Exam AZ-305 topic 1 question 52 discussion

Actual exam question from Microsoft's AZ-305
Question #: 52
Topic #: 1

DRAG DROP

You have an Azure AD tenant that contains an administrative unit named MarketingAU. MarketingAU contains 100 users.

You create two users named User1 and User2.

You need to ensure that the users can perform the following actions in MarketingAU:

• User1 must be able to create user accounts.
• User2 must be able to reset user passwords.

Which role should you assign to each user? To answer, drag the appropriate roles to the correct users. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

memo454
Highly Voted 1 year, 2 months ago
This question is on today's exam. I passed the exam today 17-09-2023 with a score of 906/1000. The exam is easier than AZ-104.
upvoted 26 times
CloudJordao
Highly Voted 1 year, 7 months ago
Correct answer. Here's an explanation: The roles that you need to assign are:

• User1: User Administrator for the MarketingAU administrative unit.
• User2: Password Administrator or Helpdesk Administrator for the MarketingAU administrative unit.

The User Administrator role provides permissions to manage user accounts, including creating new users. The Password Administrator and Helpdesk Administrator roles provide permissions to reset user passwords.

Therefore, User1 needs the User Administrator role for the MarketingAU administrative unit to be able to create new user accounts. User2 needs either the Password Administrator or Helpdesk Administrator role for the MarketingAU administrative unit to be able to reset user passwords.

Note that assigning Helpdesk Administrator for the tenant role to User2 would provide permissions to reset passwords for all users in the Azure AD tenant, not just in the MarketingAU administrative unit.

https://learn.microsoft.com/en-us/azure/active-directory/roles/admin-units-assign-roles
upvoted 23 times
MiniLa92
10 months, 1 week ago
Just to add more clarity: assigning User Administrator for the MarketingAU administrative unit will allow creating users in Azure AD itself, as it holds the permission microsoft.directory/users/create; refer to https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#groups-administrator
upvoted 3 times
_punky_
1 month, 2 weeks ago
Nope, CloudJordao is right.
upvoted 1 times
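
The assignment CloudJordao describes, written out with the Microsoft Graph PowerShell SDK as an added example (not part of the original thread). The two UPNs are hypothetical placeholders, and Helpdesk Administrator is picked from the two password-reset roles the comment names; the script also lists each user's assignments so a tenant-wide scope (`/`) stands out in review.

```powershell
# Added example. Assumes the Microsoft.Graph modules are installed and the
# caller is allowed to create directory role assignments.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory',
                        'AdministrativeUnit.Read.All', 'User.Read.All'

# Resolve the administrative unit from the question by display name.
$au = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq 'MarketingAU'"
if (-not $au -or @($au).Count -ne 1) {
    throw 'Expected exactly one administrative unit named MarketingAU.'
}
$auScope = "/administrativeUnits/$($au.Id)"

# Principal -> role. UPNs are hypothetical; role names are the ones in the comment.
$plan = [ordered]@{
    'user1@contoso.example' = 'User Administrator'
    'user2@contoso.example' = 'Helpdesk Administrator'
}

foreach ($upn in $plan.Keys) {
    $user = Get-MgUser -UserId $upn
    # Look the role up by name instead of hard-coding its template ID.
    $role = Get-MgRoleManagementDirectoryRoleDefinition `
                -Filter "displayName eq '$($plan[$upn])'"

    # directoryScopeId limits the assignment to the AU; '/' would mean the whole tenant.
    New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
        '@odata.type'    = '#microsoft.graph.unifiedRoleAssignment'
        principalId      = $user.Id
        roleDefinitionId = $role.Id
        directoryScopeId = $auScope
    } | Out-Null

    # Review step: show every directory role assignment the user now holds
    # and flag any that is tenant-wide.
    Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" |
        Select-Object @{ n = 'User'; e = { $upn } },
                      RoleDefinitionId, DirectoryScopeId,
                      @{ n = 'TenantWide'; e = { $_.DirectoryScopeId -eq '/' } }
}
```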
SeMo0o0o0o
Most Recent 3 weeks, 2 days ago
CORRECT
upvoted 1 times
PrepaCertif
2 months, 2 weeks ago
Sorry, you can't create a user directly in an administrative unit. Just add a user. So you need to create the user outside the administrative unit and then add it inside. So you need User Administrator for the tenant. For User2, I think it's correct.
upvoted 1 times
MHguy
7 months, 1 week ago
in the Exam April 2024
upvoted 4 times
Lazylinux
7 months, 1 week ago
Given answer is correct
upvoted 1 times
nav109
1 year ago
This question appeared on my Exam today 11/17/2023
upvoted 7 times
InvalidNickname
1 year, 4 months ago
Got this on Aug 5th, 2023.
upvoted 3 times
babakeyfgir
1 year ago
Are you sure?
upvoted 1 times
theboywonder
1 year, 5 months ago
Answer is so obvious here: CloudJordao is right, and ofc users are part of tenant AD level, and AUs are a part of that. Simple.
upvoted 2 times
betterthanlife
1 year, 7 months ago
User 1 response incorrect (impossible to answer this correctly). 1) You cannot create users in an Administrative unit, you can only create users in Azure AD, so User 1 would require the User Administrator role for the tenant. 2) You can only add/remove users within an Administrative unit, User 1 would require the Privileged Role Administrator role (or GA) to do so. https://learn.microsoft.com/en-us/azure/active-directory/roles/admin-units-members-add#prerequisites I would choose "User Administrator for the tenant" for User 1.
upvoted 12 times
GuyForget
1 year, 6 months ago
The Tenant is outside of Azure AD; roles assigned at the tenant level are for resource control. Administrative Units are a part of Azure AD.
upvoted 1 times
mced
1 year, 1 month ago
What do you mean? The tenant/directory is in Entra ID (AAD). It's not "outside". The tenant/directory is where you have the users/groups/roles. Roles in the tenant are for administration of tenant-level objects. Azure roles are for managing resources in Azure.
upvoted 3 times
MiniLa92
10 months, 1 week ago
At first look I also thought the same, but if we refer to CloudJordao's comment and do a bit more searching, we will see that the 'User Administrator' role can be assigned to an administrative unit as per https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-assign-roles#roles-that-can-be-assigned-with-administrative-unit-scope and the 'User Administrator' role holds the permission "microsoft.directory/users/create", which creates a user in Azure AD only (not in the administrative unit). So I think assigning User Administrator for the MarketingAU administrative unit will satisfy the question's requirement.
upvoted 2 times
yonie
1 year, 7 months ago
Given answer is correct. Though the question could have been written better if it had a requirement for least privilege, since User Administrator can create users and reset their passwords. So potentially it could be given to both users.
upvoted 3 times
AdventureChick
1 year, 3 months ago
"least privilege" is the #1 best practice for designing security - across every tool/tech/company. LP is assumed. In all scenarios. Yes, it's absolutely fair to not include all the info in a scenario:

1. MS cert info says that you are expected to know, and apply, best practices and that the "Skills Measured" are not comprehensive.
2. Exam instructions say that "If there are two correct questions, pick the BEST one". LP = best (I hope that's obvious)
3. LP applies at every level of Defense in Depth (covered in the AZ-305).
4. LP is part of the Well-Architected Framework (WAF). (also covered in AZ-305)

Microsoft often does not give you 100% of the information for a scenario. They are testing if you know how to apply these in real-world situations.
upvoted 2 times
AdventureChick
1 year, 3 months ago
LOL ... I meant "two correct answers" pick the BEST one
upvoted 1 times
Jackdisuin
1 year, 7 months ago
Correct answer. We have tested this in a client environment.
upvoted 2 times
peeky
1 year, 7 months ago
Aren't user accounts at the tenant level?
upvoted 1 times
[Removed]
1 year, 7 months ago
Correct answer. No need for a tenant-level role: Admin required to create users, HelpDesk enough to reset passwords.
upvoted 3 times