Exam MS-102 topic 1 question 167 discussion

Actual exam question from Microsoft's MS-102
Question #: 167
Topic #: 1

HOTSPOT

You have a Microsoft 365 E5 subscription and an Azure AD tenant named contoso.com.

All users have computers that run Windows 11, are joined to contoso.com, and are protected by using BitLocker Drive Encryption (BitLocker).

You plan to create a user named Admin1 that will perform the following tasks:

• View BitLocker recovery keys.
• Configure the usage location for the users in contoso.com.

You need to assign roles to Admin1 to meet the requirements. The solution must use the principle of least privilege.

Which two roles should you assign? To answer, select the appropriate options in the answer area.

Suggested Answer:

Comments

Amir1909
Highly Voted 10 months, 1 week ago
- Cloud Device Administrator - License Administrator
upvoted 15 times
...
OliwerCiecwierz
Highly Voted 1 year, 2 months ago
Answer is correct as Helpdesk Administrator has action of: microsoft.directory/bitlockerKeys/key/read - Read bitlocker metadata and key on devices and License Administrator has: microsoft.directory/users/usageLocation/update - Update usage location of users
upvoted 12 times
BigO76
21 hours, 14 minutes ago
Helpdesk Administrator: To view BitLocker recovery keys. (This role was previously named Password Administrator in the Azure portal. It was renamed to Helpdesk Administrator to align with the existing name in the Microsoft Graph API and Microsoft Graph PowerShell.) License Administrator: To configure the usage location for users (instead of User Administrator, as it adheres more closely to the principle of least privilege).
upvoted 1 times
...
Thor123
6 months, 2 weeks ago
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#helpdesk-administrator
upvoted 1 times
...
...
Xive
Most Recent 1 month, 2 weeks ago
Cloud Device admin is less privileged than helpdesk admin. With helpdesk admin, one can reset the password of another non-admin user, but that user could have access to a lot more sensitive information otherwise. With Cloud Device admin, the most damage he can do is to delete some devices in Entra ID; this does not mean a data leak, compared to unauthorised access to a user who may be the owner of several subscriptions due to a password reset by the helpdesk admin.
upvoted 1 times
...
f0f4a76
2 months, 2 weeks ago
Given answer is INCORRECT, Cloud Device Admin is the LEAST PRIVILEGED. Remember this exam is open learn.microsoft.com. Please reference https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/delegate-by-task. THIS HAS ALL THE LEAST PRIVILEGED stated. Helpdesk has MORE privilege than Cloud Device Admin. License admin is correct.
upvoted 2 times
...
dado11
2 months, 2 weeks ago
Correct!
upvoted 1 times
...
Rizwan235
2 months, 4 weeks ago
As stated in the FAQs in this doc: https://msft.it/61696cDu6p the minimum role-based access control (RBAC) rights required to access the recovery key in the Intune console is Helpdesk Administrator.
upvoted 1 times
...
Jamesat
7 months, 2 weeks ago
I think I agree with this. Cloud Device Admin would allow disabling and deleting of devices from Entra ID. Helpdesk Admin would therefore be least privileged as it can only reset passwords. Hard, as is deleting accounts less privileged than password resets? Hmmm
upvoted 2 times
...
oopspruu
7 months, 2 weeks ago
The key here is Least privileged role. 1. Cloud Device Admin is least privileged for Bitlocker keys. 2. License Admin for usage location.
upvoted 1 times
...
Motanel
7 months, 3 weeks ago
Cloud Device Admin is the least privilege role for viewing Bitlocker keys: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/delegate-by-task
upvoted 7 times
...
OwerGame
8 months, 3 weeks ago
I guess Helpdesk Admin is less privileged than Cloud device admin
upvoted 1 times
...
Vaerox
11 months ago
Are we sure that it's Helpdesk Administrator? Cloud Device Administrator: Users in this role can enable, disable, and delete devices in Microsoft Entra ID and read Windows 10 BitLocker keys (if present) in the Azure portal.
upvoted 3 times
...
Kmkz83510
11 months, 4 weeks ago
I think the first answer is a tossup between Intune Admin and HelpDesk Admin. Yes, if you compare them via the M365 admin portal, Intune Admin has more checkboxes, but could one argue that Intune Admin is less privileged since it's only scoped to devices? Agree with answer 2 - License Admin.
upvoted 1 times
OwerGame
8 months, 2 weeks ago
Bro, the amount of reach that Intune admin has compared to Cloud device and Helpdesk admin is clearly beyond your grasp. If you don't work in the industry, I can suggest that you set up that free tenant and join all your spare/old devices/VMs. Good luck anyway.
upvoted 1 times
...
Bouncy
10 months ago
Claiming that Cloud Device Administrator is less privileged due to its device scope sounds valid. Intune Admin not so much, way too powerful...
upvoted 2 times
...
...
NrdAlrt
1 year, 1 month ago
correct, see https://practical365.com/license-admin-role-and-other-improvements-in-azure-ad-administration/ for confirmation a license admin can set usage location in azure ad.
upvoted 2 times
...
DiligentSam
1 year, 2 months ago
correct
upvoted 1 times
...
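The comments above disagree on which role carries the least excess privilege for each required action. The following is an added example, not part of the original thread: it takes role definitions in the shape Microsoft Graph returns and lists, for every role that allows a given action, what else that role allows. The sample data is constructed and abbreviated, and the function names are hypothetical.

```python
# Constructed, abbreviated role definitions in the shape Microsoft Graph uses
# (displayName, rolePermissions[].allowedResourceActions). Each list is a short
# excerpt for illustration, not the role's full permission set.
SAMPLE_ROLES = [
    {"displayName": "Helpdesk Administrator", "rolePermissions": [{"allowedResourceActions": [
        "microsoft.directory/bitlockerKeys/key/read",
        "microsoft.directory/users/password/update",
        "microsoft.directory/users/invalidateAllRefreshTokens"]}]},
    {"displayName": "Cloud Device Administrator", "rolePermissions": [{"allowedResourceActions": [
        "microsoft.directory/bitlockerKeys/key/read",
        "microsoft.directory/devices/delete",
        "microsoft.directory/devices/disable",
        "microsoft.directory/devices/enable"]}]},
    {"displayName": "License Administrator", "rolePermissions": [{"allowedResourceActions": [
        "microsoft.directory/users/usageLocation/update",
        "microsoft.directory/users/assignLicense"]}]},
    {"displayName": "User Administrator", "rolePermissions": [{"allowedResourceActions": [
        "microsoft.directory/users/usageLocation/update",
        "microsoft.directory/users/create",
        "microsoft.directory/users/delete",
        "microsoft.directory/users/password/update"]}]},
]

def allowed_actions(role):
    """Flatten every allowedResourceActions list of one role definition."""
    return {action for perm in role.get("rolePermissions", [])
            for action in perm.get("allowedResourceActions", [])}

def roles_granting(action, roles):
    """Map each role that allows `action` to the other actions it allows.

    Matching is on exact action strings (case-insensitive); a role that grants
    the action only through a broader entry is not reported.
    """
    wanted = action.casefold()
    excess = {}
    for role in roles:
        allowed = allowed_actions(role)
        if any(a.casefold() == wanted for a in allowed):
            excess[role["displayName"]] = sorted(
                a for a in allowed if a.casefold() != wanted)
    return excess

if __name__ == "__main__":
    for needed in ("microsoft.directory/bitlockerKeys/key/read",
                   "microsoft.directory/users/usageLocation/update"):
        print(needed)
        for name, extra in roles_granting(needed, SAMPLE_ROLES).items():
            print(f"  {name}: {len(extra)} other action(s): {', '.join(extra)}")
```

Run against the full role definitions exported from a tenant, the same comparison shows the complete set of additional actions each candidate role would hand to Admin1.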