In a test tenant, I was able to add mail-enabled security, M365 and security groups to an EndPoint Security Manager role assignment.
Add Role Assignment -> Admin Groups...
tricky question because based on this article you need to use a security group, but indeed you can select a M356 group (but It won't work)
https://learn.microsoft.com/en-us/mem/intune/fundamentals/role-based-access-control#role-assignments
The correct answer is B. Security only.
Explanation:
- The Endpoint Security Manager role is managed through role-based access control (RBAC) in Microsoft Intune.
- Security groups are the only group type that can be used for assigning RBAC roles in Microsoft Endpoint Manager.
- Mail-enabled security groups, Microsoft 365 groups, and distribution groups cannot be used for RBAC role assignments in Endpoint security.
To assign roles (like Endpoint Security Manager) in Microsoft Entra ID (formerly Azure AD), you can only use security groups — and not mail-enabled or Microsoft 365 groups.
Security groups are used to control access and assign roles/permissions.
Role assignments (like Azure AD roles or Microsoft 365 admin roles) can only be assigned to users or security groups.
There are no right answers. Only Security groups and M365 groups can have assigned roles. You can't create a mail-enabled security group in Entra ID. So right answer is F: Security and Microsoft 365 groups.
Microsoft 365 groups are designed primarily for collaboration within Microsoft 365 apps, like Teams, SharePoint, and Outlook, rather than for security or administrative role assignments.
The correct option is D, because it is the only answer that contains both groups to which roles can be assigned: To assign a role to a group, you must create a new security or Microsoft 365 group with the isAssignableToRole property set to true
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/groups-concept
You CAN use : D. mail-enabled security, Microsoft 365, and security only
But recommended would be : B. security only.
But question here is about what you CAN do.
I tested in my tenant from Intune to assign this role, I was able only to choose: mail-enabled security and security only.
When I tried MS365 or Distribution group, there is not any option to choose.
So, I will choose option C.
Update it should be D -> From endopint manager > tenant admin > roles > open "endpoint decurity manager" > assignments > ..... you can choose M365, security & mail-enabled group
To create a group and assign the Endpoint Security Manager role to the group, you can use a role-assignable group. A role-assignable group is a type of Azure AD security group that can be assigned to a role in Microsoft Endpoint Manager1. You can create a role-assignable group by using the Azure portal, PowerShell, or Microsoft Graph2.
This section is not available anymore. Please use the main Exam Page.MS-102 Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
cb0900
Highly Voted 1 year, 10 months agodaye
1 year, 8 months agodaye
1 year, 8 months agoDarekmso
Highly Voted 1 year, 9 months agorass1981
1 year, 6 months agoWASDowningpower
Most Recent 1 month, 2 weeks agoIgoKostadin
1 month, 3 weeks agobnijhofNL
3 months, 1 week agoMToo
6 months agoFrank9020
8 months, 1 week agoFrank9020
8 months, 1 week agojustITtopics
9 months, 1 week agowael_kodmani
10 months, 3 weeks agomikl
1 year, 2 months agoShuihe
1 year, 7 months agoChristianbrivio1991
1 year, 7 months agoChristianbrivio1991
1 year, 7 months agoTP447
1 year, 8 months agosergioandreslq
1 year, 8 months agoDarekmso
1 year, 9 months agoDarekmso
1 year, 9 months agoMarkusSan
1 year, 9 months agoRJTW070
1 year, 10 months ago