Answer confirmed
Question

You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant. Group writeback is enabled in Azure AD Connect.
The AD DS domain contains a server named Server1. Server1 contains a shared folder named share1.
You have an Azure Storage account named storage2 that uses Azure AD-based access control. The storage2 account contains a share named share2.
You need to create a security group that meets the following requirements:
✑ Can contain users from the AD DS domain
✑ Can be used to authorize user access to share1 and share2
What should you do?

Proposed answer
  • A. In the Azure AD tenant, create a security group that has assigned membership.
  • B. In the AD DS domain, create a universal security group.
  • C. In the Azure AD tenant, create a security group that has dynamic membership.
  • D. In the Azure AD tenant, create a Microsoft 365 group.


Suggested answer
  • B. In the AD DS domain, create a universal security group.


Correct answer

The suggested answer is correct.

A universal security group created in the AD DS domain can contain users from that domain, and Azure AD Connect synchronizes it to the Azure AD tenant as a security group. Once synchronized, the same group can be granted share and NTFS permissions on share1 on Server1 and a share-level Azure RBAC role (for example, Storage File Data SMB Share Contributor) on share2 in storage2; identity-based access to Azure Files by AD DS users requires exactly this kind of synchronized hybrid identity. Group writeback is enabled in Azure AD Connect, but it works in the opposite direction: it writes cloud-created security groups back to AD DS, and it does so with universal scope, which is why universal scope is the one that matters in the answer options. The writeback feature itself is being retired, per Microsoft:

The public preview of Group Writeback v2 in Microsoft Entra Connect Sync will no longer be available after June 30, 2024. This feature will be discontinued on this date, and you will no longer be supported in Connect Sync to provision cloud security groups to Active Directory. The feature will continue to operate beyond the discontinuation date; however, it will no longer receive support after this date and may cease functioning at any time without notice.

We offer similar functionality in Microsoft Entra Cloud Sync called Group Provision to Active Directory that you can use instead of Group Writeback v2 for provisioning cloud security groups to Active Directory. We're working on enhancing this functionality in Cloud Sync along with other new features that we're developing in Cloud Sync.
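The procedure behind the chosen answer, end to end, as an added example that is not part of the original page: create the universal security group in AD DS, trigger an Azure AD Connect delta sync, grant the group access to share1 on Server1, and assign it a share-level RBAC role on share2 in storage2. The domain name CONTOSO, the group name Share-Access, the OU path, the sample users, the local share path, and the subscription and resource-group identifiers are placeholders chosen for the example; the storage account is assumed to already be enabled for AD DS (identity-based) authentication, as the question states.

```powershell
# Added example (not from the original page): option B carried through.
# Assumptions/placeholders: domain CONTOSO, group 'Share-Access', OU path,
# users alice/bob, share path D:\share1, subscription and resource-group IDs.
# Run section 1 and 3 on a domain-joined admin host, section 2 on the
# Azure AD Connect server, and section 4 where Az.Accounts/Az.Resources exist.

$GroupName     = 'Share-Access'
$DomainNetbios = 'CONTOSO'

# --- 1. AD DS: universal security group that contains domain users ---
Import-Module ActiveDirectory
$group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
    -GroupCategory Security -GroupScope Universal `
    -Path 'OU=Groups,DC=contoso,DC=com' -PassThru
Add-ADGroupMember -Identity $group -Members 'alice', 'bob'   # sample users

# Check: the scope the question asks for (and the scope written-back groups get)
if ((Get-ADGroup $group).GroupScope -ne 'Universal') {
    throw "Group '$GroupName' is not a universal group"
}

# --- 2. Azure AD Connect: push the new group to the tenant now ---
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta

# --- 3. share1 on Server1: share-level and NTFS permissions for the group ---
Invoke-Command -ComputerName 'Server1' -ScriptBlock {
    param($Account)
    Grant-SmbShareAccess -Name 'share1' -AccountName $Account -AccessRight Change -Force
    # NTFS Modify, inherited by subfolders (CI) and files (OI)
    icacls 'D:\share1' /grant "$($Account):(OI)(CI)M"
} -ArgumentList "$DomainNetbios\$GroupName"

# --- 4. share2 in storage2: share-level Azure RBAC role for the synced group ---
Connect-AzAccount
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$resourceGroup  = 'rg-storage'                              # placeholder
$shareScope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
              "/providers/Microsoft.Storage/storageAccounts/storage2" +
              "/fileServices/default/fileshares/share2"

# The group exists in Azure AD only after the sync cycle finishes; poll for it.
$aadGroup = $null
for ($i = 0; $i -lt 10 -and -not $aadGroup; $i++) {
    $aadGroup = Get-AzADGroup -DisplayName $GroupName
    if (-not $aadGroup) { Start-Sleep -Seconds 30 }
}
if (-not $aadGroup) { throw "Group '$GroupName' has not synchronized to Azure AD yet" }

New-AzRoleAssignment -ObjectId $aadGroup.Id `
    -RoleDefinitionName 'Storage File Data SMB Share Contributor' `
    -Scope $shareScope

# Check: the assignment is scoped to share2, not to the whole storage account.
Get-AzRoleAssignment -ObjectId $aadGroup.Id -Scope $shareScope |
    Select-Object RoleDefinitionName, Scope
```

The role assignment in step 4 is the share-level authorization on the Azure side; directory- and file-level permissions on share2 are still NTFS ACLs, set over SMB the same way as on share1 (mount the share with the storage account key once to apply them). Scoping the role to the fileshares resource rather than the storage account keeps the group from gaining access to other shares in storage2.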


Comments
ant_12

Highly Voted 1 year, 10 months ago 

Answer is A. Group writeback is enabled, so it can access the Azure file share and the on-prem share with an Azure AD group.

upvoted 10 times 

syu31svc

Highly Voted 1 year, 8 months ago 

Selected Answer: B

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-group-writeback-v2

Since Azure AD security groups are written back with scope 'Universal', B it is then.

upvoted 5 times 

Ksk08

Most Recent 1 week, 3 days ago 

Why Option B Works Best:

- A universal security group created in AD DS will automatically sync to Azure AD through Azure AD Connect.
- It can manage permissions for both on-premises resources (share1) and cloud resources (share2) after synchronization.
- It's the most straightforward option for hybrid environments where you need to manage both local and cloud access.

upvoted 1 times 

Krayzr

4 months ago 

Selected Answer: B

B. In the AD DS domain, create a universal security group. Here’s why: A universal security group in AD DS can contain users from the AD DS domain. This group can be synchronized to Azure AD using Azure AD Connect. Once synchronized, the group can be used to authorize access to resources in both the on-premises AD DS domain (share1) and Azure AD-based resources (share2).

upvoted 3 times 

SIAMIANJI

6 months, 3 weeks ago 

Selected Answer: A

To create a security group that meets the specified requirements, follow these steps: 

Create a Security Group in Azure Active Directory (Azure AD): 

Log in to the Azure portal. 

Navigate to Azure Active Directory. 

Click on Groups and then select New group. 

Choose Security as the group type. Enter a name for the group (e.g., “ShareAccessGroup”). 

Set the Membership type to Assigned. 

Add the necessary users from the AD DS domain to this group. 

Click Create. 

Authorize User Access to share1 and share2: Assign the newly created security group permissions to the shared folders: On Server1 (on-premises), configure the permissions for the share1 folder to allow access to the security group. In Azure Storage (storage2), configure the permissions for the share2 folder to allow access to the same security group.

upvoted 2 times 

Kuikz

7 months, 2 weeks ago 

Selected Answer: B

https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/how-to-configure-entra-to-active-directory

Supported groups:
- Only cloud created Security groups are supported.
- These groups can have assigned or dynamic membership.
- These groups can only contain on-premises synchronized users and / or additional cloud created security groups.
- The on-premises user accounts that are synchronized and are members of this cloud created security group can be from the same domain or cross-domain, but they all must be from the same forest.
- These groups are written back with the AD group scope of universal. Your on-premises environment must support the universal group scope.
- Groups that are larger than 50,000 members aren't supported.
- Each direct child nested group counts as one member in the referencing group.

upvoted 2 times 

dolphan904

11 months, 1 week ago 

B is WRONG: if you create the universal group in ADDS, then the writeback option is irrelevant. The group gets synced via AD Connect, but writeback is irrelevant. If you create the security group in Azure, it will be written back to ADDS as a universal group, at which point the user accts in ADDS will be added to that group based on the mapping to their counterparts in Azure AD. Keep in mind that when a user acct syncs from on-prem to Azure AD, only the acct's attributes sync, to a new SID completely different than that of ADDS; therefore, the mapping I am alluding to.

upvoted 1 times 

windowsmodulesinstallerworker

1 year, 2 months ago 

Selected Answer: A

It does not state that groups are actually being synced from ADDS to Azure AD, while it does say that group writeback is enabled. Since this is a public preview feature, this question is probably not scored.

upvoted 3 times 

Doman01

1 year, 4 months ago 

In my opinion it's A. Why not the most voted B? We do have AAD Connect, but it is not mentioned that groups are being synced from ADDS to AAD, while it is mentioned that group writeback is enabled. By choosing B we do not know if this group will be synced to AAD, so we may not be able to use it to give access to share2. Choosing either A or C, we are sure we will have the group in both AAD and ADDS and that we will be able to add users from both. In this situation ASSIGNED seems better than DYNAMIC, as we do not have any hints that only specific users should have access (it is only CAN CONTAIN users from ADDS).

upvoted 3 times 

jecawi9630

1 year, 11 months ago 

Selected Answer: B

B seems to be the best bet, though A might work as well.

upvoted 2 times 

johosofat

2 years ago 

This feature is out in preview; all of these answers could be correct, depending on the question. As written, you can go with B; however, the Universal group will go back only to one OU if you enable it this way, which seems problematic. Furthermore, you cannot put any domain local groups inside the Universal security group. Also, if you go the old way and just have an Office 365 group, then you can likely do the same thing, but it seems like fewer restrictions. IDK, but here is the guidance: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-group-writeback-v2

upvoted 4 times 

edykss

2 years, 2 months ago 

Correct

upvoted 3 times