Exam AZ-104 topic 2 question 35 discussion

Traffic Analytics requires the following prerequisites: A Network Watcher enabled subscription. Network Security Group (NSG) flow logs enabled for the NSGs you want to monitor. An Azure Storage account, to store raw flow logs. An Azure Log Analytics workspace, with read and write access. Your account must meet one of the following to enable traffic analytics: Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor.

Correct Answer: A - Yes Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, reader, or network contributor. Reader role - View all resources, but does not allow you to make any changes. Traffic Analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Traffic analytics analyzes Network Watcher network security group (NSG) flow logs to provide insights into traffic flow in your Azure cloud. Reference: https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics#user-access-requirements https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

To use Traffic analytics, you must assign one of the following Azure built-in roles to your account: Deployment model Role Resource Manager Owner Contributor Network contributor 1 and Monitoring contributor 1 Network contributor doesn't cover Microsoft.OperationalInsights/workspaces/* actions. If none of the preceding built-in roles are assigned to your account, assign a custom role that supports the actions listed in Flow logs and Traffic analytics permissions. https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics?tabs=Americas#prerequisites

https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics#prerequisites

Per MS: Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, or network contributor. Here's the confusion: a custom role can have reader roles to enable it. If your account isn't assigned to one of the previously listed roles, it must be assigned to a custom role that is assigned the following actions, at the subscription level. Microsoft.Network/applicationGateways/read Microsoft.Network/connections/read Microsoft.Network/loadBalancers/read Microsoft.Network/localNetworkGateways/read Microsoft.Network/networkInterfaces/read Microsoft.Network/networkSecurityGroups/read Microsoft.Network/publicIPAddresses/read Microsoft.Network/routeTables/read Microsoft.Network/virtualNetworkGateways/read Microsoft.Network/virtualNetworks/read So, if the question were talking about custom roles, then perhaps it'd be A yes, but as it is regarding to built-in roles, this is NO. Source: https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq

im going with B

Subscription Reader Role: Permissions: The Subscription Reader role has read-only access to the Azure resources within a subscription. Capability: It allows users to view resources, settings, and data but does not grant permissions to make any changes, including enabling or configuring features like Traffic Analytics. To enable Traffic Analytics, you would need a role with write permissions on the relevant network resources, such as Owner, Contributor, Network Contributor, or a custom role with the necessary permissions.

No, assigning the Reader role to Admin1 does not meet the goal. The Reader role only provides read-only access to resources and does not grant the necessary permissions to enable Traffic Analytics. To enable Traffic Analytics, Admin1 requires the Network Contributor role or a higher role like the Contributor or Owner role, which grants the necessary permissions to configure and manage network resources, including Traffic Analytics. You should assign the Network Contributor role (or a higher role) at the subscription level to Admin1 to meet the goal.

Reader role is not enough: One of the following Azure built-in roles needs to be assigned to your account: Deployment model Role Resource Manager Owner Contributor Network contributor 1 and Monitoring contributor 2

Assigning the Reader role at the subscription level to Admin1 does not meet the goal. The Reader role provides read-only access to Azure resources, which allows viewing information but not configuring or enabling features like Traffic Analytics. To enable Traffic Analytics, Admin1 would need more permissions, typically provided by roles such as Network Contributor or Contributor. These roles allow configuring network resources and settings necessary to enable Traffic Analytics.

https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics#prerequisites:~:text=Deployment%20model-,Role,-Resource%20Manager

B. No Assigning the Reader role at the subscription level to Admin1 does not meet the goal of enabling Traffic Analytics for an Azure subscription. The Reader role has permissions to view resources but does not allow for any write operations, which are required to enable Traffic Analytics. To enable Traffic Analytics, Admin1 would need to be assigned a role that has write permissions, such as the Owner, Contributor, or a custom role with specific permissions for Traffic Analytics

No. Access but not enable.

Hello, seems that there was a typo in Azure documentation and Reader (read only, cannot make any change) cannot enable Traffic Analytics: cf https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics#prerequisites "One of the following Azure built-in roles needs to be assigned to your account: Owner, Contributor, Network contributor,and Monitoring contributor" Hence answer is B.

NO - to enable Traffic Analytics for an Azure subscription, Admin1 should be assigned the Network Watcher Contributor or Owner, Contributor, User Access Administrator, Security Administrator

Correct Answer - No (Confirmed, check below documentation) If you enable Traffic Analytics for sure, it require some write access to capture and write the logs. We need to be Logical. https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics Prerequisites Traffic analytics requires the following prerequisites: A Network Watcher enabled subscription. For more information, see Enable or disable Azure Network Watcher. NSG flow logs enabled for the network security groups you want to monitor or VNet flow logs enabled for the virtual network you want to monitor. For more information, see Create a flow log or Enable VNet flow logs. An Azure Log Analytics workspace with read and write access. For more information, see Create a Log Analytics workspace. One of the following Azure built-in roles needs to be assigned to your account: Expand table Deployment model Role Resource Manager Owner Contributor Network contributor 1 and Monitoring contributor 2

It seems reader role cannot enable traffic analytics. It can view it.