Option D is the one that lets you create dynamic policies using Entra ID attributes as source. The other choices are more about mapping or static groups, not policy automation. Pretty sure this is what Palo Alto wants here, though let me know if you see it differently.
I don’t think B works here. D is the one that handles dynamic Entra ID attributes for policies, so static group answers (like C) are easy to mix up but miss that bigger attribute support. Open to pushback if someone’s used Group Attribute for this though.
Yeah, D makes sense here. Only Cloud Dynamic User Group lets you build policies using any attributes from Entra ID, not just membership in groups. That’s what sets it apart from the other options I think. Correct me if I missed something, but pretty sure D is right for this one.
