ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam SC-300 All Questions

View all questions & answers for the SC-300 exam
Go to Exam

Exam SC-300 topic 1 question 85 discussion

Actual exam question from Microsoft's SC-300
Question #: 85
Topic #: 1
[All SC-300 Questions]

HOTSPOT
-

You have a Microsoft Entra tenant named contoso.com that contains an administrative unit named AU1 and two users named User1 and User2. User1 is a member of AU1.

You need to perform the following role assignments:

• User1: Security Administrator
• User2: User Administrator

For which scopes can each user be assigned the role? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Show Suggested Answer Hide Answer
Suggested Answer:
by sn0rlaxxx at Jan. 26, 2025, 1:18 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
sn0rlaxxx
Highly Voted 5 months ago
User 1: Contoso Only User 2: AU1 and Contoso.com https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/manage-roles-portal?form=MG0AV3&tabs=admin-center#:~:text=Roles%20that%20can%20be%20assigned%20with%20administrative%20unit%20scope
upvoted 6 times
armid
4 months, 2 weeks ago
thats right 1. Security Admin cannot be scoped to AUs 2. you dont need to be memeber of AU to be given administrative rights to it;
upvoted 5 times
...
...
siggiijons
Most Recent 3 weeks, 4 days ago
User 1:Contoso Only User 2: I can't see where it is mentioned that he needs to be a user administrator for only the AU1, so giving him tenant wide user administrator should include all users, as well as those inside the AU1? Maybe i am not understanding this correctly
upvoted 1 times
siggiijons
3 weeks, 4 days ago
Nevermind - read the question again and now see that it is asking where it CAN be assigned, not where it should be assigned
upvoted 1 times
...
...
noa808a
3 months, 2 weeks ago
The correct answer: User1: Only in the Tenant (Contoso.com) User2: AU1 & Tenant.
upvoted 1 times
...
csi_2025
4 months ago
Just checked it myself. User1: Only in the tenant; Security Admin is not a role available for administrative units User2: Only in the tenant; Simply because he is not in the AU -> Can`t get assigned the role in it (but is available in administrative units)
upvoted 1 times
noa808a
3 months, 2 weeks ago
Incorrect. You do not need membership of the AU to be assigned a role. From Microsoft documentation: "Administrators don't have to be members of the administrative unit they manage."
upvoted 2 times
...
...
YesPlease
4 months, 1 week ago
User1: Can be Security Admin of the tenant, but not the AU since it does not have the Security Administrator role available for use with AU https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/manage-roles-portal?form=MG0AV3&tabs=admin-center#roles-that-can-be-assigned-with-administrative-unit-scope User2: Can be User Admin of the tenant, but not the AU since they are not a member of the AU. https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-restricted-management#:~:text=Even%20Global%20Administrators%20won%27t%20be%20allowed%20to%20modify%20the%20objects%20unless%20they%20assign%20themselves%20explicitly%20to%20a%20role%20scoped%20to%20the%20restricted%20management%20administrative%20unit
upvoted 1 times
noa808a
3 months, 2 weeks ago
Incorrect. You do not need membership of the AU to be assigned a role. From Microsoft documentation: "Administrators don't have to be members of the administrative unit they manage."
upvoted 1 times
...
...
Frank9020
5 months ago
User1:Security Administrator- Can be assigned at AU1 level - Can be assigned at contoso.com (tenant-wide) =AU1 and contoso.com User2: User Administrator- Can only be assigned at contoso.com (tenant-wide) (User is not a member of AU1) = contoso.com only
upvoted 3 times
noa808a
3 months, 2 weeks ago
Incorrect. You do not need membership of the AU to be assigned a role. From Microsoft documentation: "Administrators don't have to be members of the administrative unit they manage."
upvoted 1 times
...
Frank9020
5 months ago
Since User2 is not a member of AU1, User2 cannot have an AU-scoped role.
upvoted 1 times
AcTiVeGrEnAdE
1 month, 4 weeks ago
Incorrect, You can assign roles scoped to AU's and the users do not need to be a user in the AU. When you create the role assignment you select an AU instead of the directory.
upvoted 1 times
...
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel