ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-301 All Questions

View all questions & answers for the AZ-301 exam
Go to Exam

Exam AZ-301 topic 2 question 3 discussion

Actual exam question from Microsoft's AZ-301
Question #: 3
Topic #: 2
[All AZ-301 Questions]

Note: This question is part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Project1. Only a group named Project1admins is assigned roles in the Project1 subscription. The Project1 subscription contains all the resources for an application named Application1.
Your company is developing a new application named Application2. The members of the Application2 development team belong to an Azure Active Directory
(Azure AD) group named App2Dev.
You identify the following requirements for Application2:
✑ The members of App2Dev must be prevented from changing the role assignments in Azure.
✑ The members of App2Dev must be able to create new Azure resources required by Application2.
✑ All the required role assignments for Application2 will be performed by the members of Project1admins.
You need to recommend a solution for the role assignments of Application2.
Solution: In Project1, create a resource group named Application2RG. Assign Project1admins the Owner role for Application2RG. Assign App2Dev the Contributor role for Application2RG.
Does this meet the goal?

  • A. Yes
  • B. No
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
You should use a separate subscription for Project2.
by chan76 at July 31, 2019, 11:27 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Anindya
Highly Voted 5 years, 10 months ago
SHould be yes as access can be provided as RG level as well
upvoted 35 times
...
spidy
Highly Voted 5 years ago
The answer is no, because the Resource Group Owner will not have permission to register for Azure Resource Provider which will need Subscription Level access. Contributor can create any resource that is already registered in Azure Resource Provider however not the ones that are not. So this is the tricky part of this question. https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types
upvoted 22 times
juri
4 years, 11 months ago
thanks, spidy, for this insight! really deep. initially voted for yes, now switching to no.
upvoted 4 times
...
TinyTrexArmz
4 years, 10 months ago
I too agree with Spidy. The requirements say that App2Dev be able to create all resources needed without defining what those requirements are. So you must assume any and all resource types. You cannot do with this without having contributor role at the subscription level in order to register a new Azure Resource Provider. Thanks Spidy for writing that up. It was helpful
upvoted 2 times
...
aMaineCloud
4 years, 10 months ago
Exactly!! Resource/RG like NetworkWatcher need subscription level access. App2Dev with contributor role to just that RG will not be able to create this resource.
upvoted 3 times
...
tmurfet
4 years, 9 months ago
Q: How did the resource owner register Application1? A: They must already have have Subscription Level access. So the answer is still yes.
upvoted 1 times
...
Load full discussion...
...
omth
Most Recent 3 years, 8 months ago
jfhkjw
upvoted 1 times
...
varunthakur84
4 years, 3 months ago
Correct answer is YES Access can be granted at subscription as well as RG levels In this question main point to set right role (owner/contributor) to the correct ADD group. Owner - can do user assignment Contributor can create new resources
upvoted 1 times
...
glam
4 years, 4 months ago
A. Yes
upvoted 2 times
...
sanketshah
4 years, 5 months ago
A is correct
upvoted 1 times
...
AhmedAL
4 years, 7 months ago
answer should be A
upvoted 2 times
...
toja1234
4 years, 8 months ago
No is correct. The DevTeam should be able to create ALL Resources required for Application2. This could include a new ResourceGroup, which is not possible if its on RG level. We need a new Subscription.
upvoted 3 times
...
cozzy
4 years, 8 months ago
The answer is yes, read the requirements properly, there is nothing saying is has to be in a different subscription, this may be a "recommended" practice but is not a requirement of this solution.. the correct answer is yes
upvoted 2 times
...
cj93s3
4 years, 10 months ago
if this question comes up, i am going with yes
upvoted 2 times
...
dumbu
4 years, 10 months ago
I tend to agree with the No reason the subscription has "Only a group named Project1admins is assigned roles in the Project1 subscription". App2Dev is part of diff AD group so it must be in diff subscription.
upvoted 3 times
...
eug45
4 years, 10 months ago
the answer is A.
upvoted 1 times
...
Andy_Lee
4 years, 10 months ago
Should be yes. It fulfillment request
upvoted 1 times
...
Neetiniti
4 years, 10 months ago
Answer:-A. Yes, If you assign the Contributor role to an application at the resource group scope, it can manage resources of all types in that resource group, but not other resource groups in the subscription. https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
upvoted 3 times
...
DeveshSolanki
4 years, 11 months ago
Yes should be
upvoted 1 times
...
jonnybugaloo
4 years, 11 months ago
I agree it should be Yes. There is no mention about different AD tenant, so, we can't consider this as an eliminatory point. The explicity requirenments are: The members of App2Dev must be prevented from changing the role assignments in Azure. - Contributor role doesn't aloow this The members of App2Dev must be able to create new Azure resources required by Application2. - Contributor role aloows this All the required role assignments for Application2 will be performed by the members of Project1admins. - Owner can do this Contributor - Can create and manage all types of Azure resources but can't grant access to others. Owner - Has full access to all resources including the right to delegate access to others. https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
upvoted 1 times
HemantArora
4 years, 11 months ago
If I read this carefully, the ask is App2Dev group should be able to create any resource required for the app- which could include RG as well and if you are limiting this to RG, it would defy the objective
upvoted 2 times
am20
4 years, 11 months ago
agree with you. depends how important is each person point of view for the following two items, answer can be either yes or no 1. With provided solution, App2Dev are restricted to use only one (Application2)RG for their app. so if they need more RG, the answer can be No. otherwise, the answer can be Yes 2. May not be as critical as the first point, but now 2.a: "Project1admins" is not the only group in Project1 Subscription 2.b: Project1 Subscription now contains more resources than just application1 if subscription is used as a way to isolate app1 and app2, then the answer can be no, otherwise, answer is yes
upvoted 2 times
...
...
...
mtb123
4 years, 11 months ago
They do not share resources, so a contributor would not be able to create these resources in a single subscribtion The answer is correct. If it was implied that they use the same resources then they could be created in the same subscription and app 2users would then be given contributor access. But thats not the case so the answer is correct.
upvoted 1 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel