Exam AZ-104 topic 6 question 5 discussion

Correct Answer: C Email will only be sent to Azure AD user members of the Monitoring Reader role. Email will not be sent to Azure AD groups or service principals. Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager-role

Answer is D. AG sends to users that have 'reader' role, User2 inherits that role through Group1 membership.

"Email ARM Role" notification type can be only received by direct AAD user, not by indirect user under one group which has the target role of the AG as well as the Service Principal like managed identity

https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager When you use Azure Resource Manager for email notifications, you can send email to the members of a subscription's role. Email is sent to Microsoft Entra ID user or group members of the role. This includes support for roles assigned through Azure Lighthouse. Note Action Groups only supports emailing the following roles: Owner, Contributor, Reader, Monitoring Contributor, Monitoring Reader.

user 1 and user 2 User 2 because its also a member of a group that has the rights Email Azure Resource Manager When you use Azure Resource Manager for email notifications, you can send email to the members of a subscription's role. Email is sent to Microsoft Entra ID user or group members of the role. This includes support for roles assigned through Azure Lighthouse. Note Action Groups only supports emailing the following roles: Owner, Contributor, Reader, Monitoring Contributor, Monitoring Reader. https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager

Correct Ans: D When you use Azure Resource Manager for email notifications, you can send email to the members of a subscription's role. Email is sent to Microsoft Entra ID **user** or **group** members of the role. This includes support for roles assigned through Azure Lighthouse. https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager

This might have changed or is depricated, but now for Entra it is "Email Azure Resource Manager When you use Azure Resource Manager for email notifications, you can send email to the members of a subscription's role. Email is sent to Microsoft Entra ID user or group members of the role. This includes support for roles assigned through Azure Lighthouse." https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups

When you use Azure Resource Manager for email notifications, you can send email to the members of a subscription's role. Email is sent to Microsoft Entra ID user or group members of the role. https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager

Managed identities (such as Principal1 and Principal2) do not have associated email addresses and cannot receive email notifications. Therefore, only Azure AD users who are part of the Monitoring Reader role and have valid email addresses will receive the email notifications.

Email Azure Resource Manager role - Send an email to the subscription members, based on their role. A notification email is sent only to the primary email address configured for the Microsoft Entra user. - The email is only sent to Microsoft Entra ID user members of the selected role, not to Microsoft Entra groups or service principals. https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager-role:~:text=Fields-,Email%20Azure%20Resource%20Manager%20role,-Send%20an%20email https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/monitor#monitoring-reader

C is correct Check mlantonis links. Email will only be sent to Azure AD user members of the Monitoring Reader role. Email will not be sent to Azure AD groups or service principals. A user has to be assigned that role hence User 1 is. User 2 (We are not told that this user was assigned) is a member of a group that has the role enabled, but that doesn't mean that User 2 has that role.

Tested in lab, correct answer is D.

D is correct

mail will only be sent to Azure AD user members of the Monitoring Reader role. Email will not be sent to Azure AD groups or service principals.

Makes sure the email addresses added to the group are AAD user members not any groups, see Email Azure Resource Manager role for more info. If the members not receiving emails are not in a group and indeed member roles at the subscription level, then your issue will require more investigation.

Correct answer is D. I have tested it in a lab. Logic of this alert is very simple. User1 received an email because he is directly assigned to the Monitoring Reader role (which is in Action group). User2 received alert because he has the same role as a User1, because he inherited this role from the Group1 assignment. It means, that notification was received not because Group1 was selected as a target of notifications in AG1 (1. Cuz it's not; 2. Group can't be assigned as an email receiver, because groups physically have no emails. Service Principals also can't have email address), but because of AG1 condition is set for Monitoring Reader role. Email was sent to User2, because User2 has the same role as a User1. Even if User1 is assigned directly and User2 inherit this role from his Group in AAD.

mlantonis Highly Voted 2 years, 6 months ago Correct Answer: C Email will only be sent to Azure AD user members of the Monitoring Reader role. Email will not be sent to Azure AD groups or service principals.