Exam AZ-500 topic 2 question 94 discussion

D. https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps "You can assign a role to a user, group, service principal, or managed identity. " App1 has service principal. https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal

The Contributor role can be assigned to any Azure resource, including users, groups, service principals, and managed identities. • Group1 is a dynamic device security group in Azure AD. Dynamic groups are not role-assignable, so Group1 cannot be assigned the Contributor role for VM1. • Managed1 is a managed identity. Managed identities can be assigned the Contributor role for VM1. • VM1 is a virtual machine. Virtual machines can be assigned the Contributor role for themselves. • App1 is an enterprise application in Azure AD. Enterprise applications can be assigned the Contributor role for VM1. Therefore, the only resources that can be assigned the Contributor role for VM1 are Managed1, VM1, and App1.

❌ Why D. Group1, Managed1, VM1, and App1 only is incorrect: Group1 is a dynamic device group, which can't be used as a principal in RBAC role assignment. VM1 is a resource, not a principal you assign roles to — it's the target of the role assignment. A. Managed1 and App1 only is still the correct choice.

You can’t assign RBAC to a “dynamic” group type which is what group 1 is All answers that have group 1 is automatically wrong https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/groups-concept

I wish this website gave answers instead of making people fight over the options and confuse people trying to write the exam. I paid for this service and this is what I am presented with. What is this exam, if people cannot find the proper answer on the Microsoft website even with access and then expects people to do it under time pressure with very minimal access? This is insane. If this was the exam I would choose option D or something because I don't think Microsoft would make the question too easy to find with the method of elimination.

d is correct

This is about an Azure RBAC role, not an Entra ID role. Thus everything, except for VM2 which doesn't have a managed identity, can get it assigned.

Tested for user, group, VM and App. All of them can be assigned Contributor role for VM.

This question is weird, because it should have a choice for: Managed ID, App1 and VM. Dynamic Entra Sec Groups cannot have roles assigned, all the other can have. The closet answer to truth is A.

Difference between Azure AD roles and Azure RBAC is as follows: RBAC can have a User, group, or service principal, Managed identity (group nesting is allowed and the group can dynamic as well Azure AD roles only users and groups (group nesting is not allowed as soon as you enable entra roles can be enabled the membership type greys out to assign and group nesting is not allowed. Here contributor is a RBAC role not azure ad role

D. https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps "You can assign a role to a user, group, service principal, or managed identity. "

Tested, D is correct

Tested. When creating a group, if you choose dynamic user "Microsoft Entra roles can be assigned to the group" option turns to NO automatically. So when you eliminate group1, answer is A.

Answer: D Explanation: Confirmed in my lab. I think VM1 in D should change to VM2 though.

Correct answer is A

Correct answer is A role-assignable groups is limited to AD Azure roles https://learn.microsoft.com/en-us/azure/active-directory/roles/groups-concept#restrictions-for-role-assignable-groups

https://learn.microsoft.com/en-us/azure/active-directory/roles/groups-concept Only Global Administrators and Privileged Role Administrators can create a role-assignable group. The membership type for role-assignable groups must be Assigned and can't be an Azure AD dynamic group.Automated population of dynamic groups could lead to an unwanted account being added to the group and thus assigned to the role.