ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-303 All Questions

View all questions & answers for the AZ-303 exam
Go to Exam

Exam AZ-303 topic 2 question 7 discussion

Actual exam question from Microsoft's AZ-303
Question #: 7
Topic #: 2
[All AZ-303 Questions]

You have an Azure Active Directory (Azure AD) tenant linked to an Azure subscription. The tenant contains a group named Admins.
You need to prevent users, except for the members of Admins, from using the Azure portal and Azure PowerShell to access the subscription.
What should you do?

  • A. From Azure AD, configure the User settings.
  • B. From Azure AD, create a conditional access policy.
  • C. From the Azure subscription, assign an Azure policy.
  • D. From the Azure subscription, configure Access control (IAM).
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
Typically, you use Conditional Access to control access to your cloud apps. You can also set up policies to control access to Azure management.
The policy you create applies to all Azure management endpoints, including the following:
✑ Azure portal
✑ Azure Resource Manager provider

Classic Service Management APIs -

✑ Azure PowerShell
✑ Visual Studio subscriptions administrator portal
✑ Azure DevOps
✑ Azure Data Factory portal
To create a policy for Azure management, you select Microsoft Azure Management under Cloud apps when choosing the app to which to apply the policy.

Incorrect Answers:
A: From User Settings you can only restrict access to Azure Portal, not access to Azure Powershell.
Note: Microsoft allows restricting standard user access to Azure Active Directory administration portal.
1. Log in to Azure portal as Global Administrator
2. Go to Azure Active Directory | User Settings
3. Then click on Yes under Restrict access to Azure AD administration portal

Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/conditional-access-azure-management https://www.rebeladmin.com/2019/04/step-step-guide-restrict-azure-ad-administration-portal/
by Bullionaire at Jan. 11, 2021, 2:44 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
inf
Highly Voted 4 years, 6 months ago
Answer: B Conditional Access is correct Active Directory | User settings, has an option to 'Restrict access to the Azure administration portal', though this only applies to non-admins. Also, the information dialog states the following which justifies A not being a correct answer: "No lets a non-administrator use this Azure AD administration portal experience to access Azure AD resources that the user has permission to read, or manage resources they own. Yes restricts all non-administrators from accessing any Azure AD data in the administration portal, but does not restrict such access using PowerShell or another client such as Visual Studio."
upvoted 25 times
J4U
3 years, 11 months ago
Correct. As User settings don't apply for PowerShell, I go with conditional access to restrict the portal access.
upvoted 2 times
...
sfa1
4 years, 5 months ago
Thanks for the extra info, that makes A a no go! https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions#restrict-member-users-default-permissions "Restrict access to Azure AD administration portal Setting this option to No lets non-administrators use the Azure AD administration portal to read and manage Azure AD resources. Yes restricts all non-administrators from accessing any Azure AD data in the administration portal. Note: this setting does not restrict access to Azure AD data using PowerShell or other clients such as Visual Studio."
upvoted 2 times
...
...
johnnsmith
Highly Voted 4 years, 2 months ago
This is about accessing the subscription, not the portal. The correct answer is D.
upvoted 17 times
altafpatel1984
3 years, 5 months ago
I guess this is correct.
upvoted 1 times
...
Nokaido
3 years, 10 months ago
I agree, since it is completely ok to use the Portal or PowerShell, the question states that the user should just not be able to access the subscription with it. That's a typical task for IAM on the Subscription level.
upvoted 4 times
...
robindeboi
4 years, 2 months ago
Exactly. Restrict from the Azure AD level will restrict the user to use the portal in any way. But the question specify that you only want to restrict this particular sub.
upvoted 6 times
...
...
sandeepmalik
Most Recent 3 years, 4 months ago
In today's exam. Score 900+ Correct answer.
upvoted 1 times
...
nd78
3 years, 6 months ago
on Exam today 21st Jan, 2022
upvoted 1 times
...
tomatosis
3 years, 7 months ago
On exam 23 Dec 2021, I chose B
upvoted 2 times
...
quantumray
3 years, 7 months ago
Question appeared On AZ-303 exam on 08/12/2021 - 49 questions, 4Q - Fabrikan case study
upvoted 1 times
...
syu31svc
3 years, 11 months ago
From Azure AD, configure the User settings - This is used to update Azure AD user data. From the Azure subscription, assign an Azure policy - Azure Policy is used to enforce organizational standards. From the Azure subscription, configure Access control (IAM) - IAM is used to add/revoke permissions. Answer is B
upvoted 1 times
...
mingled
4 years ago
The more I think about it - it is Conditional Access: B A - Yes you can block access to Azure Portal but this doesn't stop powershell B - Correct you can block Azure AD administration - so this is correct C - Just no... D - Sure you can stop them having access to the subscription - but they can still technically "Access" the azure portal
upvoted 4 times
...
AAPaul
4 years ago
I had this question in the exam that i took on July 14th 2021
upvoted 1 times
mikymike10
4 years ago
may i know the correct answer?
upvoted 1 times
TheAzureArchitect
3 years, 8 months ago
Not possible to say. After the exam you get a score but not a breakdown of correct/incorrect answers.
upvoted 1 times
...
...
...
AravindITGuy
4 years, 1 month ago
Took exam today passed this morning was on there 6/21/2021
upvoted 2 times
...
BrettusMaximus
4 years, 1 month ago
D. When a subscription is created, by default no one except the subscription owner, has access to the subscription. I have done this. You only give access to the subscription by giving the Admins group (IAM) on the subscription or to its Management Group.
upvoted 3 times
...
MukeshAT0977
4 years, 1 month ago
Was in today's exam and the given answers are correct.
upvoted 1 times
...
jd94
4 years, 1 month ago
6/12/2021. Passed the exam. Conditional Access
upvoted 1 times
...
Suharsh
4 years, 3 months ago
Was in today's exam and the given answer is correct.
upvoted 2 times
...
gssd4scoder
4 years, 3 months ago
For the explanation it seems also A is correct.
upvoted 1 times
...
demonite
4 years, 4 months ago
B is correct https://docs.microsoft.com/en-us/answers/questions/112173/can-we-restrict-azure-portal-httpsportalazurecom-a.html?sort=votes
upvoted 2 times
...
leeuw86
4 years, 5 months ago
I would go for D
upvoted 8 times
kwaazaar
4 years, 4 months ago
Indeed. Why not restrict users all rights on the complete subscription?
upvoted 4 times
pentium75
4 years ago
Because even if user has no access to the subscription, he could have access to a resource in the subscription. Or not? If so, then D would not work. The question here is about blocking access to "the Azure Portal".
upvoted 1 times
...
...
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel