Which account can you use?

Posted by: Pdfprep Category: AZ-104

You create an Azure subscription named Subscription1 and an associated Azure Active Directory (Azure AD) tenant named Tenant1.

Tenant1 contains the users in the following table.

You need to add an Azure AD Privileged Identity Management application to Tenant1.

Which account can you use?
A . [email protected]
B . [email protected]
C . [email protected]
D . [email protected]

Answer: B

Explanation:

For Azure AD roles in Privileged Identity Management, only a user who is in the Privileged Role Administrator or Global Administrator role can manage assignments for other administrators. You can grant access to other administrators to manage Privileged Identity Management. Global Administrators, Security Administrators, Global Readers, and Security Readers can also view assignments to Azure AD roles in Privileged Identity Management.

Only an owner can create a subscription, and only a global administrator can perform Privileged Identity Management changes. So you can create the subscription with an external user and then promote that user to global administrator to get things done.

The question states that the subscription is associated with an Azure AD tenant, so that tenant has an AD domain. In Azure AD, the default domain ends with onmicrosoft.com, so you can't have Hotmail IDs there. Moreover, always remember the principle of least privilege: when you can get your job done with Global Administrator, you should not look for Owner, for security purposes.

[email protected]: Correct Choice

As Admin1 is a Global Administrator and part of the default AD domain, Admin1 can add an Azure AD Privileged Identity Management application to Tenant1.

[email protected]: Incorrect Choice

As per the above explanation, Admin3 is not a Global Administrator, so this option is incorrect.

[email protected]: Incorrect Choice

As per the above explanation, Admin2 is not a Global Administrator, so this option is incorrect.

[email protected]: Incorrect Choice

Although this user is a Global Administrator, this option is incorrect given the principle of least privilege and the default domain consideration.

