AZ-500: What Is the Difference Between a User Forest and a Resource Forest in Azure AD DS?

Can a Resource Forest in Azure AD Domain Services Sync On-Premises Accounts?

Get a clear explanation for the AZ-500 exam on Azure AD Domain Services. Understand why a resource forest cannot sync on-premises accounts and learn the key differences between a user forest and a resource forest for hybrid identity.

Question

A resource forest in Azure AD Domain Services will sync accounts from on-premises as well as Azure.

A. TRUE
B. FALSE

Answer

B. FALSE

Explanation

Only a user forest synchronizes accounts from on-premises AD.

The statement is false because the primary function of a resource forest in Azure AD Domain Services (Azure AD DS) is to establish a trust with an on-premises AD DS environment, not to synchronize user accounts. The model that synchronizes user accounts is the user forest.

Resource Forest

This deployment model is designed for scenarios where you cannot or do not want to synchronize password hashes from your on-premises Active Directory to Azure AD. A resource forest in Azure AD DS is essentially empty of user accounts. It establishes a one-way outgoing forest trust to your on-premises AD DS domain(s). When a user from the on-premises domain tries to access a resource secured by the Azure AD DS managed domain, the authentication request is passed across the trust to an on-premises domain controller for validation. In other words, the resource forest trusts the on-premises forest to perform authentication, so no user credentials ever need to be stored in the managed domain.

User Forest

This is the standard deployment model for Azure AD DS. It synchronizes user accounts, groups, and password hashes directly from your Azure AD tenant. If that Azure AD tenant is configured with Azure AD Connect to sync with an on-premises AD DS, then identities flow from on-premises to Azure AD, and then from Azure AD into the Azure AD DS managed domain. This is the model where user accounts from both cloud-only (Azure) and on-premises sources are synchronized into the managed domain.

Therefore, the statement incorrectly describes a resource forest’s purpose. A resource forest relies on a trust relationship for authentication and does not sync user accounts itself.
