Exam AZ-104 topic 2 question 14 discussion

User1 can add Device2 to Group1: No User2 can add Device1 to Group1: Yes User2 can add Device2 to Group2: No Explaination: Groups can contain both registered and joined devices as members. As a global administrator or cloud device administrator, you can manage the registered or joined devices. Intune Service administrators can update and delete devices. User administrator can manage users but not devices. User1 is a cloud device administrator. Users in this role can enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys (if present) in the Azure portal. The role does not grant permissions to manage any other properties on the device. User2 is the owner of Group1. He can add Device1 to Group1. Group2 is configured for dynamic membership. The properties on which the membership of a device in a group of the type dynamic device are defined cannot be changed by either an end user or an user administrator. User2 cannot add any device to Group2.

NO Cloud device admin cannot add/join devices YES: user admin can add device/user/groups NO: Dynamic groups dont require manual intervention, it uses criteria to add or remove devices/users/groups only assigned groups you can add

I think 1. User1 can add Device2 to Group1? No Group1 has Membership Type is "Assigned", so Owner Or Global Administrator has permission add device. User1 is a Cloud device administrator, but isn't owner Group1, so User1 don't add Device2 to Group1. 2. User2 can add Device1 to Group1? Yes User2 is Owner of Group1 and Group1 has Membership Type Assigned. User2 has permission for member management, So can add Device1 to Group1. 3. User2 can add Device2 to Group2? (No) Group2 has Membership Type is "Dynamic Device", so Azure AD automated member management based on predefined rules.. Users cannot manually add devices to Dynamic Device Groups, even if they are the group owners

No No Yes

User1 can add Device2 to Group1: No User1 is a Cloud Device Administrator and does not have permissions to manage group memberships. User2 can add Device1 to Group1: Yes User2 is a User Administrator and has the necessary permissions to manage group memberships, including adding devices to security groups. User2 can add Device2 to Group2: No Group2 is a Dynamic Device group, and User2, even as a User Administrator, cannot manually add devices to a dynamic group. Dynamic groups are managed automatically based on rules.

NYN As a cloud admin User1 do not have permission to add a device. However if User1 was the owner of Group1, then User1 would have full control of membership (which is not the case here)

User2 cannot add Device2 to Group2 because it is a dynamic group

fundamentally bad and confusing azure architecture, when user and device "admin" can't add objects to AD group, unless the admin also has permission to modify the group.

From real life. User1 needs to be member of users administrator to add computer or user as member. As cloud device administrator he can't.

for the question about user admins, as I thought they can only delegate user related queries and not to devices, however... https://learn.microsoft.com/en-us/answers/questions/1340769/can-an-user-with-user-administrator-role-add-an-az

No one can add any device to group2 because its a dynamic group, Static members cant be added.

i think the correct answer is Yes Yes No. User 1 is a cloud device administrator he can add a device to a group, User 2 is the owner of the Group so they can add members despite them being devices. Group 2 is a dynamic group hence you can not manually add a member

(User administrator) can update the membership of both the groups, regardless of whether he is owner of the group or not because User administrator role has the permission to update group membership. He can add users, devices, other groups to any group in Azure AD. Below is the permission that user administrator role has: On the other hand Cloud Device administrator can add members to the Group of which he is the owner. and he can add users, devices and other groups only to that Group. With Cloud Device administrator role, you can Delete/Disable/Enable devices in Azure Active Directory but you cannot Add/Remove Users in the directory. With User administrator role, you can Add/Remove users in Azure AD but cannot Delete/Disable/Enable the devices. Hence, The answers are: No Yes No

The access rights for User1 (Cloud Device Administrator) and User2 (User Administrator) in Azure AD, as well as the device status (Azure AD registered or Azure AD joined), will determine what actions each user can perform. >> User1 can add Device2 to Group1 - No. A Cloud Device Administrator can manage devices in Azure AD but cannot manage groups (including adding devices to a group). That task typically falls under the responsibilities of a User Administrator or a Group Owner. >> User2 can add Device1 to Group1 - Yes. As the owner of Group1 and a User Administrator, User2 has the rights to add devices to Group1. The fact that Device1 is Azure AD registered does not restrict it from being added to Group1. >> User2 can add Device2 to Group2 - No. User2 cannot manually add any device to Group2 because it is a dynamic device group. Memberships in dynamic device groups are determined by rules and conditions, rather than manual assignment. Even though User2 is a User Administrator and the owner of Group2, he cannot manually add devices to a dynamic device group.

User1 can add Device2 to Group 1: NO - Explanation: Cloud Device Admins can enable/disable/delete devices in Azure. Cloud Device Admin DOES NOT grant permission to manage ANY other properties of these devices; Including group membership. User2 can add Device1 to Group1: YES Explanation: User2 is the OWNER of Group1. This user can add and remove membership to this group under any circumstance as the group membership type is ASSIGNED - Implying that any membership affiliation must be manually given to any given resource. User2 can add Device2 to Group2: NO Explanation: Group2 is stated to be a DYNAMIC membership assignment - This implies that any given resource MUST MEET the criteria/requirement outlined within the group dynamic membership scope to be added to this group as a member. The properties of dynamic group membership requirements CANNOT be changed by either end user nor user administrator. Additionally, Dynamic Groups feature require Entra ID Premium P1 or P2 licensing. Hope this helps. Happy studying!

Wrong No Yes No Owner = User2 User2 + Azure AD registered + Assigned

ChatGPT answer: User1 can add device2 to group1: NO Reason: User1 is a Cloud Device Admin, but Group1 is an assigned group, and they are not listed as the owner of the group. Only the owner or a user with appropriate permissions (e.g., User admin) can assign devices to this group. User2 can add device1 to group1: YES Reason: User2 is a User Admin and the owner of Group1. As the group owner and with the User Admin role, they have the necessary permissions to add devices to Group1. User2 can add device2 to group2: NO Reason: Group2 is a Dynamic Device group, meaning its membership is determined automatically by rules based on device attributes. Devices cannot be manually added to dynamic groups, even by the owner.