Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.

Unlimited Access

Get Unlimited Contributor Access to the all ExamTopics Exams!
Take advantage of PDF Files for 1000+ Exams along with community discussions and pass IT Certification Exams Easily.

Exam AZ-104 topic 2 question 30 discussion

Actual exam question from Microsoft's AZ-104
Question #: 30
Topic #: 2
[All AZ-104 Questions]

You have an Azure subscription linked to an Azure Active Directory tenant. The tenant includes a user account named User1.
You need to ensure that User1 can assign a policy to the tenant root management group.
What should you do?

  • A. Assign the Owner role for the Azure Subscription to User1, and then modify the default conditional access policies.
  • B. Assign the Owner role for the Azure subscription to User1, and then instruct User1 to configure access management for Azure resources.
  • C. Assign the Global administrator role to User1, and then instruct User1 to configure access management for Azure resources.
  • D. Create a new management group and delegate User1 as the owner of the new management group.
Show Suggested Answer Hide Answer
Suggested Answer: B ūüó≥ÔłŹ
The following chart shows the list of roles and the supported actions on management groups.

Note:
Each directory is given a single top-level management group called the "Root" management group. This root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This root management group allows for global policies and Azure role assignments to be applied at the directory level. The Azure AD Global Administrator needs to elevate themselves to the User Access Administrator role of this root group initially. After elevating access, the administrator can assign any Azure role to other directory users or groups to manage the hierarchy. As administrator, you can assign your own account as owner of the root management group.
Reference:
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
mlantonis
Highly Voted 2 years, 6 months ago
Correct Answer: C No one is given default access to the root management group. Azure AD Global Administrators are the only users that can elevate themselves to gain access. Once they have access to the root management group, the global administrators can assign any Azure role to other users to manage it. Reference: https://docs.microsoft.com/en-us/azure/governance/management-groups/overview#important-facts-about-the-root-management-group https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
upvoted 279 times
Netspud
1 year, 10 months ago
After looking at this for a while (cos it was doing my head in), the important bit would be for B we are assigning Owner for the Subscription, It needs to be Owner for the Tenant Root. (which is said but was not instantly clear to me). So it has to be (C) Global Admin which will the elevate it's self to Root owner. Another of those questions you really have to pick apart. So C is the correct answer.
upvoted 18 times
...
JoeGuan
2 months ago
Why would you assume that USER1 needs to be the Global Administrator, or is a Global Administrator, rather than assuming that I am the Global Administrator? Assuming I am the Global Administrator, and that I have granted myself User Access Administrator, then using the least privileged best practice I would pick B and assign User1 any other role, like Owner, rather than Global Administrator. Granting everyone/anyone GA to assign policies seems like a horrible idea. The Owner role is enough to assign policy to the root management group. There is no need to assign User1 Global Administrator so that User1 can grant themselves the role.
upvoted 4 times
Alscoran
3 weeks, 1 day ago
It cannot be A or B simply because subscriptions are underneath Management groups. So doing any thing to those does not fix the issue. Cannot be D since that is creating a new management group. B is the only answer that comes close. Your concerns about assigning a GA noted but no other answer is provided that would alleviate your concerns.
upvoted 1 times
...
...
mumu_myk
2 years ago
mlantonis is correct - the answer here should be C. Assign the Global administrator... Assigning the owner role to the "tenant root" (not the subscription) or the resource policy contributor role wouldve been enough access for user1 but that is not one of the options in the choices. so the only choice that works is C.
upvoted 8 times
...
itgg11
1 year, 12 months ago
Answer is C. Just tested in the lab.
upvoted 20 times
...
...
Rajash
Highly Voted 2 years, 7 months ago
Ans C: No one is given default access to the root management group. Azure AD Global Administrators are the only users that can elevate themselves to gain access. Once they have access to the root management group, the global administrators can assign any Azure role to other users to manage it.
upvoted 60 times
Negrinho
2 years, 7 months ago
No, the correctly answer is B. C is to control Azure AD (Global Administrators), not to control Management group. If you need to control Management group, use: Access control (IAM)> Add role assignment> Role> Owner or Contributor (in this case you will use Owner). Don't exist "Global Administrators" inside of Access control (IAM)> Add role assignment. The link between Azure AD and Management group will allow that you choose an user of your Azure AD, but not will inherit Azure AD role.
upvoted 47 times
shnz03
2 years, 6 months ago
I agree. Basically there are 3 RBAC methods. They are for 1) Azure AD 2) Azure resources including Management group 3) Classic (used by Subscription)
upvoted 1 times
...
RamanAgarwal
2 years, 6 months ago
B cant be right because the owner access is given at subscription level only.
upvoted 5 times
AK4U
9 months, 2 weeks ago
not true. yo0u can give the owner roll to the Tenant Root Group in the Access control (IAM) blade > Role assignments > Add
upvoted 1 times
...
...
mdyck
2 years, 6 months ago
This is right. Check the chart in this link. Owners assign policy. https://docs.microsoft.com/en-us/azure/governance/management-groups/overview#management-group-access
upvoted 5 times
rawrkadia
2 years, 5 months ago
How can it be right when the question specifies the root management group and B specifies a child subscription? The only way to ensure they can make changes to the root management group is to make them a GA on the tenant and then they can assign themselves the owner permissions to that group.
upvoted 6 times
...
...
...
brainmind
2 years, 5 months ago
The answer is C, the user should be a GA and then elevate themselves to gain access.
upvoted 3 times
PersonT
2 years, 4 months ago
True. https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
upvoted 1 times
...
...
...
TheCarvas
Most Recent 1 month ago
Selected Answer: C
Although C is not a recommend practice(in more than 1 way), its the only one that would achieve the goal. Assigning owner role to the subscription wouldn't allow the user to assign policies at the root MG level, which is sitting at a higher hierarchical level than the sub (roughly the same reason why D doesn't work), with C the user can elevate himself to owner or access or policy assigner at root MG level any of which would then allow the user to assign a policy at root MG, that could apply to any MG,RG, Resource and Subscription created under that tenant.
upvoted 1 times
...
mattpaul
1 month, 2 weeks ago
I passed with these questions and many friends passed too, all questions appeared in the real exam a great study resource, contact me on [email protected]
upvoted 1 times
...
shivamspsps
1 month, 3 weeks ago
Selected Answer: C
khjfdfhjnkjygjk
upvoted 2 times
...
mattpaul
1 month, 3 weeks ago
I passed with these questions and many friends passed too, if you want real exam questions for twenty only, contact me on [email protected]
upvoted 1 times
...
TobeReto
1 month, 4 weeks ago
The answer B is correct. The mistake most people are making is that they are not taking note of the scenario, Azure subscription is mentioned not Azure AD. Owner's role is an Azure subscription role while Global Admin is more of an Azure AD role.
upvoted 3 times
...
gwerin
2 months, 3 weeks ago
Selected Answer: C
bc playing with Root
upvoted 1 times
...
NoobieWon
3 months ago
Explanation: In Azure, permissions and access control are often managed through management groups and role assignments. The tenant root management group is the highest level in the Azure hierarchy, and you need to delegate permissions at this level. Assigning the Owner role at the Azure subscription level (options A and B) or assigning the Global administrator role (option C) would not directly grant User1 the necessary permissions to manage policies at the tenant root management group level. Creating a new management group and delegating User1 as the owner of that management group allows User1 to have the necessary permissions to manage policies at that level without giving them excessive privileges over the entire Azure subscription or tenant. So, the correct answer is option D.
upvoted 1 times
...
Hades231
3 months, 1 week ago
Selected Answer: C
C is correct!
upvoted 1 times
...
AMEHAR
3 months, 2 weeks ago
Selected Answer: C
Correct Answer is C-
upvoted 1 times
...
Lishva
3 months, 3 weeks ago
Correct Answer: B Because the user 1 is already part of the tenant group, if we need to create a new user / assign roles for tenant means we use Global Administrator role. But here we only assign policy.
upvoted 1 times
...
oopspruu
3 months, 3 weeks ago
Selected Answer: C
Assigning someone as Owner to a Subscription gives them full control ONLY to that subscription. The question requires that the person touches the Root Management Group. Only an AAD Global Administrator has the permissions to do so. So answer is C.
upvoted 5 times
...
RickySmith
3 months, 3 weeks ago
Selected Answer: B
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview#important-facts-about-the-root-management-group Once User1 is elevated to Owner of the tenant, they can manage the policies. The Azure Subscription Owner need not be a global admin of Azure AD.
upvoted 2 times
...
Misty39
3 months, 4 weeks ago
Selected Answer: C
after everything i will go again with c, can't be anything else...
upvoted 2 times
...
Misty39
3 months, 4 weeks ago
now, when i think about a bit, if we have subscription, we are probably global admin user0, and we have to assign something to user1, if we assign something to user1, then maybe it is b in the end, can someone clarify more, im feeling dizzy
upvoted 1 times
...
Misty39
3 months, 4 weeks ago
Selected Answer: C
I thought I read on learn ms that ONLY global admin can do that
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...