Exam MS-100 topic 3 question 86 discussion

I disagree, the admin role to install the connector is on-prem therefore should be User4

Connector installation requires local admin rights to the Windows server that it's being installed on. It also requires a minimum of an Application Administrator role to authenticate and register the connector instance to your Azure AD tenant. https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-deployment-plan

They only ask who can install it, not who ca register it.. Answer is D.

B: It also requires a minimum of an Application Administrator role to authenticate and register the connector instance to your Azure AD tenant.

User 4

On exam as of two days ago.

Answer D It needs to install on the server, so would need domain admin rights

refer to KSvh53 comment

For those that are not aware, domain admins are by design given local admin access to a domain controller and all member servers and workstations on a domain. Domain admin = local admin of that server. Azure AD admin =/= local admin to server. An Azure AD admin has absolutely no connection whatsoever to the local admin on that server. "Domain Admins are, by default, members of the local Administrators groups on all member servers and workstations in their respective domains. This default nesting should not be modified for supportability and disaster recovery purposes." https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-f--securing-domain-admins-groups-in-active-directory

This is a tricky one. The keyword in the question is "install". A local admin on the server (aka a domain admin) would be needed to install it. Therefore the only correct answer for this question is D. If, however, the question asked who would be able to register it in Azure AD, the only correct answer would be B. Both installing it on the server and registering it in Azure AD are necessary to make it work, but that's not what the question asks. It only asks who is able to install it on the server. See link below. "Connector installation requires local admin rights to the Windows server that it's being installed on. It also requires a minimum of an Application Administrator role to authenticate and register the connector instance to your Azure AD tenant." https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-deployment-plan

This is a tricky one. The keyword in the question is "install". A local admin on the server (aka a domain admin) would be needed to install it. Therefore the only correct answer for this question is D. If, however, the question asked who would be able to register it in Azure AD, the only correct answer would be B. Both installing it on the server and registering it in Azure AD are necessary to make it work, but that's not what the question asks. It only asks who is able to install it on the server. See link below. "Connector installation requires local admin rights to the Windows server that it's being installed on. It also requires a minimum of an Application Administrator role to authenticate and register the connector instance to your Azure AD tenant." https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-deployment-plan

The answer is B, Application Administrator - "Prerequisites. To add an on-premises application to Azure AD, you need: A Microsoft Azure AD premium subscription An application administrator account" https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-add-on-premises-application

B is correct https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-add-on-premises-application#install-and-register-a-connector .We have to suppose that this user is Local Admin on the server where the connector will be installed or is in a group of admins that can perform such installation on server but are not domain admins.

The answer should be D. "You need to identify which user can _INSTALL_ the Application Proxy connector." If it were to authenticate and register I would agree with B being the correct answer but it clearly asks for which user is able to install the connector. User4 has Domain Admin rights which means they have local admin rights on the server. User2 has the role Application Administrator but it's not stated they have local admin rights. "Connector installation requires local admin rights to the Windows server that it's being installed on. It also requires a minimum of an Application Administrator role to authenticate and register the connector instance to your Azure AD tenant." From the link: https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-deployment-plan Obviously everyone knows that you don't need domain admin to have local admin rights to a server, but nowhere in the question is it stated that any of them have local admin rights, except for User4 with admin rights to all servers in the domain. I'm quite shocked that there exists any doubt here when it's one of the more straightforward questions.

I found this information: https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-deployment-plan Administrative rights and roles: => Connector installation requires local admin rights to the Windows server that it's being installed on. It also requires a minimum of an Application Administrator role to authenticate and register the connector instance to your Azure AD tenant. => Application publishing and administration require the Application Administrator role. Application Administrators can manage all applications in the directory including registrations, SSO settings, user and group assignments and licensing, Application Proxy settings, and consent. It doesn't grant the ability to manage Conditional Access. The Cloud Application Administrator role has all the abilities of the Application Administrator, except that it does not allow management of Application Proxy settings. The correct answer is (B)

As I just went through the steps, the App Proxy Connector is a downloadable file that will need to be installed locally. The App Admin may have to setup the external application to get the proxy connector, but the only user that can install the connector here is User4, the domain admin.

Only user4 can install the connector, and only user2 can connect it... Stupid question, but they ask which user can install the Application Proxy connector, so I'm going with User4