GCP Professional Cloud Security Engineer Practice Question
Your company must let 300 external consultants from a partner that uses Azure Active Directory view Cloud Monitoring dashboards in a single Google Cloud project for six months. Requirements: consultants sign in with their Azure AD credentials; no Google Workspace or Cloud Identity accounts or directory sync; access limited to the Monitoring Viewer role and revocable from Azure AD. Which approach best meets these needs while following Google best practices?
Enable Cloud Identity, synchronize the consultants' Azure AD accounts with Google Cloud Directory Sync, and assign them the Monitoring Viewer role in the project.
Create a workforce identity pool, add Azure AD as a SAML (or OIDC) provider, map Azure user attributes to Google principals, and grant the Monitoring Viewer role to the external identities via a principalSet binding.
Configure traditional SAML single sign-on between Cloud Identity and Azure AD, create Google accounts for each consultant, and grant them the Monitoring Viewer role with two-step verification enforced.
Set up Workload Identity Federation with an Azure AD OIDC provider, create a service-account key, share the key with the consultants, and map the service account to the Monitoring Viewer role.
Workforce Identity Federation lets human users from an external IdP access Google Cloud without creating or syncing Google accounts. Once you create a workforce identity pool and add a SAML (or OIDC) provider that trusts the partner's Azure AD, each consultant can exchange an Azure AD assertion for a short-lived Google credential. You then bind the Monitoring Viewer role to a principalSet that represents all consultants, enforcing least privilege. Disabling a consultant in Azure AD immediately blocks issuance of new Google tokens. Importing accounts with GCDS or traditional SAML SSO violates the no-account-creation rule, while Workload Identity Federation and shared service-account keys target non-human workloads and breach key-management best practices.
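The setup the explanation describes, written out as gcloud commands in an added example script (this is not part of the practice question or of Google's documentation). The organization ID, project ID, pool and provider IDs, display names and the metadata file name are constructed placeholders; by default the script only prints the commands it would run, and setting GCLOUD=gcloud executes them against a real organization.

```shell
#!/usr/bin/env sh
# Added example: workforce identity federation for an external Azure AD tenant.
# Dry-run by default: GCLOUD expands to "echo gcloud" so every step is printed,
# not executed. Set GCLOUD=gcloud to run the commands for real.
GCLOUD="${GCLOUD:-echo gcloud}"
ORG_ID="${ORG_ID:-123456789012}"                 # placeholder organization ID
PROJECT_ID="${PROJECT_ID:-monitoring-proj}"      # placeholder project with the dashboards
POOL_ID="${POOL_ID:-partner-consultants}"        # placeholder workforce pool ID
PROVIDER_ID="${PROVIDER_ID:-azure-ad-saml}"      # placeholder provider ID
# Placeholder file name: the SAML federation metadata exported from the
# Azure AD enterprise application that represents Google Cloud.
IDP_METADATA="${IDP_METADATA:-azure-ad-federation-metadata.xml}"

# IAM member string that matches every identity in the pool.
principal_set_member() {
  printf 'principalSet://iam.googleapis.com/locations/global/workforcePools/%s/*' "$1"
}

# Narrower member string: only identities whose mapped attribute has a given
# value (pool, attribute name, value). Useful if only a subset of the partner's
# users should see the dashboards.
principal_set_attribute_member() {
  printf 'principalSet://iam.googleapis.com/locations/global/workforcePools/%s/attribute.%s/%s' \
    "$1" "$2" "$3"
}

# Step 1: the pool. session-duration caps how long a federated session lives,
# which bounds the window between disabling a user in Azure AD and that user
# losing access to existing sessions.
create_pool() {
  $GCLOUD iam workforce-pools create "$POOL_ID" \
    --organization="$ORG_ID" \
    --location=global \
    --display-name="Partner consultants" \
    --session-duration=3600s
}

# Step 2: the SAML provider that trusts the partner's Azure AD. The attribute
# mapping ties the Google subject to the SAML NameID in the assertion.
create_saml_provider() {
  $GCLOUD iam workforce-pools providers create-saml "$PROVIDER_ID" \
    --workforce-pool="$POOL_ID" \
    --location=global \
    --idp-metadata-path="$IDP_METADATA" \
    --attribute-mapping="google.subject=assertion.subject" \
    --display-name="Azure AD (partner)"
}

# Step 3: least privilege. The only role granted is Monitoring Viewer, scoped
# to one project, and it is bound to the pool rather than to individual users.
grant_monitoring_viewer() {
  $GCLOUD projects add-iam-policy-binding "$PROJECT_ID" \
    --role=roles/monitoring.viewer \
    --member="$(principal_set_member "$POOL_ID")"
}

create_pool
create_saml_provider
grant_monitoring_viewer
```

Revocation note: because the binding targets the pool, removing a consultant means disabling them in Azure AD, after which no new Google credential can be issued for them; a session already issued remains usable until the pool's session duration elapses, which is why the example keeps that value short. When the six months end, deleting the pool (or the single binding) removes access for all 300 consultants at once.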
GCP Professional Cloud Security Engineer
Configuring Access