Assigning Users from contoso.com to Azure Subscription1 | Microsoft AZ-303 Exam Answer


Question

You have the following Azure Active Directory (Azure AD) tenants:

-> Contoso.onmicrosoft.com: Linked to a Microsoft 365 tenant and syncs to an Active Directory forest named contoso.com by using password hash synchronization

-> Contosoazure.onmicrosoft.com: Linked to an Azure subscription named Subscription1

You need to ensure that you can assign the users in contoso.com access to the resources in Subscription1.

What should you do?

Answers

A. Create an Azure management group that contains Subscription1.
B. Configure contoso.onmicrosoft.com to use pass-through authentication.
C. Create guest accounts for all the contoso.com users in contosoazure.onmicrosoft.com.
D. Configure Active Directory Federation Services (AD FS) federation between contosoazure.onmicrosoft.com and contoso.com.

Explanations

To allow users in the contoso.com Active Directory forest access to resources in Subscription1, you need to establish a trust relationship between the two environments. There are different ways to achieve this, but the correct answer in this case is option D: Configure Active Directory Federation Services (AD FS) federation between contosoazure.onmicrosoft.com and contoso.com.

Here is why the other options are not the best choice, and why option D is:

Option A: Create an Azure management group that contains Subscription1. Creating a management group does not provide any mechanism for authenticating users from the contoso.com Active Directory forest. Management groups are used to manage access, policies, and compliance across multiple Azure subscriptions.

Option B: Configure contoso.onmicrosoft.com to use pass-through authentication. Pass-through authentication (PTA) is a mechanism for authenticating users against an on-premises Active Directory infrastructure without requiring a full Active Directory Federation Services (AD FS) deployment. However, PTA does not provide the necessary integration between Azure AD and an on-premises Active Directory forest.

Option C: Create guest accounts for all the contoso.com users in contosoazure.onmicrosoft.com. Creating guest accounts for all the contoso.com users would work, but it is not the best solution because it would require manual provisioning and management of guest accounts for potentially a large number of users. Moreover, it would not provide a seamless authentication experience for the users.

Option D: Configure Active Directory Federation Services (AD FS) federation between contosoazure.onmicrosoft.com and contoso.com. Configuring AD FS federation provides a trust relationship between Azure AD and the on-premises Active Directory forest, enabling users to authenticate using their existing Active Directory credentials. AD FS uses industry-standard protocols such as Security Assertion Markup Language (SAML) and WS-Federation to establish trust and exchange authentication information between the two environments.

AD FS requires some infrastructure setup and configuration, including setting up an AD FS farm and configuring the necessary trust relationships, certificates, and firewall rules. However, it provides the most seamless and secure user experience, and it allows you to use more advanced authentication scenarios such as multifactor authentication (MFA).
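Whichever option is chosen, an administrator should first confirm which tenant Subscription1 actually trusts and what authentication type the domains in that tenant currently use, because Azure RBAC role assignments on a subscription can only target principals known to the subscription's home tenant. The following script is an added example, not part of the original question or explanation. It uses the Az and Microsoft Graph PowerShell modules; the subscription name comes from the question, and the role-assignment query is shown read-only so nothing is changed.

```powershell
# Added example (not from the exam page): inspect the tenant binding of
# Subscription1 and the authentication type of the domains in that tenant.
# Requires the Az and Microsoft.Graph PowerShell modules.

# 1. Sign in and find the subscription named in the question.
Connect-AzAccount | Out-Null
$sub = Get-AzSubscription -SubscriptionName 'Subscription1'

# The TenantId here is the only tenant whose users can be assigned RBAC roles
# on this subscription; per the question it should be contosoazure.onmicrosoft.com.
Write-Host "Subscription $($sub.Name) ($($sub.Id)) trusts tenant $($sub.TenantId)"

# 2. List the domains in that tenant with their authentication type.
#    'Managed' means cloud or password-hash / pass-through authentication;
#    'Federated' means sign-in is redirected to an identity provider such as AD FS.
Connect-MgGraph -TenantId $sub.TenantId -Scopes 'Domain.Read.All' | Out-Null
Get-MgDomain |
    Select-Object Id, AuthenticationType, IsVerified, IsDefault |
    Format-Table -AutoSize

# 3. Review who already holds roles on the subscription (read-only).
#    After the chosen option is implemented, the contoso.com users should
#    appear here as assignable principals of the subscription's tenant.
Get-AzRoleAssignment -Scope "/subscriptions/$($sub.Id)" |
    Select-Object DisplayName, SignInName, RoleDefinitionName, ObjectType |
    Sort-Object RoleDefinitionName |
    Format-Table -AutoSize
```

The domain listing is the quickest way to confirm the outcome of option D: a domain that has been federated shows AuthenticationType of Federated rather than Managed. The role-assignment listing is the place to check that only the intended contoso.com users end up with access to Subscription1.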