Question 4 - Microsoft AZ-140 Real Exam Questions [March 2026 Update]

Q: 4

HOTSPOT Which users can create Pool4, and which users can join session hosts to the domain? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Your Answer

Discussion

Jamie D. Feb 27, 2026 5:05 am

Admin2 only for Pool4, Operator1 only for domain join. Saw something similar in recent exam reports, safer to stick with these picks.

Skyler M. Mar 2, 2026 8:05 pm

Is it possible Operator2 could join hosts if the environment hasn't removed default Account Operators rights? Or does the question assume strict RBAC like most exam scenarios where only Domain Admin (Operator1) is allowed? Curious how strict we should be interpreting this.

Jason A. Feb 23, 2026 10:11 pm

Admin2 only for Pool4 since that's the only one with both VM Contributor and Desktop Virtualization Contributor. Domain join is Operator1 only, because Account Operators' rights are usually restricted in secure setups. Pretty sure that's what MS wants for this scenario, but open to counterpoints.

Casey E. Feb 28, 2026 7:01 pm

I think this is same as a common exam questions, on practice, answer is Admin2 only for Pool4, Operator1 only for joining session hosts to the domain.

Riley P. Feb 18, 2026 9:15 pm

Had something like this in a mock, definitely Admin2 for creating Pool4 and Operator1 for joining session hosts.

Arjun H. Feb 28, 2026 2:14 pm

I don’t think Admin4 is enough here, since Host Pool Contributor can’t do the full host pool + VM creation combo. Admin2 is the only one with both roles needed for Pool4. Joining hosts is Operator1 only, because Account Operators usually get restricted on exam scenarios. Trap is thinking default AD perms still apply.

FriendlySec1735 Mar 5, 2026 11:56 am

This CA mapping makes my head spin every time! Connecting to Azure Virtual Desktop by using a subscription feed → Azure Virtual Desktop, authenticating to a session host with SSO → Azure Windows VM Sign-in. Seen similar questions in some practice pools. Microsoft really likes making you know where the auth boundary is for MFA. Not 100% sure but that's how I see it.

Ethan Feb 18, 2026 9:21 am

Nah, I don’t think Global Admin helps here-need both the Desktop Virtualization Contributor and VM Contributor roles for Pool4. Trap is thinking Account Operators could join the domain, but only Operator1 as Domain Admin is guaranteed. Similar question on some practice sets.

Sara S. Mar 5, 2026 3:17 am

Nah, Admin4's role is a trap here. Only Admin2 can create Pool4, and Operator1 is the sure pick for domain join.

Daniel B. Mar 5, 2026 8:48 pm

Azure Virtual Desktop → subscription feed, Azure Windows VM Sign-in → SSO host. A lot of folks mix this up since Azure Virtual Desktop alone won't enforce MFA at the actual VM layer when SSO is in play. I think that's the trap MSFT sets here, agree or not?

Be respectful. No spam.

Correct Answer:

CAN CREATE POOL4: ADMIN2 ONLY

CAN JOIN SESSION HOSTS TO THE DOMAIN: OPERATOR1 ONLY

Explanation

Can create Pool4: Admin2 only

The ability to create an Azure Virtual Desktop (AVD) host pool (Pool4) requires a specific combination of Azure role-based access control (RBAC) permissions.

Host Pool Creation: The Desktop Virtualization Contributor role is a comprehensive built-in role that "allows managing all your Azure Virtual Desktop resources." This single role grants the necessary permissions to create host pools, application groups, and workspaces.
VM Creation: A host pool also requires creating virtual machines (session hosts). This action requires the Virtual Machine Contributor role on the resource group.

In the scenario this question is based on, Admin2 is the only user assigned the Desktop Virtualization Contributor role (which includes permissions for host pools, workspaces, and app groups) and the Virtual Machine Contributor role, making them the only user who can complete the end-to-end creation of Pool4.

Admin4 typically holds the Desktop Virtualization Host Pool Contributor role, which is insufficient as it does not grant permissions to create the required workspace or application groups.
Admin1 and Admin3 are Azure AD Global Administrators, which grants no implicit permissions to create or manage Azure resources like host pools or virtual machines.

Can join session hosts to the domain: Operator1 only

This action concerns permissions within the on-premises Active Directory (AD) domain, not Azure.

On-Premises vs. Cloud: Admin1 and Admin3 are cloud-only Azure AD users and have no credentials or permissions in the on-premises AD domain (contoso.com). Therefore, they cannot perform a domain join.
Domain Permissions: Operator1 is a member of the Domain Admins group. This group has unrestricted rights to join computers to the domain.
Restricted Permissions: Operator2 and Operator3 are members of the Account Operators group. While this group can create computer objects by default, in a secure, least-privilege enterprise environment (which is standard for exam scenarios), the default "Add workstations to domain" right is removed from regular users and this group's permissions are often restricted to prevent privilege escalation.

Therefore, the only user guaranteed to have the irrevocable permission to join machines to the domain is the Domain Admin, Operator1.

References

Microsoft Learn. (2025). Built-in Azure RBAC roles for Azure Virtual Desktop. "The Desktop Virtualization Contributor role allows managing all your Azure Virtual Desktop resources... You also need the Virtual Machine Contributor role to create virtual machines... or you can use the Desktop Virtualization Contributor role [which implies it's the encompassing role for the AVD object creation]."

Microsoft Learn. (2025). Built-in Azure RBAC roles for Azure Virtual Desktop. "Desktop Virtualization Host Pool Contributor... You will need AppGroup and Workspace contributor roles to create host pool using the portal..." [This confirms the Host Pool Contributor role alone is insufficient].

Microsoft Learn. (2024). Active Directory security groups. "Members of the Domain Admins group are authorized to... join workstations to the domain..."

Microsoft Learn. (2024). Active Directory security groups. "Account Operators... By default, this group has permissions to create, modify, and delete computer... accounts... [This permission is often revoked in secure environments by modifying default delegation]."

Microsoft Learn. (2025). How to Configure a Domain Join Computer Service Account. [This official guide outlines the best practice of restricting the default domain-join permissions, leaving it to explicitly delegated accounts or Domain Admins]. "By default, any authenticated user can add up to 10 computers to the domain... It's essential to... restrict users from joining a computer to a domain."

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE