Authorize the provider as a "Delegated Admin" in the Microsoft 365 admin center and assign the "Admin Agent" role is correct.

The Admin Agent delegated privilege in the partner model lets an external provider manage users and assign administrative roles while keeping tenant security controls under the customer's control. That role is scoped to administration tasks and does not grant rights to change tenant multi factor authentication policies or security defaults which are configured in Microsoft Entra ID and require tenant Global Administrator privileges.

Create a custom role in Microsoft Entra ID that grants user management and role assignment but explicitly excludes permissions for security settings and MFA policies is incorrect because custom roles cannot reliably replace tenant governance for all security controls. Custom roles can provide fine grained permissions but granting role assignment and excluding every relevant security permission is error prone and tenant MFA and conditional access remain tenant level settings.

Authorize the provider as a "Delegated Admin" in the Microsoft 365 admin center and assign the "Global Administrator" role is incorrect because Global Administrator grants full tenant control. That level of access would allow the provider to modify multi factor authentication and other security settings and so it does not meet the requirement to prevent provider management of MFA.

Grant the provider the read oriented "Helpdesk Agent" role and require escalation through the Microsoft Entra admin center for role assignment tasks is incorrect because the Helpdesk Agent role is read oriented and does not include the ability to assign administrative roles. Requiring escalations would add operational friction and would not satisfy the requirement that the provider be able to assign roles while being prevented from managing MFA.

Full AWS Practitioner Certification Question