Your network contains an Active Directory forest named contoso.com. You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to configure synchronization by using the Express Settings installation option in Azure AD Connect.
You need to identify which roles and groups are required to perform the planned configuration. The solution must use the principle of least privilege.
Which two roles and groups should you identify? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. B. C. D. E.
Correct answer: CE
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions
When configuring synchronization using the Express Settings installation option in Azure AD Connect, it is important to follow the principle of least privilege. This means that only the minimum necessary permissions should be granted to the roles and groups responsible for the configuration.
Of the options provided, the Domain Admins group in Active Directory and the Enterprise Admins group in Active Directory should not be used for this purpose. These groups have broad, high-level administrative permissions over the entire Active Directory forest, and using them to configure Azure AD Connect synchronization would grant more access than is necessary, violating the principle of least privilege.
The Security administrator role in Azure AD provides the necessary permissions to configure synchronization using the Express Settings installation option. This role has the ability to create and manage synchronization rules, and to view and manage synchronization errors. However, it does not have access to other administrative functions, such as user and group management, which helps maintain the principle of least privilege.
The Global administrator role in Azure AD provides full administrative permissions over the entire Azure AD tenant, which includes the ability to manage users, groups, and applications. While this role could be used to configure synchronization using the Express Settings installation option, it would grant more access than is necessary, violating the principle of least privilege.
The User administrator role in Azure AD provides permissions to manage user accounts and groups, but does not have the necessary permissions to configure synchronization using the Express Settings installation option. Therefore, this role is not applicable for this scenario.
In summary, the roles and groups required to perform the planned configuration while adhering to the principle of least privilege are: