Exam AZ-500 topic 4 question 80 discussion

Answer and reference is wrong. The correct one: User admin or Global admin. See here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-registration-mfa-sspr-combined

Ok, I've figured this one out. The OLD method does require Global Administrator. So, the provided answer is correct. However, the NEW way of doing this require at least Authentication Policy Administrators. "The Authentication methods policy is the recommended way to manage authentication methods, including modern methods like passwordless authentication. Authentication Policy Administrators can edit this policy to enable authentication methods for all users or specific groups." Both scenarios are explained here: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods-manage

I go with C Explanation: To enable passwordless authentication and use the combined registration experience (which allows users to register for passwordless authentication methods like Windows Hello, FIDO2 security keys, and Microsoft Authenticator), User1 needs the appropriate permissions. The least privileged role that grants permissions to enable passwordless authentication and manage authentication methods is: C. Authentication administrator Why Authentication Administrator? Authentication administrators have the necessary permissions to configure authentication methods (like passwordless authentication) in Azure Active Directory. They can manage authentication methods, including enabling the combined registration experience, which is part of passwordless authentication. D. Global administrator ❌ While this role can configure authentication methods, it is more privileged than necessary to follow the principle of least privilege. It grants broad permissions that include managing all aspects of the Azure AD tenant, which is unnecessary in this case.

A very similar question is in the practice assessment and the answer is Global Admin, which is the role that is needed to do this.

To enable passwordless authentication for the tenant, User1 needs to have Authentication Administrator role. But to enable "combined registration experience", User1 needs to have User Administrator Role. Hence Global Admin combines both access. Hence D.

D-Authentication administration can not set it for admin users and question asks about tenant wide configuration that is why we need to go with GA.

Answer: D Explanation: Sign in to the Azure portal as a user administrator or global administrator.

It is clearly mentioned in this link either User/Global administrator for "combined registration experience." I am wondering, isn't here anyone from ExamTopics to see and update the result? Link: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-deployment#required-roles

this can be done with all of mentioned roles but option c is enough without requiring excessive privileges or access to other administrative functions.

I think the answers y D- Global Administrator https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-deployment#required-roles Required roles Here are the least privileged roles required for this deployment: Azure AD Role Description User Administrator or Global Administrator To implement combined registration experience. Authentication Administrator To implement and manage authentication methods. User To configure Authenticator app on device, or to enroll security key device for web or Windows 10 sign-in.

B is the least priv and can do passwordless. the two admins who can do passwordless are the global admin and the privilege role admin. the least privilege is the privilege role admin so I would choose B.

C is the correct answer. the question says: The solution must use the principle of least privilege. The Authentication Administrator has the privileges to implement and manage authentication methods. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-deployment#required-roles

D is the answer. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-deployment#required-roles Here are the least privileged roles required for this deployment: - User Administrator or Global Administrator To implement combined registration experience.

D. Global administrator

Global Admin is required as per docs: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-deployment#required-roles Authentication Administrator can only implement and manage authentication methods, NOT implement combined registration experiences.

Tried with lab, when granted "Authentication admin", user cannot access Azure Active Directory > User settings > Manage user feature settings, hence not able to enable the combined registration experience. Based on MS documentation: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-registration-mfa-sspr-combined#enable-combined-registration Need user administrator or global administrator to do that, so I would choose D

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-registration-mfa-sspr-combined as somenick stated