ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-500 All Questions

View all questions & answers for the AZ-500 exam
Go to Exam

Exam AZ-500 topic 4 question 47 discussion

Actual exam question from Microsoft's AZ-500
Question #: 47
Topic #: 4
[All AZ-500 Questions]

HOTSPOT -
You have 20 Azure subscriptions and a security group named Group1. The subscriptions are children of the root management group.
Each subscription contains a resource group named RG1.
You need to ensure that for each subscription RG1 meets the following requirements:
✑ The members of Group1 are assigned the Owner role.
✑ The modification of permissions to RG1 is prevented.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Show Suggested Answer Hide Answer
Suggested Answer:
by dadageer at March 13, 2021, 11:50 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
hang10z
Highly Voted 4 years, 3 months ago
Question 1 is Blueprints Question 2: Azure blueprint locking won't affect existing resources, RG1 already exists A resource lock will either make RG1 read only or prevent deletion, not just stopping permission changes, not the best solution. The only good answer is RBAC role assignment at the RG level.
upvoted 40 times
cassucena
6 months, 3 weeks ago
tested and a resource lock works for question number 2. With read only lock I am not able to delete assigments or create new ones.
upvoted 1 times
...
AzureJobsTillRetire
2 years, 6 months ago
There is nowhere in the question indicates that the resource groups already exist. Those resource groups could be the result of blueprints.
upvoted 1 times
xRiot007
11 months, 2 weeks ago
There is : "Each subscription contains a resource group named RG1."
upvoted 1 times
...
Mnguyen0503
1 year, 5 months ago
It said right here "Each subscription contains a resource group named RG1". Azure Blueprint is only the answer to question 1, no where does they say it will affect the result of question 2. You're using your assumption to answer question 2. What would you choose if question 2 is its own standalone question?
upvoted 1 times
...
...
ServerBrain
2 years ago
100% correct! Question 2 is about permissions on RG1.. locking RG1 using a resource lock is not the answer to preventing changes to permissions on RG1.
upvoted 2 times
...
somenick
2 years, 8 months ago
Question 1: Blueprints seems to be the only option. Question 2: I'd vote for resource lock. Because you can't add deny assignment. Deny assignments block users from performing specific actions even if a role assignment grants them access. At this time, the ONLY way you can add your own deny assignments is by using Azure Blueprints. However Blueprints will have no effect on the existing resources...
upvoted 4 times
xRiot007
11 months, 2 weeks ago
You can use the notActions and notDataActions in a custom RBAC role to explicitly deny certain actions
upvoted 1 times
pentium75
11 months, 1 week ago
No, "notActions" just excludes the specified actions from the previously provided "actions". It is NOT a "deny" permission.
upvoted 1 times
xRiot007
10 months, 3 weeks ago
Yes, sorry and thanks for correction. notActions will remove the ability to do a certain action, but if another role assigned to the user is mentioning that action in the Actions sections, it will apply. Maybe a better word would have been "disable" or "exclude"
upvoted 1 times
...
...
...
kabooze
2 years, 7 months ago
Indeed. Confirmed here: https://learn.microsoft.com/en-us/answers/questions/28683/deploy-resources-from-blueprint-into-an-existing-r.html
upvoted 1 times
...
...
...
Pinto
Highly Voted 4 years, 3 months ago
Azure blueprint with locks for sure is the answer to 2nd part. I think the whole question is derived from this article - https://docs.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking#overriding-locking-states It's typically possible for someone with appropriate Azure role-based access control (Azure RBAC) on the subscription, such as the 'Owner' role, to be allowed to alter or delete any resource. This access isn't the case when Azure Blueprints applies locking as part of a deployed assignment. If the assignment was set with the Read Only or Do Not Delete option, not even the subscription owner can perform the blocked action on the protected resource. This security measure protects the consistency of the defined blueprint and the environment it was designed to create from accidental or programmatic deletion or alteration.
upvoted 20 times
JAGUDERO
4 years, 2 months ago
wrong, on the same link Resource locks deployed by Azure Blueprints are only applied to resources deployed by the blueprint assignment. Existing resources, such as those in resource groups that already exist, don't have locks added to them.
upvoted 4 times
...
rgullini
4 years, 2 months ago
wrong, you need to prevent modifying permissions in the resource groups but not prevent modifying the resources themselves.
upvoted 6 times
...
...
tomchan2417
Most Recent 3 days, 2 hours ago
its resource lock. See https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json#understand-scope-of-locks:~:text=A%20cannot%2Ddelete%20lock%20on%20a%20resource%20or%20resource%20group%20prevents%20the%20deletion%20of%20Azure%20RBAC%20assignments.
upvoted 1 times
...
pentium75
11 months, 1 week ago
#2 must be "Azure Blueprint assignments in locking mode" because "A resource lock" won't fly, there's only "read-only-lock" or "cannot-delete-lock" but no "cannot-modify-permissions-lock" An RBAC role assignment also won't help because there you can't create DENY permissions. Everybody who has a role that can modify permissions on the subscription can modify permissions on resource groups in it. The only way to achieve the result, prevent modification of permissions with whatever means but not block anything else, is Azure Blueprints in locking mode.
upvoted 1 times
Viggy1212
9 months ago
I tested it by adding a "Read_Only" lock to RG and tried to assign a role to user. I got an error Failed to add Group1 as Owner for ResGroup1 : The scope '/subscriptions/xx/resourceGroups/ResGroup1/providers/Microsoft.Authorization/roleAssignments/xx' cannot perform write operation because following scope(s) are locked: '/subscriptions/xx/resourceGroups/ResGroup1'. Please remove the lock and try again. Locks are most viable option. Please correct if I'm wrong.
upvoted 1 times
...
...
wardy1983
1 year, 7 months ago
Answer: A Explanation: Reference: https://docs.microsoft.com/en-us/azure/governance/policy/overview https://4sysops.com/archives/apply-gov ernance-policy-to-multiple-azure-subscriptions-with-management-groups/
upvoted 1 times
...
_fvt
1 year, 11 months ago
Question 1: Blueprints. Question 2: - RBAC is not the solution: it doesn't have Deny assignments, and we need to have the Owners of RG1 deployed, so we cannot just remove all owners.. - If it is a typo issue and the meaning is "not change the permissions INTO RG1", I would go with blueprint locks. - But if not a typo issue and as RG1 already exists and blueprint resource locks only affects New resources, I would go with resource lock on RG1 instead. This is the only solution, but not ideal as it will block any modification in and within (inheritance) RG1, not only permissions. if it's a typo issue and means "
upvoted 1 times
...
majstor86
2 years, 4 months ago
1. Azure Blueprints 2. A Resource lock
upvoted 3 times
...
ltjones12
2 years, 6 months ago
Anyone who has bothered to test will know that #2 is a resource lock
upvoted 2 times
AzureJobsTillRetire
2 years, 6 months ago
Azure Blueprint assignment in locking mode would have the same effects to resource lock. Why do it separately?
upvoted 1 times
...
...
Ajdlfasudfo0
2 years, 6 months ago
blueprint wouldn't help, since the resources already exist. So the only possible option for two is "Resource Lock" https://learn.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking#overriding-locking-states
upvoted 2 times
AzureJobsTillRetire
2 years, 6 months ago
There is nowhere in the question indicates that the resource groups already exist. Those resource groups could be the result of blueprints.
upvoted 1 times
...
...
gulerayhan
2 years, 7 months ago
Tested in LAB. 1- Blueprints 2- Resource lock
upvoted 2 times
...
Muaamar_Alsayyad
2 years, 8 months ago
Key word here is PERFENT if we use RBAC, then we can change the permissions, we need to use Blueprint, with blueprint even the owner can't change the permissions Answer: 1- Blueprint 2- Azure Blueprint assignment in locking mode
upvoted 2 times
AzureJobsTillRetire
2 years, 6 months ago
Exactly! With RBAC and resource lock, the "modification of permissions" to RG1 is NOT "prevented" for owners and owners still can modify the permissions. Blueprint assignments in locking mode is the way to go. Forget about the existing resource groups, if they exist, we can delete them and recreate them.
upvoted 3 times
...
...
Pasapugazh
2 years, 8 months ago
Tested in Lab. Unable to make changes in the RBAC of the resource groups after applying resource lock. So for the 2nd question Resource lock is right option.
upvoted 3 times
...
ikidreamz
2 years, 9 months ago
https://learn.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking B is - locking mode ''Azure Blueprints applies locking as part of a deployed assignment'
upvoted 1 times
...
Amit3
2 years, 11 months ago
The answer for Ques.2 should be Azure Blueprint assignment in locking mode at management level, so that even the owner won't be able to remove resource or the lock.
upvoted 1 times
...
Janusguru
3 years, 1 month ago
Question 1 is correct but question 2 is wrong. Owner with RBAC role can modify, therefore answer to question 2 is wrong. To override owner permission Resource lock should be the answer. https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
upvoted 2 times
...
adamsca
3 years, 6 months ago
## In Exam 12/10/2021
upvoted 2 times
...
Elazari
3 years, 9 months ago
TESTED! Question1 - Blueprints Question2 - Resource Locks
upvoted 11 times
xRiot007
11 months, 2 weeks ago
I also think Resource Lock is a good option, because a lock is enforced for everybody, including the Owners of that resource.
upvoted 1 times
...
khengoolman
3 years, 4 months ago
This makes more sense than RBAC anyway, using RBAC, given the users are given owner, they'd bypass any limitation regardless anyway, as the only way to prevent an owner from modifying permissions or other things is to setup a lock.
upvoted 3 times
...
skycrap
3 years, 7 months ago
Agree. tested as well. 1. Blueprints 2. Locks
upvoted 3 times
...
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel