Exam MS-102 topic 1 question 278 discussion

NYN A user admin can never reset the password of a Global Admin, AU or not. That's a huge security risk if you use common sense.

No - The User Admin can not reset the password for the Global Admin, User2 is not in direct scope. Yes The Global Admin he can manage all aspects of Entra ID No User3 is not in the same scope as User1

Copilot In Microsoft 365, a User Administrator cannot reset the password of a Global Administrator, even if they are in the same Administrative Unit. Only another Global Administrator has the authority to reset the password for a Global Administrator. NYN

NO: User administrator cannot reset password for Global Administrator. NO: Global Administrator cannot change or modify group in AU2. The scope of a Global administrator’s permissions is limited to the administrative unit they are assigned to AU1. YES: User Admin has AU1 as scope, and User3 has no admin rights and is member of Group2 in AU1.

This question is very poorly design. Especially the 2nd table. In the first table column scope - none and organization basically means the same thing so why bother except to confuse you. 2nd table is poor design and misleading. It can be: AU2 contains Group1 AND User3, AU1 contains Group2 AND User2 AND User3, which make User1 scope to AU1 able to reset password of User3. OR Group1 contains User3 Group2 contains User2 and User3 AND a separate table to show AU2 contain Group1 ONLY and AU1 contain Group2 ONLY, if so this will make User1 only able to manage properties of Group2 but not able to reset password of its member - user3.

Answers are Correct User 1 is a User Administrator Scoped to AU1 = Has Admin permissions over users in AU1 User2 is a Global Administrator For AU1, But is not Scoped to AU1, therefore, has admin permissions over Users in AU1 and the Tenant. User 3 has no admin role/permissions and is just a user in the Tenant

https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-assign-roles In Microsoft Entra ID, for more granular administrative control, you can assign a Microsoft Entra role with a scope that's limited to one or more administrative units. When a Microsoft Entra role is assigned at the scope of an administrative unit, role permissions apply only when managing members of the administrative unit itself, and don't apply to tenant-wide settings or configurations

https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units Administrative units restrict permissions in a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the Helpdesk Administrator role to regional support specialists, so they can manage users only in the region that they support. Note that if you assign a role to a user that is not a member of an administrative unit, the scope of the role is the entire tenant. Adding a group to an administrative unit brings the group itself into the management scope of the administrative unit, but not the members of the group. In other words, an administrator scoped to the administrative unit can manage properties of the group, such as group name or membership, but they cannot manage properties of the users or devices within that group (unless those users and devices are separately added as members of the administrative unit).

No Yes No

User1 can reset the password of User2: User1: User Administrator for AU1 User2: Member of AU1 (through Group2) Conclusion: Yes, User1 can reset the password of User2 because User1 is a User Administrator for AU1, and User2 is within AU1. User2 can modify the membership of Group1: User2: Global Administrator (Global scope) Group1: Part of AU2 Conclusion: Yes, User2 can modify the membership of Group1 because User2 is a Global Administrator and has permissions over all administrative units, including AU2. User1 can reset the password of User3: User1: User Administrator for AU1 User3: Not a member of AU1 (User3 is in AU2) Conclusion: No, User1 cannot reset the password of User3 because User1’s scope is limited to AU1, and User3 is not within AU1. Answer Selections: User1 can reset the password of User2: Yes User2 can modify the membership of Group1: Yes User1 can reset the password of User3: No