Exam AZ-301 topic 2 question 2 discussion

Actual exam question from Microsoft's AZ-301
Question #: 2
Topic #: 2

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Project1. Only a group named Project1admins is assigned roles in the Project1 subscription. The Project1 subscription contains all the resources for an application named Application1.
Your company is developing a new application named Application2. The members of the Application2 development team belong to an Azure Active Directory (Azure AD) group named App2Dev.
You identify the following requirements for Application2:
✑ The members of App2Dev must be prevented from changing the role assignments in Azure.
✑ The members of App2Dev must be able to create new Azure resources required by Application2.
✑ All the required role assignments for Application2 will be performed by the members of Project1admins.
You need to recommend a solution for the role assignments of Application2.
Solution: Create a new Azure subscription named Project2. Assign Project1admins the User Access Administrator role for the Project2 subscription. Assign App2Dev the Owner role for the Project2 subscription.
Does this meet the goal?

  • A. Yes
  • B. No
Suggested Answer: B
Instead, assign Project1admins the Owner role for the Project2 subscription. Assign App2Dev the Contributor role for the Project2 subscription.
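
The role comparison behind the suggested answer, as an added example that is not part of the original page: it evaluates the Actions and NotActions of each role against the three Application2 requirements. The role definitions are abbreviated from the Azure built-in roles, and `Microsoft.Compute/virtualMachines/write` is an assumed stand-in for "create new Azure resources".

```python
import fnmatch

# Abbreviated copies of three Azure built-in role definitions. The real
# Contributor definition lists more NotActions than the three shown here.
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "not_actions": [],
    },
}

ASSIGN = "Microsoft.Authorization/roleAssignments/write"
CREATE = "Microsoft.Compute/virtualMachines/write"  # assumed stand-in for "create resources"


def _matches(patterns, operation):
    # Operation names are compared case-insensitively; "*" spans any characters.
    op = operation.lower()
    return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)


def role_allows(role, operation):
    # Effective permission = matched by Actions and not excluded by NotActions.
    d = ROLES[role]
    return _matches(d["actions"], operation) and not _matches(d["not_actions"], operation)


def check(assignments):
    """assignments maps group name -> role held at subscription scope."""
    dev, admins = assignments["App2Dev"], assignments["Project1admins"]
    return {
        "App2Dev cannot change role assignments": not role_allows(dev, ASSIGN),
        "App2Dev can create resources": role_allows(dev, CREATE),
        "Project1admins can assign roles": role_allows(admins, ASSIGN),
    }


PROPOSED = {"Project1admins": "User Access Administrator", "App2Dev": "Owner"}
SUGGESTED = {"Project1admins": "Owner", "App2Dev": "Contributor"}

if __name__ == "__main__":
    for name, plan in (("proposed", PROPOSED), ("suggested", SUGGESTED)):
        print(name, check(plan))
```
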

Comments

alibob
Highly Voted 5 years, 5 months ago
No, as Owner can assign roles, and here it is mentioned that: All the required role assignments for Application2 will be performed by the members of Project1admins
upvoted 11 times
bbbb
5 years, 5 months ago
Alibob is correct, a subscription owner can modify user permissions which breaks the requirements.
upvoted 4 times
Ekramy_Elnaggar
Highly Voted 5 years, 5 months ago
Answer is correct, B
upvoted 9 times
glam
Most Recent 4 years, 5 months ago
B. No.
upvoted 2 times
Afz
4 years, 10 months ago
Answer is No, i.e. B. App2Dev receiving the Owner role (highest level) does not satisfy the condition. Another aspect: there is no need for having another subscription.
upvoted 1 times
Prash85
4 years, 12 months ago
It's No... please note here it says Assign App2Dev the Owner role for the Project2 subscription (not the Contributor).
upvoted 3 times
jcarlos
5 years, 1 month ago
I would say answer is yes. Based on https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal#prerequisites
Prerequisites: To add or remove role assignments, you must have: Microsoft.Authorization/roleAssignments/write and Microsoft.Authorization/roleAssignments/delete permissions, such as User Access Administrator or Owner.
So, being Owner (as in previous question) or "User Access Administration" you'll meet the requirement. A different thing would be meeting the requirement under the least privilege best practice.
upvoted 3 times
milind8451
5 years, 1 month ago
App2Dev group should not be made Owner of the subscription, as then they can change role assignments. "B" is the right answer.
upvoted 1 times
RL
5 years, 5 months ago
Azure RBAC has three basic roles that apply to all resource types:
  • Owner has full access to all resources including the right to delegate access to others.
  • Contributor can create and manage all types of Azure resources but can't grant access to others.
  • Reader can view existing Azure resources.
upvoted 3 times
Ekramy_Elnaggar
5 years, 5 months ago
I guess it should be A not B, as it is fulfilling the requirements!
upvoted 1 times
tartar
4 years, 9 months ago
B is ok
upvoted 2 times