Exam AZ-104 topic 2 question 30 discussion

Actual exam question from Microsoft's AZ-104
Question #: 30
Topic #: 2

You have an Azure subscription linked to an Azure Active Directory tenant. The tenant includes a user account named User1.
You need to ensure that User1 can assign a policy to the tenant root management group.
What should you do?

  • A. Assign the Owner role for the Azure Subscription to User1, and then modify the default conditional access policies.
  • B. Assign the Owner role for the Azure subscription to User1, and then instruct User1 to configure access management for Azure resources.
  • C. Assign the Global administrator role to User1, and then instruct User1 to configure access management for Azure resources.
  • D. Create a new management group and delegate User1 as the owner of the new management group.
Suggested Answer: B
The following chart shows the list of roles and the supported actions on management groups.

Note:
Each directory is given a single top-level management group called the "Root" management group. This root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This root management group allows for global policies and Azure role assignments to be applied at the directory level. The Azure AD Global Administrator needs to elevate themselves to the User Access Administrator role of this root group initially. After elevating access, the administrator can assign any Azure role to other directory users or groups to manage the hierarchy. As administrator, you can assign your own account as owner of the root management group.
Reference:
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
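The elevation-then-delegation sequence described in the Note, written out in Az PowerShell as an added example (it is not from ExamTopics or from Microsoft's documentation); it assumes the caller is signed in as the Azure AD Global Administrator, that $user1ObjectId is a placeholder for User1's object ID, and that the built-in "Allowed locations" definition ID is used as the sample policy.

```powershell
# Added example: elevate a Global Administrator, delegate at the tenant root management
# group, assign a policy there, then drop the elevated access. Requires the Az module.
# $user1ObjectId is a placeholder; substitute User1's Azure AD object ID.
$user1ObjectId = "00000000-0000-0000-0000-000000000000"

Connect-AzAccount | Out-Null
$tenantId = (Get-AzContext).Tenant.Id
# The tenant root management group is named after the tenant ID. This scope sits above
# every subscription, which is why Owner on a subscription (option B) never reaches it.
$rootMg = "/providers/Microsoft.Management/managementGroups/$tenantId"

# 1. Elevate: the Global Administrator becomes User Access Administrator at root scope "/".
Invoke-AzRestMethod -Method POST `
    -Path "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01" | Out-Null

# 2. Delegate at the root management group. Owner is the role the answer key's chart lists
#    as able to assign policy; assigning it here avoids making User1 a Global Administrator.
New-AzRoleAssignment -ObjectId $user1ObjectId -RoleDefinitionName "Owner" -Scope $rootMg | Out-Null

# 3. Check the assignment landed at the root management group, not at a subscription.
Get-AzRoleAssignment -ObjectId $user1ObjectId -Scope $rootMg |
    Where-Object { $_.Scope -eq $rootMg } |
    Select-Object RoleDefinitionName, Scope

# 4. What User1 can now do (run as User1): assign a built-in policy at the root management
#    group. The GUID is assumed to be the built-in "Allowed locations" definition.
$def = Get-AzPolicyDefinition `
    -Id "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c"
New-AzPolicyAssignment -Name "allowed-locations-root" -PolicyDefinition $def -Scope $rootMg `
    -PolicyParameterObject @{ listOfAllowedLocations = @("westeurope", "northeurope") } | Out-Null

# 5. Remove the elevated access once delegation is done; it is meant to be temporary.
Remove-AzRoleAssignment -SignInName (Get-AzContext).Account.Id `
    -RoleDefinitionName "User Access Administrator" -Scope "/"
```

Step 3 is the check that separates option B from the answer the thread converges on: an Owner assignment whose Scope is a subscription path rather than $rootMg will not let User1 write policy assignments at the root.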

Comments

mlantonis
Highly Voted 2 years, 11 months ago
Correct Answer: C No one is given default access to the root management group. Azure AD Global Administrators are the only users that can elevate themselves to gain access. Once they have access to the root management group, the global administrators can assign any Azure role to other users to manage it. Reference: https://docs.microsoft.com/en-us/azure/governance/management-groups/overview#important-facts-about-the-root-management-group https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
upvoted 300 times
JoeGuan
6 months, 2 weeks ago
Why would you assume that USER1 needs to be the Global Administrator, or is a Global Administrator, rather than assuming that I am the Global Administrator? Assuming I am the Global Administrator, and that I have granted myself User Access Administrator, then using the least privileged best practice I would pick B and assign User1 any other role, like Owner, rather than Global Administrator. Granting everyone/anyone GA to assign policies seems like a horrible idea. The Owner role is enough to assign policy to the root management group. There is no need to assign User1 Global Administrator so that User1 can grant themselves the role.
upvoted 5 times
Alscoran
5 months ago
It cannot be A or B simply because subscriptions are underneath Management groups. So doing anything to those does not fix the issue. Cannot be D since that is creating a new management group. B is the only answer that comes close. Your concerns about assigning a GA noted but no other answer is provided that would alleviate your concerns.
upvoted 6 times
itgg11
2 years, 4 months ago
Answer is C. Just tested in the lab.
upvoted 22 times
mumu_myk
2 years, 4 months ago
mlantonis is correct - the answer here should be C. Assign the Global administrator... Assigning the Owner role to the "tenant root" (not the subscription) or the Resource Policy Contributor role would've been enough access for User1, but that is not one of the options in the choices. So the only choice that works is C.
upvoted 8 times
Netspud
2 years, 3 months ago
After looking at this for a while (cos it was doing my head in), the important bit would be that for B we are assigning Owner for the Subscription; it needs to be Owner for the Tenant Root (which is said but was not instantly clear to me). So it has to be (C) Global Admin, which will then elevate itself to Root owner. Another of those questions you really have to pick apart. So C is the correct answer.
upvoted 19 times
Rajash
Highly Voted 2 years, 11 months ago
Ans C: No one is given default access to the root management group. Azure AD Global Administrators are the only users that can elevate themselves to gain access. Once they have access to the root management group, the global administrators can assign any Azure role to other users to manage it.
upvoted 62 times
brainmind
2 years, 9 months ago
The answer is C, the user should be a GA and then elevate themselves to gain access.
upvoted 3 times
PersonT
2 years, 9 months ago
True. https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
upvoted 1 times
Negrinho
2 years, 11 months ago
No, the correct answer is B. C is to control Azure AD (Global Administrators), not to control Management groups. If you need to control a Management group, use: Access control (IAM) > Add role assignment > Role > Owner or Contributor (in this case you will use Owner). "Global Administrators" doesn't exist inside Access control (IAM) > Add role assignment. The link between Azure AD and the Management group will allow you to choose a user from your Azure AD, but will not inherit the Azure AD role.
upvoted 48 times
shnz03
2 years, 10 months ago
I agree. Basically there are 3 RBAC methods. They are for 1) Azure AD 2) Azure resources including Management group 3) Classic (used by Subscription)
upvoted 1 times
RamanAgarwal
2 years, 10 months ago
B can't be right because the Owner access is given at subscription level only.
upvoted 5 times
AK4U
1 year, 1 month ago
Not true. You can give the Owner role to the Tenant Root Group in the Access control (IAM) blade > Role assignments > Add.
upvoted 1 times
mdyck
2 years, 11 months ago
This is right. Check the chart in this link. Owners assign policy. https://docs.microsoft.com/en-us/azure/governance/management-groups/overview#management-group-access
upvoted 5 times
rawrkadia
2 years, 9 months ago
How can it be right when the question specifies the root management group and B specifies a child subscription? The only way to ensure they can make changes to the root management group is to make them a GA on the tenant and then they can assign themselves the owner permissions to that group.
upvoted 6 times
Nushin
Most Recent 5 days ago
To ensure that User1 can assign a policy to the tenant root management group, you should choose Option C: Assign the Global administrator role to User1, and then instruct User1 to configure access management for Azure resources. The Global Administrator role in Azure Active Directory has permissions to all administrative features. This role is the most powerful role, and it can assign policies to the tenant root management group. The Owner role for the Azure subscription does not have this level of access. Therefore, options A and B would not meet the requirements. Option D is not relevant as it involves creating a new management group, which is not necessary in this case.
upvoted 1 times
MelKr
3 weeks, 3 days ago
Selected Answer: C
Just verified this. Owner of the subscription is not enough to assign a policy at the root management group. The user needs to have at least the "Microsoft.Authorization/policyAssignments/write" permission and probably a couple more read permissions at the root management group. So given the options, answer C fulfills this.
upvoted 1 times
tashakori
1 month ago
C is right
upvoted 1 times
Cg007
1 month, 1 week ago
Selected Answer: B
By assigning the Owner role for the Azure subscription to User1, they will have the necessary permissions to manage resources within the subscription, including assigning policies to management groups. Then, instructing User1 to configure access management for Azure resources will allow them to assign policies to the tenant root management group.
upvoted 1 times
bacana
1 month, 3 weeks ago
It depends. If the subscription is attached to a subgroup manager, the user cannot modify the root group's IAM. If a subscription is attached to the root, the user can modify IAM. If the user is global, then he can gain access across all subscriptions using an "Elevate access" option. I would go with option C because it doesn't say what level the subscription is at. https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal
upvoted 1 times
Pringlesucka
2 months ago
Correct Answer: C reasoning: because
upvoted 1 times
stanislaus450
2 months, 1 week ago
Selected Answer: B
The correct answer is B. Assign the Owner role for the Azure subscription to User1, and then instruct User1 to configure access management for Azure resources. To assign a policy to the tenant root management group, User1 needs to have the Microsoft.Authorization/roleAssignments/write permission, such as those provided by the Owner role. Once User1 has the Owner role, they can configure access management for Azure resources, including assigning policies to the tenant root management group.
upvoted 1 times
HdiaOwner
2 months, 2 weeks ago
Selected Answer: C
Answer should be C
upvoted 1 times
BluAlien
3 months ago
Doc says: The Microsoft official documentation (https://learn.microsoft.com/en-us/azure/governance/management-groups/overview#root-management-group-for-each-directory) says that: "The Azure AD Global Administrator needs to elevate themselves to the User Access Administrator role of this root group initially." So I would go for C, but I tried it in the lab and it doesn't work, because the Global Administrator can elevate himself to User Access Administrator but the scope of these roles isn't on, or inherited to, the Tenant Root Management Group, so User1 can't access the overview page of the Tenant Root Management Group nor the Access Control (IAM) blade, and in this way it is impossible for him to assign any policy. The only two possible ways are: 1) Grant User Access Administrator and Resource Policy Contributor to User1 on the Tenant Root Management Group; 2) Assign the Owner role to User1 on the Tenant Root Management Group. Only after one of these is User1 able to apply policy to the Tenant Root Management Group.
upvoted 2 times
belyo
3 months, 1 week ago
Selected Answer: C
management groups are on top of subscriptions ! if you set subscription owner rights to a user he will never be able to do anything else besides resources on that subscription C is the only applicable variant here
upvoted 1 times
ITpower
3 months, 2 weeks ago
Well, the answer for the above question is incorrect cuz we are talking about the management level, not the subscription level. So I tested it; the letter C is the correct answer.
upvoted 1 times
TheCarvas
5 months, 2 weeks ago
Selected Answer: C
Although C is not a recommended practice (in more than 1 way), it's the only one that would achieve the goal. Assigning the Owner role to the subscription wouldn't allow the user to assign policies at the root MG level, which is sitting at a higher hierarchical level than the sub (roughly the same reason why D doesn't work). With C the user can elevate himself to owner or access or policy assigner at root MG level, any of which would then allow the user to assign a policy at root MG, that could apply to any MG, RG, Resource and Subscription created under that tenant.
upvoted 1 times
shivamspsps
6 months ago
Selected Answer: C
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other