Microsoft Azure Security Technologies (AZ-500)


Study for the Microsoft Azure Security Technologies (AZ-500) exam. Prepare with well-structured questions and detailed explanations. Enhance your understanding and improve your readiness for the certification exam!



What is the best approach to give a domain administrator in an on-premises Active Directory domain the ability to modify Azure AD synchronization options while adhering to the principle of least privilege?

  1. Assign Global administrator role

  2. Assign Security administrator role

  3. Assign User administrator role

  4. Assign Directory Readers role

The correct answer is: Assign Global administrator role

The best approach in this scenario is to assign the Global administrator role. This role is designed to have complete access to all administrative features in Azure Active Directory (Azure AD), including the capability to modify Azure AD synchronization options. By granting this role, the domain administrator will be able to manage and configure synchronization settings effectively.

However, it is important to note that while the Global administrator role provides extensive permissions, assigning this role should be done with careful consideration of the principle of least privilege. In scenarios where limited access is preferred, a more granular role may be considered. Nonetheless, the Global administrator role is indeed necessary to perform the specific task of modifying synchronization options, given that no other roles provide this level of access directly related to Azure AD synchronization.

The other options (Security administrator, User administrator, and Directory Readers roles) do not provide the necessary permissions to manage Azure AD synchronization. The Security administrator can manage security-related settings but lacks the authority to modify synchronization settings. The User administrator role is focused on user management without the ability to adjust sync configurations, while the Directory Readers role is purely for read-only access, lacking administrative capabilities altogether. Therefore, to fulfill the requirement of modifying Azure AD synchronization options with the necessary permissions, the Global administrator role is indeed the