Assigning Contributor Role to Fabrikam Developers in Azure Subscription | Solution Recommendation

Question

A company named Contoso, Ltd. has an Azure Active Directory (Azure AD) tenant that is integrated with Microsoft Office 365 and an Azure subscription.

Contoso has an on-premises identity infrastructure. The infrastructure includes servers that run Active Directory Domain Services (AD DS), Active Directory Federation Services (AD FS), Azure AD Connect, and Microsoft Identity Manager (MIM).

Contoso has a partnership with a company named Fabrikam, Inc. Fabrikam has an Active Directory forest and an Office 365 tenant. Fabrikam has the same on-premises identity infrastructure as Contoso.

A team of 10 developers from Fabrikam will work on an Azure solution that will be hosted in the Azure subscription of Contoso. The developers must be added to the Contributor role for a resource in the Contoso subscription.

You need to recommend a solution to ensure that Contoso can assign the role to the 10 Fabrikam developers. The solution must ensure that the Fabrikam developers use their existing credentials to access resources.

What should you recommend?

Answers

Explanations

A. B. C. D.

D

https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-external-users

To allow the Fabrikam developers to access resources in Contoso's Azure subscription, while using their existing credentials, the following solutions can be recommended:

Option A: Configure a forest trust between the on-premises Active Directory forests of Contoso and Fabrikam

This option involves establishing a trust relationship between the on-premises Active Directory forests of Contoso and Fabrikam. With this trust relationship, the identities and credentials of the Fabrikam developers can be authenticated in Contoso's forest, allowing them to be added to the Contributor role for the necessary resources in the Azure subscription. However, this option can be complex to implement and manage, especially if both forests are large, and may require additional infrastructure to support the trust relationship.

Option B: Configure an organization relationship between the Office 365 tenants of Fabrikam and Contoso

This option involves creating an organization relationship between the Office 365 tenants of Fabrikam and Contoso, which allows the identities and credentials of the Fabrikam developers to be authenticated in Contoso's Azure AD tenant. With this relationship in place, the Fabrikam developers can be added to the Contributor role for the necessary resources in the Azure subscription. However, this option may not work if the resources to which the developers require access are not available in the Office 365 tenant.

Option C: In the Azure AD tenant of Contoso, enable Azure Active Directory Domain Services (Azure AD DS). Create a one-way forest trust that uses selective authentication between the Active Directory forests of Contoso and Fabrikam

This option involves enabling Azure AD DS in the Azure AD tenant of Contoso and creating a one-way forest trust that uses selective authentication between the Active Directory forests of Contoso and Fabrikam. With this trust relationship, the identities and credentials of the Fabrikam developers can be authenticated in Contoso's Azure AD tenant, allowing them to be added to the Contributor role for the necessary resources in the Azure subscription. However, this option may require additional infrastructure to support the trust relationship.

Option D: In the Azure AD tenant of Contoso, create guest accounts for the Fabrikam developers

This option involves creating guest accounts for the Fabrikam developers in Contoso's Azure AD tenant. With these guest accounts, the developers can be added to the Contributor role for the necessary resources in the Azure subscription. However, this option may require additional management of the guest accounts and may not be ideal if the developers already have existing identities in their own organization.
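As an added example (not part of the original page), the following check audits the outcome of Option D: given exported role assignments, it flags Fabrikam guest accounts that hold a role other than Contributor or hold it at a scope broader than a single resource. The sample records, subscription ID, resource names and function names are constructed for illustration; the field names are assumed to follow `az role assignment list -o json` output, and the home domain is derived heuristically from the `#EXT#` guest user principal name.

```python
# Constructed sample records; field names assumed to match `az role assignment list -o json`.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder ID
APP = SUB + "/resourceGroups/rg-solution/providers/Microsoft.Web/sites/app1"
SAMPLE = [
    {"principalName": "dev1_fabrikam.com#EXT#@contoso.onmicrosoft.com",
     "roleDefinitionName": "Contributor", "scope": APP},
    {"principalName": "dev2_fabrikam.com#EXT#@contoso.onmicrosoft.com",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "dev3_fabrikam.com#EXT#@contoso.onmicrosoft.com",
     "roleDefinitionName": "Owner", "scope": APP},
    {"principalName": "admin@contoso.com",
     "roleDefinitionName": "Contributor", "scope": SUB},
]

def guest_home_domain(principal_name):
    """Return the home domain of a guest UPN (name_domain#EXT#@tenant), else None."""
    idx = principal_name.upper().find("#EXT#")
    if idx < 0:
        return None
    return principal_name[:idx].rsplit("_", 1)[-1].lower()

def scope_level(scope):
    """Classify an ARM scope string by how much it covers."""
    parts = scope.strip("/").lower().split("/")
    if parts[0] != "subscriptions":
        return "above_subscription"      # root or management group
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resource_group"
    if len(parts) > 4 and parts[2] == "resourcegroups" and parts[4] == "providers":
        return "resource"
    return "unknown"

def audit_guest_assignments(assignments, partner_domain, role="Contributor"):
    """List (principal, role, scope level, reason) for partner guests outside the intended grant."""
    findings = []
    for a in assignments:
        name = a.get("principalName", "")
        if guest_home_domain(name) != partner_domain.lower():
            continue                     # not a guest from this partner
        level = scope_level(a["scope"])
        if a["roleDefinitionName"] != role:
            findings.append((name, a["roleDefinitionName"], level, "unexpected role"))
        elif level != "resource":
            findings.append((name, role, level, "scope broader than one resource"))
    return findings

if __name__ == "__main__":
    for finding in audit_guest_assignments(SAMPLE, "fabrikam.com"):
        print(finding)
```
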

In summary, the recommended option would depend on the existing infrastructure and requirements of the two organizations. Option B or Option C could be the best fit, as they both allow for authentication of the Fabrikam developers in Contoso's Azure AD tenant while using their existing identities and credentials. Option A or Option D could also be considered but may have additional complexity or management requirements.