Exam SC-300 topic 2 question 21 discussion

Answer must be B - Helpdesk Administrators. From the docs: Authentication administrator: can reset passwords for non-admins but can't invalidate sessions. https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#authentication-administrator Helpdesk administrator: Users with this role can change passwords, invalidate refresh tokens, manage service requests, and monitor service health. Invalidating a refresh token forces the user to sign in again. https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#helpdesk-administrator Privileged Authentication Administrator: can reset all passwords (admins & non-admins) but can't invalidate any sessions. https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#privileged-authentication-administrator Security Operator: can't reset any passwords. https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#security-operator

Tl;dr: A In details: Privileged Auth Admin can reset passwords of non admins and admin accounts Helpdesk Admins can reset non admins and Helpdesk Admins password Authentication Administrator can only reset non admin accounts password To follow the least privilege requirement, Authentication Administrator should be the answer

both helpdesk administrator and authentication administrator can do similiar tasks asked here. the least privileged is helpdesk administrator as the authentication administrator can also modify authenticaiton related settings which is what a helpdesk administrator cannot do

A. Authentication administrator is the correct answer. Authentication Administrator can only reset non admin accounts password

Authentication Administrator and Helpdesk Administrator both have microsoft.directory/users/invalidateAllRefreshTokens and microsoft.directory/users/password/update permissions so I really feel like it comes down to the "non-admin" part of the question. Helpdesk Administrators have more permissions than they need in this area, i.e., they can reset passwords of admins. Authentication Administrators can only reset the passwords of non-admins so the answer is Authentication Administrators.

Help Desk Admin - "Users with this role can change passwords, invalidate refresh tokens"

B https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#helpdesk-administrator

Users with this role can change passwords, invalidate refresh tokens, manage service requests, and monitor service health. Invalidating a refresh token forces the user to sign in again.

Based on this, it seems that the Authentication Administrator role would be the most suitable, as it allows you to reset passwords for non-administrators. However, the ability to invalidate sessions is also required, and the Authentication Administrator role does not provide this. The Helpdesk Administrator role, on the other hand, allows both password reset and session invalidation for non-administrators, which satisfies both requirements for SecAdmin1.

"manage passwords"-term has only one match by Password Administrator, and the referenced action is microsoft.directory/users/password/update, which is to "Reset the password". This action is assigned to Helpdesk Administrator as well. On the other side, Password Administrator cannot "invalidate sessions". Hmm, this term has no matches, but "invalidate" points to microsoft.directory/users/invalidateAllRefreshTokens, which is the correct action we look for. And guess what - this action is assigned to Helpdesk Administrator again.

The best answer is B. Helpdesk administrator. The Helpdesk administrator role allows users to reset passwords, invalidate refresh tokens, manage service requests, and monitor service health. This role is a good choice for SecAdmin1 because it allows her to manage passwords and invalidate sessions on behalf of non-administrative users, without giving her the full permissions of a Security administrator.

The answer is: B. Helpdesk administrator The Helpdesk administrator role allows users to reset passwords and invalidate sessions on behalf of non-administrative users. It also allows users to manage authentication methods and multi-factor authentication settings for non-administrative users.

I think it's B

In Azure AD, the principle of least privilege is essential for security. To ensure that SecAdmin1 can manage passwords and invalidate sessions for non-administrative users without granting excessive permissions, you should assign the B: "Helpdesk administrator" role. Assigning the "Authentication administrator" or "Privileged authentication administrator" roles might provide more privileges than necessary for SecAdmin1's requirements.

A. Authentication administrator

A. The key here is non-admin accounts. Only the Auth Admin meets the criteria. Auth Admin: Can access to view, set and reset authentication method information for any non-admin user. Helpdesk Admin: Can reset passwords for non-administrators and Helpdesk Administrators. Priv Admin:Can access to view, set and reset authentication method information for any user (admin or non-admin). Security Operator: Creates and manages security events.

Answered correctly in similar question.