MD-102 · Question #367
MD-102 Question #367: Real Exam Question with Answer & Explanation
The correct answer is B: Conditional Access Administrator. The Conditional Access Administrator role in Azure AD grants exactly the permissions needed to manage Security defaults and create/edit/delete Conditional Access policies-nothing more. This directly satisfies the principle of least privilege. Global Administrator (A) has full ten
Question
You have a Microsoft 365 subscription. You need to provide a user the ability Security defaults and create Conditional Access policies. The solution must use the principle of least privilege. Which role should you assign to the user?
Options
- AGlobal Administrator
- BConditional Access Administrator
- CSecurity Administrator
- DIntune Administrator
Explanation
The Conditional Access Administrator role in Azure AD grants exactly the permissions needed to manage Security defaults and create/edit/delete Conditional Access policies-nothing more. This directly satisfies the principle of least privilege. Global Administrator (A) has full tenant control and far exceeds what is needed. Security Administrator (C) has broad security permissions including Defender, Identity Protection, and more, making it a wider scope than necessary for Conditional Access alone. Intune Administrator (D) manages device and app policies in Endpoint Manager and has no ability to configure Conditional Access or Security defaults. The Conditional Access Administrator role is the narrowest built-in role that covers both required tasks.
Topics
Community Discussion
No community discussion yet for this question.