AZ-140 Question #61: Real Exam Question with Answer & Explanation

Question

You have an Azure Active Directory (Azure AD) tenant named contoso.com. You use a user account named Admin1 to deploy an Azure Active Directory Domain Services (Azure AD DS) managed domain named aaddscontoso.com to a virtual network named VNET1. You plan to deploy an Azure Virtual Desktop host pool named Pool1 to VNET1. You need to ensure that you can use the Admin1 user account to deploy Windows 10 Enterprise session hosts to Pool1. What should you do first?

Options

• AAdd Admin1 to the AAD DC Administrators group of contoso.com.
• BAssign the Cloud device administrator role to Admin1.
• CAssign a Microsoft 365 Enterprise E3 license to Admin1.
• DChange the password of Admin1.

Explanation

Azure AD Domain Services has a built-in security group called 'AAD DC Administrators.' Members of this group are granted the delegated privilege to join computers to the Azure AD DS managed domain (aaddscontoso.com) and perform other domain administrative tasks. Deploying AVD session hosts requires the deployment account to successfully domain-join the VMs to Azure AD DS, which requires AAD DC Administrator membership. Without this group membership, the domain-join step will fail with an access denied error. The Cloud device administrator role (B) applies to Azure AD device management, not domain join. An E3 license (C) is not required for deployment, and changing the password (D) assists with password hash synchronization but is not the first required step.

No community discussion yet for this question.