Exam MS-100 topic 1 question 19 discussion

I'd say B is correct https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator User Administrator Users with this role can create users, and manage all aspects of users with some restrictions (see the table), and can update password expiration policies. Additionally, users with this role can create and manage all groups.

Somente o administrador de função privilegiada pode tornar um grupo atribuível a funções administrativas

B is correct

Checked and tested: (B) Source : https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator

Privileged Role Administrator Users with this role can manage role assignments in Azure Active Directory, as well as within Azure AD Privileged Identity Management. They can create and manage groups that can be assigned to Azure AD roles. In addition, this role allows management of all aspects of Privileged Identity Management and administrative units.

Right answer is A. The question says about the group as "... purpose of managing administrative accounts". This clearly indicates that we are talking about a roles assigned group. If you read about that in https://learn.microsoft.com/en-us/azure/active-directory/roles/groups-concept, they say that "Only Global Administrators and Privileged Role Administrators can create a role-assignable group"

A. The Privileged role administrator role. The Privileged role administrator role in Azure AD is the highest level of administrative access, and it has the ability to manage all aspects of an Azure AD tenant, including managing other administrators. This role can be used to add a user with the Security administrator role to the security group. The User administrator, Security administrator, and Billing administrator roles do not have the necessary permissions to manage other administrators and add them to the security group. It is important to note that, depending on the organization's security policies, adding users to the security group with the role of Security administrator may require approval from more than one privileged role administrator.

Using this link https://learn.microsoft.com/en-us/azure/active-directory/roles/delegate-by-task by section Users there is Create guest users Guest inviter and User administrator

Tested it just now. B is correct.

I think the answer here is A https://learn.microsoft.com/en-us/azure/active-directory/roles/groups-concept#how-are-role-assignable-groups-protected "By default, only Global Administrators and Privileged Role Administrators can manage the membership of a role-assignable group, but you can delegate the management of role-assignable groups by adding group owners." B - would be correct if they had been added to the group owners but this is not the default. We need to assume that the default settings are in place - therefore the answer must be A

Correct answer is B User Administrator. Seems that there is a new feature where you can do a Run As for the different roles. For Priviledged Role , Security Administrator and Billing Administrator this is displayed when trying to add any user to a security group. You do not have appropriate permissions to edit this group. You should be a global administrator or user management administrator to manage this group.

https://learn.microsoft.com/en-us/azure/active-directory/roles/groups-concept#how-are-role-assignable-groups-protected By default, only Global Administrators and Privileged Role Administrators can manage the membership of a role-assignable group, but you can delegate the management of role-assignable groups by adding group owners.

The answer is A (tried and tested). The reason for this is logical, if you make any group role assignable, this could lead to privilege escalation. Role-assignable groups are designed to help prevent potential breaches by having the following restrictions: Only Global Administrators and Privileged Role Administrators can create a role-assignable group. The membership type for role-assignable groups must be Assigned and can't be an Azure AD dynamic group. Automated population of dynamic groups could lead to an unwanted account being added to the group and thus assigned to the role. https://docs.microsoft.com/en-us/azure/active-directory/roles/groups-concept

B is correct.

Tested.B is correct

Assign group to role require special group. To that group you can assing member with user administrator role, you need to Global Admin or Priviliged role administrator

Both of them are correct if you read the role description "Privileged Role Administrator: Users with this role can manage role assignments in Azure Active Directory, as well as within Azure AD Privileged Identity Management. They can create and manage groups that can be assigned to Azure AD roles. In addition, this role allows management of all aspects of Privileged Identity Management and administrative units." "User Administrator: Users with this role can create users, and manage all aspects of users with some restrictions (see the table), and can update password expiration policies. Additionally, users with this role can create and manage all groups. This role also includes the ability to create and manage user views, manage support tickets, and monitor service health. User Administrators don't have permission to manage some user properties for users in most administrator roles. Admins with this role do not have permissions to manage MFA or manage shared mailboxes. The roles that are exceptions to this restriction are listed in the following table."