Exam MD-102 topic 1 question 42 discussion

Should be YNN, CDA is admin within azure portal. SA is also azure role and doesn't have local admin rights to make changes.

letters1234 is correct, it is YNN.

The Security Administrator can indirectly configure the firewall and defender on a device, but the question didn't mention the device enrolled in Intune so the correct answer is YNN.

YNN is the answer

Y N N When device is joined in AAD it wil get local admin rights (for now). Security admin is for administration of security feature in entra etc.. No local admin rights. Same with cloud device administrator.

YNN As of now, user peforming Join will become an admin. This can be managed in future with a preview setting currently rolling out. Cloud Device Admin has only permission for Entra Device section and not the actual device. Security Admin has no permission to any device management.

https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#security-administrator

YNN Cloud Device Administrator role does not grant permissions to manage any other properties on the device: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#cloud-device-administrator

User1 have no roles assigned, but part of local "users" group, when UserA join the device1 using the user1 account it doesn't automatically elivate the user1's roles, user1 will still be an local user, will not become a member of local admins group.

NYN is correct

Manage regular users By default, Microsoft Entra ID adds the user performing the Microsoft Entra join to the administrator group on the device. If you want to prevent regular users from becoming local administrators, you have the following options: Windows Autopilot - Windows Autopilot provides you with an option to prevent primary user performing the join from becoming a local administrator by creating an Autopilot profile. Bulk enrollment - a Microsoft Entra join that is performed in the context of a bulk enrollment happens in the context of an autocreated user. Users signing in after a device has been joined aren't added to the administrators group. answers are correct

After further research, I have read that a cloud device administrator gets admin rights on the devices that are joined but NOT if they are hybrid joined. So now I don't know anymore about the 3rd answer. When reading about the role itself, it's not mentioning any of this.

i would vote for NO,NO,NO during the join operation security principals of the user are temporary added to local admin group, not the user itself, even if not so thats temporary security admin cannot configure firewall & defender on that computer cloud device admin cant install anything

the first answer is NO: tested it on my tenant (joining a device using a user profile does not add it to the Administrators Group) Proof that the second answer is YES: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#security-administrator this is proof that the third answer is NO: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#cloud-device-administrator

YES At the time of Microsoft Entra join, we add the following security principals to the local administrators group on the device: * The Microsoft Entra Global Administrator role * The Microsoft Entra Joined Device Local Administrator role * The user performing the Microsoft Entra join https://learn.microsoft.com/en-us/entra/identity/devices/assign-local-admin NO Question is ”[email protected] can configure the firewall and Microsoft Defender ON COMPUTER1.” Security administrator doesn’t have local admin rights to modify firewall and defender settings ON COMPUTER1. NO This is a privileged role. Users in this role can enable, disable, and delete devices in Microsoft Entra ID and read Windows 10 BitLocker keys (if present) in the Azure portal. The role does not grant permissions to manage any other properties on the device. https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#cloud-device-administrator

Cloud Device Administrator: With Cloud Device administrator role, you can Delete/Disable/Enable devices in Azure Active Directory but you cannot Add/Remove Users in the directory. With User administrator role, you can Add/Remove users in Azure AD but cannot Delete/Disable/Enable the devices.

By default, Microsoft Entra ID adds the user performing the Microsoft Entra join to the administrator group on the device. If you want to prevent regular users from becoming local administrators, you have the following options: