Microsoft 365 Certified Endpoint Administrator (MD-102) Practice Test

To restrict device enrollment to only certain users, which option should be implemented?

• A. Allow only users who are members of a specific Azure AD group to enroll devices
• B. Allow any user to enroll devices
• C. Allow users to enroll devices with a one-time enrollment token
• D. Require users to provide a certificate for device enrollment

The correct answer is: Allow only users who are members of a specific Azure AD group to enroll devices

Implementing the restriction of device enrollment to only certain users can be effectively achieved by allowing only users who are members of a specific Azure AD group to enroll devices. This method leverages Azure Active Directory's group management features, where administrators can create groups that encompass only the users who need to enroll devices. By enforcing this policy, an organization can maintain tighter control over which users are permitted to register their devices, thereby enhancing security and compliance with organizational policies. Establishing this level of restriction is particularly beneficial for organizations that need to ensure that only authorized personnel can access sensitive company resources from personal or company-issued devices. It also simplifies the management of device enrollment since changes in user access happen automatically as users are added or removed from the designated Azure AD group. The other options, while they may have their own use cases, do not provide the same level of control. Allowing any user to enroll devices would open the doors to unauthorized access potentially, while using a one-time enrollment token or requiring a certificate for device enrollment introduces complications and additional management overhead without specifically targeting user restriction effectively.