ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-104 All Questions

View all questions & answers for the AZ-104 exam
Go to Exam

Exam AZ-104 topic 2 question 25 discussion

Actual exam question from Microsoft's AZ-104
Question #: 25
Topic #: 2
[All AZ-104 Questions]

HOTSPOT -
You have an Azure subscription named Subscription1 that has a subscription ID of c276fc76-9cd4-44c9-99a7-4fd71546436e.
You need to create a custom RBAC role named CR1 that meets the following requirements:
✑ Can be assigned only to the resource groups in Subscription1
✑ Prevents the management of the access permissions for the resource groups
✑ Allows the viewing, creating, modifying, and deleting of resources within the resource groups
What should you specify in the assignable scopes and the permission elements of the definition of CR1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Show Suggested Answer Hide Answer
Suggested Answer:
by roh_87 at Dec. 4, 2020, 3:22 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
mlantonis
Highly Voted 4 years, 1 month ago
Correct Answer: “/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546435e” “Microsoft.Authorization/”
upvoted 358 times
Awot
1 year, 9 months ago
I have the feeling that the first option “/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546435e” is wrong. because it doesn't specify the resource group, the implication is that the user will have access to all other things in the subscription.
upvoted 9 times
Alcpt
1 month, 1 week ago
Read the line carefully. The is no such thing as plural /resourcegroupS
upvoted 3 times
...
...
Slimus
2 years, 1 month ago
Azure RBAC) is the authorization system you use to manage access to Azure resources. https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
upvoted 2 times
...
justin19981
2 years, 6 months ago
So often I have the feeling; This HAS to be wrong. And finding the community confirming my thoughts is nice :)
upvoted 15 times
...
Mitazure7
1 year, 8 months ago
In Azure, the correct format for specifying a resource group's path within a subscription is as follows: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>
upvoted 5 times
...
...
fedztedz
Highly Voted 4 years, 6 months ago
The Answer is Wrong. First part should be "/Subscription/subcription_id" only. There is nothing called "resourceGroups" only or "resourceGroups/*" . You can specify either a subscription, specific resource group, management group or specific resource. for example it should "/subcription/subcription_id/resourceGroups/resource_group_name" Check https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/role-based-access-control/role-definitions.md#role-definition-structure For second box. It is correct but missing "*". It should be "Microsoft.Authorization/*" . if you try this on az cli without "*". you will get an error
upvoted 245 times
JayBee65
4 years ago
This link https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions gives an example of "/subscriptions/{subscriptionId1}/resourceGroups/Network"
upvoted 10 times
...
tf444
4 years ago
{ "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}", "name": "{resourceGroupName}", "type":"Microsoft.Resources/resourceGroups", "location": "{resourceGroupLocation}", "managedBy": "{identifier-of-managing-resource}", "tags": { }, "properties": { "provisioningState": "{status}" } }
upvoted 2 times
...
rrobb
4 years, 2 months ago
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-rest#create-a-custom-role Can /{resourceGroup1} be replaced by name or *?
upvoted 2 times
...
Acai
3 years, 11 months ago
I don't know how you said there's no 'resourceGroups' and then put 'resourceGroups' in your example, also an asterisk/wildcard meaning denotes "all" this could imply there are multiple other fields the could be added in place of the wildcard. Regardless, I tested it, you can go to Subscriptions > [Your Subscription] > IAM > Custom Roles. You are correct but the explanation was quite confusing.
upvoted 7 times
mufflon
3 years, 5 months ago
You can specify either a subscription, specific resource group, management group or specific resource. for example it should "/subcription/subcription_id/resourceGroups/resource_group_name" So it you use "/subcription/subcription_id/resourceGroups/resource_group_name" then you need the resource_group_name
upvoted 2 times
...
...
Load full discussion...
...
lumax007
Most Recent 3 months, 1 week ago
You need to create a custom RBAC role named CR1 that meets the following requirements: ✑ Can be assigned only to the resource groups in Subscription1 ✑ Prevents the management of the access permissions for the resource groups ✑ Allows the viewing, creating, modifying, and deleting of resources within the resource groups Below are the correct answers “/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546435e” “Microsoft.Authorization/”
upvoted 1 times
...
rikininetysix
9 months, 1 week ago
The given answer is correct. As the standard format for a resource ID is : '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}' It clearly contains '/subscriptions/{subscriptionId}/resourceGroups/' which should be the proper assignable scope. In order to prevents the management of the access permissions for the resource groups (requirement 2), you need to select 'Microsoft.Authorization/' under permissions, notActions. If the assignable scope is '/subscriptions/{subscriptionId}/' the notAction permission 'Microsoft.Authorization/' would prevent the management of access permission at the subscription level, which is not asked in the question. This link validates the resource ID structure - https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription
upvoted 2 times
...
[Removed]
9 months, 2 weeks ago
WRONG "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e" "Microsoft.Authorization/*"
upvoted 2 times
...
Amir1909
1 year, 4 months ago
Correct Answer: “/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546435e” “Microsoft.Authorization/”
upvoted 2 times
...
Mitazure7
1 year, 8 months ago
In Azure, the correct format for specifying a resource group's path within a subscription is as follows: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>
upvoted 1 times
...
TedM2
1 year, 8 months ago
The answer shown for the first part seems to be incorrect, per https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions#assignablescopes
upvoted 1 times
...
Josete1106
1 year, 11 months ago
Correct Answer: “/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546435e” “Microsoft.Authorization/”
upvoted 3 times
...
Aluksy
2 years, 2 months ago
Correct Answer : “/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546435e” “Microsoft.Authorization/” Came out in my exam today 8th April 2023. Passed 830.
upvoted 11 times
...
rocky48
2 years, 3 months ago
Correct Answer: “/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546435e” “Microsoft.Authorization/”
upvoted 4 times
...
orionduo
2 years, 5 months ago
It should be "/Subscription/subcription_id" only. There is nothing called "resourceGroups" only or "resourceGroups/*" Note: You can specify either a subscription, specific resource group, management group or specific resource. For example, it should be "/subcription/subcription_id/resourceGroups/resource_group_name" “Microsoft.Authorization/” is right
upvoted 3 times
...
CoachV
2 years, 5 months ago
https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal
upvoted 1 times
...
CoachV
2 years, 5 months ago
The answers provided are actually correct. Look at the syntax of the JSON command below. { "properties": { "roleName": "Billing Reader Plus", "description": "Read billing data and download invoices", "assignableScopes": [ "/subscriptions/11111111-1111-1111-1111-111111111111" ], "permissions": [ { "actions": [ "Microsoft.Authorization/*/read", "Microsoft.Billing/*/read", "Microsoft.Commerce/*/read", "Microsoft.Consumption/*/read", "Microsoft.Management/managementGroups/read", "Microsoft.CostManagement/*/read", "Microsoft.Support/*" ], "notActions": [], "dataActions": [], "notDataActions": [] } ] } }
upvoted 1 times
sk4shi
1 year, 11 months ago
CoachV does have a fair point, although this JSON is not showing the fuller picture. If you look at the link CoachV posted and look at Step 5, point 2 there is an information section above in the screenshot that reads: "Select a management group, subscription or resource group to add as an assignable scope. You can only choose from the scopes that you have access to." - that would indicate that the provided answers are correct
upvoted 1 times
...
RougePotatoe
2 years, 5 months ago
Dawg the provided answer was /subscription/sub_id/resourceGroups. What you posted here is not the same thing.
upvoted 2 times
...
...
geisonferreira
2 years, 5 months ago
Why are wrong answers not corrected? This site is sometimes more confused than helpful.
upvoted 11 times
...
NaoVaz
2 years, 9 months ago
1) "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e" 2) "Microsoft.Authorization/*" "assignableScopes" must be the Subscription, so that this Custom Role can be only assignable to Resources Groups under the same Subscription. "notActions" must deny only the actions that interact with the Authorization API Endpoints. Everything else must\can be allowed.
upvoted 11 times
...
ThatDowntownSmell
2 years, 11 months ago
Regarding the assignable scopes part of the question: THERE IS NO WAY TO WILDCARD RESOURCEGROUPS AS AN ASSIGNABLE SCOPE! You can add all of the resource groups in the subscription individually, but you cannot wildcard all of them using /resourceGroups. If you go into Azure Portal and create a custom role under a subscription, you will see clearly that it is not possible - you must select a resource group when using the /resourceGroups type of assignable scope. The result will look similar to: /subscriptions/xxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxx/resourceGroups/RG1
upvoted 7 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel