https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/groups-concept#how-are-role-assignable-groups-protected
The membership type for role-assignable groups must be Assigned and can't be a Microsoft Entra dynamic group. Automated population of dynamic groups could lead to an unwanted account being added to the group and thus assigned to the role.
Group1 is dynamic, and you can't assign a role to those groups. So the answer is:
User1, VM1, App1
D is the only answer that fits here. You CANNOT assign an Azure resource role to a group that has dynamic group membership. What does qualify for role assignments are users, groups, service principals, and managed identities.
Dynamic groups cannot be assigned roles in Azure RBAC. Only static groups, individual users, service principals, and managed identities are supported for role assignments.
Answer) E
In Azure, you can assign the Contributor role to users, groups, service principals, or managed identities. This means you can give a user, a group of users, an application (service principal), or a system-assigned identity the ability to create and manage most Azure resources within a specified scope.
Tested in my tenant. Dynamically assigned groups allow CONTRIBUTOR assignment for Azure resources. It is only AzureAD roles that are not allowed for dynamically assigned security groups.
Answer: D. User1, VM1, and App1 only
Explanation:
In Azure, the Contributor role for a resource group like RG1 can be assigned to the following types of identities:
User accounts (such as User1).
System-assigned managed identities for Azure resources (such as VM1).
Service principals associated with enterprise applications (such as App1).
Here’s why each option qualifies or does not qualify:
User1: A user account can be assigned the Contributor role, so User1 is eligible.
VM1: Since VM1 has a system-assigned managed identity, it can be assigned roles like Contributor for RG1.
App1: As an enterprise application (service principal), App1 can also be assigned the Contributor role.
However:
Group1 cannot be assigned the Contributor role because dynamic groups (such as those with the Dynamic user membership type) are not supported for Azure role-based access control (RBAC) assignments. Only static groups or individual users, service principals, and managed identities can be assigned roles.
A security principal is an object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources.
You can assign a role to any of these security principals.
So, you can assign a role to
- User
- Group (Assigned)
- Service Principal
- Managed Identity
https://learn.microsoft.com/en-us/azure/role-based-access-control/overview
However, it says in another doc:
The membership type for role-assignable groups must be Assigned and CAN'T be a Microsoft Entra dynamic group.
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/groups-concept#how-are-role-assignable-groups-protected
User, group and application (service principal) with no doubt: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps#step-1-determine-who-needs-access
VM (system-assigned): https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/tutorial-windows-vm-access?pivots=windows-vm-access-wvm
So E is correct.
Copilot
In Azure, you can assign the Contributor role for a resource group (RG1 in this case) to the following identities:
User Accounts: You can assign the role to individual user accounts, such as user1 in your table.
Security Groups: You can also assign the role to security groups, such as group1. All members of the group, including those dynamically added due to the group’s dynamic membership rules, will inherit the role.
Managed Identities: Managed identities for Azure resources, such as the system-assigned managed identity for VM1, can also be assigned the role. This allows the VM to manage resources in the resource group.
Enterprise Applications: Enterprise applications, such as app1, can be assigned the role if they have an associated service principal. This allows the application to manage resources in the resource group.
Remember, the Contributor role allows the assigned identity to create and manage all types of Azure resources, but it does not allow them to grant access to other users. For that, you would need the Owner role or User Access Administrator role.
The membership type for role-assignable groups must be Assigned and can't be a Microsoft Entra dynamic group. Automated population of dynamic groups could lead to an unwanted account being added to the group and thus assigned to the role.
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps
* User
* Group
* Service Principal
* Managed Identity
Screenshot: VM1 = Virtual machine WITH A SYSTEM-ASSIGNED MANAGED IDENTITY
Enterprise app is one of three types of Service Principals:
* Application
* Managed Identity
* Legacy
https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser