Assign Azure Contributor Role to Fabrikam Developers using Existing Credentials

Azure Role Assignment for Fabrikam Developers

Question

A company named Contoso, Ltd. has an Azure Active Directory (Azure AD) tenant that is integrated with Microsoft 365 and an Azure subscription.

Contoso has an on-premises identity infrastructure. The infrastructure includes servers that run Active Directory Domain Services (AD DS), Active Directory Federation Services (AD FS), Azure AD Connect, and Microsoft Identity Manager (MIM).

Contoso has a partnership with a company named Fabrikam, Inc. Fabrikam has an Active Directory forest and a Microsoft 365 tenant. Fabrikam has the same on-premises identity infrastructure components as Contoso.

A team of 10 developers from Fabrikam will work on an Azure solution that will be hosted in the Azure subscription of Contoso. The developers must be added to the Contributor role for a resource group in the Contoso subscription.

You need to recommend a solution to ensure that Contoso can assign the role to the 10 Fabrikam developers. The solution must ensure that the Fabrikam developers use their existing credentials to access resources.

What should you recommend?

Answers

Explanations


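A. Configure an AD FS relying party trust between the Fabrikam and Contoso AD FS infrastructure.

B. In the Azure AD tenant of Contoso, create cloud-only user accounts for the Fabrikam developers.

C. Configure an organization relationship between the Microsoft 365 tenants of Fabrikam and Contoso.

D. In the Azure AD tenant of Contoso, use MIM to create guest accounts for the Fabrikam developers.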

D

Azure Active Directory (Azure AD) business-to-business (B2B) collaboration is a feature within External Identities that lets you invite guest users to collaborate with your organization. With B2B collaboration, you can securely share your company's applications and services with guest users from any other organization, while maintaining control over your own corporate data.

https://docs.microsoft.com/en-us/azure/active-directory/external-identities/what-is-b2b

The best solution for ensuring that the 10 Fabrikam developers can be added as Contributors in the Contoso subscription is to use option D: In the Azure AD tenant of Contoso, use MIM to create guest accounts for the Fabrikam developers.

Option A (Configure an AD FS relying party trust between the Fabrikam and Contoso AD FS infrastructure) is not a suitable solution as it would require significant configuration changes to the on-premises identity infrastructure of both companies, which may not be feasible or practical.

Option B (In the Azure AD tenant of Contoso, create cloud-only user accounts for the Fabrikam developers) is also not a suitable solution as it would require the Fabrikam developers to create new accounts in the Azure AD tenant of Contoso, which may not be desirable or feasible for various reasons.

Option C (Configure an organization relationship between the Microsoft 365 tenants of Fabrikam and Contoso) is not a suitable solution as it would only allow access to Microsoft 365 resources and not the Azure subscription resources, which is the requirement in this case.

Option D (In the Azure AD tenant of Contoso, use MIM to create guest accounts for the Fabrikam developers) is the best solution as it would allow the Fabrikam developers to use their existing credentials to access the resources in the Azure subscription of Contoso. MIM can be used to synchronize the on-premises identity infrastructure of Fabrikam with Azure AD, and then guest accounts can be created in the Azure AD tenant of Contoso for the Fabrikam developers. These guest accounts can then be added to the Contributor role for the required resource group in the Contoso subscription, allowing the Fabrikam developers to access the necessary resources.
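The guest-then-role-assignment flow described above, as an added example that is not part of the original page. It swaps MIM for a Microsoft Graph PowerShell B2B invitation to create the guest accounts, and the tenant ID, resource group name and developer addresses are placeholders or constructed values.

```powershell
# Added example: placeholder names, not values from the page.
# Requires the Microsoft.Graph and Az PowerShell modules.
$tenantId      = '<contoso-tenant-id>'
$resourceGroup = '<resource-group-name>'
$developers    = 1..10 | ForEach-Object { "dev$($_)@fabrikam.example" }   # constructed addresses

Connect-MgGraph -TenantId $tenantId -Scopes 'User.Invite.All' | Out-Null
Connect-AzAccount -Tenant $tenantId | Out-Null

foreach ($mail in $developers) {
    # Create the guest object in the Contoso tenant. The developer keeps
    # signing in at Fabrikam with existing credentials.
    $invite = New-MgInvitation -InvitedUserEmailAddress $mail `
        -InviteRedirectUrl 'https://portal.azure.com' `
        -SendInvitationMessage:$true
    $guestId = $invite.InvitedUser.Id

    # A new guest can take a short time to become visible to Azure RBAC, so retry.
    foreach ($attempt in 1..5) {
        try {
            # Scope the role to the one resource group, not the subscription.
            New-AzRoleAssignment -ObjectId $guestId `
                -RoleDefinitionName 'Contributor' `
                -ResourceGroupName $resourceGroup -ErrorAction Stop | Out-Null
            break
        } catch {
            if ($attempt -eq 5) { throw }
            Start-Sleep -Seconds 15
        }
    }
}

# Check: list guest assignments that apply to the resource group. Any Scope
# above the resource group means a guest holds broader access than intended.
Get-AzRoleAssignment -ResourceGroupName $resourceGroup |
    Where-Object { $_.SignInName -like '*#EXT#*' } |
    Select-Object SignInName, RoleDefinitionName, Scope
```

The final query also returns assignments inherited from the subscription or a management group, so it doubles as a least-privilege review of guest access.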