Azure AD Core Concepts — AZ-104 Flashcards (Admin Units, Devices, Roles)

Flashcards covering core Azure AD topics for the AZ-104 exam: including device types and management, administrative units, RBAC roles, and common exam scenarios. Designed using Dr. Justin Sung’s method — short prompts for active recall and conceptual understanding. Perfect for spaced repetition.

What’s the key difference between Azure AD Join and Azure AD Register?

Azure AD Join is for org-owned devices (like office desktops) logged in via domain or Autopilot. Azure AD Register is for BYOD — user’s personal devices logging into 365 services with conditional access and possibly MFA.

Why disable a device in Azure AD?

To revoke access, invalidate tokens, and prevent the device from authenticating again.

Which roles are needed to disable a device?

Global Admin, Intune Admin, Cloud Device Admin

What is enterprise state roaming?

A feature that syncs app data and settings across Azure AD-joined devices for roaming users.

Why download a device report as CSV?

For inventory tracking, audits, and reporting on device status or compliance.

How is an Azure AD Join different from a Register in terms of ownership?

Azure AD Join = company-owned, managed; Azure AD Register = user-owned (BYOD).

What are Administrative Units used for?

To scope admin privileges — like giving password reset rights to one HR admin without giving full org-wide access.

How does group membership affect Administrative Unit access?

Members of a group in an AU don’t automatically inherit access — you must add users individually if they need AU-specific roles.

Can you nest Administrative Units?

No — unlike on-premises OUs, Azure AD Administrative Units cannot be nested.

What’s the benefit of using dynamic groups?

Members are automatically added/removed based on attributes (like department or job title), reducing manual work.