Exam MS-500 topic 1 question 64 discussion

Actual exam question from Microsoft's MS-500
Question #: 64
Topic #: 1

HOTSPOT -
You have a Microsoft 365 E5 subscription linked to an Azure Active Directory (Azure AD) tenant. The tenant contains a user named User1 and multiple Windows 10 devices. The devices are Azure AD joined and protected by using BitLocker Drive Encryption (BitLocker).
You need to ensure that User1 can perform the following actions:
✑ View BitLocker recovery keys.
✑ Configure the usage location for the users in the tenant.
The solution must use the principle of least privilege.
Which two roles should you assign to User1 in the Microsoft 365 admin center? To answer, select the appropriate roles in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: Helpdesk admin
View BitLocker recovery keys.
Helpdesk Admins can read BitLocker metadata and key on devices.
Note: One of the following should be enough:
✑ Global admins
✑ Intune Service Administrators
✑ Security Administrators
✑ Security Readers
✑ Helpdesk Admins

Box 2: User Administrator
Configure the usage location for the users in the tenant.
The User Administrator can manage all aspects of users and groups, including resetting passwords for limited admins.
The User Administrator can manage all user properties, including User Principal Name.

Update (FIDO) device keys -
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

Comments

fjfg
Highly Voted 2 years, 3 months ago
According to the following link the least privileged role that can read BitLocker keys is the Cloud Device Administrator. https://learn.microsoft.com/en-us/azure/active-directory/roles/delegate-by-task
upvoted 9 times
...
pete26
Highly Voted 2 years, 7 months ago
Valid on exam October 14, 2022
upvoted 6 times
...
RomanV
Most Recent 2 years, 1 month ago
Least privileged role to read BitLocker keys:
- Cloud Device Administrator
Additional roles:
- Helpdesk Administrator
- Intune Administrator
- Security Administrator
- Security Reader
And for the 2nd request: User Administrator
Source: https://learn.microsoft.com/en-us/azure/active-directory/roles/delegate-by-task
upvoted 2 times
...
examdj101j
2 years, 1 month ago
On my screen I wasn't able to even see all the options available.
upvoted 4 times
...
JoeP1
2 years, 2 months ago
All of the correct answers are cut off in the picture!
upvoted 5 times
...
msysadmin
2 years, 2 months ago
This question is a bit complicated. Agree with fjfg & Dzuljzebari. Cloud Device Admin also has the same permission.
Cloud Device Administrator: microsoft.directory/bitlockerKeys/key/read
Read bitlocker metadata and key on devices.
upvoted 1 times
...
Dzuljzebari
2 years, 3 months ago
Tested in lab, Helpdesk admin role allows to view the BitLocker key. Tricky as it is not described in the role description while it clearly mentions this capability for Cloud Device Administrator role.
upvoted 2 times
...
brotown22
2 years, 4 months ago
Tricky as full list of roles not provided, however if following 'least privilege role':
role #1 - helpdesk admin
role #2 - licence admin (only role with specific microsoft.directory/users/usageLocation/update permission)
ref: https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#license-administrator
upvoted 1 times
...
hans333
2 years, 5 months ago
I think it's:
BitLocker: Intune administrator
Usage location: User administrator
upvoted 3 times
...
Naveedkarjikar
2 years, 6 months ago
How to answer this
upvoted 2 times
...
ariania
2 years, 7 months ago
This question is a little strange. If you are actually watching the answer area it should be "Intunes Admin" and "Global Admin". But study on the roles in solution area in case it has different forms in the exam.
upvoted 2 times
ariania
2 years, 7 months ago
Note that we don't see the full list, so my answer is from what we see.
upvoted 1 times
...
...