Exam SC-300 topic 1 question 36 discussion

Correct Answer: Object Type: Administrative Unit Role: Authentication administrator

Sheesh this site has a lot of wrong answers, what's the point even ..

The key part of this question is the requirement that these settings be changed or managed for ONLY the executives. From the who can reset passwords page (https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-assign-roles#roles-that-can-be-assigned-with-administrative-unit-scope) it notes that additional restrictions apply to roles scoped to administrative units. Once you create an AU there is then a smaller selection of eligible roles that can be assigned, and the further restrictions page (https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-assign-roles#roles-that-can-be-assigned-with-administrative-unit-scope) states that the Authentication Administrator "Has access to view, set, and reset authentication method information for any non-admin user in the assigned administrative unit ONLY." This accomplishes our goal of ensuring the administrator permissions would only extend to members of of the AU (executives). Therefore the answer is: Administrative Unit & Authentication Administrator

To meet the requirement of allowing the support team to reset passwords and manage MFA settings for only the executives while adhering to the principle of least privilege, you can follow this approach: Object Type: Azure AD Group You should use an Azure AD group to define the executives as a specific set of users. Create a group that contains only the 100 executives, which will limit the scope of operations to this group. Azure AD Role: Authentication Administrator Assign the Authentication Administrator role to the support team for this specific group. This role allows resetting passwords, managing multi-factor authentication (MFA) settings, and configuring authentication policies, but only for the users within the assigned scope (in this case, the executives group). Summary: Object Type: Azure AD Group Azure AD Role: Authentication Administrator

To ensure that the support team can reset passwords and manage multi-factor authentication (MFA) settings for only the executives while adhering to the principle of least privilege, you should use: Object Type: 1. An Administrative Unit Role: 1. Authentication Administrator

no such thing as a custom admin role

AU Authentication Administrator

Should be Administrative Unit Helpdesk administrator - The Authentication Administrator role is less privileged than the Helpdesk Administrator role The Authentication Administrator role has permissions to manage authentication methods and password reset whereas the Helpdesk Administrator role has permissions to manage passwords, groups, and users.

Object Type: Administrative Unit Role: Authentication administrator

Object Type: An Administrative Unit Role: Authentication Administrator

Role: Authentication Administrator - https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#authentication-administrator - "Set or reset any authentication method (including passwords) for non-administrators"

Object Type: An administrative unit Role: Authentication administrator

Correct: Object Type: An Administrative Unit Role: Authentication Administrator

Please update final answer

Authentication Administrator is the least privileged role to manage MFA as per https://learn.microsoft.com/en-us/azure/active-directory/roles/delegate-by-task#multi-factor-authentication

As well regarding the Authentication administrator or Helpdesk administrator options pay attention to "executives" in our case and Helpdesk administrator -Can reset passwords for non-administrators and Helpdesk Administrators. So Authentication administrator is our choice

Object Type: Administrative Unit Role: Authentication administrator