You have an Azure Active Directory (Azure AD) tenant that contains a user named User1.
You plan to enable passwordless authentication for the tenant.
You need to ensure that User1 can enable the combined registration experience. The solution must use the principle of least privilege.
Which role should you assign to User1?
To enable the combined registration experience in Azure Active Directory, the roles required are either User Administrator or Global Administrator. User Administrator can manage settings related to user features and authentication, whereas Global Administrator has the overarching rights to manage all aspects of the Azure AD environment. Since the task involves changing tenant-wide settings and adhering to the principle of least privilege, assigning the User Administrator role is the minimal requisite. However, since 'User Administrator' is not an option, the suitable choice is Global Administrator.
Answer and reference is wrong. The correct one: User admin or Global admin. See here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-registration-mfa-sspr-combined
Ok, I've figured this one out. The OLD method does require Global Administrator. So, the provided answer is correct. However, the NEW way of doing this require at least Authentication Policy Administrators. "The Authentication methods policy is the recommended way to manage authentication methods, including modern methods like passwordless authentication. Authentication Policy Administrators can edit this policy to enable authentication methods for all users or specific groups." Both scenarios are explained here: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods-manage
Tried with lab, when granted "Authentication admin", user cannot access Azure Active Directory > User settings > Manage user feature settings, hence not able to enable the combined registration experience. Based on MS documentation: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-registration-mfa-sspr-combined#enable-combined-registration Need user administrator or global administrator to do that, so I would choose D
It is clearly mentioned in this link either User/Global administrator for "combined registration experience." I am wondering, isn't here anyone from ExamTopics to see and update the result? Link: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-deployment#required-roles
D is the answer. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-deployment#required-roles Here are the least privileged roles required for this deployment: - User Administrator or Global Administrator To implement combined registration experience.
Answer is correct. Note that principle of least priv is expected.
D. Global administrator
Global Admin is required as per docs: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-deployment#required-roles Authentication Administrator can only implement and manage authentication methods, NOT implement combined registration experiences.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-registration-mfa-sspr-combined as somenick stated
Global Admin
D-Authentication administration can not set it for admin users and question asks about tenant wide configuration that is why we need to go with GA.
Answer: D Explanation: Sign in to the Azure portal as a user administrator or global administrator.
this can be done with all of mentioned roles but option c is enough without requiring excessive privileges or access to other administrative functions.
sorry i missed the point of enabling this option not managing which only can be done by Global Admin so correct answer is D
I think the answers y D- Global Administrator https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-deployment#required-roles Required roles Here are the least privileged roles required for this deployment: Azure AD Role Description User Administrator or Global Administrator To implement combined registration experience. Authentication Administrator To implement and manage authentication methods. User To configure Authenticator app on device, or to enroll security key device for web or Windows 10 sign-in.
B is the least priv and can do passwordless. the two admins who can do passwordless are the global admin and the privilege role admin. the least privilege is the privilege role admin so I would choose B.
C is the correct answer. the question says: The solution must use the principle of least privilege. The Authentication Administrator has the privileges to implement and manage authentication methods. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-deployment#required-roles
Agree with JohnBentass - the authentication administrator can set auth methods for non-admin users. Global Admin is overkill, does not adhere to principle of least privilege