5 votes
Your company has a Microsoft 365 E5 subscription. You need to ensure that a user named Admin1 has the necessary permissions to manage users in the Human Resources department only. What should you use?

- an administrative unit
- a Microsoft Entra role
- a Microsoft 365 Defender role
- a Microsoft Purview role group

by User Annerose (7.9k points)

2 Answers

4 votes

Final answer:

An administrative unit in Microsoft 365 should be used to give Admin1 permission to manage users within the Human Resources department exclusively.

Step-by-step explanation:

To ensure that Admin1 has the necessary permissions to manage users specifically within the Human Resources department, you should use an administrative unit in Microsoft 365. Administrative units allow for the segregation of administrative roles and permissions within a larger organization. By creating an administrative unit for the Human Resources department and assigning Admin1 to manage that unit, you can scope their management capabilities to just that department.

To set this up in Microsoft 365:

Create an administrative unit and specify the Human Resources department as the scope.

Add Admin1 to the administrative unit as a member.

Assign the appropriate role to Admin1, such as User Management Administrator, but only within the context of the administrative unit.

This approach is more precise and secure compared to granting broader administrative permissions that could affect other departments.

by User Kenjiru (7.5k points)
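
The administrative-unit setup described in the answer above, sketched with the Microsoft Graph PowerShell SDK as an added example (not part of either answer). In this sketch the Human Resources user accounts are the unit's members and Admin1 holds the built-in User Administrator role scoped to the unit; the UPN `admin1@contoso.com` and the department string are assumed values.

```powershell
# Added example. Assumed values: UPN admin1@contoso.com, department "Human Resources".
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory',
                        'User.Read.All'

# 1. Create the administrative unit that will hold the HR user accounts.
$au = New-MgDirectoryAdministrativeUnit -DisplayName 'Human Resources' `
        -Description 'User accounts in the Human Resources department'

# 2. Add every user whose department attribute matches as a member of the unit.
#    ConsistencyLevel/CountVariable run the filter as an advanced query.
$hrUsers = Get-MgUser -All -Filter "department eq 'Human Resources'" `
             -ConsistencyLevel eventual -CountVariable hrCount
foreach ($u in $hrUsers) {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($u.Id)" }
}

# 3. Resolve the User Administrator directory role; activate it from its
#    role template if it has never been used in this tenant.
$templateId = 'fe930be7-5e62-47db-91af-98c3a49a38b1'   # built-in User Administrator
$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$templateId'"
if (-not $role) { $role = New-MgDirectoryRole -RoleTemplateId $templateId }

# 4. Give Admin1 that role with the administrative unit as its only scope.
$admin = Get-MgUser -UserId 'admin1@contoso.com'
New-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id `
    -BodyParameter @{ roleId = $role.Id; roleMemberInfo = @{ id = $admin.Id } }

# 5. Review: list all of Admin1's role assignments with their scope.
#    A DirectoryScopeId of "/" is tenant-wide and would defeat the HR-only scoping;
#    the assignment made above shows "/administrativeUnits/<unit id>".
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($admin.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId |
    Sort-Object DirectoryScopeId
```
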
1 vote

Final answer:

To manage users in the Human Resources department only, Admin1 needs to be assigned to a custom Microsoft Purview role group with specific permissions and scopes related to that department in your Microsoft 365 E5 subscription environment.

Step-by-step explanation:

To ensure that a user named Admin1 has the necessary permissions to manage users specifically in the Human Resources department, you should use a Microsoft Purview role group. A Microsoft 365 E5 subscription provides various role groups that you can tailor according to your organization's needs. By assigning Admin1 to a custom role group within Microsoft Purview that has permissions limited to managing users in the Human Resources department, you can uphold the principle of least privilege to enhance security and compliance.

Firstly, you would create a new role group in the Microsoft Purview compliance portal, then define the specific permissions that Admin1 needs to manage the Human Resources department. This might include permissions to create, modify, or delete user accounts, and to manage group memberships and licenses. After setting up the appropriate permissions, you would then scope the role group to the Human Resources department only. This is achieved by setting up membership rules that target users within that department, ensuring that Admin1's management capabilities are confined to the appropriate users.

by User Pierreantoine (8.8k points)