Exam AZ-104 topic 2 question 14 discussion

User1 can add Device2 to Group1: No User2 can add Device1 to Group1: Yes User2 can add Device2 to Group2: No Explaination: Groups can contain both registered and joined devices as members. As a global administrator or cloud device administrator, you can manage the registered or joined devices. Intune Service administrators can update and delete devices. User administrator can manage users but not devices. User1 is a cloud device administrator. Users in this role can enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys (if present) in the Azure portal. The role does not grant permissions to manage any other properties on the device. User2 is the owner of Group1. He can add Device1 to Group1. Group2 is configured for dynamic membership. The properties on which the membership of a device in a group of the type dynamic device are defined cannot be changed by either an end user or an user administrator. User2 cannot add any device to Group2.

NO Cloud device admin cannot add/join devices YES: user admin can add device/user/groups NO: Dynamic groups dont require manual intervention, it uses criteria to add or remove devices/users/groups only assigned groups you can add

NYN As a cloud admin User1 do not have permission to add a device. However if User1 was the owner of Group1, then User1 would have full control of membership (which is not the case here)

User2 cannot add Device2 to Group2 because it is a dynamic group

fundamentally bad and confusing azure architecture, when user and device "admin" can't add objects to AD group, unless the admin also has permission to modify the group.

From real life. User1 needs to be member of users administrator to add computer or user as member. As cloud device administrator he can't.

for the question about user admins, as I thought they can only delegate user related queries and not to devices, however... https://learn.microsoft.com/en-us/answers/questions/1340769/can-an-user-with-user-administrator-role-add-an-az

No one can add any device to group2 because its a dynamic group, Static members cant be added.

i think the correct answer is Yes Yes No. User 1 is a cloud device administrator he can add a device to a group, User 2 is the owner of the Group so they can add members despite them being devices. Group 2 is a dynamic group hence you can not manually add a member

(User administrator) can update the membership of both the groups, regardless of whether he is owner of the group or not because User administrator role has the permission to update group membership. He can add users, devices, other groups to any group in Azure AD. Below is the permission that user administrator role has: On the other hand Cloud Device administrator can add members to the Group of which he is the owner. and he can add users, devices and other groups only to that Group. With Cloud Device administrator role, you can Delete/Disable/Enable devices in Azure Active Directory but you cannot Add/Remove Users in the directory. With User administrator role, you can Add/Remove users in Azure AD but cannot Delete/Disable/Enable the devices. Hence, The answers are: No Yes No

The access rights for User1 (Cloud Device Administrator) and User2 (User Administrator) in Azure AD, as well as the device status (Azure AD registered or Azure AD joined), will determine what actions each user can perform. >> User1 can add Device2 to Group1 - No. A Cloud Device Administrator can manage devices in Azure AD but cannot manage groups (including adding devices to a group). That task typically falls under the responsibilities of a User Administrator or a Group Owner. >> User2 can add Device1 to Group1 - Yes. As the owner of Group1 and a User Administrator, User2 has the rights to add devices to Group1. The fact that Device1 is Azure AD registered does not restrict it from being added to Group1. >> User2 can add Device2 to Group2 - No. User2 cannot manually add any device to Group2 because it is a dynamic device group. Memberships in dynamic device groups are determined by rules and conditions, rather than manual assignment. Even though User2 is a User Administrator and the owner of Group2, he cannot manually add devices to a dynamic device group.

User1 can add Device2 to Group 1: NO - Explanation: Cloud Device Admins can enable/disable/delete devices in Azure. Cloud Device Admin DOES NOT grant permission to manage ANY other properties of these devices; Including group membership. User2 can add Device1 to Group1: YES Explanation: User2 is the OWNER of Group1. This user can add and remove membership to this group under any circumstance as the group membership type is ASSIGNED - Implying that any membership affiliation must be manually given to any given resource. User2 can add Device2 to Group2: NO Explanation: Group2 is stated to be a DYNAMIC membership assignment - This implies that any given resource MUST MEET the criteria/requirement outlined within the group dynamic membership scope to be added to this group as a member. The properties of dynamic group membership requirements CANNOT be changed by either end user nor user administrator. Additionally, Dynamic Groups feature require Entra ID Premium P1 or P2 licensing. Hope this helps. Happy studying!

Wrong No Yes No Owner = User2 User2 + Azure AD registered + Assigned

ChatGPT answer: User1 can add device2 to group1: NO Reason: User1 is a Cloud Device Admin, but Group1 is an assigned group, and they are not listed as the owner of the group. Only the owner or a user with appropriate permissions (e.g., User admin) can assign devices to this group. User2 can add device1 to group1: YES Reason: User2 is a User Admin and the owner of Group1. As the group owner and with the User Admin role, they have the necessary permissions to add devices to Group1. User2 can add device2 to group2: NO Reason: Group2 is a Dynamic Device group, meaning its membership is determined automatically by rules based on device attributes. Devices cannot be manually added to dynamic groups, even by the owner.

NYN Generally registered devices would be users personal devices, mobile phones or laptops etc.. they log into the device with their personal credentials. An Entra ID joined device is connected to your organization, and users can log into the devices with their work account.

Conflicting with the question. In question User2 is the owner of Group1 & 2 but in the answer section it is mentioned "Group1 has the assigned join type, and the owner is User1." Examtopics in-charge please fix the contents as we rely on the details mentioned here

Final Answer : N Y N