Microsoft Azure Security Technologies (AZ-500)

What should be done first to assign Azure roles to synced on-premises user accounts in a new subscription?

• A. Configure a second instance of Azure AD Connect.
• B. Change the Azure AD tenant used by the new subscription.
• C. Configure the Azure AD tenant to use federated authentication.
• D. Configure the tenant to use pass-through authentication.

The correct answer is: Change the Azure AD tenant used by the new subscription.

The correct approach to assign Azure roles to synced on-premises user accounts in a new subscription is to change the Azure AD tenant used by the new subscription. When a new subscription is created in Azure, it is often associated with a specific Azure Active Directory (Azure AD) tenant. If that tenant doesn't already contain the necessary synced user accounts, changing the tenant to one that does enables the subscription to properly recognize and utilize those synced user accounts for role assignments. When the appropriate Azure AD tenant is selected, the necessary directory information, including the synced on-premises accounts, becomes available, allowing for proper role management within the subscription. This setup is crucial because Azure role assignments rely on users being present in the Azure AD tenant associated with the subscription. Configuring a second instance of Azure AD Connect, setting up federated authentication, or configuring pass-through authentication are not required initial steps for assigning roles to users in the new subscription. These settings pertain more to the overall authentication strategy and maintaining synchronization but do not directly impact the initial process of associating user roles within a newly created subscription. By ensuring the subscription is linked to the right tenant, you streamline the user management and role assignment processes.