ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-304 All Questions

View all questions & answers for the AZ-304 exam
Go to Exam

Exam AZ-304 topic 2 question 45 discussion

Actual exam question from Microsoft's AZ-304
Question #: 45
Topic #: 2
[All AZ-304 Questions]

HOTSPOT -
You need to design a resource governance solution for an Azure subscription. The solution must meet the following requirements:
✑ Ensure that all ExpressRoute resources are created in a resource group named RG1.
✑ Delegate the creation of the ExpressRoute resources to an Azure Active Directory (Azure AD) group named Networking.
✑ Use the principle of least privilege.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Show Suggested Answer Hide Answer
Suggested Answer:
Box 1: An Azure policy assignment at the subscription level that has an exclusion
Box 2: A custom RBAC role assignment at the level of RG1
Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage
by arseyam at Dec. 4, 2020, 9:08 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
arseyam
Highly Voted 4 years, 6 months ago
Correct answer
upvoted 44 times
...
sharepoint_Azure_pp
Highly Voted 3 years, 8 months ago
mentioned answer are correct Choosed the same cleared with 900 on 17th October 2021
upvoted 12 times
...
OCHT
Most Recent 3 years ago
Answers are correct.
upvoted 1 times
...
itenginerd
3 years, 2 months ago
On my exam today.
upvoted 2 times
...
plmmsg
3 years, 3 months ago
Answer is correct
upvoted 1 times
...
Dpejic
3 years, 6 months ago
On exam 24.12.2021
upvoted 5 times
...
syu31svc
3 years, 8 months ago
"Ensure that all ExpressRoute resources are created " -> this would imply use of policy "principle of least privilege" -> custom RBAC role at RG level Answer is correct
upvoted 8 times
...
Gautam1985
3 years, 9 months ago
correct
upvoted 2 times
...
JDA
4 years, 4 months ago
The answers are correct.
upvoted 4 times
...
TheMo
4 years, 4 months ago
Correct Answer
upvoted 3 times
...
azurecert2021
4 years, 4 months ago
given answer is correct.
upvoted 3 times
...
glam
4 years, 5 months ago
Box 1: An Azure policy assignment at the subscription level that has an exclusion Box 2: A custom RBAC role assignment at the level of RG1
upvoted 3 times
...
Blaaa
4 years, 5 months ago
Correct answers
upvoted 4 times
...
zeeshankaizer
4 years, 5 months ago
Shouldn't it be RBAC role assignment at subscription level?
upvoted 2 times
meonyahoo
4 years, 5 months ago
Not required as only RG1 is allowed for creating resource
upvoted 3 times
...
MikeHugeNerd
4 years, 5 months ago
No. At the resource group level ensures the principle of least privilege.
upvoted 11 times
oshoparsi
4 years, 3 months ago
but we don't know where is the Networking group who should be able to build the express rout in RG1. so I think the RBAC should be at the subscription level...
upvoted 1 times
pentium75
3 years, 10 months ago
The networking group is an AAD group. This AAD group needs permission to create resources in RG1, thus it needs permission in RG1, thus you assign permission at RG1 level.
upvoted 4 times
...
...
...
jellybiscuit
2 years, 9 months ago
The end result is really the same. If you grant at the subscription level, technically, you have given them more rights than you needed. But... the policy blocks them anyway. Like I said, functionally, they're the same, but applying at the RG would more closely follow least privilege.
upvoted 1 times
...
...
milind8451
4 years, 5 months ago
Why do you need an exclusion? Simply create a policy to allow to creare expressRoute in a particular RG and assign to subscription, what exclusion is needed here?
upvoted 5 times
openidshanks1
4 years, 5 months ago
create policy to deny creation of express route and exclude rg1 from the policy, assign this to the subscription
upvoted 11 times
...
bbartek
4 years, 5 months ago
Policies have allow by default, deny explicitly model. Hence, if you want to accomplish this scenario, you need to explicitly deny creating ExpressRoute for an entire subscription, with the exclusion for RG1
upvoted 48 times
Suhasrs
3 years, 5 months ago
thanks for the explanation
upvoted 1 times
...
rdemontis
3 years, 6 months ago
Thank you very much for explanation
upvoted 1 times
...
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel