AZ-500 · Question #65
AZ-500 Question #65: Real Exam Question with Answer & Explanation
Question
Your network contains an Active Directory forest named contoso.com. You have an Azure Active Directory (Azure AD) tenant named contoso.com. You plan to configure synchronization by using the Express Settings installation option in Azure AD Connect. You need to identify which roles and groups are required to perform the planned configuration. The solution must use the principle of least privilege. Which two roles and groups should you identify? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
Options
- A. the Domain Admins group in Active Directory
- B. the Security administrator role in Azure AD
- C. the Global administrator role in Azure AD
- D. the User administrator role in Azure AD
- E. the Enterprise Admins group in Active Directory
Explanation
When configuring Azure AD Connect using Express Settings, two specific roles are required: the Global Administrator role in Azure AD (C) is needed because Express Settings automatically creates the Azure AD service account used for synchronization, which requires the highest level of Azure AD permissions; and the Enterprise Admins group in Active Directory (E) is required because Express Settings must configure the entire forest (not just a single domain), and Enterprise Admins is the only built-in group with forest-wide permissions to create the AD DS connector account.
Why the distractors are wrong:
- (A) Domain Admins only has permissions within a single domain, not across the entire forest, making it insufficient for Express Settings
- (B) Security Administrator is a limited Azure AD role focused on security policies and cannot create service accounts or configure directory synchronization
- (D) User Administrator can manage users and groups in Azure AD but lacks the permissions needed to set up synchronization infrastructure
Memory Tip 🧠
Think "Forest + Full Control" - Express Settings works at the forest level (requiring Enterprise Admins, not just Domain Admins) and needs full Azure AD control (requiring Global Admin, not a scoped role). If the question mentioned Custom Settings with specific domain scope, Domain Admins might be relevant - but Express = forest-wide = Enterprise Admins.