Microsoft Azure Security Technologies (AZ-500)

What should a user do if they discover synced on-premises accounts are unable to be assigned roles in Azure?

• A. Use individual accounts for role assignments.
• B. Change the synchronization methods.
• C. Check permissions in the parent directory.
• D. Adjust the Azure AD Connect configuration.

The correct answer is: Adjust the Azure AD Connect configuration.

When on-premises accounts that are synchronized with Azure Active Directory (Azure AD) are unable to be assigned roles in Azure, adjusting the Azure AD Connect configuration is the appropriate action. Azure AD Connect is the tool that facilitates synchronization between an on-premises Active Directory and Azure AD. If users discover that their synced accounts cannot assume roles, it is likely due to issues in the synchronization setup or configuration. By adjusting the Azure AD Connect configuration, administrators can ensure that the necessary attributes and permissions are being synchronized correctly. This might involve ensuring that users are part of the right organizational unit (OU) that is being synchronized, confirming that all required attributes (such as the 'userPrincipalName') are being passed correctly, or verifying that the synchronization rule allows the assignment of roles. Addressing configuration issues is essential to ensure that on-premises accounts have the correct permissions and capabilities in Azure. Other choices do not adequately address the underlying issue related to synchronization. Using individual accounts for role assignments ignores the purpose of synced accounts and can lead to management complexities. Changing synchronization methods might be excessive and not directly relevant if the current method is mostly functioning but just needs adjustment. Checking permissions in the parent directory might offer some insight, but it will not resolve the issue if