SC-300 · Question #50
SC-300 Question #50: Real Exam Question with Answer & Explanation
This question tests knowledge of Azure AD role-based permissions for app assignment and app registration, specifically which users (based on their assigned roles) can perform these administrative tasks.
Question
Hotspot Question You have an Azure Active Directory (Azure AD) tenant that has the default App registrations settings. The tenant contains the users shown in the following table. You purchase two cloud apps named App1 and App2. The global administrator registers App1 in Azure AD. You need to identify who can assign users to App1, and who can register App2 in Azure AD. What should you identify? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Answer:
Options
- __typehotspot
- variantyes_no
Explanation
This question tests knowledge of Azure AD role-based permissions for app assignment and app registration, specifically which users (based on their assigned roles) can perform these administrative tasks.
Approach. For assigning users to App1 (which is already registered), this requires the Global Administrator, Cloud Application Administrator, Application Administrator, or the owner of the service principal - so User1 (Global Admin) and any user with an Application Administrator or Cloud Application Administrator role can do this. For registering App2 in Azure AD, by default the 'Users can register applications' setting is enabled (set to Yes) in Azure AD, meaning ALL users (including non-admin users) can register applications by default. Therefore: (1) Who can assign users to App1: User1 (Global Administrator) - as well as anyone with Application Administrator or Cloud Application Administrator roles. (2) Who can register App2: All users, because the default Azure AD tenant setting allows any member user to register applications. If the table shows specific roles like Global Admin, Application Admin, and a standard user, the standard user can still register apps due to default settings, but only admins (Global Admin, Application Admin, Cloud Application Admin) can assign users to enterprise apps.
Concept tested. Azure AD default application registration settings and role-based access control: by default all users can register apps (Users can register applications = Yes), but assigning users to an enterprise app requires Global Administrator, Application Administrator, Cloud Application Administrator, or a delegated owner role on that specific application.
Reference. https://learn.microsoft.com/en-us/azure/active-directory/roles/delegate-app-roles
Community Discussion
No community discussion yet for this question.