You sign up for Azure Active Directory (Azure AD) Premium. You need to add a user named [email protected] ad an administrator on all the computers that will be joined to the Azure AD domain. What should you configure in Azure AD?
Suggested Answer:D🗳️
When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principles to the local administrators group on the device: ✑ The Azure AD global administrator role ✑ The Azure AD device administrator role The user performing the Azure AD join In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page: 1. Sign in to your Azure portal as a global administrator or device administrator. 2. On the left navbar, click Azure Active Directory. 3. In the Manage section, click Devices. 4. On the Devices page, click Device settings. 5. To modify the device administrator role, configure Additional local administrators on Azure AD joined devices. References: https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin
Agree, as per the Devices blade under Device Settings, you can configure "Additional local administrators on Azure AD joined devices" and select members.
C is correct. However Azure AD premium is needed for this functionality: https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin#manage-the-device-administrator-role
Correct answer is D, because it is for future computers getting added automatically it happens after. While if it was for the current computers you all would have been correct but, the question is deceiving..... Answer D is correct! NOT C.
C and D both achieve the desired outcome - though C provides a route to achieving this without having to add the user account to a sensitive group such as Global Admins. Both methods grant access to existing and future AAD joined machines.
My argument to do this and ensure least privilege would be;
- Create a group specifically for this purpose
- Add the desired user to the group
- Add the group to the Device Settings on Devices blade.
There are 2 ways to implement requirements: C and D. You can use device settings to add an admin or you can assign admin role to the user and he will be added to local admins automatically. But I like the C, because the description for D is incorrect. You can assign user roles from "Assigned roles", not from settings.
Go to Azure AD blade -> Devices -> Device Settings
Here you will see option of "Additional local Administrator on Azure AD joined devices", click on selected and add the name of administrator whom you want to add.
So option "C" is correct. Tested in lab.
However if they ask to choose 2 answers then D is also correct as you can assign role "Cloud Device Administrator" from "User"->"Assigned Roles" blade which will also do the same job.
Cloud Device Administrator
Users in this role can enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys (if present) in the Azure portal. The role does not grant permissions to manage any other properties on the device.
Hence its not the same as the local Admin on the servers.
It must be C
This section is not available anymore. Please use the main Exam Page.AZ-300 Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
looker
Highly Voted 5 years, 8 months agobbbb
5 years, 5 months agoZixxer2Go
5 years, 1 month agotartar
4 years, 9 months agopraveen97
4 years, 11 months agoA365
4 years, 10 months agogurby
Highly Voted 5 years, 6 months agoBOC
Most Recent 4 years, 9 months agoJend
4 years, 10 months agoTP447
4 years, 9 months agoAusias18
4 years, 11 months agopoohtt
4 years, 11 months agoLen
4 years, 11 months agogboyega
4 years, 11 months agoDeveshSolanki
4 years, 11 months agoRooh
4 years, 12 months agoAmarKavita
5 years, 1 month agomilind8451
5 years, 2 months agomilind8451
5 years, 2 months agoaillusionist
4 years, 8 months agoGorha
5 years, 2 months agosilverdeath
5 years, 2 months agoHS007
5 years, 5 months agoBenkyoujin
5 years, 6 months agowigger
5 years, 4 months agoMatt_t
5 years, 6 months ago