Microsoft Identity and Access Administrator Exam: Role Assignment for SecAdmin1

Assigning the Right Role to Enable Password Management and Session Invalidation by SecAdmin1

Question

You have an Azure Active Directory (Azure AD) tenant that contains a user named SecAdmin1.

SecAdmin1 is assigned the Security administrator role.

SecAdmin1 reports that she cannot reset passwords from the Azure AD Identity Protection portal.

You need to ensure that SecAdmin1 can manage passwords and invalidate sessions on behalf of non-administrative users.

The solution must use the principle of least privilege.

Which role should you assign to SecAdmin1?

Answers

Explanations


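A. Authentication administrator
B. Helpdesk administrator
C. Privileged authentication administrator
D. Security operator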

C.

https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

The correct answer is C. Privileged authentication administrator.

The Security Administrator role that SecAdmin1 currently has does not include the ability to manage passwords or invalidate sessions for non-administrative users. The Authentication Administrator role (option A) allows for managing authentication methods and password reset settings, but not managing passwords for individual users. The Helpdesk Administrator role (option B) allows for resetting passwords for users, but not invalidating sessions. The Security Operator role (option D) does not provide the necessary permissions for managing passwords or invalidating sessions.

The Privileged authentication administrator role (option C) is the correct choice because it provides the necessary permissions for SecAdmin1 to manage passwords and invalidate sessions on behalf of non-administrative users, while still adhering to the principle of least privilege. This role allows the user to manage authentication methods, reset passwords, and invalidate sessions for any user in the directory. However, it does not provide access to manage other directory objects or settings, minimizing the risk of accidental or intentional damage to the directory.

Therefore, option C, Privileged authentication administrator, is the best choice for granting SecAdmin1 the necessary permissions while still adhering to the principle of least privilege.