User1 can add Device2 to Group1: No User2 can add Device1 to Group1: Yes User2 can add Device2 to Group2: No Explaination: Groups can contain both registered and joined devices as members. As a global administrator or cloud device administrator, you can manage the registered or joined devices. Intune Service administrators can update and delete devices. User administrator can manage users but not devices. User1 is a cloud device administrator. Users in this role can enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys (if present) in the Azure portal. The role does not grant permissions to manage any other properties on the device. User2 is the owner of Group1. He can add Device1 to Group1. Group2 is configured for dynamic membership. The properties on which the membership of a device in a group of the type dynamic device are defined cannot be changed by either an end user or an user administrator. User2 cannot add any device to Group2. Reference: https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal

NO Cloud device admin cannot add/join devices YES: user admin can add device/user/groups NO: Dynamic groups dont require manual intervention, it uses criteria to add or remove devices/users/groups only assigned groups you can add

Yes Yes No

User1 can add Device2 to Group 1: NO - Explanation: Cloud Device Admins can enable/disable/delete devices in Azure. Cloud Device Admin DOES NOT grant permission to manage ANY other properties of these devices; Including group membership. User2 can add Device1 to Group1: YES Explanation: User2 is the OWNER of Group1. This user can add and remove membership to this group under any circumstance as the group membership type is ASSIGNED - Implying that any membership affiliation must be manually given to any given resource. User2 can add Device2 to Group2: NO Explanation: Group2 is stated to be a DYNAMIC membership assignment - This implies that any given resource MUST MEET the criteria/requirement outlined within the group dynamic membership scope to be added to this group as a member. The properties of dynamic group membership requirements CANNOT be changed by either end user nor user administrator. Additionally, Dynamic Groups feature require Entra ID Premium P1 or P2 licensing. Hope this helps. Happy studying!

No Yes No User1 (Cloud Device administrator) should be an owner of group1 to add users or devices User 2 (User administrator) can update the membership of any assigned group, regardless of whether he is owner of the group or not because User administrator role has the permission to update group membership. He can add users, devices, to any assigned group in Azure AD. User 1&2 can't manually add or remove a member of a dynamic group.

No Yes No

It looks like someone answered this question on Microsoft Learn: https://learn.microsoft.com/en-us/answers/questions/40861/azure-ad-device-management Based on the given scenario, the answers are: N: User1 is NOT the owner of Group1 Y: User 2 is a user admin N: You can't manually add into a dynamic group

After reviewing the documentation and given that the group ownership is as provided in the question, I think the answer is NYN. N- user1 can modify the device status, but the cloud device admin can't add devices (Users in this role can enable, disable, and delete devices in Microsoft Entra ID and read Windows 10 BitLocker keys (if present) in the Azure portal) Y- user2 is group1 owner N- You can't manually add to a dynamic group (https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership)

1.N 2.Y 3.N

Anyone used GPT-4 on these?

NYN Nothing to do with ownership. Just Azure roles. Cloud device administrator's role do NOT allow group membership update, so user 1 CANNOT add any device to any group. User administrator's role allows group membership update, so User 2 CAN add devices to groups. However, Group 2 is dynamic. This is the Microsoft ambigously phrased question. User 2 CAN edit dynamic membership rules to add devices, but you CANNOT add device/user directly to a dynamic group.

@@@@@@@@@@@Don't be confused@@@@@@@ option 1 ==== YES [ Joined devices and Register Devices are just for distraction] option 2 ==== YES option 3 ==== NO [Can't add anything to Dynamic Group no matter what access you have]

ForCloud Device Administrator, users in this role can enable, disable, and delete devices in Microsoft Entra ID and read Windows 10 BitLocker keys (if present) in the Azure portal. https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#cloud-device-administrator

I've implemented anser is No Yes No User 1 is Cloud device administartor can only perform Enable disable delete Manage setting for Device User 2 is User Administartor have rights to manage the memer , group , device , enterprise application to the group in Assigned Type group User 2 can't add member as group type is Dynamic Assigned which didn't allow manual add or remove operation.

WRONG Answer, the right answer must be: User1 can add Device2 to Group1: No User2 can add Device1 to Group1: Yes User2 can add Device2 to Group2: No https://www.youtube.com/watch?v=1oK-Mfrmu8A

I passed with these questions and many friends passed too, all questions appeared in the real exam a great study resource, contact me on [email protected]

pass in the first attempt with real questions, contact me [email protected]