Azure AD DS and Azure Storage Group Authorization Solution

Create a Security Group for Share1 and Share2

Question

You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant. Group writeback is enabled in Azure AD Connect.

The AD DS domain contains a server named Server1. Server1 contains a shared folder named share1.

You have an Azure Storage account named storage2 that uses Azure AD-based access control. The storage2 account contains a share named share2.

You need to create a security group that meets the following requirements:

-> Can contain users from the AD DS domain

-> Can be used to authorize user access to share1 and share2

What should you do?

Answers

Explanations

B

To create a security group that can contain users from an on-premises Active Directory Domain Services (AD DS) domain and can be used to authorize user access to both share1 and share2, we need to ensure that the security group can be synced to Azure AD and can also be used for access control in Azure Storage.

Option A: Creating a security group that has assigned membership in the Azure AD tenant does not meet the requirements, as this security group cannot be synced to the on-premises AD DS domain and cannot be used for access control in Azure Storage.

Option B: Creating a universal security group in the AD DS domain is a valid option as it can contain users from the AD DS domain and can be synced to Azure AD. However, it cannot be used for access control in Azure Storage, as it does not have any relationship with Azure Storage.

Option C: Creating a security group that has dynamic membership in the Azure AD tenant does not meet the requirements, as this security group cannot be synced to the on-premises AD DS domain and cannot be used for access control in Azure Storage.

Option D: Creating a Microsoft 365 group in the Azure AD tenant does not meet the requirements, as this type of group is used for collaboration and communication in Microsoft 365 services and cannot be used for access control in Azure Storage.

Therefore, the correct answer is option B: In the AD DS domain, create a universal security group. This security group can contain users from the AD DS domain, can be synced to Azure AD, and can be used for access control in on-premises and cloud resources.

After creating the universal security group in the AD DS domain, we can sync it to Azure AD using Azure AD Connect. Once synced, we can use the security group to authorize user access to share1 on Server1 and to share2 in the Azure Storage account storage2. For Azure Storage access control, we need to configure share2 in the storage2 account to use Azure AD-based access control and then add the universal security group to the access control list (ACL) with the appropriate permissions.
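The steps in that last paragraph, as an added PowerShell walkthrough that is not part of the original question or explanation. It assumes the group name Share-Users, the OU path, the CONTOSO domain, the host name AADConnect01 for the Azure AD Connect server, the <subscription-id>/<resource-group>/<storage-account-key> placeholders, and that storage2 already has identity-based SMB authentication enabled for Azure Files.

```powershell
# Added example (not from the question or explanation). Assumed values:
# group name Share-Users, OU path, domain CONTOSO, host AADConnect01 and the
# <subscription-id>/<resource-group>/<storage-account-key> placeholders.

# 1. On a domain-joined admin host: create the universal security group in AD DS
#    and add the on-premises users who need access to both shares.
Import-Module ActiveDirectory
New-ADGroup -Name 'Share-Users' -SamAccountName 'Share-Users' `
    -GroupScope Universal -GroupCategory Security `
    -Path 'OU=Groups,DC=contoso,DC=com' -Description 'Authorizes share1 and share2'
Add-ADGroupMember -Identity 'Share-Users' -Members 'user1', 'user2'   # constructed sample users

# 2. On Server1: grant the group share-level (SMB) and NTFS rights on share1.
Invoke-Command -ComputerName Server1 -ScriptBlock {
    Grant-SmbShareAccess -Name 'share1' -AccountName 'CONTOSO\Share-Users' -AccessRight Change -Force
    $path = (Get-SmbShare -Name 'share1').Path
    icacls $path /grant 'CONTOSO\Share-Users:(OI)(CI)(M)'
}

# 3. On the Azure AD Connect server: push the new group to Azure AD now instead of
#    waiting for the scheduled sync cycle.
Invoke-Command -ComputerName AADConnect01 -ScriptBlock {
    Start-ADSyncSyncCycle -PolicyType Delta
}

# 4. In Azure: give the synced group the share-level permission on share2 (Azure RBAC).
Connect-AzAccount
$group = Get-AzADGroup -DisplayName 'Share-Users'
$scope = '/subscriptions/<subscription-id>/resourceGroups/<resource-group>' +
         '/providers/Microsoft.Storage/storageAccounts/storage2/fileServices/default/fileshares/share2'
New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName 'Storage File Data SMB Share Contributor' -Scope $scope

# 5. From a domain-joined client: set the directory/file-level (NTFS) ACL on share2.
#    The share-level RBAC check in step 4 is evaluated first, then this NTFS ACL.
net use Z: \\storage2.file.core.windows.net\share2 /user:Azure\storage2 <storage-account-key>
icacls Z:\ /grant 'CONTOSO\Share-Users:(OI)(CI)(M)'
net use Z: /delete
```

A user gets access to share2 only when both the share-level role assignment and the NTFS ACL allow it, so verify both layers after the group has synced.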