Exam AZ-104 topic 2 question 50 discussion

The answer is correct Administrative units restrict permissions in a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the Helpdesk Administrator role to regional support specialists, so they can manage users only in the region that they support.

B) "administrative units" "It can be useful to restrict administrative scope by using administrative units in organizations that are made up of independent divisions of any kind."- https://docs.microsoft.com/en-us/azure/active-directory/roles/administrative-units#deployment-scenario

B is corerct

Why some YouTube videos say azure AD roles?

B is correct

B. Administrative units Administrative units in Azure AD allow you to organize and delegate administrative tasks to specific administrative units. You can assign specific permissions and roles to administrators based on these units. This approach allows local administrators to have control over users and resources within their respective offices without having full global permissions. It's a more granular and decentralized approach to user management. Azure AD roles (Option A) typically deal with assigning permissions at a broader level, and they might not provide the necessary granularity for managing users within specific offices. Access packages in Azure AD entitlement management (Option C) are used for granting access to resources and applications rather than delegating user management tasks. Azure roles (Option D) are primarily focused on managing permissions for Azure resources and services, not user management within Azure AD. So, the most suitable choice for delegating user management permissions to local administrators in different offices is "B. Administrative units."

I think A because, the question does not state that each local administrator should be restricted to only administer the users in their office, so assigning the role 'User Administrator' would be the solution to this question would it not?

answer is correct https://youtu.be/XNqSQOYtcPQ

"You need to grant user management permissions to a local administrator in each office" vs "You need to grant *LOCAL* user management permissions to a local administrator in each office" IMHO the latter is a stronger case for Administrative Units. But the mere fact of mentioning "Local administrator in each office", implies an already in place setup of Administrative Units. Location/Division - based admin is use case for Administrative Units.

B. Administrative units would be the best option to grant user management permissions to a local administrator in each office. Administrative units are a feature in Azure AD that allow you to delegate administrative privileges to specific groups of users or administrators. By creating an administrative unit for each office, you can grant the local administrator in each office the necessary permissions to manage users and groups within their own office, without giving them access to the entire Azure AD tenant. Azure AD roles and Azure roles are used to grant permissions to perform specific tasks within Azure services, but they are not specifically designed for user management within Azure AD. Access packages in Azure AD entitlement management are used to manage access to specific resources and applications within an organization, but they are not specifically designed for delegating administrative privileges.

To grant user management permissions to a local administrator in each office, you should use Azure AD administrative units. Administrative units are a feature in Azure AD that allow you to delegate administrative permissions to specific groups of users or administrators. You can create an administrative unit for each office and then assign a local administrator to manage the users and groups within that unit. Azure AD roles, Azure roles, and access packages in Azure AD entitlement management are also used to grant permissions to users and groups, but they are not designed specifically for delegating administrative permissions to specific groups of users or administrators based on their location or organizational structure. Therefore, they are not the best option for granting user management permissions to local administrators in each office. So, the correct answer is B. administrative units.

B is the answer. https://learn.microsoft.com/en-us/azure/active-directory/roles/administrative-units An administrative unit is an Azure AD resource that can be a container for other Azure AD resources. An administrative unit can contain only users, groups, or devices. Administrative units restrict permissions in a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the Helpdesk Administrator role to regional support specialists, so they can manage users only in the region that they support.

Administrative units is correct

Correct Answer: B 🗳️ Reference: https://docs.microsoft.com/en-us/azure/active-directory/roles/administrative-units

It's very obvious, Administrative Unit is the answer

Answer is Administrative unit If you go to porta.azure.com -> Azure Active Directory -> Roles and Administrators from the left pane, you will be able to see multiple built in role called 'User Administrator'. If you click that role, you are able to assign, update or delete the user to the role

Why is A not correct? Even with B(admin unit), you have to assign AAD role to administrators for an admin unit.