You have three offices and an Azure subscription that contains an Azure Active Directory (Azure AD) tenant. You need to grant user management permissions to a local administrator in each office. What should you use?
A. Azure AD roles
B. administrative units
C. access packages in Azure AD entitlement management
The answer is correct
Administrative units restrict permissions in a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the Helpdesk Administrator role to regional support specialists, so they can manage users only in the region that they support.
Although I agree with your explanation, the question is not really stating that administrative units are required, as there is no statement about the local office administrators and whether they need to administer all users or should only administer the users of their respective office.
B) "administrative units"
"It can be useful to restrict administrative scope by using administrative units in organizations that are made up of independent divisions of any kind."- https://docs.microsoft.com/en-us/azure/active-directory/roles/administrative-units#deployment-scenario
The wording of the question, "what should you choose," is equivalent to "what is the best answer?" AD roles would work, but they wouldn't be the best answer, given that the question mentions having local administrators, which could be grouped together for practicality. The YouTube video, like me, probably missed that.
B. Administrative units
Administrative units in Azure AD allow you to organize and delegate administrative tasks to specific administrative units. You can assign specific permissions and roles to administrators based on these units. This approach allows local administrators to have control over users and resources within their respective offices without having full global permissions. It's a more granular and decentralized approach to user management.
Azure AD roles (Option A) typically deal with assigning permissions at a broader level, and they might not provide the necessary granularity for managing users within specific offices.
Access packages in Azure AD entitlement management (Option C) are used for granting access to resources and applications rather than delegating user management tasks.
Azure roles (Option D) are primarily focused on managing permissions for Azure resources and services, not user management within Azure AD.
So, the most suitable choice for delegating user management permissions to local administrators in different offices is "B. Administrative units."
I think A, because the question does not state that each local administrator should be restricted to only administer the users in their office, so assigning the role 'User Administrator' would be the solution to this question, would it not?
"You need to grant user management permissions to a local administrator in each office"
vs
"You need to grant *LOCAL* user management permissions to a local administrator in each office"
IMHO the latter is a stronger case for Administrative Units. But the mere fact of mentioning "Local administrator in each office" implies an already in place setup of Administrative Units. Location/Division-based admin is a use case for Administrative Units.
B. Administrative units would be the best option to grant user management permissions to a local administrator in each office.
Administrative units are a feature in Azure AD that allow you to delegate administrative privileges to specific groups of users or administrators. By creating an administrative unit for each office, you can grant the local administrator in each office the necessary permissions to manage users and groups within their own office, without giving them access to the entire Azure AD tenant.
Azure AD roles and Azure roles are used to grant permissions to perform specific tasks within Azure services, but they are not specifically designed for user management within Azure AD.
Access packages in Azure AD entitlement management are used to manage access to specific resources and applications within an organization, but they are not specifically designed for delegating administrative privileges.
To grant user management permissions to a local administrator in each office, you should use Azure AD administrative units.
Administrative units are a feature in Azure AD that allow you to delegate administrative permissions to specific groups of users or administrators. You can create an administrative unit for each office and then assign a local administrator to manage the users and groups within that unit.
Azure AD roles, Azure roles, and access packages in Azure AD entitlement management are also used to grant permissions to users and groups, but they are not designed specifically for delegating administrative permissions to specific groups of users or administrators based on their location or organizational structure. Therefore, they are not the best option for granting user management permissions to local administrators in each office.
So, the correct answer is B. administrative units.
True, but the scenario says:
You need to grant user management permissions to a local administrator in each office.
Not....
You need to grant 'local' user management permissions to a local administrator in each office.
The answer assumes a scope that the question doesn't actually specify.
B is the answer.
https://learn.microsoft.com/en-us/azure/active-directory/roles/administrative-units
An administrative unit is an Azure AD resource that can be a container for other Azure AD resources. An administrative unit can contain only users, groups, or devices.
Administrative units restrict permissions in a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the Helpdesk Administrator role to regional support specialists, so they can manage users only in the region that they support.
Answer is Administrative unit
If you go to portal.azure.com -> Azure Active Directory -> Roles and Administrators from the left pane, you will be able to see multiple built-in role called 'User Administrator'. If you click that role, you are able to assign, update or delete the user to the role.
I think that B is the answer because it is what the question is implying a scenario for which "Administrative Units" are specifically tailored for...
"Deployment scenario
It can be useful to restrict administrative scope by using administrative units in organizations that are made up of independent divisions of any kind."
https://docs.microsoft.com/en-us/azure/active-directory/roles/administrative-units#:~:text=An%20administrative%20unit%20is%20an%20Azure%20AD%20resource,any%20portion%20of%20your%20organization%20that%20you%20define.
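The difference the thread debates, a tenant-wide User Administrator assignment versus one scoped to an administrative unit, shown as an added example with Microsoft Graph PowerShell; it is not part of any comment above. The office names, admin UPNs and the use of `officeLocation` to pick unit members are assumptions made for illustration.

```powershell
# Requires the Microsoft.Graph module and an account allowed to manage
# administrative units and directory role assignments.
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory',
                        'User.Read.All'

# Constructed sample data: office name -> local administrator UPN (placeholders).
$offices = @{
    'Office-A' = 'admin.a@contoso.example'
    'Office-B' = 'admin.b@contoso.example'
    'Office-C' = 'admin.c@contoso.example'
}

$role = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'User Administrator'"

foreach ($office in $offices.Keys) {
    # One administrative unit per office.
    $au = New-MgDirectoryAdministrativeUnit -DisplayName $office `
        -Description "Users located in $office"

    # Assumption: each user's officeLocation holds the office name.
    Get-MgUser -Filter "officeLocation eq '$office'" -All | ForEach-Object {
        New-MgDirectoryAdministrativeUnitMemberByRef `
            -AdministrativeUnitId $au.Id `
            -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($_.Id)" }
    }

    # Scope the role to the unit. A DirectoryScopeId of '/' would instead
    # grant the role over every user in the tenant (the "option A" outcome).
    $admin = Get-MgUser -UserId $offices[$office]
    New-MgRoleManagementDirectoryRoleAssignment `
        -DirectoryScopeId "/administrativeUnits/$($au.Id)" `
        -PrincipalId $admin.Id `
        -RoleDefinitionId $role.Id
}

# Review: every office admin should show an /administrativeUnits/<id> scope,
# and none should show '/'.
Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "roleDefinitionId eq '$($role.Id)'" |
    Select-Object PrincipalId, DirectoryScopeId
```

The final query doubles as an audit check: any User Administrator assignment with scope `/` is tenant-wide and is the one to question when only per-office delegation was intended.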