AZ-500 Question #373: Real Exam Question with Answer & Explanation

This question tests knowledge of Azure Active Directory Administrative Units (AUs) and which resource types can be scoped and added to them. Administrative Units restrict management scope to specific subsets of Azure AD resources.

Submitted by jaden.t · Mar 6, 2026

Question

Hotspot Question

You have an Azure subscription that has a managed identity named identity and is linked to an Azure Active Directory (Azure AD) tenant. The tenant contains the resources shown in the following table.

Which resources can be added to AU1 and AU2? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer:

Explanation

Approach. Administrative Units (AUs) in Azure Active Directory can contain only Users, Groups, and Devices; these are the three supported member types. Service Principals, Managed Identities, Applications, other Azure resource types, and non-AD objects cannot be added to an Administrative Unit. The answer for AU1 and AU2 therefore depends on the resource types shown in the tenant's resource table: any resource of type 'User', 'Group', or 'Device' can be added to both AU1 and AU2, while applications and service principals cannot.

Concept tested. Azure Active Directory Administrative Units (AUs): understanding which Azure AD object types (Users, Groups, Devices) can be members of an Administrative Unit, and which object types are not supported (Applications, Service Principals, Managed Identities). AUs are a scoping and delegation feature within Azure AD for role-based administrative boundaries.

Reference. https://learn.microsoft.com/en-us/azure/active-directory/roles/administrative-units
