to a dynamic group as they are members due only based on attributes. As for Security groups (in-cloud) you can add the managed identity. This is the case as the security group assigns Roles and/or grants permissions to resources.

1st question: you can only add a managed identity to a Security group. You cannot add it to a 365 group by changing "SecurityEnabled" to True. Tested!

-Tested in azure and office admin portal. Managed Identity can only be seen in security groups. Not mailed enabled , distribution or m365 -On-premise and dynamic group cannot allow manually assignment of users

The managed identity answer seems right. However, in the second question, there's no right answer to choose: The question only asks if you can add the cloud user to group. You can add Azure AD cloud user also to Group3. You can do it with dynamic membership rule. For example, you can use this rule to add user name clouduser to group: (user.displayName -eq "clouduser") For Group4, I tried it with both Microsoft Entra Cloud Sync and Microsoft Entra Connect. As far as I can see, you cannot add members to on-premises group in the cloud. Groups synced from on-premises Active Directory can be managed only in on-premises Active Directory.

Group 2 only All company, Group 1 and Group 2 only

Group 2 only All company, Group 1 and Group 2 only

2) Cloud users CAN be added to the dynamic cloud security group (like Group3)! Also, I think that cloud users can be added to the security group synced from the on-prem, but only if the group writeback is enabled for that group. That user will be visible as a group member in the Azure AD, but won't be synced back to the on-prem AD group Not tested but here is more info: - https://identity-man.eu/2022/07/05/using-the-new-group-writeback-functionality-in-azure-ad/ "Users which are ‘cloud only’ and are a member of the group are therefore not written back as member." - https://practical365.com/azure-ad-connect-group-writeback-deep-dive/ "If you add any Azure AD cloud-only identities, they will not show up in Active Directory and your group membership will not be consistent."

The given answer is correct

second answer is correct, allcompany, group 1 & 2, im not sure about the first question. I looked up and i only can find something about security groups, but not about dynamic groups