SC-300 Question #314: Real Exam Question with Answer & Explanation
This question tests knowledge of Microsoft Entra administrative unit scope restrictions and which roles can be assigned at the tenant level versus the administrative unit level.
Question
Hotspot Question

You have a Microsoft Entra tenant named contoso.com that contains an administrative unit named AU1 and two users named User1 and User2. User1 is a member of AU1.

You need to perform the following role assignments:
- User1: Security Administrator
- User2: User Administrator

For which scopes can each user be assigned the role? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer:
Explanation
Approach. User1 (Security Administrator) can be assigned the role at the Tenant scope only: Security Administrator cannot be scoped to an administrative unit, so it must be assigned at the full tenant level. User2 (User Administrator) can be assigned the role at both the Tenant scope and the Administrative Unit (AU1) scope: User Administrator is one of the roles that supports administrative unit-scoped assignment, which allows delegation of user management within a specific AU. The key distinction is that only certain roles (primarily those managing users, groups, and passwords) support administrative unit scoping, while security-focused roles like Security Administrator are tenant-wide only.
Concept tested. Microsoft Entra administrative units support scoped role assignments, but only a subset of roles is eligible for AU-level scoping. Roles such as User Administrator, Password Administrator, Helpdesk Administrator, and Groups Administrator can be scoped to an administrative unit. Roles like Security Administrator, Global Administrator, and other security/compliance roles cannot be scoped to an administrative unit and must be assigned at the tenant level. Additionally, a role scoped to an AU applies only to target users who are members of that AU. User1 is in AU1 and User2 is not, but User2 is the assignee of the role, not its subject, so User Administrator for User2 can apply at tenant scope or AU1 scope.
Reference. https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units
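The two assignments from the scenario, written with the Microsoft Graph PowerShell SDK as an added example (not part of the original question or of Microsoft's documentation). The UPNs `User1@contoso.com` and `User2@contoso.com` and the helper name `Add-ScopedRole` are assumptions; the guard list contains only the AU-scopable roles this page names.

```powershell
# Added example: assign directory roles at tenant scope or AU scope.
# Requires the Microsoft.Graph PowerShell SDK and a sufficiently privileged admin.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'AdministrativeUnit.Read.All', 'User.Read.All'

# AU-scopable roles named on this page (not the complete list).
$auScopable = 'User Administrator', 'Password Administrator',
              'Helpdesk Administrator', 'Groups Administrator'

# Hypothetical helper: omit -AdministrativeUnitName for a tenant-wide assignment.
function Add-ScopedRole {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $RoleName,
        [string] $AdministrativeUnitName
    )

    $scope = '/'   # directoryScopeId "/" means the whole tenant
    if ($AdministrativeUnitName) {
        # Refuse AU scope for roles that are tenant-wide only (e.g. Security Administrator).
        if ($RoleName -notin $auScopable) {
            throw "'$RoleName' is not in the AU-scopable list; assign it at tenant scope."
        }
        $au = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq '$AdministrativeUnitName'"
        if (@($au).Count -ne 1) {
            throw "Expected exactly one administrative unit named '$AdministrativeUnitName'."
        }
        $scope = "/administrativeUnits/$($au.Id)"
    }

    $user = Get-MgUser -UserId $UserPrincipalName
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"

    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
        -RoleDefinitionId $role.Id -DirectoryScopeId $scope
}

# User1: Security Administrator, tenant scope only.
Add-ScopedRole -UserPrincipalName 'User1@contoso.com' -RoleName 'Security Administrator'

# User2: User Administrator, limited to members of AU1 (tenant scope is also valid).
Add-ScopedRole -UserPrincipalName 'User2@contoso.com' -RoleName 'User Administrator' `
    -AdministrativeUnitName 'AU1'

# Review step: show each of User2's assignments with the scope it applies to.
$user2 = Get-MgUser -UserId 'User2@contoso.com'
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user2.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
```

In the review output, a `DirectoryScopeId` of `/` is a tenant-wide assignment and `/administrativeUnits/<id>` is limited to that administrative unit, which makes over-broad delegations easy to spot.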